Domain Penetration: Security Support Provider
0x00 Preface
In the previous article I introduced some penetration methods and techniques for a domain environment; this time I will introduce a method for maintaining domain controller access: the Security Support Provider (SSP).
0x01 Introduction
SSP:
Security Support Provider, also known as a Security Package.
An SSP is a DLL that implements an authentication protocol. Examples:
NTLM
Kerberos
Negotiate
Secure Channel (Schannel)
Digest
Credential (CredSSP)
SSPI:
Security Support Provider Interface, the API that Windows applications use to perform authentication operations.
SSPI is the interface through which an application calls an SSP.
LSA:
Local Security Authority, responsible for identity authentication. It runs as the process lsass.exe.
What makes the LSA special is that it is extensible: when the system starts, every registered SSP DLL is loaded into lsass.exe.
This means that a DLL we define will be loaded into lsass.exe at the next system start!
This is the normal SSPI structure (see the diagram): the Client APP is our custom DLL, and through Secur32.dll it can call the credential APIs to obtain information held by the LSA.
The attack idea follows from this. Since the DLL is ours, we can implement its functions as we like and obtain the plaintext password inside lsass.exe through the named pipe and shared memory; when a password is changed, the new password is captured immediately!
0x02 mimilib SSP
Mimikatz already implements this: the file is mimilib.dll, which we usually ignore when using mimikatz.
Next we test how to use mimilib as a forged SSP that records plaintext passwords.
Mimikatz poc address:
https://github.com/gentilkiwi/mimikatz/blob/bb371c2acba397b4006a6cddc0f9ce2b5958017b/mimilib/kssp.c
0x03 Actual Test
Test environment:
Domain controller: Server 2008 R2 x64
Domain host: Win7 x64
Test procedure:
1. Add SSP
Copy mimilib.dll to c:\windows\system32 on the domain controller.
Note:
A 64-bit system needs the 64-bit mimilib.dll; the 32-bit build will fail to load.
2. Set SSP
Modify the registry. Location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages
(Security Packages is a REG_MULTI_SZ value under the Lsa key.)
Add mimilib.dll to the Security Packages value.
Click OK; mimilib.dll now appears in Security Packages.
3. restart the system
After the domain controller is restarted, a new file kiwissp.log appears in c:\windows\system32.
kiwissp.log records the logon account and password.
Tips:
mimilib only writes the password to the local disk; sending it to a remote server instead would make the attack considerably more dangerous.
0x04 Supplement
1. Updating the SSP in memory
Mimikatz also supports loading the SSP directly into memory, so that no restart is needed to obtain account information.
Run mimikatz.exe with the following commands:
privilege::debug
misc::memssp
Note:
1. A 64-bit system requires 64-bit mimikatz:
32-bit mimikatz: error
64-bit mimikatz: success
2. The in-memory method does not survive a restart.
0x05 Detection
1. Registry
Check the registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages
2. DLL
Check %windir%\System32 for suspicious DLLs.
3. Autoruns
Use Autoruns (its LSA Providers tab) to detect LSA extensions and find where the DLL was added.
Note that the in-memory method from 0x04 writes nothing to the registry, so checks 1 and 3 only catch the registry-based variant.
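The following PowerShell script combines detection steps 1 and 2 into one check a defender can run on a domain controller. It is an added example, not code from the original post or from mimikatz: it reads the Security Packages value, resolves each entry to its DLL in System32, verifies the file's Authenticode signature, and flags entries that are outside a baseline or not validly signed by Microsoft, then looks for the kiwissp.log file the post describes. The baseline list, the function name Get-SecurityPackageFindings and the requirement to run elevated are assumptions of this example; adjust the baseline to your own OS build.

```powershell
# Added example (not from the original post or mimikatz): audit the LSA
# "Security Packages" value and the DLLs it references.
# Assumptions: run as Administrator on the host being checked; the baseline
# below is constructed for this example and must be adjusted to your build.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')  # constructed baseline

function Get-SecurityPackageFindings {
    # Security Packages is REG_MULTI_SZ, so this yields a string array
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
    $findings = @()
    foreach ($entry in $packages) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }   # some builds store a single ""
        $name = [IO.Path]::GetFileNameWithoutExtension($entry)  # tolerate "mimilib" or "mimilib.dll"
        $dll  = Join-Path $env:windir "System32\$name.dll"
        $info = [ordered]@{
            Entry      = $entry
            InBaseline = ($baseline -contains $name.ToLower())
            Exists     = (Test-Path $dll)
            Signature  = 'n/a'
            Signer     = ''
        }
        if ($info.Exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $info.Signature = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
        }
        $findings += [pscustomobject]$info
    }
    return $findings
}

$results = Get-SecurityPackageFindings
$results | Format-Table -AutoSize

# Anything outside the baseline, or not validly signed by Microsoft, deserves a look
$suspicious = $results | Where-Object {
    -not $_.InBaseline -or $_.Signature -ne 'Valid' -or $_.Signer -notlike '*Microsoft*'
}
if ($suspicious) {
    Write-Warning 'Unexpected security packages:'
    $suspicious | Format-Table -AutoSize
}

# The log file produced by the mimilib SSP is itself an indicator
$log = Join-Path $env:windir 'System32\kiwissp.log'
if (Test-Path $log) { Write-Warning "Found $log (written by the mimilib SSP)" }
```

Run it from an elevated PowerShell prompt on each domain controller; a clean host prints only baseline entries with Signature "Valid" and a Microsoft signer, while a host set up as in 0x03 shows the extra mimilib entry and, after a restart, the kiwissp.log warning.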
0x06 Summary
This article only demonstrates the basic use of an SSP to save domain controller accounts and passwords locally; more advanced exploitation can be built on the same idea.
From the defensive point of view, conventional methods are not enough. Only by understanding the attack in more depth can we defend against it properly.