Mimikatz Phdays
Who ? Why ?
Benjamin DELPY `gentilkiwi`
French
26y
Kiwi addict
Lazy programmer
benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz
working
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
x86 & x64
partial support for 8 & Server 8 (few kernel driver bugs ;))
2000 support dropped with mimikatz 1.0
8/21/2014
[Diagram: mimikatz.exe acting on three Windows services]

KeyIso (CNG Key Isolation), hosted in LSASS.EXE
  Direct action : crypto::patchcng

EventLog (Windows Event Log), hosted in SVCHOST.EXE
  Direct action : divers::eventdrop

SamSS (Security Accounts Manager), hosted in LSASS.EXE
  Injection : VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...
  sekurlsa.dll, once inside LSASS :
    Opens a pipe
    Writes a welcome message
    Waits for commands and returns results

Benjamin DELPY `gentilkiwi` @ PHDays 2012
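The injection path above (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread into LSASS.EXE) is what a defender can watch for: each of those calls needs a handle to lsass.exe carrying a specific process access right, and Sysmon Event ID 10 (ProcessAccess) records the GrantedAccess mask of every such handle open. The triage below is an added example, not code from the talk or from mimikatz; the event lines are constructed in a simplified key=value rendering of that event rather than real Sysmon output.

```python
"""Triage LSASS handle opens recorded by Sysmon Event ID 10 (ProcessAccess).

Added example, not code from this talk or from mimikatz. The sample events
are constructed, in a simplified key=value rendering, not real Sysmon output.
"""
import re
from typing import Optional

# Process access rights, values from <winnt.h>.
PROCESS_CREATE_THREAD = 0x0002   # needed by CreateRemoteThread
PROCESS_VM_OPERATION  = 0x0008   # needed by VirtualAllocEx
PROCESS_VM_READ       = 0x0010   # needed by ReadProcessMemory (memory dumps)
PROCESS_VM_WRITE      = 0x0020   # needed by WriteProcessMemory

INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (not real logs). The first is a low-privilege
# query of the kind ordinary services perform; the others exercise the
# injection-capable and memory-read cases, plus unrelated noise.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\demo\\mimikatz.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Tools\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x43A",
    "EventID=10 SourceImage=C:\\Tools\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Tools\\backup.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict."""
    return dict(_FIELD.findall(line))


def classify(event: dict) -> Optional[str]:
    """Severity of an LSASS handle open, or None when the event is unrelated."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(event.get("GrantedAccess", "0"), 16)
    if mask & INJECT_RIGHTS == INJECT_RIGHTS:
        return "high"      # allocate + write + start thread: injection-capable
    if mask & PROCESS_VM_READ:
        return "medium"    # can read LSASS memory (credential extraction offline)
    return "low"           # e.g. PROCESS_QUERY_LIMITED_INFORMATION only


def scan(lines) -> list:
    """Return (severity, source image) for every LSASS open rated medium or high."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity in ("high", "medium"):
            hits.append((severity, event["SourceImage"]))
    return hits


if __name__ == "__main__":
    for severity, source in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {source}")
```

The rule keys on the rights actually granted rather than on the requesting image name, so a renamed binary still scores "high" when it obtains the three rights that remote-thread injection requires; the "medium" tier catches read-only dumps, which the talk's approach does not need but which reach the same secrets.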
mimikatz
architecture
all in VC/C++ 2010 with some ASM

[Diagram: mimikatz.exe and its modules]

mimikatz.exe
  mimikatz modules (mod_mimikatz_*) :
    mod_mimikatz_standard
    mod_mimikatz_winmine
    mod_mimikatz_divers
    mod_mimikatz_nogpo
    mod_mimikatz_impersonate
    mod_mimikatz_inject
    mod_mimikatz_samdump
    mod_mimikatz_crypto
    mod_mimikatz_handle
    mod_mimikatz_privilege
    mod_mimikatz_system
    mod_mimikatz_service
    mod_mimikatz_process
    mod_mimikatz_thread
    mod_mimikatz_terminalserver
  shared modules (mod_*) :
    mod_parseur
    mod_text
    mod_memory
    mod_secacl
    mod_pipe
    mod_inject
    mod_hive
    mod_crypto
    mod_patch
    mod_privilege
    mod_system
    mod_service
    mod_process
    mod_thread
    mod_ts

Other binaries : mimikatz.sys, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, kappfree.dll, kelloworld.dll, klock.dll

sekurlsa.dll (injected into LSASS) : sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg
mimikatz :: sekurlsa
what is it ?
My favorite library !
A thread that waits, inside LSASS, for commands from mimikatz (or mubix's meterpreter)
What can sekurlsa do from the inside ?
  Dump system secrets
  Dump SAM / DC base
  Dump clear text passwords/hashes from interactive sessions :
    MSV1_0 (dump/inject/delete)
    TsPkg
    WDigest
    LiveSSP
    Kerberos
mimikatz :: sekurlsa
history of pass-the-* 1/2
Pass-the-hash
  1997 - Unix modified SAMBA client for hash usage ; Paul Ashton (EIGEN)
  2000 - Private version of a Windows LSA Logon Session Editor ; Hernan Ochoa (CoreSecurity)
  2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl and provides some downloads of it
  2007 - Pass the hash toolkit published ; Hernan Ochoa (CoreSecurity)
  2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))
Pass-the-ticket
  04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa
history of pass-the-* 2/2
Pass-the-pass
  05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
    http://blog.gentilkiwi.com/securite/pass-the-pass
  05/2011 - return of mimikatz ; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
    http://blog.gentilkiwi.com/securite/re-pass-the-pass
  03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
    http://blog.gentilkiwi.com/securite/rere-pass-the-pass
  03/2012 - yeah, once again, more curious but Kerberos keeps passwords in memory
    http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
mimikatz :: sekurlsa
let's take a moment
You noticed ?
It has been one year since Microsoft was notified about password extraction from LSASS
Without any reaction
But mimikatz has been blacklisted by MSE and FEP since 20120228 ;)
Explanations follow
credentials delegation
In what form ?
Our spec : [MS-CSSP]
2.2.1.2.1 TSPasswordCreds
The TSPasswordCreds structure contains the user's password credentials (or PIN) that are delegated to the server.
TSPasswordCreds ::= SEQUENCE {
    domainName [0] OCTET STRING,
    userName   [1] OCTET STRING,
    password   [2] OCTET STRING
}
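The TSPasswordCreds structure above, worked through as an added example (not code from the talk or from mimikatz): a minimal DER encoder used only to construct a sample blob, and a strict decoder for it. It assumes the three OCTET STRINGs carry UTF-16LE text, which is how RDP clients fill them; the domain, user and password values are constructed demo data. Seeing the three fields laid out is the defender's view of why tspkg must keep the password recoverable: this is the plaintext the provider has to be able to produce for delegation.

```python
"""Encode and decode [MS-CSSP] TSPasswordCreds (section 2.2.1.2.1).

Added example, not code from the talk or from mimikatz. The ASN.1 is

    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }

DER-encoded, with (by assumption here) UTF-16LE text inside each OCTET
STRING. The encoder exists only to construct sample input; the decoder is
deliberately strict about tags and lengths.
"""

FIELD_NAMES = ("domainName", "userName", "password")


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf: bytes, pos: int):
    """Return (length, position just after the length octets)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build a TSPasswordCreds blob; each field is [i] EXPLICIT OCTET STRING."""
    fields = []
    for idx, text in enumerate((domain, user, password)):
        octet_string = _tlv(0x04, text.encode("utf-16-le"))   # OCTET STRING
        fields.append(_tlv(0xA0 | idx, octet_string))         # [idx] constructed
    return _tlv(0x30, b"".join(fields))                       # SEQUENCE


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse a TSPasswordCreds blob into {domainName, userName, password}."""
    if not blob or blob[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _read_length(blob, 1)
    end = pos + seq_len
    if end != len(blob):
        raise ValueError("SEQUENCE length does not match blob size")
    result = {}
    for idx, name in enumerate(FIELD_NAMES):        # fields must appear in order
        if pos >= end or blob[pos] != (0xA0 | idx):
            raise ValueError(f"expected [{idx}] {name}")
        ctx_len, pos = _read_length(blob, pos + 1)
        ctx_end = pos + ctx_len
        if ctx_end > end or pos >= ctx_end or blob[pos] != 0x04:
            raise ValueError(f"expected OCTET STRING inside [{idx}]")
        str_len, pos = _read_length(blob, pos + 1)
        if pos + str_len != ctx_end:
            raise ValueError(f"inner length mismatch in [{idx}]")
        result[name] = blob[pos:ctx_end].decode("utf-16-le")
        pos = ctx_end
    if pos != end:
        raise ValueError("trailing data inside SEQUENCE")
    return result


# Constructed sample (demo values, not captured traffic).
SAMPLE_BLOB = encode_ts_password_creds("DEMO", "termuser", "waza1234/")

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex())
    print(decode_ts_password_creds(SAMPLE_BLOB))
```

The decoder refuses out-of-order or duplicated context tags and any length that does not add up, so a truncated or padded blob is reported rather than silently yielding a partial credential; the long-form length path is exercised once a field exceeds 127 bytes, which a 64-character UTF-16 password already does.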
TS_CREDENTIAL
[Diagram] tspkg!TSCredTableLocateDefaultCreds, tspkg!TSObtainClearCreds -> password in clear ?
lazy way
[Diagram: the two tspkg functions and the structures they handle]
tspkg!TSCredTableLocateDefaultCreds -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL
tspkg!TSObtainClearCreds -> KIWI_TS_PRIMARY_CREDENTIAL
password in clear ?
It worked !
tspkg!TSCredTableLocateDefaultCreds
[Diagram: walking the tspkg credential table]
KIWI_TS_CREDENTIAL_AVL_SEARCH -> tspkg!TSGlobalCredTable -> RtlLookupElementGenericTableAvl
  -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !
Find this
We all have our own preferred ways of locating unexported data :
LsaUnprotectMemory
  At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
  Let's search for it in WDigest :
    .text:7409D151 _DigestCalcHA1@8 call

LsaProtectMemory
  At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
  Let's search for it in WDigest :
    .text:74096C69 _SpAcceptCredentials@16 call
[Diagram] wdigest!l_LogSessList -> LsaUnprotectMemory -> password in clear ?
[Diagram] wdigest!l_LogSessList -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear !
It works again !
This time we just have to find :
wdigest!l_LogSessList
SeckPkgFunctionTable->LsaUnprotectMemory
LSA_SECPKG_FUNCTION_TABLE :
http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
LsaUnprotectMemory :
http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx
Seems generalizable ?
mimikatz :: sekurlsa
and now what ?
TsPkg :
  XP SP3 (manual install)
  Vista / Seven / 2008 / 2008r2
  8, even with a Live account
mimikatz :: sekurlsa
and now what ?
wce patterns
[Call trees leading to lsasrv!LsaProtectMemory]

lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
      msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
    tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
livessp!LsaApLogonUserEx2+0x560 (74781a96):
call to livessp!LiveCreateLogonSession (74784867)
[Diagram: LiveSSP]
LsaEnumerateLogonSessions -> livessp!LiveGlobalLogonSessionList -> KIWI_LIVESSP_LIST_ENTRY
  -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !
mimikatz :: sekurlsa
it was a cool trap no ?
* Me, yes
[Call trees leading to lsasrv!LsaProtectMemory, per provider]

lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
      kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
      msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
[Diagram: Kerberos (NT6)]
LsaEnumerateLogonSessions -> Kerberos!KerbGlobalLogonSessionTable
  (searched with KIWI_KERBEROS_LOGON_AVL_SEARCH via RtlLookupElementGenericTableAvl)
  -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
#ifdef _M_X64
    BYTE unk3[96];
#elif defined _M_IX86
    BYTE unk3[68];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
[Diagram: Kerberos (NT5)]
LsaEnumerateLogonSessions -> kerberos!KerbLogonSessionList -> KIWI_LIVESSP_PRIMARY_CREDENTIAL
  -> LsaUnprotectMemory -> password in clear !
OK, it works*
But why ?
*Not for every logon on NT5
*May need an unlock
mimikatz :: sekurlsa
why is this dangerous ?
Not a bug
Not a weakness
Not a vulnerability
Not a 0-day
(for now, there may be some too)
It's normal that LSASS keeps passwords in memory for password-based providers when their protocols need them
And hashes for msv1_0
All of these rely on shared secrets
mimikatz :: sekurlsa
what can we do ?
Basics
More in depth
  Stop using shared secrets for authentication : push public / private key material (like keys ;))
  Leave opportunities to drop backward compatibility
  Disable faulty providers ?
    Is it supported by Microsoft ?
    Even if it is, will you disable Kerberos and msv1_0 ?
mimikatz :: sekurlsa
Code it ! Implement it in Meta ! Discover !

msv1_0 symbols :
  Package   Symbols
  msv1_0    SeckPkgFunctionTable->GetCredentials
            SeckPkgFunctionTable->LsaUnprotectMemory
  msv1_0    SeckPkgFunctionTable->LsaProtectMemory
            SeckPkgFunctionTable->AddCredential
  msv1_0    SeckPkgFunctionTable->DeleteCredential

Get passwords :
  Package          Symbols                                     Type
  tspkg            tspkg!TSGlobalCredTable                     RTL_AVL_TABLE
                   SeckPkgFunctionTable->LsaUnprotectMemory
  wdigest          wdigest!l_LogSessList                       LIST_ENTRY
                   SeckPkgFunctionTable->LsaUnprotectMemory
  livessp          livessp!LiveGlobalLogonSessionList          LIST_ENTRY
                   SeckPkgFunctionTable->LsaUnprotectMemory
  kerberos (nt5)   kerberos!KerbLogonSessionList               LIST_ENTRY
                   SeckPkgFunctionTable->LsaUnprotectMemory
  kerberos (nt6)   Kerberos!KerbGlobalLogonSessionTable        RTL_AVL_TABLE
                   SeckPkgFunctionTable->LsaUnprotectMemory
mimikatz :: sekurlsa
little help to start !

Little help : @getLogonPasswords

Package : msv1_0    Little help : @getMSV, @getMSVFunctions
  msv1_0 :
  * Utilisateur : termuser
  * Domaine     : DEMO
  * Hash LM     : d0e9aee149655a6075e4540af1f22d3b
  * Hash NTLM   : cc36cf7a8514893efccd332446158b1a

Package : tspkg     Little help : @getTsPkg, @getTsPkgFunctions
  tspkg :
  * Utilisateur  : termuser
  * Domaine      : DEMO
  * Mot de passe : waza1234/

Package : wdigest   Little help : @getWDigest, @getWDigestFunctions
  wdigest :
  * Utilisateur  : termuser
  * Domaine      : DEMO
  * Mot de passe : waza1234/

Package : livessp   Little help : @getLiveSSP, @getLiveSSPFunctions
  livessp :
  * Utilisateur  : sekurlsa@live.fr
  * Domaine      : ps:password
  * Mot de passe : waza1234/

Package : kerberos  Little help : @getKerberos, @getKerberosFunctions
  kerberos :
  * Utilisateur  : termuser
  * Domaine      : DEMO.LOCAL
  * Mot de passe : waza1234/
mimikatz :: sekurlsa
some ideas
mimikatz
what else ?
Crypto
mod_mimikatz_crypto
mod_crypto
mod_mimikatz_divers
mod_mimikatz_nogpo
kappfree.dll
mimikatz.sys
mimikatz
that's all folks !
Thanks to :
Questions ?
Don't be shy ;)
especially if you have noted down the corresponding slide number
mimikatz
source code
blog/mimikatz : http://blog.gentilkiwi.com/mimikatz
email : benjamin@gentilkiwi.com
Twitter : @gentilkiwi