SlideShare a Scribd company logo
mimikatz 2.0
Benjamin DELPY `gentilkiwi`
Our little story
`whoami`, why am I doing this?
mimikatz 2.0 & sekurlsa
Focus on Windows 8.1 et 2012r2
Kerberos & strong authentication
Questions / Answers
And of course, some demos during the session
(and stickers ;)
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
`whoami`? Why mimikatz ?
Benjamin DELPY `gentilkiwi`
– Kiwi addict, I code, but when it’s done, I tweet about it: @gentilkiwi
– lazy efficient ;
– I don’t work as pentester/searcher/technical guy, I do it as a Kiwi (nights) ;
– I use Windows (but also OpenBSD)
• is the enemy of your enemy your friend? ;)
`mimikatz`
– born 2007 ;
– is not a hacking tool (seriously) ;
– is coded for my personal needs ;
– can demonstrate some security concept ;
• Have you ever try to demonstrate “theoretical” risks and to obtain reaction? acts?
(budgets?)
– try to follow Microsoft's evolution (who’s the cat/mouse?)
– is not enough documented ! (I know, but I work on it on GitHub…)
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3
mimikatz 2.0
fully recoded in C, with system’s runtimes (≠ VC9, 10…)
– strict code (no goto ;))
– smaller (~180 kb)
– Deal relatively transparently with memory/process/dumps, and with
registry/hives.
Works on XP/2003, Vista/2008, Seven/2008r2, 8/2012 and 8.1/2012r2
– x86 & x64 ;)
– Windows 2000 support dropped with 1.0 version
Two other components, not mandatory:
1. mimidrv ; a driver to interact with the Windows Kernel (hooks, tokens, process…)
2. mimilib ; a library with some goodies :
• AppLocker bypass ;
• Authentication Package (SSP) ;
• Password filter ;
• mimikatz::sekurlsa for WinDBG.
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4
mimikatz :: sekurlsa
LSA (level )
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5
LsaSSWinLogon
Authentication
Packages
msv1_0
tspkg
wdigest
livessp
kerberos
Authentication
msv1_0
kerberos
SAM
Challenge
Response
user:domain:password
PLAYSKOOL
mimikatz :: sekurlsa
LSA (level )
Authentication packages :
– take user’s credentials ;
– do their job (hash, asking for ticket…) ;
– keep enough data in memory to compute the answers to the challenges
(Single Sign On).
• Not in all case, eg: LiveSSP provider does not keep data for a SmartCard authentication
If we can get data, and inject it in another session of LSASS, we
avoid authentication part.
If we put data in right places, we can still answer to the challenges.
This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-* »
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6
PLAYSKOOL
mimikatz :: sekurlsa
demo ! - sekurlsa::logonpasswords
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7
mimikatz :: sekurlsa
what is it ?
This module of mimikatz read data from SamSs service (known as
LSASS process) or from a memory dump!
sekurlsa module can retrieve:
– MSV1_0 hash & keys (dpapi)
– TsPkg password
– WDigest password
– LiveSSP password
– Kerberos password, ekeys, tickets & pin
– SSP password
And also :
– pass-the-hash
– overpass-the-hash / pass-the-(e)key
• RC4 (ntlm), AES128 & AES256
– pass-the-ticket (official MSDN API !)
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8
mimikatz :: sekurlsa
workflow
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9
for each session
typedef struct _KIWI_struct {
LUID LocallyUniqueIdentifier;
[…]
LSA_UNICODE_STRING UserName;
LSA_UNICODE_STRING Domaine;
LSA_UNICODE_STRING Password;
[…]
} KIWI_struct, *PKIWI_struct;
module!symbol
search list/AVL for LUID
KIWI_struct
Credentials
in clear !
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
Package Symbols Type
tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE
wdigest wdigest!l_LogSessList LIST_ENTRY
livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
LIST_ENTRY
ULONG
ssp msv1_0!SspCredentialList LIST_ENTRY
Key NT 5 Symbols
RC4 lsasrv!g_cbRandomKey
lsasrv!g_pRandomKey
DESx lsasrv!g_pDESXKey
lsasrv!g_Feedback
Key NT 6 Symbols
lsasrv!InitializationVector
3DES lsasrv!h3DesKey
AES lsasrv!hAesKey
LsaUnprotectMemory
mimikatz :: sekurlsa
memo
Security Packages
Protection Keys
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10
Package Symbols Type
tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE
wdigest wdigest!l_LogSessList LIST_ENTRY
livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
LIST_ENTRY
ULONG
ssp msv1_0!SspCredentialList LIST_ENTRY
Key NT 5 Symbols
RC4 lsasrv!g_cbRandomKey
lsasrv!g_pRandomKey
DESx lsasrv!g_pDESXKey
lsasrv!g_Feedback
Key NT 6 Symbols
lsasrv!InitializationVector
3DES lsasrv!h3DesKey
AES lsasrv!hAesKey
mimikatz :: sekurlsa
LsaEncryptMemory
All credentials in memory are encrypted, but in a reversible way to
be used (ok, not ~all~ are encrypted)
Encryption is symmetric, keys are in the memory of the LSASS
process
– It’s like sending an encrypted ZIP with the password in the same email…
– Encrypt works with LsaProtectMemory, decrypt with LsaUnprotectMemory
Both deal with LsaEncryptMemory
Depending on the secret size, algorithm is different:
NT5 NT6
– RC4 – 3DES
– DESx – AES
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11
g_pRandomKey
g_cbRandomKey
l
s
a
s
s
l
s
a
s
r
v
m
i
m
i
k
a
t
z
l
s
a
s
r
v
/
e
m
u
l
copy…
h3DesKey
g_Feedback
g_pDESXKey
hAesKey
InitializationVector
mimikatz :: sekurlsa
demo ! - sekurlsa::logonpasswords
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12
mimikatz
Focus on Windows 8.1 & 2012r2
After a lot of customers cases, time, credentials stolen...Microsoft had to react!
(a little bit, ok ;))
“In Windows Server 2012 R2 and Windows 8.1, new credential protection and domain
authentication controls have been added to address credential theft.”
– http://technet.microsoft.com/library/dn344918.aspx#BKMK_CredentialsProtectionManagement
“Restricted Admin mode for Remote Desktop Connection”
Avoid user credentials to be sent to the server (and stolen)
Allow authentication by pass-the-hash, pass-the-ticket & overpass-the-hash with CredSSP
“LSA Protection”
Deny memory access to LSASS process (protected process)
Bypassed by a driver or another protected process (remember? mimikatz has a driver ;))
“Protected Users security group”
No more NTLM, WDigest, CredSSP, no delegation nor SSO... Strengthening Kerberos only!
Kerberos tickets can still be stolen and replayed (and smartcard/pin code is in memory =))
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13
mimikatz
Focus on Windows 8.1 & 2012r2
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14
LM NTLM SHA1 NTLM SHA1 Root DPAPI off on off on pass 1 PIN 4 tickets eKeys
Local Account 2
Domain Account 2 5
Local Account
Domain Account
Microsoft Account
Local Account
Domain Account
Microsoft Account 3 3
Local Account 3 3 7
Domain Account 3 3
Domain Protected Users 3 3
not applicable 1. can need an unlock on NT5, not available with smartcard
Fingerprint data in memory 2. tspkg is not installed by default on XP, not available on 2003
code pass gestures pass pass no data in memory 3. tspkg is off by default (but needed for SSO with remoteapps/ts), wdigest too
Microsoft Account http://technet.microsoft.com/library/dn303404.aspx
Local Account 4. PIN code when SmartCard used for native Logon
5. PIN code is NOT encrypted in memory (XP/2003)
6. When accessed/used by owner
7. When local admin, UAC and after unlock
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Jul 8 2014 01:44:40)
.## ^ ##.
## /  ## /* * *
##  / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz
'#####' (oe.eo) 15th RMLL/LSM (oe.eo) with 14 modules * * */
ssp
tspkg
livessp
wdigest
dpapi
PIN Picture
Windows 8.1 vault for user's authentication
credman 6
Windows XP/2003
Windows Vista/2008 & 7/2008r2
Windows 8/2012
kerberosPrimary CredentialKeys
Windows 8.1/2012r2
mimikatz
Focus on Windows 8.1 & 2012r2
06/12/2012 - Mitigating Pass-the-Hash-Attacks and Other Credential Theft
– http://blogs.technet.com/b/security/archive/2012/12/06/new-guidance-to-mitigate-
determined-adversaries-favorite-attack-pass-the-hash.aspx
– http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-
6ECFB10CB4B9/Mitigating%20Pass-the-
Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf
13/05/2014 - KB2871997 - Backport of Windows 8.1/2012r2 nice stuff to
7/2008r2 & 8/2012
– http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
08/07/2014 - Mitigating Pass-the-Hash-Attacks and Other Credential Theft -
Version 2
– http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-
organizations-better-protect-against-pass-the-hash-attacks.aspx
– http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-
6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15
mimikatz :: kerberos
« Kerberos is a computer network authentication
protocol which works on the basis of 'tickets' to
allow nodes communicating over a non-secure
network to prove their identity to one another in
a secure manner »
– http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
Two kinds of ticket:
– TGT : for account in the domain;
– TGS : to access a service on a node, for one user.
Some resources more accurate than me:
– http://technet.microsoft.com/library/bb742516.aspx
– http://www.ietf.org/rfc/rfc4120.txt
– http://msdn.microsoft.com/library/windows/desktop/aa
378170.aspx
– http://msdn.microsoft.com/library/cc237917.aspx
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16
mimikatz :: kerberos 1/3 authentication
Kerberos (level )
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17
① AS-REQ
I would like a ticket for
‘Administrateur’ on
the domain ‘chocolate’
② AS-REP
Here is a TGT ticket for ‘Administrateur’ on
the domain ‘chocolate’
If you have its credentials (good passwords, so
good keys), you can use it to ask me TGS, thanks
to the session key
rid username ntlm
500Administrateur cc36cf7a8514893efccd332446158b1a
502krbtgt 310b643c5316c8c3c70a10cfb17e2e31
1106Equipement 57a087d98bfac9df10df27a564b77ad6
1107Utilisateur 8e3a18d453ec2450c321003772d678d5
1108serveur$ 77d4b1409b7e5b97263b0f0230f73041
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Administrateur
PLAYSKOOL
KDC
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
krbtgt
username password ntlm
Administrateur waza1234/ cc36cf7a8514893efccd332446158b1a
mimikatz :: kerberos 2/3 asking for service
Kerberos (level )
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18
③ TGS-REQ
I would like a ticket for the ‘cifs’ service on
‘serveur’ of ‘chocolate’ domain.
Here is my TGT and some information
encrypted with session key. I know it,
because I’m really ‘Administrateur’.
④ TGS-REP
Here is a TGS for ‘cifs/serveur’ on the
‘chocolate’ domain
If you know intial session key, you can decrypt
TGS session key and use it for communicate with
‘serveur’
rid username ntlm
500Administrateur cc36cf7a8514893efccd332446158b1a
502krbtgt 310b643c5316c8c3c70a10cfb17e2e31
1106Equipement 57a087d98bfac9df10df27a564b77ad6
1107Utilisateur 8e3a18d453ec2450c321003772d678d5
1108serveur$ 77d4b1409b7e5b97263b0f0230f73041
KDC
Start/End/MaxRenew
Administrateur @ chocolate.local
krbtgt / chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
krbtgt
req-data
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur$
PLAYSKOOL
mimikatz :: kerberos 3/3 access
Kerberos (level )
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19
⑤ Hello ‘serveur’, here is a TGS for you. It show that the KDC knows me as ‘Administrateur’
on the ‘chocolate’ domain for using your ‘cifs’ service.
All that with all the benefits that the KDC me recognize me (groups, privileges, time…)
You can check this ticket because you know the secret key of this ticket (it’s your secret),
so you check session key of the request.
rid username ntlm
1108serveur$ 77d4b1409b7e5b97263b0f0230f73041
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur$
req-data
Session key
PLAYSKOOL
mimikatz :: kerberos
pass-the-ticket
TGS theft – access to a service on a server for 10h (can vary)
TGT theft – full identity of one user for 10h (can vary)
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20
KDC
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur1$
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
krbtgt
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur2$
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur1$
mimikatz :: kerberos
overpass-the-hash
eKey theft – full identity of one user for password lifetime on the domain
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21
KDC
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur1$
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
Session key
Start/End/MaxRenew
cifs/serveur @ chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
serveur2$
username ntlm
Administrateur cc36cf7a8514893efccd332446158b1a
KDC
① AS-REQ
I would like a ticket for
‘Administrateur’ on
the domain ‘chocolate’
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
SID : S-1-5-21-a-b-c
User RID : 500 (Administrateur)
Groups RID : 520,512,519,518,572
(Admins du domaine, entreprise, …)
Dernier changmt. 04/02/2014 23:21:07
Expire Jamais
Modifiable 05/02/2014 23:21:07
krbtgt
Start/End/MaxRenew
krbtgt / chocolate.local
Administrateur @ chocolate.local
Session key + metadata
② AS-REP
Here is a TGT ticket for
‘Administrateur’ on
the domain ‘chocolate’
mimikatz :: kerberos
overpass-the-hash
wait? I can obtain a Kerberos ticket with a NTLM hash? Like in “pass-the-hash”?
– Only a hash ?
– Yeah, you can =)
So what is that?
– Preauth & first data are encrypted with user key, but what is that key ?
– For RC4, the key is the NTLM hash!
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22
Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670
RID : 000001f4 (500)
User : Administrateur
* Primary
LM :
NTLM : cc36cf7a8514893efccd332446158b1a
* Kerberos
Default Salt : CHOCOLATE.LOCALAdministrateur
Credentials
des_cbc_md5 : f8fd987fa7153185
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALAdministrateur
Default Iterations : 4096
Credentials
aes256_hmac (4096) : b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3
des_cbc_md5 (4096) : f8fd987fa7153185
mimikatz :: kerberos
demo ! - sekurlsa::tickets
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23
mimikatz :: kerberos
Golden Ticket
TGT are limited to 10 hours and can be renewed
– configurable time
TGT are nothing more than TGS for a service named ‘krbtgt’ for all KDC in a
domain
For that, they’re encrypted with a common key for each KDC. With RC4, the
NTLM hash of the fictive account ‘krbtgt’ (or AES)
I don’t really know why, but this key is “never” renewed (only when migrating to
>= 2008 functional level domain)
– However, using the passwords history (2) of this account, a full renew can be done in two moves.
What could we do with a permanent key, which allow creating TGT ?
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24
Nom d’utilisateur krbtgt
Commentaire Compte de service du centre de distribution de clés
Compte : actif Non
rid username type key
502 krbtgt
rc4 310b643c5316c8c3c70a10cfb17e2e31
aes128 Da3128afc899a298b72d365bd753dbfb
aes256 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42
mimikatz :: kerberos
Golden Ticket – TGT Create (extract)
Client name : Administrateur
Service name : krbtgt/chocolate.local
Validity
– Start Time 09/07/2014 10:25:00
– End Time 09/07/2024 10:25:00
…
Authorization data Microsoft (PAC)
– Username : Administrateur
– Domain SID
• S-1-5-21-130452501-2365100805-3685010670
– User ID
• 500 Administrateur
– Groups ID
• 512 Admins du domaine
• 519 Administrateurs de l’entreprise
• 518 Administrateurs du schéma
• …
– …
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25
rid username ntlm
502krbtgt 310b643c5316c8c3c70a10cfb17e2e31
mimikatz :: kerberos
demo ! - kerberos::golden
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 26
mimikatz :: sekurlsa
What we can do ?
Basics
– No physical access to computer / servers
• Volume/disk encryption
– No admin rights! (even for VIP) – no Debug privilege!
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless )
– For privileged account, network login instead of interactive (when possible)
– Audit ; pass the hash keeps traces and can lock accounts
– Use separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) : $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable LM & NTLM (force Kerberos)
– No exotic biometric!
– Let opportunities to stop retro compatibility
To study
– TPM on Windows 8.1
• Virtual SmartCard seems promising
– Verify TPM CSP/KSP of specific provider (Lenovo, Dell, …)
• Remember biometric? ;)
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27
Use HSM / Kerberos Box for crypto operations
mimikatz
what else?
Retrieve system/users secrets (like saved passwords)
Export keys/certificates, even those that are not exportable
(software CAPI & CNG)
Stop event monitoring…
Bypass Applocker / SRP
Manipulate some Handles
Patch Terminal Server
Basic GPO bypass
Driver
– Play with Tokens & Privilèges
– Display SSDT x86 & x64
– List MiniFilters
– List Notifications (process/thread/image/registry)
– List hooks et and procedures of Objects
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
mimikatz
That’s all Folks!
Thanks’ to / Merci à :
– RMLL / LSM & partners ;
• Especially Christian for his invitation!
– Microsoft to change some behaviors!  ;
– Community for ideas (∞) ;
– Folks, friends supporting me every day (oe.eo) ;
– You, for your attention and your nice messages!
Questions, remarks?
Please! Don’t be shy!
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
Blog, Source Code & Contact
09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30
blog http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source https://github.com/gentilkiwi/mimikatz
contact @gentilkiwi / benjamin@gentilkiwi.com

More Related Content

What's hot

Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a servicePino deCandia
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authenticationshytikov
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSLZhi Guan
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use casesEnrico Zimuel
 
9 password security
9   password security9   password security
9 password securitydrewz lin
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.luigi capuzzello
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 

What's hot (20)

mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Password Security
Password SecurityPassword Security
Password Security
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use cases
 
Sicurezza informatica
Sicurezza informaticaSicurezza informatica
Sicurezza informatica
 
9 password security
9   password security9   password security
9 password security
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++
 

Viewers also liked

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Cecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsCecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsBenjamin Delpy
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
Golden ticket, pass the ticket mi tm   kerberos attacks explainedGolden ticket, pass the ticket mi tm   kerberos attacks explained
Golden ticket, pass the ticket mi tm kerberos attacks explainedPeter Swedin
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 

Viewers also liked (7)

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
mimikatz @ sthack
mimikatz @ sthackmimikatz @ sthack
mimikatz @ sthack
 
Cecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsCecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de Windows
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
Golden ticket, pass the ticket mi tm   kerberos attacks explainedGolden ticket, pass the ticket mi tm   kerberos attacks explained
Golden ticket, pass the ticket mi tm kerberos attacks explained
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
mimikatz @ ossir
mimikatz @ ossirmimikatz @ ossir
mimikatz @ ossir
 

Similar to mimikatz @ rmll

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domainFrancois Marier
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018Dor Tumarkin
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018Checkmarx
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
2012 03 The Death of Passwords
2012 03 The Death of Passwords2012 03 The Death of Passwords
2012 03 The Death of PasswordsRaleigh ISSA
 
Deep Geek Diving into the iPhone OS and Frameworks
Deep Geek Diving into the iPhone OS and FrameworksDeep Geek Diving into the iPhone OS and Frameworks
Deep Geek Diving into the iPhone OS and FrameworksTim Burks
 
Deep Geek Diving into the iPhone OS and Framework
Deep Geek Diving into the iPhone OS and FrameworkDeep Geek Diving into the iPhone OS and Framework
Deep Geek Diving into the iPhone OS and FrameworkJohn Wilker
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Prometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesPrometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesLeonardo Di Donato
 
리눅스 드라이버 실습 #3
리눅스 드라이버 실습 #3리눅스 드라이버 실습 #3
리눅스 드라이버 실습 #3Sangho Park
 
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...Codemotion
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursDavid Busby, CISSP
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecurityOKsystem
 

Similar to mimikatz @ rmll (20)

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your Life
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domain
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
 
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018(De)serial Killers - BSides Las Vegas & AppSec IL 2018
(De)serial Killers - BSides Las Vegas & AppSec IL 2018
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
2012 03 The Death of Passwords
2012 03 The Death of Passwords2012 03 The Death of Passwords
2012 03 The Death of Passwords
 
Deep Geek Diving into the iPhone OS and Frameworks
Deep Geek Diving into the iPhone OS and FrameworksDeep Geek Diving into the iPhone OS and Frameworks
Deep Geek Diving into the iPhone OS and Frameworks
 
Deep Geek Diving into the iPhone OS and Framework
Deep Geek Diving into the iPhone OS and FrameworkDeep Geek Diving into the iPhone OS and Framework
Deep Geek Diving into the iPhone OS and Framework
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your Life
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Prometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesPrometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on Kubernetes
 
리눅스 드라이버 실습 #3
리눅스 드라이버 실습 #3리눅스 드라이버 실습 #3
리눅스 드라이버 실습 #3
 
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yours
 
Password hacking
Password hackingPassword hacking
Password hacking
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones Security
 

Recently uploaded

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
Transforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXTransforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXUXDXConf
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Boni Yeamin
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfAnthony Lucente
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 

Recently uploaded (20)

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Transforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXTransforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UX
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 

mimikatz @ rmll

  • 2. Our little story `whoami`, why am I doing this? mimikatz 2.0 & sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos & strong authentication Questions / Answers And of course, some demos during the session (and stickers ;) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
  • 3. `whoami`? Why mimikatz ? Benjamin DELPY `gentilkiwi` – Kiwi addict, I code, but when it’s done, I tweet about it: @gentilkiwi – lazy efficient ; – I don’t work as pentester/searcher/technical guy, I do it as a Kiwi (nights) ; – I use Windows (but also OpenBSD) • is the enemy of your enemy your friend? ;) `mimikatz` – born 2007 ; – is not a hacking tool (seriously) ; – is coded for my personal needs ; – can demonstrate some security concept ; • Have you ever try to demonstrate “theoretical” risks and to obtain reaction? acts? (budgets?) – try to follow Microsoft's evolution (who’s the cat/mouse?) – is not enough documented ! (I know, but I work on it on GitHub…) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3
  • 4. mimikatz 2.0 fully recoded in C, with system’s runtimes (≠ VC9, 10…) – strict code (no goto ;)) – smaller (~180 kb) – Deal relatively transparently with memory/process/dumps, and with registry/hives. Works on XP/2003, Vista/2008, Seven/2008r2, 8/2012 and 8.1/2012r2 – x86 & x64 ;) – Windows 2000 support dropped with 1.0 version Two other components, not mandatory: 1. mimidrv ; a driver to interact with the Windows Kernel (hooks, tokens, process…) 2. mimilib ; a library with some goodies : • AppLocker bypass ; • Authentication Package (SSP) ; • Password filter ; • mimikatz::sekurlsa for WinDBG. 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4
  • 5. mimikatz :: sekurlsa LSA (level ) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5 LsaSSWinLogon Authentication Packages msv1_0 tspkg wdigest livessp kerberos Authentication msv1_0 kerberos SAM Challenge Response user:domain:password PLAYSKOOL
  • 6. mimikatz :: sekurlsa LSA (level ) Authentication packages : – take user’s credentials ; – do their job (hash, asking for ticket…) ; – keep enough data in memory to compute the answers to the challenges (Single Sign On). • Not in all case, eg: LiveSSP provider does not keep data for a SmartCard authentication If we can get data, and inject it in another session of LSASS, we avoid authentication part. If we put data in right places, we can still answer to the challenges. This is the principle of « Pass-the-hash » – In fact, of « Pass-the-* » 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6 PLAYSKOOL
  • 7. mimikatz :: sekurlsa demo ! - sekurlsa::logonpasswords 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7
  • 8. mimikatz :: sekurlsa what is it ? This module of mimikatz read data from SamSs service (known as LSASS process) or from a memory dump! sekurlsa module can retrieve: – MSV1_0 hash & keys (dpapi) – TsPkg password – WDigest password – LiveSSP password – Kerberos password, ekeys, tickets & pin – SSP password And also : – pass-the-hash – overpass-the-hash / pass-the-(e)key • RC4 (ntlm), AES128 & AES256 – pass-the-ticket (official MSDN API !) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8
  • 9. mimikatz :: sekurlsa workflow 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9 for each session typedef struct _KIWI_struct { LUID LocallyUniqueIdentifier; […] LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; […] } KIWI_struct, *PKIWI_struct; module!symbol search list/AVL for LUID KIWI_struct Credentials in clear ! lsasrv!LogonSessionList lsasrv!LogonSessionListCount Package Symbols Type tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE wdigest wdigest!l_LogSessList LIST_ENTRY livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE msv1_0 lsasrv!LogonSessionList lsasrv!LogonSessionListCount LIST_ENTRY ULONG ssp msv1_0!SspCredentialList LIST_ENTRY Key NT 5 Symbols RC4 lsasrv!g_cbRandomKey lsasrv!g_pRandomKey DESx lsasrv!g_pDESXKey lsasrv!g_Feedback Key NT 6 Symbols lsasrv!InitializationVector 3DES lsasrv!h3DesKey AES lsasrv!hAesKey LsaUnprotectMemory
  • 10. mimikatz :: sekurlsa memo Security Packages Protection Keys 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10 Package Symbols Type tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE wdigest wdigest!l_LogSessList LIST_ENTRY livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE msv1_0 lsasrv!LogonSessionList lsasrv!LogonSessionListCount LIST_ENTRY ULONG ssp msv1_0!SspCredentialList LIST_ENTRY Key NT 5 Symbols RC4 lsasrv!g_cbRandomKey lsasrv!g_pRandomKey DESx lsasrv!g_pDESXKey lsasrv!g_Feedback Key NT 6 Symbols lsasrv!InitializationVector 3DES lsasrv!h3DesKey AES lsasrv!hAesKey
  • 11. mimikatz :: sekurlsa LsaEncryptMemory All credentials in memory are encrypted, but in a reversible way to be used (ok, not ~all~ are encrypted) Encryption is symmetric, keys are in the memory of the LSASS process – It’s like sending an encrypted ZIP with the password in the same email… – Encrypt works with LsaProtectMemory, decrypt with LsaUnprotectMemory Both deal with LsaEncryptMemory Depending on the secret size, algorithm is different: NT5 NT6 – RC4 – 3DES – DESx – AES 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11 g_pRandomKey g_cbRandomKey l s a s s l s a s r v m i m i k a t z l s a s r v / e m u l copy… h3DesKey g_Feedback g_pDESXKey hAesKey InitializationVector
  • 12. mimikatz :: sekurlsa demo ! - sekurlsa::logonpasswords 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12
  • 13. mimikatz Focus on Windows 8.1 & 2012r2 After a lot of customers cases, time, credentials stolen...Microsoft had to react! (a little bit, ok ;)) “In Windows Server 2012 R2 and Windows 8.1, new credential protection and domain authentication controls have been added to address credential theft.” – http://technet.microsoft.com/library/dn344918.aspx#BKMK_CredentialsProtectionManagement “Restricted Admin mode for Remote Desktop Connection” Avoid user credentials to be sent to the server (and stolen) Allow authentication by pass-the-hash, pass-the-ticket & overpass-the-hash with CredSSP “LSA Protection” Deny memory access to LSASS process (protected process) Bypassed by a driver or another protected process (remember? mimikatz has a driver ;)) “Protected Users security group” No more NTLM, WDigest, CredSSP, no delegation nor SSO... Strengthening Kerberos only! Kerberos tickets can still be stolen and replayed (and smartcard/pin code is in memory =)) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13
  • 14. mimikatz Focus on Windows 8.1 & 2012r2 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14 LM NTLM SHA1 NTLM SHA1 Root DPAPI off on off on pass 1 PIN 4 tickets eKeys Local Account 2 Domain Account 2 5 Local Account Domain Account Microsoft Account Local Account Domain Account Microsoft Account 3 3 Local Account 3 3 7 Domain Account 3 3 Domain Protected Users 3 3 not applicable 1. can need an unlock on NT5, not available with smartcard Fingerprint data in memory 2. tspkg is not installed by default on XP, not available on 2003 code pass gestures pass pass no data in memory 3. tspkg is off by default (but needed for SSO with remoteapps/ts), wdigest too Microsoft Account http://technet.microsoft.com/library/dn303404.aspx Local Account 4. PIN code when SmartCard used for native Logon 5. PIN code is NOT encrypted in memory (XP/2003) 6. When accessed/used by owner 7. When local admin, UAC and after unlock .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Jul 8 2014 01:44:40) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz '#####' (oe.eo) 15th RMLL/LSM (oe.eo) with 14 modules * * */ ssp tspkg livessp wdigest dpapi PIN Picture Windows 8.1 vault for user's authentication credman 6 Windows XP/2003 Windows Vista/2008 & 7/2008r2 Windows 8/2012 kerberosPrimary CredentialKeys Windows 8.1/2012r2
  • 15. mimikatz Focus on Windows 8.1 & 2012r2 06/12/2012 - Mitigating Pass-the-Hash-Attacks and Other Credential Theft – http://blogs.technet.com/b/security/archive/2012/12/06/new-guidance-to-mitigate- determined-adversaries-favorite-attack-pass-the-hash.aspx – http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C- 6ECFB10CB4B9/Mitigating%20Pass-the- Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf 13/05/2014 - KB2871997 - Backport of Windows 8.1/2012r2 nice stuff to 7/2008r2 & 8/2012 – http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx 08/07/2014 - Mitigating Pass-the-Hash-Attacks and Other Credential Theft - Version 2 – http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help- organizations-better-protect-against-pass-the-hash-attacks.aspx – http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C- 6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15
  • 16. mimikatz :: kerberos « Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner » – http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 Two kinds of ticket: – TGT : for account in the domain; – TGS : to access a service on a node, for one user. Some resources more accurate than me: – http://technet.microsoft.com/library/bb742516.aspx – http://www.ietf.org/rfc/rfc4120.txt – http://msdn.microsoft.com/library/windows/desktop/aa 378170.aspx – http://msdn.microsoft.com/library/cc237917.aspx 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16
  • 17. mimikatz :: kerberos 1/3 authentication Kerberos (level ) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17 ① AS-REQ I would like a ticket for ‘Administrateur’ on the domain ‘chocolate’ ② AS-REP Here is a TGT ticket for ‘Administrateur’ on the domain ‘chocolate’ If you have its credentials (good passwords, so good keys), you can use it to ask me TGS, thanks to the session key rid username ntlm 500Administrateur cc36cf7a8514893efccd332446158b1a 502krbtgt 310b643c5316c8c3c70a10cfb17e2e31 1106Equipement 57a087d98bfac9df10df27a564b77ad6 1107Utilisateur 8e3a18d453ec2450c321003772d678d5 1108serveur$ 77d4b1409b7e5b97263b0f0230f73041 Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata Administrateur PLAYSKOOL KDC Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 krbtgt username password ntlm Administrateur waza1234/ cc36cf7a8514893efccd332446158b1a
  • 18. mimikatz :: kerberos 2/3 asking for service Kerberos (level ) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18 ③ TGS-REQ I would like a ticket for the ‘cifs’ service on ‘serveur’ of ‘chocolate’ domain. Here is my TGT and some information encrypted with session key. I know it, because I’m really ‘Administrateur’. ④ TGS-REP Here is a TGS for ‘cifs/serveur’ on the ‘chocolate’ domain If you know intial session key, you can decrypt TGS session key and use it for communicate with ‘serveur’ rid username ntlm 500Administrateur cc36cf7a8514893efccd332446158b1a 502krbtgt 310b643c5316c8c3c70a10cfb17e2e31 1106Equipement 57a087d98bfac9df10df27a564b77ad6 1107Utilisateur 8e3a18d453ec2450c321003772d678d5 1108serveur$ 77d4b1409b7e5b97263b0f0230f73041 KDC Start/End/MaxRenew Administrateur @ chocolate.local krbtgt / chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 krbtgt req-data Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur$ PLAYSKOOL
  • 19. mimikatz :: kerberos 3/3 access Kerberos (level ) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19 ⑤ Hello ‘serveur’, here is a TGS for you. It show that the KDC knows me as ‘Administrateur’ on the ‘chocolate’ domain for using your ‘cifs’ service. All that with all the benefits that the KDC me recognize me (groups, privileges, time…) You can check this ticket because you know the secret key of this ticket (it’s your secret), so you check session key of the request. rid username ntlm 1108serveur$ 77d4b1409b7e5b97263b0f0230f73041 Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur$ req-data Session key PLAYSKOOL
  • 20. mimikatz :: kerberos pass-the-ticket TGS theft – access to a service on a server for 10h (can vary) TGT theft – full identity of one user for 10h (can vary) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20 KDC Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur1$ Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 krbtgt Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur2$ Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur1$
  • 21. mimikatz :: kerberos overpass-the-hash eKey theft – full identity of one user for password lifetime on the domain 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21 KDC Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur1$ Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata Session key Start/End/MaxRenew cifs/serveur @ chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 serveur2$ username ntlm Administrateur cc36cf7a8514893efccd332446158b1a KDC ① AS-REQ I would like a ticket for ‘Administrateur’ on the domain ‘chocolate’ Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata SID : S-1-5-21-a-b-c User RID : 500 (Administrateur) Groups RID : 520,512,519,518,572 (Admins du domaine, entreprise, …) Dernier changmt. 04/02/2014 23:21:07 Expire Jamais Modifiable 05/02/2014 23:21:07 krbtgt Start/End/MaxRenew krbtgt / chocolate.local Administrateur @ chocolate.local Session key + metadata ② AS-REP Here is a TGT ticket for ‘Administrateur’ on the domain ‘chocolate’
  • 22. mimikatz :: kerberos overpass-the-hash wait? I can obtain a Kerberos ticket with a NTLM hash? Like in “pass-the-hash”? – Only a hash ? – Yeah, you can =) So what is that? – Preauth & first data are encrypted with user key, but what is that key ? – For RC4, the key is the NTLM hash! 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22 Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670 RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a * Kerberos Default Salt : CHOCOLATE.LOCALAdministrateur Credentials des_cbc_md5 : f8fd987fa7153185 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185
  • 23. mimikatz :: kerberos demo ! - sekurlsa::tickets 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23
  • 24. mimikatz :: kerberos Golden Ticket TGT are limited to 10 hours and can be renewed – configurable time TGT are nothing more than TGS for a service named ‘krbtgt’ for all KDC in a domain For that, they’re encrypted with a common key for each KDC. With RC4, the NTLM hash of the fictive account ‘krbtgt’ (or AES) I don’t really know why, but this key is “never” renewed (only when migrating to >= 2008 functional level domain) – However, using the passwords history (2) of this account, a full renew can be done in two moves. What could we do with a permanent key, which allow creating TGT ? 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24 Nom d’utilisateur krbtgt Commentaire Compte de service du centre de distribution de clés Compte : actif Non rid username type key 502 krbtgt rc4 310b643c5316c8c3c70a10cfb17e2e31 aes128 Da3128afc899a298b72d365bd753dbfb aes256 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42
  • 25. mimikatz :: kerberos Golden Ticket – TGT Create (extract) Client name : Administrateur Service name : krbtgt/chocolate.local Validity – Start Time 09/07/2014 10:25:00 – End Time 09/07/2024 10:25:00 … Authorization data Microsoft (PAC) – Username : Administrateur – Domain SID • S-1-5-21-130452501-2365100805-3685010670 – User ID • 500 Administrateur – Groups ID • 512 Admins du domaine • 519 Administrateurs de l’entreprise • 518 Administrateurs du schéma • … – … 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25 rid username ntlm 502krbtgt 310b643c5316c8c3c70a10cfb17e2e31
  • 26. mimikatz :: kerberos demo ! - kerberos::golden 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 26
  • 27. mimikatz :: sekurlsa What we can do ? Basics – No physical access to computer / servers • Volume/disk encryption – No admin rights! (even for VIP) – no Debug privilege! – Disable local admin accounts – Strong passwords (haha, it was a joke, so useless ) – For privileged account, network login instead of interactive (when possible) – Audit ; pass the hash keeps traces and can lock accounts – Use separated network (or forest) for privileged tasks More in depth – Force strong authentication (SmartCard & Token) : $ / € – Short validity for Kerberos tickets – No delegation – Disable LM & NTLM (force Kerberos) – No exotic biometric! – Let opportunities to stop retro compatibility To study – TPM on Windows 8.1 • Virtual SmartCard seems promising – Verify TPM CSP/KSP of specific provider (Lenovo, Dell, …) • Remember biometric? ;) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27 Use HSM / Kerberos Box for crypto operations
  • 28. mimikatz what else? Retrieve system/users secrets (like saved passwords) Export keys/certificates, even those that are not exportable (software CAPI & CNG) Stop event monitoring… Bypass Applocker / SRP Manipulate some Handles Patch Terminal Server Basic GPO bypass Driver – Play with Tokens & Privilèges – Display SSDT x86 & x64 – List MiniFilters – List Notifications (process/thread/image/registry) – List hooks et and procedures of Objects 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
  • 29. mimikatz That’s all Folks! Thanks’ to / Merci à : – RMLL / LSM & partners ; • Especially Christian for his invitation! – Microsoft to change some behaviors!  ; – Community for ideas (∞) ; – Folks, friends supporting me every day (oe.eo) ; – You, for your attention and your nice messages! Questions, remarks? Please! Don’t be shy! 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
  • 30. Blog, Source Code & Contact 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30 blog http://blog.gentilkiwi.com mimikatz http://blog.gentilkiwi.com/mimikatz source https://github.com/gentilkiwi/mimikatz contact @gentilkiwi / benjamin@gentilkiwi.com

Editor's Notes

  1. procdump / powershell / taskmgr…
  2. process::start "runas /noprofile /netonly /user:equipement@chocolate.local cmd" psexec -s -c \win81.chocolate.local c:securitymimikatzWin32mimikatz.exe sekurlsa::logonpasswords
  3. sekurlsa::tickets /exports