Errors during WindowsVault enumeration #31

Closed
Jormungand999 opened this issue Jun 17, 2020 · 17 comments · Fixed by #37
Labels
bug Something isn't working

Comments

@Jormungand999

Not sure if this is a known issue, but I see multiple errors when enumerating WindowsVault:

ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented
ERROR: Exception: VAULT_ELEMENT_TYPE 'ByteArray' is currently unimplemented

@leechristensen
Member

Do you happen to know what application or Windows component is creating the vault item?

@leechristensen leechristensen added the bug Something isn't working label Jun 18, 2020
@Jormungand999
Author

Jormungand999 commented Jun 18, 2020

In the Credential Manager I see entries like this:

TERMSRV/0.0.0.0

or

TERMSRV/the.fully.qualified.hostname.here

I think it's these entries causing the errors.

@Jormungand999
Author

I've been doing some debugging and indeed these are the entries causing the problem.

@Jormungand999
Author

Maybe this helps a bit, using the CredMan.ps1 script found here:
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

I was able to read some more info using the Enum-Creds function.
Here's an example of the output:

Flags              : NONE
Type               : DOMAIN_PASSWORD
TargetName         : Domain:target=TERMSRV/[REDACTED]
Comment            :
LastWritten        : 1/8/2019 12:42:35 PM
CredentialBlobSize : 0
CredentialBlob     :
Persist            : LOCAL_MACHINE
AttributeCount     : 0
Attributes         : 0
TargetAlias        :
UserName           : [REDACTED]

@HarmJ0y
Member

HarmJ0y commented Jun 18, 2020

We actually do have an implementation of that approach (using CredEnumerate) in CredEnum. Does that command return similar results to the CredMan.ps1 script?

We currently have several Vault element types unimplemented, as the code was based on Matt Graeber's Get-VaultCredential.ps1 code which purposely left those unimplemented. I want to implement at least the ByteArray scenario but I haven't been able to recreate a "real" entry of that type for testing.

@Jormungand999
Author

Indeed, CredEnum outputs something similar to CredMan.ps1:

  Target              : TERMSRV/[REDACTED]
  UserName            : [REDACTED]
  Password            :
  CredentialType      : DomainPassword
  PersistenceType     : LocalComputer
  LastWriteTime       : 1/9/2019 12:40:25 PM

Do you know why the password field is empty in this case?

@leechristensen
Member

They may not have saved a password, but it's hard to say. If you want to investigate more, you could use Mimikatz to manually decrypt the masterkey/credential files (that's beyond the scope of here).

Re. the Vault stuff, looks like Mimikatz just prints the byte array. It also has support for parsing some of the known structures that are stored in those byte arrays.

@leechristensen
Member

@Jormungand999 would you mind running the code in this branch and seeing if it helps any? Trying to narrow down for sure where it's at.

@Jormungand999
Author

Jormungand999 commented Jun 24, 2020

With that branch, I get errors like these:

ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185

@leechristensen
Member

In the output, were the other fields (Identity, Resource, PackageSid, and LastModified) populating okay?

Also, what's the OS version? (Open cmd.exe and run ver)

@Jormungand999
Author

The OS version is Microsoft Windows [Version 10.0.18363.836]

The full output looks like this:

ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185

  Vault GUID     : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
  Vault Type     : Windows Credentials

@Jormungand999
Author

Jormungand999 commented Jun 25, 2020

Let me know if I can help with something; I can develop code, I just don't have any info about how these byte arrays are stored.
I'm guessing first an int that indicates the array size and then the array bytes, but I'm not sure...

@leechristensen
Member

@Jormungand999 could you try the latest version of vaultbugs branch? I think I got it now.

@Jormungand999
Author

@leechristensen it still errors out:

ERROR:   [!] Terminating exception running command 'WindowsVault': System.ArgumentNullException: Value cannot be null.
Parameter name: source
   at System.Runtime.InteropServices.Marshal.CopyToManaged(IntPtr source, Object destination, Int32 startIndex, Int32 length)
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 286
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 186
   at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
   at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320

@Jormungand999
Author

It's crashing in this code:

case VAULT_ELEMENT_TYPE.ByteArray:
    var o = (VAULT_BYTE_ARRAY)Marshal.PtrToStructure(elementPtr, typeof(VAULT_BYTE_ARRAY));
    var array = new byte[o.Length];
    Marshal.Copy(o.pData, array, 0, o.Length);
    value = array;
    break;

The Length is 0 and pData is also a null pointer, so the Marshal.Copy throws an exception.

@Jormungand999
Author

I tried to commit a small code change so that the array isn't copied if the byte array has zero length, but I do not have the permission to do that :-)

Anyway, I let the code run with the changed code and now it crashes when it wants to read the second item that is similar to the one before (also one with a ByteArray).

It crashes in this function, VaultGetItem_WIN8, and I think that might be because tempIdentityElement == null in that case:

result = vaultItemType == typeof(VAULT_ITEM_WIN8) ?
    VaultGetItem_WIN8(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, tempPackageSid ?? IntPtr.Zero, IntPtr.Zero, 0, ref passwordVaultItem) :
    VaultGetItem_WIN7(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);

Exception message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Stack trace:

   at Seatbelt.VaultCli.VaultGetItem_WIN8(IntPtr vaultHandle, Guid& schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr pPackageSid, IntPtr zero, Int32 arg6, IntPtr& passwordVaultPtr)
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultItem(IntPtr vaultHandle, IntPtr vaultItemPtr, Guid& schemaId, Nullable`1& pPackageSid, IntPtr& pResourceElement, IntPtr& pIdentityElement, UInt64& lastModified, IntPtr& pAuthenticatorElement) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 162
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 179
   at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
   at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320
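
Added example (not Seatbelt's code, and not written by anyone in this thread): a defensive version of the ByteArray branch quoted two comments up, plus the pointer check a caller would want before the VaultGetItem call above. It assumes a VAULT_BYTE_ARRAY layout of a DWORD Length followed by a pData pointer, using the field names from the snippet; the real struct in Seatbelt may differ. The helper BuildElement constructs sample elements in unmanaged memory so the code runs without a real vault: one holding four bytes and one empty element (Length 0, pData NULL), which is exactly the case that made Marshal.Copy throw ArgumentNullException. CanCallVaultGetItem is a hypothetical guard for the second crash: it refuses to make the native call when the resource or identity element pointer is NULL, so the enumeration skips that item instead of faulting.

```csharp
using System;
using System.Runtime.InteropServices;

// Assumed layout (DWORD Length, then a pointer to the bytes), using the
// field names seen in the thread. The actual Seatbelt struct may differ.
[StructLayout(LayoutKind.Sequential)]
struct VAULT_BYTE_ARRAY
{
    public uint Length;
    public IntPtr pData;
}

static class VaultByteArrayDemo
{
    // Defensive ByteArray branch: an element with Length == 0 and/or
    // pData == NULL is a legitimately empty value, not an error, so return an
    // empty array rather than letting Marshal.Copy throw ArgumentNullException
    // and abort the whole WindowsVault enumeration.
    public static byte[] ReadByteArray(IntPtr elementPtr)
    {
        if (elementPtr == IntPtr.Zero)
            throw new ArgumentNullException(nameof(elementPtr));

        var o = Marshal.PtrToStructure<VAULT_BYTE_ARRAY>(elementPtr);
        if (o.Length == 0 || o.pData == IntPtr.Zero)
            return Array.Empty<byte>();

        var array = new byte[o.Length];
        Marshal.Copy(o.pData, array, 0, (int)o.Length);
        return array;
    }

    // Hypothetical guard for the VaultGetItem call: the native API dereferences
    // the resource and identity element pointers, so a NULL in either one is a
    // caller bug. Skip the item instead of passing NULL into unmanaged code.
    public static bool CanCallVaultGetItem(IntPtr resourceElement, IntPtr identityElement)
    {
        return resourceElement != IntPtr.Zero && identityElement != IntPtr.Zero;
    }

    // Builds a VAULT_BYTE_ARRAY in unmanaged memory from constructed sample data
    // so the guard can be exercised offline. The caller frees both pointers.
    public static IntPtr BuildElement(byte[] data, out IntPtr dataPtr)
    {
        dataPtr = IntPtr.Zero;
        var s = new VAULT_BYTE_ARRAY { Length = (uint)data.Length };
        if (data.Length > 0)
        {
            dataPtr = Marshal.AllocHGlobal(data.Length);
            Marshal.Copy(data, 0, dataPtr, data.Length);
            s.pData = dataPtr;
        }
        var elem = Marshal.AllocHGlobal(Marshal.SizeOf<VAULT_BYTE_ARRAY>());
        Marshal.StructureToPtr(s, elem, false);
        return elem;
    }

    static void Main()
    {
        // Constructed samples: a 4-byte blob, and an empty element (Length 0, pData NULL)
        // like the TERMSRV entries reported in this issue.
        foreach (var sample in new[] { new byte[] { 0xDE, 0xAD, 0xBE, 0xEF }, new byte[0] })
        {
            var elem = BuildElement(sample, out var dataPtr);
            try
            {
                var bytes = ReadByteArray(elem);
                Console.WriteLine($"Length={sample.Length}: read {bytes.Length} byte(s) {BitConverter.ToString(bytes)}");
            }
            finally
            {
                Marshal.FreeHGlobal(elem);
                if (dataPtr != IntPtr.Zero) Marshal.FreeHGlobal(dataPtr);
            }
        }

        // Identity element missing: the guard says not to call VaultGetItem for this item.
        Console.WriteLine("identity element NULL, call VaultGetItem? " +
                          CanCallVaultGetItem(new IntPtr(1), IntPtr.Zero));
    }
}
```

The design point is that an empty element is data, not an error: returning an empty array keeps the rest of the vault enumeration running and lets the command report the item with an empty authenticator, while a NULL element pointer handed to a native API is a caller-side defect and should be filtered out before the call rather than caught as an access violation afterwards.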

@leechristensen
Member

Hmm... does Mimikatz's vault::list command work for you by chance?
