Skeleton Key on "MSV" SSP #449

Open
MarcoZufferli opened this issue May 13, 2024 · 1 comment

MarcoZufferli commented May 13, 2024

Hello!

I'm studying the Skeleton Key attack. In the original paper (https://www.virusbulletin.com/uploads/pdf/magazine/2016/vb201601-skeleton-key.pdf) they described that this attack is able to modify both the "MSV" SSP (NTLM authentication) and "kerberos.dll" (Kerberos authentication), installing a backdoor inside these protocols.

But in my test with "misc::skeleton" it appears that Mimikatz modifies only the SSP "Kerberos.dll". I tried with:

net use (Wireshark says it uses Kerberos) and it works
psexec from Sysinternals (Wireshark says it uses Kerberos) and it works
Enter-PSSession (Wireshark says it uses Kerberos) and it works

Can you please tell me if I'm wrong?


On my Kali, using "psexec" from Impacket (or also crackmapexec) (Wireshark says it uses NTLM), it does NOT work, as you can see in the screenshot.

@nathan-rabet

crackmapexec uses NTLM authentication by default.

To force Kerberos authentication, add -k or --kerberos to your crackmapexec command.
