mimikatz 2 0
play

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story - PowerPoint PPT Presentation

Sep 15, 2022 •661 likes •970 views

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this? mimikatz 2.0 & sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos & strong authentication Questions / Answers And of course, some demos during

  1. mimikatz 2.0 Benjamin DELPY ` gentilkiwi `

  2. Our little story `whoami`, why am I doing this? mimikatz 2.0 & sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos & strong authentication Questions / Answers And of course, some demos during the session (and stickers ;) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2

  3. `whoami`? Why mimikatz ? Benjamin DELPY ` gentilkiwi ` – Kiwi addict, I code, but when it’s done, I tweet about it: @gentilkiwi – lazy efficient ; – I don’t work as pentester/searcher/technical guy, I do it as a Kiwi (nights) ; – I use Windows (but also OpenBSD) • is the enemy of your enemy your friend? ;) `mimikatz` – born 2007 ; – is not a hacking tool (seriously) ; – is coded for my personal needs ; – can demonstrate some security concept ; • Have you ever try to demonstrate “theoretical” risks and to obtain reaction? acts? (budgets?) – try to follow Microsoft's evolution (who’s the cat/mouse?) – is not enough documented ! (I know, but I work on it on GitHub … ) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 3

  4. mimikatz 2.0 fully recoded in C, with system’s runtimes (≠ VC9, 10…) – strict code (no goto ;)) – smaller (~180 kb) – Deal relatively transparently with memory/process/dumps , and with registry/hives . Works on XP/2003, Vista/2008, Seven/2008r2, 8/2012 and 8.1/2012r2 – x86 & x64 ;) – Windows 2000 support dropped with 1.0 version Two other components, not mandatory : 1. mimidrv ; a driver to interact with the Windows Kernel (hooks, tokens, process…) 2. mimilib ; a library with some goodies : • AppLocker bypass ; • Authentication Package (SSP) ; • Password filter ; • mimikatz::sekurlsa for WinDBG. 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 4

  5. mimikatz :: sekurlsa PLAYSKOOL LSA (level ) Authentication msv1_0 SAM WinLogon LsaSS user:domain:password kerberos Authentication Packages msv1_0 Challenge tspkg Response wdigest livessp kerberos 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 5

  6. mimikatz :: sekurlsa PLAYSKOOL LSA (level ) Authentication packages : – take user’s credentials ; – do their job (hash, asking for ticket…) ; – keep enough data in memory to compute the answers to the challenges (Single Sign On). • Not in all case, eg: LiveSSP provider does not keep data for a SmartCard authentication If we can get data , and inject it in another session of LSASS , we avoid authentication part. If we put data in right places, we can still answer to the challenges. This is the principle of « Pass-the-hash » – In fact, of « Pass-the-* » 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 6

  7. mimikatz :: sekurlsa demo ! - sekurlsa::logonpasswords 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 7

  8. mimikatz :: sekurlsa what is it ? This module of mimikatz read data from SamSs service (known as LSASS process) or from a memory dump ! sekurlsa module can retrieve: – hash & keys (dpapi) MSV1_0 – password TsPkg – WDigest password – LiveSSP password – Kerberos password, ekeys , tickets & pin – password SSP And also : – pass-the-hash – overpass-the-hash / pass-the-(e)key • RC4 ( ntlm ), AES128 & AES256 – pass-the-ticket (official MSDN API !) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 8

  9. mimikatz :: sekurlsa workflow lsasrv!LogonSessionList lsasrv!LogonSessionListCount Package Symbols Type tspkg tspkg! TSGlobalCredTable RTL_AVL_TABLE wdigest wdigest! l_LogSessList LIST_ENTRY livessp livessp! LiveGlobalLogonSessionList LIST_ENTRY for each session kerberos (nt5) kerberos! KerbLogonSessionList LIST_ENTRY kerberos (nt6) kerberos! KerbGlobalLogonSessionTable RTL_AVL_TABLE msv1_0 lsasrv!LogonSessionList LIST_ENTRY lsasrv!LogonSessionListCount ULONG ssp msv1_0! SspCredentialList LIST_ENTRY module!symbol typedef struct _KIWI_ struct { LUID LocallyUniqueIdentifier; […] LSA_UNICODE_STRING UserName; search list/AVL for LUID LSA_UNICODE_STRING Domaine; LSA_UNICODE_STRING Password; […] } KIWI_ struct , *PKIWI_ struct ; KIWI_ struct LsaUnprotectMemory Key NT 5 Symbols RC4 lsasrv! g_cbRandomKey lsasrv! g_pRandomKey DES x lsasrv! g_pDESXKey Credentials lsasrv! g_Feedback Key NT 6 Symbols lsasrv! InitializationVector in clear ! 3DES lsasrv! h3DesKey AES lsasrv! hAesKey 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 9

  10. mimikatz :: sekurlsa memo Security Packages Package Symbols Type tspkg tspkg! TSGlobalCredTable RTL_AVL_TABLE wdigest wdigest! l_LogSessList LIST_ENTRY livessp livessp! LiveGlobalLogonSessionList LIST_ENTRY kerberos (nt5) kerberos! KerbLogonSessionList LIST_ENTRY kerberos (nt6) kerberos! KerbGlobalLogonSessionTable RTL_AVL_TABLE msv1_0 lsasrv!LogonSessionList LIST_ENTRY lsasrv!LogonSessionListCount ULONG ssp msv1_0! SspCredentialList LIST_ENTRY Protection Keys Key NT 5 Symbols Key NT 6 Symbols RC4 lsasrv! g_cbRandomKey lsasrv! InitializationVector lsasrv! g_pRandomKey 3DES lsasrv! h3DesKey DES x lsasrv! g_pDESXKey AES lsasrv! hAesKey lsasrv! g_Feedback 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 10

  11. mimikatz :: sekurlsa LsaEncryptMemory All credentials in memory are encrypted, but in a reversible way to be used (ok, not ~all~ are encrypted) Encryption is symmetric , keys are in the memory of the LSASS process – It’s like sending an encrypted ZIP with the password in the same email… – Encrypt works with LsaProtectMemory , decrypt with LsaUnprotectMemory Both deal with LsaEncryptMemory Depending on the secret size, algorithm is different: NT5 NT6 InitializationVector l m – RC4 s – 3DES g_cbRandomKey i a l h3DesKey l g_pRandomKey s m s s r a i a copy… v s k / s r a e s – DES x v t – AES m g_pDESXKey u z hAesKey l g_Feedback 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 11

  12. mimikatz :: sekurlsa demo ! - sekurlsa::logonpasswords 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 12

  13. mimikatz Focus on Windows 8.1 & 2012r2 After a lot of customers cases, time, credentials stolen...Microsoft had to react! (a little bit, ok ;)) “In Windows Server 2012 R2 and Windows 8.1, new credential protection and domain authentication controls have been added to address credential theft.” – http://technet.microsoft.com/library/dn344918.aspx#BKMK_CredentialsProtectionManagement “Restricted Admin mode for Remote Desktop Connection” Avoid user credentials to be sent to the server (and stolen) Allow authentication by pass-the-hash , pass-the-ticket & overpass-the-hash with CredSSP “LSA Protection” Deny memory access to LSASS process (protected process) Bypassed by a driver or another protected process (remember? mimikatz has a driver ;)) “Protected Users security group” No more NTLM , WDigest , CredSSP , no delegation nor SSO... Strengthening Kerberos only! Kerberos tickets can still be stolen and replayed (and smartcard/pin code is in memory =)) 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 13

  14. mimikatz Focus on Windows 8.1 & 2012r2 .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Jul 8 2014 01:44:40) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz '#####' (oe.eo) 15th RMLL/LSM (oe.eo) with 14 modules * * */ Primary CredentialKeys tspkg wdigest kerberos livessp ssp dpapi credman 6 LM NTLM SHA1 NTLM SHA1 Root DPAPI off on off on pass 1 PIN 4 tickets eKeys Windows XP/2003 Local Account 2 Domain Account 2 5 Windows Vista/2008 & 7/2008r2 Local Account Domain Account Windows 8/2012 Microsoft Account Local Account Domain Account Windows 8.1/2012r2 Microsoft Account 3 3 Local Account 3 3 7 Domain Account 3 3 Domain Protected Users 3 3 Windows 8.1 vault for user's authentication not applicable 1. can need an unlock on NT5, not available with smartcard PIN Picture Fingerprint data in memory 2. tspkg is not installed by default on XP, not available on 2003 code pass gestures pass pass no data in memory 3. tspkg is off by default (but needed for SSO with remoteapps/ts), wdigest too Microsoft Account http://technet.microsoft.com/library/dn303404.aspx Local Account 4. PIN code when SmartCard used for native Logon 5. PIN code is NOT encrypted in memory (XP/2003) 6. When accessed/used by owner 7. When local admin, UAC and after unlock 09/07/2014 Benjamin DELPY `gentilkiwi` @ 15th RMLL/LSM benjamin@gentilkiwi.com ; blog.gentilkiwi.com 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert

MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert

YOU TRY TO DETECT MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert vendor> <Insert vendor> Busylight stops mimikatz! Busylight Dem o COMMON MISTAKE: MIMIKATZ IS NOT JUST ABOUT

1.02k views • 46 slides
Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram Blaauwendraad & Thomas Ouddeken Mimikatz Post exploitation tool created by Benjamin Delpy Administrative privileges required Used to extract

355 views • 20 slides
Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman Steffan Roobol 04-07-2019 Introduction Figure 1: Kerberos Protocol 2 Problem Figure 1: the LSASS process and Mimikatz. 3 Research Questions

520 views • 27 slides
Ecosystem Services and Green Growth Jeffrey R. Vincent (Duke

Ecosystem Services and Green Growth Jeffrey R. Vincent (Duke

Ecosystem Services and Green Growth Jeffrey R. Vincent (Duke University / Beijer Ins3tute / SANDEE) Inaugural Conference World Bank Green Growth

628 views • 17 slides
Farm Direct FAQ (1) When is the Farm Direct law effective? January 1, 2012. The Oregon

Farm Direct FAQ (1) When is the Farm Direct law effective? January 1, 2012. The Oregon

Farm Direct FAQ (1) When is the Farm Direct law effective? January 1, 2012. The Oregon Department of Agriculture rules implementing the law will be adopted as the Farm Direct Marketing Rules and will be found at OAR 603-025-0221through

408 views • 7 slides
Nicolas Verstaevel IRIT DAY 2: SMART CITIES TABLE 4: IMPLEMENTATION OF THE SMART CITY CONCEPT

Nicolas Verstaevel IRIT DAY 2: SMART CITIES TABLE 4: IMPLEMENTATION OF THE SMART CITY CONCEPT

Nicolas Verstaevel IRIT DAY 2: SMART CITIES TABLE 4: IMPLEMENTATION OF THE SMART CITY CONCEPT INTERNATIONAL SUMMER SCHOOL SMART GRIDS AND SMART CITIES Barcelona, 6-8 June 2017 700 members 7 Topics 21 Teams - 4 Strategic axis

604 views • 23 slides
CaSE: Cache-Assisted Secure Execu3on on ARM Processors N1NG N1NG ZHANG ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execu3on on ARM Processors N1NG N1NG ZHANG ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execu3on on ARM Processors N1NG N1NG ZHANG ZHANG , KUN SUN, WENJING LOU, TOM HOU Who am I ? - 10 years, working on different security products data forensic, mul;-level security systems - did my undergrad @

552 views • 34 slides
WISCONSIN TAX UPDATE Presented by WISCONSIN DEPARTMENT OF REVENUE Fall 2017 1 Agenda Tax Law

WISCONSIN TAX UPDATE Presented by WISCONSIN DEPARTMENT OF REVENUE Fall 2017 1 Agenda Tax Law

11/13/2017 WISCONSIN TAX UPDATE Presented by WISCONSIN DEPARTMENT OF REVENUE Fall 2017 1 Agenda Tax Law Changes, Updates, and Reminders Tax Processing Update Fraud Prevention DOR Initiatives Audit Update 2 1 11/13/2017 Tax

1.56k views • 100 slides
Robson E. De Grande Azzedine Boukerche PARADISE Laboratory SITE University of Ottawa

Robson E. De Grande Azzedine Boukerche PARADISE Laboratory SITE University of Ottawa

Robson E. De Grande Azzedine Boukerche PARADISE Laboratory SITE University of Ottawa September 2010 DS-RT 2011 . Introduction High Level Architecture Dynamic Load Balancing Related

831 views • 24 slides
Proofs of Storage SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a

Proofs of Storage SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a

Proofs of Storage SENY KAMARA MICROSOFT RESEARCH Computing as a Service 2 Computing is a vital resource Enterprises, governments, scientists, consumers, Computing is manageable at small scales e.g., PCs, laptops, smart

638 views • 47 slides
Where are we? Informatics 2D Reasoning and Agents Semester 2, 20192020 Last time . . .

Where are we? Informatics 2D Reasoning and Agents Semester 2, 20192020 Last time . . .

Introduction Introduction Execution monitoring and replanning Execution monitoring and replanning Hierarchical Planning Hierarchical Planning Summary Summary Where are we? Informatics 2D Reasoning and Agents Semester 2, 20192020

537 views • 6 slides
Topics neo-antigens vs shared antigens as targets for vaccines new clinical settings

Topics neo-antigens vs shared antigens as targets for vaccines new clinical settings

3/5/2018 The Evolving Role of Cancer Vaccines COL (ret) George E Peoples, MD, FACS Topics neo-antigens vs shared antigens as targets for vaccines new clinical settings (hence endpoints) for vaccine trials vaccines to improve

790 views • 12 slides
Outline ! High Level Architecture (HLA): Background ! Rules ! Interface Specification CSCI 8220

Outline ! High Level Architecture (HLA): Background ! Rules ! Interface Specification CSCI 8220

Outline ! High Level Architecture (HLA): Background ! Rules ! Interface Specification CSCI 8220 Parallel & Distributed Overview Class Based Subscription Simulation Attribute updates PDES: Distributed Virtual Environments

355 views • 6 slides
Angelic Hierarchical Planning: Optimal and Online Algorithms Bhaskara Marthi Stuart Russell

Angelic Hierarchical Planning: Optimal and Online Algorithms Bhaskara Marthi Stuart Russell

Angelic Hierarchical Planning: Optimal and Online Algorithms Bhaskara Marthi Stuart Russell Jason Wolfe MIT/Willow Garage UC Berkeley UC Berkeley bhaskara@csail.mit.edu russell@cs.berkeley.edu jawolfe@cs.berkeley.edu ICAPS 08 1

1.39k views • 111 slides
Netflix Generation? How Todays Undergraduates Watch Videos Peter Shirts HLA conference, 12

Netflix Generation? How Todays Undergraduates Watch Videos Peter Shirts HLA conference, 12

Netflix Generation? How Todays Undergraduates Watch Videos Peter Shirts HLA conference, 12 November 2016 Hilo, Hawaii Streaming video On campuses, after 5pm, Netflix accounts for 70% of internet traffic Source: Streaming Video in

504 views • 28 slides
HIGH LEVEL ARCHITECTURE Introduction Concepts Technical Architecture Overview Ximing Yu HLA

HIGH LEVEL ARCHITECTURE Introduction Concepts Technical Architecture Overview Ximing Yu HLA

HIGH LEVEL ARCHITEC- TURE Ximing Yu HIGH LEVEL ARCHITECTURE Introduction Concepts Technical Architecture Overview Ximing Yu HLA Interface Specification HLA Object Model Template Department of Electrical and Computer Engineering HLA

284 views • 13 slides
F inanc e Ba sic s o f F ina nc ia l Sta te me nts 1 02/09/2018 What ar e F inanc ial R

F inanc e Ba sic s o f F ina nc ia l Sta te me nts 1 02/09/2018 What ar e F inanc ial R

02/09/2018 F ina nc ia l Ac c o unta b ility I mpo rta nt Stuff No npro fit Bo a rds MUS T K no w Pre se nte r Miria m Ro b e so n, Atto rne y F e b rua ry 9, 2018 F ina nc ia l Ac c o unta b ility fo r No npro fits F ina nc e

349 views • 14 slides
AN INTEROPERABILITY FRAMEWORK FOR TRIALS AND EXERCISES TEST-BED INFRASTRUCTURE Martijn

AN INTEROPERABILITY FRAMEWORK FOR TRIALS AND EXERCISES TEST-BED INFRASTRUCTURE Martijn

AN INTEROPERABILITY FRAMEWORK FOR TRIALS AND EXERCISES TEST-BED INFRASTRUCTURE Martijn Hendriks, XVR Simulation ITEC 2019 Conference DRIVER+ OVERALL OBJECTIVES To develop a pan- TRIALS FINAL DEMO To develop a European Test-bed for Poland,

562 views • 10 slides
JPDSC Meeting October 16, 2009 SAE Consortium 1 Introduction Thank you for the invitation

JPDSC Meeting October 16, 2009 SAE Consortium 1 Introduction Thank you for the invitation

International SAE Consortium, Ltd An Int ernat ional Indust rial Biomedical Consort ium Researching t he Genet ic Basis of Drug Relat ed S erious Adverse Event s JPDSC Meeting October 16, 2009 SAE Consortium 1 Introduction Thank you for

957 views • 58 slides
Im Immuno-Onc Oncolo logy: gy: Be Beyon ond PD1 D1 Single Agent Michael Overman, MD

Im Immuno-Onc Oncolo logy: gy: Be Beyon ond PD1 D1 Single Agent Michael Overman, MD

Im Immuno-Onc Oncolo logy: gy: Be Beyon ond PD1 D1 Single Agent Michael Overman, MD Professor Gastrointestinal Medical Oncology MD Anderson Cancer Center moverman@mdanderson.org Agenda/Disclosures Agenda The Challenge Status

1.21k views • 31 slides
Towards an HLA Run-time Infrastructure with Hard Real-time Capabilities ( 10E-SIW-011 ) Pierre

Towards an HLA Run-time Infrastructure with Hard Real-time Capabilities ( 10E-SIW-011 ) Pierre

Towards an HLA Run-time Infrastructure with Hard Real-time Capabilities ( 10E-SIW-011 ) Pierre Siron Jean-Baptiste Chaudron Martin Adelantado DMIA Department, ONERA/DTIM/SER ONERA/DTIM/SER Universit de Toulouse, ISAE ONERA, Centre de

676 views • 21 slides
Synthetic long read technologies in genome phasing and beyond Volodymyr Kuleshov Stanford

Synthetic long read technologies in genome phasing and beyond Volodymyr Kuleshov Stanford

Synthetic long read technologies in genome phasing and beyond Volodymyr Kuleshov Stanford University Batzoglou & Snyder Labs + Latest ongoing research on synthetic long reads Genome phasing ----- [A/T] ------ [C/G] ----- [G/T] ------

275 views • 23 slides
Towards personalized p immunotherapy of cancer Hans-Georg Rammensee Interfakultres Institut

Towards personalized p immunotherapy of cancer Hans-Georg Rammensee Interfakultres Institut

NCT Conference 2013 New Cancer Targets Towards personalized p immunotherapy of cancer Hans-Georg Rammensee Interfakultres Institut fr Zellbiologie Abteilung Immunologie Prof. Dr. Hans Georg Rammensee Towards patient-specific tumor

1.41k views • 89 slides
MISSION Clinical Program GWG Recommendations Shyam Patel, Ph.D. Associate Director, Portfolio

MISSION Clinical Program GWG Recommendations Shyam Patel, Ph.D. Associate Director, Portfolio

MISSION Clinical Program GWG Recommendations Shyam Patel, Ph.D. Associate Director, Portfolio Development and Review California Institute for Regenerative Medicine December 13, 2018 Clinical Stage Programs MISSION CLINICAL STAGE CLIN 1

492 views • 20 slides

More recommend