Closed uriyay closed 4 years ago
Hello :) I have never seen this kind of revision. Do not hesitate to send me files to reproduce it! https://github.com/gentilkiwi/mimikatz/wiki/howto-~-open-an-issue#give-me-files
@gentilkiwi Hello! I got that error too. Console spits out: "SAMKey : ERROR kuhl_m_lsadump_getSamKey ; Unknow Classic Struct Key revision (2) ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO"
If you're interested, which files would you need to see?
EDIT: It seems to be the SAM file that throws the error. These are the SAM file (SAM.zip) and the SYSTEM file (SYSTEM.zip) that I extracted from my Windows 10 Enterprise machine.
Solved it by adding handling for revision 2 in kuhl_m_lsadump_getSamKey:
// Excerpt from the switch inside kuhl_m_lsadump_getSamKey: the case for value 2.
// The switch expression, the declarations of md5ctx/data/key/out/len/pAesKey and
// whatever follows this case are outside the excerpt.
// NOTE(review): no `break;` is visible here - make sure the case does not fall
// through into the next label when this is merged.
case 2:
	// The embedded key blob carries its own revision, which selects the cipher.
	if(pDomAccF->keys1.Revision == 1)
	{
		// MD5 over: blob salt, fixed constant, SysKey, fixed constant.
		MD5Init(&md5ctx);
		MD5Update(&md5ctx, pDomAccF->keys1.Salt, SAM_KEY_DATA_SALT_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_qwertyuiopazxc, sizeof(kuhl_m_lsadump_qwertyuiopazxc));
		MD5Update(&md5ctx, sysKey, SYSKEY_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_01234567890123, sizeof(kuhl_m_lsadump_01234567890123));
		MD5Final(&md5ctx);
		// Copy the still-encrypted key into the output buffer before the RC4 pass.
		RtlCopyMemory(samKey, pDomAccF->keys1.Key, SAM_KEY_DATA_KEY_LENGTH);
		// data and key are set up outside this excerpt; presumably data describes
		// samKey and key describes the MD5 digest - confirm against the full function.
		if(!(status = NT_SUCCESS(RtlEncryptDecryptRC4(&data, &key))))
			PRINT_ERROR(L"RtlEncryptDecryptRC4 KO");
	}
	else if (pDomAccF->keys1.Revision == 2) {
		// Same bytes reinterpreted with the AES layout of the key blob.
		pAesKey = (PSAM_KEY_DATA_AES)&pDomAccF->keys1;
		// NOTE(review): DataLen is read straight from the parsed hive data and no
		// bound check is visible here; verify it is validated against the size of
		// the containing buffer, otherwise a malformed SAM file could make the
		// decrypt helper read past the structure.
		// Salt is presumably used as the IV by the helper - confirm.
		if (kull_m_crypto_genericAES128Decrypt(sysKey, pAesKey->Salt, pAesKey->data, pAesKey->DataLen, &out, &len))
		{
			// Intentional assignment: status is TRUE only when the plaintext has
			// exactly the expected key length; only then is it copied out.
			if (status = (len == SAM_KEY_DATA_KEY_LENGTH))
				RtlCopyMemory(samKey, out, SAM_KEY_DATA_KEY_LENGTH);
			// out is released with LocalFree whether or not the length matched
			// (presumably allocated by the decrypt helper).
			LocalFree(out);
		}
		// NOTE(review): unlike the RC4 branch, a failed AES decrypt or a length
		// mismatch prints nothing, and status is not assigned when the helper
		// fails - confirm status is initialised to FALSE by the enclosing function.
	}
	// NOTE(review): a keys1.Revision other than 1 or 2 is silently ignored here.
Thanks man! Put that to good use!
Thank you, very useful!
Solved it by adding handling for revision 2 in kuhl_m_lsadump_getSamKey:
// Case for switch value 2 inside kuhl_m_lsadump_getSamKey; the switch expression
// and the declarations of md5ctx/data/key/out/len/pAesKey are not part of this excerpt.
// NOTE(review): no `break;` is visible after this case - check for fall-through.
case 2:
	if(pDomAccF->keys1.Revision == 1)
	{
		// Key blob revision 1: MD5(salt, constant, SysKey, constant), then RC4.
		MD5Init(&md5ctx);
		MD5Update(&md5ctx, pDomAccF->keys1.Salt, SAM_KEY_DATA_SALT_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_qwertyuiopazxc, sizeof(kuhl_m_lsadump_qwertyuiopazxc));
		MD5Update(&md5ctx, sysKey, SYSKEY_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_01234567890123, sizeof(kuhl_m_lsadump_01234567890123));
		MD5Final(&md5ctx);
		RtlCopyMemory(samKey, pDomAccF->keys1.Key, SAM_KEY_DATA_KEY_LENGTH);
		// data/key are prepared outside this excerpt - TODO confirm what they point at.
		if(!(status = NT_SUCCESS(RtlEncryptDecryptRC4(&data, &key))))
			PRINT_ERROR(L"RtlEncryptDecryptRC4 KO");
	}
	else if (pDomAccF->keys1.Revision == 2) {
		// Key blob revision 2: the same bytes are read through the AES layout.
		pAesKey = (PSAM_KEY_DATA_AES)&pDomAccF->keys1;
		// NOTE(review): DataLen comes from the hive file and is passed on without a
		// visible range check - verify it cannot exceed the containing buffer.
		if (kull_m_crypto_genericAES128Decrypt(sysKey, pAesKey->Salt, pAesKey->data, pAesKey->DataLen, &out, &len))
		{
			// status becomes TRUE only if the plaintext length equals the key length.
			if (status = (len == SAM_KEY_DATA_KEY_LENGTH))
				RtlCopyMemory(samKey, out, SAM_KEY_DATA_KEY_LENGTH);
			LocalFree(out);
		}
		// NOTE(review): no PRINT_ERROR on AES failure or length mismatch; status is
		// left untouched when the helper fails - confirm its initial value.
	}
Thanks so much, it works!!!
When I run lsadump::sam on my Windows 10 x64, I get this error: "Unknow Classic Struct Key revision (2)". I found that the error comes from here: https://github.com/gentilkiwi/mimikatz/blob/773533b6e927fe4b32d6c4c3710c82037456a086/mimikatz/modules/kuhl_m_lsadump.c#L434 Do you plan to support this revision?