Didier Stevens

Friday 12 August 2016

mimikatz: Golden Ticket + DCSync

Filed under: Encryption — Didier Stevens @ 8:04

This blog post aims to provide a bit more information about what Benjamin Delpy wrote in this tweet:


For this demo I run mimikatz as a least privilege, local user on a Windows workstation that is a member of my demo domain. The first step is to generate and use a golden ticket to obtain domain admin rights. The second step is to use dcsync to retrieve hashes from the domain controller.

As a freshly logged-on local user, I have no tickets:


Then I create a golden ticket for the domain admin:



And I use it:


Now my least privilege, local user is impersonating the domain administrator:


Then I retrieve the hashes for user user01 from the domain controller via the DRSR protocol:


Compare the LM and NTLM hashes with the hashes in this blogpost: they are the same.

All the arguments (krbtgt, domain, domain admin username, domain SID) needed for the kerberos::golden command can be extracted from the ntds.dit file we obtained. More info on alternative methods to obtain the arguments can be found here.

@gentilkiwi told me that the domain admin username and RID can also be faked, as long as the account is part of the domain admins group. It will work for about 20 minutes without checks.

If we don’t have the necessary rights (for example domain admin) to query a DC with DRSR, we get an error 5 (access denied):


You also get this error when the krbtgt NTLM hash has changed. The ptt command will seem to succeed, however:


Remember that unless the password for user krbtgt is changed (which is not a standard practice), the krbtgt NTLM hash never changes. So even very old copies of ntds.dit can be used to recover hashes as described in this method.

The ticket is stored in a file using ASN.1 encoding:


Benjamin has a YARA rule (mimikatz_kirbi_ticket) to detect such tickets:


Unfortunately, the mimikatz I use (version 2.1) uses a different ASN.1 encoder and the rule no longer works.

Until Benjamin makes a more generic rule, you can use this updated rule:

rule mimikatz_kirbi_ticket
{
	meta:
		description		= "KiRBi ticket for mimikatz"
		author			= "Benjamin DELPY (gentilkiwi); Didier Stevens"

	strings:
		// KRB-CRED with 2-byte DER lengths (0x82): [APPLICATION 22] SEQUENCE, pvno 5, msg-type 22
		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
		// same structure written with 4-byte DER lengths (0x84), as the mimikatz 2.1 encoder does
		$asn1_84		= { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }

	condition:
		$asn1 at 0 or $asn1_84 at 0
}

This ticket file is created on disk because I use kerberos::golden’s option /ticket:, but if I use option /ptt, the ticket is immediately passed, and not written to disk.
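As an added illustration (not code from this post or from mimikatz), here is a small DER-aware check that recognises a KRB-CRED (.kirbi) file on disk whichever definite length encoding the writer used: it covers the two byte patterns in the YARA rule and also the one-byte long form (0x81) that neither pattern matches. The sample headers are constructed and truncated after the msg-type field; they are not real tickets.

```python
# Added example, not from the blog post or from mimikatz: recognise a KRB-CRED
# (.kirbi) file by decoding its DER header instead of matching fixed bytes, so it
# accepts the 2-byte (0x82) and 4-byte (0x84) length forms the YARA rule covers
# and any other definite long-form length as well.

def _read_tlv(data, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                  # short form: the byte itself is the length
        return tag, pos, pos + first
    nbytes = first & 0x7F             # long form: 0x82 -> 2 length bytes, 0x84 -> 4
    if nbytes == 0 or nbytes > 4:     # indefinite length or oversized: not what we expect
        raise ValueError("unsupported length encoding")
    length = int.from_bytes(data[pos:pos + nbytes], "big")
    return tag, pos + nbytes, pos + nbytes + length

def _read_int(data, pos):
    """Return the value bytes of the INTEGER at pos, or None if the tag is not INTEGER."""
    tag, start, end = _read_tlv(data, pos)
    return data[start:end] if tag == 0x02 else None

def is_kirbi_ticket(data):
    """True when data starts with KRB-CRED: [APPLICATION 22] SEQUENCE { [0] pvno 5, [1] msg-type 22 }."""
    try:
        tag, pos, _ = _read_tlv(data, 0)
        if tag != 0x76:               # [APPLICATION 22], constructed: KRB-CRED
            return False
        tag, pos, _ = _read_tlv(data, pos)
        if tag != 0x30:               # SEQUENCE
            return False
        tag, inner, after_pvno = _read_tlv(data, pos)
        if tag != 0xA0 or _read_int(data, inner) != b"\x05":    # [0] pvno = 5
            return False
        tag, inner, _ = _read_tlv(data, after_pvno)
        return tag == 0xA1 and _read_int(data, inner) == b"\x16"  # [1] msg-type = 22
    except (IndexError, ValueError):  # truncated or non-DER input
        return False

# Constructed sample headers, cut off after the msg-type field (not real tickets):
# the 0x82 form the original rule matched, the 0x84 form the 2.1 encoder writes,
# a 0x81 form neither byte pattern covers, and the start of a DER certificate.
KIRBI_LEN82 = bytes.fromhex("768204d2308204cea003020105a103020116")
KIRBI_LEN84 = bytes.fromhex("7684000004d23084000004cea08400000003020105a18400000003020116")
KIRBI_LEN81 = bytes.fromhex("7681c83081c5a003020105a103020116")
NOT_A_TICKET = bytes.fromhex("308204d2308203ba")
```

Like the YARA rule, this only sees tickets that were written to disk with /ticket:; a ticket passed directly with /ptt never produces a file to scan.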

@gentilkiwi also told me that if you impersonate a domain controller account for kerberos::dcsync, then no events are logged.

Monday 8 August 2016

Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library)

Filed under: Encryption,My Software — Didier Stevens @ 0:00

I created a program with a graphical user interface to create a simple certificate. This program uses the OpenSSL library. Extract the program from the zip file (below) and run it:


You don’t have to install any dependencies, everything is linked into the program.

If you need more help, here is a video:


CreateCertGUI_V1_0_0_1.zip (https)
MD5: F5400736E7E38F30D35A02FEB6D99651
SHA256: 82D59AC494FEF1A8B219C591717359712C19E8845D02A457017045A9A4C3D989

And if you are interested, here is the source code:

CreateCertGUI_source_V1_0_0_1.zip (https)
MD5: 790CA083407032434A8DA1FF8AC1E512
SHA256: B15BB8A3504EF56D1C6C84CA181FFB6E5A73956EC79757C62B87B520C136AA2D

Tuesday 2 August 2016

rtfdump: Update And Videos

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

I made a small update to rtfdump and added new rules to rtf.yara.

This video is an intro to rtfdump:

This is a video on an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 CVE-2012-0158:

This is a video on an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 CVE-2010-3333:

rtfdump_V0_0_3.zip (https)
MD5: 59DC23EE55F76C065A2A718DDFDB0E4E
SHA256: 46F9D768C6976AD5D4018EFDFD35DAE4212FEAE57871434A33CAEF028CB4CBA2

Monday 1 August 2016

Overview of Content Published In July

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in July:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Sunday 31 July 2016

Update: re-search Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update for re-search.py to properly handle binary files.

re-search_V0_0_2.zip (https)
MD5: FC921EAF48774B6E113FAE76867B69E1
SHA256: B07BF53FE476E6FC4D5B568BA2B0B70DD3BC037478A2CBF3A08A1AA6CCDD402C

Saturday 30 July 2016

Video: ntds.dit: Extract Hashes With secretsdump.py

Filed under: Encryption — Didier Stevens @ 17:40

In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit.

I use secretsdump.py from Core Security’s impacket Python modules. The advantage is that this is a pure Python solution, and that it was able to automatically select the correct object ID. Dependencies are pycrypto and pyasn1.

Bugfix: pdf-parser Version 0.6.5

Filed under: My Software,PDF,Update — Didier Stevens @ 16:19

This is a bugfix for pdf-parser. Streams were not properly extracted when the stream data itself started with whitespace, i.e. additional whitespace after the normal whitespace that follows the stream keyword.
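To illustrate the edge case behind this fix, here is example code added here (it is not pdf-parser's own implementation): a greedy extractor that reproduces the symptom next to one that consumes exactly one end-of-line after the stream keyword. It assumes a direct /Length value rather than an indirect reference, and the sample object is constructed.

```python
import re

# Added example, not pdf-parser's own code. PDF 32000-1 section 7.3.8: the
# "stream" keyword is followed by exactly one end-of-line marker (CRLF or LF),
# and every byte after that marker is stream data for /Length bytes, even if the
# data itself begins with whitespace. Assumes a direct /Length (no indirect ref).

# Constructed sample object whose stream data starts with a space and a newline.
# Its /Length is 9: b" \nabcdefg" is 1 + 1 + 7 bytes.
SAMPLE_OBJECT = (
    b"4 0 obj\n<< /Length 9 >>\nstream\r\n"
    b" \nabcdefg"
    b"\nendstream\nendobj\n"
)

def extract_stream_greedy(obj):
    """The faulty approach: treat all whitespace after 'stream' as separator,
    so any whitespace at the start of the data is silently dropped."""
    m = re.search(rb"stream\s+(.*?)\s*endstream", obj, re.DOTALL)
    return m.group(1) if m else None

def extract_stream(obj):
    """Consume exactly one EOL after 'stream', then take /Length bytes verbatim."""
    length_match = re.search(rb"/Length\s+(\d+)", obj)
    keyword = re.search(rb"stream(\r\n|\n)", obj)
    if length_match is None or keyword is None:
        return None
    start = keyword.end()
    length = int(length_match.group(1))
    data = obj[start:start + length]
    # Sanity check: the data must be followed by (an EOL and) the endstream keyword.
    if not re.match(rb"(\r\n|\r|\n)?endstream", obj[start + length:]):
        return None
    return data
```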

pdf-parser_V0_6_5.zip (https)
MD5: 7F0880EB8A954979CA0ADAB2087E1C55
SHA256: E7D2CCA12CC43D626C53873CFF0BC0CE2875330FD5DBC8FB23B07396382DCC85

Friday 29 July 2016

Releasing rtfdump.py

Filed under: maldoc,My Software — Didier Stevens @ 8:59

Today I’m releasing my rtfdump.py tool to analyze RTF documents. I started working on it about a year ago, but I didn’t like the direction it took me in, and stopped working on it. About a week ago I started again with new samples, and I’m more satisfied now with the result.

I will post more information later. But if you want to get an idea how to use my tool, take a look at this analysis in SANS ISC Diary.

rtfdump_V0_0_2.zip (https)
MD5: 368CCACC556E283D5E1759ED5E164BFF
SHA256: DA9B0AB231B1ADBC1083FC0F915A789EF19A5F7540C317CFA80BF3DE038C7952

Monday 25 July 2016

Practice ntds.dit File Overview

Filed under: Encryption — Didier Stevens @ 9:15

I published a sample Active Directory database file (ntds.dit) to practise hash extraction and password cracking. And I published several how-to blog posts.

Here is an overview:

Practice ntds.dit File Part 1

Practice ntds.dit File Part 2: Extracting Hashes

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM


Thursday 21 July 2016

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

Using passwords recovered from LM hashes to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) to toggle all letter combinations:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32]
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
FEPARAGON        (user20)
V                (user21)
Y6G              (user23)
aS               (user22)
*qFT             (user24)
lm1181992        (user16)
976b0            (user26)
*Vqc(            (user25)
Root1$           (Administrator)
Lzac08@          (user19)
kurt!!!          (user05)
XjW*wL           (user27)
yeliz6           (user14)
tadob            (user15)
zordic7          (user04)
maisie2007       (user12)
8N)IMRgQ57_      (user31)
girlish2020      (user06)
thurlow1         (user09)
cuningo          (user17)
A9LT5J$r         (user28)
Crx3#W+f         (user29)
beaufort1        (user10)
43PDlBR8tS#V     (user32)
453758487l       (user08)
F-62RqTo@m       (user30)
WBJ_Pvtz6i42AV   (user34)
rachelleanne     (user03)
amorosaoveja     (user07)
b#f1HvU@Qz7nk    (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using --show:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out


31 password hashes cracked, 12 left

