A new technique, called “Internal Monologue Attack”, allows and attack similar to Mimikatz without dumping memory area of LSASS process, avoiding antivirus and Windows Credential Guard.
The linux porting of Mimikatz
Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.
The tool requires root permissions and come in two versions, a python script and a bash script, with different feature support:
- GDM password (Kali Desktop, Debian Desktop): Python
- Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop): Bash and Python
- VSFTPd (Active FTP Connections): Bash and Python
- Apache2 (Active HTTP Basic Auth Sessions): Not yet implemented
- OpenSSH (Active SSH Sessions — Sudo Usage): Not yet implemented
- Kali 4.3.0 (rolling) x64 (gdm3)
- Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
- Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
- XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3–0ubuntu2)
- Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
- VSFTPd 3.0.3–8+b1 (Active FTP client connections)
- Apache2 2.4.25–3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
- openssh-server 1:7.3p1–1 (Active SSH connections — sudo usage)
I’ve tested the script also on my Debian laptop, and works great:
More information and downloads
The tool utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes
once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.
Currently mimikittenz is able to extract the following credentials from memory:
- Outlook Web
- Juniper SSL-VPN
- Citrix NetScaler
- Remote Desktop Web Access 2012
- Microsoft Onedrive
- AWS Web Services
More information and downloads
on the official GitHub repo:
Really useful for penetration testing purposes!
If a program has been written in order to keep in memory some credentials in clear text, this can be a security risk.
Mimikatz supports both Windows 32-bit and 64-bit and allows you to gather various credential types, using various techniques:
mimikatz is a tool I’ve made to learn C and make somes experiments with Windows security.
It’s well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?
- Dump credentials from LSASS (Windows Local Security Account database)
- MSV1.0: hashes & keys (dpapi)
- Kerberos password, ekeys, tickets, & PIN
- TsPkg (password)
- WDigest (clear-text password)
- LiveSSP (clear-text password)
- SSP (clear-text password)
- Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
- Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
- Export certificates and keys (even those not normally exportable).
- Dump cached credentials
- Stop event monitoring.
- Bypass Microsoft AppLocker / Software Restriction Polcies
- Patch Terminal Server
- Basic GPO bypass
An interesting tutorial on Windows OS Hub about the extraction of cleartext credentials from LSASS process:
Yes, two simple commands:
mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full
and also a brief video demo:
Both examples shouldn’t works on system that have installed the KB2871997:
One of the credentials stored by LSASS is the user’s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user’s clear-text password. WDigest still stores the user’s clear-text password because it cannot function without the user’s password (Microsoft does not want to break existing customer setups by shipping an update to disable this).
However, because WDigest (used for credential storage) is used by many products (e.g. IIS), Microsoft left the Wdigest provider enabled which is why mimikatz can still obtain clear text password.
An attacker can simply re-enabling the credential storing in LSASS with this command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest /v UseLogonCredential /t REG_DWORD /d 1
(Obviously must be run as an administrator, but if you are using mimikatz is assumed that the privileges have been already gained!)