Sense of Security Pty Ltd, Level 15, 401 Docklands Drive, Docklands VIC 3008. Tel. 1300 922 923, Intl. +61 2 9290 4444, www.senseofsecurity.com.au, ABN 14 098 237 908, @ITSecurityAU. Compliance, Protection & Business Confidence.
31 August 18

mimikatz: A little tool to play with Windows security
Prashant Mahajan
Authors
or by mail (benjamin [at] gentilkiwi.com) or visit his blog (http://blog.gentilkiwi.com/)
• Vincent LE TOUX, a few contributions to mimikatz including the DCSync function in the lsadump module; you can contact him on Twitter (@mysmartlogon) or by mail (vincent.letoux [at] gmail.com) or visit his website (http://www.mysmartlogon.com)
Credentials in Memory ?!
are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory.
• This is meant to facilitate Single Sign-On (SSO), ensuring a user isn't prompted each time resource access is requested.
• The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords to support WDigest and SSP authentication, among others.
https://adsecurity.org/?page_id=1821
RunAsPPL
Security Authority Security Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Windows 8.1 provides additional protection for the LSA to prevent code injection by non-protected processes, which adds security for the credentials that the LSA stores and manages. This protected-process setting for LSA can be configured in Windows 8.1; in Windows RT 8.1 it is on by default and cannot be changed.
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
Golden Ticket
KRBTGT NTLM password hash to encrypt and sign.
• A GT can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
• Since the GT is an authentication ticket, its scope is the entire domain (and the AD forest, by leveraging SID History), because the TGT is used to get the service tickets (TGS) used to access resources.
• The GT contains user group membership information (PAC) and is signed and encrypted using the domain's Kerberos service account (KRBTGT), so it can only be opened and read by the KRBTGT account.
https://adsecurity.org/?page_id=1821
Golden Ticket
password NTLM/RC4/AES128/AES256, they can create Golden Tickets (TGT) that can provide access to anything in AD at any time. Mimikatz adds the following groups to the ticket by default:
• Domain Users, SID: S-1-5-21-<DOMAINID>-513
• Domain Admins, SID: S-1-5-21-<DOMAINID>-512
• Schema Admins, SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins, SID: S-1-5-21-<DOMAINID>-519 (only effective when the forged ticket is created in the forest root domain; otherwise it has to be added with the /sids parameter to obtain AD forest admin rights)
• Group Policy Creator Owners, SID: S-1-5-21-<DOMAINID>-520
https://adsecurity.org/?page_id=1821
Golden Ticket
account to be impersonated or any username
• /id – RID of the account to be impersonated. This could be a real account ID, such as the default administrator ID of 500, or a fake ID.
• /groups – list of groups to which the account in the ticket will belong
• /sids – SID to insert into the SIDHistory attribute of the account in the ticket
• /ptt – Pass the Ticket: load the golden ticket into the current session
Silver Ticket
format) using the AD computer/service account (can be identified by its SPN) NTLM password hash to encrypt and sign. Mimikatz adds the following groups to the ticket by default:
• Domain Users, SID: S-1-5-21-<DOMAINID>-513
• Domain Admins, SID: S-1-5-21-<DOMAINID>-512
• Schema Admins, SID: S-1-5-21-<DOMAINID>-518
• Enterprise Admins, SID: S-1-5-21-<DOMAINID>-519 (only effective when the forged ticket is created in the forest root domain; otherwise it has to be added with the /sids parameter to obtain AD forest admin rights)
• Group Policy Creator Owners, SID: S-1-5-21-<DOMAINID>-520
https://adsecurity.org/?page_id=1821
Silver Ticket
• /target – the host (SPN value); the sos.labs domain has dc1.sos.labs
• /service – the name of the service that we will create tickets for (must be a service running as the service account)
• /user – the user that the ticket will be created for; this can be any user account whatsoever, even user accounts that do not exist
• /groups – list of groups to which the account in the ticket will belong. Domain Admins is included by default
• /rc4 – NTLM hash of the account, or /aes128 /aes256 keys
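As an added defender-side example (not code from the slides or from mimikatz), the Python heuristic below checks a ticket record for the three forgery signs the Golden and Silver Ticket slides above describe: a PAC group set that is exactly the default group set mimikatz injects, a ticket for an account that does not exist in the directory, and a SIDHistory entry carrying another domain's Enterprise Admins SID. The TicketRecord shape, domain SIDs and account names are constructed assumptions; how you obtain ticket data from your own telemetry is outside this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# RIDs mimikatz injects into a forged Golden/Silver Ticket by default (per the slides).
MIMIKATZ_DEFAULT_RIDS = frozenset({513, 512, 518, 519, 520})
ENTERPRISE_ADMINS_RID = 519
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_domain_sid(sid: str) -> Optional[tuple]:
    """'S-1-5-21-<domain>-<rid>' -> (domain SID, RID); None for non-domain SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

@dataclass
class TicketRecord:
    """Constructed view of a ticket: account, realm domain SID, PAC groups, SIDHistory."""
    user: str
    domain_sid: str
    group_sids: list
    extra_sids: list = field(default_factory=list)

def analyse_ticket(t: TicketRecord, known_accounts: set) -> list:
    """Return the reasons a ticket looks forged; an empty list means no heuristic hit."""
    findings = []
    # 1. Forged tickets can name an account that does not exist in the directory.
    if t.user.lower() not in {a.lower() for a in known_accounts}:
        findings.append(f"account {t.user!r} does not exist in the directory")
    # 2. Compare the PAC group RIDs against the default set mimikatz injects.
    rids = set()
    for sid in t.group_sids:
        parts = split_domain_sid(sid)
        if parts is None or parts[0] != t.domain_sid:
            findings.append(f"PAC group {sid} is not relative to the ticket's domain")
        else:
            rids.add(parts[1])
    if rids == MIMIKATZ_DEFAULT_RIDS:
        findings.append("PAC groups are exactly the mimikatz default set 512/513/518/519/520")
    # 3. /sids can plant another domain's Enterprise Admins SID in SIDHistory.
    for sid in t.extra_sids:
        parts = split_domain_sid(sid)
        if parts and parts[0] != t.domain_sid and parts[1] == ENTERPRISE_ADMINS_RID:
            findings.append(f"SIDHistory carries another domain's Enterprise Admins ({sid})")
    return findings

# Constructed sample data (hypothetical domain SIDs and account names).
CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ROOT_SID = "S-1-5-21-4444444444-5555555555-6666666666"
KNOWN_ACCOUNTS = {"Administrator", "svc_backup", "jsmith"}
FORGED = TicketRecord("ghost", CHILD_SID, [f"{CHILD_SID}-{r}" for r in (513, 512, 518, 519, 520)],
                      extra_sids=[f"{ROOT_SID}-519"])
```

A legitimate member of the forest root's Enterprise Admins will also carry that SID in a child-domain ticket, so the third check is a review trigger to correlate with group membership, not a verdict on its own.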
Skeleton Key
• This enables all user authentication to the Skeleton Key patched DC to use a "master password" (mimikatz), aka the Skeleton Key, as well as their usual password.
• A reboot removes the Skeleton Key injection.
DCShadow
• DS-Install-Replica (Add/Remove Replica in Domain)
• DS-Replication-Manage-Topology (Manage Replication Topology)
• DS-Replication-Synchronize (Replication Synchronization)
Sites object in the Configuration container
• CreateChild and DeleteChild
Computer object of the attacker's machine (which is registered as a fake DC)
• WriteProperty
Target object (user or computer or ADSPath)
• WriteProperty
https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1