def __init__(self, dce):
    """Set up the interactive shell and run the mimikatz RPC key-exchange handshake.

    `dce` is expected to be an already connected and bound DCE/RPC handle.
    The Diffie-Hellman exchange below carries no authentication of the peer
    on its own: whatever auth level the caller configured on `dce` is what
    protects it from tampering — confirm PKT_PRIVACY is set upstream.
    """
    cmd.Cmd.__init__(self)

    # Shell state consumed by the command handlers.
    self.shell = None
    self.prompt = 'mimikatz # '
    self.tid = None
    self.intro = mimikatz_intro
    self.pwd = ''
    self.share = None
    self.loggedIn = True
    self.last_output = None
    self.dce = dce

    # Client side of the exchange: our public value goes out byte-reversed
    # inside a PUBLICKEYBLOB.
    exchange = mimilib.MimiDiffeH()
    client_blob = mimilib.PUBLICKEYBLOB()
    client_blob['y'] = exchange.genPublicKey()[::-1]

    bind_key = mimilib.MIMI_PUBLICKEY()
    bind_key['sessionType'] = mimilib.CALG_RC4
    # Hard-coded blob length; presumably equals len(client_blob.getData()) — TODO confirm.
    bind_key['cbPublicKey'] = 144
    bind_key['pbPublicKey'] = client_blob.getData()

    resp = mimilib.hMimiBind(self.dce, bind_key)

    # The server's public value arrives as a sequence of single bytes; rebuild
    # the blob, then keep the low 16 bytes of the shared secret, byte-reversed.
    # Presumably this is the RC4 session key (sessionType is CALG_RC4) — confirm.
    server_blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))
    shared_secret = exchange.getSharedSecret(server_blob['y'][::-1])
    self.key = shared_secret[-16:][::-1]
    self.pHandle = resp['phMimi']
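def __init__(self, dce):
    """Set up the interactive shell and run the mimikatz RPC key-exchange handshake.

    `dce` is expected to be an already connected and bound DCE/RPC handle.
    The Diffie-Hellman exchange below carries no authentication of the peer
    on its own: whatever auth level the caller configured on `dce` is what
    protects it from tampering — confirm PKT_PRIVACY is set upstream.

    Byte handling uses Structure.getData() and b''.join() so the same code
    runs on Python 2 and 3; the previous str()/''.join() forms were
    Python-2-only.
    """
    cmd.Cmd.__init__(self)

    # Shell state consumed by the command handlers.
    self.shell = None
    self.prompt = 'mimikatz # '
    self.tid = None
    self.intro = (
        ''
        ' .#####. mimikatz RPC interface\n'
        ' .## ^ ##. "A La Vie, A L\' Amour "\n'
        ' ## / \ ## /* * *\n'
        ' ## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n'
        ' \'## v ##\' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n'
        ' \'#####\' Impacket client by Alberto Solino (@agsolino) * * */\n\n'
        'Type help for list of commands'
    )
    self.pwd = ''
    self.share = None
    self.loggedIn = True
    self.last_output = None
    self.dce = dce

    # Client side of the exchange: our public value goes out byte-reversed
    # inside a PUBLICKEYBLOB.
    dh = mimilib.MimiDiffeH()
    blob = mimilib.PUBLICKEYBLOB()
    blob['y'] = dh.genPublicKey()[::-1]

    publicKey = mimilib.MIMI_PUBLICKEY()
    publicKey['sessionType'] = mimilib.CALG_RC4
    # Hard-coded blob length; presumably equals len(blob.getData()) — TODO confirm.
    publicKey['cbPublicKey'] = 144
    # getData() returns the serialized bytes on both Python versions; str(blob)
    # only did so on Python 2.
    publicKey['pbPublicKey'] = blob.getData()

    resp = mimilib.hMimiBind(self.dce, publicKey)

    # pbPublicKey comes back as a sequence of single bytes; b''.join() works on
    # both Python versions where ''.join() only worked on Python 2.
    blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))
    # blob['y'] is already a byte string, so the former ''.join(blob['y']) was a
    # no-op on Python 2 and a TypeError on Python 3. Keep the low 16 bytes of
    # the shared secret, byte-reversed; presumably the RC4 session key — confirm.
    self.key = dh.getSharedSecret(blob['y'][::-1])[-16:][::-1]
    self.pHandle = resp['phMimi']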
def __init__(self, dce):
    """Set up the interactive shell and run the mimikatz RPC key-exchange handshake.

    `dce` is expected to be an already connected and bound DCE/RPC handle.
    The Diffie-Hellman exchange below carries no authentication of the peer
    on its own: whatever auth level the caller configured on `dce` is what
    protects it from tampering — confirm PKT_PRIVACY is set upstream.
    """
    cmd.Cmd.__init__(self)

    # Shell state consumed by the command handlers.
    self.shell = None
    self.prompt = 'mimikatz # '
    self.tid = None
    self.intro = (
        ''
        ' .#####. mimikatz RPC interface\n'
        ' .## ^ ##. "A La Vie, A L\' Amour "\n'
        ' ## / \ ## /* * *\n'
        ' ## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n'
        ' \'## v ##\' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n'
        ' \'#####\' Impacket client by Alberto Solino (@agsolino) * * */\n\n'
        'Type help for list of commands'
    )
    self.pwd = ''
    self.share = None
    self.loggedIn = True
    self.last_output = None
    self.dce = dce

    # Client side of the exchange: our public value goes out byte-reversed
    # inside a PUBLICKEYBLOB.
    exchange = mimilib.MimiDiffeH()
    client_blob = mimilib.PUBLICKEYBLOB()
    client_blob['y'] = exchange.genPublicKey()[::-1]

    bind_key = mimilib.MIMI_PUBLICKEY()
    bind_key['sessionType'] = mimilib.CALG_RC4
    # Hard-coded blob length; presumably equals len(client_blob.getData()) — TODO confirm.
    bind_key['cbPublicKey'] = 144
    bind_key['pbPublicKey'] = client_blob.getData()

    resp = mimilib.hMimiBind(self.dce, bind_key)

    # The server's public value arrives as a sequence of single bytes; rebuild
    # the blob, then keep the low 16 bytes of the shared secret, byte-reversed.
    # Presumably this is the RC4 session key (sessionType is CALG_RC4) — confirm.
    server_blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))
    shared_secret = exchange.getSharedSecret(server_blob['y'][::-1])
    self.key = shared_secret[-16:][::-1]
    self.pHandle = resp['phMimi']
def get_handle_key(self, dce):
    """Run the mimikatz bind handshake over `dce` and return (pHandle, key).

    `key` is the low 16 bytes of the Diffie-Hellman shared secret as
    returned by getSharedSecret().
    NOTE(review): the interactive client additionally byte-reverses those
    16 bytes ([::-1]) before use; this helper returns them unreversed —
    confirm which orientation the callers expect.
    """
    # Handshake request: our public value, wrapped by get_dh_public_key().
    exchange, our_public_key = self.get_dh_public_key()
    resp = mimilib.hMimiBind(dce, our_public_key)

    # The server's public value comes back as a sequence of single bytes;
    # rebuild the blob and derive the shared secret from its reversed 'y'.
    server_blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))
    shared_secret = exchange.getSharedSecret(server_blob['y'][::-1])

    return resp['phMimi'], shared_secret[-16:]
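def test_hMimiBind(self):
    """Bind to the mimikatz RPC interface and check the server accepts our key.

    Asserts a zero ErrorCode and that the server negotiated CALG_RC4. The
    disconnects now run in a finally block so a failing assertion no longer
    leaks the DCE/RPC connection and its transport.
    """
    dce, rpc_transport = self.connect()
    try:
        dh, public_key = self.get_dh_public_key()
        resp = mimilib.hMimiBind(dce, public_key)
        self.assertEqual(resp["ErrorCode"], 0)
        self.assertEqual(resp["serverPublicKey"]["sessionType"], mimilib.CALG_RC4)
    finally:
        # Always tear down, even when an assertion above fails.
        dce.disconnect()
        rpc_transport.disconnect()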
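def __init__(self, rpcTransport):
    """Open a DCE/RPC session over `rpcTransport` and run the mimikatz handshake.

    Credentials are read from the transport, the connection is bound with
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY (so the RPC layer, not the DH exchange
    itself, is what authenticates and encrypts the key exchange), and the
    session key and mimikatz handle are derived from the bind response.

    Byte handling uses Structure.getData() and b''.join() so the same code
    runs on Python 2 and 3; the previous str()/''.join() forms were
    Python-2-only.
    """
    cmd.Cmd.__init__(self)

    # Shell state consumed by the command handlers.
    self.shell = None
    self.prompt = 'mimikatz # '
    self.rpc = rpcTransport
    (self.username, self.password, self.domain, self.lmhash,
     self.nthash, self.aesKey, self.TGT, self.TGS) = rpcTransport.get_credentials()
    self.tid = None
    self.intro = (
        ''
        ' .#####. mimikatz RPC interface\n'
        ' .## ^ ##. "A La Vie, A L\' Amour "\n'
        ' ## / \ ## /* * *\n'
        ' ## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n'
        ' \'## v ##\' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n'
        ' \'#####\' Impacket client by Alberto Solino (@agsolino) * * */\n\n'
        'Type help for list of commands'
    )
    self.pwd = ''
    self.share = None
    self.loggedIn = True
    self.last_output = None

    # Privacy-level RPC: the DH values below travel inside an authenticated,
    # encrypted RPC channel.
    self.dce = rpcTransport.get_dce_rpc()
    self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
    self.dce.connect()
    self.dce.bind(mimilib.MSRPC_UUID_MIMIKATZ)

    # Client side of the exchange: our public value goes out byte-reversed
    # inside a PUBLICKEYBLOB.
    dh = mimilib.MimiDiffeH()
    blob = mimilib.PUBLICKEYBLOB()
    blob['y'] = dh.genPublicKey()[::-1]

    publicKey = mimilib.MIMI_PUBLICKEY()
    publicKey['sessionType'] = mimilib.CALG_RC4
    # Hard-coded blob length; presumably equals len(blob.getData()) — TODO confirm.
    publicKey['cbPublicKey'] = 144
    # getData() returns the serialized bytes on both Python versions; str(blob)
    # only did so on Python 2.
    publicKey['pbPublicKey'] = blob.getData()

    resp = mimilib.hMimiBind(self.dce, publicKey)

    # pbPublicKey comes back as a sequence of single bytes; b''.join() works on
    # both Python versions where ''.join() only worked on Python 2.
    blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))
    # blob['y'] is already a byte string, so the former ''.join(blob['y']) was a
    # no-op on Python 2 and a TypeError on Python 3. Keep the low 16 bytes of
    # the shared secret, byte-reversed; presumably the RC4 session key — confirm.
    self.key = dh.getSharedSecret(blob['y'][::-1])[-16:][::-1]
    self.pHandle = resp['phMimi']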