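def __init__(self, reader):
    """Parse a KIWI_CREDMAN_LIST_ENTRY_60 structure from `reader`.

    The pointer that reaches this entry addresses its Flink/Blink pair, which
    is not the first member of the C structure, so the reader is first moved
    back and the leading members are parsed before the list pointers.

    Args:
        reader: positioned on the entry's Flink member on entry; left just
            past `server2` on return.
    """
    # IMPORTANT NOTICE: the structure starts before the Flink/Blink pointer,
    # so we need to read backwards from where the list pointer lands.
    # 32 bytes equals eight 4-byte members, i.e. the leading fields below at
    # 32-bit pointer width — TODO(review): confirm the rewind for 64-bit dumps.
    reader.move(reader.tell() - 32)
    reader.align()  # not sure if it's needed here (upstream author's note)
    self.cbEncPassword = ULONG(reader).value
    reader.align()
    self.encPassword = PWSTR(reader)
    self.unk0 = ULONG(reader).value
    self.unk1 = ULONG(reader).value
    self.unk2 = PVOID(reader)
    self.unk3 = PVOID(reader)
    self.UserName = PWSTR(reader)
    self.cbUserName = ULONG(reader).value
    reader.align()
    # Flink/Blink are consumed from the buffer like every other member.  The
    # previous code bound the pointer *class* to these attributes and read no
    # bytes, so `type` and everything after it was parsed from a stale offset.
    self.Flink = PKIWI_CREDMAN_LIST_ENTRY_60(reader)
    self.Blink = PKIWI_CREDMAN_LIST_ENTRY_60(reader)
    self.type = LSA_UNICODE_STRING(reader)
    self.unk5 = PVOID(reader)
    self.server1 = LSA_UNICODE_STRING(reader)
    self.unk6 = PVOID(reader)
    self.unk7 = PVOID(reader)
    self.unk8 = PVOID(reader)
    self.unk9 = PVOID(reader)
    self.unk10 = PVOID(reader)
    self.user = LSA_UNICODE_STRING(reader)
    self.unk11 = ULONG(reader).value
    reader.align()
    self.server2 = LSA_UNICODE_STRING(reader)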
def __init__(self, reader) -> None:
    """Parse a KIWI_MSV1_0_LIST_51 list entry from `reader`.

    Members are consumed in declaration order.  The `reader.align()` calls
    presumably reproduce compiler padding between differently sized members.

    Args:
        reader: positioned on the entry's Flink member; left just past
            `CredentialManager` on return.
    """
    self.Flink = PKIWI_MSV1_0_LIST_51(reader)
    self.Blink = PKIWI_MSV1_0_LIST_51(reader)
    self.LocallyUniqueIdentifier = LUID(reader).value
    self.UserName = LSA_UNICODE_STRING(reader)
    self.Domaine = LSA_UNICODE_STRING(reader)  # spelling kept: upstream member name
    self.unk0 = PVOID(reader).value
    self.unk1 = PVOID(reader).value
    self.pSid = PSID(reader)
    self.LogonType = ULONG(reader).value
    self.Session = ULONG(reader).value
    reader.align(8)
    # 8 raw bytes taken as an unsigned little-endian integer; the trailing
    # note is the upstream author's ("autoalign x86").
    self.LogonTime = int.from_bytes(reader.read(8), byteorder='little', signed=False) #autoalign x86
    reader.align()
    self.LogonServer = LSA_UNICODE_STRING(reader)
    self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
    self.unk19 = ULONG(reader).value
    reader.align()
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = PVOID(reader).value
    self.unk23 = ULONG(reader).value
    reader.align()
    # Kept as the PVOID object (no `.value`), unlike the unk* pointers above.
    self.CredentialManager = PVOID(reader)
def __init__(self, reader) -> None:
    """Parse a KIWI_KERBEROS_INTERNAL_TICKET_60 list entry from `reader`.

    Members are consumed in declaration order with no explicit alignment
    calls.  `TicketFlags` is the one integer read big-endian; the
    _10_1607 variant of this structure on this page does the same.

    Args:
        reader: positioned on the entry's Flink member; left just past
            `Ticket` on return.
    """
    self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
    self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
    self.unk0 = PVOID(reader).value
    self.unk1 = PVOID(reader).value
    self.ServiceName = PKERB_EXTERNAL_NAME(reader)
    self.TargetName = PKERB_EXTERNAL_NAME(reader)
    self.DomainName = LSA_UNICODE_STRING(reader)
    self.TargetDomainName = LSA_UNICODE_STRING(reader)
    self.Description = LSA_UNICODE_STRING(reader)
    self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
    # // LSA_UNICODE_STRING KDCServer;  //? -- not read in this version
    # (the _10_1607 variant on this page does read a KDCServer member here)
    self.ClientName = PKERB_EXTERNAL_NAME(reader)
    self.name0 = PVOID(reader).value
    # Big-endian on purpose (upstream convention for the flags word).
    self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
    self.unk2 = ULONG(reader).value
    self.KeyType = ULONG(reader).value
    self.Key = KIWI_KERBEROS_BUFFER(reader)
    self.unk3 = PVOID(reader).value
    self.unk4 = PVOID(reader).value
    self.unk5 = PVOID(reader).value
    self.StartTime = FILETIME(reader).value
    self.EndTime = FILETIME(reader).value
    self.RenewUntil = FILETIME(reader).value
    self.unk6 = ULONG(reader).value
    self.unk7 = ULONG(reader).value
    self.domain = PCWSTR(reader).value
    self.unk8 = ULONG(reader).value
    self.strangeNames = PVOID(reader).value
    self.unk9 = ULONG(reader).value
    self.TicketEncType = ULONG(reader).value
    self.TicketKvno = ULONG(reader).value
    self.Ticket = KIWI_KERBEROS_BUFFER(reader)
def __init__(self, reader) -> None:
    """Parse a KIWI_KERBEROS_10 primary-credential (1607 layout) from `reader`.

    Args:
        reader: positioned on `UserName`; left just past `IsoPassword`.
    """
    self.UserName = LSA_UNICODE_STRING(reader)
    self.Domaine = LSA_UNICODE_STRING(reader)  # spelling kept: upstream member name
    self.unkFunction = PVOID(reader).value
    self.type = DWORD(reader).value  # // or flags: 2 = normal, 1 = ISO
    reader.align()
    self.Password = LSA_UNICODE_STRING(reader)
    # union { ... } -- the upstream comment marks Password/IsoPassword as
    # overlapping storage, yet both are read consecutively here.
    # TODO(review): confirm this is intended and not a double advance.
    self.IsoPassword = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607_ISO(reader)
def __init__(self, reader) -> None:
    """Parse a KIWI_MSV1_0_LIST_63 list entry from `reader`.

    Members are consumed in declaration order; unnamed members keep their
    upstream `unk*` names.  Unlike the _51 variant on this page there is no
    `reader.align()` directly after `LogonTime` — TODO(review): confirm.

    Args:
        reader: positioned on the entry's Flink member; left just past
            `CredentialManager` on return.
    """
    self.Flink = PKIWI_MSV1_0_LIST_63(reader)
    self.Blink = PKIWI_MSV1_0_LIST_63(reader)
    self.unk0 = PVOID(reader).value
    self.unk1 = ULONG(reader).value
    reader.align()
    self.unk2 = PVOID(reader).value
    self.unk3 = ULONG(reader).value
    self.unk4 = ULONG(reader).value
    self.unk5 = ULONG(reader).value
    reader.align()
    self.hSemaphore6 = HANDLE(reader).value
    self.unk7 = PVOID(reader).value
    self.hSemaphore8 = HANDLE(reader).value
    self.unk9 = PVOID(reader).value
    self.unk10 = PVOID(reader).value
    self.unk11 = ULONG(reader).value
    self.unk12 = ULONG(reader).value
    self.unk13 = PVOID(reader).value
    reader.align()
    self.LocallyUniqueIdentifier = LUID(reader).value
    self.SecondaryLocallyUniqueIdentifier = LUID(reader).value
    # 12 raw bytes of unknown meaning; upstream name kept.
    self.waza = reader.read(12)
    reader.align()
    self.UserName = LSA_UNICODE_STRING(reader)
    self.Domaine = LSA_UNICODE_STRING(reader)  # spelling kept: upstream member name
    self.unk14 = PVOID(reader).value
    self.unk15 = PVOID(reader).value
    self.Type = LSA_UNICODE_STRING(reader)
    self.pSid = PSID(reader)
    self.LogonType = ULONG(reader).value
    reader.align()
    self.unk18 = PVOID(reader).value
    self.Session = ULONG(reader).value
    reader.align(8)
    # 8 raw bytes taken as an unsigned little-endian integer; the trailing
    # note is the upstream author's ("autoalign x86").
    self.LogonTime = int.from_bytes(reader.read(8), byteorder='little', signed=False) #autoalign x86
    self.LogonServer = LSA_UNICODE_STRING(reader)
    self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
    self.unk19 = PVOID(reader).value
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = ULONG(reader).value
    self.unk23 = ULONG(reader).value
    self.unk24 = ULONG(reader).value
    self.unk25 = ULONG(reader).value
    self.unk26 = ULONG(reader).value
    reader.align()
    self.unk27 = PVOID(reader).value
    self.unk28 = PVOID(reader).value
    self.unk29 = PVOID(reader).value
    # Kept as the PVOID object (no `.value`), unlike the unk* pointers above.
    self.CredentialManager = PVOID(reader)
def __init__(self, reader):
    """Parse a primary-credential block from `reader`.

    Consumes, in order: two LSA_UNICODE_STRING headers (logon domain, user),
    three fixed-size buffers of 16, 16 and 20 bytes (NT OWF, LM OWF, SHA OWF)
    and three BOOLEAN values (presumably presence flags for those buffers).
    """
    logon_domain = LSA_UNICODE_STRING(reader)
    user_name = LSA_UNICODE_STRING(reader)
    nt_owf = reader.read(16)
    lm_owf = reader.read(16)
    sha_owf = reader.read(20)
    has_nt_owf = BOOLEAN(reader).value
    has_lm_owf = BOOLEAN(reader).value
    has_sha_owf = BOOLEAN(reader).value
    # Bind attributes in upstream declaration order.
    self.LogonDomainName = logon_domain
    self.UserName = user_name
    self.NtOwfPassword = nt_owf
    self.LmOwfPassword = lm_owf
    self.ShaOwPassword = sha_owf
    self.isNtOwfPassword = has_nt_owf
    self.isLmOwfPassword = has_lm_owf
    self.isShaOwPassword = has_sha_owf
def add_entry(self, wdigest_entry):
    """Parse one wdigest list entry and append the resulting credential.

    The list entry struct carries only the linked-list pointers; the
    credential strings are located by adding the template's primary offset
    to the entry's own address.  Names ending in '$' (machine-account
    convention, presumably) are decrypted with `bytes_expected=True` and the
    result is rendered as hex.  An entry with an empty username, an empty
    domain and no decrypted password is discarded.
    """
    cred = WdigestCredential()
    cred.luid = wdigest_entry.luid
    data_offset = wdigest_entry.this_entry.value + self.decryptor_template.primary_offset
    self.reader.move(data_offset)
    user_hdr = LSA_UNICODE_STRING(self.reader)
    domain_hdr = LSA_UNICODE_STRING(self.reader)
    pass_hdr = LSA_UNICODE_STRING(self.reader)
    cred.username = user_hdr.read_string(self.reader)
    cred.domainname = domain_hdr.read_string(self.reader)
    cred.encrypted_password = pass_hdr.read_maxdata(self.reader)
    if cred.username.endswith('$'):
        cred.password, cred.password_raw = self.decrypt_password(cred.encrypted_password, bytes_expected=True)
        if cred.password is not None:
            cred.password = cred.password.hex()
    else:
        cred.password, cred.password_raw = self.decrypt_password(cred.encrypted_password)
    is_empty = cred.username == '' and cred.domainname == '' and cred.password is None
    if not is_empty:
        self.credentials.append(cred)
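def __init__(self, reader):
    """Parse a KIWI_CREDMAN_LIST_ENTRY_5 structure from `reader`.

    The pointer that reaches this entry addresses its Flink/Blink pair, which
    is not the first member of the C structure, so the reader is first moved
    back and the leading members are parsed before the list pointers.

    Args:
        reader: positioned on the entry's Flink member on entry; left just
            past `server2` on return.
    """
    # IMPORTANT NOTICE: the structure starts before the Flink/Blink pointer,
    # so we need to read backwards from where the list pointer lands.
    # 32 bytes equals eight 4-byte members, i.e. the leading fields below at
    # 32-bit pointer width — TODO(review): confirm the rewind for 64-bit dumps.
    reader.move(reader.tell() - 32)
    reader.align()  # not sure if it's needed here (upstream author's note)
    self.cbEncPassword = ULONG(reader).value
    reader.align()
    # encPassword, Flink, Blink, server1 and server2 were previously bound to
    # their *classes* instead of being parsed, so no bytes were consumed for
    # them and every later member was read from a stale offset.  They are now
    # read exactly like the _60 variant of this structure does.
    self.encPassword = PWSTR(reader)
    self.unk0 = ULONG(reader).value
    self.unk1 = ULONG(reader).value
    self.unk2 = PVOID(reader)
    self.unk3 = PVOID(reader)
    self.UserName = PWSTR(reader)
    self.cbUserName = ULONG(reader).value
    reader.align()
    self.Flink = PKIWI_CREDMAN_LIST_ENTRY_5(reader)
    self.Blink = PKIWI_CREDMAN_LIST_ENTRY_5(reader)
    self.server1 = LSA_UNICODE_STRING(reader)
    self.unk6 = PVOID(reader)
    self.unk7 = PVOID(reader)
    self.user = LSA_UNICODE_STRING(reader)
    self.unk8 = ULONG(reader).value
    reader.align()
    self.server2 = LSA_UNICODE_STRING(reader)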
def __init__(self, reader) -> None:
    """Parse a smart-card CSP info block (version 5 layout) from `reader`.

    The trailing `CspData` member is variable-length: its byte count is read
    into `CspDataLength` first and forwarded to the CSP parser as `size`.

    Args:
        reader: positioned on `PinCode`; left just past `CspData`.
    """
    self.PinCode = LSA_UNICODE_STRING(reader)
    self.unk0 = PVOID(reader)
    self.unk1 = PVOID(reader)
    self.CertificateInfos = PVOID(reader)
    self.unkData = PVOID(reader)  # // 0 = CspData
    self.Flags = DWORD(reader).value  # // 1 = CspData (not 0x21)
    self.CspDataLength = DWORD(reader).value
    self.CspData = KERB_SMARTCARD_CSP_INFO_5(reader, size = self.CspDataLength)
def __init__(self, reader) -> None:
    """Parse a smart-card CSP info block (later layout) from `reader`.

    Compared with the version-5 variant on this page this layout has an
    extra pointer (`unk2`) and an extra DWORD (`unkFlags`), and the CSP
    parser is invoked without the length and its `.value` taken.
    TODO(review): confirm KERB_SMARTCARD_CSP_INFO exposes `.value` and
    sizes itself without `CspDataLength`.

    Args:
        reader: positioned on `PinCode`; left just past `CspData`.
    """
    self.PinCode = LSA_UNICODE_STRING(reader)
    self.unk0 = PVOID(reader).value
    self.unk1 = PVOID(reader).value
    self.CertificateInfos = PVOID(reader).value
    self.unk2 = PVOID(reader).value
    self.unkData = PVOID(reader).value  # // 0 = CspData
    self.Flags = DWORD(reader).value  # // 0 = CspData
    self.unkFlags = DWORD(reader).value  # // 0x141 (not 0x61)
    self.CspDataLength = DWORD(reader).value
    self.CspData = KERB_SMARTCARD_CSP_INFO(reader).value
def __init__(self, reader) -> None:
    """Parse a primary-credential block (10_1607 layout) from `reader`.

    The upstream C declaration wraps `isoSize`/`DPAPIProtected`/`align3`
    in `#pragma pack(push, 2)` ... `#pragma pack(pop)`; that 2-byte packing
    is not emulated here (the author's own "stuff to be done!" markers are
    kept below).  TODO(review): confirm the offsets match on real dumps.

    Args:
        reader: positioned on `LogonDomainName`; left just past
            `ShaOwPassword`.
    """
    self.LogonDomainName = LSA_UNICODE_STRING(reader)
    self.UserName = LSA_UNICODE_STRING(reader)
    self.pNtlmCredIsoInProc = PVOID(reader).value
    self.isIso = BOOLEAN(reader).value
    self.isNtOwfPassword = BOOLEAN(reader).value
    self.isLmOwfPassword = BOOLEAN(reader).value
    self.isShaOwPassword = BOOLEAN(reader).value
    self.isDPAPIProtected = BOOLEAN(reader).value
    # Three explicit padding bytes, read so later members stay aligned.
    self.align0 = BYTE(reader).value
    self.align1 = BYTE(reader).value
    self.align2 = BYTE(reader).value
    self.unkD = DWORD(reader).value  # // 1/2
    # stuff to be done!  (upstream: #pragma pack(push, 2))
    self.isoSize = WORD(reader).value  # // 0000
    self.DPAPIProtected = reader.read(16)
    self.align3 = DWORD(reader).value  # // 00000000
    # stuff to be done!  (upstream: #pragma pack(pop))
    self.NtOwfPassword = reader.read(16)
    self.LmOwfPassword = reader.read(16)
    self.ShaOwPassword = reader.read(20)
def __init__(self, reader) -> None:
    """Parse a KIWI_LIVESSP_LIST_ENTRY from `reader`.

    Members are consumed in declaration order with no explicit alignment
    calls.  Pointer members are kept as their PVOID objects (no `.value`).

    Args:
        reader: positioned on the entry's Flink member; left just past
            `suppCreds` on return.
    """
    self.Flink = PKIWI_LIVESSP_LIST_ENTRY(reader)
    self.Blink = PKIWI_LIVESSP_LIST_ENTRY(reader)
    self.unk0 = PVOID(reader)
    self.unk1 = PVOID(reader)
    self.unk2 = PVOID(reader)
    self.unk3 = PVOID(reader)
    self.unk4 = DWORD(reader).value
    self.unk5 = DWORD(reader).value
    self.unk6 = PVOID(reader)
    self.LocallyUniqueIdentifier = LUID(reader).value
    self.UserName = LSA_UNICODE_STRING(reader)
    self.unk7 = PVOID(reader)
    self.suppCreds = PKIWI_LIVESSP_PRIMARY_CREDENTIAL(reader)
def add_entry(self, wdigest_entry):
    """Parse one wdigest list entry and append the resulting credential.

    The list entry struct carries only the linked-list pointers; the
    credential strings are located by adding the template's primary offset
    to the entry's own address.  Every entry is appended, whatever the
    decryption result.
    """
    cred = WdigestCredential()
    cred.luid = wdigest_entry.luid
    data_offset = wdigest_entry.this_entry.value + self.decryptor_template.primary_offset
    self.reader.move(data_offset)
    # Three consecutive LSA_UNICODE_STRING headers: user, domain, password.
    user_hdr = LSA_UNICODE_STRING(self.reader)
    domain_hdr = LSA_UNICODE_STRING(self.reader)
    pass_hdr = LSA_UNICODE_STRING(self.reader)
    cred.username = user_hdr.read_string(self.reader)
    cred.domainname = domain_hdr.read_string(self.reader)
    cred.encrypted_password = pass_hdr.read_maxdata(self.reader)
    cred.password = self.decrypt_password(cred.encrypted_password)
    self.credentials.append(cred)
def __init__(self, reader) -> None:
    """Parse a KIWI_KERBEROS_INTERNAL_TICKET_10_1607 list entry from `reader`.

    Same member sequence as the _60 variant on this page plus the
    `KDCServer`, `unk10586_d`, `unk14393_0` and `unk14393_1` members and
    three explicit `reader.align()` calls.  `TicketFlags` is read big-endian
    like in the _60 variant.

    Args:
        reader: positioned on the entry's Flink member; left just past
            `Ticket` on return.
    """
    self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
    self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
    self.unk0 = PVOID(reader).value
    self.unk1 = PVOID(reader).value
    self.ServiceName = PKERB_EXTERNAL_NAME(reader)
    self.TargetName = PKERB_EXTERNAL_NAME(reader)
    self.DomainName = LSA_UNICODE_STRING(reader)
    self.TargetDomainName = LSA_UNICODE_STRING(reader)
    self.Description = LSA_UNICODE_STRING(reader)
    self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
    self.KDCServer = LSA_UNICODE_STRING(reader)  # //? (upstream marks this member as uncertain)
    self.unk10586_d = LSA_UNICODE_STRING(reader)  # //? (upstream marks this member as uncertain)
    self.ClientName = PKERB_EXTERNAL_NAME(reader)
    self.name0 = PVOID(reader).value
    # Big-endian on purpose (upstream convention for the flags word).
    self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
    self.unk2 = ULONG(reader).value
    self.unk14393_0 = PVOID(reader).value
    self.KeyType = ULONG(reader).value
    reader.align()
    self.Key = KIWI_KERBEROS_BUFFER(reader)
    self.unk14393_1 = PVOID(reader).value
    self.unk3 = PVOID(reader).value  # // ULONG KeyType2 (upstream guess)
    self.unk4 = PVOID(reader).value  # // KIWI_KERBEROS_BUFFER Key2 (upstream guess)
    self.unk5 = PVOID(reader).value  # // up (upstream note)
    self.StartTime = FILETIME(reader).value
    self.EndTime = FILETIME(reader).value
    self.RenewUntil = FILETIME(reader).value
    self.unk6 = ULONG(reader).value
    self.unk7 = ULONG(reader).value
    self.domain = PCWSTR(reader).value
    self.unk8 = ULONG(reader).value
    reader.align()
    self.strangeNames = PVOID(reader).value
    self.unk9 = ULONG(reader).value
    self.TicketEncType = ULONG(reader).value
    self.TicketKvno = ULONG(reader).value
    reader.align()
    self.Ticket = KIWI_KERBEROS_BUFFER(reader)
def __init__(self, reader):
    """Parse a Kerberos primary-credential block from `reader`.

    Consumes, in order: the user name and domain (`Domaine` spelling kept
    from upstream) as LSA_UNICODE_STRING headers, one pointer-sized value,
    and the password as an LSA_UNICODE_STRING header.
    """
    user_name = LSA_UNICODE_STRING(reader)
    domain = LSA_UNICODE_STRING(reader)
    unknown_ptr = PVOID(reader).value
    password = LSA_UNICODE_STRING(reader)
    # Bind attributes in upstream declaration order.
    self.UserName = user_name
    self.Domaine = domain
    self.unk0 = unknown_ptr
    self.Password = password
def __init__(self, reader):
    """Parse an MSV1_0 encrypted primary-credential list node from `reader`.

    Consumes the forward link, an ANSI_STRING header (`Primary`), an
    alignment step, then the LSA_UNICODE_STRING header that describes the
    encrypted credential blob.
    """
    next_link = PKIWI_MSV1_0_PRIMARY_CREDENTIAL_ENC(reader)
    primary = ANSI_STRING(reader)
    reader.align()
    enc_creds = LSA_UNICODE_STRING(reader)
    # Bind attributes in upstream declaration order.
    self.Flink = next_link
    self.Primary = primary
    self.encrypted_credentials = enc_creds
def __init__(self, reader):
    """Parse a KERB_HASHPASSWORD entry (salt + generic part) from `reader`.

    The salt is an LSA_UNICODE_STRING header (see RFC 3962,
    http://tools.ietf.org/html/rfc3962); it is followed directly by the
    KERB_HASHPASSWORD_GENERIC part.
    """
    salt_hdr = LSA_UNICODE_STRING(reader)
    generic_part = KERB_HASHPASSWORD_GENERIC(reader)
    self.salt = salt_hdr
    self.generic = generic_part
def __init__(self, reader) -> None:
    """Parse a KERB_HASHPASSWORD_6 entry from `reader`.

    Like the 5 variant on this page but with a pointer-sized `stringToKey`
    member between the salt and the generic part.  `stringToKey` is kept as
    the PVOID object here, whereas the 6_1607 variant takes `.value`
    — TODO(review): confirm which form callers expect.

    Args:
        reader: positioned on `salt`; left just past `generic`.
    """
    self.salt = LSA_UNICODE_STRING(reader)  # // http://tools.ietf.org/html/rfc3962
    self.stringToKey = PVOID(reader)  # // AES Iterations (dword ?) -- upstream guess
    self.generic = KERB_HASHPASSWORD_GENERIC(reader)
def __init__(self, reader): self.salt = LSA_UNICODE_STRING(reader) # // http://tools.ietf.org/html/rfc3962(reader).value self.stringToKey = PVOID(reader).value # // AES Iterations (dword ?)(reader).value self.unk0 = PVOID(reader).value self.generic = KERB_HASHPASSWORD_GENERIC(reader)