msv kerberos wdigest fix for 24H2

SkelSec · SkelSec · commit c32178752c2c · 2025-02-22T03:59:03.000-08:00
diff --git a/pypykatz/lsadecryptor/packages/kerberos/templates.py b/pypykatz/lsadecryptor/packages/kerberos/templates.py
@@ -10,6 +10,7 @@
 	DWORD, LSA_UNICODE_STRING, PKERB_EXTERNAL_NAME, KIWI_GENERIC_PRIMARY_CREDENTIAL, \
 	LUID, PLSAISO_DATA_BLOB
 from pypykatz.lsadecryptor.package_commons import PackageTemplate
+from pypykatz.commons.common import hexdump
 
 class KerberosTemplate(PackageTemplate):
 	def __init__(self, sysinfo):
@@ -101,10 +102,19 @@ def get_template(sysinfo):
 				template.hash_password_struct = KERB_HASHPASSWORD_6_1607
 				template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
 			
-			elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2022.value:
+			#elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2022.value:
+			#	template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
+			#	template.first_entry_offset = 6
+			#	template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
+			#	template.kerberos_ticket_struct = KIWI_KERBEROS_INTERNAL_TICKET_11
+			#	template.keys_list_struct = KIWI_KERBEROS_KEYS_LIST_6
+			#	template.hash_password_struct = KERB_HASHPASSWORD_6_1607
+			#	template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
+
+			elif sysinfo.buildnumber >= WindowsBuild.WIN_11_24H2.value:
 				template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
 				template.first_entry_offset = 6
-				template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
+				template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_24H2
 				template.kerberos_ticket_struct = KIWI_KERBEROS_INTERNAL_TICKET_11
 				template.keys_list_struct = KIWI_KERBEROS_KEYS_LIST_6
 				template.hash_password_struct = KERB_HASHPASSWORD_6_1607
@@ -607,7 +617,6 @@ def __init__(self, reader):
 		
 class KIWI_KERBEROS_LOGON_SESSION_10_1607:
 	def __init__(self, reader):
-		#input('aaaaaaaaa\n' + hexdump(reader.peek(0x300)))
 		self.UsageCount = ULONG(reader).value
 		reader.align()
 		self.unk0 = LIST_ENTRY(reader)
@@ -653,6 +662,62 @@ def __init__(self, reader):
 		self.Tickets_3 = LIST_ENTRY(reader)
 		self.unk29 = FILETIME(reader).value
 		self.SmartcardInfos = PVOID(reader)
+
+
+# looks the same as the 10_1607
+class KIWI_KERBEROS_24H2_PRIMARY_CREDENTIAL:
+	def __init__(self, reader):
+		self.UserName = LSA_UNICODE_STRING(reader)
+		self.Domaine = LSA_UNICODE_STRING(reader)
+		self.unkFunction = PVOID(reader).value
+		self.type = DWORD(reader).value # // or flags 2 = normal, 1 = ISO(reader).value
+		reader.align()
+		self.Password = LSA_UNICODE_STRING(reader) #	union {
+		self.IsoPassword = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607_ISO(reader)
+
+class KIWI_KERBEROS_LOGON_SESSION_24H2:
+	def __init__(self, reader):
+		#input('aaaaaaaaa\n' + hexdump(reader.peek(0x300), start = reader.tell()))
+		self.UsageCount = ULONG(reader).value
+		reader.align()
+		self.unk0 = LIST_ENTRY(reader)
+		#self.unk1 = PVOID(reader).value
+		self.unk1b = ULONG(reader).value
+		reader.align()
+		self.unk2 = FILETIME(reader).value
+		self.unk4 = PVOID(reader).value
+		self.unk5 = PVOID(reader).value
+		self.unk6 = PVOID(reader).value
+		self.LocallyUniqueIdentifier = LUID(reader).value
+		self.unk7 = FILETIME(reader).value
+		self.unk8 = PVOID(reader).value
+		self.unk8b = ULONG(reader).value
+		reader.align()
+		self.unk9 = FILETIME(reader).value
+		self.unk11 = PVOID(reader).value
+		self.unk12 = PVOID(reader).value
+		reader.align(8)	
+		self.credentials = KIWI_KERBEROS_24H2_PRIMARY_CREDENTIAL(reader)
+		self.unk14 = ULONG(reader).value
+		self.unk15 = ULONG(reader).value
+		self.unk16 = ULONG(reader).value
+		self.unk17 = ULONG(reader).value
+		self.unk18 = PVOID(reader).value
+		self.unk19 = PVOID(reader).value
+		self.unk20 = PVOID(reader).value
+		self.unk21 = PVOID(reader).value
+		self.unk22 = PVOID(reader).value
+		self.unk23 = PVOID(reader).value
+		reader.align()
+		self.pKeyList = PVOID(reader)
+		self.unk26 = PVOID(reader).value
+		self.Tickets_1 = LIST_ENTRY(reader)
+		self.unk27 = FILETIME(reader).value
+		self.Tickets_2 = LIST_ENTRY(reader)
+		self.unk28 = FILETIME(reader).value
+		self.Tickets_3 = LIST_ENTRY(reader)
+		self.unk29 = FILETIME(reader).value
+		self.SmartcardInfos = PVOID(reader)
 		
 		
 class KIWI_KERBEROS_LOGON_SESSION_10_1607_X86:
diff --git a/pypykatz/lsadecryptor/packages/msv/decryptor.py b/pypykatz/lsadecryptor/packages/msv/decryptor.py
@@ -323,7 +323,16 @@ def find_first_entry(self):
 
 		#getting logon session ptr
 		self.log('Logon session PTR @ %s' % hex(position + self.decryptor_template.first_entry_offset))
-		ptr_entry_loc = self.reader.get_ptr_with_offset(position + self.decryptor_template.first_entry_offset) + self.decryptor_template.first_entry_offset_correction
+		additional_offset = 0
+		if self.decryptor_template.first_entry_offset_correction != 0:
+			self.log('This template uses offset correction!')
+			offsetpos = position + self.decryptor_template.first_entry_offset_correction
+			self.log('Fetching additional offset from %s' % hex(offsetpos))
+			self.reader.move(offsetpos)
+			additional_offset = int.from_bytes(self.reader.read(4), byteorder = 'little', signed = False)
+			self.log('Additional offset value: %s' % hex(additional_offset))
+			
+		ptr_entry_loc = self.reader.get_ptr_with_offset(position + self.decryptor_template.first_entry_offset) + additional_offset		
 		self.log('Logon session PTR -> %s' % hex(ptr_entry_loc))
 		ptr_entry = self.reader.get_ptr(ptr_entry_loc) 
 		self.log('Logon session @ %s' % hex(ptr_entry))
diff --git a/pypykatz/lsadecryptor/packages/msv/templates.py b/pypykatz/lsadecryptor/packages/msv/templates.py
@@ -152,11 +152,10 @@ def get_template(sysinfo):
 				template.offset2 = -4
 			
 			else:
-				print(11111)
 				template.signature = b'\x45\x89\x34\x24\x8b\xfb\x45\x85\xc0\x0f'
 				template.first_entry_offset = 25
 				template.offset2 = -16
-				template.first_entry_offset_correction = 0x184250
+				template.first_entry_offset_correction = 34
 		
 		elif sysinfo.architecture == KatzSystemArchitecture.X86:
 			if WindowsMinBuild.WIN_XP.value <= sysinfo.buildnumber < WindowsMinBuild.WIN_2K3.value:
diff --git a/pypykatz/lsadecryptor/packages/wdigest/decryptor.py b/pypykatz/lsadecryptor/packages/wdigest/decryptor.py
@@ -8,6 +8,7 @@
 
 from pypykatz.lsadecryptor.package_commons import PackageDecryptor
 from pypykatz.commons.win_datatypes import LSA_UNICODE_STRING
+from pypykatz.commons.common import hexdump
 
 class WdigestCredential:
 	def __init__(self):
@@ -72,6 +73,7 @@ def add_entry(self, wdigest_entry):
 		wc.username = UserName.read_string(self.reader)
 		wc.domainname = DomainName.read_string(self.reader)
 		wc.encrypted_password = Password.read_maxdata(self.reader)
+
 		if wc.username.endswith('$') is True:
 			wc.password, wc.password_raw = self.decrypt_password(wc.encrypted_password, bytes_expected=True)
 			if wc.password is not None:
