mimikatz @ phdays

mimikatz @ phdays - http://blog.gentilkiwi.com/mimikatz
Focus on sekurlsa / pass-the-pass


  1. mimikatz : focus on sekurlsa / pass-the-pass
     Benjamin DELPY `gentilkiwi`
  2. Who ? Why ?
     Benjamin DELPY `gentilkiwi`
     – French
     – 26y
     – Kiwi addict
     – Lazy programmer
     Started to code mimikatz to :
     – explain security concepts ;
     – improve my knowledge ;
     – prove to Microsoft that sometimes they must change old habits.
     Why all in French ?
     – because I’m …
     – It limits script kiddies usage.
     6/3/2012 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
  3. mimikatz – working
     On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
     – x86 & x64
     – partial support for 8 & Server 8 (few kernel driver bugs ;))
     – 2000 support dropped with mimikatz 1.0
     Everywhere ; it’s statically compiled
     Two modes
     – direct action (local commands)
     – process or driver communication
     [Diagram : mimikatz.exe and its three targets]
     – KeyIso service (« Isolation de clé CNG ») in LSASS.EXE : direct action, crypto::patchcng
     – SamSS service (« Gestionnaire de comptes de sécurité ») in LSASS.EXE : VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... to load sekurlsa.dll, which opens a pipe, writes a welcome message, waits for commands… and returns results
     – EventLog service (« Journal d’événements Windows ») in SVCHOST.EXE : direct action, divers::eventdrop
  4. mimikatz – architecture
     all in VC/C++ 2010 with some ASM…
     [Diagram : modules of mimikatz.exe, their libraries and the side binaries]
     mimikatz.exe modules : mod_mimikatz_standard, mod_mimikatz_winmine, mod_mimikatz_divers, mod_mimikatz_nogpo, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_privilege, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver
     Libraries : mod_parseur, mod_text, mod_memory, mod_secacl, mod_pipe, mod_inject, mod_hive, mod_crypto, mod_patch, mod_privilege, mod_system, mod_service, mod_process, mod_thread, mod_ts
     Binaries : KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, mimikatz.sys, kappfree.dll, kelloworld.dll, klock.dll
     sekurlsa.dll : sam, secrets, msv_1_0, tspkg, wdigest, livessp, kerberos
  5. mimikatz :: sekurlsa – what is it ?
     My favorite library !
     A thread that waits, in LSASS, for commands from mimikatz (or mubix’s meterpreter)
     What can sekurlsa do from the inside ?
     – Dump system secrets
     – Dump SAM / DC base
     – Dump clear text passwords/hashes from interactive sessions
       • MSV1_0 (dump/inject/delete)
       • TsPkg
       • WDigest
       • LiveSSP
       • Kerberos
     Let’s start an injection & pass the hash !
  6. mimikatz :: sekurlsa – history of « pass-the-* » 1/2
     Pass-the-hash
     – 1997 - Unix modified SAMBA client for hashes usage ; Paul Ashton (EIGEN)
     – 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity)
     – 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
     – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
     – 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French ; so not famous ;))
     2007 was the year of pass the hash !
     Pass-the-ticket
     – 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)
  7. mimikatz :: sekurlsa – history of « pass-the-* » 2/2
     Pass-the-pass
     – 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
       • http://blog.gentilkiwi.com/securite/pass-the-pass
     – 05/2011 – return of mimikatz ; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
       • http://blog.gentilkiwi.com/securite/re-pass-the-pass
     – 05/2011 – Some organizations opened cases to Microsoft about it…
     …Lots of time…
     – begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
     – 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
       • http://seclists.org/pen-test/2012/Mar/7
     – 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
       • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
     – 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
       • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
  8. mimikatz :: sekurlsa – let’s take a moment…
     You noticed ? It has been one year since Microsoft was notified about password extraction from LSASS
     Without any reaction…
     – But blacklisting mimikatz from MSE and FEP at 20120228 ;)
  9. mimikatz :: sekurlsa :: tspkg – because sometimes hash is not enough…
  10. mimikatz :: sekurlsa :: tspkg – what is it ?
     Microsoft introduces SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop users’ experience
     – http://technet.microsoft.com/library/cc772108.aspx
     Relies on CredSSP with Credentials Delegation (!= Account delegation)
     – Specs : http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
     First impression : it seems cool
     – User does not have to type its password
     – Password is not in the RDP file
     – Password is not in user secrets
  11. mimikatz :: sekurlsa :: tspkg – demo time !
     Explanations follow…
  12. mimikatz :: sekurlsa :: tspkg – questions ?
     KB says that for it to work, we must enable « Default credentials » delegation
     – “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
       • What ? Our User / Domain / Password | Hash | Ticket ? It seems …
     – In all cases, the system seems to be vulnerable to pass-the-*… In what form ?
     Our specs : [MS-CSSP]
     – 2.2.1.2.1 TSPasswordCreds
       • The TSPasswordCreds structure contains the user’s password credentials that are delegated to the server. (or PIN)
         TSPasswordCreds ::= SEQUENCE {
             domainName [0] OCTET STRING,
             userName   [1] OCTET STRING,
             password   [2] OCTET STRING
         }
     – Challenge / response for authentication ?
       • Server : YES (TLS / Kerberos)
       • Client : NO ; *password* is sent to the server…
     So the password resides somewhere in memory ?
  13. mimikatz :: sekurlsa :: tspkg – symbols & theory
     Let’s explore some symbols !
       kd> x tspkg!*clear*
       75016d1c  tspkg!TSObtainClearCreds = <no type information>
       kd> x tspkg!*password*
       75011b68  tspkg!TSDuplicatePassword = <no type information>
       75011cd4  tspkg!TSHidePassword = <no type information>
       750195ee  tspkg!TSRevealPassword = <no type information>
       75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
       kd> x tspkg!*locate*
       7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
     – sounds cool… (thanks Microsoft)
     Let’s imagine a scenario
     – Enumerate all sessions to obtain information :
       • Username
       • Domain
       • LUID
     – Call tspkg!TSCredTableLocateDefaultCreds with the LUID to obtain :
       • TS_CREDENTIAL
     – Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
       • TS_PRIMARY_CREDENTIAL with clear text credentials…
  14. mimikatz :: sekurlsa :: tspkg – test & data
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> tspkg!TSObtainClearCreds -> password in clear ?
  15. mimikatz :: sekurlsa :: tspkg – test & structures (lazy way)
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> tspkg!TSObtainClearCreds -> KIWI_TS_PRIMARY_CREDENTIAL -> password in clear ?
       /* Windows types (BYTE, PVOID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h>.
          The primary credential is declared first so that the pointer typedef
          used by KIWI_TS_CREDENTIAL resolves. */
       typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
           PVOID unk0;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Password;
       } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

       typedef struct _KIWI_TS_CREDENTIAL {
       #ifdef _M_X64
           BYTE unk0[0x88];
       #elif defined _M_IX86
           BYTE unk0[0x50];
       #endif
           PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
       } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
  16. mimikatz :: sekurlsa :: tspkg – first result
     It worked !
     Since old Windows versions I hadn’t seen my Windows password
     – I’ve been a little bit afraid
     After many hesitations, I published a post and a stable tool update on my blog at 20110508
     – http://blog.gentilkiwi.com/securite/pass-the-pass
     But some issues :
     – tspkg!TSCredTableLocateDefaultCreds & tspkg!TSObtainClearCreds are not exported
     – tspkg!TSObtainClearCreds not always present…
     – Calling conventions can be a problem
     – Only NT6 and few XP SP3 (manual provider activation)
  17. mimikatz :: sekurlsa :: tspkg – final implementation
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable + KIWI_TS_CREDENTIAL_AVL_SEARCH -> RtlLookupElementGenericTableAvl -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !
       /* Windows types (BYTE, PVOID, LUID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h> */
       typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH {
       #ifdef _M_X64
           BYTE unk0[108];
       #elif defined _M_IX86
           BYTE unk0[64];
       #endif
           LUID LocallyUniqueIdentifier;
       #ifdef _M_X64
           BYTE unk1[46];
       #elif defined _M_IX86
           BYTE unk1[16];
       #endif
       } KIWI_TS_CREDENTIAL_AVL_SEARCH, *PKIWI_TS_CREDENTIAL_AVL_SEARCH;

       typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
           PVOID unk0;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Password;
       } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

       typedef struct _KIWI_TS_CREDENTIAL {
       #ifdef _M_X64
           BYTE unk0[0x88];
       #elif defined _M_IX86
           BYTE unk0[0x50];
       #endif
           PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
       } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
  18. mimikatz :: sekurlsa :: tspkg – demo time !
  19. mimikatz :: sekurlsa :: tspkg – final result
     It works better ;)
     – No orphan referenced credentials
     – More logical approach (we will see that later…)
     We just have to find :
     – tspkg!TSGlobalCredTable
     – SeckPkgFunctionTable->LsaUnprotectMemory
       • LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
       • LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx
     Find this… We all have personal convictions on how to search for unexported data :
     – Hardcoded addresses / offsets ;
     – Disassembly engine ;
     – Pattern matching ;
     – …
  20. mimikatz :: sekurlsa :: wdigest – because clear text password over http/https is not cool
  21. mimikatz :: sekurlsa :: wdigest – what is it ?
     “Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user’s web browser. It applies a hash function to a password before sending it over the network […]”
     Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication
     “Common Digest Authentication Scenarios :
     – Authenticated client access to a Web site
     – Authenticated client access using SASL
     – Authenticated client access with integrity protection to a directory service using LDAP”
     Microsoft : http://technet.microsoft.com/library/cc778868.aspx
     Again, it seems cool
     – No password over the network, just hashes
     – No reversible password in Active Directory ; hashes for each realm
       • Only with Advanced Digest authentication
  22. mimikatz :: sekurlsa :: wdigest – what is it ?
     We speak about hashes, but what hashes ?
       H = MD5(HA1:nonce:[…]:HA2)
       • HA1 = MD5(username:realm:password)
       • HA2 = MD5(method:digestURI:[…])
     Even after login, HA1 may change… the realm is chosen by the server side and cannot be determined before Windows logon
     The WDigest provider must have the elements to compute responses for different servers :
     – Username
     – Realm (from server)
     – Password
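The slide's formulas, carried through in code. This is an added example, not code from the presentation or from mimikatz: it computes HA1, HA2 and the Digest response exactly as the slide writes them, and uses the public RFC 2617 section 3.5 test vector (user "Mufasa", realm "testrealm@host.com") so the result can be checked. It goes one step beyond the slide by also covering the qop=auth form of the response, which is what the slide's "[…]" stands for. The account name and realms in the `__main__` part are constructed. The point it demonstrates is the one the slide makes: HA1 is keyed by the realm that arrives in the server challenge, so a client that must answer any server cannot precompute a single hash at logon and ends up needing the password itself.

```python
import hashlib
from typing import Dict, Iterable, Optional


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex: the only primitive Digest auth uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm comes from the server challenge."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) (the qop=auth / no-qop form)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, ha2: str,
                    qop: Optional[str] = None,
                    nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """H = MD5(HA1:nonce:[nc:cnonce:qop:]HA2).

    The bracketed fields are the RFC 2617 qop extension, i.e. the '[...]' on the
    slide; without qop the response collapses to the older RFC 2069 form.
    """
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def answer_challenge(username: str, password: str, challenge: Dict[str, str],
                     method: str, uri: str,
                     nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """What the client-side provider has to compute when a server challenges it.

    HA1 is recomputed here from the clear password because the realm in the
    challenge was unknown when the user logged on to Windows.
    """
    ha1 = digest_ha1(username, challenge["realm"], password)
    ha2 = digest_ha2(method, uri)
    return digest_response(ha1, challenge["nonce"], ha2,
                           qop=challenge.get("qop"), nc=nc, cnonce=cnonce)


def rfc2617_example_response() -> str:
    """The worked example from RFC 2617 section 3.5 (public test vector)."""
    challenge = {"realm": "testrealm@host.com",
                 "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 "qop": "auth"}
    return answer_challenge("Mufasa", "Circle Of Life", challenge,
                            "GET", "/dir/index.html",
                            nc="00000001", cnonce="0a4f113b")


def ha1_by_realm(username: str, password: str, realms: Iterable[str]) -> Dict[str, str]:
    """One HA1 per realm: a single stored hash cannot serve every server, which is
    why a provider that wants to answer any realm ends up holding the password."""
    return {realm: digest_ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    print("RFC 2617 response:", rfc2617_example_response())
    # Constructed account and realms, for the demonstration only.
    for realm, ha1 in ha1_by_realm("termuser", "constructed-password",
                                   ["intranet.example", "mail.example", "ldap.example"]).items():
        print(f"{realm:18} HA1={ha1}")
```

Run it and the RFC 2617 vector yields the response `6629fae49393a05397450978507c4ef1`; the three constructed realms produce three different HA1 values for the same user and password, which is the reason the provider keeps the password rather than a hash.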
  23. mimikatz :: sekurlsa :: wdigest – theory
     This time, we know :
     – that WDigest keeps the password in memory « by protocol » for the HA1 digest
     – that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
     LsaUnprotectMemory
     – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
     – Let’s search for it in WDigest :
         .text:7409D151  _DigestCalcHA1@8          call dword ptr [eax+0B4h]
     – Hypothesis seems verified
     LsaProtectMemory
     – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
     – Let’s search for it in WDigest :
         .text:74096C69  _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
     – SpAcceptCredentials takes the clear password in its args
       • Protects it with LsaProtectMemory
       • Updates or inserts data in a double linked list : wdigest!l_LogSessList
  24. mimikatz :: sekurlsa :: wdigest – test & data
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search linked list for LUID -> LsaUnprotectMemory -> password in clear ?
  25. mimikatz :: sekurlsa :: wdigest – final implementation
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search linked list for LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear !
       /* Windows types (DWORD, LUID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h>;
          the […] fields are left unspecified on the slide */
       typedef struct _KIWI_WDIGEST_LIST_ENTRY {
           struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
           struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
           DWORD UsageCount;
           struct _KIWI_WDIGEST_LIST_ENTRY *This;
           LUID LocallyUniqueIdentifier;
           /* […] */
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING Password;
           /* […] */
       } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
  26. mimikatz :: sekurlsa :: wdigest – demo time !
  27. mimikatz :: sekurlsa :: wdigest – result
     It works again !
     This time we just have to find :
     – wdigest!l_LogSessList
     – SeckPkgFunctionTable->LsaUnprotectMemory
       • LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
       • LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx
     Seems generalizable ?
  28. mimikatz :: sekurlsa – and now what ?
     In fact, with TsPkg and WDigest, passwords can be retrieved from any version of Windows ...
     – WDigest
       • XP, 2003
       • Vista / Seven / 2008 / 2008r2
       • 8 – but not with a Live account
     – TsPkg
       • XP SP3 (manual install)
       • Vista / Seven / 2008 / 2008r2
       • 8 – even with a Live account
  29. mimikatz :: sekurlsa – and now what ?
     wce had not copied my TsPkg functionalities
     Only WDigest, so they missed 8 Live accounts…
     – Kiwi WDigest patterns (last public release)
         #ifdef _M_X64
         BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D};
         #elif defined _M_IX86
         BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04};
         #endif
     – wce patterns
     Between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence… for lack of TsPkg, can they be inspired by the next releases ?
  30. mimikatz :: sekurlsa :: livessp – because Microsoft was too good in closed networks
  31. mimikatz :: sekurlsa :: livessp – how ?
     Actually I’ve only used a logical (empirical) approach to search for passwords… :
     – Protocol reading
     – Symbols searching
     ~ Boring ~… let’s be more brutal this time : make a WinDBG trap !
       0: kd> !process 0 0 lsass.exe
       PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
           DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
           Image: lsass.exe
       0: kd> .process /i 83569040
       You need to continue execution (press g <enter>) for the context
       to be switched. When the debugger breaks in again, you will be in
       the new process context.
       0: kd> g
       Break instruction exception - code 80000003 (first chance)
       nt!RtlpBreakWithStatusInstruction:
       814b39d0 cc              int     3
       0: kd> .reload /user
       Loading User Symbols
       ............................................................
       0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
       0: kd> g
  32. mimikatz :: sekurlsa :: livessp – how ?
     Let’s login with a Live account on Windows 8 !
     Breakpoint hits (kc 5 call stacks, innermost frame first) :
       lsasrv!LsaProtectMemory
       livessp!LiveMakeSupplementalCred
       livessp!LiveMakeSecPkgCredentials
       livessp!LsaApLogonUserEx2
       livessp!SpiLogonUserEx2
     (Our LiveSSP provider)
       lsasrv!LsaProtectMemory
       msv1_0!NlpAddPrimaryCredential
       msv1_0!SspAcceptCredentials
       msv1_0!SpAcceptCredentials
     (Yeah, Pass the Hash capability with a Live account too…)
       lsasrv!LsaProtectMemory
       tspkg!TSHidePassword
       tspkg!SpAcceptCredentials
     (Live user can logon through RDP via SSO)
       1: kd> uf /c livessp!LsaApLogonUserEx2
       livessp!LsaApLogonUserEx2 (74781536)
       [...]
         livessp!LsaApLogonUserEx2+0x560 (74781a96):
           call to livessp!LiveCreateLogonSession (74784867)
     After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
  33. mimikatz :: sekurlsa :: livessp – final implementation
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList -> search linked list for LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !
       /* Windows types (DWORD, PVOID, LUID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h>.
          The primary credential is declared first so that the pointer typedef
          used by KIWI_LIVESSP_LIST_ENTRY resolves. */
       typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
           DWORD isSupp;
           DWORD unk0;
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING Password;
       } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

       typedef struct _KIWI_LIVESSP_LIST_ENTRY {
           struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
           struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
           PVOID unk0;
           PVOID unk1;
           PVOID unk2;
           PVOID unk3;
           DWORD unk4;
           DWORD unk5;
           PVOID unk6;
           LUID LocallyUniqueIdentifier;
           LSA_UNICODE_STRING UserName;
           PVOID unk7;
           PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
       } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
  34. mimikatz :: sekurlsa :: livessp – demo time !
  35. mimikatz :: sekurlsa – it was a cool trap, no ?
     Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*
     * Me, yes
  36. mimikatz :: sekurlsa :: kerberos
     Let’s login with a normal account
     Breakpoint hits (kc 5 call stacks, innermost frame first) :
       lsasrv!LsaProtectMemory
       kerberos!KerbHideKey
       kerberos!KerbCreatePrimaryCredentials
       kerberos!KerbCreateLogonSession
       kerberos!SpAcceptCredentials
     (Kerberos, ticket part ? Maybe ;))
       lsasrv!LsaProtectMemory
       kerberos!KerbHidePassword
       kerberos!KerbCreateLogonSession
       kerberos!SpAcceptCredentials
     (Kerberos part for password ??????)
       lsasrv!LsaProtectMemory
       msv1_0!NlpAddPrimaryCredential
       msv1_0!SspAcceptCredentials
       msv1_0!SpAcceptCredentials

       lsasrv!LsaProtectMemory
       wdigest!SpAcceptCredentials

       lsasrv!LsaProtectMemory
       tspkg!TSHidePassword
       tspkg!SpAcceptCredentials
     After credentials protection, KerbCreateLogonSession calls :
     – NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
     – NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList
  37. mimikatz :: sekurlsa :: kerberos (nt 6) – final implementation
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> Kerberos!KerbGlobalLogonSessionTable + KIWI_KERBEROS_LOGON_AVL_SEARCH -> RtlLookupElementGenericTableAvl -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !
       /* Windows types (BYTE, DWORD, PVOID, LUID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h> */
       typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH {
       #ifdef _M_X64
           BYTE unk0[64];
       #elif defined _M_IX86
           BYTE unk0[36];
       #endif
           LUID LocallyUniqueIdentifier;
       } KIWI_KERBEROS_LOGON_AVL_SEARCH, *PKIWI_KERBEROS_LOGON_AVL_SEARCH;

       typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
           DWORD unk0;
           PVOID unk1;
           PVOID unk2;
       #ifdef _M_X64
           BYTE unk3[96];
       #elif defined _M_IX86
           BYTE unk3[68];
       #endif
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING Password;
       } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
  38. mimikatz :: sekurlsa :: kerberos (nt 5) – final implementation
     [Flow diagram] LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList -> search linked list for LUID -> KIWI_LIVESSP_PRIMARY_CREDENTIAL (label as on the slide) -> LsaUnprotectMemory -> password in clear !
       /* Windows types (DWORD, PVOID, LUID, LSA_UNICODE_STRING) come from <windows.h> / <ntsecapi.h>;
          the […] fields are left unspecified on the slide */
       typedef struct _KIWI_KERBEROS_LOGON_SESSION {
           struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
           struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
           DWORD UsageCount;
           PVOID unk0;
           PVOID unk1;
           PVOID unk2;
           DWORD unk3;
           DWORD unk4;
           PVOID unk5;
           PVOID unk6;
           PVOID unk7;
           LUID LocallyUniqueIdentifier;
       #ifdef _M_IX86
           DWORD unk8;
       #endif
           DWORD unk9;
           DWORD unk10;
           PVOID unk11;
           DWORD unk12;
           DWORD unk13;
           PVOID unk14;
           PVOID unk15;
           PVOID unk16;
           /* […] */
           LSA_UNICODE_STRING UserName;
           LSA_UNICODE_STRING Domaine;
           LSA_UNICODE_STRING Password;
       } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
  39. mimikatz :: sekurlsa :: kerberos – demo time !
  40. mimikatz :: sekurlsa :: kerberos – « hu ? »
     Ok, it works…*
     But why ?
     * Not at every logon on NT5
     * Can need an unlock…
     From my understanding of Microsoft’s explanations, there is no need of passwords for the Kerberos protocol… all is based on the hash (not very sexy either)
  41. mimikatz :: sekurlsa :: kerberos – BONUS « hu ? »
     Microsoft’s implementation of Kerberos is full of logic…
     For password auth :
     – password hash for shared secret, but keeping the password in memory
     For full smartcard auth :
     – No password on client
     – No hash on client ?
       • NTLM hash on client…
       • KDC sent it back as a gift
  42. mimikatz :: sekurlsa – why is this dangerous ?
     Not a bug
     Not a weakness
     Not a vulnerability
     Not a 0-day
     – (for now, there may be too)
     It’s “normal” that LSASS keeps passwords in memory for password-based providers when protocols need them
     – And hashes for msv1_0…
     All of these rely on shared secrets…
     So you can’t prevent Windows internal behaviors… (in a supported way)
     One change from Microsoft on protocols can impact all versions
     I don’t count on a fix or other things in the next [5;10] years…
  43. mimikatz :: sekurlsa – what can we do ?
     Basics
     – No physical access to computer (first step to pass the hash)
     – No admin rights / system rights / debug privileges (…)
     – Disable local admin accounts
     – Strong passwords (haha, it was a joke)
     – Network login instead of interactive (when possible)
     – Audit ; pass the hash keeps traces and can lock accounts
     – No admin rights / system rights / debug privileges, even for VIPs
     More in depth
     – Force strong authentication (SmartCard & Token) : $ / €
     – Short validity for Kerberos tickets
     – No delegation
     – Disable NTLM (available with NT6)
     – Nothing exotic :
       • biometrics (it keeps the password somewhere and pushes it to Windows)
       • single sign on
     – Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
     – Take opportunities to stop retrocompatibility
     – Disable faulty providers ?
       • Is it supported by Microsoft ?
       • Even if it is, will you disable Kerberos and msv1_0 ?
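Two of the basics above ("network login instead of interactive" and "audit ; pass the hash keeps traces") can be turned into a check over the Security log. The following is an added example, not from the presentation or from mimikatz: it walks a constructed list of 4624 / 4625 events (field names simplified from the real event XML, with made-up accounts, hosts and addresses) and reports privileged accounts that logged on interactively to hosts outside an allow-list, logons of type 9 (NewCredentials, the "alternate credentials for outbound use" case), and repeated failures per account and source. The logon-type numbers are Windows' own; the account, host and threshold values are assumptions for the demonstration. The reason the first check matters is what the preceding slides show: an interactive logon leaves the account's secrets in that host's LSASS, a network logon does not.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Logon types as recorded in Security events 4624 (success) / 4625 (failure).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive
NETWORK_LOGON_TYPE = 3
NEW_CREDENTIALS_LOGON_TYPE = 9         # token cloned with new outbound credentials (runas /netonly style)

# Constructed sample events, reduced to the fields the checks need.
SAMPLE_EVENTS = [
    {"EventID": 4624, "User": "alice",  "Domain": "DEMO", "LogonType": 3,  "Computer": "FS01",         "Source": "10.0.0.15"},
    {"EventID": 4624, "User": "da-bob", "Domain": "DEMO", "LogonType": 2,  "Computer": "PAW01",        "Source": "-"},
    {"EventID": 4624, "User": "da-bob", "Domain": "DEMO", "LogonType": 10, "Computer": "WS-RECEPTION", "Source": "10.0.0.42"},
    {"EventID": 4624, "User": "alice",  "Domain": "DEMO", "LogonType": 9,  "Computer": "WS-RECEPTION", "Source": "-"},
    {"EventID": 4625, "User": "da-bob", "Domain": "DEMO", "LogonType": 3,  "Computer": "FS01",         "Source": "10.0.0.42"},
    {"EventID": 4625, "User": "da-bob", "Domain": "DEMO", "LogonType": 3,  "Computer": "FS01",         "Source": "10.0.0.42"},
    {"EventID": 4625, "User": "da-bob", "Domain": "DEMO", "LogonType": 3,  "Computer": "FS01",         "Source": "10.0.0.42"},
]

PRIVILEGED_ACCOUNTS = {"DEMO\\da-bob"}   # constructed: the domain admin account
ADMIN_HOSTS = {"PAW01"}                   # constructed: hosts where an admin may log on interactively

Event = Dict[str, object]


def account(ev: Event) -> str:
    """DOMAIN\\user key for an event."""
    return f"{ev['Domain']}\\{ev['User']}"


def interactive_admin_logons(events: Iterable[Event], privileged: Set[str],
                             admin_hosts: Set[str]) -> List[Tuple[str, str, int]]:
    """Privileged accounts logged on interactively to hosts outside the admin set.
    Each such logon parks that account's credential material in the host's LSASS."""
    return [(account(e), e["Computer"], e["LogonType"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and account(e) in privileged and e["Computer"] not in admin_hosts]


def new_credentials_logons(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Logon type 9: a process was given alternate credentials for outbound use.
    Legitimate for runas /netonly, but worth reviewing on ordinary workstations."""
    return [(account(e), e["Computer"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == NEW_CREDENTIALS_LOGON_TYPE]


def repeated_failures(events: Iterable[Event], threshold: int) -> Dict[Tuple[str, str], int]:
    """(account, source) pairs with at least `threshold` failed logons: the traces
    the slide mentions, and the ones that trip account lockout."""
    counts = Counter((account(e), e["Source"]) for e in events if e["EventID"] == 4625)
    return {key: n for key, n in counts.items() if n >= threshold}


def audit(events: List[Event], privileged: Set[str], admin_hosts: Set[str],
          fail_threshold: int = 3) -> Dict[str, object]:
    """Run the three checks and return the findings keyed by check name."""
    return {
        "interactive_admin_logons": interactive_admin_logons(events, privileged, admin_hosts),
        "new_credentials_logons": new_credentials_logons(events),
        "repeated_failures": repeated_failures(events, fail_threshold),
    }


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS, ADMIN_HOSTS).items():
        print(name, findings)
```

On the sample, the admin's logon on PAW01 is accepted, the RemoteInteractive logon on WS-RECEPTION is reported, alice's type 9 logon is listed for review, and the three failures for da-bob from 10.0.0.42 cross the threshold. Feeding real events means mapping the `TargetUserName`, `TargetDomainName`, `LogonType`, `Computer` and `IpAddress` fields of the event XML onto the simplified keys used here.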
44. mimikatz :: sekurlsa – Code it! Implement it in Meta! Discover!
Pass the hash:
Package   Symbols                                                                          Description
msv1_0    SeckPkgFunctionTable->GetCredentials, SeckPkgFunctionTable->LsaUnprotectMemory   Get clear LM & NTLM hashes from LUID
msv1_0    SeckPkgFunctionTable->LsaProtectMemory, SeckPkgFunctionTable->AddCredential      Push clear LM & NTLM hashes to LUID
msv1_0    SeckPkgFunctionTable->DeleteCredential                                           Delete hashes from LUID
Get passwords:
Package   Symbols                                                                                  Type
tspkg     tspkg!TSGlobalCredTable, SeckPkgFunctionTable->LsaUnprotectMemory                        RTL_AVL_TABLE
wdigest   wdigest!l_LogSessList, SeckPkgFunctionTable->LsaUnprotectMemory                          LIST_ENTRY
livessp   livessp!LiveGlobalLogonSessionList, SeckPkgFunctionTable->LsaUnprotectMemory             LIST_ENTRY
kerberos  kerberos!KerbLogonSessionList, SeckPkgFunctionTable->LsaUnprotectMemory                  LIST_ENTRY (nt5)
kerberos  Kerberos!KerbGlobalLogonSessionTable, SeckPkgFunctionTable->LsaUnprotectMemory           RTL_AVL_TABLE (nt6)
45. mimikatz :: sekurlsa – little help to start!
Package   Data                 Little help*
*         @getLogonPasswords   Use the « full » keyword as argument of the functions
msv1_0    @getMSV              @getMSVFunctions
tspkg     @getTsPkg            @getTsPkgFunctions
wdigest   @getWDigest          @getWDigestFunctions
livessp   @getLiveSSP          @getLiveSSPFunctions
kerberos  @getKerberos         @getKerberosFunctions
Example output:
msv1_0 : ** lsasrv.dll ** ; Statut recherche : OK :) – 3
 * Utilisateur : termuser
 * Domaine : DEMO
 * Hash LM : d0e9aee149655a6075e4540af1f22d3b
 * Hash NTLM : cc36cf7a8514893efccd332446158b1a
   @GetCredentials = 000007F9C1C62938
   @AddCredential = 000007F9C1C71010
   @DeleteCredential = 000007F9C1C61F58
   @LsaUnprotectMemory = 000007F9C1C59960
   @LsaProtectMemory = 000007F9C1C628A4
tspkg : ** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :)
 * Utilisateur : termuser
 * Domaine : DEMO
 * Mot de passe : waza1234/
   @TSGlobalCredTable = 000007F9C1557B20
   @LsaUnprotectMemory = 000007F9C1C59960
wdigest : ** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :)
 * Utilisateur : termuser
 * Domaine : DEMO
 * Mot de passe : waza1234/
   @l_LogSessList = 000007F9C15E12B0
   @LsaUnprotectMemory = 000007F9C1C59960
livessp : ** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :)
 * Utilisateur : sekurlsa@live.fr
 * Domaine : ps:password
 * Mot de passe : waza1234/
   @LiveGlobalLogonSessionList = 000007F9C14E8C68
   @LsaUnprotectMemory = 000007F9C1C59960
kerberos : ** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :)
 * Utilisateur : termuser
 * Domaine : DEMO.LOCAL
 * Mot de passe : waza1234/
   @KerbGlobalLogonSessionTable = 000007F9C1955AE0
   @KerbLogonSessionList = 0000000000000000
   @LsaUnprotectMemory = 000007F9C1C59960
46. mimikatz :: sekurlsa – some ideas
Meterpreter post module
Standalone binary without injection – yeah, it's easy!
– read all data (sessions, encrypted passwords)
– read all keys and implement your own (un)protectMemory routine!
– decrypt / encrypt
Extract all of this from a memory dump / hiberfile! etc…
Make demonstrations to your chief information security officer
Ask Microsoft to work on a better implementation
– Maybe offer the possibility to disable some functionalities
– Think globally about the data really needed for authentication
48. mimikatz – what else?
Crypto: mod_mimikatz_crypto / mod_crypto
– Export non-exportable certificates and keys
  • CryptoAPI
  • CNG…
Stop event monitoring: mod_mimikatz_divers
Basic GPO bypass: mod_mimikatz_nogpo
Applocker / SRP bypass: kappfree.dll
Driver: mimikatz.sys
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List notifications (process / thread / image / registry)
– List object hooks and procedures
– …
49. mimikatz – that's all folks!
Thanks to / Спасибо:
– my girlfriend for her support (her LSASS crashed a few times)
– Positive Technologies for offering me this great opportunity
– Microsoft for considering it normal/acceptable
– Security friends/community for their ideas & challenges
– You, for your attention!
Questions? Don't be shy ;) especially if you have written down the corresponding slide number
50. mimikatz – source code
Not available for now
– I'm not proud of mixing C/C++ and STL in LSASS
– Script kiddies would use it without understanding it
But a small part of it, for "pass the pass", is available
– So download it from the mimikatz download page
  • http://blog.gentilkiwi.com/mimikatz
51. Blog & Contact
blog/mimikatz : http://blog.gentilkiwi.com/mimikatz
email : benjamin@gentilkiwi.com
Twitter : @gentilkiwi