EC Council CEH 312-50 – System Hacking Part 4
July 12, 2023

13. Demonstration: Mimikatz

Now guys, if nothing I have shown you has scared you yet, this will definitely scare you if you’re not familiar with it. Microsoft, in Vista and above, attempted to create a single sign-on in its Windows 7 and later operating systems. We know that LSASS, the Local Security Authority Subsystem Service, stores credentials in memory on behalf of users with active Windows sessions. It can store them as a Kerberos ticket (a ticket granting ticket or a service ticket), as an NT hash, as an LM hash, and, the one that’s really going to flip you out, it can also store them as reversibly encrypted plaintext. Now Microsoft has told us there is never a time when the plaintext password will be revealed within Windows.

Well, we’re going to make a liar out of them, and I say that tongue in cheek, because in reality we have to take a couple of steps to do that. Now, as I said before, the Local Security Authority stores credentials in memory on behalf of the Windows sessions. That allows users to seamlessly access network resources like file shares, Exchange Server mailboxes and SharePoint sites without having to re-enter their credentials for each remote service. This is the concept of single sign-on: we don’t want to have to sign on to every single machine we go to; we would like it to transparently authenticate. So LSASS can store credentials in multiple formats, which includes all of those as well as the reversibly encrypted plaintext.

The one you can see I’m harping on here is the reversibly encrypted plaintext. We just got through saying it’s never a good idea to store a plaintext password anywhere that a user would authenticate against. So Microsoft said, well, we’ll go ahead and encrypt it with a symmetric key. Now, if you remember from your cryptography section, symmetric means the same key that locks it also unlocks it, so that same key has to be on the system somewhere. Ironically enough, Microsoft encrypted this with a very tough and battle-hardened symmetric algorithm: yes, they used AES with a 256-bit key. The only problem was that in one of their technical articles they told people what the encryption key was.

I sure hope the guy who did that at Microsoft got fired, because I’m going to show you something in this demonstration that’s absolutely going to knock your socks off. I’ve downloaded the Mimikatz trunk as a 7-Zip archive, and I’m just going to tell it that I want to extract it. That should create a directory out here. When I go into the directory, I need to know whether I’m using a 32-bit system or a 64-bit system. Now, since this is running in my cloud lab, I try to keep the resources down as much as possible, so I run a 32-bit operating system wherever I can, and that includes this Windows 7. So I’m going to use this Win32 folder right here, and what I’m going to do is take this mimikatz.exe.

I’m going to right-click on it and run it as administrator. You must run it as administrator; you have to have administrator privileges to be able to do this. I’m then going to come back out and open up this little readme file, and I’ll just open it with Notepad++, which is perfectly fine. Make it a little bit smaller so I can easily see it here. It’s having me type in this command right here: privilege::debug. It should come back and say Privilege '20' OK. The next thing I’m going to do is ask it to dump all of the Local Security Authority logon passwords, so I’m going to put in that string: sekurlsa::logonpasswords. Now I want you to notice what’s happened right here, and I’m going to make this a lot bigger so hopefully I can see it real easy.

Okay, perfect, that’s much better. Now I’m going to scroll back up to the top and I want you to notice a couple of things. First off, it says the username I’m logged in as is administrator. This is the domain; in other words, that’s the machine’s name. And here is the password in clear text. Yes, that is the password that I would use to log on to this system. Let that sink in for just a moment. Okay, here is the SID for that particular user. I can scroll down a little bit further. Now, what I’ve done for you right here is I’ve created a number of strings that will create these users: net user Bob with a password of 'You’ll never guess', net user Rob with 'My first wife took all my money',

and net user Sam with 'I thought Windows passwords were encrypted'. So what I’m going to do next is simply save this file right here and execute it, hopefully adding those users. If I go out here and type net users, you can see I do indeed have Bob, Rob and Sam. Okay, I’m going to pause for just a second, because what I’m going to do is log on as Bob using the password 'You’ll never guess', then log back off. Then I’m going to log on as Rob using the password 'My first wife took all my money', then log off, then log on as Sam with 'I thought Windows passwords were encrypted?', and then log off. And then we’re going to run Mimikatz again to see if we have any other information in here.

Okay? So hold on to your boots now, guys, because I have just completed that exercise. I created all these users and I logged on as Bob using the password 'You’ll never guess', logged back off, logged on as Rob with 'My first wife took all my money', logged back off, logged on as Sam with a password of 'I thought Windows passwords were encrypted', logged off, and logged back on as administrator. So let’s try this one more time. Let’s go over to the Win32 folder, right-click on Mimikatz, and run it as administrator. We need to type in privilege::debug again, then enter sekurlsa::logonpasswords, and it’s going to scroll down through here, and we’re simply going to scroll back up and see if we can find some of those users.

So here’s a username of Sam. Here’s its NTLM hash, here’s its SHA1 hash, the domain, the Kerberos entry, and notice right here it’s told us our plaintext password: 'I thought Windows passwords were encrypted'. Let’s scroll down a little bit further. Rob’s password was 'My first wife took all my money', and there it is. And there’s Bob right here, and Bob’s was 'You’ll never guess'. All right, so what is this telling us? This is telling us that Windows, Vista and above, including Server 2016, stores plaintext passwords in an encrypted form, and we already know what the symmetric key is.

So if we have administrator access to this system, we can decrypt everyone’s plaintext password. This is a huge, huge vulnerability as far as I’m concerned. Microsoft considers this to be a feature, because they wanted to make sure their single sign-on worked with all of their products, and the product they had to relax it for, get this, was their gaming console, which had to authenticate in plaintext. They wanted it to transparently authenticate. The only way to get rid of these credentials now is to reboot the Windows 7 machine. So that means anyone who connects to me for a file share and logs on leaves their credentials behind in memory. If this were a domain controller, I would have everyone’s plaintext password in the entire organization.

14. Privilege Escalation, Countermeasures

Now I’m hoping you’ve seen that as we’ve progressed through this course we’ve done several things. For example, we started off talking about footprinting, and we said we gathered broad, publicly available information from websites, ARIN, and various other sources. With that information we moved on to scanning: we did our port scanning, our Nmap, that kind of thing. Then we went ahead and did our enumeration. Remember, that’s where services gave something up for free; you didn’t have to authenticate to get that information. And then finally, after we’ve done all of that, this is where we try the penetration, or the first attack. That first attack is going to end in one of two ways: we’re going to get in or we’re not.

I mean, it’s pretty straightforward, isn’t it? Let’s assume it failed. If it did fail, more than likely what follows is a denial of service attack. I used the example earlier where they couldn’t get into your store, so they took a brick and threw it through the bars on your windows just to do damage, because you really made them mad. Next, let’s say it was successful. Here’s the part I want you to understand: I want you to understand what we’ve gone through so far in this course, and now we’re right here. We’ve got our foot in the door. Well, we may have got our foot in the door, but we’ve really just got our baby toe in there; we don’t have any privileges or anything yet.

So the first thing that’s going to happen is we’re going to try to elevate those privileges, doing whatever we can to become root, superuser, admin, whatever it might happen to be. In the next couple of slides we’re going to talk about these things, and I just wanted to come back and rehash them to make sure we’re all on the same page. After that, we’re going to do whatever deviltry we want to do. Then we’re going to attempt to cover our tracks: erase the audit logs, sweep up our footprints, whatever the case may be; we don’t want them to be able to track it back to us. In reality, statistics have shown that the average attacker who gets in stays in.

And you won’t believe this, but it’s almost a year before we actually detect them. Yes, that’s correct. Then finally the attacker is going to leave some kind of back door so he can come back and terrorize you more and more. Okay, now we already saw that slide before, but I just wanted to provide a checkpoint here. Let’s talk about privilege escalation. We know privilege escalation is the process of moving from the initial user account you may have compromised to one with higher access rights. It can be done in a number of different ways.

A lot of people ask me, well, how do people do privilege escalation? That’s about like asking how bank robbers rob banks; there are a lot of different ways of doing it. Tools like GetAdmin, which is actually a very old tool, but I use it because it does an extremely good job of illustrating the point; you may remember me demonstrating it. It exploits a vulnerability in the kernel to gain access to processes running with the core Windows security rights, and uses that access to add another user to the local Administrators group. There are also configuration faults that can be exploited, like a web server with resource files that are writable by a non-privileged user.

These can all be used to execute malicious commands with the rights assigned to the web server user, or whatever application is being exploited. Hopefully your web server is only running as the IUSR_ account or a similarly nominal account. This is the reason we never want to run our web server as root or admin: if it’s compromised, that’s not such a good thing. So there are a number of different tools we can use to do this. Meterpreter, which is part of Metasploit, has a getsystem command, there’s this GetAdmin, and there are also a number of things we can use that are built into WMI. I’m going to give you another example here in just a couple of moments, and I’m going to give you a demo of some things we can do to escalate our privileges.

Before we do that, let’s talk real quickly about some countermeasures. First off, monitoring the Event Viewer logs. Now actually, the log is of no use whatsoever if no one ever looks at it; you might as well not even have it. Monitoring multiple servers’ event logs can be time consuming, because there’s no built-in method for collecting the logs and then correlating them. There are software tools you can purchase that do that for you and even alert you; these are things like a SIEM, which gives us that capability. There are many Windows event log management tools available. I’ve just listed a couple of them for you here: SELM from GFI, Event Log Manager, EventTracker, Sentry Pro, and so on.

15. Covering Tracks, Disable Auditing, Clearing the Event Log

Okay, so let’s say we understand the countermeasure of monitoring our event logs and that type of thing, but let’s assume for just a moment we don’t have something like syslog, where the logs are sent to another location. Well, that actually is pretty good news for the hacker, because what he’s going to try to do, if and only if he has been given the permissions to do it (which he won’t have if he’s just a lowly user), is disable auditing when he logs on to the system. That allows the hacker to hide his activities from the administrator investigating after the breach has been discovered.

If the hacker manages to complete his session on the server and re-enable auditing before he logs off, then the lack of audit logs may lead to the breach not even being discovered. Alternately, the hacker may leave the audit policies disabled to facilitate further access, and the systems administrator doesn’t even know it. Now, I should mention there are a number of ways we can configure our audit log. We can set the audit log to overwrite itself when it gets to a certain size, and if the perpetrator knows this, he can go in and fill up the audit log with a whole bunch of junk, overwriting what he’s done maliciously.

So there are many ways to think about it. Let’s talk real quickly about clearing the event log. While clearing the event log will hide the records of exactly what the hacker is doing whilst logged on, it’s not a foolproof method, since an empty event log is itself an indication that something has happened. Most likely, unless you’re using some kind of special tool, if you delete the event logs there will be a record left behind that says such-and-such user has cleared the event log, and more than likely it will show that somebody from the Administrators group has cleared it.

And this is another one of those things I told you about earlier that make you go 'hmm'. There are other ways of covering our tracks once a hacker compromises the system. We’ve talked about disabling auditing and clearing the event log. Now we’re going to get into some stuff that’s really going to blow you away. We’re going to hide data in an NTFS alternate data stream, hide data in images (which is called steganography), shred files that may give clues to the hacker’s actions, and even install a rootkit to hide processes and files and give the hacker a back door for future use. So all I can say, guys, is buckle up, because the next several slides are going to be very, very interesting.
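Sections 14 and 15 both come down to the same countermeasure: somebody has to actually read the Security log. The PowerShell below is an added example, not part of the course: it pulls the records that betray the two activities just discussed (a new local user or a member added to Administrators for section 14; audit policy changes and cleared logs for section 15) and then checks whether the log is configured to overwrite itself, which is what makes the "fill it with junk" trick work. It assumes an elevated PowerShell 3.0+ session on the host being examined; the look-back window and the function name are my own choices.

```powershell
# Added example, not part of the course: query the Windows Security log for the
# records that betray privilege escalation (section 14) and covering tracks
# (section 15), and check whether the log is configured to overwrite itself.
# Assumes an elevated PowerShell 3.0+ session on the host; $Hours is an assumed window.

$Hours = 24
$Since = (Get-Date).AddHours(-$Hours)

# Section 14 outcomes: 4720 account created (net user), 4732/4728/4756 member added to a
# local/global/universal security group (GetAdmin adds to Administrators), 4672 special
# privileges assigned at logon (an admin-level token was handed out).
$EscalationIds   = 4720, 4728, 4732, 4756, 4672
# Section 15 outcomes: 4719 audit policy changed (auditing disabled or re-enabled),
# 1102 Security log cleared. 1102 is written as the first record of the freshly
# cleared log, so "clearing" leaves exactly the trace the lecture describes.
$AntiForensicIds = 4719, 1102

function ConvertFrom-SecurityEvent {
    # Flatten the event's EventData (most IDs) or UserData (1102) into named fields.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
    $member = $data['MemberName']
    if (-not $member -or $member -eq '-') { $member = $data['MemberSid'] }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Id      = $Event.Id
        Actor   = $data['SubjectUserName']      # who did it
        Target  = $data['TargetUserName']       # account created, or group modified
        Member  = $member                       # who was added to the group
        Summary = ([string]$Event.Message -split "`r?`n")[0]
    }
}

$records = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $EscalationIds + $AntiForensicIds; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SecurityEvent $_ }

"--- Privilege escalation indicators (last $Hours h) ---"
$records | Where-Object { $_.Id -in $EscalationIds } |
    Format-Table Time, Id, Actor, Target, Member -AutoSize

"--- Anti-forensics indicators (last $Hours h) ---"
$records | Where-Object { $_.Id -in $AntiForensicIds } |
    Format-Table Time, Id, Actor, Summary -AutoSize

# Clearing the System or Application log is recorded in the System log as Event 104.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize

# Retention: a Circular log that is small relative to its event rate can be flushed
# with junk, which is the "fill the log to overwrite your tracks" trick from section 15.
$cfg = Get-WinEvent -ListLog Security
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    LogMode     = $cfg.LogMode        # Circular = oldest records are overwritten when full
    Records     = $cfg.RecordCount
    OldestEvent = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated
} | Format-List
```

The 4720 and 4732 records only exist if the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled, and 1102 and 4719 are only useful if the log is shipped somewhere the attacker cannot reach; on a lone host, an OldestEvent that is a few hours old with a Circular log mode tells you how little history you would have left after the junk-filling trick.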

16. Alternate Data Streams Demonstration – A

Okay, guys, this is one of my favorite demos to do, and I think you’ll really enjoy this one. What I’m going to do is open up a computer, and this happens to be a Windows XP machine. I’m just going to make a directory out here, and I’m going to call that directory Tim. I’m then going to open up a command prompt, and let’s go ahead and make this command prompt a little bit easier for everybody to see. I’m going to bring up the font a little bit so it’s really easy to read. Then I’m going to type cd \ and I wonder if it would be easier to see if we changed the color a little bit. A lot of times a white background with black screen text works real well.

We can usually see that a little bit easier. Okay, so I’m going to change down to that directory. As you can see right here, if I type dir, there’s nothing in that particular directory. I’m going to copy a file called LADS.exe from the root of the drive, and I’ll explain what that does in just a moment or two. Now I’m going to use copy con to copy from the console to a file called tim.txt, and I’m just going to put a whole bunch of gibberish in here. Ctrl+Z finishes the file, and some of you guys who have been around for a while may remember this is how we used to have to edit AUTOEXEC.BAT or CONFIG.SYS when we didn’t have an editor on our machine.

Now, if I simply type dir, would you all agree with me that the file has 50 bytes in it? You can see that right here. All right. So if I go in here and run notepad tim.txt, there is all of that information. Let’s make this a little bigger as well so we can easily see that that’s all the gibberish I typed in. Okay, great. The next thing I’m going to do is type notepad tim.txt again, but I’m going to put a colon after it and type secret, so notepad tim.txt:secret, and press Enter. I’m now going to open up Internet Exploder, because I want to make sure you don’t think this is some cheap trick. I’m going to take today’s headlines.

I’m just going to grab all the information on that page with a Ctrl+A right there, and paste it. Now I think everyone here would agree with me that this amount of text is larger than 50 bytes. Would everybody agree with that? Of course we would. Okay, so I’m going to click on File and Save, and then I’m going to close it. Now let’s do a dir, and oh, it’s still 50 bytes. Something must have happened. Let’s take a look. All right, here is notepad tim.txt; well, there that is, that looks fine. But let’s take a look at the other one. Wow, there that is as well. But Windows didn’t keep track of this second area.

So what’s going on here? I’ve had people in my class before, when I’ve explained an alternate data stream, who have been using Windows for 15, even 20 years and have never even heard of it. If that’s the case with you, I think you’re going to be a lot more impressed. So let’s go ahead and bring this down for just a moment and I’m going to explain what’s actually going on. Now we know that our file system is composed of allocation units. You can call it a block, you can call it a sector, you can call it a cluster; I really don’t care for this demonstration. These allocation units are chained together in a linked list until it gets to an end-of-file marker. That’s what we consider to be a file, and we put this in various places on our hard drive.

Okay, great. In order to support the Macintosh file system, Microsoft had to add another stream to it. On a Macintosh file system we have a second stream, or as they call it a fork, called the resource fork. So you have your data fork and your resource fork. Now what that does is, written inside of this resource fork is, let’s say, Microsoft Word; Microsoft Word would be used to open up this stream of allocation units, or this file, if you will. We could name our file whatever we want on a Macintosh; whatever is in the resource fork is what opens it up when you double-click on it. Okay, that’s great. So in order to support the Macintosh file system, Microsoft gave us the capability of having multiple data streams.

But here’s the kicker: they didn’t want to just stop right there. Well, if we’re going to have two, let’s just go ahead and give them 256 of them. And the really sad part about this is that it only keeps track of the very first one. So if you put a disk quota on me of one gig, so that I will never be able to save more than one gig to your hard drive, I’ll take your whole stinking drive. If I have write access to any file, I’ll fill the entire thing up. So let’s go back over to our demonstration and see what else we can find. All right, let’s try this: type C:\Windows\System32\calc.exe. Whatever is in the code segment of the calc.exe executable will be displayed to the screen.

Now what I would like to do is do that again, but redirect it, how about into tim.txt:prog1.exe. Okay, let’s see: dir, still 50 bytes. Surely nothing else is in there. But if I type start tim.txt:prog1.exe, here it is. So wait a minute, Tim. You’re telling us that I could have malware attached to a simple text file and not even know it? Yeah, that’s exactly what I’m telling you. Well, when are they going to fix this? They’re not going to fix it. And I’m using air quotes here: this is a 'feature' for Microsoft, because Microsoft themselves have been using it for years and they never thought they needed to tell you about it. Let’s go a little bit further than this, because it gets a whole lot worse. Let’s try this. Let’s.
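The same hidden-stream behaviour can be reproduced, and hunted for, without LADS.exe. The PowerShell below is an added example, not part of the course: it recreates the 50-byte tim.txt with a named stream many times larger, shows that the visible length does not move, and then scans a directory tree for files carrying any stream other than the default one. It assumes Windows with PowerShell 3.0 or later on an NTFS volume; the scratch path and the function name are my own.

```powershell
# Added example, not part of the course: reproduce the hidden-stream demo with
# PowerShell (3.0 or later, NTFS volume), then scan a directory tree for files that
# carry streams other than the default one. $Root is an assumed scratch location.

$Root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$File = Join-Path $Root 'tim.txt'

# The unnamed stream (":$DATA") is the only one dir, Explorer and .Length report.
Set-Content -Path $File -Value ('x' * 48)          # 48 chars + CR LF = 50 bytes, as in the demo
# A named stream. It does not change the visible size at all.
Set-Content -Path $File -Stream secret -Value ('Hidden text, far larger than the visible file. ' * 20)

"Visible length of tim.txt: $((Get-Item -Path $File).Length) bytes"
Get-Item -Path $File -Stream * | Select-Object Stream, Length     # lists :$DATA and secret
Get-Content -Path $File -Stream secret | Select-Object -First 1   # read the hidden stream back

function Find-AlternateDataStreams {
    # List every named stream under $Path. Zone.Identifier is the benign "mark of the web"
    # written by browsers; anything else deserves a closer look.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $item.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        Suspicious = ($_.Stream -ne 'Zone.Identifier')
                    }
                }
        }
}

Find-AlternateDataStreams -Path $Root | Format-Table -AutoSize

# Remove-Item -Stream deletes only the named stream; the file and its visible data stay.
Remove-Item -Path $File -Stream secret
```

Two caveats for anyone repeating the XP demo on a current system: `dir /R` in cmd.exe (Vista and later) and `Get-Item -Stream *` both list named streams, so the "Windows doesn't keep track of it" observation applies to the XP-era dir output and Explorer's size column rather than to NTFS itself; and the streams only survive on NTFS, so copying the file to a FAT or exFAT volume, or through most non-Windows file servers, silently drops them.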
