
A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

kuhl_m_lsadump_getSamKey fails for pDomAccF->keys1.Revision==2 #99

Closed uriyay closed 4 years ago

uriyay commented 6 years ago

When I run lsadump::sam on my Windows 10 x64, I get this error: "Unknow Classic Struct Key revision (2)". I found that the error comes from here: https://github.com/gentilkiwi/mimikatz/blob/773533b6e927fe4b32d6c4c3710c82037456a086/mimikatz/modules/kuhl_m_lsadump.c#L434 Do you plan to support this revision?

gentilkiwi commented 6 years ago

Hello :) I have never seen this kind of revision. Do not hesitate to send me files to reproduce it! https://github.com/gentilkiwi/mimikatz/wiki/howto-~-open-an-issue#give-me-files

TheTrollCaptain commented 6 years ago

@gentilkiwi Hello! I got that error too. Console spits out: "SAMKey : ERROR kuhl_m_lsadump_getSamKey ; Unknow Classic Struct Key revision (2) ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO"

If you're interested, which files would you need to see?

EDIT: It seems to be the SAM file that triggers the error... this is the SAM file I extracted from my Windows 10 Enterprise machine (SAM.zip) and the SYSTEM file (SYSTEM.zip)

uriyay commented 6 years ago

Solved it by adding handling for revision 2 in kuhl_m_lsadump_getSamKey:

case 2:
            if(pDomAccF->keys1.Revision == 1)
            {
                MD5Init(&md5ctx);
                MD5Update(&md5ctx, pDomAccF->keys1.Salt, SAM_KEY_DATA_SALT_LENGTH);
                MD5Update(&md5ctx, kuhl_m_lsadump_qwertyuiopazxc, sizeof(kuhl_m_lsadump_qwertyuiopazxc));
                MD5Update(&md5ctx, sysKey, SYSKEY_LENGTH);
                MD5Update(&md5ctx, kuhl_m_lsadump_01234567890123, sizeof(kuhl_m_lsadump_01234567890123));
                MD5Final(&md5ctx);
                RtlCopyMemory(samKey, pDomAccF->keys1.Key, SAM_KEY_DATA_KEY_LENGTH);
                if(!(status = NT_SUCCESS(RtlEncryptDecryptRC4(&data, &key))))
                    PRINT_ERROR(L"RtlEncryptDecryptRC4 KO");
            }
            else if (pDomAccF->keys1.Revision == 2) {
                pAesKey = (PSAM_KEY_DATA_AES)&pDomAccF->keys1;
                if (kull_m_crypto_genericAES128Decrypt(sysKey, pAesKey->Salt, pAesKey->data, pAesKey->DataLen, &out, &len))
                {
                    if (status = (len == SAM_KEY_DATA_KEY_LENGTH))
                        RtlCopyMemory(samKey, out, SAM_KEY_DATA_KEY_LENGTH);
                    LocalFree(out);
                }
            }
TylerD89 commented 6 years ago

Thanks man! Put that to good use!

0xVIC commented 5 years ago

Thank you, very useful!

afernandezb92 commented 5 years ago

Solved it by adding handling for revision 2 in kuhl_m_lsadump_getSamKey:

case 2:
          if(pDomAccF->keys1.Revision == 1)
          {
              MD5Init(&md5ctx);
              MD5Update(&md5ctx, pDomAccF->keys1.Salt, SAM_KEY_DATA_SALT_LENGTH);
              MD5Update(&md5ctx, kuhl_m_lsadump_qwertyuiopazxc, sizeof(kuhl_m_lsadump_qwertyuiopazxc));
              MD5Update(&md5ctx, sysKey, SYSKEY_LENGTH);
              MD5Update(&md5ctx, kuhl_m_lsadump_01234567890123, sizeof(kuhl_m_lsadump_01234567890123));
              MD5Final(&md5ctx);
              RtlCopyMemory(samKey, pDomAccF->keys1.Key, SAM_KEY_DATA_KEY_LENGTH);
              if(!(status = NT_SUCCESS(RtlEncryptDecryptRC4(&data, &key))))
                  PRINT_ERROR(L"RtlEncryptDecryptRC4 KO");
          }
          else if (pDomAccF->keys1.Revision == 2) {
              pAesKey = (PSAM_KEY_DATA_AES)&pDomAccF->keys1;
              if (kull_m_crypto_genericAES128Decrypt(sysKey, pAesKey->Salt, pAesKey->data, pAesKey->DataLen, &out, &len))
              {
                  if (status = (len == SAM_KEY_DATA_KEY_LENGTH))
                      RtlCopyMemory(samKey, out, SAM_KEY_DATA_KEY_LENGTH);
                  LocalFree(out);
              }
          }

Thanks so much, it works!!!