Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack

A new technique, called the “Internal Monologue Attack”, allows an attack similar to Mimikatz without dumping the memory of the LSASS process, thereby avoiding antivirus detection and Windows Credential Guard.

Extracting credentials from Linux memory with MimiPenguin

The Linux port of Mimikatz

Adapted from the idea behind the popular Windows tool mimikatz, Mimipenguin is a tool, developed by Hunter Gregal, that dumps the login password of the current Linux desktop user.

It takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. It will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

The tool requires root permissions and comes in two versions, a Python script and a Bash script, with different feature support:

  • GDM password (Kali Desktop, Debian Desktop): Python
  • Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop): Bash and Python
  • VSFTPd (Active FTP Connections): Bash and Python
  • Apache2 (Active HTTP Basic Auth Sessions): Not yet implemented
  • OpenSSH (Active SSH Sessions — Sudo Usage): Not yet implemented

Supported/Tested Systems

  • Kali 4.3.0 (rolling) x64 (gdm3)
  • Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
  • VSFTPd 3.0.3–8+b1 (Active FTP client connections)
  • Apache2 2.4.25–3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
  • openssh-server 1:7.3p1–1 (Active SSH connections — sudo usage)

I’ve also tested the script on my Debian laptop, and it works great.


More information and downloads

https://github.com/huntergregal/mimipenguin

mimikittenz, a PowerShell tool to extract plain-text passwords from memory

The tool utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.

mimikittenz (the younger brother of Mimikatz?) provides a user-level extraction tool for sensitive data, focusing on running process memory address space:

Once a process is killed, its memory ‘should’ be cleaned up and inaccessible; however, there are some edge cases in which this does not happen.

Features

Currently mimikittenz is able to extract the following credentials from memory:

Webmail

  • Gmail
  • Office365
  • Outlook Web

Accounting

  • Xero
  • MYOB

Remote Access

  • Juniper SSL-VPN
  • Citrix NetScaler
  • Remote Desktop Web Access 2012

Development

  • Jira
  • Github
  • Bugzilla
  • Zendesk
  • Cpanel

IHateReverseEngineers

  • Malwr
  • VirusTotal
  • AnubisLabs

Misc

  • Dropbox
  • Microsoft Onedrive
  • AWS Web Services
  • Slack
  • Twitter
  • Facebook

More information and downloads

On the official GitHub repo:

https://github.com/putterpanda/mimikittenz

Mimikatz: a swiss-army knife for Windows credential gathering

Really useful for penetration testing purposes!

If a program has been written to keep credentials in memory in clear text, this is a security risk.

During a security assessment, a tool that scans process memory for cleartext passwords is useful: Mimikatz, written by Benjamin Delpy and Vincent Le Toux, is such a tool.

Mimikatz supports both Windows 32-bit and 64-bit and allows you to gather various credential types, using various techniques:

mimikatz is a tool I’ve made to learn C and make some experiments with Windows security.

It’s well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?

Features

  • Dump credentials from LSASS (Windows Local Security Account database)
  • MSV1.0: hashes & keys (dpapi)
  • Kerberos password, ekeys, tickets, & PIN
  • TsPkg (password)
  • WDigest (clear-text password)
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys (even those not normally exportable).
  • Dump cached credentials
  • Stop event monitoring.
  • Bypass Microsoft AppLocker / Software Restriction Policies
  • Patch Terminal Server
  • Basic GPO bypass

Usage example

An interesting tutorial on Windows OS Hub about the extraction of cleartext credentials from the LSASS process:

http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/

Yes, two simple commands:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

and also a brief video demo:

Both examples shouldn’t work on systems that have KB2871997 installed:

One of the credentials stored by LSASS is the user’s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user’s clear-text password. WDigest still stores the user’s clear-text password because it cannot function without the user’s password (Microsoft does not want to break existing customer setups by shipping an update to disable this).

However, because WDigest (which stores credentials) is used by many products (e.g. IIS), Microsoft left the WDigest provider enabled, which is why mimikatz can still obtain clear-text passwords.
An attacker can simply re-enable credential storage in LSASS with this command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest /v UseLogonCredential /t REG_DWORD /d 1

(Obviously this must be run as an administrator, but if you are using mimikatz it is assumed that those privileges have already been gained!)
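From the defender’s side, the same registry value is the thing to audit. The following PowerShell script is an added example (not from the original post or from the mimikatz project): it reads UseLogonCredential, warns when WDigest caching is enabled or when a legacy system lacks KB2871997, and with -Remediate sets the value back to 0. It assumes an elevated PowerShell 3.0 or later session and that WDigest is not needed by any application on the host.

```powershell
# Added example: audit (and optionally harden) WDigest clear-text caching in LSASS.
# Assumes an elevated session; pass -Remediate to set UseLogonCredential to 0.
param([switch]$Remediate)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest'
$Name = 'UseLogonCredential'

# Read the current value; an absent key or value yields $null.
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

# Windows 7 / Server 2008 R2 (NT 6.1) only honour this value once KB2871997 is installed;
# Windows 8.1 / Server 2012 R2 (NT 6.3) and later ship the protection built in, so
# Get-HotFix returns nothing there and the legacy check is skipped.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$legacy    = $osVersion -lt [version]'6.3'
$hasKb     = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

if ($legacy -and -not $hasKb) {
    Write-Warning "KB2871997 not installed: WDigest caches clear-text passwords regardless of $Name."
}

switch ($current) {
    1       { Write-Warning "$Name = 1: WDigest is caching clear-text passwords in LSASS." }
    0       { Write-Output  "$Name = 0: WDigest clear-text caching is disabled." }
    default { Write-Output  "$Name not set: caching is disabled once the KB2871997 protection is present." }
}

# A value of 1 appearing on a host is itself a detection signal: audit registry writes
# to this key (Windows Object Access auditing or Sysmon Event ID 13, RegistryEvent).
if ($Remediate -and $current -ne 0) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord
    Write-Output "Set $Name = 0. Users must log off and on again before LSASS stops caching their password."
}
```

Credentials already cached by LSASS are not cleared by the registry change; only a new logon session starts without WDigest caching.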


More information and downloads