Friday, March 28, 2014

mimikatz offline addendum

I must admit I did not expect so many acknowledgments for writing the volatility mimikatz plugin. I want to say thanks to all the people who tweeted, emailed me, and so on: it is just a piece of the puzzle, and the big pieces are those from volatility and from mimikatz.

First, I want to say thanks to Andrew Case, for the support and for having tweeted about the plugin: probably all those acks are because Andrew is an uber-well-known DFIR expert! Then I want to say thanks to Kristinn Gudjonsson, my favorite plaso “harsh” reviewer, who spotted some “devil” (you wrote it! ;) issues in my code, such as the multiple inheritance I used… lol, I will fix it! Last but not least I want to once again say thanks to Benjamin aka gentilkiwi, who wrote me an e-mail congratulating me on the plugin.

With this post, I want to point out some features of mimikatz that I had not considered in the first instance.

mimikatz can work offline

In the previous post I wrote “Mimikatz is "normally" used on live Windows, where it injects itself inside the lsass and then it does a lot of stuffs”. That is not entirely true: since July 2012, mimikatz uses memory reading, and this is a key point. Moreover, mimikatz deals with minidump, and mimilib with full dump/minidump. Let's start with the first reference:

mimikatz minidump

Probably this could be the best approach during a pentest: do not send mimikatz on the target, use (for example) sysinternals procdump. Then, create a crash dump for the lsass process (pay attention to specify the right parameters) and get it on your machine.

Once you have the crash dump, you can load it in mimikatz by using just two commands (!!):

sekurlsa::minidump <name of the lsass crash dump file>

You’ll get all the info! Awesome!

Just a quick note: use mimikatz on a platform of the same major version and same architecture as the original dump. The following image comes from his blog.
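To check that note before choosing an analysis machine, the sketch below (an added example, not code from the original post or from mimikatz) reads the OS version and CPU architecture that a minidump records in its SystemInfoStream. The function names and the sample dump are constructed for illustration; the field layout follows the documented MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_SYSTEM_INFO structures.

```python
import struct

SYSTEM_INFO_STREAM = 7  # MINIDUMP_STREAM_TYPE.SystemInfoStream
ARCH = {0: "x86", 5: "ARM", 6: "IA64", 9: "x64", 12: "ARM64"}

def dump_platform(data):
    """Return the OS version and CPU architecture recorded in a minidump."""
    if len(data) < 32:
        raise ValueError("too short for a MINIDUMP_HEADER")
    # Header: Signature, Version, NumberOfStreams, StreamDirectoryRva, ...
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (missing MDMP signature)")
    for i in range(nstreams):
        off = dir_rva + 12 * i  # each directory entry is 12 bytes
        if off + 12 > len(data):
            raise ValueError("stream directory runs past end of file")
        stype, size, rva = struct.unpack_from("<III", data, off)
        if stype != SYSTEM_INFO_STREAM:
            continue
        if size < 20 or rva + 20 > len(data):
            raise ValueError("truncated SystemInfoStream")
        # First 20 bytes: arch, level, revision, ncpu, product type, version
        arch, _lvl, _rev, _ncpu, _ptype, major, minor, build = \
            struct.unpack_from("<HHHBBIII", data, rva)
        return {"arch": ARCH.get(arch, "unknown(%d)" % arch),
                "major": major, "minor": minor, "build": build}
    raise ValueError("no SystemInfoStream in dump")

def same_platform(info, analyst_major, analyst_arch):
    """The rule from the note: same major version and same architecture."""
    return info["major"] == analyst_major and info["arch"] == analyst_arch

def build_sample(arch, major, minor, build):
    """Constructed minimal minidump: header, one directory entry, system info."""
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", SYSTEM_INFO_STREAM, 56, 44)
    sysinfo = struct.pack("<HHHBBIII", arch, 6, 0, 1, 1, major, minor, build)
    return header + directory + sysinfo.ljust(56, b"\0")

if __name__ == "__main__":
    sample = build_sample(0, 6, 1, 7601)  # constructed: Windows 7 SP1 x86
    info = dump_platform(sample)
    print(info, same_platform(info, 6, "x86"))
```

The same parser is useful in triage: a file that starts with the MDMP signature is a minidump, and the recorded platform identifies the kind of host it was taken from.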

But mimikatz has another great ODI capability, as pointed out in the following post (2nd reference):

mimikatz with RAM and hiberfil

In my previous post I asked “How to do the same during post-mortem ultra-died forensics?”. Well, you can use mimikatz if you have a Windows OS! How? Benjamin explained it, and I followed his instructions to get the job done.

First, you have to convert your memory dump or hiberfil to a Windows crash dump: you can do it with the immense volatility or with Matthieu Suiche’s memory tools (bin2dmp and hibr2dmp).

Then, launch windbg (better if with the right architecture… x86 or x64 depending on your target) and load the target crash dump (note: I changed the target, a Windows 7 SP1 x86).

At this point you have to load – guess what? – mimikatz, and specifically mimilib.dll. It will even provide the instructions for the next steps!

Follow the instructions (red square in the next figure, pay attention to symbols) et… voilà! Logged users’ credentials.

You can even work with VMware vmem files! Let’s say that’s awesome! Finally, some considerations.

mimikatz or volatility? mimikatz AND volatility!

Finally, you can achieve the same result directly with mimikatz and without volatility. Which is the best approach? It depends: actually mimikatz+minidump are Windows only, so, if you are working with another OS, volatility+mimikatz plugin is the way, unless you use virtualization. Besides that, consider that the engine (I mean signatures and data structures) is the same: I have an idea to add, and I will share it with Benjamin, so they should be aligned. If you are on Windows, it’s up to the user.

some instructions

Some people wrote to me asking how to use the mimikatz volatility plugin. Remember, it’s a PoC; anyway, this is how I’m using it.

· python 2.7
· volatility >= 2.3 (python, not binaries)
  I use trunk code (svn checkout volatility)
· volatility dependencies
· mimikatz plugin
  copy the “” in <volatility directory>/volatility/plugins
· mimikatz plugin python dependencies
· a memory dump? =)

keep updated

Actually, the volatility plugin lacks several features with respect to mimikatz: I will post when major updates are ready, meanwhile you could check the source code here:

Have fun!

Wednesday, March 26, 2014

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the Windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to recover as many hints as possible, to derive a scheme and/or to find a way to access the data.

I like to call it ODI (Offensive Digital Investigations, in Italian "odi" means hear, find out). I remember an old case where I got 500+ strongly encrypted archives... too many without a password catalog. I searched for the weakest protection and I found three zip-crypto (not a strong protection) archives: I cracked them in a few days and then I was able to derive the schema to access all of them. I was lucky.

This time I felt that the Windows user password was the... key. Usually the dirty work is made with rainbow tables, but no way: I was unable to crack the Windows 7 user password.


I don't remember exactly why I was playing with mimikatz (hem, coff coff) but I had a dream: mimikatz offline... why not? For the few guys who do not know what mimikatz is, this is the site: suffice to say that it's an awesome work made by Gentil Kiwi, who made a deep reverse engineering of the lsass process and discovered how to extract plaintext credentials from it. Mimikatz is "normally" used on live Windows, where it injects itself inside the lsass and then it does a lot of stuffs, not only getting logged users credentials.

it's a matter of RAM

How to do the same during post-mortem ultra-died forensics? First, usually you don't have a RAM dump (don't pull the plug! don't pull THAT plug!.... too late...) but you could get the hiberfil! The hibernation file is like an easter egg: you can't bet on it, it could be corrupted, it could be too old and so on. But, if lucky, you'll get your RAM dump. Tell me the first word that comes to mind when speaking about RAM? volatility.

volatility + old-old-style approach

I got the RAM. I got volatility. I got mimikatz. I didn't get the password. There is something to do, and the first thing is to say uber-thanks to Gentil Kiwi who published the mimikatz source code. By digging inside that code I got the anchors he found as entry points for lsass and its authentication packages. So I started by dumping lsass memory, lsasrv module and the wdigest module: then I used mimikatz anchors and I moved inside lsass, finding what I was looking for (tools used: volatility, HxD, Notepad++, calc. Definitely oooold school, apart from volatility...). So I got the user name, the domain, the encrypted password, the 3DES key and its IV: a bit of python... et voilà. Uh, a fair password! (I forgot: I drank a good beer...).

mimikatz offline

Dumping processes and modules and moving around in the hex view is not always comfortable, and it's quite slow. After two rounds of refactoring, I wrote the mimikatz offline plugin for volatility, which automates the previous steps, without dumping anything apart from user credentials! It's a PoC which supports only the wdigest authentication package, Windows Vista and 7, both x86 and x64 versions. You can find it on hotoloti, as usual.

I'm planning to add more authentication packages and other stuffs inside the plugin, but actually I had to freeze a bit since I'm getting fun (and losing sleep) from another hot topic I will share as soon as possible. Basically this is the desired roadmap for the plugin: an external review on the high-level design; a consideration on plugin vs non-plugin approach; what about rekall; adding authentication packages; testing; what else?

Windows password cracking? No thanks, I quit

Throw away those rainbow tables! Throw away dictionaries! You can get the password in a few seconds! Sounds cool, doesn't it? Unfortunately it's not always the case, but this is another possibility to be considered when you need credentials. Odi and happy hunting.