Development of techniques to remove Kerberos credentials from Windows Systems

Nick Offerman, Steffan Roobol
04-07-2019
Introduction
Figure 1: Kerberos Protocol
Problem
Figure 1: the LSASS process and Mimikatz.
Research Questions
How can Kerberos credentials be completely purged out of a Windows Operating System without rebooting the system?
(1) Mimikatz
(2) klist
(3) Remove credentials
Related Work
Benjamin Delpy created the open-source Mimikatz tool
- Read out credentials from LSASS
- Forge Kerberos tickets
Blog posts
- Anti-Mimikatz (debug privilege)
- Registry keys
- Group policies
Methods - Test environment
Figure 2: Test Environment
Methods - Experiments
Client-side
- Analyse Mimikatz
- Analyse klist
- Create tool
- Test reading out of credentials

Table 1: Retrieving credentials on Windows systems before and after commands.

Experiment                   Windows 7   Windows 8   Windows 8.1   Windows 10
Baseline
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
After klist purge
  klist                      ?           ?           ?             ?
  kerberos::list             ?           ?           ?             ?
  sekurlsa::kerberos         ?           ?           ?             ?
After tool
  klist                      ?           ?           ?             ?
  kerberos::list             ?           ?           ?             ?
  sekurlsa::kerberos         ?           ?           ?             ?
Methods - Tools
- Analysis Mimikatz code
  - Visual Studio 2017
- Analysis klist executable
  - IDA
  - x64dbg
- Programming
  - C
  - Windows PowerShell
Results - Mimikatz analysis
Results - Overwriting LSASS
- Mimikatz can read? We can write.
- Right after searching the credential blob
Table 2: Retrieving credentials on Windows systems before and after overwriting.

Experiment                   Windows 7   Windows 8   Windows 8.1   Windows 10
Baseline
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
After overwriting
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         No          No*         No*           No*
Results - klist command
Table 3: Retrieving credentials on Windows systems before and after klist purge.

Experiment                   Windows 7   Windows 8   Windows 8.1   Windows 10
Baseline
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
After klist purge
  klist                      No          No          No            No
  kerberos::list             No          No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
Results - PowerShell script
Discussion
- Mimikatz: LSASS memory, Windows API calls
- klist: Kerberos memory
- Purge tool: clears both locations
- But…
  - Get-WmiObject Win32_LogonSession
- Limitations:
  - Tool overwrites all credentials
  - Windows 7
  - Kerberos memory
Future Work
- Specific credential removal
- Expand for other OSs
- Further explore klist
Conclusion
How can Kerberos credentials be completely purged out of a Windows Operating System without rebooting the system?
                   Read        Remove
LSASS Memory       Mimikatz    Tool
Kerberos Memory    klist       klist purge

Table 4: Retrieving credentials on Windows systems before and after commands.

Experiment                   Windows 7   Windows 8   Windows 8.1   Windows 10
Baseline
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
After klist purge
  klist                      No          No          No            No
  kerberos::list             No          No          No            No
  sekurlsa::kerberos         Yes         Yes         No            No
After our tool
  klist                      Yes         Yes         Yes           Yes
  kerberos::list             Yes         No          No            No
  sekurlsa::kerberos         No          No          No            No
After combination
  klist                      No          No          No            No
  kerberos::list             No          No          No            No
  sekurlsa::kerberos         No          No          No            No