Comments (17)
Do you happen to know what application or Windows component is creating the vault item?
from seatbelt.
In the Credential Manager I see entries like this:
TERMSRV/0.0.0.0
or
TERMSRV/the.fully.qualified.hostname.here
I think it's these entries causing the errors.
from seatbelt.
I've been doing some debugging and indeed these are the entries causing the problem.
from seatbelt.
Maybe this helps a bit, using the CredMan.ps1 script found here:
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
I was able to read some more info using the Enum-Creds function.
Here's an example of the output:
Flags : NONE
Type : DOMAIN_PASSWORD
TargetName : Domain:target=TERMSRV/[REDACTED]
Comment :
LastWritten : 1/8/2019 12:42:35 PM
CredentialBlobSize : 0
CredentialBlob :
Persist : LOCAL_MACHINE
AttributeCount : 0
Attributes : 0
TargetAlias :
UserName : [REDACTED]
from seatbelt.
We actually do have an implementation of that approach (using CredEnumerate) in the CredEnum command. Does that command return similar results to the CredMan.ps1 script?
We currently have several Vault element types unimplemented, as the code was based on Matt Graeber's Get-VaultCredential.ps1 code which purposely left those unimplemented. I want to implement at least the ByteArray scenario but I haven't been able to recreate a "real" entry of that type for testing.
from seatbelt.
Indeed, CredEnum outputs something similar to CredMan.ps1:
Target : TERMSRV/[REDACTED]
UserName : [REDACTED]
Password :
CredentialType : DomainPassword
PersistenceType : LocalComputer
LastWriteTime : 1/9/2019 12:40:25 PM
Do you know why the password field is empty in this case?
from seatbelt.
They may not have saved a password, but it's hard to say. If you want to investigate more, you could use Mimikatz to manually decrypt the masterkey/credential files (that's beyond the scope of here).
Re. the Vault stuff, looks like Mimikatz just prints the byte array. It also has support for parsing some of the known structures that are stored in those byte arrays.
from seatbelt.
@Jormungand999 would you mind running the code in this branch and seeing if it helps any? Trying to narrow down for sure where it's at.
from seatbelt.
With that branch, I get errors like these:
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
from seatbelt.
In the output, were the other fields (Identity, Resource, PackageSid, and LastModified) populating okay?
Also, what's the OS version? (Open cmd.exe and run ver)
from seatbelt.
The OS version is Microsoft Windows [Version 10.0.18363.836]
The full output looks like this:
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
ERROR: Could not parse authenticator for Vault GUID 77bc582b-f0a6-4e15-4e80-61736b6f3b29: System.NotImplementedException: VAULT_ELEMENT_TYPE 'ByteArray' is currently not implemented
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 295
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 185
Vault GUID : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
Vault Type : Windows Credentials
from seatbelt.
Let me know if I can help with something. I can develop code, I just don't have any info about how these byte arrays are stored.
I'm guessing first an int that indicates the array size and then the array bytes, but I'm not sure...
from seatbelt.
@Jormungand999 could you try the latest version of vaultbugs branch? I think I got it now.
from seatbelt.
@leechristensen it still errors out:
ERROR: [!] Terminating exception running command 'WindowsVault': System.ArgumentNullException: Value cannot be null.
Parameter name: source
at System.Runtime.InteropServices.Marshal.CopyToManaged(IntPtr source, Object destination, Int32 startIndex, Int32 length)
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultElementValue(IntPtr vaultElementPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 286
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 186
at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320
from seatbelt.
It's crashing in this code:
    case VAULT_ELEMENT_TYPE.ByteArray:
        var o = (VAULT_BYTE_ARRAY)Marshal.PtrToStructure(elementPtr, typeof(VAULT_BYTE_ARRAY));
        var array = new byte[o.Length];
        Marshal.Copy(o.pData, array, 0, o.Length);
        value = array;
        break;
The Length is 0 and pData is also a null pointer, so the Marshal.Copy throws an exception.
from seatbelt.
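As an added example (not Seatbelt's code and not written by anyone in this thread), one way to guard the ByteArray case quoted above so that an element with Length 0 and a null pData yields an empty array instead of an exception. The struct layout is assumed from the two fields used in the snippet, `ReadByteArray` and `RoundTrip` are hypothetical helpers, and the inputs are constructed in unmanaged memory.

```csharp
using System;
using System.Runtime.InteropServices;

static class VaultByteArrayDemo
{
    // Assumed layout: only the two fields referenced in the thread.
    [StructLayout(LayoutKind.Sequential)]
    struct VAULT_BYTE_ARRAY
    {
        public int Length;
        public IntPtr pData;
    }

    // Hypothetical helper: validate the native values before copying.
    static byte[] ReadByteArray(IntPtr elementPtr)
    {
        if (elementPtr == IntPtr.Zero)
            return new byte[0];
        var o = (VAULT_BYTE_ARRAY)Marshal.PtrToStructure(elementPtr, typeof(VAULT_BYTE_ARRAY));
        // Empty authenticator (the TERMSRV entries here): nothing to copy.
        if (o.Length <= 0 || o.pData == IntPtr.Zero)
            return new byte[0];
        var array = new byte[o.Length];
        Marshal.Copy(o.pData, array, 0, o.Length);
        return array;
    }

    // Builds a constructed VAULT_BYTE_ARRAY in unmanaged memory and reads it back.
    static byte[] RoundTrip(byte[] payload)
    {
        IntPtr data = IntPtr.Zero, element = IntPtr.Zero;
        try
        {
            if (payload.Length > 0)
            {
                data = Marshal.AllocHGlobal(payload.Length);
                Marshal.Copy(payload, 0, data, payload.Length);
            }
            element = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(VAULT_BYTE_ARRAY)));
            var native = new VAULT_BYTE_ARRAY { Length = payload.Length, pData = data };
            Marshal.StructureToPtr(native, element, false);
            return ReadByteArray(element);
        }
        finally
        {
            if (element != IntPtr.Zero) Marshal.FreeHGlobal(element);
            if (data != IntPtr.Zero) Marshal.FreeHGlobal(data);
        }
    }

    static void Main()
    {
        Console.WriteLine(RoundTrip(new byte[] { 0xDE, 0xAD, 0xBE, 0xEF }).Length);
        Console.WriteLine(RoundTrip(new byte[0]).Length); // Length 0, pData null
    }
}
```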
I tried to commit a small code change so that the array isn't copied if the byte array has zero length, but I do not have the permission to do that :-)
Anyway, I let the code run with the changed code and now it crashes when it wants to read the second item that is similar to the one before (also one with a ByteArray).
It crashes in this function VaultGetItem_WIN8 and I think that might be because tempIdentityElement == null in that case:
    result = vaultItemType == typeof(VAULT_ITEM_WIN8) ?
        VaultGetItem_WIN8(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, tempPackageSid ?? IntPtr.Zero, IntPtr.Zero, 0, ref passwordVaultItem) :
        VaultGetItem_WIN7(vaultHandle, ref tempSchemaGuidId, tempResourceElement, tempIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
Exception message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Stack trace:
at Seatbelt.VaultCli.VaultGetItem_WIN8(IntPtr vaultHandle, Guid& schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr pPackageSid, IntPtr zero, Int32 arg6, IntPtr& passwordVaultPtr)
at Seatbelt.Commands.Windows.WindowsVaultCommand.GetVaultItem(IntPtr vaultHandle, IntPtr vaultItemPtr, Guid& schemaId, Nullable`1& pPackageSid, IntPtr& pResourceElement, IntPtr& pIdentityElement, UInt64& lastModified, IntPtr& pAuthenticatorElement) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 162
at Seatbelt.Commands.Windows.WindowsVaultCommand.ParseVaultItem(IntPtr vaultHandle, Guid vaultGuid, IntPtr vaultItemPtr) in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 179
at Seatbelt.Commands.Windows.WindowsVaultCommand.<Execute>d__10.MoveNext() in C:\git\tmp\Seatbelt\Seatbelt\Commands\Windows\WindowsVaultCommand.cs:line 104
at Seatbelt.Runtime.ExecuteCommand(CommandBase command, String[] commandArgs) in C:\git\tmp\Seatbelt\Seatbelt\Runtime.cs:line 320
from seatbelt.
Hmm... does Mimikatz's vault::list command work for you by chance?
from seatbelt.