SlideShare a Scribd company logo

mimikatz @ phdays

mimikatz @ phdays - http://blog.gentilkiwi.com/mimikatz Focus on sekurlsa / pass-the-pass

1 of 51
Download to read offline
mimikatz




   Benjamin DELPY `gentilkiwi`
focus on sekurlsa / pass-the-pass
Who ? Why ?

  Benjamin DELPY `gentilkiwi`
    –      French
    –      26y
    –      Kiwi addict
    –      Lazy programmer


  Started to code mimikatz to :
    – explain security concepts ;
    – improve my knowledge ;
    – prove to Microsoft that sometimes they must change old habits.

  Why all in French ?
    – because I’m 
    – It limits script kiddies usage.
6/3/2012       Benjamin DELPY `gentilkiwi` @ PHDays 2012   -   benjamin@gentilkiwi.com ; blog.gentilkiwi.com   2
mimikatz
           working
  On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
    – x86 & x64
    – partial support for 8 & Server 8 (few kernel driver bugs ;))
    – 2000 support dropped with mimikatz 1.0

  Everywhere ; it’s statically compiled

  Two modes
    – direct action (local commands)                           – process or driver communication
     m                        KeyIso                            m                                       SamSS
                       « Isolation de clé CNG »                                          « Gestionnaire de comptes de sécurité »
     i                      LSASS.EXE                           i                                    LSASS.EXE
     m
     i
                                                                m
                                                                i
                                                                                        VirtualAllocEx,
                 Direct action :
     k           crypto::patchcng                               k                        WriteProcessMemory,
     a                                                          a
     t                                                          t                       CreateRemoteThread...

                             EventLog                                                               sekurlsa.dll
     z                                                          z
                    « Journal d’événements Windows »
     .                    SVCHOST.EXE
                                                                .
                                                                                         Open a pipe
     e                                                          e
     x                                                          x                        Write a welcome message
                 Direct action :
     e                                                          e                        Wait commands… and return results
                 divers::eventdrop


6/3/2012      Benjamin DELPY `gentilkiwi` @ PHDays 2012   -   benjamin@gentilkiwi.com ; blog.gentilkiwi.com                        3
mimikatz
           architecture
  all in VC/C++ 2010 with some ASM…
             mod_mimikatz_standard                mod_parseur
                                                                                     KiwiCmd.exe

              mod_mimikatz_winmine                 mod_text
                                                                                   KiwiRegedit.exe
              mod_mimikatz_divers                  mod_memory

m              mod_mimikatz_nogpo                  mod_secacl
                                                                                                                      mimikatz.sys

i                                                                                  KiwiTaskmgr.exe


m           mod_mimikatz_impersonate               mod_pipe


i             mod_mimikatz_inject                  mod_inject
                                                                                     kappfree.dll

k             mod_mimikatz_samdump                 mod_hive

a             mod_mimikatz_crypto                  mod_crypto
                                                                                    kelloworld.dll
t
              mod_mimikatz_handle                  mod_patch                                                           sam
z
.            mod_mimikatz_privilege              mod_privilege
                                                                                      klock.dll
                                                                                                                     secrets


e             mod_mimikatz_system                  mod_system                                                        msv_1_0

x             mod_mimikatz_service                mod_service                                                         tspkg
                                                                                     sekurlsa.dll
e             mod_mimikatz_process                mod_process                                                        wdigest


              mod_mimikatz_thread                  mod_thread                                                        livessp


           mod_mimikatz_terminalserver              mod_ts                                                           kerberos


6/3/2012            Benjamin DELPY `gentilkiwi` @ PHDays 2012    -   benjamin@gentilkiwi.com ; blog.gentilkiwi.com                   4
mimikatz :: sekurlsa
           what is it ?
  My favorite library !

  A thread that waits, in LSASS, commands from mimikatz (or mubix
  meterpreter)

  What sekurlsa can do from the inside ?
    – Dump system secrets
    – Dump SAM / DC base
    – Dump clear text passwords/hashes
    from interactive sessions
           •   MSV1_0 (dump/inject/delete)
           •   TsPkg
           •   WDigest
           •   LiveSSP
           •   Kerberos


  Let’s start an injection & pass the hash !
6/3/2012         Benjamin DELPY `gentilkiwi` @ PHDays 2012   -   benjamin@gentilkiwi.com ; blog.gentilkiwi.com   5
mimikatz :: sekurlsa
           history of « pass-the-* » 1/2
  Pass-the-hash
    – 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)
    – 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan
      Ochoa (CoreSecurity)
    – 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and
      provide some downloads of it 
    – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
    – 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86
      & x64 versions of Windows (yeah, by myself but in French; so not famous ;))

    2007 was the year of pass the hash !


  Pass-the-ticket
    – 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
      support; Hernan Ochoa (Ampliasecurity)

6/3/2012       Benjamin DELPY `gentilkiwi` @ PHDays 2012   -   benjamin@gentilkiwi.com ; blog.gentilkiwi.com   6

Recommended

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 

More Related Content

What's hot

Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfRaphaël PINSON
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 

What's hot (20)

Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
XSS
XSSXSS
XSS
 

Similar to mimikatz @ phdays

ASFWS 2012 - Mimikatz par Benjamin Delpy
ASFWS 2012 - Mimikatz par Benjamin DelpyASFWS 2012 - Mimikatz par Benjamin Delpy
ASFWS 2012 - Mimikatz par Benjamin DelpyCyber Security Alliance
 
Software diseases: memset
Software diseases: memsetSoftware diseases: memset
Software diseases: memsetPVS-Studio
 
Zotonic presentation Erlang Camp Boston, august 2011
Zotonic presentation Erlang Camp Boston, august 2011Zotonic presentation Erlang Camp Boston, august 2011
Zotonic presentation Erlang Camp Boston, august 2011Arjan
 
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...Jason Hearne-McGuiness
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Windows post exploitation
Windows post exploitationWindows post exploitation
Windows post exploitationyarden hanan
 
Safe Clearing of Private Data
Safe Clearing of Private DataSafe Clearing of Private Data
Safe Clearing of Private DataPVS-Studio
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
Serenity Project: Security in Software Enginering
Serenity Project: Security in Software EngineringSerenity Project: Security in Software Enginering
Serenity Project: Security in Software EngineringFrancisco Sanchez Cid
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMAlexandre Borges
 
Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Andrey Karpov
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 

Similar to mimikatz @ phdays (20)

Mimikatz
MimikatzMimikatz
Mimikatz
 
ASFWS 2012 - Mimikatz par Benjamin Delpy
ASFWS 2012 - Mimikatz par Benjamin DelpyASFWS 2012 - Mimikatz par Benjamin Delpy
ASFWS 2012 - Mimikatz par Benjamin Delpy
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
Software diseases: memset
Software diseases: memsetSoftware diseases: memset
Software diseases: memset
 
Zotonic presentation Erlang Camp Boston, august 2011
Zotonic presentation Erlang Camp Boston, august 2011Zotonic presentation Erlang Camp Boston, august 2011
Zotonic presentation Erlang Camp Boston, august 2011
 
Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...
C++ Data-flow Parallelism sounds great! But how practical is it? Let’s see ho...
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Overview Of Msil
Overview Of MsilOverview Of Msil
Overview Of Msil
 
Windows post exploitation
Windows post exploitationWindows post exploitation
Windows post exploitation
 
Safe Clearing of Private Data
Safe Clearing of Private DataSafe Clearing of Private Data
Safe Clearing of Private Data
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
Serenity Project: Security in Software Enginering
Serenity Project: Security in Software EngineringSerenity Project: Security in Software Enginering
Serenity Project: Security in Software Enginering
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
 
Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
 

Recently uploaded

Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, GoogleISPMAIndia
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS Chicago
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
Breaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologyBreaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologySafe Software
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Q1 Memory Fabric Forum: XConn CXL Switches for AI
Q1 Memory Fabric Forum: XConn CXL Switches for AIQ1 Memory Fabric Forum: XConn CXL Switches for AI
Q1 Memory Fabric Forum: XConn CXL Switches for AIMemory Fabric Forum
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!KivenRaySarsaba
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsInflectra
 
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPQ1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPMemory Fabric Forum
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Memory Fabric Forum
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch TuesdayIvanti
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 

Recently uploaded (20)

Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user group
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
Breaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologyBreaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI Technology
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Q1 Memory Fabric Forum: XConn CXL Switches for AI
Q1 Memory Fabric Forum: XConn CXL Switches for AIQ1 Memory Fabric Forum: XConn CXL Switches for AI
Q1 Memory Fabric Forum: XConn CXL Switches for AI
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
 
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPQ1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch Tuesday
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 

mimikatz @ phdays

  • 1. mimikatz Benjamin DELPY `gentilkiwi` focus on sekurlsa / pass-the-pass
  • 2. Who ? Why ? Benjamin DELPY `gentilkiwi` – French – 26y – Kiwi addict – Lazy programmer Started to code mimikatz to : – explain security concepts ; – improve my knowledge ; – prove to Microsoft that sometimes they must change old habits. Why all in French ? – because I’m  – It limits script kiddies usage. 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
  • 3. mimikatz working On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8 – x86 & x64 – partial support for 8 & Server 8 (few kernel driver bugs ;)) – 2000 support dropped with mimikatz 1.0 Everywhere ; it’s statically compiled Two modes – direct action (local commands) – process or driver communication m KeyIso m SamSS « Isolation de clé CNG » « Gestionnaire de comptes de sécurité » i LSASS.EXE i LSASS.EXE m i m i  VirtualAllocEx, Direct action : k crypto::patchcng k WriteProcessMemory, a a t t  CreateRemoteThread... EventLog sekurlsa.dll z z « Journal d’événements Windows » . SVCHOST.EXE . Open a pipe e e x x Write a welcome message Direct action : e e Wait commands… and return results divers::eventdrop 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3
  • 4. mimikatz architecture all in VC/C++ 2010 with some ASM… mod_mimikatz_standard mod_parseur KiwiCmd.exe mod_mimikatz_winmine mod_text KiwiRegedit.exe mod_mimikatz_divers mod_memory m mod_mimikatz_nogpo mod_secacl mimikatz.sys i KiwiTaskmgr.exe m mod_mimikatz_impersonate mod_pipe i mod_mimikatz_inject mod_inject kappfree.dll k mod_mimikatz_samdump mod_hive a mod_mimikatz_crypto mod_crypto kelloworld.dll t mod_mimikatz_handle mod_patch sam z . mod_mimikatz_privilege mod_privilege klock.dll secrets e mod_mimikatz_system mod_system msv_1_0 x mod_mimikatz_service mod_service tspkg sekurlsa.dll e mod_mimikatz_process mod_process wdigest mod_mimikatz_thread mod_thread livessp mod_mimikatz_terminalserver mod_ts kerberos 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4
  • 5. mimikatz :: sekurlsa what is it ? My favorite library ! A thread that waits, in LSASS, commands from mimikatz (or mubix meterpreter) What sekurlsa can do from the inside ? – Dump system secrets – Dump SAM / DC base – Dump clear text passwords/hashes from interactive sessions • MSV1_0 (dump/inject/delete) • TsPkg • WDigest • LiveSSP • Kerberos Let’s start an injection & pass the hash ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5
  • 6. mimikatz :: sekurlsa history of « pass-the-* » 1/2 Pass-the-hash – 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN) – 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity) – 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and provide some downloads of it  – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity) – 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;)) 2007 was the year of pass the hash ! Pass-the-ticket – 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity) 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6
  • 7. mimikatz :: sekurlsa history of « pass-the-* » 2/2 Pass-the-pass – 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3) • http://blog.gentilkiwi.com/securite/pass-the-pass – 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;)) • http://blog.gentilkiwi.com/securite/re-pass-the-pass – 05/2011 – Some organizations opened cases to Microsoft about it… …Lots of time… – begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz – 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password extract… • http://seclists.org/pen-test/2012/Mar/7 – 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory • http://blog.gentilkiwi.com/securite/rere-pass-the-pass – 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7
  • 8. mimikatz :: sekurlsa let’s take a moment… You noticed ? It has been one year since Microsoft has been notified about passwords extraction from LSASS Without any reaction… – But blacklisting mimikatz from MSE and FEP at 20120228 ;) 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8
  • 9. mimikatz :: sekurlsa :: tspkg because sometimes hash is not enough… 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9
  • 10. mimikatz :: sekurlsa :: tspkg what is it ? Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop users’s experience – http://technet.microsoft.com/library/cc772108.aspx Rely on CredSSP with Credentials Delegation (!= Account delegation) – Specs : http://download.microsoft.com/download/9/5/e/95ef66af- 9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf First impression : it seems cool  – User does not have to type its password – Password is not in RDP file – Password is not in user secrets 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10
  • 11. mimikatz :: sekurlsa :: tspkg demo time ! Explanations follow… 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11
  • 12. mimikatz :: sekurlsa :: tspkg questions ? KB says that for it works, we must enable « Default credentials » delegation – “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx • What ? Our User/Domain/,Password | Hash | Ticket- ? It seems … – In all cases, system seems to be vulnerable to pass-the-*… In what form ? Our specs : [MS-CSSP] – 2.2.1.2.1 TSPasswordCreds • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN) TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING } – Challenge / response for authentication ? • Serveur : YES (TLS / Kerberos) • Client : NO ; *password* is sent to server… So password resides somewhere in memory ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12
  • 13. mimikatz :: sekurlsa :: tspkg symbols & theory Let’s explore some symbols ! kd> x tspkg!*clear* 75016d1c tspkg!TSObtainClearCreds = <no type information> kd> x tspkg!*password* 75011b68 tspkg!TSDuplicatePassword = <no type information> 75011cd4 tspkg!TSHidePassword = <no type information> 750195ee tspkg!TSRevealPassword = <no type information> 75012fbd tspkg!TSUpdateCredentialsPassword = <no type information> kd> x tspkg!*locate* 7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information> – sounds cool… (thanks Microsoft) Let’s imagine a scenario – Enumerate all sessions to obtain informations : • Username • Domain • LUID – Call tspkg!TSCredTableLocateDefaultCreds with LUID to obtain : • TS_CREDENTIAL – Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for : • TS_PRIMARY_CREDENTIAL with clear text credentials… 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13
  • 14. mimikatz :: sekurlsa :: tspkg test & data LsaEnumerateLogonSessions for each LUID tspkg!TSCredTableLoca teDefaultCreds tspkg!TSObtainClearCr eds password in clear ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14
  • 15. mimikatz :: sekurlsa :: tspkg test & structures LsaEnumerateLogonSessions lazy way for each LUID tspkg!TSCredTableLoca typedef struct _KIWI_TS_CREDENTIAL { #ifdef _M_X64 teDefaultCreds BYTE unk0[0x88]; #elif defined _M_IX86 BYTE unk0[0x50]; KIWI_TS_CREDEN #endif TIAL PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; KIWI_TS_PRIMAR typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { PVOID unk0; Y_CREDENTIAL LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Password; tspkg!TSObtainClearCr } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; eds KIWI_TS_PRIMAR Y_CREDENTIAL password in clear ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15
  • 16. mimikatz :: sekurlsa :: tspkg first result It worked ! Since old Windows’s version I hadn’t seen my Windows password – I’ve been a little bit afraid After many hesitations, I published a post and a stable tool update on my blog at 20110508 – http://blog.gentilkiwi.com/securite/pass-the-pass But some issues : – & tspkg!TSObtainClearCreds are not exported tspkg!TSCredTableLocateDefaultCreds – tspkg!TSObtainClearCreds not always present… – Calling conventions can be a problem – Only NT6 and few XP SP3 (manual provider activation) 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16
  • 17. mimikatz :: sekurlsa :: tspkg final implementation typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH { LsaEnumerateLogonSessions #ifdef _M_X64 BYTE unk0[108]; #elif defined _M_IX86 BYTE unk0[64]; #endif for each LUID LUID LocallyUniqueIdentifier; #ifdef _M_X64 BYTE unk1[46]; #elif defined _M_IX86 tspkg!TSGlobal KIWI_TS_CREDENTI BYTE unk1[16]; CredTable AL_AVL_SEARCH #endif } KIWI_TS_CREDENTIAL_AVL_SEARCH, *PKIWI_TS_CREDENTIAL_AVL_SEARCH; RtlLookupElementGenericTabl typedef struct _KIWI_TS_CREDENTIAL { eAvl #ifdef _M_X64 BYTE unk0[0x88]; #elif defined _M_IX86 KIWI_TS_CREDEN BYTE unk0[0x50]; TIAL #endif KIWI_TS_PRIMAR PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; Y_CREDENTIAL } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { LsaUnprotectMemory PVOID unk0; LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING UserName; password LSA_UNICODE_STRING Password; } KIWI_TS_PRIMARY_CREDENTIAL, in clear ! *PKIWI_TS_PRIMARY_CREDENTIAL; 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17
  • 18. mimikatz :: sekurlsa :: tspkg demo time ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18
  • 19. mimikatz :: sekurlsa :: tspkg final result It works better ;) – No orphan referenced credentials – More logic approach (We will see that latter…) We have just to find : – tspkg!TSGlobalCredTable – SeckPkgFunctionTable->LsaUnprotectMemory • LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx • LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx Find this… We all have personal convictions to search unexported data : – Hardcoded addresses / offsets (  ) ; – Disassembly engine ; – Pattern matching ; – … 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19
  • 20. mimikatz :: sekurlsa :: wdigest because clear text password over http/https is not cool 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20
  • 21. mimikatz :: sekurlsa :: wdigest what is it ? “Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network *…+” Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication “Common Digest Authentication Scenarios : – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” Microsoft : http://technet.microsoft.com/library/cc778868.aspx Again, it seems cool  – No password over the network, just hashes – No reversible password in Active Directory ; hashes for each realm • Only with Advanced Digest authentication 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21
  • 22. mimikatz :: sekurlsa :: wdigest what is it ? We speak about hashes, but what hashes ? H = MD5(HA1:nonce:[…]:HA2) • HA1 = MD5(username:realm:password) • HA2 = MD5(method:digestURI:[…]) Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon WDigest provider must have elements to compute responses for different servers : – Username – Realm (from server) – Password 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22
  • 23. mimikatz :: sekurlsa :: wdigest theory This time, we know : – that WDigest keeps password in memory « by protocol » for HA1 digest – that LSASS love to unprotect password with LsaUnprotectMemory (so protect with LsaProtectMemory) LsaUnprotectMemory – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE – Let’s perform a research in WDigest : .text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h] – Hypothesis seems verified  LsaProtectMemory – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE – Let’s perform a research in WDigest : .text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h] – SpAcceptCredentials takes clear password in args • Protect it with LsaProtectMemory • Update or insert data in double linked list : wdigest!l_LogSessList 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23
  • 24. mimikatz :: sekurlsa :: wdigest test & data LsaEnumerateLogonSessions for each LUID wdigest!l_LogS essList search linked list for LUID LsaUnprotectMemory password in clear ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24
  • 25. mimikatz :: sekurlsa :: wdigest final implementation LsaEnumerateLogonSessions for each LUID typedef struct _KIWI_WDIGEST_LIST_ENTRY { struct _KIWI_WDIGEST_LIST_ENTRY *Flink; wdigest!l_LogS struct _KIWI_WDIGEST_LIST_ENTRY *Blink; DWORD UsageCount; essList struct _KIWI_WDIGEST_LIST_ENTRY *This; LUID LocallyUniqueIdentifier; […] LSA_UNICODE_STRING UserName; search linked list for LUID LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; […] } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY KIWI_WDIGEST_L ; IST_ENTRY LsaUnprotectMemory password in clear ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25
  • 26. mimikatz :: sekurlsa :: wdigest demo time ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 26
  • 27. mimikatz :: sekurlsa :: wdigest result It works again ! This time we just have to find : – wdigest!l_LogSessList – SeckPkgFunctionTable->LsaUnprotectMemory • LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx • LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx Seems generalizable ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27
  • 28. mimikatz :: sekurlsa and now what ? In fact, with TsPkg and WDigest, passwords can be retrieved from any version of Windows ... – WDigest • XP, 2003 • Vista / Seven / 2008 / 2008r2 • 8 But not with a Live account  – TsPkg • XP SP3 (manual install) • Vista / Seven / 2008 / 2008r2 • 8 Even with a Live account  6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
  • 29. mimikatz :: sekurlsa and now what ? wce had not copied my TsPkg functionalities Only WDigest, so they missed 8 Live accounts… – Kiwi WDigest patterns (last public release) #ifdef _M_X64 BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D}; #elif defined _M_IX86 BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04}; #endif – wce patterns Between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence… for lack of TsPkg, they can be inspired by next releases ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
  • 30. mimikatz :: sekurlsa :: livessp because Microsoft was too good in closed networks 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30
  • 31. mimikatz :: sekurlsa :: livessp how ? Actually I’ve only used logical (empirical) approach to search passwords… : – Protocol reading – Symbols searching ~ Boring ~… be more brutal this time : make a WinDBG trap ! 0: kd> !process 0 0 lsass.exe PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4 DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible> Image: lsass.exe 0: kd> .process /i 83569040 You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. 0: kd> g Break instruction exception - code 80000003 (first chance) nt!RtlpBreakWithStatusInstruction: 814b39d0 cc int 3 0: kd> .reload /user Loading User Symbols ............................................................ 0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g" 0: kd> g 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 31
  • 32. mimikatz :: sekurlsa :: livessp how ? Let’s login with a Live account on Windows 8 ! lsasrv!LsaProtectMemory livessp!LiveMakeSupplementalCred livessp!LiveMakeSecPkgCredentials Our LiveSSP provider livessp!LsaApLogonUserEx2 livessp!SpiLogonUserEx2 lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential Yeah, Pass the Hash capability with Live msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials account too… lsasrv!LsaProtectMemory tspkg!TSHidePassword Live user can logon through RDP via SSO tspkg!SpAcceptCredentials 1: kd> uf /c livessp!LsaApLogonUserEx2 livessp!LsaApLogonUserEx2 (74781536) [...] livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession (74784867) After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest) 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 32
  • 33. mimikatz :: sekurlsa :: livessp final implementation typedef struct _KIWI_LIVESSP_LIST_ENTRY { LsaEnumerateLogonSessions struct _KIWI_LIVESSP_LIST_ENTRY *Flink; struct _KIWI_LIVESSP_LIST_ENTRY *Blink; PVOID unk0; PVOID unk1; PVOID unk2; for each LUID PVOID unk3; DWORD unk4; DWORD unk5; PVOID unk6; livessp!LiveGloba LUID LocallyUniqueIdentifier; lLogonSessionList LSA_UNICODE_STRING UserName; PVOID unk7; PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; } KIWI_LIVESSP_LIST_ENTRY, search linked list for LUID *PKIWI_LIVESSP_LIST_ENTRY; KIWI_LIVESSP_LIS T_ENTRY typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL { KIWI_LIVESSP_PRI DWORD isSupp; MARY_CREDENTIAL DWORD unk0; LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; LsaUnprotectMemory } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; password in clear ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 33
  • 34. mimikatz :: sekurlsa :: livessp demo time ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 34
  • 35. mimikatz :: sekurlsa it was a cool trap no ? Even if we already have tools for normal accounts, are you not curious to test one with this trap ?* * Me, yes 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 35
  • 36. mimikatz :: sekurlsa :: kerberos Let’s login normal account lsasrv!LsaProtectMemory kerberos!KerbHideKey kerberos!KerbCreatePrimaryCredentials kerberos!KerbCreateLogonSession Kerberos, ticket part ? Maybe ;) kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory kerberos!KerbHidePassword kerberos!KerbCreateLogonSession Kerberos part for password ?????? kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials lsasrv!LsaProtectMemory wdigest!SpAcceptCredentials lsasrv!LsaProtectMemory tspkg!TSHidePassword tspkg!SpAcceptCredentials After credentials protection, KerbCreateLogonSession calls : – NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable – NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 36
  • 37. mimikatz :: sekurlsa :: kerberos (nt 6) final implementation typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH { LsaEnumerateLogonSessions #ifdef _M_X64 BYTE unk0[64]; #elif defined _M_IX86 BYTE unk0[36]; #endif for each LUID LUID LocallyUniqueIdentifier; } KIWI_KERBEROS_LOGON_AVL_SEARCH, *PKIWI_KERBEROS_LOGON_AVL_SEARCH; Kerberos!KerbG KIWI_KERBEROS_LO lobalLogonSess GON_AVL_SEARCH ionTable typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL { DWORD unk0; PVOID unk1; PVOID unk2; RtlLookupElementGenericTabl #ifdef _M_X64 eAvl BYTE unk3[96]; #elif defined _M_IX86 BYTE unk3[68]; #endif LSA_UNICODE_STRING UserName; KIWI_KERBEROS_PR LSA_UNICODE_STRING Domaine; IMARY_CREDENTIAL LSA_UNICODE_STRING Password; } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; LsaUnprotectMemory password in clear ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 37
  • 38. mimikatz :: sekurlsa :: kerberos (nt 5) final implementation typedef struct _KIWI_KERBEROS_LOGON_SESSION { LsaEnumerateLogonSessions struct _KIWI_KERBEROS_LOGON_SESSION *Flink; struct _KIWI_KERBEROS_LOGON_SESSION *Blink; DWORD UsageCount; PVOID unk0; PVOID unk1; for each LUID PVOID unk2; DWORD unk3; DWORD unk4; PVOID unk5; kerberos!KerbLog PVOID unk6; onSessionList PVOID unk7; LUID LocallyUniqueIdentifier; #ifdef _M_IX86 DWORD unk8; search linked list for LUID #endif DWORD unk9; DWORD unk10; PVOID unk11; DWORD unk12; DWORD unk13; KIWI_LIVESSP_PRI PVOID unk14; MARY_CREDENTIAL PVOID unk15; PVOID unk16; […] LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LsaUnprotectMemory LSA_UNICODE_STRING Password; } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; password in clear ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 38
  • 39. mimikatz :: sekurlsa :: kerberos demo time ! 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 39
  • 40. mimikatz :: sekurlsa :: kerberos « hu ? » Ok It works…* But why ? *Not at all logon on NT5 *Can need an unlock… From my understanding of Microsoft explanations, no need of passwords for the Kerberos protocol… all is based on the hash (not very sexy too) 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 40
  • 41. mimikatz :: sekurlsa :: kerberos BONUS « hu ? » Microsoft’s implementation of Kerberos is full of logical… For password auth : – password hash for shared secret, but keeping password in memory For full smartcard auth : – No password on client – No hash on client ? • NTLM hash on client… • KDC sent it back as a gift 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 41
  • 42. mimikatz :: sekurlsa why this is dangerous ? Not a bug Not a weakness Not a vulnerability Not a 0-day – (for now, there may be too) It’s “normal” that LSASS keeps passwords in memory for passwords based providers when protocols need them – And hashes for msv1_0… All of these rely on shared secrets… So you can’t prevent Windows internal behaviors… (in a supported way) One change from Microsoft on protocols can impact all versions I don’t count on a fix or others things in the next [5;10] years… 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 42
  • 43. mimikatz :: sekurlsa what we can do ? Basics – No physical access to computer (first step to pass the hash) – No admin rights / system rights / debug privileges (…) – Disable local admin accounts – Strong passwords (haha, it was a joke) – Network login instead of interactive (when possible) – Audit ; pass the hash keeps traces and can lock accounts – No admin rights / system rights / debug privileges, even VIP More in depth – Force strong authentication (SmartCard & Token) : $ / € – Short validity for Kerberos tickets – No delegation – Disable NTLM (available with NT6) – No exotic : • biometrics (it keeps password somewhere and push it to Windows) • single sign on – Stop shared secrets for authentication : push Public / Private stuff (like keys ;)) – Let opportunities to stop retrocompatibility – Disable faulty providers ? • Is it supported by Microsoft ? • Even if, you will disable Kerberos and msv1_0 ? 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 43
  • 44. mimikatz :: sekurlsa Code it ! Implement it in Meta ! Discover ! Pass the hash : Package Symbols Description msv1_0 SeckPkgFunctionTable->GetCredentials Get clear LM & NTLM hashes from LUID SeckPkgFunctionTable->LsaUnprotectMemory msv1_0 SeckPkgFunctionTable->LsaProtectMemory Push clear LM & NTLM hashes to LUID SeckPkgFunctionTable->AddCredential msv1_0 SeckPkgFunctionTable->DeleteCredential Delete hashes from LUID Get passwords : Package Symbols Type tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE SeckPkgFunctionTable->LsaUnprotectMemory wdigest wdigest!l_LogSessList LIST_ENTRY SeckPkgFunctionTable->LsaUnprotectMemory livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY SeckPkgFunctionTable->LsaUnprotectMemory kerberos kerberos!KerbLogonSessionList LIST_ENTRY (nt5) SeckPkgFunctionTable->LsaUnprotectMemory kerberos Kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE (nt6) SeckPkgFunctionTable->LsaUnprotectMemory 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 44
  • 45. mimikatz :: sekurlsa little help to start ! Package Datas Little help * @getLogonPasswords Use « full » keyword in argument of functions msv1_0 @getMSV @getMSVFunctions msv1_0 : ** lsasrv.dll ** ; Statut recherche : OK :) – 3 * Utilisateur : termuser @GetCredentials = 000007F9C1C62938 * Domaine : DEMO @AddCredential = 000007F9C1C71010 * Hash LM : d0e9aee149655a6075e4540af1f22d3b @DeleteCredential = 000007F9C1C61F58 * Hash NTLM : cc36cf7a8514893efccd332446158b1a @LsaUnprotectMemory = 000007F9C1C59960 @LsaProtectMemory = 000007F9C1C628A4 tspkg @getTsPkg @getTsPkgFunctions tspkg : ** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :) * Utilisateur : termuser @TSGlobalCredTable = 000007F9C1557B20 * Domaine : DEMO @LsaUnprotectMemory = 000007F9C1C59960 * Mot de passe : waza1234/ wdigest @getWDigest @getWDigestFunctions wdigest : ** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :) * Utilisateur : termuser @l_LogSessList = 000007F9C15E12B0 * Domaine : DEMO @LsaUnprotectMemory = 000007F9C1C59960 * Mot de passe : waza1234/ livessp @getLiveSSP @getLiveSSPFunctions livessp : ** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :) * Utilisateur : sekurlsa@live.fr @LiveGlobalLogonSessionList = 000007F9C14E8C68 * Domaine : ps:password @LsaUnprotectMemory = 000007F9C1C59960 * Mot de passe : waza1234/ kerberos @getKerberos @getKerberosFunctions kerberos : ** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :) * Utilisateur : termuser @KerbGlobalLogonSessionTable = 000007F9C1955AE0 * Domaine : DEMO.LOCAL @KerbLogonSessionList = 0000000000000000 * Mot de passe : waza1234/ @LsaUnprotectMemory = 000007F9C1C59960 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 45
  • 46. mimikatz :: sekurlsa some ideas Meterpreter post module Standalone binary without injection yeah, it’s easy ! – read all data (sessions, encrypted passwords) – read all keys and implement your own (un)protectMemory routine ! – decrypt / crypt Extract all of this from memory dump / hyberfile ! etc… Make demonstrations to your chief information security officer Ask Microsoft to work on better implementation – Maybe offer possibilities to disable or not some functionalities – Think globally about data really needed for authentication 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 46
  • 47. mimikatz :: sekurlsa some ideas Meterpreter post module Standalone binary without injection yeah, it’s easy ! – read all data (sessions, encrypted passwords) – read all keys and implement your own (un)protectMemory routine ! – decrypt / crypt Extract all of this from memory dump / hyberfile ! etc… Make demonstrations to your chief information security officer Ask Microsoft to work on better implementation – Maybe offer possibilities to disable or not some functionalities – Think globally about data really needed for authentication 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 47
  • 48. mimikatz what else ? Crypto mod_mimikatz_crypto mod_crypto – Export non-exportable certificates and keys • CryptoAPI • CNG… Stop event monitoring mod_mimikatz_divers Basic GPO bypass mod_mimikatz_nogpo Applocker / SRP bypass kappfree.dll Driver mimikatz.sys – Play with tokens & privileges – Display SSDT x86 & x64 – List minifilters actions – List Notifications (process / thread / image / registry) – List Objects hooks and procedures – … … 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 48
  • 49. mimikatz that’s all folks ! Thanks’ to / Спасибо : – my girlfriend for her support (her LSASS crashed few times) – Positive Technologies to offer me this great opportunity – Microsoft to consider it as normal/acceptable  – Security friends/community for their ideas & challenges – You, for your attention ! Questions ? Don’t be shy ;) especially if you have written the corresponding slide number 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 49
  • 50. mimikatz source code Not now available – I’m not proud of mixing C/C++ and STL in LSASS – Script kiddies will use it without understanding But a little part of it for “pass the pass” available – So download it on mimikatz download page  • http://blog.gentilkiwi.com/mimikatz 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 50
  • 51. Blog & Contact blog/mimikatz : http://blog.gentilkiwi.com/mimikatz email : benjamin@gentilkiwi.com Twitter : @gentilkiwi 6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 51