This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2. INTRODUCTIONS
Who are we?
• Scott Sutherland
• Antti Rantasaari
What do we do?
• Network and application penetration testing at NetSPI
3. GOAL
Provide a basic understanding of how passwords can be exposed on Windows systems
• What are the common controls?
• What are their limitations?
• How can we reduce risk?
4. OVERVIEW
How to steal credentials from Microsoft technologies:
• Password Storage
• Cleartext passwords
• Encrypted passwords
• Password hashes
• Authentication tokens
5. PASSWORD STORAGE
• Hashed passwords
Used when cleartext password is not required later
No key required, hashing process can’t be reversed
• Encrypted passwords
Used when cleartext password will be required later
Requires key to decrypt password
Requires key management
• Encoded passwords
Should not be used to protect passwords
No key required to decode password
• Cleartext passwords – Don’t do that!
6. CLEARTEXT PASSWORDS
Why does it matter if passwords are stored or transmitted in cleartext?
• Vulnerabilities can provide read-only access to:
OS files, backup files, and file shares
Network traffic
• Passwords can then be used to access:
Systems
Applications / Databases
Sensitive information
7. CLEARTEXT PASSWORDS
Why does it matter if passwords are stored or transmitted in cleartext?
• Vulnerability examples:
File traversal
Local file includes
Excessive privileges on shares
ARP MITM
8. CLEARTEXT PASSWORDS
Where can I find cleartext passwords?
• Mapped network drives – User files
• Configuration files
• Windows Registry
• Active Directory
• Websites
• Script files
• Log files
9. CLEARTEXT PASSWORDS
Mapped Network Drives
• Users have access to a ton of file shares
• File shares often have bad ACLs
• Users love to store passwords in files
xls files
doc files
txt files
etc…
11. CLEARTEXT PASSWORDS
Mapped Network Drives
Recommendations
• Review shares for passwords at regular intervals
• Periodic audits of access controls on shares
• User awareness training
• Use of proper password storage
12. CLEARTEXT PASSWORDS
Configuration Files
• Sometimes config files are only accessible to administrators
• Most config files are accessible to all users
Bad ACLs
Access to backups
13. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Files created to support the automation of large-scale image rollouts
• Configuration settings
• Local and domain credentials
15. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
Type      Location
Registry  HKLM\System\Setup!UnattendFile
File      %WINDIR%\Panther\Unattend
File      %WINDIR%\Panther
File      Removable read/write media in order of drive letter, at the root of the drive
File      Removable read-only media in order of drive letter, at the root of the drive
File      windowsPE and offlineServicing passes: Sources directory in a Windows distribution
          All other passes: %WINDIR%\System32\Sysprep
File      %SYSTEMDRIVE%
16. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Most of the time they are stored with no protection…
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
18. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Sometimes they are Base64 encoded…
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
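Slides 13 through 18 describe leftover Sysprep answer files whose credentials are either cleartext or Base64 encoded. The Python block below is an added example (not from the original deck or NetSPI) of the audit a defender would run over a recovered unattend.xml: it reports every AutoLogon, AdministratorPassword and LocalAccount password it finds and, for the Base64 form, shows that the value comes back with no key at all. The sample answer file and its credentials are constructed; the encoding convention used by sysprep_encode/sysprep_decode (UTF-16LE of the password with the literal string "Password" appended, then Base64) is the one Windows Setup applies when <PlainText> is false. Treating a missing <PlainText> element as cleartext is an assumption of this example.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
PASSWORD_ELEMENTS = {"Password", "AdministratorPassword"}


def sysprep_encode(password: str) -> str:
    """Produce the Base64 form Windows Setup writes when <PlainText> is false:
    the password with the literal string "Password" appended, as UTF-16LE."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


def sysprep_decode(value: str) -> str:
    """Reverse sysprep_encode. No key is involved, so this is encoding, not protection."""
    decoded = base64.b64decode(value).decode("utf-16-le")
    return decoded[: -len("Password")] if decoded.endswith("Password") else decoded


# Constructed sample answer file (not taken from any real deployment): one
# cleartext AutoLogon password and two Base64 "protected" account passwords.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{UNATTEND_NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>autoadmin</Username>
        <Password>
          <Value>!PassW0rd!</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{sysprep_encode("S3cretAdm1n")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>kioskuser</Name>
            <Group>Users</Group>
            <Password>
              <Value>{sysprep_encode("Kiosk2014")}</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_unattend(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (account, encoding, recovered_password) for every password in the file.

    Cleartext and Base64 entries are both findings: neither form protects the
    credential from anyone who can read the file."""
    root = ET.fromstring(xml_text)
    parents: Dict[ET.Element, ET.Element] = {c: p for p in root.iter() for c in p}
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in PASSWORD_ELEMENTS:
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue  # empty <Value/> means no password was set
        # Assumption of this example: a missing <PlainText> is treated as cleartext.
        plaintext = (_child_text(elem, "PlainText") or "true").lower() == "true"
        parent = parents.get(elem)
        parent_name = _local(parent.tag) if parent is not None else ""
        if name == "AdministratorPassword":
            account = "Administrator"
        elif parent_name == "AutoLogon":
            account = _child_text(parent, "Username") or "?"
        elif parent_name == "LocalAccount":
            account = _child_text(parent, "Name") or "?"
        else:
            account = parent_name or "?"
        if plaintext:
            findings.append((account, "cleartext", value))
        else:
            findings.append((account, "base64", sysprep_decode(value)))
    return findings


if __name__ == "__main__":
    for account, encoding, password in audit_unattend(SAMPLE_UNATTEND):
        print(f"{account}: {encoding} password recovered ({len(password)} chars)")
```

Run against the search locations in the table on slide 15; every hit is a file the rollout script should have deleted, whichever encoding it uses.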
22. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
Recommendations
• Configure rollout scripts to remove the sysprep answer files like unattend.xml
• Additional notes:
Prevent remote logins by local administrators
Manage systems with domain groups
23. CLEARTEXT PASSWORDS
Configuration Files – Web.config
• Used to store IIS web application configurations
• Often contain database passwords
• By default passwords are cleartext
27. CLEARTEXT PASSWORDS
Basic Authentication
• Simple way to implement IIS authentication
• Uses Base64 encoding, NOT ENCRYPTION
• Credentials can be captured from network traffic over HTTP, or via man-in-the-middle over HTTPS
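Slide 5 separates hashed, encrypted and encoded storage, and this slide makes the point that Basic Authentication is Base64 encoding, not encryption. The Python block below is an added example (not from the original deck or NetSPI) that shows both sides of that distinction: a salted PBKDF2 hash that can be verified but not reversed, next to a Basic Authorization header that gives up the credential with no key. The function names and the sample credential/header are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster

# Constructed sample values for the demo (not real credentials). The header is
# exactly what a Basic Authentication request carries on the wire.
SAMPLE_PASSWORD = "!PassW0rd!"
SAMPLE_BASIC_HEADER = "Authorization: Basic " + base64.b64encode(b"webuser:!PassW0rd!").decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted PBKDF2-HMAC-SHA256 digest.

    The result is self-describing (algorithm$rounds$salt$digest), so verifying
    it needs no key and no external state; there is nothing to decrypt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt/rounds and compare in constant time."""
    algorithm, rounds, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algorithm)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(rounds)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def decode_basic_auth(header_line: str) -> Tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic ...' header.

    Base64 is a reversible encoding with no key, so anyone who can read the
    request (plain HTTP, or a man-in-the-middle on HTTPS) gets the cleartext."""
    parts = header_line.split()
    if len(parts) != 3 or parts[0].lower() != "authorization:" or parts[1].lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(parts[2]).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    stored = hash_password(SAMPLE_PASSWORD)
    print("stored hash :", stored)
    print("verify ok   :", verify_password(SAMPLE_PASSWORD, stored))
    print("basic header:", decode_basic_auth(SAMPLE_BASIC_HEADER))
```

The hash is the right tool when the application only ever needs to check a password; Basic Auth has to send the password itself on every request, which is why the slide's recommendation is to replace it with a handshake-based scheme rather than to try to protect the header.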
30. CLEARTEXT PASSWORDS
Basic Authentication
Recommendations
• Basic Auth is simple, but not often necessary
• Replace with Integrated Authentication to enforce an authentication handshake
• Additional notes:
Integrated Authentication can still be exploited, but it’s not as easy
31. CLEARTEXT PASSWORDS
Windows Registry
• Many applications store passwords in cleartext
• Easy to search for common strings to find passwords
• Windows also stores some passwords in cleartext
Autologin username and password
32. CLEARTEXT PASSWORDS
Windows Registry - AutoLogin
• Used by many kiosk and POS systems
• Often stores autologin credentials in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="autoadmin"
"DefaultPassword"="!PassW0rd!"
"DefaultDomainName"="acme"
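Slides 31 and 32 make two points: Windows itself keeps the autologin password in the Winlogon key, and application passwords in the registry are easy to find by searching for common value names. The Python block below is an added example (not from the original deck or NetSPI) that does both against a regedit .reg export, which is the form a registry usually reaches an auditor in: a small parser for the export format, a check for an enabled AutoAdminLogon with a cleartext DefaultPassword, and a search for password-like value names. The export text, the vendor key and its values are constructed; only the Winlogon key and the value names from the slide are real.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (regedit "Export" output, already decoded from
# UTF-16). The Winlogon values are the placeholders from the slide; the vendor
# key is invented for the demo.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"AutoLogonCount"=dword:00000005
"DefaultUserName"="autoadmin"
"DefaultPassword"="!PassW0rd!"
"DefaultDomainName"="acme"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\KioskApp]
"Server"="db01.acme.local"
"DbPassword"="k10sk\\2014"
"LogLevel"=dword:00000002
"""

VALUE_LINE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
PASSWORD_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)


def _unescape_reg_string(s: str) -> str:
    """Undo the \\ and \" escaping regedit applies to REG_SZ data."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_value(raw: str) -> Any:
    """Decode REG_SZ and REG_DWORD; other types (hex:, hex(2): ...) stay raw."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape_reg_string(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse a .reg export into {key path: {value name: value}}.
    Multi-line hex continuations are not joined (not needed for this audit)."""
    keys: Dict[str, Dict[str, Any]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape_reg_string(m.group(2))
        keys[current][name] = _parse_value(m.group(3))
    return keys


def find_autologon(keys: Dict[str, Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Report an enabled autologon and whether its password sits in the registry."""
    winlogon = keys.get(WINLOGON_KEY, {})
    if str(winlogon.get("AutoAdminLogon", "0")) != "1":
        return None
    return {
        "user": winlogon.get("DefaultUserName"),
        "domain": winlogon.get("DefaultDomainName"),
        "cleartext_password_present": "DefaultPassword" in winlogon,
        "remaining_logons": winlogon.get("AutoLogonCount"),
    }


def find_password_values(keys: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str, Any]]:
    """The 'search for common strings' check: every value whose name looks like a password."""
    return [(key, name, value)
            for key, values in keys.items()
            for name, value in values.items()
            if PASSWORD_NAME_RE.search(name)]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("autologon:", find_autologon(parsed))
    for key, name, _ in find_password_values(parsed):
        print("password-like value:", key, name)
```

An autologon finding with cleartext_password_present set is the case the recommendations on slide 34 address: keep the autologon if the kiosk needs it, but move the password out of DefaultPassword and into LSASecrets.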
34. CLEARTEXT PASSWORDS
Windows Registry - AutoLogin
Recommendations
• Only use autologin when necessary
• If required, store credentials encrypted in LSASecrets
• Additional notes:
The encrypted password can be recovered with administrative access to the system
http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
37. ENCRYPTED PASSWORDS
How is it possible to decrypt passwords protected by Microsoft technologies?
Key Point: If an application or OS can decrypt it, so can an attacker!
…sometimes administrator access is required.
38. ENCRYPTED PASSWORDS
How is it possible to recover passwords encrypted by Microsoft technologies?
• Calling native OS and application functions
• Recovering encryption keys
From the same system as the protected data
From external systems like HSMs
• Use the keys and the correct algorithm to recover the protected data
40. ENCRYPTED PASSWORDS
Groups.xml
• For that to work the password has to be sent to the user’s system
• Groups.xml is pulled down from the SYSVOL share on the DC
• SYSVOL and Groups.xml are accessible to all domain users and computer accounts
42. ENCRYPTED PASSWORDS
• Passwords in groups.xml are AES256 encrypted and
base64 encoded
• To apply the password locally, the client has to decrypt it
• To enable this, the encryption key is stored on clients
• But MS released the STATIC key in an MSDN article; now anyone can decrypt the password!
http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2
43. ENCRYPTED PASSWORDS
• Groups.xml passwords can be decrypted with a simple PowerShell script
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
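Slides 40 to 43 establish that any domain account can read Groups.xml from SYSVOL and that a cpassword in it is as good as cleartext. The defender's version of that fact is an inventory: which GPOs are still shipping a cpassword at all. The Python block below is an added example (not from the original deck, NetSPI or PowerSploit) that walks a SYSVOL-like tree, looks at the Group Policy Preference files that can carry a cpassword attribute, and reports the file and the account each one belongs to without returning or decrypting the value. The directory layout, the GPO names and both Groups.xml files are constructed; the list of preference file names and of account-naming attributes reflects the GPP types I know to carry cpassword and is an assumption of this example.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Group Policy Preference XML files that may carry a cpassword attribute
# (compared case-insensitively because SYSVOL sits on NTFS).
GPP_FILES = {n.lower() for n in ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
                                  "DataSources.xml", "Printers.xml", "Drives.xml")}
# Attributes that name the account a cpassword belongs to, by preference type (assumption).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs", "name")

# Constructed placeholder, NOT a real cpassword ciphertext.
FAKE_CPASSWORD = base64.b64encode(b"constructed-placeholder-not-real-ciphertext").decode("ascii")

# Constructed Groups.xml that sets a local account password through GPP.
SAMPLE_GROUPS_WITH_PASSWORD = f"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{{00000000-0000-0000-0000-000000000001}}">
  <User clsid="{{00000000-0000-0000-0000-000000000002}}" name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description="local admin pushed by GPP"
                cpassword="{FAKE_CPASSWORD}" changeLogon="0" noChange="0"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed Groups.xml that only manages group membership: no password, no finding.
SAMPLE_GROUPS_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <Group clsid="{00000000-0000-0000-0000-000000000003}" name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="ACME\\Workstation Admins" action="ADD"/></Members>
    </Properties>
  </Group>
</Groups>
"""


def build_sample_sysvol(root: str) -> None:
    """Write a small SYSVOL-like tree under root (demo data only)."""
    policies = os.path.join(root, "acme.local", "Policies")
    layout = {
        os.path.join(policies, "{GPO-A}", "Machine", "Preferences", "Groups", "Groups.xml"): SAMPLE_GROUPS_WITH_PASSWORD,
        os.path.join(policies, "{GPO-B}", "Machine", "Preferences", "Groups", "Groups.xml"): SAMPLE_GROUPS_CLEAN,
        os.path.join(policies, "{GPO-B}", "GPT.INI"): "[General]\nVersion=1\n",
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def find_gpp_cpasswords(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (relative path, element tag, account) for every
    element carrying a cpassword attribute. The value itself is neither
    returned nor decrypted: its presence is the finding."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML deserves its own report in a real audit
            for elem in tree.getroot().iter():
                if "cpassword" in elem.attrib:
                    account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "?")
                    findings.append((os.path.relpath(path, root), elem.tag, account))
    return sorted(findings)


def demo() -> List[Tuple[str, str, str]]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        return find_gpp_cpasswords(tmp)


if __name__ == "__main__":
    for rel_path, tag, account in demo():
        print(f"cpassword found: {rel_path} <{tag}> account={account}")
```

Point find_gpp_cpasswords at a copy of the domain's SYSVOL share; each result is a GPO that needs the preference item removed and the affected account's password changed, which is the practical form of the recommendation on slide 44.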
44. ENCRYPTED PASSWORDS
Groups.xml
Recommendations
• Microsoft does not recommend setting passwords via Group Policy, so it’s not a good idea to do that
• Access to groups.xml cannot be prevented for domain users, so it should not be used
46. ENCRYPTED PASSWORDS
LSASecrets
• Passwords are stored encrypted in the registry
HKLM:\SECURITY\Policy\Secrets
• Only viewable by LocalSystem
• But…administrators can become LocalSystem
49. ENCRYPTED PASSWORDS
LSASecrets
• Use native API methods to decrypt the secrets
LsaRetrievePrivateData
LsaStorePrivateData
LsaOpenPolicy
LsaNtStatusToWinError
LsaClose
LsaFreeMemory
51. ENCRYPTED PASSWORDS
WDigest
• Designed for use with protocols that require a cleartext password to authenticate:
Hypertext Transfer Protocol (HTTP)
Simple Authentication and Security Layer (SASL) exchanges
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://www.slideshare.net/gentilkiwi
52. ENCRYPTED PASSWORDS
WDigest
• Stores passwords for interactive logins (like RDP) encrypted in the lsass.exe process
• Depending on secret size and OS version, RC4, DES, or AES is used
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://www.slideshare.net/gentilkiwi
53. ENCRYPTED PASSWORDS
WDigest
• After injecting into the lsass.exe process or importing initialized keys via lsasrv.dll…
• Native functions from lsasrv.dll can be used to decrypt the passwords – namely…
LsaUnprotectMemory
http://www.slideshare.net/gentilkiwi
http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
54. ENCRYPTED PASSWORDS
WDigest
• Tools like Mimikatz and WCE can be used to recover cleartext passwords
http://www.slideshare.net/gentilkiwi
http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
55. ENCRYPTED PASSWORDS
WDigest
Recommendations
• Use smartcard or biometrics when possible
• Use network logins instead of interactive logins when possible
• Use unprivileged accounts when possible
• Do not provide admin / system / debug privileges to users
http://www.slideshare.net/gentilkiwi
56. ENCRYPTED PASSWORDS
DPAPI
• Windows Data Protection API (DPAPI)
• Standard / easy way on Windows to encrypt and decrypt data
• DPAPI is used by many applications
IE, Chrome, Skype, EFS certificates, WEP / WPA keys, RDP passwords, Credential Manager
• Data protection in memory or on disk
57. ENCRYPTED PASSWORDS
DPAPI – stored data
• Two protection scopes: CurrentUser or LocalMachine
• Protection scope determines the encryption keys
CurrentUser scope uses keys protected by the current user’s password
LocalMachine scope uses keys on the system
• Additional entropy added to strengthen protection
58. ENCRYPTED PASSWORDS
DPAPI - internals
• Largely undocumented by Microsoft – just the API calls are fully documented
• DPAPI has been reversed and offline decryption tools have been released
http://passcape.com/index.php?section=blog&cmd=details&id=20#11
http://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline#.U3BnB_ldWDs
59. ENCRYPTED PASSWORDS
MSSQL Links - Background
• Microsoft SQL Server allows users to create links to external data sources, typically to other SQL Servers
• Links can be configured to use SQL Server credentials
• Cleartext passwords are needed to connect to linked servers – password hashing cannot be used
61. ENCRYPTED PASSWORDS
MSSQL Links – Password Storage
• Linked server passwords are stored in the database – only accessible using the DAC (Dedicated Administrator Connection)
• Passwords are stored in the pwdhash column even though hashing is not used
• Passwords are encrypted, but SQL Server must have the key
63. ENCRYPTED PASSWORDS
MSSQL Links – Service Master Key
• SQL Server has a Service Master Key which is encrypted using DPAPI
• Additional entropy is stored in the registry
• The Service Master Key is “the root of the SQL Server encryption hierarchy”, and is used to encrypt linked server passwords too
65. ENCRYPTED PASSWORDS
MSSQL Links – Passwords Decryption
• Decrypt Service Master Key using DPAPI
• Extract encrypted password from database
• Remove metadata from the password
• Decrypt password using Service Master Key (either 3DES or AES depending on version)
67. ENCRYPTED PASSWORDS
MSSQL Links
Recommendations
• Best practice is to use Windows authentication only – do not enable SQL Server authentication
• Configure linked servers to use the current execution context rather than saved credentials
68. ENCRYPTED PASSWORDS
Credential Manager / Vault
• Credential Manager is intended to be a secure way to store passwords
• Can be used for Windows credentials, browser credentials, application credentials
• Each user has their own Vault – users can store their own passwords
69. ENCRYPTED PASSWORDS
Credential Manager / Vault
• Cleartext credentials are needed to connect to remote systems – thus passwords in Credential Manager are encrypted, not hashed
• DPAPI is used to encrypt the passwords
72. ENCRYPTED PASSWORDS
Credential Manager / Vault
Recommendations
• Stored passwords are always a security risk
• Consider disabling Credential Manager using group policies
73. ENCRYPTED PASSWORDS
Wireless
• Wireless connections with pre-shared keys have to store the passwords
• Passwords are encrypted using DPAPI
• The user or SYSTEM can access the stored passwords
• Multiple tools can extract wireless credentials, including Metasploit
77. ENCRYPTED PASSWORDS
Web.config and ApplicationHost.config
• IIS application configuration files
• Web.config = application level
• ApplicationHost.config = server level
Application pool credentials
Windows credentials used for directory access
… but they can also be decrypted
79. ENCRYPTED PASSWORDS
Web.config and ApplicationHost.config
• No surprise that local administrators can do this:
aspnet_regiis.exe -pdf "connectionStrings" c:\webapp
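Slides 23, 77 and 79 cover the IIS configuration files: connection strings and impersonation passwords are cleartext by default, and the protected form written by aspnet_regiis (the -pef switch is the encrypting counterpart of the -pdf decryption shown above) is marked by a configProtectionProvider attribute on the section. The Python block below is an added example (not from the original deck or NetSPI) of the audit a defender would run over web.config files pulled from a build or a backup: it parses connection strings, skips sections that carry configProtectionProvider, and reports the cleartext secrets that remain. Both sample configurations, the server names and the credentials are constructed; the ciphertext in the protected sample is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed web.config with three cleartext secrets (not from any real site).
SAMPLE_WEBCONFIG_CLEARTEXT = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db01;Database=app;User Id=appuser;Password=!PassW0rd!;"
         providerName="System.Data.SqlClient"/>
    <add name="ReportDb"
         connectionString="Server=db02;Database=reports;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="Mail1234!"/>
    <add key="PageSize" value="50"/>
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="ACME\\svc_web" password="!PassW0rd!"/>
  </system.web>
</configuration>
"""

# The same site after aspnet_regiis -pef "connectionStrings": the section now
# carries configProtectionProvider and only ciphertext (placeholder here), and
# impersonation no longer embeds a password.
SAMPLE_WEBCONFIG_PROTECTED = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <identity impersonate="false"/>
  </system.web>
</configuration>
"""

SECRET_KEY_WORDS = ("password", "pwd", "secret")


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a lowercase-keyed dict (values kept verbatim)."""
    pairs: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            pairs[key.strip().lower()] = value.strip()
    return pairs


def connection_string_has_cleartext_password(cs: str) -> bool:
    """True when the string carries SQL credentials (Password= or Pwd=) with a value."""
    pairs = parse_connection_string(cs)
    return any(pairs.get(key) for key in ("password", "pwd"))


def audit_web_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, description) for each cleartext secret.

    A section with a configProtectionProvider attribute is encrypted at rest
    and is skipped; everything else is inspected as cleartext."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []

    cs_section = root.find("connectionStrings")
    if cs_section is not None and "configProtectionProvider" not in cs_section.attrib:
        for add in cs_section.findall("add"):
            if connection_string_has_cleartext_password(add.get("connectionString", "")):
                findings.append((f"connectionStrings/add[@name='{add.get('name')}']",
                                 "cleartext SQL password in connection string"))

    app_settings = root.find("appSettings")
    if app_settings is not None and "configProtectionProvider" not in app_settings.attrib:
        for add in app_settings.findall("add"):
            key = add.get("key", "")
            if any(word in key.lower() for word in SECRET_KEY_WORDS) and add.get("value"):
                findings.append((f"appSettings/add[@key='{key}']", "cleartext secret in appSettings"))

    system_web = root.find("system.web")
    identity = system_web.find("identity") if system_web is not None else None
    if identity is not None and identity.get("password"):
        findings.append(("system.web/identity", "cleartext Windows password for impersonation"))
    return findings


if __name__ == "__main__":
    for label, text in (("cleartext", SAMPLE_WEBCONFIG_CLEARTEXT), ("protected", SAMPLE_WEBCONFIG_PROTECTED)):
        print(label, audit_web_config(text))
```

Encrypting the section closes the cleartext-on-disk finding, but, as the slide says, a local administrator can still run aspnet_regiis -pdf on the same box; the encryption only raises the bar from "any account that can read the file" to "administrator on that server".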
80. HASHED PASSWORDS
Why should I care if someone is stealing my password hashes if I have complexity enabled?
• #1 Reason:
Password hashes can be replayed and used to authenticate without knowledge of the password
81. HASHED PASSWORDS
Why should I care if someone is stealing my password hashes if I have complexity enabled?
• #2 Reason:
Password hashes can be cracked at lightning speed using modern hardware and software
82. HASHED PASSWORDS
On the System
• Local / Domain LM hashes
• Local / Domain NTLM hashes
• Domain MS-CACHEv2
On the Network
• Local / Domain NetLM
• Local / Domain NetNTLM
84. DO I REALLY NEED PASSWORDS?
Short answer is NO
85. DO I REALLY NEED PASSWORDS?
• SMB relay
• Pass-the-hash
• Stealing authentication tokens
• Crawling database links
• Process migration
• Generating golden tickets
86. CONCLUSIONS
• Protecting passwords is really, really hard if an attacker has admin rights to your system
• Don’t store passwords in cleartext – anywhere!
• Only use encryption when the cleartext password needs to be used later
• Use an HSM to protect keys used to encrypt data
• Use strong salted hashes to protect passwords
• Enforce least privilege everywhere – networks, servers, applications…EVERYWHERE
87. NETSPI REFERENCES
• NetSPI blog: http://www.netspi.com/blog
• NetSPI github: https://github.com/netspi
• Scott github: https://github.com/nullbind
• NetSPI slideshare: http://slideshare.com/netspi
• Scott slideshare: http://slideshare.com/nullbind
• Scott twitter: @_nullbind