Mimikatz Extravaganza 2.0

Transcript: Mimikatz Extravaganza 2.0

Mimikatz Extravaganza 2.0
Erik Loef, MSc
CTO PROXSYS
Certified Ethical Hacker
@erikloef
The next hour
• Theory
• Demo
• PowerShell
• Demo
• Mitigations?
• Demo
• Windows 10
• Demo
Mimikatz
* Dump credentials from LSASS
* Generate Kerberos Golden Tickets
* Generate Kerberos Silver Tickets
* Export certificates and keys
* Dump cached credentials
* Stop event monitoring
* Bypass Microsoft AppLocker / Software Restriction Policies
* Patch Terminal Server
* Basic GPO bypass
* Alter cached credentials
THEORY

LSASS
[Diagram: the Local Security Authority (LSASS) with its NTLM, Digest and Kerberos packages and the material each keeps in memory: NTOWF hash C9DF4E56A2D1…, Password P@ssw0rd, Ticket-Granting Ticket and Service Tickets.]
Single Sign-On (NTLM)
[Diagram: Erik's Laptop and the File Server, each holding "Erik's User Session" (User: Erik, Password hash: C9DF4E…); Erik's password P@ssw0rd enters at step 1. The four numbered steps are listed below.]
1. Erik enters username and password
2. PC creates Erik's user session
3. PC proves knowledge of Erik's hash to Server
4. Server creates a session for Erik
Single Sign-On Architecture
[Diagram: the same LSASS view (NTLM, Digest, Kerberos; NTOWF C9DF4E56A2D1…, Password P@ssw0rd, Ticket-Granting Ticket, Service Tickets) on the client, the domain controller DC01 at 192.168.100.10, and the copy of Erik's credential (User: Erik, Hash: C9DF4E…) left on each machine, labelled the "credential footprint".]
Pass-the-Hash technique
[Diagram: Fred's laptop (Fred's User Session: User: Fred, Password hash: A3D7…), Erik's laptop (Erik's User Session: User: Erik, hash C9DF…, plus a Malware User Session as User: Fred, hash A3D7) and the File Server (Erik's User Session plus a Malware User Session holding both User: Fred, hash A3D7 and User: Erik, hash C9DF); steps 1 to 3 below.]
1. Fred runs malware
2. Malware infects Erik's laptop as Fred
3. Malware infects File Server as Erik
DEMO!
- Pass the hash
- MS14-068
- Golden Ticket
- Skeleton Key
DEMO SCENARIO
[Diagram: DC01 (DOMAIN CONTROLLER), PC01, users fred and erik, LOCAL ADMIN.]
DEMO!
- PowerShell
- Antivirus ...?

PowerShell examples
- Invoke-Modikatz.ps1
- Invoke-Mimikatz.ps1
- Invoke-DCsync.ps1
- Invoke-MassMimikatz.ps1
DEMO!

Mitigations ...?
- LSASS protected process
- Plain text passwords?

DEMO!
MICROSOFT ADVANCED THREAT ANALYTICS
DEMO SCENARIO
[Diagram: DC01 (DOMAIN CONTROLLER), PC01 with users fred and erik (LOCAL ADMIN), and APP1 (TWO NICS) running the MS ATA CONSOLE and ATA GATEWAY.]
#Windows 10
CREDENTIAL GUARD
DEMO Windows 10
Realistic?
• Windows 10 ENTERPRISE
• UEFI version 2.3.1
• Virtualization extensions
• SecureBoot
• TPM 1.2 or 2.0
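A PowerShell audit of the mitigations the deck raises (LSASS as a protected process and plaintext passwords on the "Mitigations ...?" slide, Credential Guard and its prerequisites on this one), added here as an example and not part of the talk. It relies on Microsoft's documented registry values and the Win32_DeviceGuard WMI class; the PASS/FAIL labels and the treatment of an absent WDigest value as "disabled" are my own assumptions.

```powershell
# Added defender-side audit script (not from the talk): report the state of the
# Mimikatz mitigations the deck discusses on the local Windows host.
# Run from an elevated PowerShell prompt; exit code 0 means every check passed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: treated as "not configured"
}

$results = [ordered]@{}

# 1. LSASS as a protected process: RunAsPPL = 1 keeps ordinary (non-protected)
#    processes from opening LSASS memory for credential dumping.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$results['LSASS RunAsPPL'] = ($ppl -eq 1)

# 2. WDigest plaintext caching: UseLogonCredential = 0 stops LSASS keeping the
#    clear-text password (the "Password: P@ssw0rd" in the LSASS diagram).
#    On Windows 8.1 / Server 2012 R2 and later an absent value defaults to 0,
#    so $null is treated as a pass here (assumption).
$wdPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wd = Get-RegValue $wdPath 'UseLogonCredential'
$results['WDigest plaintext disabled'] = ($null -eq $wd -or $wd -eq 0)

# 3. Credential Guard: in Win32_DeviceGuard, VirtualizationBasedSecurityStatus 2
#    means VBS is running; SecurityServicesRunning contains 1 for Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results['VBS running'] = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
$results['Credential Guard running'] = [bool]($dg -and $dg.SecurityServicesRunning -contains 1)

# 4. Prerequisites from the "Realistic?" slide: UEFI Secure Boot and a TPM.
#    Confirm-SecureBootUEFI throws on legacy-BIOS machines, which counts as a fail.
try { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$results['TPM present and ready'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0,-28} {1}' -f $entry.Key, $state
}
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

A FAIL on the last three rows on a given machine is the practical answer to the "Realistic?" question for that hardware.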
#RECAP
RECAP
• NTLM & KERBEROS basics
• Mimikatz is a proof of concept
• PowerShell is powerful!
• Windows 10 ...? Not for everyone
• LAPS
• MS ATA
#QUESTIONS?
@erikloef
Our Sponsors