mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Day 2: Step 14.B - Password Not Showing #9

Closed. leegengyu closed this 4 years ago

leegengyu commented 4 years ago

When I executed wmidump (point 6 of Step 14.B), all of the passwords which returned were (null): [screenshot]

Looking at stepFourteen_credDump.ps1, I found $ProcessInfo.Arguments = @("privilege::debug","sekurlsa::logonpasswords","exit"); which were passed into the Mimikatz executable. I decided to run m.exe on the victim machine with the same 2 commands manually.

This is an example of a paragraph from the output after running the above 2 commands: [screenshot]

The white arrow in the screenshot shows that for this particular Authentication Id, that field has a value of (null). Additionally, manual execution of the executable does indeed show that all Password fields had a value of (null).

I came across this Microsoft link, and attempted a shot:

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, there was no UseLogonCredential originally: [screenshot]

After adding in UseLogonCredential and setting it to 1: [screenshot]

I manually executed the Mimikatz executable first, and found that for the same Authentication Id, I was able to see the password (under Kerberos) now. [screenshot]

I executed wmidump this time, and found that the password was showing up (as expected based on the second time the manual execution was carried out): [screenshot]

I am not sure if ...:

  1. ... there is indeed a missing setup step (which would be under Victim Setup), or if there is something that I missed in the setup that caused me to see only (null) values as passwords.
  2. ... the addition of the registry entry (as shown above) is a correct fix in this case, should there indeed be a missing setup step. Interestingly the new registry entry was under WDigest, while the expected passwords appeared in the Kerberos section of the Mimikatz executable output instead.
jcwilliamsATmitre commented 4 years ago

Hello again @leegengyu!

And yeah you're right, we have that as part of our environment configuration (https://attackevals.mitre.org/APT29/environment.html). Added to the Victim Setup as you suggested, thanks!

In regards to the section of Mimikatz output, it may depend on how you originally logged into the box during setup (which dictates how/where the credentials are cached).

leegengyu commented 4 years ago

I see. I had totally missed out on the bottom section of that page and focused solely on the instructions in README.md.

Thank you for addressing this so quickly @jcwilliamsATmitre!

jwillyamz commented 4 years ago

Glad to help, and thank you for pointing this out! As you said, this was something we should have included in the readme as well so great catch.