Wednesday, March 26, 2014

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the Windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to recover as many hints as possible, to derive a scheme and/or to find a way to access the data.

ODI


I like to call it ODI (Offensive Digital Investigations; in Italian "odi" means hear, find out). I remember an old case where I got 500+ strongly encrypted archives... too many without a password catalog. I searched for the weakest protection and I found three zip-crypto (not a strong protection) archives: I cracked them in a few days and then I was able to derive the schema to access all of them. I was lucky.

This time I felt that the Windows user password was the... key. Usually the dirty work is done with rainbow tables, but no way: I was unable to crack the Windows 7 user password.

mimikatz


I don't remember exactly why I was playing with mimikatz (hem, coff coff) but I had a dream: mimikatz offline... why not? For the few guys who do not know what mimikatz is, this is the site: suffice to say that it's an awesome piece of work by Gentil Kiwi, who did a deep reverse engineering of the lsass process and discovered how to extract plaintext credentials from it. Mimikatz is "normally" used on live Windows, where it injects itself inside lsass and then does a lot of stuff, not only getting logged-on users' credentials.

it's a matter of RAM


How to do the same during post-mortem ultra-dead forensics? First, usually you don't have a RAM dump (don't pull the plug! don't pull THAT plug!.... too late...) but you could get the hiberfil! The hibernation file is like an easter egg: you can't bet on it, it could be corrupted, it could be too old and so on. But, if lucky, you'll get your RAM dump. Tell me the first word that comes to mind when speaking about RAM? volatility.

volatility + old-old-style approach


I got the RAM. I got volatility. I got mimikatz. I didn't get the password. There is something to do, and the first thing is to say uber-thanks to Gentil Kiwi who published the mimikatz source code. By digging inside that code I got the anchors he found as entry points for lsass and its authentication packages. So I started by dumping lsass memory, lsasrv module and the wdigest module: then I used mimikatz anchors and I moved inside lsass, finding what I was looking for (tools used: volatility, HxD, Notepad++, calc. Definitely oooold school, apart from volatility...). So I got the user name, the domain, the encrypted password, the 3DES key and its IV: a bit of python... et voilà. Uh, a fair password! (I forgot: I drank a good beer...).

mimikatz offline


Dumping processes and modules and moving around in the hex view is not always comfortable and it's quite slow. After two rounds of refactoring, I wrote the mimikatz offline plugin for volatility, which automates the previous steps, without dumping anything apart from user credentials! It's a PoC which supports only the wdigest authentication package, on Windows Vista and 7, both x86 and x64 versions. You can find it on hotoloti, as usual.

roadmap


I'm planning to add more authentication packages and other stuff inside the plugin, but actually I had to freeze a bit since I'm having fun (and losing sleep) with another hot topic I will share as soon as possible. Basically this is the desired roadmap for the plugin: an external review on the high-level design; a consideration on plugin vs non-plugin approach; what about rekall; adding authentication packages; testing; what else?

Windows password cracking? No thanks, I quit


Throw away those rainbow tables! Throw away dictionaries! You can get the password in a few seconds! Sounds cool, doesn't it? Unfortunately it's not always the case, but this is another possibility to be considered when you need credentials. Odi and happy hunting.