So Long, and Thanks for All the Fish
Just some random thoughts about the Meaning of Life, The Universe, and Everything
A new technique, called “Internal Monologue Attack”, allows and attack similar to Mimikatz without dumping memory area of LSASS process, avoiding antivirus and Windows Credential Guard.
Continue reading “Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack”
Adapted from the idea behind the popular Windows tool mimikatz, Mimipenguin is a tool, developed by Hunter Gregal, that dumps the login password from the current linux desktop user.
Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.
The tool requires root permissions and come in two versions, a python script and a bash script, with different feature support:
I’ve tested the script also on my Debian laptop, and works great:
mimikittenz (the younger brother of Mimikatz?) provides a user-level extraction tool for sensitive data, focusing on running process memory address space:
once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.
Currently mimikittenz is able to extract the following credentials from memory:
Webmail
Accounting
Remote Access
Development
IHateReverseEngineers
Misc
on the official GitHub repo:
If a program has been written in order to keep in memory some credentials in clear text, this can be a security risk.
When you make a security assessment, it will be useful a tool that scans processes memory searching for cleartext passwords, like Mimikatz, a tool written by Benjamin Delpy and Vincent Le Toux.
Mimikatz supports both Windows 32-bit and 64-bit and allows you to gather various credential types, using various techniques:
mimikatz is a tool I’ve made to learn C and make somes experiments with Windows security.
It’s well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?
An interesting tutorial on Windows OS Hub about the extraction of cleartext credentials from LSASS process:
http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/
Yes, two simple commands:
mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full
and also a brief video demo:
Both examples shouldn’t works on system that have installed the KB2871997:
One of the credentials stored by LSASS is the user’s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user’s clear-text password. WDigest still stores the user’s clear-text password because it cannot function without the user’s password (Microsoft does not want to break existing customer setups by shipping an update to disable this).
However, because WDigest (used for credential storage) is used by many products (e.g. IIS), Microsoft left the Wdigest provider enabled which is why mimikatz can still obtain clear text password.
An attacker can simply re-enabling the credential storing in LSASS with this command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest /v UseLogonCredential /t REG_DWORD /d 1
(Obviously must be run as an administrator, but if you are using mimikatz is assumed that the privileges have been already gained!)