phdays.com, phdays.ru
Moscow, 2012, Day 2, Track 2, 13:00
Benjamin Delpy, To Recover Plaintext Passwords of Windows Users

mimikatz::sekurlsa::tspkg
  http://blog.gentilkiwi.com/securite/pass-the-pass
  MS introduces SSO with NT 6 to improve RemoteApps
  KB says it works with "Default credentials": it can be user/domain/(pass|hash|ticket)
  In all cases it seems to be vulnerable to pass-the-hash attack
  Some interesting APIs/symbols:
    TSObtainClearCreds
    TSRevealPassword
    TSCredTableLocateDefaultCreds
  LsaEnumerateLogonSessions, for each LUID: tspkg!TSCredTableLocateDefaultCreds (TODO)
  LsaEnumerateLogonSessions, for each LUID: tspkg!TSGlobalCredTable -> RtlLookupElementGenericTable -> LsaUnprotectMemory
  We just have to:
    tspkg!TSGlobalCredTable
    SecPkgFunctionTable -> LsaUnprotectMemory
    LSA_SECPKG_FUNCTION_TABLE (MSDN/KB link)

mimikatz::sekurlsa::wdigest
  Hashes:
    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:digestURI:[...])
  LsaUnprotectMemory at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
  _DigestCalcHA1@8
  LsaProtectMemory at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
  LsaEnumerateLogonSessions, for each LUID: TODO

Using TsPkg and WDigest, the password can be revealed on all Windows versions:
  WDigest: XP, 2003, Vista, 7, 2008, 2008 R2, 8
  TsPkg: XP SP3 (manual install), Vista, 7, 2008, 2008 R2, 8
wce (TODO find what is wce)
had not copied this talk
TsPkg functionalities

WinDBG:
  !process 0 0 lsass.exe
  .process /i 83569040
  g
  .reload /user
  bp TODO
  g

mimikatz::sekurlsa::livessp
  LsaEnumerateLogonSessions, for each LUID: search the linked list for the LUID, then LsaUnprotectMemory

mimikatz::sekurlsa::kerberos (nt 6)
mimikatz::sekurlsa::kerberos (nt 5)
  MS implementation of Kerberos: for password auth the password hash is the shared secret, but the password itself is kept in memory
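The HA1/HA2 formulas in the WDigest notes are the RFC 2617 Digest computation. The following is an added example (not code from the talk, from mimikatz, or from Microsoft's wdigest.dll) that computes them and shows the security-relevant consequence: a server that stores only HA1 is satisfied by anyone holding HA1 for that realm, without the password, but the same HA1 is useless against a different realm because the realm is hashed into it. An SSO package that must answer challenges from arbitrary realms therefore cannot get by with one precomputed HA1, which is consistent with the notes' point that wdigest keeps material from which the plaintext is recoverable. All users, realms, nonces and URIs below are constructed sample values.

```python
"""RFC 2617 Digest: HA1/HA2/response, and what holding HA1 alone buys an attacker.
Added example; not mimikatz and not wdigest.dll. Sample values are constructed."""
import hashlib
import hmac


def md5hex(*parts: str) -> str:
    """Digest's H(A:B:C): MD5 of the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). Bound to one realm."""
    return md5hex(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI) for qop=auth (auth-int would append an entity hash)."""
    return md5hex(method, digest_uri)


def response_from_ha1(h1: str, nonce: str, nc: str, cnonce: str,
                      qop: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2). Needs HA1, never the password."""
    return md5hex(h1, nonce, nc, cnonce, qop, ha2(method, uri))


def response_from_password(username: str, realm: str, password: str, nonce: str,
                           nc: str, cnonce: str, qop: str, method: str, uri: str) -> str:
    """What a normal client does: derive HA1 from the password, then respond."""
    return response_from_ha1(ha1(username, realm, password), nonce, nc, cnonce, qop, method, uri)


class DigestServer:
    """Server that stores only HA1 per user for its realm, as RFC 2617 allows."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_table: dict[str, str] = {}

    def enroll(self, username: str, password: str) -> None:
        self.ha1_table[username] = ha1(username, self.realm, password)

    def verify(self, username: str, nonce: str, nc: str, cnonce: str,
               qop: str, method: str, uri: str, response: str) -> bool:
        h1 = self.ha1_table.get(username)
        if h1 is None or not isinstance(response, str):
            return False
        expected = response_from_ha1(h1, nonce, nc, cnonce, qop, method, uri)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    """Constructed scenario: user alice in realm CORP, one challenge, three responders."""
    server = DigestServer("CORP")
    server.enroll("alice", "S3cret!")
    nonce, nc, cnonce, qop = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"
    method, uri = "GET", "/dir/index.html"

    # 1) legitimate client: knows the password
    legit = response_from_password("alice", "CORP", "S3cret!", nonce, nc, cnonce, qop, method, uri)
    # 2) attacker holding only HA1 for realm CORP (e.g. dumped from a server or client cache)
    stolen_ha1 = ha1("alice", "CORP", "S3cret!")
    replay = response_from_ha1(stolen_ha1, nonce, nc, cnonce, qop, method, uri)
    # 3) the same HA1 presented to a different realm where alice has the same password
    other = DigestServer("OTHERREALM")
    other.enroll("alice", "S3cret!")

    return {
        "legit_ok": server.verify("alice", nonce, nc, cnonce, qop, method, uri, legit),
        "ha1_only_ok": server.verify("alice", nonce, nc, cnonce, qop, method, uri, replay),
        "ha1_other_realm_ok": other.verify("alice", nonce, nc, cnonce, qop, method, uri, replay),
        "ha1_differs_by_realm": stolen_ha1 != ha1("alice", "OTHERREALM", "S3cret!"),
        "unknown_user_ok": server.verify("bob", nonce, nc, cnonce, qop, method, uri, legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`ha1_only_ok` is the Digest analogue of pass-the-hash: HA1 is a password-equivalent for its realm. `ha1_other_realm_ok` is False, which is why a single cached HA1 cannot serve SSO across realms.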