Initial release

.gitignore

@@ -0,0 +1,3 @@
+.vs/
+SecurityPackage/x64/*
+PassTheChallenge/x64/*

PassTheChallenge.sln

@@ -0,0 +1,41 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.3.32825.248
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PassTheChallenge", "PassTheChallenge\PassTheChallenge.vcxproj", "{8F018213-4136-4D97-9084-F0346BBED04F}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SecurityPackage", "SecurityPackage\SecurityPackage.vcxproj", "{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Debug|x64.ActiveCfg = Debug|x64
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Debug|x64.Build.0 = Debug|x64
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Debug|x86.ActiveCfg = Debug|Win32
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Debug|x86.Build.0 = Debug|Win32
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Release|x64.ActiveCfg = Release|x64
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Release|x64.Build.0 = Release|x64
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Release|x86.ActiveCfg = Release|Win32
+		{8F018213-4136-4D97-9084-F0346BBED04F}.Release|x86.Build.0 = Release|Win32
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Debug|x64.ActiveCfg = Debug|x64
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Debug|x64.Build.0 = Debug|x64
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Debug|x86.ActiveCfg = Debug|Win32
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Debug|x86.Build.0 = Debug|Win32
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Release|x64.ActiveCfg = Release|x64
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Release|x64.Build.0 = Release|x64
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Release|x86.ActiveCfg = Release|Win32
+		{2116E6C5-F609-4CA8-B1A1-E87B7BE770A4}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {645B693B-12C2-41D9-9A8E-894AA1656594}
+	EndGlobalSection
+EndGlobal

PassTheChallenge/Constants.h

@@ -0,0 +1,10 @@
+#pragma once
+
+#define MSV1_0_CREDENTIAL_KEY_LENGTH 20
+#define MSV1_0_CHALLENGE_LENGTH 8
+#define MSV1_0_RESPONSE_LENGTH 24
+#define MSV1_0_NTLM3_RESPONSE_LENGTH 16
+#define MSV1_0_USER_SESSION_KEY_LENGTH 16
+#define MSV1_0_NT_OWF_PASSWORD_LENGTH 16
+#define MSV1_0_LM_OWF_PASSWORD_LENGTH 16
+#define MSV1_0_SHA_OWF_PASSWORD_LENGTH 20

PassTheChallenge/Menu.cpp

@@ -0,0 +1,72 @@
+#include "Menu.h"
+
+PARAM CHALLENGE_PARAMS[] = {
+    {"<addresses>", "<context handle>:<proxy info>"},
+    {"<encrypted blob>", "<HEX>"},
+    {"<server challenge>", "<UTF16_HEX domain>:<UTF16_HEX username>:<HEX server name>:<HEX server challenge>"},
+    {NULL, NULL}
+};
+
+PARAM NTHASH_PARAMS[] = {
+    {"<addresses>", "<context handle>:<proxy info>"},
+    {"<encrypted blob>", "<HEX>"},
+    {"[<server challenge>]", "If omitted, a static challenge of 1122334455667788 will be used"},
+    {NULL, NULL}
+};
+
+PARAM PROTECT_PARAMS[] = {
+    {"<addresses>", "<context handle>:<proxy info>"},
+    {"<nt hash>", "<HEX>"},
+    {NULL, NULL}
+};
+
+PARAM COMPARE_PARAMS[] = {
+    {"<addresses>", "<context handle>:<proxy info>"},
+    {"<encrypted blob>", "<HEX>"},
+    {"<encrypted blob/NT hash>", "<HEX>"},
+    {NULL, NULL}
+};
+
+COMMAND_PTR Inject, Ping, Challenge, Compare, NtHash, Protect;
+
+COMMAND COMMANDS[] = {
+    { "inject", "Inject module and start PtC-RPC server inside LSASS", NULL, Inject},
+    { "ping", "Ping the PtC-RPC server inside LSASS", NULL, Ping },
+    { "challenge", "Calculate NTLMv2 Response using encrypted credentials", CHALLENGE_PARAMS, Challenge },
+    { "nthash", "Calculate NTLMv1 Response using encrypted credentials", NTHASH_PARAMS, NtHash },
+    { "protect", "Convert NT hash to encrypted blob", PROTECT_PARAMS, Protect },
+    { "compare", "Compare two encrypted blobs or an encrypted blob with a NT hash", COMPARE_PARAMS, Compare },
+    { NULL, NULL }
+};
+
+LPCCH EXAMPLES[] = {
+    "PtC.exe inject [<module>]",
+    "PtC.exe ping",
+    "PtC.exe challenge 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 6c0079[...]:610064[...]:020008[...]:66a98b[...]",
+    "PtC.exe nthash 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]",
+    "PtC.exe protect 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]",
+    "PtC.exe compare 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 66a98b[...]",
+    NULL
+};
+
+void PrintMenu() {
+    printf("Usage: <command> [<parameters...>]\n");
+    printf("\nCommands:\n");
+    for (int i = 0; ; i++) {
+        if (COMMANDS[i].name == NULL) break;
+        printf("    %s - %s\n", COMMANDS[i].name, COMMANDS[i].description);
+
+        if (COMMANDS[i].params != NULL) {
+            for (int n = 0; ; n++) {
+                if (COMMANDS[i].params[n].name == NULL) break;
+                printf("      %s - %s\n", COMMANDS[i].params[n].name, COMMANDS[i].params[n].description);
+            }
+        }
+    }
+    printf("\nExamples:\n");
+    for (int i = 0; ; i++) {
+        if (EXAMPLES[i] == NULL) break;
+        printf("    %s\n", EXAMPLES[i]);
+    }
+}
+

PassTheChallenge/Menu.h

@@ -0,0 +1,21 @@
+#pragma once
+
+#include <Windows.h>
+#include <stdio.h>
+
+typedef int COMMAND_PTR(int, LPCCH*);
+
+typedef struct _PARAM {
+    LPCCH name;
+    LPCCH description;
+} PARAM, * PPARAM;
+
+typedef struct _COMMAND {
+    LPCCH name;
+    LPCCH description;
+    PPARAM params;
+    COMMAND_PTR* func;
+} COMMAND, * PCOMMAND;
+
+COMMAND COMMANDS[];
+void PrintMenu();