Saturday, August 16, 2014

Do you know mimikatz?

mimikatz is a tool written by Benjamin Delpy, and it provides several functions. mimikatz can easily grab passwords and Kerberos TGTs from lsass memory. When someone such as a server administrator or domain administrator has logged in and out on a workstation or server running Windows 7, 8, Server 2008, Server 2008 R2 or Server 2012, a user (possibly an attacker) who has local administrator rights can run mimikatz to grab the domain administrator's password from lsass memory on that workstation or server.

Remark: mimikatz can also grab passwords from a dump file of the lsass process.

mimikatz can also export a Kerberos TGT from one user account and import it into another after a user has logged in and out of a workstation or server. The latest version of mimikatz can export non-exportable certificate private keys from a computer. It's a fantastic tool for testing and studying.

Using mimikatz to grab password from Windows 8

  • Please do not use this tool in your production environment
  • I do not guarantee the tool will not damage or destroy your system(s) and environment
  • Use this tool at your own risk
  • Make sure you understand the tool before you use it

Download link

How to protect LSA
In Windows 8.1 and Windows Server 2012 R2, Microsoft updated the lsass process to reduce credential theft. When someone uses a tool like mimikatz to grab passwords on these versions, it shows only the password hashes.

Using mimikatz to grab password from Windows 8.1

For Windows 7, 8, 2008 R2 and 2012, administrators can install the patch KB2871997. After installing the patch, mimikatz shows only password hashes on these Windows versions, except for WDigest, which still caches the plaintext password.

Using mimikatz to grab password from Windows 8 applied KB2871997

However, administrators can modify the following registry setting to disable WDigest credential caching, or download and run the Microsoft Fix it for KB2871997.

Remark: Make sure you backed up the registry key before you modify it.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

In addition, administrators can configure additional LSA protection on Windows 8.1 and Windows Server 2012 R2. These versions can run lsass as a protected process, which prevents non-protected processes from reading its memory or injecting code into it. To configure additional LSA protection, administrators create the following registry value.

Remark: Make sure you backed up the registry key before you modify it.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RunAsPPL"=dword:00000001

To disable additional LSA protection, change "RunAsPPL" to 0.

After configuring additional LSA protection, attacker tools may no longer be able to open and read the lsass process.

Note that administrators also cannot create a dump file of the lsass process once this protection is enabled.
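The two registry changes above (WDigest "UseLogonCredential" and LSA "RunAsPPL") can be audited and applied from an elevated PowerShell prompt. The following is an added example and not code from the original post or from Microsoft; the function names, the backup folder C:\RegBackup and the use of reg.exe export for the backup are my own choices. It requires PowerShell 3.0 or later.

```powershell
# Added example: audit and apply the WDigest and RunAsPPL hardening settings
# discussed above. Run elevated. RunAsPPL only takes effect after a reboot, and
# it is only honoured on Windows 8.1 / Server 2012 R2 and later.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialHardeningState {
    # Report the current state without changing anything.
    $wdigest = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty -Path $LsaKey     -Name RunAsPPL           -ErrorAction SilentlyContinue
    $hotfix  = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSVersion                = [System.Environment]::OSVersion.Version.ToString()
        KB2871997Installed       = [bool]$hotfix
        # $null means the value is absent. On Windows 7/8/2008 R2/2012 with KB2871997
        # installed, an absent value still leaves WDigest caching plaintext, so the
        # value has to be created and set to 0 explicitly.
        UseLogonCredential       = if ($wdigest) { $wdigest.UseLogonCredential } else { $null }
        WDigestPlaintextDisabled = [bool]($wdigest -and $wdigest.UseLogonCredential -eq 0)
        RunAsPPL                 = if ($lsa) { $lsa.RunAsPPL } else { $null }
        LsaProtectionConfigured  = [bool]($lsa -and $lsa.RunAsPPL -eq 1)
    }
}

function Backup-RegistryKey {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BackupDir
    )
    # reg.exe wants the HKLM\... form, not the PowerShell HKLM:\ drive form.
    $native = $Path -replace '^HKLM:\\', 'HKLM\'
    $name   = ($native -split '\\')[-1]
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file   = Join-Path $BackupDir "$name-$stamp.reg"
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $native failed" }
    return $file
}

function Set-CredentialHardening {
    param([string]$BackupDir = 'C:\RegBackup')   # assumed backup location

    # Back up the keys first, as the post recommends, then write the DWORD values.
    $f = Backup-RegistryKey -Path $LsaKey -BackupDir $BackupDir
    Write-Host "Backed up Lsa key to $f"
    if (Test-Path $WDigestKey) {
        $f = Backup-RegistryKey -Path $WDigestKey -BackupDir $BackupDir
        Write-Host "Backed up WDigest key to $f"
    } else {
        # The WDigest key may not exist yet; create it so the value can be written.
        New-Item -Path $WDigestKey -Force | Out-Null
    }

    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $LsaKey     -Name RunAsPPL           -PropertyType DWord -Value 1 -Force | Out-Null

    Write-Warning 'RunAsPPL is read at boot; reboot to run lsass as a protected process.'
    Get-CredentialHardeningState
}

# Audit only; call Set-CredentialHardening to apply the settings.
Get-CredentialHardeningState
```

Get-CredentialHardeningState is safe to run on any machine and is the piece worth scheduling across a fleet, since it distinguishes "value absent" from "value set to 0", which matters on the pre-8.1 versions where the absent value is the unsafe default.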

Configuring Additional LSA Protection

What's Changed in Security Technologies in Windows 8.1

Documents for Pass-the-hash
Microsoft has published some documents about protecting LSA.

For example, highly privileged users shouldn't log in to ordinary workstations to do administrative tasks. They should set up a dedicated admin workstation for those tasks.

Install the latest patches on the admin workstation.

For more information, please download and read Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2.

Further information
TWC: Recalling Windows Memories: Useful Guide to Retrieving and Analyzing Memory Content

TWC: Pass-the-Hash and Credential Theft Mitigation Architectures

Benjamin Delpy (twitter)

Protection from Kerberos Golden Ticket

Credentials Protection and Management

This posting is provided “AS IS” with no warranties, and confers no rights!
