[new] mimikatz dpapi::cloudapreg to get some decrypted RefreshToken f…

…rom the registry (thank you DPAPI) - not AzureAd joined [new] mimikatz misc::ngcsign to play with signature even if you don't have access to the real key (NgcSignWithSymmetricPopKey)
j5s · Aug 9, 2020 · a2a25cc · a2a25cc
1 parent 755505b
commit a2a25cc
Show file tree

Hide file tree

Showing 11 changed files with 566 additions and 178 deletions.
diff --git a/mimikatz/mimikatz.vcxproj b/mimikatz/mimikatz.vcxproj
@@ -119,6 +119,7 @@
     <ClCompile Include="..\modules\kull_m_cabinet.c" />
     <ClCompile Include="..\modules\kull_m_cred.c" />
     <ClCompile Include="..\modules\kull_m_crypto.c" />
+    <ClCompile Include="..\modules\kull_m_crypto_ngc.c" />
     <ClCompile Include="..\modules\kull_m_crypto_sk.c" />
     <ClCompile Include="..\modules\kull_m_dpapi.c" />
     <ClCompile Include="..\modules\kull_m_file.c" />
@@ -228,6 +229,7 @@
     <ClInclude Include="..\modules\kull_m_cabinet.h" />
     <ClInclude Include="..\modules\kull_m_cred.h" />
     <ClInclude Include="..\modules\kull_m_crypto.h" />
+    <ClInclude Include="..\modules\kull_m_crypto_ngc.h" />
     <ClInclude Include="..\modules\kull_m_crypto_sk.h" />
     <ClInclude Include="..\modules\kull_m_crypto_system.h" />
     <ClInclude Include="..\modules\kull_m_dpapi.h" />

diff --git a/mimikatz/mimikatz.vcxproj.filters b/mimikatz/mimikatz.vcxproj.filters
@@ -308,6 +308,9 @@
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.c">
       <Filter>local modules\dpapi\packages</Filter>
     </ClCompile>
+    <ClCompile Include="..\modules\kull_m_crypto_ngc.c">
+      <Filter>common modules</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="mimikatz.h" />
@@ -635,6 +638,9 @@
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.h">
       <Filter>local modules\dpapi\packages</Filter>
     </ClInclude>
+    <ClInclude Include="..\modules\kull_m_crypto_ngc.h">
+      <Filter>common modules</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="local modules">

diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.c b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
@@ -25,6 +25,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
 	{kuhl_m_dpapi_powershell,	L"ps",			L"PowerShell credentials (PSCredentials or SecureString)"},
 	{kuhl_m_dpapi_lunahsm,		L"luna",		L"Safenet LunaHSM KSP"},
 	{kuhl_m_dpapi_cloudap_keyvalue_derived,	L"cloudapkd",	L""},
+	{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg",	L""},
 	{kuhl_m_dpapi_oe_cache,		L"cache", NULL},
 };
 const KUHL_M kuhl_m_dpapi = {