From zero to SYSTEM on full disk encrypted windows system
1. from zero to system
Nabeel ahmed & tom gilis
on full disk encrypted windows system
2. From zero to system
on full disk encrypted windows system
ABOUT US
๏ Nabeel Ahmed, Security Researcher
and Penetration Tester, Dimension
Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team
Leader) at Dimension Data Belgium
๏More “boring” stuff like compliancy, …
๏@tgilis
๏Co-organizer of BruCON
2
3. From zero to system
on full disk encrypted windows system
Inspiration
3
4. From zero to system
on full disk encrypted windows system
November 2015
4
5. From zero to system
on full disk encrypted windows system
Ian haken
5
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature bypass
6. From zero to system
on full disk encrypted windows system
Ms15-122
๏ Implements trust relationship before local cache is updated
๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to
2012 (Windows XP, Windows Server 2003, …)
6
7. From zero to system
on full disk encrypted windows system
Bitlocker
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB Key
7
8. From zero to system
on full disk encrypted windows system
๏ TPM (Trusted Platform Module)
๏
๏
8
Bitlocker
9. From zero to system
on full disk encrypted windows system
Bitlocker tpm
9
๏ BitLocker key is stored in TPM
๏ No user interaction when decrypting
the drive
๏ Windows login screen is the first and
only line of defense
10. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Computer account password is used for trust
๏ Randomly generated every 30 days
๏ 2 computer account passwords are stored
๏ Stored in
“HKLMSECURITYPolicySecrets$machine.ACC”
10
11. From zero to system
on full disk encrypted windows system
Bypassing the patch
11
12. From zero to system
on full disk encrypted windows system
Difference
12
Legitimate DC
Rogue DC
13. From zero to system
on full disk encrypted windows system
Ticket missing
13
14. From zero to system
on full disk encrypted windows system
SPN
14
SPNs are used to support mutual authentication
between a client application and a service. A service
principal name is associated with an account and an
account can have many service principal names.
– MSDN
SPNs are usually formatted as SERVICE/HOST, but
sometimes they also include a port like
SERVICE/HOST:PORT.
15. From zero to system
on full disk encrypted windows system
Demo time
15
16. From zero to system
on full disk encrypted windows system
Kerberos Password change
16
?????????? EXP_PASS
17. From zero to system
on full disk encrypted windows system
Kerberos Password change
17
?????????? EXP_PASS
NEW_PASS
18. From zero to system
on full disk encrypted windows system
18
Conclusion
๏ Checks if a service ticket (T) has been received
BUT only validates AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ “Suggested workaround” disable local
password caching
๏ Patched on all supported Windows versions
19. From zero to system
on full disk encrypted windows system
Bluebox
19
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox
20. From zero to system
on full disk encrypted windows system
WHAT’s NEXT ?
20
๏ Extract any personal data
o Documents, emails, passwords..
๏ Requires admin privileges to :
o Retrieve BitLocker Recovery Key (or disable it)
o Install Malware
o Extract data from other users
o …
21. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Trust relationship is not always validated
๏ Working Active Directory set-up
๏ Any other Windows functionality missing trust validation?
22
22. From zero to system
on full disk encrypted windows system
PRIVILEGE ESCALATION
23
Will Group Policies work ?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements
23. From zero to system
on full disk encrypted windows system
Group Policies
24
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password
24. From zero to system
on full disk encrypted windows system
Group Policies
25
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password
25. From zero to system
on full disk encrypted windows system
Group policies
26
26. From zero to system
on full disk encrypted windows system
EXAMPLE – CMD AS SYSTEM
27
1. New Group Policy and assign it to the user account
2. Add the following configuration to the policy :
• Download file (e.g. NetCat.exe)
• Run NetCat as SYSTEM
• Connect to service as User
Screenshot Scheduled task GPO
27. From zero to system
on full disk encrypted windows system
It works!?
28
28. From zero to system
on full disk encrypted windows system
Why does it work?
29
๏ Client can successfully authenticate against the DC using
his credentials
๏ All encrypted traffic remains intact (SMB,LDAP,RPC)
๏ Assumes that the user credentials are sufficient to
acknowledge trust relationship.
๏ Reported to Microsoft, who acknowledged the vulnerability
but ...
29. From zero to system
on full disk encrypted windows system
IS it NEW ?
30
๏ Luke Jennings (MWR Labs) demonstrated how you can gain
SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting
two patches (MS15-011 and MS15-014)
๏ Jennings’ conclusion : “Even on Vista/2008 onwards, user
settings group policy can be exploited if you know a user’s
password to conduct a form of privilege escalation to gain
SYSTEM on domain members. Microsoft have shown no
intention thus far of providing a control to protect against this.”
30. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
31
31. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
32
32. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
33
33. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
34
34. From zero to system
on full disk encrypted windows system
Relative ID
User SID
35
S-1-5-21-124525095-708259637-1543119021-20937
Domain Security Identifier
Incremental
Uses Machine SID
when new domain is
created
35. From zero to system
on full disk encrypted windows system
Setting the SID
36
๏ Possibilities :
o Setting the Machine SID before the AD is created:
o Windows SysPrep – Generates new “random” SID
o Commercial tools exist
o Off-line edit the NTDS.DIT File
o SAMBA NT4 PDC to AD-DC
Lengthy, complex and prone to errors
36. From zero to system
on full disk encrypted windows system
mimikatz to the rescue
37
37. From zero to system
on full disk encrypted windows system
Demo time
38
38. From zero to system
on full disk encrypted windows system
39
Conclusion
๏ First validates trust with computer account
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …
39. From zero to system
on full disk encrypted windows system
40
40. From zero to system
on full disk encrypted windows system
Recovering original password
41
๏ (convert .sys to .dmp)
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below
Force
Hibernation
Bypass login
screen
Elevate
privileges
Extract
HIBERFIL.SYS
Reset Local
Password Cache
41. From zero to system
on full disk encrypted windows system
timeline
42
42. From zero to system
on full disk encrypted windows system
timeline
43
43. From zero to system
on full disk encrypted windows system
Take aways
44
๏ Trust relationships not always validated
๏ Don’t take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a
single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki
๏ Third time’s a charm?
o November 2015 (MS15-122)
o February 2016 (MS16-014)
o … July 2016 (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis