What is Mimikatz and SSP?
What is Mimikatz?
“mimikatz why?" Before answering the question, it is necessary to know how the login process in Windows systems is done. When we open the system, an application called “lsass.exe” comes into play to verify our password and user name information while logging in. This application manages the authentication policies and some other security policies in the systems.
After the user gives the user name and password information to the system, lsass.exe compares the data it receives with the data in the SAM and LDAP files. If the comparison returns a true value, the user is allowed to log in and the authentication process is complete. Lsass.exe keeps the password information in memory in an NTLM hash and encrypted format while including the user in the system. While the NTLM hash is irreversible, the encrypted version of the password can be obtained as clear text by reverse engineering the encryption algorithm.
So what does the mimikatz do? This tool is used to obtain the password on the target system as clear text using this verification process in windows. Two files enable Mimikatz to perform password reading; “mimilib.dll” and “mimidrv.sys”. While mimidrv provides the communication between the Windows kernel and Mimikatz, mimilib undertakes the most important part of the work.
What Does Mimilib.dll Do?
mimilib, which has tasks such as accessing SSP session packets, bypassing AppLocker software on Windows, and filtering passwords; It uses ServerLevelPluginDll to act laterally on RPC and DHCP Server and even as an extension in WinDBG. If we examine the content of Mimilib, we see the following table:
– SpInitialize: Used to initialize the SSP and provide a list of function pointers.
– SpShutDown: Invoked by unloading an SSP and releasing resources.
– SpGetInfoFn: Provides information about the SSP, including version, name, and description.
– SpAcceptCredentials: Retrieves clear-text credentials transmitted by the LSA for the SSP to cache.
After the user logs on to the system, mimikatz reads the NTLM hash and encrypted data kept in memory, and reverts the encrypted data with reverse engineering techniques to obtain the clear text version of the password. Now that we understand what Mimikatz is, SSP is next…
What is SSP (Security Support Provider)?
Security Support Provider, or SSP for short, which forms the basis of the Windows authentication mechanism, is used as SSPI (Security Support Service Provider Interface) by applications that require authentication. As an interface, SSPI can use distributed programming libraries such as RPC for authentication processes. There are basically 3 different SSPs on Windows systems:
– Kerberos Protocol Security Package
– Schannel SSP
– NTLM Security Package
Now that we've touched on the SSP, let's talk about the relationship between Mimikatz and SSP. Now you understand how Mimikatz and windows provided SSP work together. Mimikatz obtains password information using the Security Support Provider, which allows users to quickly log in and authenticate.
How Does Mimikatz Work?
Now that we understand what Mimikatz and SSP are, it's time to understand the working logic of Mimikatz. Mimikatz essentially works by exploiting the single sign-on (SSO) system on Windows systems. WDigest, which came as a default feature in all Windows systems until Windows 10, saved the encrypted password to the memory and at the same time loaded the "secret key" to the memory to decrypt it. In Mimikatz, it was possible to obtain the password in memory in clear text easily by taking advantage of this feature.
Realizing that WDigest was causing such a problem, Microsoft made this feature possible in Windows 8.1 if the user wanted to disable it, and turned it off completely on Windows 10 devices. However, WDigest is still a feature that exists on systems. If the attacker has Administrator privileges on the target system, they can run WDigest and mimikatz can easily obtain the password.