gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

ERROR kuhl_m_dpapi_chrome_isTableExist #246

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: I'm running the latest mimikatz and it gives this error. AV is turned OFF.

mimikatz(commandline) # dpapi::chrome /in:C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near "AUTOINCREMENT": syntax error

Thanks.

Papotito123 commented 4 years ago

Hello: This is the screen:

.#####. mimikatz 2.2.0 (x64) #18362 Nov 25 2019 02:50:28
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near "AUTOINCREMENT": syntax error
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near "AUTOINCREMENT": syntax error
ERROR kuhl_m_dpapi_chrome ; Neither the table 'logins' or the table 'cookies' exist!

Some other chrome recover password tools do well.

Also _TBAL re-appears:

mimikatz # !processprotect /remove /process:lsass.exe
Process : lsass.exe
PID 836 -> 00/00 [0-0-0]

mimikatz # sekurlsa::LogonPasswords full

Authentication Id : 0 ; 256607 (00000000:0003ea5f)
Session : Interactive from 1
User Name : TESTACCOUNT
Domain : DESKTOP-2GHHNFK
Logon Server : DESKTOP-2GHHNFK
Logon Time : 12/23/2019 7:54:51 PM
SID : S-1-5-21-xxxxxxxxxxxxxxxxxx-1002
msv :
[00000003] Primary

I run it with/without wifi. I run it with %localappdata%\google\chrome\USERDA~1\default\LOGIND~1, and using the actual full path.

Thanks for any hint.

MushR00m commented 4 years ago

You can try to delete the AUTOINCREMENT attribute of id in logins table.

Papotito123 commented 4 years ago

Hello MushR00m, thanks for the response. I have Win 10 1809 x64. Other mimikatz versions worked well. Also, I ran 5 other Chrome password retrievers and they did well. So, I assume you mean to edit the Chrome Login Data file? I also ran the latest mimi in a partition with Win 10 10240 x64, and it did the same. Then I ran the 5 recovery tools and they did well. I will look into Login Data.

Thanks for responding.

Papotito123 commented 4 years ago

Hello: This is with the latest mimikatz.exe, Avast AV is Disabled:

C:\Windows\system32>cd C:\Users\TESTACCOUNT\Downloads\mimikatz_trunk\x64

C:\Users\TESTACCOUNT\Downloads\mimikatz_trunk\x64>mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 401659 (00000000:000620fb)
Session : Interactive from 1
User Name : TESTACCOUNT
Domain : DESKTOP-2GHHNFK
Logon Server : DESKTOP-2GHHNFK
Logon Time : 1/1/2020 9:10:52 PM
SID : S-1-5-21-337365419-192549521-2618175838-1002
msv :
[00000003] Primary

Authentication Id : 0 ; 401603 (00000000:000620c3)
Session : Interactive from 1
User Name : TESTACCOUNT
Domain : DESKTOP-2GHHNFK
Logon Server : DESKTOP-2GHHNFK
Logon Time : 1/1/2020 9:10:52 PM
SID : S-1-5-21-337365419-192549521-2618175838-1002
msv :
[00000003] Primary

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 81557 (00000000:00013e95)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 81511 (00000000:00013e67)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DESKTOP-2GHHNFK$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-20
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 57674 (00000000:0000e14a)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-96-0-1
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 57622 (00000000:0000e116)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 1/1/2020 9:10:25 PM
SID : S-1-5-96-0-0
msv :
tspkg :
wdigest :

Authentication Id : 0 ; 54422 (00000000:0000d496)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 1/1/2020 9:10:24 PM
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DESKTOP-2GHHNFK$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 1/1/2020 9:10:24 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /protect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz #

I can run other Chrome password retrieval tools, such as lazagne, and users and passwords are retrieved well. As you can see, this time the user password is in plain text, not like other times that display the TBAL{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9} token.

Any hint will be appreciated.

Papotito123 commented 4 years ago

Hello: This is from latest mimikatz.

C:\Users\TESTACCOUNT\Downloads\mimikatz_trunk (1)\x64>cd "C:\Users\TESTACCOUNT\Downloads\mimikatz_trunk (1)\x64"

C:\Users\TESTACCOUNT\Downloads\mimikatz_trunk (1)\x64>mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #18362 Jan 2 2020 19:21:39
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /protect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz #

Thanks.

Papotito123 commented 4 years ago

Hello: To be honest, I tried mimikatz in my other 3 user accounts, and dpapi chrome works well recovering the accounts. I have problems with my test account and also with my virtualbox win10 1809 x64 VM. What really doesn't make sense, to me, is that I can run other Chrome password retrieval tools, such as lazagne, and accounts are retrieved well. So, could it be something with a permission on the Login Data file that is not contemplated in mimikatz, maybe because it is not a usual behaviour?

As I told before, mimikatz dpapi chrome works well in 3 other users accounts.

But with my testing account and vbox VM (installed in my testing account), I got this:

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA1\default\LOGIND1 /unprotect
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near "AUTOINCREMENT": syntax error
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near "AUTOINCREMENT": syntax error
ERROR kuhl_m_dpapi_chrome ; Neither the table 'logins' or the table 'cookies' exist!

MushR00m suggests: You can try to delete the AUTOINCREMENT attribute of id in logins table. I did it, but no change. Still received the errors.

Kindly, any suggestion would be much appreciated.

Thanks.