Retrieving Passwords with the Mimikatz Tool | Using Mimikatz and SSP
Before examining Mimikatz in detail, it is useful to know what Mimikatz and SSP are. Therefore What is Mimikatz and SSP? The article may be of interest to you.
In Windows operating systems, the user name and password check during the login request is located in the System32 directory. LSASS.exe program takes over. Basically LSASS.exe (Local Security Authority Subsystem Service) is responsible for user processes and identity control in the Windows system. Login control entered data in Windows system SAM by comparing it with the data in the table. If the data is kept (True) as a result of the comparison, it simultaneously stores the user's password information (NTLM hash) in memory while adding the user to the system. Softwares such as Mimikatz and WCE bypass the control mechanism by reading the hash in the memory area where the data is stored and injecting it into any other LSASS session.
The reason for designing such a security structure on Windows is that SSO (Single sign-on) services do not support classical authentication methods such as Kerberos and NTLM. To overcome this, first tspkg and then updated SSP (Security Support Provider) called wdigest were developed on the Windows side.
With the developed SSPs, the password information is kept encrypted in the memory and almost all Windows have this feature by default.
All together now mimikatzLet's consider in detail:
Mimikatz; It is an open source program intended as a PoC, written in C language in 2007 by a programmer named Benjamin Delpy (gentilkiwi), which is frequently used in Pass-The-Hash attacks on Windows (x86/x64 architectures) operating systems. Basically, it performs its features with the help of files named “mimilib.dll” and “mimidrv.sys”. While Mimilib has tasks such as accessing SSP session packages, bypassing AppLocker software on Windows, filtering passwords; Mimidrv is the driver that enables the interaction between the Windows kernel and Mimikatz. An administrator user or a system user is required to run Mimikatz. In addition, it must be able to interact with the LSASS process and have debugging rights in order to work stably.
Benjamin Delpy has published an Excel chart showing what type of credential data is in memory (LSASS) and the percentage of credentials held in memory, including Windows 8.1 and Windows 2012 R2 with advanced protection mechanisms. (shared below)
What is Mimilib?
Just now mimilib We briefly mentioned the file named, basically its job is to provide access to SSP packages. mimilib; RPC uses ServerLevelPluginDll to act as lateral movement on DHCP Server and even as an extension on WinDBG. We'll look at how attackers expose this library as an SSP for their purposes.
Mimilib works by taking advantage of calling a security support provider with plain text credentials through the SSP interface.
- SpInitialize – Used to initialize the SSP and provide a list of function pointers.
- SpShutDown – Invoked by draining an SSP and releasing resources.
- SpGetInfoFn – Provides information about the SSP, including version, name, and description.
- SpAcceptCredentials – Retrieves clear-text credentials forwarded by the LSA to be cached by the SSP.
Flowchart
Test Environment
The entry point for Mimilib's SSP functionality is found in kssp.c, specifically kssp_SpLsaModeInitialize. This function is exported as SpLsaModeInitialize from the DLL via the mimilib.def definition file and is used by LSASS to initialize a structure with several callbacks.
Thus, mimilib.dll will be registered as a Windows Security Package as Mimikatz SSP. After the Security Package is registered and the system is rebooted, mimilib.dll lsass.exe will be loaded into process memory and save all login passwords the next time someone logs on or otherwise authenticates to the system, for example via runas.exe. This process takes place in brief with the following steps:
- Creating the mimilib.dll file and copying it to the target machine system32 folder.
- Retrieval of the LSA Security Packages list.
- Addition of mimilib.dll to the SSP list.
The following shows the kiwissp.log file with the Security Packages registry value added to mimilib and the user password saved at user login (after the Security Package is registered and after the system is rebooted):
The important point here is; is that the new SSP requires a reboot to reactivate after being added to the list of Security Packages.
detection
In order to determine the technique used above, hklm\system\currentcontrolset\control\lsa\ This technique can be monitored or detected in any change.
miter T1101 In order to use this Persistence technique, it is necessary to have Administrator privileges.
Installing SSP without Reboot
Windows API to install SSP without rebooting AddSecurityPackage available, i.e. Mimilib can actually be added without a reboot. When installed, we can also see that the credentials are written to the kiwissp.log file after each authentication. The goal is to add SSP from a malicious dll file using the AddSecurityPackage function, which is accomplished using Secur32.lib. An example piece of malicious code is shared below.
Below is a gif showing how lsass installs the new Security Package spotless.dll and takes effect immediately.
With this method, we can now get passwords when any user authenticates to the system without rebooting the system. Here, the DLL codes used to add SSP extract the authentication details and save them in the c:\temp\log-pw.txt file.
detection
The technique here requires Administrator privileges in practice. For their detection, the registry records given above can be followed. Except this;
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
Windows 8.1 and Windows Server 2012 R2 can generate events when unsigned DLLs try to load into the LSA by setting the above registry key.
miter T1131
In this text What is Mimikatz and how to use it We examined the question in detail. See you in our next articles.