
From zero to SYSTEM on full disk encrypted Windows system

Presentation given at Hack In Paris 2016



  1. From zero to SYSTEM on full disk encrypted Windows system
     Nabeel Ahmed & Tom Gilis
  2. About us
     ๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium
     ๏ I love to break things =)
     ๏ @NabeelAhmedBE
     ๏ blog.nabeelahmed.com
     ๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium
     ๏ More "boring" stuff like compliance, ...
     ๏ @tgilis
     ๏ Co-organizer of BruCON
  3. Inspiration (image slide)
  4. November 2015 (image slide)
  5. Ian Haken
     ๏ A new way to defeat FDE
     ๏ Rogue Domain Controller
     ๏ Poison the credential cache
     ๏ Windows security feature bypass
  6. MS15-122
     ๏ Validates the trust relationship before the local credential cache is updated
     ๏ Patch available for Windows Vista, Windows 7, Windows 8.1, Windows 10 and Windows Server 2008 up to 2012 (not for end-of-life Windows XP, Windows Server 2003, ...)
  7. BitLocker
     ๏ TPM (Trusted Platform Module)
     ๏ Pre-boot PIN
     ๏ USB key
  8. BitLocker
     ๏ TPM (Trusted Platform Module)
  9. BitLocker with TPM only
     ๏ The BitLocker key is stored in (sealed by) the TPM
     ๏ No user interaction when decrypting the drive
     ๏ The Windows logon screen is the first and only line of defense
  10. Trust relationship?
     ๏ The computer account password is what backs the trust
     ๏ Randomly generated and rotated every 30 days (by default)
     ๏ Two computer account passwords are kept (current and previous)
     ๏ Stored in HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC
  11. Bypassing the patch (image slide)
  12. Difference: legitimate DC vs rogue DC (image slide)
  13. Ticket missing (image slide)
  14. SPN
     "SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names." (MSDN)
     SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port: SERVICE/HOST:PORT.
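The SPN format on slide 14, and the "ticket missing" situation on slide 13, come down to one lookup: before a KDC issues a service ticket it must find the account that has the requested SPN registered; no match, no ticket. The following is an added example (not code from the talk or from Bluebox) that parses the SERVICE/HOST[:PORT][/NAME] form and performs that lookup over a constructed sample directory; the HOST_ALIASES set is an assumed subset of the service classes that the default sPNMappings attribute folds onto HOST, and the account names and hosts are made up.

```python
"""Parse Kerberos service principal names (SPNs) and resolve a requested SPN
to the account that serves it, the lookup a KDC performs before it issues a
service ticket. Added example; not code from the talk."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: a small subset of the service classes that the default
# sPNMappings attribute in Active Directory folds onto the "host" class.
HOST_ALIASES = frozenset({"cifs", "http", "www", "rpc", "rpcss", "spooler",
                          "schedule", "dns", "time", "wins"})


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def __str__(self) -> str:
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name is not None:
            text += f"/{self.service_name}"
        return text


def parse_spn(text: str) -> Spn:
    """SERVICE/HOST[:PORT][/SERVICENAME]; every part must be non-empty."""
    parts = text.split("/")
    if not 2 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, port = host_part, None
    if ":" in host_part:
        host, port_text = host_part.rsplit(":", 1)
        if not host or not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad host or port in SPN: {text!r}")
        port = int(port_text)
    return Spn(service_class, host, port, service_name)


def canonical(spn: Spn) -> Tuple[str, str, Optional[int], str]:
    """Comparison key: SPNs are case-insensitive, and aliases of HOST collapse
    onto it, so HOST/ws01 also serves cifs/ws01 and http/ws01."""
    service_class = spn.service_class.lower()
    if service_class in HOST_ALIASES:
        service_class = "host"
    return (service_class, spn.host.lower(), spn.port,
            (spn.service_name or "").lower())


def find_service_account(requested: str,
                         accounts: Dict[str, List[str]]) -> Optional[str]:
    """accounts maps sAMAccountName -> registered SPN strings. Returns the one
    account serving `requested`, None when no account does (the KDC then has no
    key to encrypt a ticket with, so the client receives none), and raises on a
    duplicate registration, which breaks Kerberos for both accounts."""
    wanted = canonical(parse_spn(requested))
    hits = [name for name, spns in accounts.items()
            if any(canonical(parse_spn(s)) == wanted for s in spns)]
    if len(hits) > 1:
        raise ValueError(f"duplicate SPN {requested!r} on {hits}")
    return hits[0] if hits else None


# Constructed sample directory contents (not taken from the talk).
SAMPLE_ACCOUNTS = {
    "DC01$": ["HOST/dc01.corp.example", "HOST/DC01",
              "ldap/dc01.corp.example", "ldap/dc01.corp.example/corp.example",
              "GC/dc01.corp.example/corp.example"],
    "WS01$": ["HOST/ws01.corp.example", "HOST/WS01"],
    "svc_sql": ["MSSQLSvc/sql01.corp.example:1433"],
}

if __name__ == "__main__":
    for spn in ("cifs/WS01.corp.example", "MSSQLSVC/sql01.corp.example:1433",
                "ldap/dc01.corp.example/corp.example", "cifs/ws99.corp.example"):
        print(f"{spn:45} -> {find_service_account(spn, SAMPLE_ACCOUNTS)}")
```

The port is part of the match (MSSQLSvc on 1433 does not serve a request for 1434), the optional third component is matched literally, and a duplicate registration is reported rather than silently picking the first account, since a real KDC cannot issue a ticket for an SPN registered on two accounts.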
  15. Demo time
  16. Kerberos password change (diagram; visible labels: ??????????, EXP_PASS)
  17. Kerberos password change (diagram; visible labels: ??????????, EXP_PASS, NEW_PASS)
  18. Conclusion
     ๏ The client checks that a service ticket (T) has been received, BUT only validates it AFTER the password change
     ๏ MS16-014 / CVE-2016-0049
     ๏ "Suggested workaround": disable local password caching
     ๏ Patched on all supported Windows versions
  19. Bluebox
     ๏ Automated exploitation of MS15-122 and MS16-014
     ๏ Less than 1 minute
     ๏ Written in Python
     ๏ Portable (runs on a Raspberry Pi)
     ๏ Kudos to Ian Haken (@ianhaken)
     ๏ https://github.com/JackOfMostTrades/bluebox
  20. What's next?
     ๏ Extract any personal data
       o Documents, emails, passwords, ...
     ๏ Admin privileges are required to:
       o Retrieve the BitLocker recovery key (or disable BitLocker)
       o Install malware
       o Extract data from other users
       o ...
  21. Trust relationship?
     ๏ The trust relationship is not always validated
     ๏ Working Active Directory set-up
     ๏ Any other Windows functionality missing trust validation?
  22. Privilege escalation: will Group Policies work?
     ๏ Works on all supported Windows versions
     ๏ No need for additional (vulnerable) software
     ๏ No specific configuration requirements
  23. Group Policies
                          User Configuration              Computer Configuration
     Applied              During login (or on refresh)    Before login (or on refresh)
     Runs with            User or SYSTEM privileges       SYSTEM privileges
     Authenticated by     User account password           Machine account password
  24. Group Policies (repeats the table of slide 23)
  25. Group Policies (image slide)
  26. Example: CMD as SYSTEM
     1. Create a new Group Policy and assign it to the user account
     2. Add the following configuration to the policy:
        • Download a file (e.g. NetCat.exe)
        • Run NetCat as SYSTEM (scheduled task GPO)
        • Connect to the service as the user
     (screenshot of the scheduled task GPO)
  27. It works!? (image slide)
  28. Why does it work?
     ๏ The client can successfully authenticate against the DC using the user's credentials
     ๏ All encrypted traffic remains intact (SMB, LDAP, RPC)
     ๏ Windows assumes that the user credentials are sufficient to acknowledge the trust relationship
     ๏ Reported to Microsoft, who acknowledged the vulnerability but ...
  29. Is it new?
     ๏ Luke Jennings (MWR Labs) demonstrated in March 2015 how you can gain SYSTEM access through a MITM
     ๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)
     ๏ Jennings' conclusion: "Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user's password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this."
  30. Windows 10? (image slide)
  31. Windows 10? (image slide)
  32. Win 7 vs Win 10 (image slide)
  33. Win 7 vs Win 10 (image slide)
  34. User SID
     S-1-5-21-124525095-708259637-1543119021-20937
     ๏ S-1-5-21-124525095-708259637-1543119021 is the domain security identifier
     ๏ 20937 is the relative ID (RID), allocated incrementally
     ๏ The domain SID is taken from the machine SID of the computer on which the new domain is created
  35. Setting the SID
     ๏ Possibilities:
       o Set the machine SID before the AD is created:
         - Windows Sysprep generates a new "random" SID
         - Commercial tools exist
       o Off-line edit of the NTDS.DIT file
       o Samba NT4 PDC to AD-DC migration
     ๏ Lengthy, complex and prone to errors
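Slides 34 and 35 hinge on the structure of a SID: the cached user SID carries the domain identifier, so a rogue domain has to reproduce the real domain SID before anything it issues for that user lines up. The following is an added example (not code from the talk or from mimikatz) that parses the string form, splits a domain account SID into domain identifier and RID, converts to and from the binary layout Windows stores, and compares the domain parts of two SIDs; the SID on slide 34 is used as input, the other SIDs are constructed, and the well-known RID table is a short subset.

```python
"""Parse, split and serialize Windows security identifiers (SIDs). Added
example; not code from the talk."""
import struct
from dataclasses import dataclass
from typing import Tuple

# RIDs that Windows reserves in every domain (short subset, fixed values).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   516: "Domain Controllers", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """S-<revision>-<authority>[-<sub>...]; at most 15 sub-authorities."""
        parts = text.strip().split("-")
        if (len(parts) < 3 or parts[0].upper() != "S"
                or not all(p.isdigit() for p in parts[1:])):
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
                or any(s >= 1 << 32 for s in subs)):
            raise ValueError(f"out-of-range SID: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Binary SID: Revision (1), SubAuthorityCount (1), IdentifierAuthority
        (6, big-endian), then SubAuthorityCount little-endian DWORDs."""
        if len(data) < 8:
            raise ValueError("truncated SID")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match SubAuthorityCount")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        return (bytes([self.revision, len(self.sub_authorities)])
                + self.identifier_authority.to_bytes(6, "big")
                + struct.pack(f"<{len(self.sub_authorities)}I",
                              *self.sub_authorities))

    def __str__(self) -> str:
        return "S-" + "-".join(str(x) for x in
                               (self.revision, self.identifier_authority,
                                *self.sub_authorities))

    @property
    def is_domain_principal(self) -> bool:
        """Accounts in a domain (or local SAM) look like S-1-5-21-a-b-c-RID."""
        return (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def domain(self) -> "Sid":
        """The domain identifier: everything except the trailing RID."""
        if not self.is_domain_principal:
            raise ValueError(f"{self} carries no domain identifier")
        return Sid(self.revision, self.identifier_authority,
                   self.sub_authorities[:4])

    @property
    def rid(self) -> int:
        if not self.is_domain_principal:
            raise ValueError(f"{self} carries no RID")
        return self.sub_authorities[-1]


def same_domain(a: str, b: str) -> bool:
    """True when two account SIDs share a domain identifier, which is what a
    client needs before a SID from a DC can be matched against a cached one."""
    return Sid.from_string(a).domain == Sid.from_string(b).domain


def describe(text: str) -> str:
    sid = Sid.from_string(text)
    if not sid.is_domain_principal:
        return f"{sid}: not a domain principal"
    label = WELL_KNOWN_RIDS.get(sid.rid, "allocated RID")
    return f"{sid}: domain {sid.domain}, RID {sid.rid} ({label})"


if __name__ == "__main__":
    # SID from the talk's slide 34, plus constructed ones.
    for s in ("S-1-5-21-124525095-708259637-1543119021-20937",
              "S-1-5-21-124525095-708259637-1543119021-500", "S-1-5-18"):
        print(describe(s))
```

The binary form matters in practice because that is how the SID appears in registry secrets, security descriptors and NTDS.DIT; the 6-byte authority is big-endian while each sub-authority is a little-endian DWORD, so an off-line edit that gets one of the two byte orders wrong produces a SID that parses but never matches.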
  36. mimikatz to the rescue (image slide)
  37. Demo time
  38. Conclusion
     ๏ The fix first validates the trust with the computer account
     ๏ MS16-072 / CVE-2016-3223
     ๏ Took approx. 8 months to patch and then ...
  39. (image slide)
  40. Recovering the original password
     Force hibernation -> Bypass the login screen -> Elevate privileges -> Extract HIBERFIL.SYS -> Reset the local password cache
     ๏ Convert the .sys file to a .dmp
     ๏ WinDbg
     ๏ Mimikatz (extract plaintext credentials)
     ๏ Only Windows 7 and below
  41. Timeline (image slide)
  42. Timeline (image slide)
  43. Take-aways
     ๏ Trust relationships are not always validated
     ๏ Don't take physical security for granted
     ๏ Backwards compatibility makes patching very difficult
     ๏ Bypassing authentication and escalating privileges without a single line of code
     ๏ Kudos to Ian Haken (@ianhaken) and Benjamin Delpy (@gentilkiwi)
     ๏ Third time's a charm?
       o November 2015 (MS15-122)
       o February 2016 (MS16-014)
       o ... July 2016 (MS16-???)
     @nabeelahmedbe  blog.ahmednabeel.com  @tgilis
