Learn Penetration Testing And Ethical Hacking Online.



    Mimikatz has become an extremely effective attack tool against Windows hosts, recovering plaintext passwords as well as password hashes from memory. Together with Hernán Ochoa's Windows Credential Editor (WCE), it has been dubbed the Swiss Army knife of Windows credential tools.

    First written by the French researcher Benjamin Delpy (aka gentilkiwi) in 2011, Mimikatz has greatly simplified and automated the collection of credentials on Windows systems.

    Mimikatz: cute cat

    Mimikatz is an open source utility that reads the credential material held by the Windows LSASS process (Local Security Authority Subsystem Service) through its sekurlsa module, including plaintext passwords, NTLM hashes and Kerberos tickets, which can then be reused in attacks such as pass-the-hash and pass-the-ticket. Most antivirus products detect Mimikatz and quarantine it, but it remains a useful way to test how well a system protects its credentials.

    Mimikatz provides a large number of tools for collecting and using Windows credentials on target systems, including recovery of plaintext passwords, LAN Manager and NTLM hashes, certificates and Kerberos tickets. They work with varying success on all versions of Windows from XP onwards, with somewhat reduced functionality on Windows 8.1 and later, where LSASS no longer keeps plaintext passwords in memory by default.

    It has also come to light as a component of two ransomware worms that swept through Ukraine and spread across Europe, Russia and the United States. Both NotPetya and BadRabbit used Mimikatz together with leaked NSA exploitation tools to build automated attacks whose infections quickly saturated networks, with disastrous results. NotPetya alone paralysed thousands of computers at companies such as Maersk, Merck and FedEx and is believed to have caused more than a billion dollars in damage.


    Mimikatz first became a key asset for attackers thanks to its ability to exploit an obscure Windows feature called WDigest. That feature was designed to make it convenient for corporate and government Windows users to prove their identity to the various applications on their network or on the web: it keeps the user's authentication credentials in memory and reuses them automatically, so the username and password only have to be entered once. Although Windows keeps that copy of the user's password encrypted, it also keeps the secret key needed to decrypt it in memory, so anyone who can read LSASS memory can recover the plaintext.

    In 2014, Microsoft responded to this weakness with an update (KB2871997) that lets system administrators stop WDigest from caching plaintext passwords. Microsoft's advisory explains how to set a registry value, UseLogonCredential (REG_DWORD), to 0 under the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

    On Windows 8.1 and Windows Server 2012 R2 and later this is the default: LSASS no longer stores plaintext passwords unless the WDigest UseLogonCredential value (a REG_DWORD under the key above) is explicitly set to 1. An attacker with local administrator rights can set it to 1 and wait for the next logon, so auditing that value is worthwhile even on current systems.
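    The following PowerShell script is an added example (not code from the original post or from the Mimikatz project) that audits the WDigest setting discussed above and, with -Remediate, turns caching off. It assumes Microsoft's documented UseLogonCredential REG_DWORD under the WDigest key and the KB2871997 update that introduced it on Windows 7/8 and Server 2008 R2/2012; the interpretation of an absent value (cache on older builds, no cache on 8.1/2012 R2 and later) follows Microsoft's advisory.

```powershell
# Added example: audit and (optionally) disable WDigest cleartext credential caching.
# Assumes Microsoft's documented REG_DWORD "UseLogonCredential" under the WDigest key
# (introduced by KB2871997 for Windows 7 / 8 / Server 2008 R2 / 2012; built in from 8.1 / 2012 R2).
# 1 = LSASS keeps the cleartext password in memory (what sekurlsa::wdigest reads), 0 = it does not.
# Run from an elevated prompt; the change takes effect for new logons (reboot to clear existing ones).

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # set the value to 0 instead of only reporting
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName = 'UseLogonCredential'

# Windows 8.1 / Server 2012 R2 is NT 6.3; earlier builds default to caching unless the value is set.
$osVersion         = [Version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$defaultsToCaching = ($osVersion -lt [Version]'6.3')

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    $state = if ($defaultsToCaching) { 'VULNERABLE (value absent, OS defaults to caching)' }
             else                    { 'OK (value absent, OS defaults to no caching)' }
} elseif ([int]$current -eq 1) {
    $state = 'VULNERABLE (explicitly set to 1)'
} else {
    $state = 'OK (explicitly set to 0)'
}

# On pre-8.1 builds the value is ignored until KB2871997 (or a rollup that supersedes it) is installed.
$hotfixNote = ''
if ($defaultsToCaching -and -not (Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue)) {
    $hotfixNote = ' - KB2871997 not listed by Get-HotFix: confirm it (or a superseding rollup) is installed'
}

Write-Output "$env:COMPUTERNAME WDigest cleartext caching: $state$hotfixNote"

if ($Remediate -and $state -like 'VULNERABLE*') {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output 'Set UseLogonCredential=0; reboot (or have all users log off) so LSASS drops cached secrets.'
    }
}
```

    Run it as `.\Check-WDigest.ps1` to report only, or `.\Check-WDigest.ps1 -Remediate -WhatIf` to see what would change before applying it. Because the check also flags an explicit 1 on Windows 8.1 and later, it catches the case where an attacker re-enabled caching after compromising the host.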

    Mimikatz comes in two flavors, x64 and Win32, matching the 32- or 64-bit build of Windows. The Win32 flavor cannot read the memory of 64-bit processes (such as lsass.exe), but it can open a 32-bit minidump on 64-bit Windows. Some operations need administrator privileges or a SYSTEM token, so keep UAC (present since Windows Vista) in mind. In current 2.x builds the credential dump is two commands: the first enables SeDebugPrivilege so that lsass.exe can be opened, the second reads the logon sessions. The older 1.x builds first injected a library into lsass.exe with inject::process before reading credentials from it.

    privilege::debug
    sekurlsa::logonpasswords
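    Both the 2.x sequence above and the sekurlsa module described earlier work by opening lsass.exe with memory-read access, which is what a defender can watch for. The script below is an added example (not from the original post or from the Mimikatz project) of that detection logic in PowerShell. It assumes Sysmon Event ID 10 (ProcessAccess) is being logged; the three sample events and the allow-list of source images are constructed for this example and are not vendor-supplied data.

```powershell
# Added example: flag processes that open lsass.exe with memory-read rights, the access that
# sekurlsa::logonpasswords needs. Assumes Sysmon Event ID 10 (ProcessAccess) is being logged;
# the sample events and the allow-list below are constructed for this example, not captured data.

$PROCESS_VM_READ = 0x0010   # access right required to read another process's memory

# Images that legitimately read lsass memory on this host; tune for your environment (assumption).
$AllowedSources = @('C:\Windows\System32\csrss.exe',
                    'C:\Windows\System32\wininit.exe',
                    'C:\Windows\System32\svchost.exe')

function Test-LsassAccess {
    param($Event)   # object with UtcTime, SourceImage, TargetImage, GrantedAccess (Sysmon field names)
    if ($Event.TargetImage -notmatch '\\lsass\.exe$') { return $null }
    $mask = [int]$Event.GrantedAccess                      # hex string such as '0x1010'
    if (($mask -band $PROCESS_VM_READ) -eq 0) { return $null }   # no memory read: not a credential dump
    if ($AllowedSources -contains $Event.SourceImage) { return $null }
    [PSCustomObject]@{
        Time    = $Event.UtcTime
        Source  = $Event.SourceImage
        Access  = ('0x{0:X4}' -f $mask)
        Verdict = 'Suspicious lsass memory read'
    }
}

# Constructed sample Sysmon EID 10 data: one benign query, one mimikatz-style read, one allow-listed read.
$sampleEvents = @(
    @{ UtcTime = '2024-01-01 10:00:01'; SourceImage = 'C:\Windows\System32\svchost.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },  # QUERY_LIMITED only
    @{ UtcTime = '2024-01-01 10:00:05'; SourceImage = 'C:\Users\bob\Downloads\mimikatz.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },  # VM_READ set
    @{ UtcTime = '2024-01-01 10:00:09'; SourceImage = 'C:\Windows\System32\svchost.exe';
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1410' }   # VM_READ, allow-listed
) | ForEach-Object { [PSCustomObject]$_ }

# Only the second event is reported.
$sampleEvents | ForEach-Object { Test-LsassAccess $_ } | Format-Table -AutoSize

# The same check against the live Sysmon log (run as Administrator):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         Test-LsassAccess ([PSCustomObject]$d)
#     }
```

    Matching on the PROCESS_VM_READ bit rather than on one exact mask such as 0x1010 keeps the rule useful against builds that request a slightly different combination of rights; the allow-list is where the false positives from legitimate system processes are handled.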

    Using the mimikatz modules from Metasploit

    The older meterpreter extension (load mimikatz) exposes the 1.x modules through mimikatz_command; asking for a module that does not exist lists the available ones. Current Metasploit releases ship the kiwi extension (load kiwi), built on mimikatz 2.x, instead.

    meterpreter > mimikatz_command -f fu::
    Module: 'fu' not found
    Available modules:
                    - Standard
          crypto - Cryptography and certificates
            hash - Hash
          system - System management
         process - Process manipulation
          thread - Thread manipulation
         service - Service manipulation
       privilege - Privilege manipulation
          handle - Handle manipulation
     impersonate - Access token manipulation
         winmine - Minesweeper manipulation
     minesweeper - Minesweeper 7 manipulation
           nogpo - Anti-GPO and miscellaneous patches
         samdump - SAM dump
          inject - Library injector
              ts - Terminal Server
          divers - Miscellaneous functions that do not yet have enough substance for a module of their own
        sekurlsa - Dump of current sessions by LSASS providers
             efs - EFS manipulation

    Mimikatz features (technical characteristics)

    • Dump credentials from LSASS (Local Security Authority Subsystem Service)
    • MSV1_0: hashes and DPAPI keys
    • Kerberos: password, encryption keys, tickets and PIN
    • TsPkg (password)
    • WDigest (clear-text password)
    • LiveSSP (clear-text password)
    • SSP (clear-text password)
    • Generate Kerberos Golden Tickets (forged TGTs, signed with the krbtgt account hash)
    • Generate Kerberos Silver Tickets (forged TGS service tickets, signed with a service account hash)
    • Export certificates and keys (even those marked non-exportable)
    • Dump cached domain credentials
    • Stop event monitoring
    • Bypass Microsoft AppLocker / Software Restriction Policies
    • Patch Terminal Server
    • Basic GPO bypass

    Yara rules are available for detecting the tool.

    LaZagne Project

    The LaZagne project is an open source application for recovering the many passwords stored on a local computer. Many software products store access passwords using different techniques, from plain text through databases and APIs to proprietary algorithms.

    The tool was developed to find those passwords for the most commonly used software. At the time of writing it supported 22 programs on Windows and 12 on Linux/Unix-like systems.

    The project's GitHub repository gives more detail on its use and on how to extend it.

    An important precaution we can take on our own computers, so that tools like LaZagne find as little as possible, is to clean up the traces of our activity, for example with a program such as CCleaner. It does not remove everything LaZagne looks for (credentials saved by applications stay wherever the application stored them), but it does clear the artefacts left behind by web browsers, for example. Not saving passwords in browsers and applications in the first place removes the target altogether.