Mimikatz
Sydney
Level 8, 59 Goulburn Street
Sydney NSW 2000
Melbourne
Level 15, 401 Docklands Drive
Docklands VIC 3008
Tel. 1300 922 923
Intl. +61 2 9290 4444
www.senseofsecurity.com.au
Sense of Security Pty Ltd
ABN 14 098 237 908
@ITSecurityAU
Compliance, Protection & Business Confidence
31 August 18
mimikatz
A little tool to play with Windows security
Prashant Mahajan
Authors
• Benjamin DELPY: you can contact him on Twitter (@gentilkiwi) or by mail (benjamin [at] gentilkiwi.com), or visit his blog (http://blog.gentilkiwi.com/)
• Vincent LE TOUX: author of several contributions to mimikatz, including the DCSync function in the lsadump module; you can contact him on Twitter (@mysmartlogon) or by mail (vincent.letoux [at] gmail.com), or visit his website (http://www.mysmartlogon.com)
Agenda
• sekurlsa::logonpasswords
• Just scratching the surface on the capabilities
• SekurLSA module
• Event module
• DCSync
• Golden Ticket
• Silver Ticket
• Skeleton Key
• SIDHistory
• DCShadow
Credentials in Memory ? !
• After a user logs on, a variety of credentials are generated and stored in memory in the Local Security Authority Subsystem Service (LSASS) process.
• This is meant to facilitate Single Sign-On (SSO), so the user isn't prompted again each time resource access is requested.
• The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (only if the password is shorter than 15 characters, and depending on Windows OS version and patch level) and even clear-text passwords to support WDigest and SSP authentication, among others.
https://adsecurity.org/?page_id=1821
Credential Data Chart
Benjamin Delpy posted an Excel chart on OneDrive (no longer available); an image of it is at http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png
No Debug Privs ? !
https://twitter.com/gentilkiwi/status/1032161555964723200
https://twitter.com/gentilkiwi/status/1032270189444911104
RunAsPPL
The Local Security Authority (LSA), which resides within the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Windows 8.1 (and Windows Server 2012 R2) and later provide additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected-process setting for LSA can be configured in Windows 8.1, but is on by default in Windows RT 8.1 and cannot be changed there.
The setting is the RunAsPPL DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: set it to 1 and reboot, and LSASS runs as a Protected Process Light (PPL), so sekurlsa::logonpasswords from an ordinary administrative process cannot open it even with SeDebugPrivilege. It is a mitigation, not a guarantee: code running in the kernel (for example a signed driver such as the mimidrv driver that ships with mimikatz) can strip the protection again.
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
Pass the Hash
sekurlsa::pth /user:da /domain:sos.labs /ntlm:eaabfdbde55b39c1a9b8d6786afd251e /run:powershell.exe
sekurlsa::pth starts the process given in /run under a new logon session whose NTLM credential is the supplied hash, so every NTLM authentication from that process (and its children) uses the hash without the password ever being known.
Event module
privilege::debug
Get debug privileges (SeDebugPrivilege); needed before the Event Log service can be patched.
event::drop
Patches the Event Log service in memory so that no new events are recorded.
event::clear
Clears the event log without the usual "audit log was cleared" event (1102) being written.
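Both commands leave a trace in centrally forwarded logs even though nothing is written locally, and the following added example (not from the slides or from mimikatz) shows the two checks a collector can run: a host whose EventRecordID counter goes backwards with no 1102 as the first record after the reset (event::clear), and a host that stays up but goes silent while its peers keep logging (event::drop). The forwarded events are constructed and reduced to the four fields the checks need.

```python
from datetime import datetime, timedelta

# Constructed sample of forwarded Security events: (host, EventRecordID, EventID, UTC time).
SAMPLE_EVENTS = [
    ("DC1", 10500, 4624, "2018-08-31T09:00:00"),
    ("DC1", 10501, 4769, "2018-08-31T09:00:30"),
    ("DC1", 10502, 4769, "2018-08-31T09:01:00"),
    ("DC1", 10503, 4769, "2018-08-31T09:20:00"),
    ("DC1", 10504, 4769, "2018-08-31T09:40:00"),
    # WS01 is still up but stops producing events after 09:00:12 (event::drop).
    ("WS01", 881, 4624, "2018-08-31T09:00:10"),
    ("WS01", 882, 4672, "2018-08-31T09:00:12"),
    # SRV02: the record counter restarts at 1 with no 1102 (event::clear).
    ("SRV02", 3300, 4624, "2018-08-31T09:05:00"),
    ("SRV02", 1, 4624, "2018-08-31T09:06:00"),
    ("SRV02", 2, 4624, "2018-08-31T09:07:00"),
    ("SRV02", 3, 4624, "2018-08-31T09:41:00"),
    # SRV03: legitimate clear, so 1102 is the first record after the reset.
    ("SRV03", 7000, 4624, "2018-08-31T09:05:00"),
    ("SRV03", 1, 1102, "2018-08-31T09:06:00"),
    ("SRV03", 2, 4624, "2018-08-31T09:07:00"),
    ("SRV03", 3, 4624, "2018-08-31T09:42:00"),
]


def record_resets_without_1102(events):
    """Hosts whose EventRecordID went backwards and whose first record after the
    reset is not 1102: the log was emptied without the audit-log-cleared event."""
    last_id, flagged = {}, set()
    for host, record_id, event_id, _ in sorted(events, key=lambda e: (e[0], e[3])):
        prev = last_id.get(host)
        if prev is not None and record_id < prev and event_id != 1102:
            flagged.add(host)
        last_id[host] = record_id
    return sorted(flagged)


def silent_hosts(events, now_iso, max_silence=timedelta(minutes=15)):
    """Hosts whose newest event is older than max_silence while other hosts are
    still logging. A patched Event Log service looks like exactly this gap; a
    host that is really down needs a separate liveness check to tell them apart."""
    now = datetime.fromisoformat(now_iso)
    newest = {}
    for host, _, _, ts in events:
        t = datetime.fromisoformat(ts)
        if host not in newest or t > newest[host]:
            newest[host] = t
    # If nothing at all arrived recently, forwarding itself is broken, not one host.
    if not newest or now - max(newest.values()) > max_silence:
        return []
    return sorted(h for h, t in newest.items() if now - t > max_silence)


if __name__ == "__main__":
    print("cleared without 1102:", record_resets_without_1102(SAMPLE_EVENTS))  # ['SRV02']
    print("silent hosts:", silent_hosts(SAMPLE_EVENTS, "2018-08-31T09:45:00"))  # ['WS01']
```

The silence check is only useful if the collector is fed continuously (Windows Event Forwarding or an agent); an occasional pull cannot distinguish a dropped log from a quiet one.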
Golden Ticket
• A Golden Ticket (GT) is a forged TGT, encrypted and signed with the KRBTGT account's key (its NTLM hash for RC4, or its AES keys).
• A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing virtually unlimited rights) to any and every resource in the domain.
• Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest, by leveraging SID History), because the TGT is what is used to obtain the service tickets (TGS) that grant access to resources.
• The GT carries the user's group membership information (the PAC) and is signed and encrypted with the domain's Kerberos service account (KRBTGT) key; only the KDC, which holds that key, can decrypt and validate it, so nothing in the TGS exchange distinguishes a forged TGT from a real one.
https://adsecurity.org/?page_id=1821
Golden Ticket
To summarize, once an attacker obtains the KRBTGT key (NTLM/RC4, AES128 or AES256), they can create Golden Tickets (TGTs) that provide access to anything in AD at any time, until the KRBTGT password has been changed twice.
Mimikatz adds the following groups to the ticket by default:
• Domain Users SID: S-1-5-21-<DOMAINID>-513
• Domain Admins SID: S-1-5-21-<DOMAINID>-512
• Schema Admins SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins SID: S-1-5-21-<DOMAINID>-519 (this is only effective when the ticket is forged in the forest root domain; from a child domain, add the root domain's Enterprise Admins SID with the /sids parameter to obtain forest-wide admin rights)
• Group Policy Creator Owners SID: S-1-5-21-<DOMAINID>-520
https://adsecurity.org/?page_id=1821
Golden Ticket
kerberos::golden /user:doesnotexist /domain:sos.labs /id:9999 /sid:S-1-5-21-2872888145-3513486857-3924934394 /krbtgt:99d196d2968eb268cb69529153a48623 /ptt
• /user – the account to impersonate; any username, even one that does not exist
• /domain – the FQDN of the domain
• /sid – the domain SID; the /id RID is appended to it to form the user's SID in the ticket
• /id – the RID of the account to impersonate. This can be a real account's RID, such as the built-in Administrator's 500, or a fake one
• /krbtgt – the KRBTGT account's NTLM hash (or /aes128 / /aes256 for its AES keys)
• /groups – the list of group RIDs the account in the ticket will belong to
• /sids – extra SIDs to insert into the SIDHistory attribute of the account in the ticket
• /ptt – Pass the Ticket: load the golden ticket into the current session
Silver Ticket
A Silver Ticket is a forged service ticket (TGS; same format as a TGT), encrypted and signed with the NTLM hash (or AES key) of the computer or service account that owns the target SPN. Because the ticket is presented straight to the service, the KDC is never contacted for it and no domain controller logs its issue.
Mimikatz adds the same groups to the ticket by default as for a Golden Ticket:
• Domain Users SID: S-1-5-21-<DOMAINID>-513
• Domain Admins SID: S-1-5-21-<DOMAINID>-512
• Schema Admins SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins SID: S-1-5-21-<DOMAINID>-519 (this is only effective when the ticket is forged in the forest root domain; from a child domain, add the root domain's Enterprise Admins SID with the /sids parameter to obtain forest-wide admin rights)
• Group Policy Creator Owners SID: S-1-5-21-<DOMAINID>-520
https://adsecurity.org/?page_id=1821
Silver Ticket
kerberos::golden /user:user1 /domain:sos.labs /id:1108 /sid:S-1-5-21-2872888145-3513486857-3924934394 /target:dc1.sos.labs /rc4:fbdcd5041c96ddbd82224270b57f11fc /service:http /ptt
• /target – the host part of the SPN; the sos.labs domain has dc1.sos.labs
• /service – the service class of the SPN the ticket is forged for (must be a service running as the account whose key is supplied; for http on a host that is normally the machine account, here dc1$)
• /user – the user the ticket is created for; any user account whatsoever, even one that does not exist
• /groups – the list of group RIDs the account in the ticket will belong to. Domain Admins is included by default
• /rc4 – the NTLM hash of the service account, or /aes128 / /aes256 for its AES keys
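One detection that follows from the two definitions above (a Golden Ticket is a TGT no DC ever issued, a Silver Ticket is a service ticket no DC ever issued), written here as an added example that is not from the slides or from mimikatz. It correlates Windows Security events aggregated from every DC and the target hosts: a 4769 TGS request from an account with no 4768 AS request, a 4624 Kerberos logon that no 4769 precedes, and a logon account name or SID absent from a directory snapshot (the /user:doesnotexist /id:9999 case). The events, the directory snapshot and the simplified field names are constructed.

```python
DOMAIN_SID = "S-1-5-21-2872888145-3513486857-3924934394"

# Constructed directory snapshot: sAMAccountName -> RID (would come from an LDAP export).
DIRECTORY = {"administrator": 500, "da": 1105, "user1": 1108}

# Constructed events from all DCs and member servers, reduced to the fields the
# checks need. 4768 = TGT requested, 4769 = service ticket requested (both only
# ever logged on DCs), 4624 = logon on the host the ticket was presented to.
EVENTS = [
    # user1 does everything the normal way: AS-REQ, TGS-REQ for dc1, logon at DC1.
    {"id": 4768, "host": "DC1", "user": "user1"},
    {"id": 4769, "host": "DC1", "user": "user1", "service": "DC1$"},
    {"id": 4624, "host": "DC1", "user": "user1", "sid": DOMAIN_SID + "-1108", "package": "Kerberos"},
    # Golden ticket from the slide: forged TGT for 'doesnotexist' (RID 9999), so
    # there is a TGS-REQ but never an AS-REQ, and the SID is not in the directory.
    {"id": 4769, "host": "DC2", "user": "doesnotexist", "service": "DC1$"},
    {"id": 4624, "host": "DC1", "user": "doesnotexist", "sid": DOMAIN_SID + "-9999", "package": "Kerberos"},
    # Silver ticket: forged TGS for http/dc1 presented straight to the service, so
    # DC1 sees a Kerberos logon for which no DC ever issued a service ticket.
    {"id": 4624, "host": "DC1", "user": "administrator", "sid": DOMAIN_SID + "-500", "package": "Kerberos"},
    # Pass-the-hash shows up as an NTLM logon, which these Kerberos correlations ignore.
    {"id": 4624, "host": "SRV02", "user": "da", "sid": DOMAIN_SID + "-1105", "package": "NTLM"},
]


def detect_forged_tickets(events, directory, domain_sid):
    """Return (indicator, account, explanation) tuples in event order."""
    tgt_requested = {e["user"].lower() for e in events if e["id"] == 4768}
    # Service name 'DC1$' is the machine account of host DC1, so strip the '$' to match hosts.
    tgs_issued = {(e["user"].lower(), e["service"].rstrip("$").lower())
                  for e in events if e["id"] == 4769}
    findings = []
    for e in events:
        user = e["user"].lower()
        if e["id"] == 4769 and user not in tgt_requested:
            findings.append(("possible-golden", e["user"],
                             "service ticket requested with a TGT that no DC issued (no 4768)"))
        elif e["id"] == 4624 and e.get("package") == "Kerberos":
            rid = directory.get(user)
            if rid is None or e["sid"] != f"{domain_sid}-{rid}":
                findings.append(("forged-identity", e["user"],
                                 "account name or SID does not exist in the directory"))
            if (user, e["host"].lower()) not in tgs_issued:
                findings.append(("possible-silver", e["user"],
                                 f"Kerberos logon at {e['host']} with no service ticket issued by any DC (no 4769)"))
    return findings


if __name__ == "__main__":
    for indicator, account, why in detect_forged_tickets(EVENTS, DIRECTORY, DOMAIN_SID):
        print(f"{indicator:16} {account:14} {why}")
```

In production the 4768 lookup has to span every DC and at least the TGT lifetime (10 hours by default), since the genuine AS-REQ may have been served by a different DC hours earlier; the directory check has no such window and is the cheapest of the three.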
Skeleton Key
• Inject a Skeleton Key into the LSASS process on a Domain Controller.
• This lets every user authenticate to the patched DC with a "master password" (mimikatz by default), the Skeleton Key, as well as with their usual password.
• The patch lives only in memory: rebooting the DC removes the Skeleton Key injection.
DCShadow
What can you do?
• Add a user to privileged groups such as Domain Admins or Enterprise Admins
• Add SIDHistory
• Change PrimaryGroupID
• Etc.
DCShadow
The following permissions on AD objects are required:
Domain object
• DS-Install-Replica (Add/Remove Replica in Domain)
• DS-Replication-Manage-Topology (Manage Replication Topology)
• DS-Replication-Synchronize (Replication Synchronization)
Sites object in the Configuration container
• CreateChild and DeleteChild
Computer object of the attacker's machine (which is registered as a fake DC)
• WriteProperty
Target object (user, computer or ADSPath)
• WriteProperty
By default only Domain Admins hold this combination, so DCShadow is a post-compromise persistence and stealth technique rather than an escalation; the Nishang script below delegates exactly these rights to a chosen account.
https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1