Mimikatz Meterpreter extension

During a PenTest one of the main objectives of the PenTester when a Windows host is compromised is to obtain the user authentication hashes, to try pivot to other systems on the target network using the “Pass The Hash” attack.

This post is about how to get those credentials in clear text, using a tool named “Mimikatz”.

Mimikatz is a powerful tool developed by Benjamin Delpy (aka gentilkiwi) used to extract user credentials directly from the memory of a windows system among other things like export certificates marked as non-exportable or obtain SAM hashes.

Mimikatz (the standalone tool), has several libraries with defined methods to perform its duties.

For most of the Mimikatz features the user running the tool need the “SeDebugPrivilege” privilege witch means that we need a user with admin or system rights to run the tool.

Mimikatz works in all Windows flavors, in 32 bit and 64 bit.

Can be downloaded here.

Mimikatz is detected by some AV vendors as Malicious Software like occurs with “WCE”, so having to upload the binary to the target box can be a problem.

A first solution to this problem using Metasploit was to run the binary directly into memory with the “-m” switch of the command “execute” in a Meterpreter session.

Now, this powerful tool has been included in Metasploit Meterpreter as an extension. The extension adds some commands to meterpreter which let’s you obtain user credentials in plain text, and offers the advantage that the binary never touches the disk cause is directly injected into memory. We can get credentials from several providers, such as “kerberos”,  Web Auth Digest (WDigest), Windows Live accounts (livessp) in Windows 8, etc..

Also the extension adds to meterpreter the “mimikatz_command” command that lets the user to execute more mimikatz advanced features only available on the “Mimikatz” standalone tool, like the ones used to export digital certificates.

To start, I’m going to show step by step how to get plain text credentials from a Windows 8 box using the mimikatz extension of meterpreter.

Get clear text passwords from Windows 8

As usual, we start from a meterpreter session like shows next image.

mimikatz1

We try to escalate privileges but we couldn’t because of the UAC Windows protection. Then we use “bypassuac” exploit to avoid this.

mimikatz2

Now we got a meterpreter session with privileges so we can load the “mimikatz” extension.

As we can see in the image above, on the “sysinfo” output the architecture of the box is “x64”, but the Meterpreter is “x86/win32” because is running in a 32 bits process. If we try to load “mimikatz” now, the 32 bits extension will be loaded and most of features wouldn’t work.

To avoid this problem, first we have to migrate “Meterpreter” to a 64 bits process and later load “mimikatz” extension.

(Note: If you migrate the process after getting the system, make sure you choose a 64 bits process owned by SYSTEM or the environment of the session would be corrupted. If you do it before you can choose a 64 bits process of the current user and later use “getsystem” to elevate privileges).

mimikatz3

We showed box processes with the “ps” command and use “migrate” with PID 3544 to migrate meterpreter to that process ID marked as “x86_64” in the image above. Then “sysinfo” shows that Meterpreter is “x64/win64”.

Now we can load “mimikatz”.

mimikatz4

We made a mistake before because PID 3544 was from user “Ignacio Sorribas” and after migrated, the effective user ID change from “System” to “Ignacio” so “mimikatz” doesn’t work properly.

 

Let’s repeat the process but this time wi migrate to “spoolsv.exe        x86_64  0           NT AUTHORITY\SYSTEM” process. After the migration as we can see in the next image the user still been “SYSTEM”.

Loading “mimikatz” and just execute “wdigest” shows the plain text credentials residing in memory.

mimikatz5

You can see marked in red the password for user “Administrador” and user “Ignacio Sorribas”.

Exporting certificates marked as non-exportable.

Mimikatz also lets you export digital certificates from the box, and the corresponding private key even if it was marked as non-exportable.

The meterpreter extension doesn’t provide commands to perform the exportation, but provide de “mimikatz_command” command that lets the user to use Mimikatz as if were the standalone tool.

First we execute “mimikatz_command –f crypto::listCertificates” to see the digital certificates of the current user.

mimikatz6

As we see in the image above, there are no certificates in “CERT_SYSTEM_STORE_CURRENT_USER\My”. That’s because by default Mimikatz search certificates in the “My” store of the current user, and our user is “SYSTEM” witch has no certificates.

We can check for certificates in other stores, like show the next image.

mimikatz7

The digital certificate we are looking for should be in the “My” store of the user “Ignacio Sorribas”.

First, we search the stores for all users using the key “CERT_SYSTEM_STORE_USERS”.

meterpreter > mimikatz_command -f crypto::listStores -a “CERT_SYSTEM_STORE_USERS”

Emplacement : ‘CERT_SYSTEM_STORE_USERS’

.DEFAULT\My

.DEFAULT\Root

.DEFAULT\Trust

.DEFAULT\CA

.DEFAULT\TrustedPublisher

.DEFAULT\Disallowed

.DEFAULT\AuthRoot

.DEFAULT\TrustedPeople

.DEFAULT\ClientAuthIssuer

.DEFAULT\SmartCardRoot

S-1-5-19\My

S-1-5-19\Root

S-1-5-19\Trust

S-1-5-19\CA

S-1-5-19\TrustedPublisher

S-1-5-19\Disallowed

S-1-5-19\AuthRoot

S-1-5-19\TrustedPeople

S-1-5-19\ClientAuthIssuer

S-1-5-19\SmartCardRoot

S-1-5-20\My

S-1-5-20\Root

S-1-5-20\Trust

S-1-5-20\CA

S-1-5-20\TrustedPublisher

S-1-5-20\Disallowed

S-1-5-20\AuthRoot

S-1-5-20\TrustedPeople

S-1-5-20\ClientAuthIssuer

S-1-5-20\SmartCardRoot

S-1-5-21-2410177577-3384890958-3281790908-1001\My

S-1-5-21-2410177577-3384890958-3281790908-1001\Root

S-1-5-21-2410177577-3384890958-3281790908-1001\Trust

S-1-5-21-2410177577-3384890958-3281790908-1001\CA

S-1-5-21-2410177577-3384890958-3281790908-1001\TrustedPublisher

S-1-5-21-2410177577-3384890958-3281790908-1001\Disallowed

S-1-5-21-2410177577-3384890958-3281790908-1001\AuthRoot

S-1-5-21-2410177577-3384890958-3281790908-1001\TrustedPeople

S-1-5-21-2410177577-3384890958-3281790908-1001\ClientAuthIssuer

S-1-5-21-2410177577-3384890958-3281790908-1001\addressbook

S-1-5-21-2410177577-3384890958-3281790908-1001\REQUEST

S-1-5-21-2410177577-3384890958-3281790908-1001\SmartCardRoot

S-1-5-21-2410177577-3384890958-3281790908-1001\UserDS

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\My

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\Root

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\Trust

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\CA

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\TrustedPublisher

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\Disallowed

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\AuthRoot

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\TrustedPeople

S-1-5-21-2410177577-3384890958-3281790908-1001_Classes\ClientAuthIssuer

S-1-5-21-2410177577-3384890958-3281790908-500\My

S-1-5-21-2410177577-3384890958-3281790908-500\Root

S-1-5-21-2410177577-3384890958-3281790908-500\Trust

S-1-5-21-2410177577-3384890958-3281790908-500\CA

S-1-5-21-2410177577-3384890958-3281790908-500\TrustedPublisher

S-1-5-21-2410177577-3384890958-3281790908-500\Disallowed

S-1-5-21-2410177577-3384890958-3281790908-500\AuthRoot

S-1-5-21-2410177577-3384890958-3281790908-500\TrustedPeople

S-1-5-21-2410177577-3384890958-3281790908-500\ClientAuthIssuer

S-1-5-21-2410177577-3384890958-3281790908-500\SmartCardRoot

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\My

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\Root

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\Trust

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\CA

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\TrustedPublisher

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\Disallowed

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\AuthRoot

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\TrustedPeople

S-1-5-21-2410177577-3384890958-3281790908-500_Classes\ClientAuthIssuer

S-1-5-18\My

S-1-5-18\Root

S-1-5-18\Trust

S-1-5-18\CA

S-1-5-18\TrustedPublisher

S-1-5-18\Disallowed

S-1-5-18\AuthRoot

S-1-5-18\TrustedPeople

S-1-5-18\ClientAuthIssuer

S-1-5-18\SmartCardRoot

meterpreter >

In the table above, we see all the “stores” of the box. The first field in each store name is the SID of the user. We know that the Administrator SID always end with “500”, so the one ending in “1001” should be the one corresponding to the user Ignacio Sorribas (S-1-5-21-2410177577-3384890958-3281790908-1001).

Let’s try to see the digital certificates in the “My” store.

mimikatz8

As we can see, the “My” store is empty while the “Root” store shows certificates. Something is wrong here cause this is a demo and we know the user has one certificate installed.

We try standalone “Mimikatz” on the Windows 8 box to see what happens.

Running it with user “Ignacio Sorribas” we get the following.

mimikatz9

We can see the certificate marked as non-exportable. If we try to export, we get the public key, but private key exportation fails.

We can solve this applying a patch to the crypto API with “crypto::patchcapi” if the user has “SeDebugPrivilege” privilege.

If we try to use the standalone tool with the user “Administrator” and get the certificate from  “CERT_SYSTEM_STORE_USERS”, we get the same result as we get with “meterpreter”, the store is empty.

We need to figure out how to make this work…

In summary we know that using Mimikatz with the user we want to get certificates from, we can find the certificate with no problem, but we need to use the “Administrator” o “system” users to get the “SeDebugPrivilege” privilege to patch the Crypto API.

Well, what if we load “mimikatz” as SYSTEM, patch the Crypto API, and then impersonate the victim user with “Incognito” to export the certificate?

Here is the answer.

mimikatz10

Now we see the certificate. Let’s try to export it.

mimikatz11

Bingo!!!, we got the certificate.

Note: The certificate is exported to the current directory where meterpreter is executing, so you have to be sure you have write permissions on that directory. The best is to create a directory before export the certificate where the victim user could write with no problems.

Meterpreter> cd “c:\\users\\Ignacio Sorribas”

Meterpreter> mkdir demo

Meterpreter> cd demo

Once certificate is exported, we can download it to our box and delete all the evidences from the compromised box.

mimikatz12

Note: If the file name has blank spaces, you have to use double quotes to download it.

Well, this is all. I hope you enjoy it.

 

Posted in Metasploit, mimikatz, Post-Exploitation
2 comments on “Mimikatz Meterpreter extension
  1. OJ says:

    Hey there,

    Nice post.

    Just so you know, I’m currently in the process of merging Ben’s latest version (mimikatz 2.0) into the Meterpreter source base. There’s still a bit to go, but we’ll end up with a new extension that comes with all the goodness of things like golden ticket creation.

    Cheers
    OJ — @TheColonial — Current dev of Meterpreter.

Leave a Reply

Your email address will not be published. Required fields are marked *

*