windows 24H2 support, many fixes

Author: SkelSec

pypykatz/_version.py

@@ -1,5 +1,5 @@
 
-__version__ = "0.6.10"
+__version__ = "0.6.11"
 __banner__ = \
 """
 # pypyKatz %s 

pypykatz/alsadecryptor/packages/kerberos/decryptor.py

@@ -22,6 +22,8 @@ def __init__(self):
 		self.pin:str = None
 		self.pin_raw:bytes = None
 		self.cardinfo = None
+		self.aes_key128 = None
+		self.aes_key256 = None
 
 	def __str__(self):
 		t = '\t== Kerberos ==\n'
@@ -39,7 +41,10 @@ def __str__(self):
 			t += '\t\t\tReaderName: %s\n' % self.cardinfo['ReaderName']
 			t += '\t\t\tContainerName: %s\n' % self.cardinfo['ContainerName']
 			t += '\t\t\tCSPName: %s\n' % self.cardinfo['CSPName']
-
+		if self.aes_key128:
+			t += '\t\tAES128 Key: %s\n' % self.aes_key128.hex()
+		if self.aes_key256:
+			t += '\t\tAES256 Key: %s\n' % self.aes_key256.hex()
 		# TODO: check if users actually need this.
 		# I think it's not useful to print out the kerberos ticket data as string, as noone uses it directly.
 		# It is better to use the -k flag an export the tickets
@@ -62,14 +67,18 @@ def to_dict(self):
 		t['tickets'] = []
 		for ticket in self.tickets:
 			t['tickets'] = ticket.to_dict()
-		
+		if self.aes_key128:
+			t['aes128'] = self.aes_key128.hex()
+		if self.aes_key256:
+			t['aes256'] = self.aes_key256.hex()
 		return t
 
 
 class KerberosDecryptor(PackageDecryptor):
-	def __init__(self, reader, decryptor_template, lsa_decryptor, sysinfo):
+	def __init__(self, reader, decryptor_template, lsa_decryptor, sysinfo, with_tickets = True):
 		super().__init__('Kerberos', lsa_decryptor, sysinfo, reader)
 		self.decryptor_template = decryptor_template
+		self.with_tickets = with_tickets
 		self.credentials = []
 
 		self.current_ticket_type = None
@@ -83,10 +92,8 @@ async def find_first_entry(self):
 
 	async def handle_ticket(self, kerberos_ticket):
 		try:
-			#input(kerberos_ticket)
 			kt = await KerberosTicket.aparse(kerberos_ticket, self.reader, self.decryptor_template.sysinfo, self.current_ticket_type)
 			self.current_cred.tickets.append(kt)
-			#print(str(kt))
 		except Exception as e:
 			raise e
 
@@ -131,100 +138,65 @@ async def process_session(self, kerberos_logon_session):
 
 		self.current_cred.username = await kerberos_logon_session.credentials.UserName.read_string(self.reader)
 		self.current_cred.domainname = await kerberos_logon_session.credentials.Domaine.read_string(self.reader)
-		pwdata = await kerberos_logon_session.credentials.Password.read_maxdata(self.reader)
-		self.current_cred.password, self.current_cred.password_raw = self.decrypt_password(pwdata)
-		
-		if kerberos_logon_session.SmartcardInfos.value != 0:
-			csp_info = await kerberos_logon_session.SmartcardInfos.read(self.reader, override_finaltype = self.decryptor_template.csp_info_struct)
-			pin_enc = await csp_info.PinCode.read_maxdata(self.reader)
-			self.current_cred.pin, raw_dec = self.decrypt_password(pin_enc)
-			if csp_info.CspDataLength != 0:
-				self.current_cred.cardinfo = csp_info.CspData.get_infos()
 
 		#### key list (still in session) this is not a linked list (thank god!)
 		if kerberos_logon_session.pKeyList.value != 0:
 			key_list = await kerberos_logon_session.pKeyList.read(self.reader, override_finaltype = self.decryptor_template.keys_list_struct)
-			#print(key_list.cbItem)
 			await key_list.read(self.reader, self.decryptor_template.hash_password_struct)
+			
 			for key in key_list.KeyEntries:
-				pass
-				### GOOD
-				#keydata_enc = key.generic.Checksump.read_raw(self.reader, key.generic.Size)
-				#print(keydata_enc)
-				#keydata, raw_dec = self.decrypt_password(keydata_enc, bytes_expected=True)
-				#print(keydata_enc.hex())
-				#input('KEY?')
-
+				if key.generic.Size > 0:
+					if key.generic.Size <= 24: # AES128
+						keydata = await key.generic.Checksump.read_raw(self.reader, key.generic.Size)
+						if keydata:
+							dec_key, _ = self.decrypt_password(keydata, bytes_expected=True)
+							if dec_key:
+								self.current_cred.aes_key128 = dec_key
+					elif key.generic.Size <= 32: # AES256
+						keydata = await key.generic.Checksump.read_raw(self.reader, key.generic.Size)
+						if keydata:
+							dec_key, _ = self.decrypt_password(keydata, bytes_expected=True)
+							if dec_key:
+								self.current_cred.aes_key256 = dec_key
 
-				#print(key.generic.Checksump.value)
-				
-				#self.log_ptr(key.generic.Checksump.value, 'Checksump', datasize = key.generic.Size)
-				#if self.reader.reader.sysinfo.BuildNumber < WindowsBuild.WIN_10_1507.value and key.generic.Size > LSAISO_DATA_BLOB.size:
-				#	if key.generic.Size <= LSAISO_DATA_BLOB.size + (len("KerberosKey") - 1) + 32: #AES_256_KEY_LENGTH
-				#		input('1')
-				#		data_blob = key.generic.Checksump.read(self.reader, override_finaltype = LSAISO_DATA_BLOB)
-				#		data_blob.read(self.reader, key.generic.Size - LSAISO_DATA_BLOB.size)
-				#		
-				#		input('data blob end')
-				#		"""
-				#		kprintf(L"\n\t   * LSA Isolated Data: %.*S", blob->typeSize, blob->data);
-				#		kprintf(L"\n\t     Unk-Key  : "); kull_m_string_wprintf_hex(blob->unkKeyData, sizeof(blob->unkKeyData), 0);
-				#		kprintf(L"\n\t     Encrypted: "); kull_m_string_wprintf_hex(blob->data + blob->typeSize, blob->origSize, 0);
-				#		kprintf(L"\n\t\t   SS:%u, TS:%u, DS:%u", blob->structSize, blob->typeSize, blob->origSize);
-				#		kprintf(L"\n\t\t   0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:", blob->unk0, blob->unk1, blob->unk2, blob->unk3, blob->unk4);
-				#		kull_m_string_wprintf_hex(blob->unkData2, sizeof(blob->unkData2), 0); kprintf(L", 5:0x%x", blob->unk5);
-				#		"""
-				#	else:
-				#		input('2')
-				#		key.generic.Checksump.read(self.reader, override_finaltype = LSAISO_DATA_BLOB)
-				#		print('unkData1 : %s' % data_struct.unkData1.hex())
-				#		print('unkData2 : %s' % data_struct.unkData2.hex())
-				#		print('Encrypted : %s' % data_struct.data.hex()) #another extra struct should wrap this data! ENC_LSAISO_DATA_BLOB
-				#		
-				#else:
-				#	
-				#	if self.reader.reader.sysinfo.BuildNumber < WindowsBuild.WIN_VISTA.value:
-				#		input('3')
-				#		key.generic.Checksump.read(self.reader, override_finaltype = LSAISO_DATA_BLOB)
-				#		print('unkData1 : %s' % data_struct.unkData1.hex())
-				#		print('unkData2 : %s' % data_struct.unkData2.hex())
-				#		print('Encrypted : %s' % data_struct.data.hex()) #another extra struct should wrap this data! ENC_LSAISO_DATA_BLOB
-				#		
-				#	else:
-				#		input('4')
-				#		#we need to decrypt as well!
-				#		self.reader.move(key.generic.Checksump.value)
-				#		enc_data = self.reader.read(key.generic.Size)
-				#		print(hexdump(enc_data))
-				#		dec_data = self.lsa_decryptor.decrypt(enc_data)
-				#		print(hexdump(dec_data))
-				#		t_reader = GenericReader(dec_data)
-				#		data_struct = LSAISO_DATA_BLOB(t_reader)
-				#		print('unkData1 : %s' % data_struct.unkData1.hex())
-				#		print('unkData2 : %s' % data_struct.unkData2.hex())
-				#		print('Encrypted : %s' % data_struct.data.hex()) #another extra struct should wrap this data! ENC_LSAISO_DATA_BLOB
-				#
-				#input()
 
+		if kerberos_logon_session.credentials.Password.Length != 0:
+			pwdata = await kerberos_logon_session.credentials.Password.read_maxdata(self.reader)
+			if self.current_cred.username.endswith('$') is True:
+				self.current_cred.password, self.current_cred.password_raw = self.decrypt_password(pwdata, bytes_expected=True)
+				if self.current_cred.password is not None:
+					self.current_cred.password = self.current_cred.password.hex()
+			else:
+				self.current_cred.password, self.current_cred.password_raw = self.decrypt_password(pwdata)
 
-		if kerberos_logon_session.Tickets_1.Flink.value != 0 and \
-				kerberos_logon_session.Tickets_1.Flink.value != kerberos_logon_session.Tickets_1.Flink.location and \
-					kerberos_logon_session.Tickets_1.Flink.value != kerberos_logon_session.Tickets_1.Flink.location - 4 :
-			self.current_ticket_type = KerberosTicketType.TGS
-			await self.walk_list(kerberos_logon_session.Tickets_1.Flink, self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
+		if kerberos_logon_session.SmartcardInfos.value != 0:
+			csp_info = await kerberos_logon_session.SmartcardInfos.read(self.reader, override_finaltype = self.decryptor_template.csp_info_struct)
+			pin_enc = await csp_info.PinCode.read_maxdata(self.reader)
+			self.current_cred.pin, raw_dec = self.decrypt_password(pin_enc)
+			if csp_info.CspDataLength != 0:
+				self.current_cred.cardinfo = csp_info.CspData.get_infos()
+
 
-		if kerberos_logon_session.Tickets_2.Flink.value != 0 and \
-				kerberos_logon_session.Tickets_2.Flink.value != kerberos_logon_session.Tickets_2.Flink.location and \
-					kerberos_logon_session.Tickets_2.Flink.value != kerberos_logon_session.Tickets_2.Flink.location - 4 :
-			self.current_ticket_type = KerberosTicketType.CLIENT
-			await self.walk_list(kerberos_logon_session.Tickets_2.Flink,self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
+		if self.with_tickets is True:
+			if kerberos_logon_session.Tickets_1.Flink.value != 0 and \
+					kerberos_logon_session.Tickets_1.Flink.value != kerberos_logon_session.Tickets_1.Flink.location and \
+						kerberos_logon_session.Tickets_1.Flink.value != kerberos_logon_session.Tickets_1.Flink.location - 4 :
+				self.current_ticket_type = KerberosTicketType.TGS
+				await self.walk_list(kerberos_logon_session.Tickets_1.Flink, self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
+			
+			if kerberos_logon_session.Tickets_2.Flink.value != 0 and \
+					kerberos_logon_session.Tickets_2.Flink.value != kerberos_logon_session.Tickets_2.Flink.location and \
+						kerberos_logon_session.Tickets_2.Flink.value != kerberos_logon_session.Tickets_2.Flink.location - 4 :
+				self.current_ticket_type = KerberosTicketType.CLIENT
+				await self.walk_list(kerberos_logon_session.Tickets_2.Flink,self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
+			
+			if kerberos_logon_session.Tickets_3.Flink.value != 0 and \
+					kerberos_logon_session.Tickets_3.Flink.value != kerberos_logon_session.Tickets_3.Flink.location and \
+						kerberos_logon_session.Tickets_3.Flink.value != kerberos_logon_session.Tickets_3.Flink.location - 4 :
+				self.current_ticket_type = KerberosTicketType.TGT
+				await self.walk_list(kerberos_logon_session.Tickets_3.Flink,self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
+			self.current_ticket_type = None
 
-		if kerberos_logon_session.Tickets_3.Flink.value != 0 and \
-				kerberos_logon_session.Tickets_3.Flink.value != kerberos_logon_session.Tickets_3.Flink.location and \
-					kerberos_logon_session.Tickets_3.Flink.value != kerberos_logon_session.Tickets_3.Flink.location - 4 :
-			self.current_ticket_type = KerberosTicketType.TGT
-			await self.walk_list(kerberos_logon_session.Tickets_3.Flink,self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
-		self.current_ticket_type = None
 		self.credentials.append(self.current_cred)
 
 

pypykatz/alsadecryptor/packages/kerberos/templates.py

@@ -100,7 +100,7 @@ def get_template(sysinfo):
 				template.hash_password_struct = KERB_HASHPASSWORD_6_1607
 				template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
 
-			elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2022.value:
+			elif WindowsBuild.WIN_11_2022.value <= sysinfo.buildnumber < WindowsBuild.WIN_11_24H2.value:
 				template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
 				template.first_entry_offset = 6
 				template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
@@ -109,6 +109,15 @@ def get_template(sysinfo):
 				template.hash_password_struct = KERB_HASHPASSWORD_6_1607
 				template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
 
+			elif sysinfo.buildnumber >= WindowsBuild.WIN_11_24H2.value:
+				template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
+				template.first_entry_offset = 6
+				template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_24H2
+				template.kerberos_ticket_struct = KIWI_KERBEROS_INTERNAL_TICKET_11
+				template.keys_list_struct = KIWI_KERBEROS_KEYS_LIST_6
+				template.hash_password_struct = KERB_HASHPASSWORD_6_1607
+				template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
+			
 			else:
 				raise Exception('Could not identify template! Architecture: %s sysinfo.buildnumber: %s' % (sysinfo.architecture, sysinfo.buildnumber))
 
@@ -1078,6 +1087,88 @@ async def load(reader):
 		res.SmartcardInfos = await PVOID.load(reader)
 		return res
 
+
+class KIWI_KERBEROS_LOGON_SESSION_24H2:
+	def __init__(self):
+		self.UsageCount = None
+		self.unk0 = None
+		self.unk1 = None
+		self.unk2 = None
+		self.unk4 = None
+		self.unk5 = None
+		self.unk6 = None
+		self.LocallyUniqueIdentifier = None
+		self.unk7 = None
+		self.unk8 = None
+		self.unk8b = None
+		self.unk9 = None
+		self.unk11 = None
+		self.unk12 = None
+		self.credentials = None
+		self.unk14 = None
+		self.unk15 = None
+		self.unk16 = None
+		self.unk17 = None
+		self.unk18 = None
+		self.unk19 = None
+		self.unk20 = None
+		self.unk21 = None
+		self.unk22 = None
+		self.unk23 = None
+		self.pKeyList = None
+		self.unk26 = None
+		self.Tickets_1 = None
+		self.unk27 = None
+		self.Tickets_2 = None
+		self.unk28 = None
+		self.Tickets_3 = None
+		self.unk29 = None
+		self.SmartcardInfos = None
+	
+	@staticmethod
+	async def load(reader):
+		res = KIWI_KERBEROS_LOGON_SESSION_24H2()
+		res.UsageCount = await ULONG.loadvalue(reader)
+		await reader.align()
+		res.unk0 = await LIST_ENTRY.load(reader)
+		res.unk1  = await PVOID.loadvalue(reader)
+		await reader.align()
+		res.unk2 = await FILETIME.loadvalue(reader)
+		res.unk4 = await PVOID.loadvalue(reader)
+		res.unk5 = await PVOID.loadvalue(reader)
+		res.unk6 = await PVOID.loadvalue(reader)
+		res.LocallyUniqueIdentifier = await LUID.loadvalue(reader)
+		res.unk7  = await FILETIME.loadvalue(reader)
+		res.unk8  = await PVOID.loadvalue(reader)
+		res.unk8b = await ULONG.loadvalue(reader)
+		await reader.align()
+		res.unk9  = await FILETIME.load(reader)
+		res.unk11 = await PVOID.loadvalue(reader)
+		res.unk12 = await PVOID.loadvalue(reader)
+		await reader.align(8)
+		res.credentials = await KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607.load(reader)
+		res.unk14 = await ULONG.loadvalue(reader)
+		res.unk15 = await ULONG.loadvalue(reader)
+		res.unk16 = await ULONG.loadvalue(reader)
+		res.unk17 = await ULONG.loadvalue(reader)
+		res.unk18 = await PVOID.loadvalue(reader)
+		res.unk19 = await PVOID.loadvalue(reader)
+		res.unk20 = await PVOID.loadvalue(reader)
+		res.unk21 = await PVOID.loadvalue(reader)
+		res.unk22 = await PVOID.loadvalue(reader)
+		res.unk23 = await PVOID.loadvalue(reader)
+		await reader.align()
+		res.pKeyList = await PVOID.load(reader)
+		res.unk26 = await PVOID.loadvalue(reader)
+		res.Tickets_1 = await LIST_ENTRY.load(reader)
+		res.unk27 = await FILETIME.loadvalue(reader)
+		res.Tickets_2 = await LIST_ENTRY.load(reader)
+		res.unk28 = await FILETIME.loadvalue(reader)
+		res.Tickets_3 = await LIST_ENTRY.load(reader)
+		res.unk29 = await FILETIME.loadvalue(reader)
+		res.SmartcardInfos = await PVOID.load(reader)
+		return res
+
 class KIWI_KERBEROS_LOGON_SESSION_10_1607_X86:
 	def __init__(self):
 		self.UsageCount = None
@@ -1827,7 +1918,7 @@ async def load(reader):
 		res.Type = await DWORD.loadvalue(reader)
 		await reader.align()
 		res.Size      = await SIZE_T.loadvalue(reader)
-		res.Checksump = await PVOID.loadvalue(reader)
+		res.Checksump = await PVOID.load(reader) #loadvalue before?
 		return res
 
 

pypykatz/alsadecryptor/packages/msv/decryptor.py

@@ -108,18 +108,23 @@ async def parse(entry, reader):
 		"""
 		Converts KIWI_MSV1_0_LIST type objects into a unified class
 		"""
-		lsc = LogonSession()
-		lsc.authentication_id = entry.LocallyUniqueIdentifier
-		lsc.session_id = entry.Session
-		lsc.username = await entry.UserName.read_string(reader)
-		lsc.domainname = await entry.Domaine.read_string(reader)
-		lsc.logon_server = await entry.LogonServer.read_string(reader)
-		if entry.LogonTime != 0:
-			lsc.logon_time = filetime_to_dt(entry.LogonTime).isoformat()
-		ts = await entry.pSid.read(reader)
-		lsc.sid = str(ts)
-		lsc.luid = entry.LocallyUniqueIdentifier
-		return lsc
+		try:
+			lsc = LogonSession()
+			lsc.authentication_id = entry.LocallyUniqueIdentifier
+			lsc.session_id = entry.Session
+			lsc.username = await entry.UserName.read_string(reader)
+			lsc.domainname = await entry.Domaine.read_string(reader)
+			lsc.logon_server = await entry.LogonServer.read_string(reader)
+			if entry.LogonTime != 0:
+				lsc.logon_time = filetime_to_dt(entry.LogonTime).isoformat()
+			ts = await entry.pSid.read(reader)
+			lsc.sid = str(ts)
+			lsc.luid = entry.LocallyUniqueIdentifier
+			return lsc
+		except Exception as e:
+			import traceback
+			traceback.print_exc()
+			input()
 
 	def to_dict(self):
 		t = {}
@@ -308,8 +313,16 @@ async def find_first_entry(self):
 				t = await self.reader.read(1)
 				self.logon_session_count = int.from_bytes(t, byteorder = 'big', signed = False)
 
+		additional_offset = 0
+		if self.decryptor_template.first_entry_offset_correction != 0:
+			offsetpos = position + self.decryptor_template.first_entry_offset_correction
+			await self.reader.move(offsetpos)
+			t = await self.reader.read(4)
+			additional_offset = int.from_bytes(t, byteorder = 'little', signed = False)
+
 		#getting logon session ptr
 		ptr_entry_loc = await self.reader.get_ptr_with_offset(position + self.decryptor_template.first_entry_offset)
+		ptr_entry_loc += additional_offset
 		ptr_entry = await self.reader.get_ptr(ptr_entry_loc)
 		return ptr_entry, ptr_entry_loc