From zero to SYSTEM on full disk encrypted Windows system
Nabeel Ahmed & Tom Gilis
ABOUT US
๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium
๏ More "boring" stuff like compliance, …
๏ @tgilis
๏ Co-organizer of BruCON
Inspiration
November 2015
Ian Haken
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature Bypass
MS15-122
๏ Fix: validates the trust relationship with the DC before the local credential cache is updated
๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …)
BitLocker key protectors
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB Key
BitLocker with TPM only
๏ BitLocker key is sealed in the TPM and released at boot when the measured boot chain is unchanged
๏ No user interaction when decrypting the drive
๏ Windows login screen is the first and only line of defense
Trust relationship?
๏ Computer account password is used for the trust relationship between the domain member and the domain
๏ Randomly generated and changed every 30 days (default)
๏ 2 computer account passwords are stored (current and previous)
๏ Stored in HKLM\SECURITY\Policy\Secrets\$machine.ACC (CurrVal and OldVal)
Bypassing the patch
Difference
[Screenshots: Kerberos traffic against a legitimate DC vs. against a rogue DC]
Ticket missing
SPN
"SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names." – MSDN
SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port like SERVICE/HOST:PORT.
Demo time
Kerberos password change
[Diagram, two builds. Labels on the slide: ?????????? (the user's current password, unknown to the attacker), EXP_PASS (the rogue DC reports the password as expired), NEW_PASS (the new password entered at the change prompt)]
Conclusion
๏ Checks that a service ticket (T) has been received, BUT only validates it AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ "Suggested workaround": disable local password caching (no cached domain logons, so no offline logon either)
๏ Patched on all supported Windows versions
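The ordering bug in the bullet above, as an added example that is not part of the slides or of Bluebox: a toy model of the password-change path on a domain member. The "service ticket" is stood in for by an HMAC over the client's own host SPN under the machine account secret, which only a legitimate DC knows; the cached credential is a plain hash rather than the real DCC2 format. Host name, user names, passwords and secrets are all constructed for the example. `validate_first=False` is the MS15-122 behaviour (ticket required, but checked only after the cache update), `validate_first=True` the MS16-014 ordering.

```python
"""Added example (not from the slides or Bluebox): why MS15-122 was bypassable.
All names, passwords and secrets below are constructed."""
import hashlib
import hmac
import secrets

HOST_SPN = "HOST/LAPTOP01.corp.example"        # constructed host SPN of the victim laptop


def cache_verifier(password: str) -> bytes:
    """Stand-in for the cached domain credential (real DCC2 is PBKDF2 over the
    NT hash; a SHA-256 over the UTF-16 password is enough for the model)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def service_ticket(machine_secret: bytes, spn: str) -> bytes:
    """Stand-in for a service ticket for the client's own host SPN: only a DC that
    knows the machine account secret can produce one the client will accept."""
    return hmac.new(machine_secret, spn.encode(), hashlib.sha256).digest()


class LegitimateDC:
    def __init__(self, machine_secret: bytes, users: dict):
        self.machine_secret = machine_secret
        self.users = dict(users)                    # user -> current password

    def change_password(self, user, old, new):
        if self.users.get(user) != old:
            return "KDC_ERR_PREAUTH_FAILED", None
        self.users[user] = new
        return "OK", service_ticket(self.machine_secret, HOST_SPN)


class RogueDC:
    """Attacker's DC: accepts any old password and returns a ticket-shaped blob,
    because it does not know the real machine account secret."""
    def change_password(self, user, old, new):
        return "OK", secrets.token_bytes(32)


class DomainMember:
    def __init__(self, machine_secret: bytes, cache: dict):
        self.machine_secret = machine_secret
        self.cache = dict(cache)                    # user -> cached verifier

    def ticket_is_valid(self, ticket: bytes) -> bool:
        expected = service_ticket(self.machine_secret, HOST_SPN)
        return hmac.compare_digest(expected, ticket)

    def change_password(self, dc, user, old, new, validate_first: bool) -> bool:
        status, ticket = dc.change_password(user, old, new)
        if status != "OK" or ticket is None:        # MS15-122: a ticket must be present
            return False
        if validate_first and not self.ticket_is_valid(ticket):
            return False                            # MS16-014: verify before touching the cache
        self.cache[user] = cache_verifier(new)      # poisoned when validate_first is False
        if not validate_first and not self.ticket_is_valid(ticket):
            return False                            # too late: the cache is already updated
        return True

    def offline_logon(self, user, password) -> bool:
        entry = self.cache.get(user)
        return entry is not None and hmac.compare_digest(entry, cache_verifier(password))


def rogue_dc_attack(validate_first: bool) -> bool:
    """True when the attacker's chosen password works for offline logon afterwards."""
    machine_secret = secrets.token_bytes(32)
    victim = DomainMember(machine_secret, {"alice": cache_verifier("RealPassw0rd!")})
    victim.change_password(RogueDC(), "alice", "unknown", "Attacker1!", validate_first)
    return victim.offline_logon("alice", "Attacker1!")


def legitimate_change(validate_first: bool) -> bool:
    """Sanity check: against a real DC the user can still change their password."""
    machine_secret = secrets.token_bytes(32)
    dc = LegitimateDC(machine_secret, {"alice": "RealPassw0rd!"})
    member = DomainMember(machine_secret, {"alice": cache_verifier("RealPassw0rd!")})
    ok = member.change_password(dc, "alice", "RealPassw0rd!", "NewPassw0rd!", validate_first)
    return ok and member.offline_logon("alice", "NewPassw0rd!")


if __name__ == "__main__":
    print("MS15-122 ordering, attacker logs on offline:", rogue_dc_attack(validate_first=False))
    print("MS16-014 ordering, attacker logs on offline:", rogue_dc_attack(validate_first=True))
```

With the MS15-122 ordering the bogus ticket is rejected and the user sees an error, but the cache already holds the attacker's password; with the check moved before the cache update the rogue DC gains nothing.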
Bluebox
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox
WHAT'S NEXT?
๏ Extract any personal data
  o Documents, emails, passwords, …
๏ Requires admin privileges to:
  o Retrieve the BitLocker recovery key (or disable BitLocker)
  o Install malware
  o Extract data from other users
  o …
Trust relationship?
๏ Trust relationship is not always validated
๏ Requires a working Active Directory set-up (rogue DC)
๏ Any other Windows functionality missing trust validation?
PRIVILEGE ESCALATION
Will Group Policies work?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements
Group Policies

                      User Configuration             Computer Configuration
Applied               During login (or on refresh)   Before login (or on refresh)
Runs with             User or SYSTEM privileges      SYSTEM privileges
Authenticated with    User account password          Machine account password

[Screenshot: Group Policy Management Editor]
EXAMPLE – CMD AS SYSTEM
1. Create a new Group Policy (User Configuration) and assign it to the user account
2. Add the following configuration to the policy:
• Download a file (e.g. NetCat.exe)
• Run NetCat as SYSTEM (scheduled task)
• Connect to the listening service as the user
[Screenshot: scheduled task GPO]
It works!?
Why does it work?
๏ The client can successfully authenticate against the DC using the user's credentials
๏ All encrypted traffic remains intact (SMB, LDAP, RPC)
๏ Windows assumes that the user credentials are sufficient to acknowledge the trust relationship
๏ Reported to Microsoft, who acknowledged the vulnerability but ...
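A defender's check for the policy shape used in the example above, as an added example that is not part of the slides: scan a Group Policy Preferences ScheduledTasks.xml for tasks that are delivered through the User Configuration side of a GPO yet run as SYSTEM. The XML is a constructed sample in the GPP scheduled-task format (the clsid and uid GUIDs are placeholders), and the SYSVOL path layout `<GPO GUID>\User\Preferences\ScheduledTasks\ScheduledTasks.xml` is assumed; the function only decides from the path whether a file belongs to User Configuration.

```python
"""Added example (not from the slides): flag GPP scheduled tasks in a GPO's User
Configuration that run as SYSTEM. Sample XML and path below are constructed."""
import xml.etree.ElementTree as ET

# Account names that mean "run as SYSTEM" in a GPP task, compared case-insensitively.
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "localsystem", "s-1-5-18"}

# Constructed sample: one task running as SYSTEM (the netcat listener from the
# example), one harmless task running as the logged-on user.
SAMPLE_XML = r"""<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000001}">
  <TaskV2 clsid="{00000000-0000-0000-0000-000000000002}" name="Update" changed="2016-03-01 10:00:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Principals><Principal id="Author"><userId>NT AUTHORITY\System</userId><runLevel>HighestAvailable</runLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>C:\Windows\Temp\nc.exe</Command><Arguments>-L -p 4444 -e cmd.exe</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{00000000-0000-0000-0000-000000000002}" name="Cleanup" changed="2016-03-01 10:00:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="C" name="Cleanup" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2">
        <Principals><Principal id="Author"><userId>%LogonDomain%\%LogonUser%</userId><runLevel>LeastPrivilege</runLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c del /q %TEMP%\*.tmp</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Constructed SYSVOL path; the assumed layout puts User Configuration preferences under \User\.
SAMPLE_PATH = r"\\corp.example\SYSVOL\corp.example\Policies\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\User\Preferences\ScheduledTasks\ScheduledTasks.xml"


def is_user_side(sysvol_path: str) -> bool:
    """True when the file sits under the GPO's User\\Preferences\\ tree (assumed layout)."""
    parts = [p.lower() for p in sysvol_path.replace("/", "\\").split("\\")]
    return "user" in parts and "preferences" in parts


def runs_as_system(task: ET.Element) -> bool:
    """Check both the GPP runAs attribute and every <userId> principal of the task."""
    props = task.find("Properties")
    if props is None:
        return False
    candidates = [props.get("runAs", "")]
    candidates += [u.text or "" for u in props.iter("userId")]
    return any(c.strip().lower() in SYSTEM_ACCOUNTS for c in candidates)


def find_user_side_system_tasks(xml_text: str, sysvol_path: str) -> list:
    """Return the tasks that a user-side GPO would run as SYSTEM, with their command line."""
    if not is_user_side(sysvol_path):
        return []                       # Computer Configuration tasks run as SYSTEM by design
    findings = []
    for task in ET.fromstring(xml_text):   # Task, TaskV2, ImmediateTask, ImmediateTaskV2 children
        if not runs_as_system(task):
            continue
        exe = task.find(".//Exec")
        findings.append({
            "task": task.get("name"),
            "type": task.tag,
            "command": exe.findtext("Command", "") if exe is not None else "",
            "arguments": exe.findtext("Arguments", "") if exe is not None else "",
        })
    return findings


if __name__ == "__main__":
    for hit in find_user_side_system_tasks(SAMPLE_XML, SAMPLE_PATH):
        print(f"{hit['type']} '{hit['task']}' runs as SYSTEM: {hit['command']} {hit['arguments']}")
```

Run it over every ScheduledTasks.xml under a domain's SYSVOL share; a SYSTEM task on the user side of a GPO is exactly the configuration the example slide creates and is rarely legitimate.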
IS IT NEW?
๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)
๏ Jennings' conclusion: "Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user's password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this."
WINDOWS 10?
[Screenshot slides]
WIN 7 vs Win 10
[Screenshot slides]
User SID
S-1-5-21-124525095-708259637-1543119021-20937
๏ Domain Security Identifier: S-1-5-21-124525095-708259637-1543119021 (uses the machine SID when a new domain is created)
๏ Relative ID (RID): 20937 (incremental)
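As an added example that is not from the slides or from mimikatz, the following Python splits a SID into the two parts labelled above, converts it to and from the binary layout Windows uses (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and checks whether two account SIDs belong to the same domain, which is what has to hold for the rogue domain once the SID is set as described on the next slide. The user SID is the one on the slide; the other SIDs are constructed.

```python
"""Added example (not from the slides): SID parsing, binary encoding and
domain/RID split. USER_SID is the one on the slide; the rest is constructed."""
import struct

USER_SID = "S-1-5-21-124525095-708259637-1543119021-20937"   # from the slide


def parse_sid(text: str):
    """'S-<rev>-<authority>-<sub>-...' -> (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauths) > 15 or any(s > 0xFFFFFFFF for s in subauths):
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subauths


def sid_to_bytes(text: str) -> bytes:
    """Binary SID: revision(1) count(1) authority(6, big-endian) sub-authorities(4 each, little-endian)."""
    revision, authority, subauths = parse_sid(text)
    head = struct.pack(">BB", revision, len(subauths)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauths)


def sid_from_bytes(data: bytes) -> str:
    """Inverse of sid_to_bytes, as found in tokens, ACLs and NTDS.DIT."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subauths = struct.unpack("<" + "I" * count, data[8:8 + 4 * count])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subauths))


def split_domain_rid(text: str):
    """Domain account SIDs are S-1-5-21-<a>-<b>-<c>-<RID>; return (domain SID, RID)."""
    revision, authority, subauths = parse_sid(text)
    if authority != 5 or len(subauths) != 5 or subauths[0] != 21:
        raise ValueError(f"not a domain account SID: {text!r}")
    domain = "S-1-5-21-" + "-".join(str(s) for s in subauths[1:4])
    return domain, subauths[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both account SIDs carry the same domain SID (RIDs may differ)."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


if __name__ == "__main__":
    domain, rid = split_domain_rid(USER_SID)
    print("domain SID:", domain, "RID:", rid)
    print("binary:", sid_to_bytes(USER_SID).hex())
    # Constructed: same RID under a different domain SID is a different account.
    print("same domain as S-1-5-21-1-2-3-20937:", same_domain(USER_SID, "S-1-5-21-1-2-3-20937"))
```

A rogue domain with a different domain SID can hand out a user with the same RID, but `same_domain` is false for it; only when the rogue domain reuses the original domain SID do the two account SIDs become identical.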
Setting the SID
๏ Possibilities:
  o Setting the machine SID before the AD is created:
    o Windows Sysprep generates a new "random" SID
    o Commercial tools exist
  o Off-line edit of the NTDS.DIT file
  o Samba NT4 PDC upgraded to an AD DC
Lengthy, complex and prone to errors
mimikatz to the rescue
Demo time
Conclusion
๏ Fix: trust is first validated with the computer account (user policy is now retrieved in the computer's security context)
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …
Recovering the original password
Force hibernation → Bypass login screen → Elevate privileges → Extract HIBERFIL.SYS → Reset local password cache
๏ Convert hiberfil.sys to a .dmp
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below (later versions no longer keep plaintext credentials in LSASS memory by default)
Timeline
[Timeline slides]
Takeaways
๏ Trust relationships are not always validated
๏ Don't take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilkiwi
๏ Third time's a charm?
  o November 2015 (MS15-122)
  o February 2016 (MS16-014)
  o … July 2016 (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 

From zero to SYSTEM on full disk encrypted windows system

  • 13. Ticket missing
  • 14. SPN
    “SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names.” – MSDN
    SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port, like SERVICE/HOST:PORT.
  • 15. Demo time
  • 16. Kerberos password change (diagram: ?????????? EXP_PASS)
  • 17. Kerberos password change (diagram: ?????????? EXP_PASS NEW_PASS)
  • 18. Conclusion
    ๏ Checks if a service ticket (T) has been received, BUT only validates it AFTER the password change
    ๏ MS16-014 / CVE-2016-0049
    ๏ “Suggested workaround”: disable local password caching
    ๏ Patched on all supported Windows versions
  • 19. Bluebox
    ๏ Automated exploitation of MS15-122 and MS16-014
    ๏ Less than 1 minute
    ๏ Written in Python
    ๏ Portable (Raspberry Pi)
    ๏ Kudos to Ian Haken (@ianhaken)
    ๏ https://github.com/JackOfMostTrades/bluebox
  • 20. What’s next?
    ๏ Extract any personal data
      o Documents, emails, passwords, …
    ๏ Requires admin privileges to:
      o Retrieve the BitLocker Recovery Key (or disable it)
      o Install malware
      o Extract data from other users
      o …
  • 21. Trust relationship?
    ๏ Trust relationship is not always validated
    ๏ Working Active Directory set-up
    ๏ Any other Windows functionality missing trust validation?
  • 22. Privilege escalation: will Group Policies work?
    ๏ Works on all supported Windows versions
    ๏ No need for additional (vulnerable) software
    ๏ No specific configuration requirements
  • 23. Group Policies
    User Configuration: applied during login (or on refresh); runs with User or SYSTEM privileges; authenticated with the user account password
    Computer Configuration: applied before login (or on refresh); runs with SYSTEM privileges; authenticated with the machine account password
  • 24. Group Policies (same comparison as slide 23)
  • 25. Group policies
  • 26. Example – CMD as SYSTEM
    1. Create a new Group Policy and assign it to the user account
    2. Add the following configuration to the policy:
      • Download a file (e.g. NetCat.exe)
      • Run NetCat as SYSTEM
      • Connect to the service as User
    (Screenshot: scheduled task GPO)
  • 27. It works!?
  • 28. Why does it work?
    ๏ The client can successfully authenticate against the DC using its credentials
    ๏ All encrypted traffic remains intact (SMB, LDAP, RPC)
    ๏ Assumes that the user credentials are sufficient to acknowledge the trust relationship
    ๏ Reported to Microsoft, who acknowledged the vulnerability but ...
  • 29. Is it new?
    ๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015
    ๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)
    ๏ Jennings’ conclusion: “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”
  • 30. Windows 10?
  • 31. Windows 10?
  • 32. Win 7 vs Win 10
  • 33. Win 7 vs Win 10
  • 34. User SID: S-1-5-21-124525095-708259637-1543119021-20937
    Domain Security Identifier (S-1-5-21-124525095-708259637-1543119021): uses the Machine SID when a new domain is created
    Relative ID (20937): incremental
  • 35. Setting the SID
    ๏ Possibilities:
      o Setting the Machine SID before the AD is created:
        o Windows SysPrep – generates a new “random” SID
        o Commercial tools exist
      o Off-line edit of the NTDS.DIT file
      o SAMBA NT4 PDC to AD-DC
    Lengthy, complex and prone to errors
  • 36. mimikatz to the rescue
  • 37. Demo time
  • 38. Conclusion
    ๏ First validates trust with the computer account
    ๏ MS16-072 / CVE-2016-3223
    ๏ Took approx. 8 months to patch and then …
  • 39. (no text on this slide)
  • 40. Recovering original password
    ๏ (convert .sys to .dmp)
    ๏ WinDbg
    ๏ Mimikatz (extract plaintext credentials)
    ๏ Only Windows 7 and below
    (Diagram steps: Force hibernation, Bypass login screen, Elevate privileges, Extract HIBERFIL.SYS, Reset local password cache)
  • 41. Timeline
  • 42. Timeline
  • 43. Take aways
    ๏ Trust relationships not always validated
    ๏ Don’t take physical security for granted
    ๏ Backwards compatibility makes patching very difficult
    ๏ Bypassing authentication and escalating privileges without a single line of code
    ๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki
    ๏ Third time’s a charm?
      o November 2015 (MS15-122)
      o February 2016 (MS16-014)
      o … July 2016 (MS16-???)
    @nabeelahmedbe blog.ahmednabeel.com @tgilis
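Slide 34 shows how a user SID splits into a domain SID and an incrementally assigned RID, the property the deck's Win 7 vs Win 10 slides point at when the rogue DC's SID has to be set. The following is an added example (not code from the deck, from bluebox, or from mimikatz) that parses a textual SID, separates the domain part from the RID, checks whether two accounts carry the same domain SID, and round-trips the standard Windows binary SID layout; the SID value is the one from the slide, and the comparison SIDs in the test are constructed.

```python
import struct

# SID shown on slide 34 of the deck; all other SIDs used here are constructed.
USER_SID = "S-1-5-21-124525095-708259637-1543119021-20937"


def parse_sid(sid: str):
    """Split a textual SID into (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"out-of-range field in SID: {sid!r}")
    return revision, authority, subs


def split_domain_rid(sid: str):
    """Return (domain SID, RID) for a domain account SID of the form S-1-5-21-X-Y-Z-RID."""
    revision, authority, subs = parse_sid(sid)
    # NT authority (5), sub-authority 21 and three 32-bit values identify the domain;
    # the trailing value is the account's Relative ID, which the DC hands out incrementally.
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:4]))
    return domain, subs[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both account SIDs were issued by the same domain (identical domain SID)."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision, sub-authority count, 48-bit big-endian identifier
    authority, then each sub-authority as a little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes) -> str:
    """Inverse of sid_to_bytes, rejecting a buffer whose length disagrees with its count."""
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    print(split_domain_rid(USER_SID))
    print(sid_to_bytes(USER_SID).hex())
```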