Mimikatz Extravaganza (slide deck transcript; posted 29-Dec-2019)

Mimikatz Extravaganza 29 May | 08:30 - 09:30 | Europe

Erik Loef, Technical Director

@erikloef

The coming hour

• NTLM, Kerberos and Mimikatz

• Demo

• Powershell & Mimikatz

• Demo

• Mitigations?

• Demo

• Windows 10 and Mimikatz

• Demo

Mimikatz functions

• Dump credentials from LSASS
• Generate Kerberos Golden Tickets
• Generate Kerberos Silver Tickets
• Export certificates and keys (even those not normally exportable)
• Dump cached credentials
• Stop event monitoring
• Bypass Microsoft AppLocker / Software Restriction Policies
• Patch Terminal Server
• Basic GPO bypass
• Alter cached credentials

LSASS, NTLM & Kerberos

The Local Security Authority (LSASS) keeps a secret for each authentication package in the logged-on user's session (figure):

• NTLM: the NTOWF (NT hash) of the password, e.g. C9DF4E56A2D1…
• Digest: the plaintext password, e.g. P@ssw0rd
• Kerberos: the Ticket-Granting Ticket and the service tickets obtained with it

LSASS: single sign-on (NTLM)

Erik's laptop: Erik logs on with User: Erik, Password: P@ssw0rd; LSASS creates Erik's user session holding User: Erik, Password hash: C9DF4E…
File server: a session for Erik, holding User: Erik, Password hash: C9DF4E…

1. Erik enters username and password
2. PC creates Erik's user session
3. PC proves knowledge of Erik's hash to the server
4. Server creates a session for Erik

LSASS: pass-the-hash & pass-the-ticket

Single sign-on architecture (figure): Erik's laptop runs LSASS with NTLM (NTOWF C9DF4E56A2D1…), Digest (Password P@ssw0rd) and Kerberos (a Ticket-Granting Ticket plus service tickets); the domain controller DC01 issues the tickets, and the file server at 192.168.100.10 is reached with a service ticket. Every host Erik authenticates to ends up holding part of his "credential footprint" (User: Erik, Hash: C9DF4E…).

Pass-the-Hash technique (figure):

Fred's laptop: Fred's user session (User: Fred, Password hash: A3D7…)
Erik's laptop: Erik's user session (User: Erik, Password hash: C9DF…) and, next to it, a malware user session running as Fred (User: Fred, Hash: A3D7…)
File server: a session for Erik (User: Erik, Hash: C9DF…)

1. Fred runs malware
2. Malware infects Erik's laptop as Fred
3. Malware infects the file server as Erik

See it in action: let's start Mimikatz

DEMO 1

• basic pass-the-hash

• MS14-068

• Golden Ticket

• Skeleton Key

Ways to run Mimikatz

• Binary (source available)

• Windows Debugger (mimilib.dll)

• Offline analysis (memory dumps)

Scripts

• PowerShell

• Embedded in Metasploit

PowerShell Mimikatz: antivirus??

DEMO 2

• Rubber Ducky PowerShell

• remote (weaponized Word document)

Mitigations: try some

DEMO 3

• LSASS as a protected process (RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); note that a signed kernel driver can still strip the protection

• No more plaintext passwords in Windows 8.1 (WDigest no longer caches the logon password; UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest controls this)

LSASS?

• Minidump: dump LSASS memory and analyse it offline with sekurlsa::minidump

Windows 10 to the rescue

Windows 10 Isolated User Mode (Virtual Secure Mode): LSA secrets move into a hypervisor-isolated process (LSAIso), the basis of Credential Guard

RECAP

• Mimikatz has many functions, uses and variants

• Mimikatz is only a proof of concept

• Windows 10: new architecture

Want to try it yourself?

• Mimikatz http://blog.gentilkiwi.com/mimikatz

• https://clymb3r.wordpress.com/

• https://github.com/besimorhino/powercat

• https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz

• https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1

• http://www.labofapenetrationtester.com

• https://hak5.org/store

• www.microsoft.com/pth

Your feedback is important!

Scan the QR Code and let us know via the TechDays App.


Are you already a member of the Microsoft Virtual Academy? On MVA you can always learn something new about the latest Microsoft technology. Sign up today at the MVA stand. MVA offers free 24/7 online on-demand training for IT professionals and developers.