New extension for Mimkatz v2.0 #79
Conversation
This is a seprate extension because the old Mimikatz supports more operating systems, while the new Mimikatz has more features for less operating systems.
Also fix up a few other niggles.
|
Test FAILED. |
|
Test PASSED. |
In some cases this extension would crash. This was due to the code using the incorrect "length" variable when dumping LSA data. This commit includes addition of some debug output, removal of other debug output, and changing of the kiwi-specific debug definition. Another packet function was added to aid in construction of this fix, and the group packet function was added to one of the calls.
|
Test PASSED. |
|
Test PASSED. |
|
Test PASSED. |
| targetTlv->buffer = lpStr; | ||
| } | ||
|
|
||
| return lpStr; |
There was a problem hiding this comment.
This function appears to leak lpStr, no?
There was a problem hiding this comment.
See the function sig mate:
@remark On success, the Tlv will contain a pointer to memory that needs to be released using \c free().
However, this function has been effectively deprecated thanks to the group TLV thing, which allows the other version to be used. I think I can safely remove this function anyway.
|
Test PASSED. |
|
Hey guys, is there anything else majorly concerning about this? |
|
This indeed requires more attention. Quite a large PR, but I'll allocate time to this tomorrow. |
|
Yeah sorry mate. I realise it's a biggie, which is why I haven't implemented all the features yet. Cheers for the response! |
|
Thank you @jlee-r7 :) |
Behold! This is the guts of a new extension called Kiwi, and it embodies the beginnings of a fully fledged container for all of the new goodness that Ben Delpy has baked into Mimkatz v2.0. There's lots of stuff in here so I don't expect this thing to land overnight.
The crux of its use and rationel will be in the MSF side of this PR. So for full details head over there rapid7/metasploit-framework#3121.
This includes all source up to and including revision
r107from the Mimikatz source repo. All copyright/file headers have been retained to adhere to the licence agreement. Extra code has been added to enable Meterpreter to do a better job of pulling out the details that Mimikatz has extracted.Instead of doing the CSV-style approach like the original mimikatz extension did, this one actually operates directly on the data structures that this code operates on, which means we don't have to serialise everything to strings prior to sending it over to Metasploit.
This functionality, while inclusive of all the Mimikatz 2.0 code, has not exposed all the functions that are available. For details of the functions that have been exposed, please see the MSF PR.
The MSF PR is here: rapid7/metasploit-framework#3121