Coming hour
• NTLM, Kerberos and Mimikatz
• Demo
• PowerShell & Mimikatz
• Demo
• Mitigations?
• Demo
• Windows 10 and Mimikatz
• Demo
Mimikatz functions
• Dump credentials from LSASS
• Generate Kerberos Golden Tickets
• Generate Kerberos Silver Tickets
• Export certificates and keys (even those not normally exportable)
• Dump cached credentials
• Stop event monitoring
• Bypass Microsoft AppLocker / Software Restriction Policies
• Patch Terminal Server
• Basic GPO bypass
• Alter cached credentials
Local Security Authority (LSASS)
NTLM
Digest
Kerberos
NTOWF: C9DF4E56A2D1…
Password: P@ssw0rd
Ticket-Granting Ticket
Service Ticket Service Ticket Service Ticket Service Ticket
LSASS
Single-Sign On (NTLM)
User: Erik Password hash: C9DF4E…
Erik’s Laptop
User: Erik Password: P@ssw0rd
Erik’s User Session User: Erik Password hash: C9DF4E…
File Server
1
2
3
Erik’s User Session
4
1. Erik enters username and password
2. PC creates Erik’s user session
3. PC proves knowledge of Erik’s hash to Server
4. Server creates a session for Erik
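Step 3 above, as an added Python example that is not part of the original slides: an NTLMv2-style challenge-response in which the proof is derived from the password hash alone. The NT hash is a constructed 16-byte stand-in, the client blob is simplified to a timestamp plus nonce, and the function names and the DEMO domain are assumptions.

```python
import hmac
import os
import struct
import time

def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE).
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, "md5").digest()

def client_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes) -> bytes:
    # Simplified client blob (assumption): 8-byte timestamp + 8-byte client nonce.
    blob = struct.pack("<Q", int(time.time())) + os.urandom(8)
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return proof + blob  # sent to the server; the hash itself is not

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    # The verifier recomputes the proof from its stored copy of the hash.
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)

def demo() -> dict:
    nt_hash = bytes(range(16))   # constructed stand-in, not a real NT hash
    wrong_hash = bytes(16)       # constructed: a different 16-byte value
    challenge = os.urandom(8)    # step 3 starts with a fresh server challenge
    resp = client_response(nt_hash, "Erik", "DEMO", challenge)
    return {
        "accepted": server_verify(nt_hash, "Erik", "DEMO", challenge, resp),
        "wrong_hash": server_verify(wrong_hash, "Erik", "DEMO", challenge, resp),
        # A captured response is bound to its challenge and fails against a new one.
        "replayed": server_verify(nt_hash, "Erik", "DEMO", os.urandom(8), resp),
        "hash_on_wire": nt_hash in resp,
    }

if __name__ == "__main__":
    print(demo())
```

Neither function takes the password: the hash held in the user session is the only secret input to step 3.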
Single-Sign On Architecture
User: Erik Hash: C9DF4E…
DC01
Local Security Authority (LSASS)
NTLM
Digest
Kerberos
NTOWF: C9DF4E56A2D1…
Password: P@ssw0rd
Ticket-Granting Ticket
Service Ticket Service Ticket Service Ticket Service Ticket 192.168.100.10
DC01
Service Ticket
“Credential footprint”
Pass-the-Hash technique
User: Fred Hash: A3D7
Fred’s laptop
Fred’s User Session User: Fred Password hash: A3D7…
Erik’s laptop
Erik’s User Session
Malware User Session User: Fred Password hash: A3D7…
Malware User Session User: Fred Hash: A3D7
User: Erik Hash: C9DF
User: Erik Password hash: C9DF…
File Server
User: Erik Hash: C9DF
1 2 3
1. Fred runs malware
2. Malware infects Erik’s laptop as Fred
3. Malware infects File Server as Erik
Mimikatz applications
• Binary (source available)
• Windows Debugger (mimilib.dll)
• Offline analysis (memory dumps)
Scripts
• PowerShell
• Embedded Metasploit
RECAP
• Mimikatz has many functions, applications and variants
• Mimikatz is only a proof of concept
• Windows 10 new architecture
Want to try it yourself?
• Mimikatz http://blog.gentilkiwi.com/mimikatz
• https://clymb3r.wordpress.com/
• https://github.com/besimorhino/powercat
• https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
• https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1
• http://www.labofapenetrationtester.com
• https://hak5.org/store
• www.microsoft.com/pth