Codebase list mimikatz / debian/2.1.1-20171219-0kali1 mimicom.idl
debian/2.1.1-20171219-0kali1

Tree @debian/2.1.1-20171219-0kali1 (Download .tar.gz)

mimicom.idl @debian/2.1.1-20171219-0kali1raw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
import "ms-dtyp.idl";
[
   uuid(17FC11E9-C258-4B8D-8D07-2F4125156244),
   version(1.0)
]
interface MimiCom
{
	typedef [context_handle] void* MIMI_HANDLE;

	typedef unsigned int ALG_ID;
	typedef struct _MIMI_PUBLICKEY {
		ALG_ID sessionType;
		DWORD cbPublicKey;
		[size_is(cbPublicKey)] BYTE *pbPublicKey;
	} MIMI_PUBLICKEY, *PMIMI_PUBLICKEY;
		
	NTSTATUS MimiBind(
		[in] handle_t rpc_handle,
		[in, ref] PMIMI_PUBLICKEY clientPublicKey,
		[out, ref] PMIMI_PUBLICKEY serverPublicKey,
		[out, ref] MIMI_HANDLE *phMimi
	);
	
	NTSTATUS MiniUnbind(
		[in, out, ref] MIMI_HANDLE *phMimi
	);

	NTSTATUS MimiCommand(
		[in, ref] MIMI_HANDLE phMimi,
		[in] DWORD szEncCommand,
		[in, size_is(szEncCommand), unique] BYTE *encCommand,
		[out, ref] DWORD *szEncResult,
		[out, size_is(, *szEncResult)] BYTE **encResult
	);

	NTSTATUS MimiClear(
		[in] handle_t rpc_handle,
		[in, string] wchar_t *command,
		[out] DWORD *size,
		[out, size_is(, *size)] wchar_t **result
	);
}

// Privacy of RPC exchange can be ~guaranteed by protocol, *except when not using authentication*
// mimikatz try to avoid clear credentials on the network by using basic encryption at application level.
//
// Diffie-Hellman key exchange
// ===========================
//
// > Parameters used: Second Oakley Group ( https://tools.ietf.org/html/rfc2409#section-6.2 )
// 
// * ALG_ID sessionType
//   session key type to use after DH exchange, it can be: CALG_CYLINK_MEK(0x660c), CALG_RC2(0x6602), CALG_RC4(0x6801), CALG_DES(0x6601), CALG_3DES_112(0x6609) or CALG_3DES(0x6603)
//   see: https://msdn.microsoft.com/library/windows/desktop/bb394802.aspx and https://msdn.microsoft.com/library/windows/desktop/aa375549.aspx
//
// * DWORD cbPublicKey
//   size of pbPublicKey: 144 (sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY) + sizeof(1024bits key)
//
// * BYTE *pbPublicKey
//   PUBLICKEYBLOB structure of the DH key ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa381970(v=vs.85).aspx#code-snippet-1 )
//
//   Example:
//   --------
//   06 02 00 00	PUBLICKEYBLOB (06), CUR_BLOB_VERSION (02), reserved (00 00)
//   02 aa 00 00	ALG_ID: CALG_DH_EPHEM(0xaa02)
//
//   00 44 48 31	Magic : \0DH1
//   00 04 00 00	1024bits (128bytes bellow)
//   a9 90 e8 86 59 2d 88 a7 32 e1 05 35 26 24 d9 fd
//   ae f5 53 46 ca a4 79 cc a9 a3 57 45 e8 54 e7 fd
//   fe 99 24 df 71 6a 44 2c f7 0a 09 ac e4 e6 44 f8
//   4c 51 63 c3 86 1e 14 4a 9a f0 e0 a9 e0 38 26 72
//   75 27 cb 60 9f 0d 15 2c 37 39 a0 b0 72 b6 14 85
//   5f 18 7f c0 0d 26 d1 3b 6f 14 c1 99 22 8f 74 ef
//   68 0c 24 bb 77 ff b3 c5 9e ed ff 76 71 c1 ee ce
//   eb 77 46 00 52 d8 4c 5c bc af fd 28 3d 76 83 b3
//
// > Don't forget you may need to reverse some key bytearrays from Windows point of view, and to reset session key state between calls ;)