mimikatz @ phdays

mimikatz

Benjamin DELPY `gentilkiwi`focus on sekurlsa / pass-the-pass

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2

Who ? Why ?

Benjamin DELPY `gentilkiwi`– French– 26y– Kiwi addict– Lazy programmer

Started to code mimikatz to :– explain security concepts ;– improve my knowledge ;– prove to Microsoft that sometimes they must change old habits.

Why all in French ?– because I’m – It limits script kiddies usage.

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3

mimikatzworking

On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8– x86 & x64– partial support for 8 & Server 8 (few kernel driver bugs ;))– 2000 support dropped with mimikatz 1.0

Everywhere ; it’s statically compiled

Two modes– direct action (local commands) – process or driver communication

sekurlsa.dll

mimikatz.exe

KeyIso« Isolation de clé CNG »

LSASS.EXE

Direct action :crypto::patchcng

EventLog« Journal d’événements Windows »

SVCHOST.EXE

Direct action :divers::eventdrop

mimikatz.exe

SamSS«  Gestionnaire de comptes de sécurité »

LSASS.EXE

VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...

Open a pipeWrite a welcome messageWait commands… and return results

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4

mimikatzarchitecture

all in VC/C++ 2010 with some ASM…

mod_crypto

mod_pipe

mod_inject

mod_memory

mod_parseur

mod_patch

mod_hive

mod_secacl

mod_privilege

mod_process

mod_service

mod_system

mod_thread

mod_ts

mod_text

mod_mimikatz_nogpo

mod_mimikatz_crypto

mod_mimikatz_divers

mod_mimikatz_winmine

mod_mimikatz_impersonate

mod_mimikatz_inject

mod_mimikatz_samdump

mod_mimikatz_standard

mod_mimikatz_handle

mod_mimikatz_system

mod_mimikatz_service

mod_mimikatz_process

mod_mimikatz_thread

mod_mimikatz_terminalserver

mod_mimikatz_privilege

mimikatz.exe

KiwiCmd.exe

KiwiRegedit.exe

KiwiTaskmgr.exe

kappfree.dll

kelloworld.dll

klock.dll

sekurlsa.dll

sam

secrets

msv_1_0

wdigest

livessp

kerberos

tspkg

mimikatz.sys

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5

mimikatz :: sekurlsawhat is it ?

My favorite library !

A thread that waits, in LSASS, commands from mimikatz (or mubix meterpreter)

What sekurlsa can do from the inside ?– Dump system secrets– Dump SAM / DC base– Dump clear text passwords/hashesfrom interactive sessions

• MSV1_0 (dump/inject/delete)• TsPkg• WDigest• LiveSSP• Kerberos

Let’s start an injection & pass the hash !

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6

mimikatz :: sekurlsahistory of « pass-the-* » 1/2

Pass-the-hash– 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)– 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan

Ochoa (CoreSecurity)– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and

provide some downloads of it – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86

& x64 versions of Windows (yeah, by myself but in French; so not famous ;))

2007 was the year of pass the hash !

Pass-the-ticket– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket

support; Hernan Ochoa (Ampliasecurity)

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7

mimikatz :: sekurlsahistory of « pass-the-* » 2/2

Pass-the-pass– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but

limited to NT 6 and some XP SP3)• http://blog.gentilkiwi.com/securite/pass-the-pass

– 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;))

• http://blog.gentilkiwi.com/securite/re-pass-the-pass

– 05/2011 – Some organizations opened cases to Microsoft about it…

…Lots of time…

– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz– 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest

password extract…• http://seclists.org/pen-test/2012/Mar/7

– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory

• http://blog.gentilkiwi.com/securite/rere-pass-the-pass

– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8

mimikatz :: sekurlsalet’s take a moment…

You noticed ?It has been one year since Microsoft has been notified about passwords extraction from LSASSWithout any reaction…– But blacklisting mimikatz from MSE and FEP at 20120228 ;)

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9

mimikatz :: sekurlsa :: tspkg

because sometimes hash is not enough…

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10

mimikatz :: sekurlsa :: tspkgwhat is it ?

Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop users’s experience– http://technet.microsoft.com/library/cc772108.aspx

Rely on CredSSP with Credentials Delegation (!= Account delegation)– Specs :

http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression : it seems cool – User does not have to type its password– Password is not in RDP file– Password is not in user secrets

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11

mimikatz :: sekurlsa :: tspkgdemo time !

Explanations follow…

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12

mimikatz :: sekurlsa :: tspkgquestions ?

KB says that for it works, we must enable « Default credentials » delegation– “Default credentials : The credentials obtained when the user first logs on to

Windows” - https://msdn.microsoft.com/library/bb204773.aspx

• What ? Our User/Domain/{Password | Hash | Ticket} ? It seems …– In all cases, system seems to be vulnerable to pass-the-*…

In what form ?Our specs : [MS-CSSP]– 2.2.1.2.1 TSPasswordCreds

• The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)

TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING

}

– Challenge / response for authentication ?• Serveur : YES (TLS / Kerberos)• Client : NO ; *password* is sent to server…

So password resides somewhere in memory ?

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13

mimikatz :: sekurlsa :: tspkgsymbols & theory

Let’s explore some symbols !

– sounds cool… (thanks Microsoft)

Let’s imagine a scenario– Enumerate all sessions to obtain informations :

• Username• Domain• LUID

– Call tspkg!TSCredTableLocateDefaultCreds with LUID to obtain :• TS_CREDENTIAL

– Call tspkg!TSObtainClearCreds with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :• TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*75016d1c tspkg!TSObtainClearCreds = <no type information>kd> x tspkg!*password*75011b68 tspkg!TSDuplicatePassword = <no type information>75011cd4 tspkg!TSHidePassword = <no type information>750195ee tspkg!TSRevealPassword = <no type information>75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>kd> x tspkg!*locate*7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14

mimikatz :: sekurlsa :: tspkgtest & data

LsaEnumerateLogonSessions

for each LUID

password in clear ?

tspkg!TSCredTableLocateDe

faultCreds

tspkg!TSObtainClearCreds

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 15

mimikatz :: sekurlsa :: tspkgtest & structures

KIWI_TS_CREDENTIAL

tspkg!TSCredTableLocateDe

faultCreds

tspkg!TSObtainClearCreds

KIWI_TS_PRIMARY_CREDENTIAL

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {PVOID unk0;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Password;

} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {#ifdef _M_X64

BYTE unk0[0x88];#elif defined _M_IX86

BYTE unk0[0x50];#endif

PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

LsaEnumerateLogonSessions

for each LUID

KIWI_TS_PRIMARY_CREDENTIAL password

in clear ?

lazy way

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 16

mimikatz :: sekurlsa :: tspkgfirst result

It worked !

Since old Windows’s version I hadn’t seen my Windows password– I’ve been a little bit afraid

After many hesitations, I published a post and a stable tool update on my blog at 20110508– http://blog.gentilkiwi.com/securite/pass-the-pass

But some issues :– tspkg!TSCredTableLocateDefaultCreds & tspkg!TSObtainClearCreds are not

exported– tspkg!TSObtainClearCreds not always present…– Calling conventions can be a problem– Only NT6 and few XP SP3 (manual provider activation)

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 17

mimikatz :: sekurlsa :: tspkgfinal implementation

RtlLookupElementGenericTableAvl

LsaUnprotectMemory

KIWI_TS_CREDENTIAL

KIWI_TS_PRIMARY_CREDENTIAL

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {PVOID unk0;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Password;

} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {#ifdef _M_X64

BYTE unk0[0x88];#elif defined _M_IX86

BYTE unk0[0x50];#endif

PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

LsaEnumerateLogonSessions

for each LUID

password in clear !

KIWI_TS_CREDENTIAL_AVL_SEARCH

tspkg!TSGlobalCredTable

typedef struct _KIWI_TS_CREDENTIAL_AVL_SEARCH {#ifdef _M_X64

BYTE unk0[108];#elif defined _M_IX86

BYTE unk0[64];#endif

LUID LocallyUniqueIdentifier;#ifdef _M_X64

BYTE unk1[46];#elif defined _M_IX86

BYTE unk1[16];#endif} KIWI_TS_CREDENTIAL_AVL_SEARCH, *PKIWI_TS_CREDENTIAL_AVL_SEARCH;

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 18

mimikatz :: sekurlsa :: tspkgdemo time !

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 19

mimikatz :: sekurlsa :: tspkgfinal result

It works better ;)– No orphan referenced credentials– More logic approach (We will see that latter…)

We have just to find :– tspkg!TSGlobalCredTable– SeckPkgFunctionTable->LsaUnprotectMemory

• LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx

• LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Find this…We all have personal convictions to search unexported data :– Hardcoded addresses / offsets ( ) ;– Disassembly engine ;– Pattern matching ;– …

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 20

mimikatz :: sekurlsa :: wdigest

because clear text password over http/https is not cool

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 21

mimikatz :: sekurlsa :: wdigestwhat is it ?

“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]”Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

“Common Digest Authentication Scenarios :– Authenticated client access to a Web site– Authenticated client access using SASL– Authenticated client access with integrity protection to a directory service using

LDAP”Microsoft : http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool – No password over the network, just hashes– No reversible password in Active Directory ; hashes for each realm

• Only with Advanced Digest authentication

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 22

mimikatz :: sekurlsa :: wdigestwhat is it ?

We speak about hashes, but what hashes ?H = MD5(HA1:nonce:[…]:HA2)

• HA1 = MD5(username:realm:password)• HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon

WDigest provider must have elements to compute responses for different servers :– Username– Realm (from server)– Password

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 23

mimikatz :: sekurlsa :: wdigesttheory

This time, we know :– that WDigest keeps password in memory « by protocol » for HA1 digest– that LSASS love to unprotect password with LsaUnprotectMemory (so protect with

LsaProtectMemory)

LsaUnprotectMemory– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE– Let’s perform a research in WDigest :

– Hypothesis seems verified

LsaProtectMemory– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE– Let’s perform a research in WDigest :

– SpAcceptCredentials takes clear password in args• Protect it with LsaProtectMemory• Update or insert data in double linked list : wdigest!l_LogSessList

.text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h]

.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 24

mimikatz :: sekurlsa :: wdigesttest & data

LsaUnprotectMemory

LsaEnumerateLogonSessions

for each LUID

password in clear ?

wdigest!l_LogSessList

search linked list for LUID

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 25

mimikatz :: sekurlsa :: wdigestfinal implementation

LsaUnprotectMemory

LsaEnumerateLogonSessions

for each LUID

password in clear !

KIWI_WDIGEST_LIST_ENTRY

typedef struct _KIWI_WDIGEST_LIST_ENTRY {struct _KIWI_WDIGEST_LIST_ENTRY *Flink;struct _KIWI_WDIGEST_LIST_ENTRY *Blink;DWORD UsageCount;struct _KIWI_WDIGEST_LIST_ENTRY *This;LUID LocallyUniqueIdentifier;[…]LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;[…]

} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

wdigest!l_LogSessList

search linked list for LUID

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 26

mimikatz :: sekurlsa :: wdigestdemo time !

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 27

mimikatz :: sekurlsa :: wdigestresult

It works again !

This time we just have to find :– wdigest!l_LogSessList– SeckPkgFunctionTable->LsaUnprotectMemory

• LSA_SECPKG_FUNCTION_TABLE : http://msdn.microsoft.com/library/windows/desktop/aa378510.aspx

• LsaUnprotectMemory : http://msdn.microsoft.com/library/windows/desktop/ff714510.aspx

Seems generalizable ?

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 28

mimikatz :: sekurlsaand now what ?

In fact, with TsPkg and WDigest, passwords can be retrieved from any version of Windows ...

– WDigest• XP, 2003• Vista / Seven / 2008 / 2008r2• 8

But not with a Live account

– TsPkg• XP SP3 (manual install)• Vista / Seven / 2008 / 2008r2• 8

Even with a Live account

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 29

mimikatz :: sekurlsaand now what ?

wce had not copied my TsPkg functionalitiesOnly WDigest, so they missed 8 Live accounts…

– Kiwi WDigest patterns (last public release)

– wce patterns

Between ~17 occurrences of wdigest!l_LogSessList, maybe a coincidence…

for lack of TsPkg, they can be inspired by next releases ?

#ifdef _M_X64 BYTE ptrInsertInLogSess[] = {0x4C, 0x89, 0x1B, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5B, 0x08, 0x48, 0x8D};#elif defined _M_IX86 BYTE ptrInsertInLogSess[] = {0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04};#endif

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 30

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 31

mimikatz :: sekurlsa :: livessphow ?

Actually I’ve only used logical (empirical) approach to search passwords… :– Protocol reading– Symbols searching

~ Boring ~… be more brutal this time : make a WinDBG trap !0: kd> !process 0 0 lsass.exePROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4 DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible> Image: lsass.exe

0: kd> .process /i 83569040You need to continue execution (press 'g' <enter>) for the contextto be switched. When the debugger breaks in again, you will be inthe new process context.0: kd> gBreak instruction exception - code 80000003 (first chance)nt!RtlpBreakWithStatusInstruction:814b39d0 cc int 30: kd> .reload /userLoading User Symbols............................................................0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"0: kd> g

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 32

mimikatz :: sekurlsa :: livessphow ?

Let’s login with a Live account on Windows 8 !

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

lsasrv!LsaProtectMemorylivessp!LiveMakeSupplementalCredlivessp!LiveMakeSecPkgCredentialslivessp!LsaApLogonUserEx2livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemorymsv1_0!NlpAddPrimaryCredentialmsv1_0!SspAcceptCredentialsmsv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemorytspkg!TSHidePasswordtspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2livessp!LsaApLogonUserEx2 (74781536)[...] livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider

Yeah, Pass the Hash capability with Live account too…

Live user can logon through RDP via SSO

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 33

mimikatz :: sekurlsa :: livesspfinal implementation

LsaUnprotectMemory

LsaEnumerateLogonSessions

for each LUID

password in clear !

typedef struct _KIWI_LIVESSP_LIST_ENTRY {struct _KIWI_LIVESSP_LIST_ENTRY *Flink;struct _KIWI_LIVESSP_LIST_ENTRY *Blink;PVOID unk0;PVOID unk1;PVOID unk2;PVOID unk3;DWORD unk4;DWORD unk5;PVOID unk6;LUID LocallyUniqueIdentifier;LSA_UNICODE_STRING UserName;PVOID unk7;PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;

} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

livessp!LiveGlobalLogonSessionList

search linked list for LUID

KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {

DWORD isSupp;DWORD unk0;LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;

} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 34

mimikatz :: sekurlsa :: livesspdemo time !

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 35

mimikatz :: sekurlsait was a cool trap no ?

Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*

* Me, yes

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 36

mimikatz :: sekurlsa :: kerberos

Let’s login normal account

After credentials protection, KerbCreateLogonSession calls :– NT6 ; KerbInsertOrLocateLogonSession to insert data in

KerbGlobalLogonSessionTable

– NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList

lsasrv!LsaProtectMemorykerberos!KerbHideKeykerberos!KerbCreatePrimaryCredentialskerberos!KerbCreateLogonSessionkerberos!SpAcceptCredentials

lsasrv!LsaProtectMemorykerberos!KerbHidePasswordkerberos!KerbCreateLogonSessionkerberos!SpAcceptCredentials

lsasrv!LsaProtectMemorymsv1_0!NlpAddPrimaryCredentialmsv1_0!SspAcceptCredentialsmsv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemorywdigest!SpAcceptCredentials

lsasrv!LsaProtectMemorytspkg!TSHidePasswordtspkg!SpAcceptCredentials

Kerberos part for password ??????

Kerberos, ticket part ? Maybe ;)

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 37

mimikatz :: sekurlsa :: kerberos (nt 6)final implementation

RtlLookupElementGenericTableAvl

LsaUnprotectMemory

KIWI_KERBEROS_PRIMARY_CREDEN

TIAL

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {

DWORD unk0;PVOID unk1;PVOID unk2;

#ifdef _M_X64BYTE unk3[96];

#elif defined _M_IX86BYTE unk3[68];

#endifLSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;

} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

LsaEnumerateLogonSessions

for each LUID

password in clear !

KIWI_KERBEROS_LOGON_AVL_SEARCH

Kerberos!KerbGlobalLogonSessionTable

typedef struct _KIWI_KERBEROS_LOGON_AVL_SEARCH {#ifdef _M_X64

BYTE unk0[64];#elif defined _M_IX86

BYTE unk0[36];#endif

LUID LocallyUniqueIdentifier;} KIWI_KERBEROS_LOGON_AVL_SEARCH, *PKIWI_KERBEROS_LOGON_AVL_SEARCH;

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 38

mimikatz :: sekurlsa :: kerberos (nt 5)final implementation

LsaUnprotectMemory

LsaEnumerateLogonSessions

for each LUID

password in clear !

typedef struct _KIWI_KERBEROS_LOGON_SESSION {struct _KIWI_KERBEROS_LOGON_SESSION *Flink;struct _KIWI_KERBEROS_LOGON_SESSION *Blink; DWORD UsageCount;PVOID unk0;PVOID unk1;PVOID unk2;DWORD unk3;DWORD unk4;PVOID unk5;PVOID unk6;PVOID unk7;LUID LocallyUniqueIdentifier;

#ifdef _M_IX86DWORD unk8;

#endifDWORD unk9;DWORD unk10;PVOID unk11;DWORD unk12;DWORD unk13;PVOID unk14;PVOID unk15;PVOID unk16;[…]LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;

} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

kerberos!KerbLogonSessionList

search linked list for LUID

KIWI_LIVESSP_PRIMARY_CREDENTIAL

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 39

mimikatz :: sekurlsa :: kerberosdemo time !

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 40

mimikatz :: sekurlsa :: kerberos« hu ? »

Ok It works…*But why ?

*Not at all logon on NT5*Can need an unlock…

From my understanding of Microsoft explanations, no need of passwords for the Kerberos protocol… all is based on the hash (not very sexy too)

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 41

mimikatz :: sekurlsa :: kerberosBONUS « hu ? »

Microsoft’s implementation of Kerberos is full of logical…

For password auth :– password hash for shared secret, but keeping password in

memory

For full smartcard auth :– No password on client– No hash on client ?

• NTLM hash on client…• KDC sent it back as a gift

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 42

mimikatz :: sekurlsawhy this is dangerous ?

Not a bugNot a weaknessNot a vulnerabilityNot a 0-day– (for now, there may be too)

It’s “normal” that LSASS keeps passwords in memory for passwords based providers when protocols need them– And hashes for msv1_0…All of these rely on shared secrets…

So you can’t prevent Windows internal behaviors… (in a supported way)One change from Microsoft on protocols can impact all versions

I don’t count on a fix or others things in the next [5;10] years…

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 43

mimikatz :: sekurlsawhat we can do ?

Basics– No physical access to computer (first step to pass the hash)– No admin rights / system rights / debug privileges (…)– Disable local admin accounts– Strong passwords (haha, it was a joke)– Network login instead of interactive (when possible)– Audit ; pass the hash keeps traces and can lock accounts– No admin rights / system rights / debug privileges, even VIP

More in depth– Force strong authentication (SmartCard & Token) : $ / €– Short validity for Kerberos tickets– No delegation– Disable NTLM (available with NT6)– No exotic :

• biometrics (it keeps password somewhere and push it to Windows)• single sign on

– Stop shared secrets for authentication : push Public / Private stuff (like keys ;))– Let opportunities to stop retrocompatibility– Disable faulty providers ?

• Is it supported by Microsoft ?• Even if, you will disable Kerberos and msv1_0 ?

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 44

mimikatz :: sekurlsaCode it ! Implement it in Meta ! Discover !

Pass the hash :

Get passwords :

Package Symbols Description

msv1_0 SeckPkgFunctionTable->GetCredentialsSeckPkgFunctionTable->LsaUnprotectMemory

Get clear LM & NTLM hashes from LUID

msv1_0 SeckPkgFunctionTable->LsaProtectMemorySeckPkgFunctionTable->AddCredential

Push clear LM & NTLM hashes to LUID

msv1_0 SeckPkgFunctionTable->DeleteCredential Delete hashes from LUID

Package Symbols Type

tspkg tspkg!TSGlobalCredTableSeckPkgFunctionTable->LsaUnprotectMemory

RTL_AVL_TABLE

wdigest wdigest!l_LogSessListSeckPkgFunctionTable->LsaUnprotectMemory

LIST_ENTRY

livessp livessp!LiveGlobalLogonSessionListSeckPkgFunctionTable->LsaUnprotectMemory

LIST_ENTRY

kerberos (nt5)

kerberos!KerbLogonSessionListSeckPkgFunctionTable->LsaUnprotectMemory

LIST_ENTRY

kerberos (nt6)

Kerberos!KerbGlobalLogonSessionTableSeckPkgFunctionTable->LsaUnprotectMemory

RTL_AVL_TABLE

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 45

mimikatz :: sekurlsalittle help to start !

Package Datas Little help

* @getLogonPasswords Use « full » keyword in argument of functions

msv1_0 @getMSVmsv1_0 : * Utilisateur : termuser * Domaine : DEMO * Hash LM : d0e9aee149655a6075e4540af1f22d3b * Hash NTLM : cc36cf7a8514893efccd332446158b1a

@getMSVFunctions** lsasrv.dll ** ; Statut recherche : OK :) – 3@GetCredentials = 000007F9C1C62938@AddCredential = 000007F9C1C71010@DeleteCredential = 000007F9C1C61F58@LsaUnprotectMemory = 000007F9C1C59960@LsaProtectMemory = 000007F9C1C628A4

tspkg @getTsPkgtspkg : * Utilisateur : termuser * Domaine : DEMO * Mot de passe : waza1234/

@getTsPkgFunctions** tspkg.dll/lsasrv.dll ** ; Statut recherche : OK :)@TSGlobalCredTable = 000007F9C1557B20@LsaUnprotectMemory = 000007F9C1C59960

wdigest @getWDigestwdigest : * Utilisateur : termuser * Domaine : DEMO * Mot de passe : waza1234/

@getWDigestFunctions** wdigest.dll/lsasrv.dll ** ; Statut recherche : OK :)@l_LogSessList = 000007F9C15E12B0@LsaUnprotectMemory = 000007F9C1C59960

livessp @getLiveSSPlivessp : * Utilisateur : sekurlsa@live.fr * Domaine : ps:password * Mot de passe : waza1234/

@getLiveSSPFunctions** livessp.dll/lsasrv.dll ** ; Statut recherche : OK :)@LiveGlobalLogonSessionList = 000007F9C14E8C68@LsaUnprotectMemory = 000007F9C1C59960

kerberos @getKerberoskerberos : * Utilisateur : termuser * Domaine : DEMO.LOCAL * Mot de passe : waza1234/

@getKerberosFunctions** kerberos.dll/lsasrv.dll ** ; Statut recherche : OK :)@KerbGlobalLogonSessionTable = 000007F9C1955AE0@KerbLogonSessionList = 0000000000000000@LsaUnprotectMemory = 000007F9C1C59960

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 46

mimikatz :: sekurlsasome ideas

Meterpreter post moduleStandalone binary without injectionyeah, it’s easy !– read all data (sessions, encrypted passwords)– read all keys and implement your own (un)protectMemory routine !– decrypt / crypt

Extract all of this from memory dump / hyberfile !etc…

Make demonstrations to your chief information security officerAsk Microsoft to work on better implementation– Maybe offer possibilities to disable or not some functionalities– Think globally about data really needed for authentication

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 47

mimikatz :: sekurlsasome ideas

Meterpreter post moduleStandalone binary without injectionyeah, it’s easy !– read all data (sessions, encrypted passwords)– read all keys and implement your own (un)protectMemory routine !– decrypt / crypt

Extract all of this from memory dump / hyberfile !etc…

Make demonstrations to your chief information security officerAsk Microsoft to work on better implementation– Maybe offer possibilities to disable or not some functionalities– Think globally about data really needed for authentication

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 48

mimikatzwhat else ?

Crypto– Export non-exportable certificates and keys

• CryptoAPI• CNG…

Stop event monitoringBasic GPO bypassApplocker / SRP bypassDriver– Play with tokens & privileges– Display SSDT x86 & x64– List minifilters actions– List Notifications (process / thread / image / registry)– List Objects hooks and procedures– …

…

mod_crypto

mod_mimikatz_divers

mod_mimikatz_crypto

kappfree.dll

mimikatz.sys

mod_mimikatz_nogpo

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 49

mimikatzthat’s all folks !

Thanks’ to / Спасибо :

– my girlfriend for her support (her LSASS crashed few times)– Positive Technologies to offer me this great opportunity– Microsoft to consider it as normal/acceptable – Security friends/community for their ideas & challenges– You, for your attention !

Questions ?

Don’t be shy ;)especially if you have written the corresponding slide number

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 50

mimikatzsource code

Not now available

– I’m not proud of mixing C/C++ and STL in LSASS– Script kiddies will use it without understanding

But a little part of it for “pass the pass” available– So download it on mimikatz download page

• http://blog.gentilkiwi.com/mimikatz

09/04/2023 Benjamin DELPY `gentilkiwi` @ PHDays 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 51

Blog & Contact

blog/mimikatz : http://blog.gentilkiwi.com/mimikatzemail : benjamin@gentilkiwi.comTwitter : @gentilkiwi