BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation
This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – how do you design services that are breach-resistant and make authentication harder to crack?

1. Reality Bites
The Attacker’s View of Windows Authentication and Post-exploitation
Chris CAMPBELL `obscuresec`
Benjamin DELPY `gentilkiwi`
Skip DUCKWALL `passingthehash`
2. `whoami /groups` ?
Chris CAMPBELL - @obscuresec
– Pentester / Researcher / Former Army Red Team
– One of the authors of PowerSploit
• PowerShell based post-exploitation toolkit
– Presented at Blackhat, Defcon, and more
Benjamin DELPY - @gentilkiwi
– Security researcher (the French guy with flashy Tahitian shirts)
– Author of mimikatz
– Presented at Black Hat, Defcon, PHDays, and more
Skip DUCKWALL - @passingthehash
– Pentester / Researcher / Former Army Red Team
– Patched pass-the-hash functionality into many tools used by pentesters
– Presented at Blackhat, Defcon, and more
10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation
3. What we’re talking about
The world that exists outside Microsoft
Windows authentication in the real world
Popular attacks against Windows authentication in the real world
mimikatz
4. One quick question?
Who won the Xbox One?
All three of us have asked a lot
– Even at MSRC ;)
So let’s use #askpth
– … as the official hashtag of this talk!
5. The Idealistic View
Everybody runs the most up-to-date software
– All clients are Windows 8.1 / servers are 2012R2
– Domain / forest is at 2012R2 functional level
– All software is patched quickly
– Completely homogeneous Microsoft environment
6. A More Realistic View - Environment
Heterogeneous environments
Mix of Linux / Unix / Windows on the server side
– License costs prohibitive if not bundled with server hardware
– Virtualization makes spinning up new servers quick and easy
• license costs can grow quickly as well
Desktops are often a mix of various flavors of Windows
– Some OSX / Macs as well
Unix authentication sometimes integrated with Active Directory
– LDAP
7. The Realistic View - Patching
Patching is inconsistent
– Especially 3rd-party software
• Java / Acrobat Reader
Some services will be patched quickly
Some services on ‘don’t touch’ lists
Patching usually inversely proportional to the criticality of the system
8. The Realistic View - Desktop
Most enterprises are still transitioning from XP to Windows 7
– Licenses are expensive and often paired with hardware upgrades
None of the enterprises we’ve seen use 8.1
– Most enterprises have decided to see what happens with 10+ (XP approach)
Some places still have 2000 or NT and older
– See @Viss scan of the internet – Shodan HQ
9. The Realistic View - Office
Mix of Office 2007 / 2010 in use
– with a lot of VBA ;)
Little incentive to upgrade
– Making stuff more “cloud capable” causes issues in many enterprises
• 3rd party doctrine regarding information remaining private / confidential
• Ownership issues
• Technology has evolved, laws haven’t caught up
10. The Realistic View – Server OS
Many places still run 2003 domain functional level and are only now transitioning to 2008 / 2008R2
Most Windows servers are running 2008 / 2008R2
Server 2003 being transitioned away from due to EOL
Server 2012 / 2012R2 has some traction
Criticality of server determines upgrades
– More critical, less likely
11. The Realistic View - Other Server Software
SQL server
– Whatever version the developer / app wanted to use when installed
– Usually multiple versions at the same time
– If the app works, little incentive to upgrade
Exchange
– 2007 or 2010
– Not a lot of incentive to upgrade since it’s viewed as critical infrastructure
SharePoint
– 2007 or 2010
– Not a lot of incentive to upgrade depending on usage
12. The Net Result?
New features for the latest software will not be present in the average environment
Most enterprises will not regard a new security feature as worth upgrading the platform for
It could be 5+ years before some features will be seen in the average environment
13. Attackers in the Real World (1)
“Real World” attack knowledge suffers from research bias
– Sometimes we only find what we’re looking for
– Once we find something in the past, we tend to look for that first the next time
– New or novel attacks go unnoticed for years
Attackers are less interested in being disruptive
Attackers are more interested in gaining access to corporate data
– Domain / enterprise admin usually not the ultimate goal
– Usually a checkpoint along the way to find the people with access to the goods
– Possible with targeted attacks to never touch any privileged accounts
• Example: Target devs or HR
14. Attackers in the Real World (2)
Most discovered attacks don’t involve 0-day exploits
– 0-days are expensive
– More difficult to discover post-attack
– Likely only required for hardened targets
Most breach responders overestimate their defensive capabilities, therefore overestimate attacker capabilities
15. Attackers in the Real World (3)
Client-side attacks combined with social engineering are the most likely vectors
– Everybody clicks on dancing cats
– Email addresses are easy to collect or figure out
– Client-side vulnerabilities appear to be more plentiful
– Some products have come a long way: IE with EMET
– Some still have a ways to go: Java / Flash / Acrobat Reader
– Recentish breaches give attackers access to employees’ social networks
• Easier to create more legit-looking context
Use an exploit to start, then depend on bad architecture to work deeper
16. Attackers in the Real World (4)
After initial compromise, attackers will take their time on post-exploitation
– Targeted information sought
• Client lists
• Source Code
• Schematics
• Financial Information
• Credit card info / PII / PHI
• Private keys / certificates / code signing certs
Attackers usually have weeks to months
– Detection usually takes months based on the latest Verizon report
• http://www.verizonenterprise.com/DBIR/
17. Post-exploitation Techniques (1)
An entirely different talk
A few highlights
– Group Policy Preferences
• Anybody with access to DC could recover any credentials set with GPP
• Potentially allows elevation in automation scripts
• ~Patched with MS14-025
– Plaintext credentials in automation scripts
• Mount a share somewhere, copy stuff
– Service accounts
• Tend to be privileged with easy-to-guess passwords that haven’t changed in years
18. Post-exploitation Techniques (2)
Poorly configured file shares
– Password lists
• Search for ‘password.txt’
– Backups of critical infrastructure / configs
– Unattended installers
• If it automagically joins the domain, there’s a password somewhere
Poorly configured SharePoint
– Use the search functionality to find password lists and config files
19. Post-exploitation Tools (1)
Attackers have a wide variety of tools they can use
Many are legit tools being used nefariously
– PowerShell
• Allows access to WINAPI / entire .NET framework
• Can be used to bypass even the most mature application whitelisting products
• Trivial AV bypass
– SysInternals
• Why not do ‘bad things’ with Microsoft signed binaries?
• PsExec, AdExplorer, ProcDump, and others
20. Post-exploitation Tools (2)
NT Resource Kit
– Many useful utilities that are now built-in commands
– sc, dnsquery, etc
– srvany – make any program a service
Built-in commands
– net.exe, cmd.exe, netsh.exe
Some tools are really only useful for post-exploitation
– mimikatz
21. mimikatz (1)
Designed by Benjamin to learn more about Windows programming
– Seriously
– We aren’t joking
Exposed several issues with plaintext passwords being stored in memory
– Passwords being stored in LSASS by various SSPs
• WDigest and others
– Partially fixed by Microsoft
– Passwords will be back in LSASS if users need certain SSO
– Third party SSPs still have access to passwords
• RSA for example
• mimikatz rolled its own as well
22. mimikatz (2)
Can recover keys / hashes for accounts in memory
Can be used to implement pass-the-hash attacks
– PTH = using hashes as password equivalents
– NTLM is DESIGNED this way
– Windows OS uses PTH
• NTLM service provider only stores the hash in memory
[Figure: hash as stored in memory, LM / NTLM (md4); NTLM value cc36cf7a8514893efccd332446158b1a]
23. mimikatz (3)
Can be used to implement Kerberos attacks
– Can be used to recover a user’s Kerberos tickets
• Both TGTs and service tickets
– Can be used to insert tickets into LSASS for use
• Using a native Windows API
– Can be used to upgrade NTLM hash to a Kerberos ticket
• This is “overpass-the-hash”
• Introduced at Black Hat USA 2014
• Also works for recovered AES keys on the client side
[Figure: LSASS (kerberos) keys for the « chocolate.local » domain: des_cbc_md5, rc4_hmac_nt (NTLM/md4) cc36cf7a8514893efccd332446158b1a, aes128_hmac, aes256_hmac; exchange with the KDC: TGT, ③ TGS-REQ, ④ TGS-REP, TGS, ⑤ Usage]
24. Demo !
New version of mimikatz in new version of Windows in front of Microsoft staff
25. mimikatz :: Golden Tickets (1)
Can be used to implement Golden Ticket attacks
– If KRBTGT hash/keys lost
• Domain dump
– Password audit (legitimate use case)
– Poorly redacted pentest report
• Other
– Compromise
– File backup of the domain controller
• Shadow copy trick
• Recovery of backup tapes or access to backup file share
– Compromise of virtual machine infrastructure
• Copy the drive image or a snapshot of the image
26. mimikatz :: Golden Tickets (2)
Made worse by KRBTGT rarely changing
– Only changes during domain functional upgrade from NT5 -> NT6
– 2000/2003 to 2008/2012
• 2008 -> 2012 doesn’t change the value
• the previous one (n-1) still valid…
– Means the age of the hash on the average operational environment is measured in YEARS
27. mimikatz :: Golden Tickets (3)
KRBTGT hash can be used to generate arbitrary TGTs for use
– Can make the user a member of any group, even make it multiple users!
• Even users and SIDs that do not exist
– TGTs will only work for 20 minutes to get service tickets (however any service tickets will be good for 10 hours by default)
• Any account can create / use a spoofed ticket, doesn’t require elevated rights
– Can be used to bypass account restrictions
• Disabled / expired
• Authentication silos
• “protected users” group is just a group SID in the TGT
– Create a trail of false events
• Incident handlers rely on event logs
• Easy to frame another user
28. Demo !
29. mimikatz :: BlackHat erratum
At BlackHat, we announced that to forge a TGS, we need 2 keys
– krbtgt key
– target key
The krbtgt key is needed to sign the PAC, to avoid alterations
– But how can a remote service check this signature without the key?
• Remember? Kerberos is SYMMETRIC
– Easy: it delegates PAC checks to the KDC…
30. mimikatz :: BlackHat erratum
Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […]
Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […]
Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […]
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […]
http://msdn.microsoft.com/library/cc224027.aspx#id2
31. mimikatz :: Silver Tickets (1)
So “in real life”, a TGS only needs the target key… no classic service will check the signature…, let’s call them: Silver Tickets!

| | Default lifetime | Minimum number of KDC accesses | Multiple targets | Available with Smartcard | Realtime check for restrictions (account disabled, logon hours...) | Protected Users check for encryption (RC4/AES) | Can be found in | Is funky |
|---|---|---|---|---|---|---|---|---|
| Normal | 42 days | 2 | Yes | Yes | Yes | Yes | n.a. | No |
| Overpass-the-hash (Pass-the-key) | 42 days | 2 | Yes | No | Yes | Yes | Active Directory, Client Memory | No (ok, a little ;)) |
| Pass-the-Ticket (TGT) | 10 hours | 1 | Yes | Yes | No (20mn after) | No | Client Memory | Yes |
| Pass-the-Ticket (TGS) | 10 hours | 0 | No | Yes | No | No | Client Memory | Yes |
| Silver Ticket | [30;60] days | 0 | No | Yes | No | No | n.a. | Yes |
| Golden Ticket | 10 years | 1 | Yes | Yes | No (we can cheat) | No | n.a. | Fuck, Yes! |
32. mimikatz :: Silver Tickets (2)
How do we make a Silver Ticket?
– Exactly like a Golden Ticket, except for the krbtgt key
– Target name (server FQDN)
– Service name
– We must have the “Target Key”
• From Client Memory
• From Active Directory (ok, we can make a Golden Ticket ;)
• or... from the registry (even offline!)
mimikatz # lsadump::secrets
Domain : CLIENT
SysKey : 5418b222b48866feea6f633efcf8417d
Policy subsystem is : 1.13
LSA Key(s) : 1, default {13e98d1c-c7d5-1099-6477-5dbbed69ec73}
[00] {13e98d1c-c7d5-1099-6477-5dbbed69ec73} c2e2ee5bfeb6a4fd4f58ab8554c42a585a093b116ee8ce830ee227e0c31071a4
Secret : $MACHINE.ACC
cur/NTLM:1acf72e4e8a2d6209fe96920ff800110/text: ,QK@Y+i$ nA9BCcrRvnPsaWE/m3_h?U+U^3AL-LF!_ 8y<2.xH>'^F;>OA.(9v9!(_[=51Pj_]YqKV!5`LIsk=*F`q-/dP:kP))bDhA'!2R/x#u=)O$2W0me
33. mimikatz :: Silver Tickets (3)
Before that, who cares about this computer password?
– No… really?
– Yeah, like for the krbtgt account
– At least, this time the password can change every 30 days...
• But the n-1 is still valid (so [30;60] days)… and the password still works if not changed…
$MACHINE.ACC is the new krbtgt, localized to a computer
– And it’s in the registry
Silver ticket is the new Golden Ticket, localized to a target/service
When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN)
– A lot of chances that you can find it in the registry too ;)
34. mimikatz :: Silver Tickets (4)
Kerberos services rely on SPNs
– Nobody likes to set up SPNs (like MIT Kerberos)
– that’s why Microsoft made it ~easy for you (like MIT Kerberos)
host SPN is not only for “host”, but is an alias for: alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc
35. mimikatz :: Silver Tickets (5)
kerberos::golden
/domain:blue.local <= domain name
/sid:S-1-5-21-4174036629-1679296857-797215250 <= domain SID
/rc4:1acf72e4e8a2d6209fe96920ff800110 <= NTLM/RC4 of the Target/Service
/target:client.blue.local <= Target FQDN
/service:cifs <= Service name
/user:Administrator <= username you wanna be
/id:500 <= RID of username (500 is THE domain admin)
/groups:513,512,520,518,519 <= Groups list of the user (be imaginative)
/ticket:cifs.client.kirbi <= the ticket filename (or /ptt)
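The table on slide 31 gives defenders the one number that matters for detection: a Golden Ticket touches the KDC once (a TGS-REQ with a TGT the KDC never issued) and a Silver Ticket touches it zero times. The following is an added example, not code from the slides or from mimikatz, that turns those two facts into a log correlation: on a domain controller, event 4768 (TGT requested) should precede 4769 (service ticket requested) for the same user and client; on a member server, a Kerberos network logon (4624, logon type 3) should be preceded by a DC 4769 whose Service Name is that server's computer account. The event dictionaries are a simplified, constructed shape (the real events are XML with more fields), the sample rows are made up, `FS1$` / `fs1.blue.local` and the IP addresses are assumptions, and the 10-hour windows are the AD defaults for ticket lifetime that the deck quotes. Python is used here because this kind of offline correlation is done on exported logs rather than on the host.

```python
"""Correlate Kerberos-related Windows Security events to spot forged tickets.

Added example for this page (not code from the slides or from mimikatz).
A forged TGT is presented straight to the KDC in a TGS-REQ, so the DC logs
4769 with no earlier 4768 for that user from that client.  A forged service
ticket never reaches the KDC, so the member server logs a Kerberos network
logon (4624, type 3) that no DC 4769 for that server's account explains.
Field names below are simplified from the real event XML and are assumptions.
"""
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default maximum TGT lifetime in AD
TGS_LIFETIME = timedelta(hours=10)  # default maximum service ticket lifetime


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (sample data helper)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events (not real logs).  "dc" rows come from the domain
# controller's Security log, "srv" rows from member server FS1 (fs1.blue.local).
EVENTS = [
    # Normal chain: TGT request, service ticket request, Kerberos network logon.
    {"src": "dc", "id": 4768, "time": ts("2014-10-10 08:00"), "user": "alice",
     "client": "10.0.0.21"},
    {"src": "dc", "id": 4769, "time": ts("2014-10-10 08:01"), "user": "alice",
     "client": "10.0.0.21", "service_account": "FS1$"},
    {"src": "srv", "id": 4624, "time": ts("2014-10-10 08:01"), "user": "alice",
     "client": "10.0.0.21", "logon_type": 3, "package": "Kerberos"},
    # Service ticket issued although no TGT was ever issued to that client:
    # the TGT presented in the TGS-REQ did not come from this KDC.
    {"src": "dc", "id": 4769, "time": ts("2014-10-10 09:30"), "user": "Administrator",
     "client": "10.0.0.77", "service_account": "FS1$"},
    {"src": "srv", "id": 4624, "time": ts("2014-10-10 09:30"), "user": "Administrator",
     "client": "10.0.0.77", "logon_type": 3, "package": "Kerberos"},
    # Kerberos network logon on FS1 with no service ticket for FS1$ issued by
    # the DC: the service ticket did not come from the KDC.
    {"src": "srv", "id": 4624, "time": ts("2014-10-10 11:15"), "user": "Administrator",
     "client": "10.0.0.88", "logon_type": 3, "package": "Kerberos"},
    # NTLM logon: outside the Kerberos ticket chain, must not be flagged here.
    {"src": "srv", "id": 4624, "time": ts("2014-10-10 12:00"), "user": "bob",
     "client": "10.0.0.30", "logon_type": 3, "package": "NTLM"},
]


def _earlier_match(pool, event, lifetime, **extra):
    """True if `pool` holds an event for the same user and client within
    `lifetime` before `event`, with every key/value in `extra` matching."""
    return any(
        p["user"] == event["user"] and p["client"] == event["client"]
        and event["time"] - lifetime <= p["time"] <= event["time"]
        and all(p.get(k) == v for k, v in extra.items())
        for p in pool
    )


def correlate(events, host_account="FS1$"):
    """Return (time, user, client, finding) tuples, oldest first.

    Logs from every DC in the domain must be merged before calling this: the
    4768 for a legitimate TGT may sit on a different DC than the 4769.
    Ticket renewals (4770) are not modelled; for long sessions extend the
    lifetimes or add 4770 events to the TGT pool.
    """
    events = sorted(events, key=lambda e: e["time"])
    tgt_pool = [e for e in events if e["src"] == "dc" and e["id"] == 4768]
    tgs_pool = [e for e in events if e["src"] == "dc" and e["id"] == 4769]
    findings = []

    for e in tgs_pool:
        if not _earlier_match(tgt_pool, e, TGT_LIFETIME):
            findings.append((e["time"], e["user"], e["client"], "forged-TGT"))

    for e in events:
        if e["src"] == "dc" or e["id"] != 4624:
            continue
        if e.get("logon_type") != 3 or e.get("package") != "Kerberos":
            continue
        if not _earlier_match(tgs_pool, e, TGS_LIFETIME, service_account=host_account):
            findings.append((e["time"], e["user"], e["client"], "forged-TGS"))

    return sorted(findings)


if __name__ == "__main__":
    for time, user, client, finding in correlate(EVENTS):
        print(f"{time:%Y-%m-%d %H:%M}  {user:<14} {client:<10} {finding}")
```

Two of the sample logons are flagged: the 09:30 service ticket for Administrator has no TGT request behind it, and the 11:15 logon from 10.0.0.88 has no service ticket behind it. The check is only as good as the log coverage: with several DCs, missing 4768s from one of them produce false forged-TGT findings, which is exactly why slide 43's call for serious monitoring matters.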
36. Demo !
New version of mimikatz in new version of Windows in front of Microsoft staff with new features
37. mimikatz :: Bonus
Mimikatz is full of love for pentesters, but we can’t show all!
– We are modest
A little driver to bypass Protected Process
– Avoid RunAsPPL for LSASS, for example
AddSid
– An experimental function to add the SID of users/groups to another user in Active Directory (admin without admin group)
Thinking that PIN code and Picture password are better?
– You’ve a l33t company, you use Fingerprints in Windows 8?
– Passwords are in the local vault of the SYSTEM… you know?
The same with the password in the registry…
mimilib & memssp
– Grab all passwords!
38. Demo !
39. Do Smart Cards Help? (1)
With Windows Auth, not really
– High cost
– Painful deployment
– Other benefits (email certs, ID certs for web servers)
Password hashes are randomly generated and stored
– They never change by default
– Useful for PTH
– Password could still be reset
• One location set the password after smart card enrollment to the same password for all users (thousands)
– NTLM hash stored in Kerberos ticket
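Slides 17, 26, 33 and this one make the same point about four kinds of account: a secret that never rotates stays usable for pass-the-hash and ticket forgery for years (service accounts with years-old passwords, the krbtgt key that only changes at a functional-level upgrade, the machine password whose n-1 value stays valid for an extra 30-day window, and the smart-card account whose random NT hash is never renewed). The following is an added example, not code from the slides or from mimikatz, of the audit a blue team can run against those attributes: it takes LDAP-style records (`sAMAccountName`, `userAccountControl`, `pwdLastSet`, `servicePrincipalName`), decodes the FILETIME and the UAC bits, and flags secrets older than a per-category threshold. The thresholds, the sample accounts and the audit date are assumptions; the UAC bit values and the FILETIME epoch are the documented ones.

```python
"""Audit how old the NT hashes behind AD accounts are.

Added example for this page (not code from the slides or from mimikatz).
Input records use the LDAP attribute names; the sample directory below is
constructed and the policy thresholds are assumed values.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented in MS-ADTS).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

# Policy thresholds in days (assumed values, adjust to local policy).
MAX_AGE = {
    "krbtgt": 180,      # rotate twice: the n-1 key stays valid until then
    "smartcard": 365,   # hash set at enrollment, never renewed by default
    "service": 365,     # SPN-bearing accounts with non-expiring passwords
    "computer": 60,     # 30-day change cycle plus the still-valid n-1 window
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build the sample data)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def classify(account):
    """Which rotation policy applies to this account, or None."""
    name, uac = account["sAMAccountName"], account["userAccountControl"]
    if name.lower() == "krbtgt":
        return "krbtgt"
    if name.endswith("$"):
        return "computer"
    if uac & SMARTCARD_REQUIRED:
        return "smartcard"
    if account.get("servicePrincipalName") and uac & DONT_EXPIRE_PASSWORD:
        return "service"
    return None


def audit(accounts, now):
    """Return (sAMAccountName, age_days, category) for every stale secret."""
    findings = []
    for a in accounts:
        category = classify(a)
        # pwdLastSet == 0 means "must change at next logon", nothing to age.
        if category is None or a["pwdLastSet"] == 0:
            continue
        age = (now - filetime_to_datetime(a["pwdLastSet"])).days
        if age > MAX_AGE[category]:
            findings.append((a["sAMAccountName"], age, category))
    return findings


def _d(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample directory (not real data); the audit date is the talk date.
NOW = datetime(2014, 10, 10, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "pwdLastSet": _d(2008, 3, 1)},
    {"sAMAccountName": "alice", "userAccountControl": 0x40200, "pwdLastSet": _d(2011, 6, 15)},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "pwdLastSet": _d(2014, 9, 1)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "pwdLastSet": _d(2009, 1, 20),
     "servicePrincipalName": ["MSSQLSvc/sql1.blue.local:1433"]},
    {"sAMAccountName": "FS1$", "userAccountControl": 0x1000, "pwdLastSet": _d(2014, 9, 20)},
    {"sAMAccountName": "FS2$", "userAccountControl": 0x1000, "pwdLastSet": _d(2014, 7, 1)},
]

if __name__ == "__main__":
    for name, age, category in audit(ACCOUNTS, NOW):
        print(f"{name:<10} {category:<10} secret is {age} days old")
```

On the sample data the krbtgt key, the smart-card user, the SQL service account and one machine account (FS2$, 101 days) come out stale; the ordinary user and the recently rotated FS1$ do not. Feeding it a real export is a matter of replacing `ACCOUNTS` with the output of an LDAP query for the same four attributes.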
40. Do Smart Cards Help? (2)
Smart cards are only required for INTERACTIVE logon
– Second factor null and void for network logons
– File shares, etc
Smart cards are considered a stronger form of authentication
– means that somebody could launch a password guessing attack against the account, possibly lock it
– Account is silently unlocked with a successful smart card login
– User never notified
– Even with that, it gives to the user… Kerberos tickets… usable without SC.
41. What does a compromise really mean?
Need to be honest with ourselves:
– A domain CANNOT BE RECOVERED once it is COMPROMISED
• … but very few people can detect when their domain is compromised
– How does the “assume breach” mentality collide with the “10 Immutable Laws of Security”?
– Education
• If this is the new stance, step up and release actionable guidance for strategic decision makers
– C-Level
– Security Managers
42. Next Steps (1)
Not all technical
– Educational
– Strategic
Must give clients the real keys to make the transition easy
– Disabling NTLM has been an option for a long time, but who cares?
• That, and people like devices like printers and scanners that use network authentication
– WDigest can be disabled on Windows 7, but who will push the fixit?
– Using CNG or Virtual Smart Cards too, but who cares?
• Most products are not compatible
43. Next Steps (2)
Good security must not be a hard option to set AFTER compromise
Give sysadmins / blue teams tools for serious monitoring (eventlog is very NT4)
– Recent addition of command line auditing is a good first step, what’s next?
Enhance admin tools to securely manage large deployments
– Provide a secure method for managing local users across an enterprise
– One of the appeals of GPP was user management, although poorly implemented / insecure
Service / feature minimization
– Unix has done this for years
– If you don’t need a feature, make it so it can be easily disabled / removed
– Issue guidance on what features are required and how to disable those that aren’t
44. Next Steps (3)
Design services that are breach-resistant
– Advice can’t be to rebuild the forest every day / week
– Design services that are more “tamper evident”
• Alert defenders if key services are touched
• Develop interesting methods to detect things like the Kerberos attacks
Authentication is hard
– If we had the solution, we’d be rich
– Requires active research
• Not a one-size-fits-all solution
• Local authentication != cloud authentication
• Room for many solutions
45. Next Steps (4)
Asymmetric encryption might be the answer?
– Key exchange is always the problem
• Figure this one out and you might have a way forward
Hardware integration?
– Critical credentials stored on a crypto chip that is tied to a particular computer?
Third Party Support
– Accept the fact that most environments are heterogeneous
– Printers / Scanners / Future devices need to authenticate
– Develop proactive solutions for authentication, document and share
46. Next Steps (5)
Minimize and learn from previous mistakes
– NTLM weakness = hash is password equivalent
– AES keys are treated the same way currently in Windows
• Recover AES keys, get Kerberos ticket, win
– Kerberos design weaknesses have been well documented since the 1990s
• Designed to minimize authentication traffic / load, not necessarily for security / robustness
47. Next Steps (6)
Break with the past
– Backwards compatibility will always get you
– At some point in time you have to put it out of its misery
Remember that the solution can’t be Microsoft only
– Printers / scanners / etc. need to be able to interact as well
– Design for future network needs as well
48. Defensive Measures
It’s difficult to get everything correct
– Old adage: Defenders have to be right all the time, attackers only have to be right once
– Try to move towards “secure by default” or “fail closed”
• Or at least give enterprises the capability to do so if they choose to
Best measures are usually detective
– Know what normal looks like for privileged users
– Spot the abnormalities
• Defensive staff knows when an admin is on vacation or off shift
– Enhance auditing capabilities and increase alerting
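"Know what normal looks like for privileged users" is concrete enough to code. The following is an added example, not code from the slides, of the detective measure this slide describes: learn a per-admin profile (which hosts, which hours) from a quiet training window of 4672 events ("special privileges assigned to new logon"), then score new logons against that profile and against the team's leave calendar, which is the "admin is on vacation or off shift" knowledge the slide says defensive staff already have. The event shape (user, host, time), the host names, the admin accounts and the leave calendar are constructed assumptions.

```python
"""Baseline privileged logons and flag the ones that look abnormal.

Added example for this page (not code from the slides).  Training and
scoring data are constructed; real input would be 4672 events exported
from the hosts' Security logs.
"""
from datetime import date, datetime


def build_profile(events):
    """events: iterable of (user, host, datetime).  Returns
    {user: {"hosts": set, "first_hour": int, "last_hour": int}}."""
    profile = {}
    for user, host, when in events:
        p = profile.setdefault(user, {"hosts": set(), "first_hour": 23, "last_hour": 0})
        p["hosts"].add(host)
        p["first_hour"] = min(p["first_hour"], when.hour)
        p["last_hour"] = max(p["last_hour"], when.hour)
    return profile


def detect(profile, events, on_leave):
    """Return (user, host, datetime, [reasons]) for each anomalous logon.
    on_leave: {user: (first_day, last_day)} from the team's leave calendar."""
    findings = []
    for user, host, when in events:
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("no baseline for this privileged user")
        else:
            if host not in p["hosts"]:
                reasons.append("privileged logon on a new host")
            if not p["first_hour"] <= when.hour <= p["last_hour"]:
                reasons.append("outside usual hours")
        if user in on_leave and on_leave[user][0] <= when.date() <= on_leave[user][1]:
            reasons.append("admin is on leave")
        if reasons:
            findings.append((user, host, when, reasons))
    return findings


# Constructed training data: September 2014 weekday logons by adm_chris on
# dc1 (hours spread over 08:00-17:00 with day % 10) and on fs1 at 10:30.
BASELINE = []
for day in range(1, 27):
    if date(2014, 9, day).weekday() < 5:
        BASELINE.append(("adm_chris", "dc1", datetime(2014, 9, day, 8 + day % 10, 0)))
        BASELINE.append(("adm_chris", "fs1", datetime(2014, 9, day, 10, 30)))

# Constructed events to score, plus the leave calendar.
ON_LEAVE = {"adm_chris": (date(2014, 10, 6), date(2014, 10, 12))}
NEW_EVENTS = [
    ("adm_chris", "dc1", datetime(2014, 10, 2, 10, 0)),         # normal
    ("adm_chris", "wks-hr-12", datetime(2014, 10, 2, 10, 30)),  # new host
    ("adm_chris", "dc1", datetime(2014, 10, 3, 3, 12)),         # 03:12
    ("adm_chris", "dc1", datetime(2014, 10, 8, 10, 0)),         # on leave
    ("adm_ben", "dc1", datetime(2014, 10, 2, 9, 0)),            # no baseline
]

if __name__ == "__main__":
    for user, host, when, reasons in detect(build_profile(BASELINE), NEW_EVENTS, ON_LEAVE):
        print(f"{when:%Y-%m-%d %H:%M} {user:<10} {host:<10} {'; '.join(reasons)}")
```

The profile is deliberately simple (a host set and an hour range); the point is that privileged logons are rare enough that even this coarse model separates the one normal logon from the four that deserve a look. A forged ticket used from a workstation the admin never touches, or while the admin is on the beach, lands in this list regardless of whether the ticket itself looked valid.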
49. That’s all Folks!
We would especially like to thank:
– Will Peteroy
– Joe Bialek
– Akila Srinivasan
– 80’s (first versions of Kerberos)
– 90’s (first versions of NTLM)
– All (previous?) architects of Microsoft for making it possible
Seriously, we know it’s hard to change things in Security with retro compatibility and business in the balance!
50. Websites, Source Codes & Contact
Chris CAMPBELL
– blog http://obscuresecurity.blogspot.com
– source https://github.com/obscuresec
– contact @obscuresec / obscuresec@gmail.com
Benjamin DELPY
– blog http://blog.gentilkiwi.com
– mimikatz http://blog.gentilkiwi.com/mimikatz
– source https://github.com/gentilkiwi/mimikatz
– contact @gentilkiwi / benjamin@gentilkiwi.com
Skip DUCKWALL
– blog http://passing-the-hash.blogspot.com
– source https://github.com/gentilkiwi/mimikatz
– contact @passingthehash / exorcyst@gmail.com
