Practical approach to Golden Ticket Attacks: one technique, five useful tools
In the past I’ve already written about Kerberos attacks, especially about ticket attacks. In all the examples I’ve always used only Mimikatz, because I think it is the best-known tool for this kind of attack.
Pypykatz: a Mimikatz Python implementation
Mimikatz is a famous post-exploitation tool written in C by Benjamin Delpy: it allows a local attacker to dump secrets from memory exploiting Windows single sign-on functionality.
Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack
A new technique, called “Internal Monologue Attack”, allows an attack similar to Mimikatz without dumping the memory of the LSASS process, thereby avoiding antivirus and Windows Credential Guard.
Extracting credentials from Linux memory with MimiPenguin
The Linux port of Mimikatz
Adapted from the idea behind the popular Windows tool mimikatz, Mimipenguin is a tool, developed by Hunter Gregal, that dumps the login password of the current Linux desktop user.
It takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. It will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.
The tool requires root permissions and comes in two versions, a Python script and a Bash script, with different feature support:
- GDM password (Kali Desktop, Debian Desktop): Python
- Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop): Bash and Python
- VSFTPd (Active FTP Connections): Bash and Python
- Apache2 (Active HTTP Basic Auth Sessions): Not yet implemented
- OpenSSH (Active SSH Sessions — Sudo Usage): Not yet implemented
Supported/Tested Systems
- Kali 4.3.0 (rolling) x64 (gdm3)
- Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
- Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
- XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3–0ubuntu2)
- Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
- VSFTPd 3.0.3–8+b1 (Active FTP client connections)
- Apache2 2.4.25–3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
- openssh-server 1:7.3p1–1 (Active SSH connections — sudo usage)
I’ve also tested the script on my Debian laptop, and it works great:

More information and downloads
mimikittenz, a PowerShell tool to extract plain-text passwords from memory
The tool utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz (the younger brother of Mimikatz?) provides a user-level extraction tool for sensitive data, focusing on the memory address space of running processes:
once a process is killed its memory ‘should’ be cleaned up and inaccessible; however, there are some edge cases in which this does not happen.
Features
Currently mimikittenz is able to extract the following credentials from memory:
Webmail
- Gmail
- Office365
- Outlook Web
Accounting
- Xero
- MYOB
Remote Access
- Juniper SSL-VPN
- Citrix NetScaler
- Remote Desktop Web Access 2012
Development
- Jira
- Github
- Bugzilla
- Zendesk
- Cpanel
IHateReverseEngineers
- Malwr
- VirusTotal
- AnubisLabs
Misc
- Dropbox
- Microsoft Onedrive
- AWS Web Services
- Slack
More information and downloads on the official GitHub repo:
Mimikatz: a swiss-army knife for Windows credential gathering
Really useful for penetration testing purposes!
If a program keeps credentials in memory in clear text, this is a security risk.
During a security assessment, a tool that scans process memory for cleartext passwords is very useful, such as Mimikatz, a tool written by Benjamin Delpy and Vincent Le Toux.
Mimikatz supports both Windows 32-bit and 64-bit and allows you to gather various credential types, using various techniques:
mimikatz is a tool I’ve made to learn C and make some experiments with Windows security.
It’s well known to extract plaintext passwords, hashes, PIN codes and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?
Features
- Dump credentials from LSASS (Windows Local Security Account database)
  - MSV1.0: hashes & keys (dpapi)
  - Kerberos password, ekeys, tickets, & PIN
  - TsPkg (password)
  - WDigest (clear-text password)
  - LiveSSP (clear-text password)
  - SSP (clear-text password)
- Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
- Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
- Export certificates and keys (even those not normally exportable).
- Dump cached credentials
- Stop event monitoring.
- Bypass Microsoft AppLocker / Software Restriction Policies
- Patch Terminal Server
- Basic GPO bypass
Usage example
An interesting tutorial on Windows OS Hub about the extraction of cleartext credentials from the LSASS process:
Yes, two simple commands:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

and also a brief video demo:
Both examples shouldn’t work on systems that have KB2871997 installed:
One of the credentials stored by LSASS is the user’s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user’s clear-text password. WDigest still stores the user’s clear-text password because it cannot function without the user’s password (Microsoft does not want to break existing customer setups by shipping an update to disable this).
However, because WDigest (used for credential storage) is used by many products (e.g. IIS), Microsoft left the WDigest provider enabled, which is why mimikatz can still obtain clear-text passwords.
An attacker can simply re-enable credential storage in LSASS with this command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest /v UseLogonCredential /t REG_DWORD /d 1
(Obviously it must be run as an administrator, but if you are using mimikatz it is assumed that those privileges have already been gained!)
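The defender's side of that registry key: the following PowerShell script is an added example, written for this page and not taken from the post, from Mimikatz or from Microsoft. It reads the UseLogonCredential value under the WDigest key referenced above, checks whether KB2871997 is present, and reports whether LSASS will keep a clear-text copy of logon credentials; a second function sets the value back to 0. The decision logic (treating Windows 8.1 / Server 2012 R2 and later as having the fix built in) and the function names are this example's own assumptions.

```powershell
# Added example (not from the original post): audit the WDigest setting that
# decides whether LSASS keeps clear-text logon credentials. Run elevated.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest'

function Get-WDigestCredentialState {
    # Read the value the post's "reg add" command sets; absent on many systems.
    $item  = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { $item.UseLogonCredential }

    # KB2871997 adds the switch on Windows 7 / 8 / Server 2008 R2 / 2012.
    # Assumption in this example: on 8.1 / 2012 R2 (6.3) and later the
    # behaviour is built in, so a missing hotfix entry there is not a finding.
    $hotfix = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue
    $os     = [System.Environment]::OSVersion.Version

    $storesClearText = switch ($value) {
        1       { $true }   # explicitly re-enabled: the state the post's command produces
        0       { $false }  # explicitly disabled
        default {           # value absent: depends on OS version / hotfix
            if ($os -ge [Version]'6.3')  { $false }
            elseif ($null -ne $hotfix)   { $false }
            else                         { $true }   # unpatched down-level system
        }
    }

    [PSCustomObject]@{
        UseLogonCredential = $value
        KB2871997Installed = ($null -ne $hotfix)
        OSVersion          = $os.ToString()
        StoresClearText    = $storesClearText
    }
}

function Set-WDigestCredentialStorageDisabled {
    # Remediation: pin the value to 0 explicitly. Credentials already cached
    # by LSASS stay in memory until the affected sessions end or the host reboots.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Type DWord -Value 0
}

$state = Get-WDigestCredentialState
$state | Format-List
if ($state.StoresClearText) {
    Write-Warning 'WDigest will keep clear-text logon credentials in LSASS; set UseLogonCredential to 0 and reboot.'
}
```

Because the registry value can be flipped back by anyone with administrative rights, the audit is worth running on a schedule (or the key worth watching through registry auditing), not just once: a value of 1 appearing on a host that was previously clean is exactly the change the reg add command above produces.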