mimikatz @ phdays

mimikatz

Benjamin DELPY `gentilkiwi`
focus on sekurlsa / pass-the-pass

Who ? Why ?

Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer

Started to code mimikatz to :
– explain security concepts ;
– improve my knowledge ;
– prove to Microsoft that sometimes they must change old habits.

Why all in French ?
– because I’m 
– It limits script kiddies usage.
6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2

mimikatz
working
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– partial support for 8 & Server 8 (few kernel driver bugs ;))
– 2000 support dropped with mimikatz 1.0

Everywhere ; it’s statically compiled

Two modes
– direct action (local commands) – process or driver communication
m KeyIso m SamSS
« Isolation de clé CNG » « Gestionnaire de comptes de sécurité »
i LSASS.EXE i LSASS.EXE
m
i
m
i
 VirtualAllocEx,
Direct action :
k crypto::patchcng k WriteProcessMemory,
a a
t t  CreateRemoteThread...

EventLog sekurlsa.dll
z z
« Journal d’événements Windows »
. SVCHOST.EXE
.
Open a pipe
e e
x x Write a welcome message
Direct action :
e e Wait commands… and return results
divers::eventdrop


mimikatz
architecture
all in VC/C++ 2010 with some ASM…
mod_mimikatz_standard mod_parseur
KiwiCmd.exe

mod_mimikatz_winmine mod_text
KiwiRegedit.exe
mod_mimikatz_divers mod_memory

m mod_mimikatz_nogpo mod_secacl
mimikatz.sys

i KiwiTaskmgr.exe

m mod_mimikatz_impersonate mod_pipe

i mod_mimikatz_inject mod_inject
kappfree.dll

k mod_mimikatz_samdump mod_hive

a mod_mimikatz_crypto mod_crypto
kelloworld.dll
t
mod_mimikatz_handle mod_patch sam
z
. mod_mimikatz_privilege mod_privilege
klock.dll
secrets

e mod_mimikatz_system mod_system msv_1_0

x mod_mimikatz_service mod_service tspkg
sekurlsa.dll
e mod_mimikatz_process mod_process wdigest

mod_mimikatz_thread mod_thread livessp

mod_mimikatz_terminalserver mod_ts kerberos


mimikatz :: sekurlsa
what is it ?
My favorite library !

A thread that waits, in LSASS, commands from mimikatz (or mubix
meterpreter)

What sekurlsa can do from the inside ?
– Dump system secrets
– Dump SAM / DC base
– Dump clear text passwords/hashes
from interactive sessions
• MSV1_0 (dump/inject/delete)
• TsPkg
• WDigest
• LiveSSP
• Kerberos

Let’s start an injection & pass the hash !

history of « pass-the-* » 1/2
Pass-the-hash
– 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan
Ochoa (CoreSecurity)
– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and
provide some downloads of it 
– 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86
& x64 versions of Windows (yeah, by myself but in French; so not famous ;))

2007 was the year of pass the hash !

Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
support; Hernan Ochoa (Ampliasecurity)


history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited
to NT 6 and some XP SP3)
• http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider
(unlimited this time ;))
• http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…

…Lots of time…

– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest
password extract…
• http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords
from Windows 8 memory
• http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass


let’s take a moment…
You noticed ?
It has been one year since Microsoft has been notified
about passwords extraction from LSASS
Without any reaction…
– But blacklisting mimikatz from MSE and FEP at 20120228 ;)


mimikatz :: sekurlsa :: tspkg

because sometimes hash is not enough…

what is it ?
Microsoft introduces SSO capability for Terminal Server with
NT 6 to improve RemoteApps and RemoteDestkop users’s
experience
– http://technet.microsoft.com/library/cc772108.aspx

Rely on CredSSP with Credentials Delegation (!= Account
delegation)
– Specs : http://download.microsoft.com/download/9/5/e/95ef66af-
9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression : it seems cool 
– User does not have to type its password
– Password is not in RDP file
– Password is not in user secrets

demo time !

Explanations follow…

questions ?
KB says that for it works, we must enable « Default credentials » delegation
– “Default credentials : The credentials obtained when the user first logs on to
Windows” - https://msdn.microsoft.com/library/bb204773.aspx
• What ? Our User/Domain/,Password | Hash | Ticket- ? It seems …
– In all cases, system seems to be vulnerable to pass-the-*…

In what form ?
Our specs : [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
• The TSPasswordCreds structure contains the user's password credentials that are delegated
to the server. (or PIN)
TSPasswordCreds ::= SEQUENCE {
domainName [0] OCTET STRING,
userName [1] OCTET STRING,
password [2] OCTET STRING
}
– Challenge / response for authentication ?
• Serveur : YES (TLS / Kerberos)
• Client : NO ; *password* is sent to server…

So password resides somewhere in memory ?


symbols & theory
Let’s explore some symbols !
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

– sounds cool… (thanks Microsoft)

Let’s imagine a scenario
– Enumerate all sessions to obtain informations :
• Username
• Domain
• LUID

– Call tspkg!TSCredTableLocateDefaultCreds with LUID to obtain :
• TS_CREDENTIAL

– Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
• TS_PRIMARY_CREDENTIAL with clear text credentials…

test & data

LsaEnumerateLogonSessions

for each LUID

tspkg!TSCredTableLoca
teDefaultCreds

tspkg!TSObtainClearCr
eds

password
in clear ?

test & structures


lazy way
for each LUID

tspkg!TSCredTableLoca typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
teDefaultCreds BYTE unk0[0x88];
#elif defined _M_IX86
BYTE unk0[0x50];
KIWI_TS_CREDEN #endif
TIAL PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

KIWI_TS_PRIMAR typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
PVOID unk0;
Y_CREDENTIAL LSA_UNICODE_STRING Domaine;
LSA_UNICODE_STRING UserName;
LSA_UNICODE_STRING Password;
tspkg!TSObtainClearCr } KIWI_TS_PRIMARY_CREDENTIAL,
*PKIWI_TS_PRIMARY_CREDENTIAL;
eds

KIWI_TS_PRIMAR
Y_CREDENTIAL password
in clear ?

first result
It worked !

Since old Windows’s version I hadn’t seen my Windows password
– I’ve been a little bit afraid

After many hesitations, I published a post and a stable tool update
on my blog at 20110508
– http://blog.gentilkiwi.com/securite/pass-the-pass

But some issues :
– & tspkg!TSObtainClearCreds are not exported
tspkg!TSCredTableLocateDefaultCreds
– tspkg!TSObtainClearCreds not always present…
– Calling conventions can be a problem
– Only NT6 and few XP SP3 (manual provider activation)


final implementation
typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH {
LsaEnumerateLogonSessions #ifdef _M_X64
BYTE unk0[108];
BYTE unk0[64];
#endif
for each LUID LUID LocallyUniqueIdentifier;
#ifdef _M_X64
BYTE unk1[46];
tspkg!TSGlobal KIWI_TS_CREDENTI BYTE unk1[16];
CredTable AL_AVL_SEARCH #endif
} KIWI_TS_CREDENTIAL_AVL_SEARCH,
*PKIWI_TS_CREDENTIAL_AVL_SEARCH;

RtlLookupElementGenericTabl typedef struct _KIWI_TS_CREDENTIAL {
eAvl #ifdef _M_X64
BYTE unk0[0x88];
KIWI_TS_CREDEN BYTE unk0[0x50];
TIAL #endif
KIWI_TS_PRIMAR PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
Y_CREDENTIAL } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
LsaUnprotectMemory PVOID unk0;
LSA_UNICODE_STRING Domaine;
password LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL,
in clear ! *PKIWI_TS_PRIMARY_CREDENTIAL;


demo time !


final result
It works better ;)
– No orphan referenced credentials
– More logic approach (We will see that latter…)

We have just to find :
– tspkg!TSGlobalCredTable
– SeckPkgFunctionTable->LsaUnprotectMemory
• LSA_SECPKG_FUNCTION_TABLE :
http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
• LsaUnprotectMemory :
http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Find this…
We all have personal convictions to search unexported data :
– Hardcoded addresses / offsets (  ) ;
– Disassembly engine ;
– Pattern matching ;
– …


mimikatz :: sekurlsa :: wdigest

because clear text password over http/https is not cool

what is it ?
“Digest access authentication is one of the agreed-upon methods a
web server can use to negotiate credentials with a user's web
browser. It applies a hash function to a password before sending it
over the network *…+”
Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

“Common Digest Authentication Scenarios :
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service
using LDAP”
Microsoft : http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool 
– No password over the network, just hashes
– No reversible password in Active Directory ; hashes for each realm
• Only with Advanced Digest authentication


what is it ?
We speak about hashes, but what hashes ?
H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… realm is from server
side and cannot be determined before Windows logon

WDigest provider must have elements to compute
responses for different servers :
– Username
– Realm (from server)
– Password

theory
This time, we know :
– that WDigest keeps password in memory « by protocol » for HA1 digest
– that LSASS love to unprotect password with LsaUnprotectMemory (so protect
with LsaProtectMemory)

LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let’s perform a research in WDigest :
.text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h]

– Hypothesis seems verified 
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let’s perform a research in WDigest :
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]

– SpAcceptCredentials takes clear password in args
• Protect it with LsaProtectMemory
• Update or insert data in double linked list : wdigest!l_LogSessList


test & data


for each LUID

wdigest!l_LogS
essList

search linked list for LUID

LsaUnprotectMemory

password
in clear ?




for each LUID

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
wdigest!l_LogS struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
DWORD UsageCount;
essList
struct _KIWI_WDIGEST_LIST_ENTRY *This;
LUID LocallyUniqueIdentifier;
[…]
search linked list for LUID LSA_UNICODE_STRING Domaine;
[…]
}
KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY
KIWI_WDIGEST_L ;
IST_ENTRY

LsaUnprotectMemory

password
in clear !


demo time !


result
It works again !

This time we just have to find :
– wdigest!l_LogSessList
– SeckPkgFunctionTable->LsaUnprotectMemory
• LSA_SECPKG_FUNCTION_TABLE :
http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
• LsaUnprotectMemory :
http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Seems generalizable ?


and now what ?
In fact, with TsPkg and WDigest, passwords can be
retrieved from any version of Windows ...
– WDigest
• XP, 2003
• Vista / Seven / 2008 / 2008r2
• 8
But not with a Live account 
– TsPkg
• XP SP3 (manual install)
• Vista / Seven / 2008 / 2008r2
• 8
Even with a Live account 


and now what ?
wce had not copied my TsPkg functionalities
Only WDigest, so they missed 8 Live accounts…

– Kiwi WDigest patterns (last public release)
#ifdef _M_X64
BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D};
BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04};
#endif

– wce patterns

Between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence…

for lack of TsPkg, they can be inspired by next releases ?

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

how ?
Actually I’ve only used logical (empirical) approach to
search passwords… :
– Protocol reading
– Symbols searching

~ Boring ~… be more brutal this time : make a WinDBG trap !
0: kd> !process 0 0 lsass.exe
PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4
DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible>
Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc int 3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g


how ?
Let’s login with a Live account on Windows 8 !
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials Our LiveSSP provider
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

msv1_0!NlpAddPrimaryCredential Yeah, Pass the Hash capability with Live
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials account too…
tspkg!TSHidePassword Live user can logon through RDP via SSO
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
livessp!LsaApLogonUserEx2+0x560 (74781a96):
call to livessp!LiveCreateLogonSession (74784867)

After credentials protection, LsaApLogonUserEx2 calls
LiveCreateLogonSession to insert data in
LiveGlobalLogonSessionList (similar to WDigest)

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
LsaEnumerateLogonSessions struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
PVOID unk0;
PVOID unk1;
PVOID unk2;
for each LUID PVOID unk3;
DWORD unk4;
DWORD unk5;
PVOID unk6;
livessp!LiveGloba LUID LocallyUniqueIdentifier;
lLogonSessionList LSA_UNICODE_STRING UserName;
PVOID unk7;
PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY,
search linked list for LUID *PKIWI_LIVESSP_LIST_ENTRY;

KIWI_LIVESSP_LIS
T_ENTRY typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
KIWI_LIVESSP_PRI DWORD isSupp;
MARY_CREDENTIAL DWORD unk0;
LsaUnprotectMemory } KIWI_LIVESSP_PRIMARY_CREDENTIAL,
*PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
password
in clear !


demo time !


it was a cool trap no ?

Even if we already have tools for normal accounts, are you
not curious to test one with this trap ?*

* Me, yes

mimikatz :: sekurlsa :: kerberos
Let’s login normal account
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
Kerberos, ticket part ? Maybe ;)
kerberos!SpAcceptCredentials

kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession Kerberos part for password ??????
kerberos!SpAcceptCredentials

msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

wdigest!SpAcceptCredentials

tspkg!TSHidePassword
tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls :
– NT6 ; KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
– NT5 ; KerbInsertLogonSession to insert data in
KerbLogonSessionList

mimikatz :: sekurlsa :: kerberos (nt 6)
typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH {
LsaEnumerateLogonSessions #ifdef _M_X64
BYTE unk0[64];
BYTE unk0[36];
#endif
for each LUID LUID LocallyUniqueIdentifier;
} KIWI_KERBEROS_LOGON_AVL_SEARCH,
*PKIWI_KERBEROS_LOGON_AVL_SEARCH;
Kerberos!KerbG
KIWI_KERBEROS_LO
lobalLogonSess
GON_AVL_SEARCH
ionTable typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
DWORD unk0;
PVOID unk1;
PVOID unk2;
RtlLookupElementGenericTabl #ifdef _M_X64
eAvl BYTE unk3[96];
BYTE unk3[68];
#endif
KIWI_KERBEROS_PR LSA_UNICODE_STRING Domaine;
IMARY_CREDENTIAL LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL,
*PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

LsaUnprotectMemory

password
in clear !


mimikatz :: sekurlsa :: kerberos (nt 5)
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
LsaEnumerateLogonSessions struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
DWORD UsageCount;
PVOID unk0;
PVOID unk1;
for each LUID PVOID unk2;
DWORD unk3;
DWORD unk4;
PVOID unk5;
kerberos!KerbLog PVOID unk6;
onSessionList PVOID unk7;
LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
DWORD unk8;
search linked list for LUID #endif
DWORD unk9;
DWORD unk10;
PVOID unk11;
DWORD unk12;
DWORD unk13;
KIWI_LIVESSP_PRI PVOID unk14;
MARY_CREDENTIAL PVOID unk15;
PVOID unk16;
[…]
LsaUnprotectMemory LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION,
*PKIWI_KERBEROS_LOGON_SESSION;
password
in clear !


demo time !


« hu ? »
Ok It works…*
But why ?

*Not at all logon on NT5
*Can need an unlock…

From my understanding of Microsoft explanations, no need of
passwords for the Kerberos protocol… all is based on the hash
(not very sexy too)

BONUS « hu ? »
Microsoft’s implementation of Kerberos is full of logical…

For password auth :
– password hash for shared secret, but keeping password in
memory

For full smartcard auth :
– No password on client
– No hash on client ?
• NTLM hash on client…
• KDC sent it back as a gift


why this is dangerous ?
Not a bug
Not a weakness
Not a vulnerability
Not a 0-day
– (for now, there may be too)

It’s “normal” that LSASS keeps passwords in memory for passwords based
providers when protocols need them
– And hashes for msv1_0…
All of these rely on shared secrets…

So you can’t prevent Windows internal behaviors… (in a supported way)
One change from Microsoft on protocols can impact all versions

I don’t count on a fix or others things in the next [5;10] years…


what we can do ?
Basics
– No physical access to computer (first step to pass the hash)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke)
– Network login instead of interactive (when possible)
– Audit ; pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even VIP

More in depth
– Force strong authentication (SmartCard & Token) : $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic :
• biometrics (it keeps password somewhere and push it to Windows)
• single sign on
– Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
– Let opportunities to stop retrocompatibility
– Disable faulty providers ?
• Is it supported by Microsoft ?
• Even if, you will disable Kerberos and msv1_0 ?


Code it ! Implement it in Meta ! Discover !
Pass the hash :
Package Symbols Description
msv1_0 SeckPkgFunctionTable->GetCredentials Get clear LM & NTLM hashes from LUID
SeckPkgFunctionTable->LsaUnprotectMemory
msv1_0 SeckPkgFunctionTable->LsaProtectMemory Push clear LM & NTLM hashes to LUID
SeckPkgFunctionTable->AddCredential
msv1_0 SeckPkgFunctionTable->DeleteCredential Delete hashes from LUID

Get passwords :
Package Symbols Type
tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE
wdigest wdigest!l_LogSessList LIST_ENTRY
livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY
kerberos kerberos!KerbLogonSessionList LIST_ENTRY
(nt5) SeckPkgFunctionTable->LsaUnprotectMemory
kerberos Kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE
(nt6) SeckPkgFunctionTable->LsaUnprotectMemory


little help to start !
Package Datas Little help
* @getLogonPasswords Use « full » keyword in argument of functions
msv1_0 @getMSV @getMSVFunctions
msv1_0 : ** lsasrv.dll ** ; Statut recherche : OK :) – 3
* Utilisateur : termuser @GetCredentials = 000007F9C1C62938
* Domaine : DEMO @AddCredential = 000007F9C1C71010
* Hash LM : d0e9aee149655a6075e4540af1f22d3b @DeleteCredential = 000007F9C1C61F58
* Hash NTLM : cc36cf7a8514893efccd332446158b1a @LsaUnprotectMemory = 000007F9C1C59960
@LsaProtectMemory = 000007F9C1C628A4
tspkg @getTsPkg @getTsPkgFunctions
tspkg : ** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :)
* Utilisateur : termuser @TSGlobalCredTable = 000007F9C1557B20
* Domaine : DEMO @LsaUnprotectMemory = 000007F9C1C59960
* Mot de passe : waza1234/

wdigest @getWDigest @getWDigestFunctions
wdigest : ** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :)
* Utilisateur : termuser @l_LogSessList = 000007F9C15E12B0
* Domaine : DEMO @LsaUnprotectMemory = 000007F9C1C59960

livessp @getLiveSSP @getLiveSSPFunctions
livessp : ** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :)
* Utilisateur : sekurlsa@live.fr @LiveGlobalLogonSessionList = 000007F9C14E8C68
* Domaine : ps:password @LsaUnprotectMemory = 000007F9C1C59960

kerberos @getKerberos @getKerberosFunctions
kerberos : ** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :)
* Utilisateur : termuser @KerbGlobalLogonSessionTable = 000007F9C1955AE0
* Domaine : DEMO.LOCAL @KerbLogonSessionList = 0000000000000000
* Mot de passe : waza1234/ @LsaUnprotectMemory = 000007F9C1C59960


some ideas
Meterpreter post module
Standalone binary without injection
yeah, it’s easy !
– read all data (sessions, encrypted passwords)
– read all keys and implement your own (un)protectMemory routine !
– decrypt / crypt
Extract all of this from memory dump / hyberfile !
etc…

Make demonstrations to your chief information security
officer
Ask Microsoft to work on better implementation
– Maybe offer possibilities to disable or not some functionalities
– Think globally about data really needed for authentication


mimikatz
what else ?
Crypto mod_mimikatz_crypto mod_crypto

– Export non-exportable certificates and keys
• CryptoAPI
• CNG…
Stop event monitoring mod_mimikatz_divers

Basic GPO bypass mod_mimikatz_nogpo

Applocker / SRP bypass kappfree.dll

Driver mimikatz.sys

– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process / thread / image / registry)
– List Objects hooks and procedures
– …
…

mimikatz
that’s all folks !
Thanks’ to / Спасибо :
– my girlfriend for her support (her LSASS crashed few times)
– Positive Technologies to offer me this great opportunity
– Microsoft to consider it as normal/acceptable 
– Security friends/community for their ideas & challenges
– You, for your attention !

Questions ?
Don’t be shy ;)
especially if you have written the corresponding slide number


mimikatz
source code

Not now available
– I’m not proud of mixing C/C++ and STL in LSASS
– Script kiddies will use it without understanding

But a little part of it for “pass the pass” available
– So download it on mimikatz download page 
• http://blog.gentilkiwi.com/mimikatz


Blog & Contact

blog/mimikatz : http://blog.gentilkiwi.com/mimikatz
email : benjamin@gentilkiwi.com
Twitter : @gentilkiwi

mimikatz @ phdays

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à mimikatz @ phdays

Similaire à mimikatz @ phdays (20)

Plus de Benjamin Delpy

Plus de Benjamin Delpy (6)

Dernier

Dernier (20)

mimikatz @ phdays