Errors during WindowsVault enumeration #31
Comments
Do you happen to know what application or Windows component is creating the vault item? |
In the Credential Manager I see entries like this: TERMSRV/0.0.0.0 or TERMSRV/the.fully.qualified.hostname.here I think it's these entries causing the errors. |
I've been doing some debugging and indeed these are the entries causing the problem |
Maybe this helps a bit, using the CredMan.ps1 script found here: I was able to read some more info using the Enum-Creds function.
|
We actually do have an implementation of that approach (using CredEnumerate) in the CredEnum. Does that command return similar results as CredMan.ps1 script? We currently have several Vault element types unimplemented, as the code was based on Matt Graeber's Get-VaultCredential.ps1 code which purposely left those unimplemented. I want to implement at least the ByteArray scenario but I haven't been able to recreate a "real" entry of that type for testing. |
Indeed, CredEnum outputs something similar to CredMan.ps1
Do you know why the password field is empty in this case? |
They may not have saved a password, but it's hard to say. If you want to investigate more, you could use Mimikatz to manually decrypt the masterkey/credential files (that's beyond the scope of here). Re. the Vault stuff, looks like Mimikatz just prints the byte array. It also has support for parsing some of the known structures that are stored in those byte arrays |
@Jormungand999 would you mind running the code in this branch and seeing if it helps any? Trying to narrow down for sure where it's at. |
With that branch, I get errors like these:
|
In the output, were the other fields (Identity, Resource, PackageSid, and LastModified) populating okay? Also, what's the OS version? (Open cmd.exe and run |
The OS version is Microsoft Windows [Version 10.0.18363.836] The full output looks like this:
|
Let me know if I can help with something, I can develop code, I only don't have any info about how these bytearrays are stored. |
@Jormungand999 could you try the latest version of vaultbugs branch? I think I got it now. |
@leechristensen it still errors out:
|
It's crashing in this code:
The Length is 0 and pData is also a null pointer, so the Marshal.Copy throws an exception. |
I tried to commit a small code change so that the array isn't copied if the byte array has zero length, but I do not have the permission to do that :-) Anyway, I let the code run with the changed code and now it crashes when it wants to read the second item that is similar to the one before (also one with a ByteArray). It crashes in this function VaultGetItem_WIN8 and I think that might be because tempIdentityElement == null in that case
Exception message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. Stack trace:
|
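The guard discussed in the comment above, sketched as an added example (not the project's code and not posted by anyone in this thread). The struct layout, the `ReadByteArray` helper and the `MaxLength` cap are assumptions made for illustration; only the field names `Length` and `pData` come from the thread.

```csharp
using System;
using System.Runtime.InteropServices;

static class ByteArrayGuardExample
{
    // Assumed layout for illustration: a 32-bit length followed by a data pointer.
    // The field names Length and pData are the ones mentioned in the thread.
    [StructLayout(LayoutKind.Sequential)]
    struct ByteArrayElement
    {
        public int Length;
        public IntPtr pData;
    }

    // Hypothetical cap so a corrupt length cannot trigger a huge allocation.
    const int MaxLength = 1 << 20;

    static byte[] ReadByteArray(IntPtr elementPtr)
    {
        if (elementPtr == IntPtr.Zero)
            return null; // no element to read at all

        var element = (ByteArrayElement)Marshal.PtrToStructure(
            elementPtr, typeof(ByteArrayElement));

        // The case from the thread: Length == 0 and pData == NULL, nothing to copy.
        if (element.Length == 0 || element.pData == IntPtr.Zero)
            return new byte[0];

        if (element.Length < 0 || element.Length > MaxLength)
            throw new InvalidOperationException(
                "Implausible byte array length: " + element.Length);

        var buffer = new byte[element.Length];
        Marshal.Copy(element.pData, buffer, 0, element.Length);
        return buffer;
    }

    static void Main()
    {
        // Constructed input: an empty element (Length 0, null data pointer).
        IntPtr p = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(ByteArrayElement)));
        try
        {
            Marshal.StructureToPtr(
                new ByteArrayElement { Length = 0, pData = IntPtr.Zero }, p, false);
            Console.WriteLine(ReadByteArray(p).Length);
        }
        finally { Marshal.FreeHGlobal(p); }
    }
}
```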
Hmm... does Mimikatz's |
Not sure if this is a known issue, but I see multiple errors when enumerating WindowsVault
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented