Hernan Ochoa - WCE Internals [RootedCON 2011]

WCE Internals
Hernan Ochoa
(hernan@ampliasecurity.com)

What is WCE?
• Windows Credentials Editor v1.0

• Manipulates Windows Logon Sessions

• Evolution of the Pass-the-Hash Toolkit (also
written by me)

• WCE v1.1 to be published after this is over 

WCE features
• Dump in-memory credentials of logon
sessions
– Lists in-memory logon sessions
• Dumps in-memory username, domain, LM & NT
hashes
• current, future and terminated (…)
– Great to ‘steal’ credentials not stored locally

WCE features

• Pass-The-Hash
– Change/delete NTLM credentials of logon sessions
– Create new logon sessions and associate arbitrary
NTLM credentials

WCE features

• Does not require code injection to dump in-
memory credentials (v1.1)
– No need to run code inside LSASS.EXE
– Can locate, list and decrypt Logon Sessions and
NTLM credentials just by reading memory

WCE features
• Single executable (wce.exe)
– Easier to use, upload, etc.

• Supports
– Windows XP
– Windows 2003
– Windows Vista
– Windows 7
– Windows 2008

How does it work?
• Windows NT Logon and authentication model

Logon
LSA
Processes

Authentication
Packages

Windows NT Logon and
Authentication Model
WINLOGON.EXE

LSA AUTH API
(LSASRV.DLL)

MSV1_0.DLL
(NTLM AUTH PKG)
…

LSASS.EXE

Windows NT Logon and Authentication Model:
NTLM

WINLOGON.EXE

NTLM
CREDS
msv1_0.dll!LsaApLogonUser/Ex/Ex2()
Logon
• Authenticates user
Session
• Create logon session
(LUID)
• Add Credentials to Session

LSASS.EXE

Logon Sessions  Credentials

Logon Session
Process (LUID) NTLM
CREDENTIALS

Implementation:
two possible ways…
'Use Auth Package API’ Method ‘Read LSASS Memory’ Method
(less safe) (very safe)

• List LUIDs • Read LSASS Memory
• Run code inside LSASS.EXE • Learn inner workings
• Call MSV1_0.DLL Functions • Undocumented
• AddPrimaryCredential structures
• GetPrimaryCredentials • List Logon Sessions
• DeletePrimaryCredential • Find keys and friends
• No need to encrypt or decrypt • Decrypt/Encrypt
credentials credentials

• OS/Version ~independent • OS/Version dependent

Initialization of auth packages

Loads authentication packages and
LSASS.EXE
calls <authpkg>.dll!LsaApInitializePackage

• For Example,
msv1_0.dll!LsaApInitializepackage()

NTSTATUS LsaApInitializePackage(
__in ULONG AuthenticationPackageId,
__in PLSA_DISPATCH_TABLE LsaDispatchTable,
__in_opt PLSA_STRING Database,
__in_opt PLSA_STRING Confidentiality,
__out PLSA_STRING *AuthenticationPackageName );

Functions provided to auth packages

typedef struct LSA_DISPATCH_TABLE {
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
PLSA_ADD_CREDENTIAL AddCredential;
PLSA_GET_CREDENTIALS GetCredentials;
PLSA_DELETE_CREDENTIAL DeleteCredential;
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
PLSA_FREE_LSA_HEAP FreeLsaHeap;
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
} LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;

Functions handling credentials

NTSTATUS AddCredential(
__in PLUID LogonId,
__in ULONG AuthenticationPackage,
__in PLSA_STRING PrimaryKeyValue,
__in PLSA_STRING Credentials
);

NTSTATUS GetCredentials(
__in PLUID LogonId,
__inout PULONG QueryContext,
__in BOOLEAN RetrieveAllCredentials,
__inout PLSA_STRING PrimaryKeyValue,
__out PULONG PrimaryKeyLength,
__out PLSA_STRING Credentials
);


NTSTATUS DeleteCredential(
__in PLUID LogonId,
__in PLSA_STRING PrimaryKeyValue
);

Windows NT Logon and Authentication Model:
NTLM in detail

WINLOGON.EXE

LUID luid = LsaLogonUser( …,MSV1_0_PACKAGE_ID,… )

msv1_0.dll!LsaApLogonUser/Ex/Ex2()
• Create logon session
• Authenticates against local sam or AD
• msv1_0.dll!NlpAddPrimaryAddCredential(LUID, [username, domain,
LM/NT hashes],…)
• Lsasrv.dll!AddCredential(LUID,…)

'Use Auth
Implementation:
Package API’
Method
Summary
• Find by ‘signatures’ and heuristics
• MSV1_0.DLL!NlpAddPrimaryCredential
• MSV1_0.DLL!NlpDeletePrimaryCredential
• MSV1_0.DLL!NlpGetPrimaryCredential
• Run code inside LSASS.EXE
• Call *PrimaryCredential functions
• LSASRV.DLL functions are not called directly, eg:
• MSV1_0.DLL!NlpAddPrimaryCredential()
• LSASRV.DLL!AddCredential()

• No need to encrypt/decrypt credentials

'Use Auth Implementation:
Package API’
Method Credentials Block Format

• MSV1_0.DLL!NlpAddPrimaryCredential(PLUID pluid, BYTE* ptrtoCreds,
DWORD dwCredsSize);

• MSV1_0.DLL!NlpDeletePrimaryCredential(PLUID pluid);

• MSV1_0.DLL!NlpGetPrimaryCredential(PLUID pluid, DWORD* ptrtoCreds,
DWORD whatever);

ptrtoCreds ?

'Use Auth
Implementation:
Package API’ Credentials Block Format
Method

ptrtoCreds

typedef struct {
UNICODE_STR ustr_domain;
UNICODE_STR ustr_username;
BYTE NThash[16];
BYTE LMhash[16];
BYTE Udomain[MAX_DOMAIN_LEN];
BYTE Uuser[MAX_USERNAME_LEN];
} CREDSBLOCK;

'Use Auth
Package API’
Implementation:
Method Credentials Block Format

ptrtoCreds

+00h 000C000D
+04h 00000030
+08h 00080009
+0Ch 0000003C
+10h 11111111111111111111111111111111
+20h 22222222222222222222222222222222
+30h D0O0M0A0IN00
+3Ch T0E0S0T00

'Use Auth
Package Implementation:
API’
Method
working with Session Isolation

'Use Auth
API’
Method

Inject code LSASS.EXE
WCE.EXE

INJECTED CODE
Call
msv1_0.dll!NlpAdd
PrimaryCredential
Etc.

Session 1 Session 0

'Use Auth
Package
Implementation:
API’ working with Session Isolation
Method

'Use Auth
API’
Method

(Note: CreateRemoteThread() is not the the only way to inject & run code...)

'Use Auth
API’
Method

• Windows Vista/7/2008
• NTDLL.DLL!NtCreateThreadEx

• Windows XP/2003
• RDP / Terminal Services
• Create a Windows Service and do everything there
• WCE.EXE also acts as a Windows Service
• Installs, starts, stops and removes itself
• IPC via Named Pipe

‘Read LSASS
Memory’ Implementation
Method

• No need to run code inside LSASS.EXE (SUPER SAFE!)
• ReadProcessMemory() only!

• Reverse engineer inner workings of LSASS.EXE (LSASRV.DLL)
• Structures used internally to hold logon sessions
• Structures used internally to hold credentials
• Structures used internally to hold NTLM Hashes
• Decrypt credentials
• Find keys
• Algorithm
• Anything else needed to decrypt (e.g.: IV)

‘Read LSASS Implementation:
Memory’ Logon sessions & credentials structures
Method
LSASRV.DLL!LogonSessionList
LSASRV.DLL!LogonSessionListCount
SESSION_ENTRY
NEXT PREV … UserLen UserPtr DomainLen DomainPtr … PtrToCreds

? AuthPkgId PtrToCreds

CREDS_ENTRY
CREDS_HASH_ENTRY

? PrimaryLen PrimaryPtr HashesLen HashesPtr

NTLM LM Domain User
DomainLen DomainOff userLen userOff …
hash hash Name Name

NTLM_CREDS_BLOCK (encrypted)

‘Read LSASS Implementation:
Memory’
Method changes in SESSION_ENTRY
Windows XP/2003 Windows Vista/7/2008

struct SESSION_ENTRY { struct SESSION_ENTRY {

DWORD nextEntry; DWORD nextEntry;
DWORD prevEntry; DWORD prevEntry;
DWORD unk1; DWORD UNKNOWN[18];
DWORD unk2; DWORD userSize;
DWORD userSize; DWORD userNamePtrUnicode;
DWORD machineSize;
DWORD userNamePtrUnicode;
DWORD machinePtrUnicode;
DWORD machineSize;
…
DWORD machinePtrUnicode;
….
+0x48 DWORD PtrToCreds; +0x88 DWORD PtrToCreds;
}; };

Implementation:
LsaEncryptMemory()

Lsasrv.dll!LsaEncryptMemory()

NTLM_CREDS_BLOCK

• Encrypted with desX-CBC or RC4 • Encrypted with 3DES-CBC or AES-128-CFB
• If mod(size/8) == 0 => desX-cbc • If mod(size/8) == 0 => 3DES-CBC
• Otherwise use RC4 • Otherwise use 3DES-CBC
• Encrypted with desX-CBC • Encrypted with 3DES-CBC

Implementation
lsasrv.dll!LsaInitializeProtectedMemory (XP/2003)
0 190h
VirtualAlloc()
90h 8 8 8

cbRandomKey = 100h
pDESXTable
pRandomKey
struct DESXTable {
SystemFunction036( byte byte inWhitening[8];
Feedback[8],8) byte outWhitening[8];
DESTable desTable;
}
desxkey( pDESXTable ,
pRandomKey ) struct DESTable {
unsigned long keys[16][2];
}
SystemFunction036(
pRandomKey, cbRandomKey )

Implementation
lsasrv.dll!LsaInitializeProtectedMemory (Vista/7/2008)
h3DesProvider = BCryptOpenAlgorithmProvider( )
hAesProvider = BCryptOpenAlgorithmProvider( )
BCryptSetProperty( h3DesProvider, "CBCMode" )
BCryptSetProperty( hAesProvider, "CFBMode" )

BCryptGetProperty( h3DesProvider, "ObjectLength" )
BCryptGetProperty( hAesProvider, "ObjectLength" )

BCryptGenRandom( h3DesProvider, 24 )
h3DesKey = BCryptGenerateSymmetricKey( h3DesProvider, 24 )

BCryptGenRandom( hAesProvider, 16 )
hAesKey = BCryptGenerateSymmetricKey( hAesProvider, 16 )

BCryptGenRandom( InitializationVector, 16 )

Implementation:
crypto functions used

• Uses custom desX-CBC • Uses Cryptography API: Next
implementation Generation (CNG)
– Located in LSASRV.DLL • Exported by BCRYPT.DLL
– Is not an API • BCryptOpenAlgorithmProvider
– Not exported by any Win32
• BCryptSetProperty /
DLL
BCryptGetProperty
• BCryptGenRandom
• BCryptGenerateSymmetricKey
• BCryptEncrypt / BCryptDecrypt

Implementation
• desX-cbc ‘trick’ – ‘Reuse’ LsaEncryptMemory
CODE!LSASRV.DLL
LsaEncrptMemory()

DATA DATA
IV, DESXTABLE IV, DESXTABLE

LSASRV.DLL
LSASRV.DLL

LSASS.EXE PROCESS.EXE

Implementation:
pseudo-code (Vista/7/2008)

LSASRV.DLL!LsaInitializeProtectedMemory(..) {

…
h3DesKey = BCryptGenerateSymmetricKey(
BCryptGenRandom(24 bytes) );
…
hAesKey = BCryptGenerateSymmetricKey(BCryptGenRandom(16
bytes))
…
IV = BCryptGenRandom(16 bytes)
}

Implementation
Finding the encryption key (Vista/7/2008)
LSASRV.DLL!LsaInitializeProtected
Memory()
NTSTATUS WINAPI BCryptGenerateSymmetricKey(
__inout BCRYPT_ALG_HANDLE hAlgorithm,
__out BCRYPT_KEY_HANDLE *phKey,
__out_opt PUCHAR pbKeyObject,
__in ULONG cbKeyObject,
__in PUCHAR pbSecret,
__in ULONG cbSecret,
__in ULONG dwFlags );

Implementation

• BCRYPT_KEY_HANDLE hKey
– hKey = Pointer to Memory Block (BLOB)
– hKey + 0x3C => encryption key

• To extract key, read from LSASS.EXE(LSASRV.DLL)
– ((unsigned char*)h3DesKey)+0x3C
– ((unsigned char*))hAesKey)+0x3C

Implementation

• Actually, offset changes between OSes
– hKey + 0x3C => encryption key (Win7)
– hKey + 0x2C => encryption key (Win2008)

• To be safe, I ‘discover’ the offset at runtime
– I wrote a custom function for that
‘KeyDiscoverOffset()’

Implementation
• KeyDiscoverOffset()
– Uses CNG API to create key object with hard-coded key
– Look for hard-coded key inside BLOB pointed to by
BCRYPT_KEY_HANDLE

BCRYPT_KEY_HANDLE hKey +0h

hKey = +3Ch KKKKKKKK…
BCryptGenerateSymmetricKey(...,”K
KKKKKKK…”)
+...h

Implementation
Finding the IV (Vista/7/2008)
• IV is also needed
• To extract IV
– Read IV from LSASS.EXE (LSASRV.DLL) memory
– Symbol ‘InitializationVector’

• With IV and Key, just use CNG
– BCryptDecrypt and friends
– No need to run code inside LSASS.EXE

Implementation:
Addresses Needed


• LsaLogonSessionList • LsaLogonSessionList
• LsaLogonSessionListCount • LsaLogonSessionListCount
• DESXTable • h3DesKey
• Feedback • InitializationVector
• LsaEncryptMemory

Implementation:
Addresses Needed

• Database of addresses

• ID by SHA1 hash of LSASRV.DLL

• Yes, addresses still an issue..
• But ..
• Getlsasrvaddr.exe to the rescue..

GetLSASRVADDR.exe
• Finds needed addresses automatically
• User-friendly
• No IDC script, IDA or anything weird like that
is needed 

• Uses Microsoft symbol server
• Requires http outbound connection (!)

• Associates addresses and DLLs using SHA1

GetLSASRVADDR.exe
• Could be integrated with WCE but..
• The outbound connection might be an
issue
• huge not-there-by-default DLLs needed
• Symsrv.dll and dbghelp.dll (new version,
not the default one)

• Could implement own version of ‘symbol
server’ protocol

• Or perhaps it is best to use heuristics..

Implementation:
ASLR and Windows Vista/7/2008

• LSASRV.DLL addresses and ASLR
– Not an issue..
– To locate symbols don’t use hard-coded addresses
– Use Offsets instead
– ASLR is just at boot time
– Get current LSASRV.DLL Base Address at run-time
and add offset

WCE execution flow (simplified)
List READ
START END
Creds? MEM

XP/2003
Install/Run/Use ? Vista/7 INJECT
WCE Service /2008 CODE

CurSessionID ==
LSASessionID?

WCE vs PTH
Feature WCE PTH
Supports Windows Vista/7/2008 YES NO

Single executable YES NO
(many executables,
need to upload dll, etc)
Delete NTLM Credentials YES NO

Works with session isolation YES NO
(e.g.: via RDP)
Programmatic discovery of new YES NO
LSASRV addresses (via
getlsasrvaddr)
Seamlessly chooses code injection or YES NO
reading from memory

Conclusions
• WCE v1.1
– More features and OSes supported
– Works via RDP/Terminal Services
– No code injection needed
– Better solution for ‘addresses issue’
– ‘zombie’ logon sessions and credentials still
around in Windows 7 and family..
– Download WCE v1.1!
• http://www.ampliasecurity.com/research/wce_v1_1.tgz

‘zombie’ logon sessions and credentials
NTLM
CREDS

Logon
Session RDP/Terminal Services
connection

Domain Admin
Some Server
(e.g.: backup
server nobody
cares about)

Attacker

Preguntas?
Gracias!
Hernan Ochoa (hernan@ampliasecurity.com)

http://www.twitter.com/hernano
http://www.twitter.com/ampliasecurity
http://www.ampliasecurity.com/blog/

Hernan Ochoa - WCE Internals [RootedCON 2011]

More Related Content

What's hot (10)

Viewers also liked (20)

Similar to Hernan Ochoa - WCE Internals [RootedCON 2011] (20)

More from RootedCON (20)

Recently uploaded (20)

Hernan Ochoa - WCE Internals [RootedCON 2011]