Comments (17)

leechristensen commented on June 27, 2024

Do you happen to know what application or Windows component is creating the vault item?

from seatbelt.

Jormungand999 commented on June 27, 2024

In the Credential Manager I see entries like this:

TERMSRV/0.0.0.0

or

TERMSRV/the.fully.qualified.hostname.here

I think it's these entries causing the errors.

Jormungand999 commented on June 27, 2024

I've been doing some debugging, and indeed those are the entries causing the problem.

Jormungand999 commented on June 27, 2024

Maybe this helps a bit, using the CredMan.ps1 script found here:
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

I was able to read some more info using the Enum-Creds function.
Here's an example of the output:

Flags              : NONE
Type               : DOMAIN_PASSWORD
TargetName         : Domain:target=TERMSRV/[REDACTED]
Comment            :
LastWritten        : 1/8/2019 12:42:35 PM
CredentialBlobSize : 0
CredentialBlob     :
Persist            : LOCAL_MACHINE
AttributeCount     : 0
Attributes         : 0
TargetAlias        :
UserName           : [REDACTED]

HarmJ0y commented on June 27, 2024

We actually do have an implementation of that approach (using CredEnumerate) in the CredEnum command. Does that command return results similar to the CredMan.ps1 script?

We currently have several Vault element types unimplemented, as the code was based on Matt Graeber's Get-VaultCredential.ps1 code which purposely left those unimplemented. I want to implement at least the ByteArray scenario but I haven't been able to recreate a "real" entry of that type for testing.

Jormungand999 commented on June 27, 2024

Indeed, CredEnum outputs something similar to CredMan.ps1:

  Target              : TERMSRV/[REDACTED]
  UserName            : [REDACTED]
  Password            :
  CredentialType      : DomainPassword
  PersistenceType     : LocalComputer
  LastWriteTime       : 1/9/2019 12:40:25 PM

Do you know why the password field is empty in this case?

leechristensen commented on June 27, 2024

They may not have saved a password, but it's hard to say. If you want to investigate more, you could use Mimikatz to manually decrypt the masterkey/credential files (that's beyond the scope here).

Re. the Vault stuff, it looks like Mimikatz just prints the byte array. It also has support for parsing some of the known structures that are stored in those byte arrays.

leechristensen commented on June 27, 2024

@Jormungand999 would you mind running the code in this branch and seeing if it helps any? Trying to narrow down for sure where it's at.

Jormungand999 commented on June 27, 2024

With that branch, I get errors like these:

ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185

leechristensen commented on June 27, 2024

In the output, were the other fields (Identity, Resource, PackageSid, and LastModified) populating okay?

Also, what's the OS version? (Open cmd.exe and run ver)

Jormungand999 commented on June 27, 2024

The OS version is Microsoft Windows [Version 10.0.18363.836]

The full output looks like this:

ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185

  Vault GUID     : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
  Vault Type     : Windows Credentials

Jormungand999 commented on June 27, 2024

Let me know if I can help with something. I can develop code; I just don't have any info about how these byte arrays are stored.
I'm guessing first an int that indicates the array size and then the array bytes, but I'm not sure...

leechristensen commented on June 27, 2024

@Jormungand999 could you try the latest version of vaultbugs branch? I think I got it now.

Jormungand999 commented on June 27, 2024

@leechristensen it still errors out:

ERROR:   [!] Terminating exception running command 'WindowsVault': System.ArgumentNullException: Value cannot be null.
Parameter name: source
   at System.Runtime.InteropServices.Marshal.CopyToManaged(IntPtr source, Object destination, Int32 startIndex, Int32 length)
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 286
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 186
   at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
   at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320

Jormungand999 commented on June 27, 2024

It's crashing in this code:

                case VAULT_ELEMENT_TYPE.ByteArray:
                    var o = (VAULT_BYTE_ARRAY)Marshal.PtrToStructure(elementPtr, typeof(VAULT_BYTE_ARRAY));
                    var array = new byte[o.Length];
                    Marshal.Copy(o.pData, array, 0, o.Length);
                    value = array;
                    break;

The Length is 0 and pData is also a null pointer, so Marshal.Copy throws an exception.

Jormungand999 commented on June 27, 2024

I tried to commit a small code change so that the array isn't copied if the byte array has zero length, but I do not have the permission to do that :-)

Anyway, I ran the changed code, and now it crashes when it reads the second item, which is similar to the one before (also one with a ByteArray).

It crashes in the function VaultGetItem_WIN8, and I think that might be because tempIdentityElement == null in that case:

            result = vaultItemType == typeof(VAULT_ITEM_WIN8) ?
                VaultGetItem_WIN8(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, tempPackageSid ?? IntPtr.Zero, IntPtr.Zero, 0, ref passwordVaultItem) :
                VaultGetItem_WIN7(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);

Exception message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Stack trace:

   at Seatbelt.VaultCli.VaultGetItem_WIN8(IntPtr vaultHandle, Guid& schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr pPackageSid, IntPtr zero, Int32 arg6, IntPtr& passwordVaultPtr)
   at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultItem(IntPtr vaultHandle, IntPtr vaultItemPtr, Guid& schemaId, Nullable`1& pPackageSid, IntPtr& pResourceElement, IntPtr& pIdentityElement, UInt64& lastModified, IntPtr& pAuthenticatorElement) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 162
   at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 179
   at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
   at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320

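The zero-length ByteArray case from the two comments above, as an added example that is not Seatbelt's or Mimikatz's code: a C model of the VAULT_BYTE_ARRAY layout the posted snippet marshals (a 32-bit Length followed by a pointer to the bytes, rather than the length followed inline by the bytes), with a copy routine that returns an empty result when Length is 0 and pData is NULL instead of dereferencing the pointer, refuses the inconsistent case of a non-zero Length with a NULL pointer, and renders the bytes as hex the way an unparsed authenticator blob gets dumped. The function names and the constructed sample bytes are assumptions for this example; it does not call the real vaultcli API, so it runs offline.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the layout of the VAULT_BYTE_ARRAY struct posted in the thread:
   a 32-bit length followed by a pointer to the bytes. On x64 the pointer
   is 8-byte aligned, so the struct is 16 bytes there, not 12. */
typedef struct {
    uint32_t Length;
    uint8_t *pData;
} VAULT_BYTE_ARRAY;

/* Copy an element's bytes into a freshly malloc'd buffer (hypothetical helper
   for this example). Returns 0 on success, with *out == NULL and *out_len == 0
   for an empty element, and -1 if the element is inconsistent (Length > 0 but
   pData NULL) or allocation fails. pData is never dereferenced when Length is
   0, which is the case that made Marshal.Copy throw in the thread. */
int copy_vault_byte_array(const VAULT_BYTE_ARRAY *el, uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (el == NULL)
        return -1;
    if (el->Length == 0)
        return 0;                 /* empty blob: nothing to copy, not an error */
    if (el->pData == NULL)
        return -1;                /* non-zero length with no data: refuse to read */
    uint8_t *buf = malloc(el->Length);
    if (buf == NULL)
        return -1;
    memcpy(buf, el->pData, el->Length);
    *out = buf;
    *out_len = el->Length;
    return 0;
}

/* Render bytes as lowercase hex; returns a malloc'd NUL-terminated string,
   "" for an empty input (data may be NULL when len is 0). */
char *to_hex(const uint8_t *data, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *s = malloc(len * 2 + 1);
    if (s == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        s[2 * i] = digits[data[i] >> 4];
        s[2 * i + 1] = digits[data[i] & 0x0f];
    }
    s[len * 2] = '\0';
    return s;
}

int main(void)
{
    /* Constructed sample elements: one empty (as seen in the thread), one
       populated, and one inconsistent that a naive copy would read out of bounds. */
    uint8_t sample[] = { 0xde, 0xad, 0xbe, 0xef };
    VAULT_BYTE_ARRAY elements[] = {
        { 0, NULL },
        { (uint32_t)sizeof sample, sample },
        { 8, NULL },
    };

    for (size_t i = 0; i < sizeof elements / sizeof elements[0]; i++) {
        uint8_t *bytes;
        size_t n;
        if (copy_vault_byte_array(&elements[i], &bytes, &n) != 0) {
            printf("element %zu: rejected (Length=%" PRIu32 ", pData=%p)\n",
                   i, elements[i].Length, (void *)elements[i].pData);
            continue;
        }
        char *hex = to_hex(bytes, n);
        printf("element %zu: %zu byte(s) %s\n", i, n, n ? hex : "(empty)");
        free(hex);
        free(bytes);
    }
    return 0;
}
```

The same two checks (Length == 0 returns an empty value; Length > 0 with a NULL pointer is a parse error rather than a read) are what a managed marshalling loop needs before calling Marshal.Copy.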
leechristensen commented on June 27, 2024

Hmm... does Mimikatz's vault::list command work for you by chance?
