Mimikatz: Miscellaneous Notes on Offense and Defense

A few days ago I saw an article by a foreign author on defending against mimikatz. I liked the way it was laid out, but the content was a bit thin. There is also a Chinese translation of it, but it was riddled with mistranslations, so I decided to translate and reproduce the article I had read, adding some material of my own. Think of this post as a starting point; if there are errors in the text, feel free to call them out.

mimikatz is a very useful tool in intranet penetration. It lets an attacker grab plaintext passwords from memory. We all know how powerful this tool is, and Microsoft certainly knows too, which is why it added some security mechanisms against mimikatz grabbing passwords. On systems before win2008, however, you can still grab passwords. Under normal circumstances, local administrator rights are all it takes to read passwords from memory, and once a password is grabbed it usually provides the rights needed for lateral movement.

Debug Privilege

In Windows, the debug privilege can be used to debug processes and even to debug the kernel. For mimikatz the usual routine is: to read memory it first has to obtain the debug privilege, and only then can it open the process. By default the local Administrators group holds this privilege. However, unless the administrator is a programmer, they generally have no need for it.

In the local security policy, this privilege is granted to the Administrators group by default.

In the default domain group policy, however, this setting is not defined.

By the precedence rules for Windows policies, the Administrators group therefore ends up holding the right.

A note on policy precedence:

By default, policies that do not conflict are merged. When they conflict, the higher-priority policy wins, with priority from low to high: local policy (local) -> site policy (site) -> domain policy (domain) -> OU policy (organizational unit).

Effect of the different configurations on mimikatz

By default, obtaining the debug privilege succeeds.

Set the group that holds the debug privilege to empty, then log out and log back in.

Run mimikatz: obtaining the debug privilege now fails.

WDigest

WDigest was introduced as early as the XP era. The protocol was designed for HTTP authentication, which is why lsass kept plaintext passwords around. On systems before win2008 it is enabled by default, so an attacker can use it to obtain plaintext.

On systems after win2008, however, it is disabled by default. If a pre-win2008 system has the KB2871997 patch installed, WDigest can be enabled or disabled by configuring the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

With UseLogonCredential set to 0, WDigest does not cache credentials in memory; with UseLogonCredential set to 1, WDigest caches credentials in memory.

Effect of the different configurations on mimikatz

With caching enabled, plaintext is grabbed directly. Very comfortable.

After turning caching off and rebooting, grabbing again yields nothing at all.


Credential Caching

Domain Cached Credentials, abbreviated DCC, are also called mscache. There are two versions: the XP/2003-era one is the first generation, and the one from Vista/2008 onward is the second generation.

Once a computer joins a domain it has to authenticate via Kerberos, and Kerberos authentication requires the domain controller to take part. But if a domain member temporarily cannot reach the domain controller, does that mean it cannot authenticate at all? Domain credential caching exists to solve exactly this problem: if the domain controller is temporarily unreachable, Windows tries to authenticate with credentials cached on the local machine. Ten entries are cached by default.

Cache location (by default even local administrators have no permission to access it):

HKEY_LOCAL_MACHINE\SECURITY\Cache

Setting the cache count in group policy to 0 means nothing is cached.

Effect of the different configurations on mimikatz

With the default configuration, 10 entries are cached. Log in as the local administrator, elevate to SYSTEM, then run mimikatz: mscachev2 entries are grabbed successfully.

Set the cache count to 0, stop the domain controller, then log in with a domain account. The domain member can no longer log in.

Log in with the local administrator account, elevate to SYSTEM, and nothing at all is grabbed.


Protected Users Group

The Protected Users group can be used to force high-privilege users such as local administrators to authenticate only through Kerberos (which is genuinely slick). It is a new security group introduced in win2012 (pre-win2008 systems with the KB2871997 patch also gain this group). It prevents plaintext from being stored in memory and NTLM hashes from leaking (and since authentication goes through Kerberos, Net-NTLM hashes are not leaked either). Configuration is fairly simple: just add the users you want to protect to this group. (I could not reproduce this because of hardware limits on my machine; running one win2016 VM plus one win10 VM already brings it to a crawl.)

Restricted Admin Mode

Restricted Admin Mode is, in short, a security measure that keeps your account credentials from being exposed on the target system. It was introduced in win8.1/win2012R2 (note: R2). To use this feature on win7/win2008 you need KB2871997 and KB2973351. It requires the client and server to cooperate. On the server side it is enabled by adding the following registry value:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

Right-click -> About on the client to check that its version is RDP 8.1.

Potential risk: RDP PTH

Restricted Admin Mode lets you log in directly with the current logon credentials, so the "Always prompt for credentials" box must definitely not be checked.

sekurlsa::pth /user:<username> /domain:<computername or ip> /ntlm:<ntlm hash> "/run:mstsc.exe /restrictedadmin"

The domain field accepts either the computer name or the IP. (Administrator rights are needed to obtain the debug privilege.)

Click OK all the way through and you are done.

The administrator session on the domain controller was taken over successfully.

A packet capture taken along the way shows what appears to be RDP traffic only.

Summary

1. Removing the debug privilege has no effect at all against an attacker who has already obtained SYSTEM.

2. WDigest is disabled by default, but we can turn it on manually and dig a pit for someone to fall into.

3. mscache can apparently only be cracked with hashcat at present; the plaintext is then usable once recovered.

4. The Protected Users group needs more study; that will have to wait until I have a better machine. 23333

5. The PTH attack under Restricted Admin Mode only works on specific versions, so it is fairly constrained, but in a heavily restricted intranet (where traffic on 135 and 445 is blocked) it counts as a way through.
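To tie the sections above together from the defender's side, here is an added audit script (not from the original post). It reads the registry values behind the WDigest, cached-logon and Restricted Admin settings discussed above and checks whether the current token holds the debug privilege. The WDigest and Lsa paths are the ones quoted in the post; the Winlogon path for CachedLogonsCount is assumed (it is where the "Number of previous logons to cache" policy is stored). Run it in an elevated PowerShell; it is read-only.

```powershell
# Added audit script (not from the original post); read-only, run elevated.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-MimikatzHardening {
    $findings = @()
    # WDigest: key and value named in the post. 1 = plaintext kept in lsass.
    # On patched / post-2008 hosts an absent value behaves like 0.
    $wd = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $findings += [pscustomobject]@{
        Check = 'WDigest UseLogonCredential'; Value = $wd
        Hardened = ($wd -ne 1)
        Advice = 'Set to 0 (or remove) so no plaintext is cached for sekurlsa to read'
    }
    # Cached domain logons: policy "Number of previous logons to cache" is stored
    # as REG_SZ here (path assumed, not quoted in the post). Default is 10.
    $cl = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $count = if ($null -eq $cl) { 10 } else { [int]$cl }
    $findings += [pscustomobject]@{
        Check = 'CachedLogonsCount'; Value = $count
        Hardened = ($count -le 1)
        Advice = '0 empties HKLM\SECURITY\Cache, but the post shows domain logon then fails with no DC reachable; use the lowest count that still works'
    }
    # Restricted Admin: 0 enables it (the REG ADD in the post). It keeps creds
    # off the RDP target but opens the RDP pass-the-hash path shown above.
    $ra = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
    $findings += [pscustomobject]@{
        Check = 'DisableRestrictedAdmin'; Value = $ra
        Hardened = ($ra -ne 0)
        Advice = 'Enabled (0) is a trade-off: no creds left on the target, but an NTLM hash alone suffices for RDP'
    }
    # Debug privilege on the current token: mimikatz needs it to open lsass
    # unless it already runs as SYSTEM (summary point 1).
    $hasDebug = [bool]((whoami /priv) -match 'SeDebugPrivilege')
    $findings += [pscustomobject]@{
        Check = 'SeDebugPrivilege on this token'; Value = $hasDebug
        Hardened = (-not $hasDebug)
        Advice = 'Remove Administrators from "Debug programs" unless they develop; SYSTEM bypasses this'
    }
    return $findings
}

Test-MimikatzHardening | Format-Table -AutoSize -Wrap
```

A row with Hardened = False marks a setting in the state the corresponding section above showed mimikatz succeeding against.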

References

https://labs.portcullis.co.uk/tools/freerdp-pth/

https://blogs.technet.microsoft.com/kfalde/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2/

http://wwwtt0401.blog.163.com/blog/static/361493062012010114020272/

https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5

Source: www.cnblogs.com/Fluorescence-tjy/p/11222495.html