gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Skeleton Key on "MSV" SSP #449

Open MarcoZufferli opened 6 months ago

MarcoZufferli commented 6 months ago

Hello!

I'm studying the Skeleton Key Attack. In the original paper (https://www.virusbulletin.com/uploads/pdf/magazine/2016/vb201601-skeleton-key.pdf) they described that this attack is able to modify both the SSP "MSV" (NTLM Authentication) and "kerberos.dll" (Kerberos Authentication), installing a backdoor inside these protocols.

But in my test with "misc::skeleton" it appears that Mimikatz modifies only the SSP "Kerberos.dll". I tried with:

- net use (Wireshark says it uses Kerberos) and it works
- psexec of Sysinternals (Wireshark says it uses Kerberos) and it works
- Enter-PSSession (Wireshark says it uses Kerberos) and it works

Can you please tell me if I'm wrong?


On my Kali, using "psexec" of Impacket (or also crackmapexec) (Wireshark says it uses NTLM), it does NOT work, as you can see in the screenshot.

nathan-rabet commented 5 months ago

crackmapexec uses NTLM authentication by default.

To force Kerberos authentication, add -k or --kerberos to your crackmapexec command.