bluehat 2014 - the attacker's view of windows authentication and post exploitation

Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation. Chris CAMPBELL `obscuresec`, Benjamin DELPY `gentilkiwi`, Skip DUCKWALL `passingthehash`

Upload: benjamin-delpy

Post on 27-Nov-2014


DESCRIPTION

This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as mimikatz. Finally, we’ll discuss next steps: how do you design services that are breach-resistant and make authentication harder to crack?

TRANSCRIPT

Page 1: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation

Chris CAMPBELL `obscuresec`
Benjamin DELPY `gentilkiwi`
Skip DUCKWALL `passingthehash`

Page 2: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

`whoami /groups` ?

Chris CAMPBELL - @obscuresec
– Pentester / Researcher / Former Army Red Team
– One of the authors of PowerSploit – PowerShell based post-exploitation toolkit
– Presented at Blackhat, Defcon, and more

Benjamin DELPY - @gentilkiwi
– Security researcher (the French guy with flashy Tahitian shirts)
– Author of mimikatz
– Presented at Black Hat, Defcon, PHDays, and more

Skip DUCKWALL - @passingthehash
– Pentester / Researcher / Former Army Red Team
– Patched pass-the-hash functionality into many tools used by pentesters
– Presented at Blackhat, Defcon, and more

10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation

Page 3: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation


What we’re talking about

The world that exists outside Microsoft

Windows authentication in the real world

Popular attacks against Windows authentication in the real world

mimikatz

Page 4: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

One quick question?

Who won the Xbox One?

All three of us have asked a lot
– Even at MSRC ;)

So let’s use #askpth
– … as the official hashtag of this talk!

Page 5: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Idealistic View

Everybody runs the most up-to-date software

–All clients are Windows 8.1 / servers are 2012R2

–Domain / forest is at 2012R2 functional level

–All software is patched quickly

–Completely homogeneous Microsoft environment

Page 6: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

A More Realistic View - Environment

Heterogeneous environments

Mix of Linux / Unix / Windows on the server side
– License costs prohibitive if not bundled with server hardware
– Virtualization makes spinning up new servers quick and easy
  • License costs can grow quickly as well

Desktops are often a mix of various flavors of Windows
– Some OSX / Macs as well

Unix authentication sometimes integrated with Active Directory
– LDAP

Page 7: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Realistic View - Patching

Patching is inconsistent
– Especially 3rd-party software
  • Java / Acrobat Reader

Some services will be patched quickly

Some services on ‘don’t touch’ lists

Patching frequency is usually inversely proportional to the criticality of the system

Page 8: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Realistic View - Desktop

Most enterprises are still transitioning from XP to Windows 7
– Licenses are expensive and often paired with hardware upgrades

None of the enterprises we’ve seen use 8.1
– Most enterprises have decided to see what happens with 10+ (XP approach)

Some places still have 2000 or NT and older
– See @Viss scan of the internet
– Shodan HQ

Page 9: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Realistic View - Office

Mix of Office 2007 / 2010 in use
– with a lot of VBA ;)

Little incentive to upgrade
– Making stuff more “cloud capable” causes issues in many enterprises
  • 3rd party doctrine regarding information remaining private / confidential
  • Ownership issues
  • Technology has evolved, laws haven’t caught up

Page 10: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Realistic View – Server OS

Many places still run 2003 domain functional level and are only now transitioning to 2008 / 2008R2

Most Windows servers are running 2008 / 2008R2

Server 2003 being transitioned away from due to EOL

Server 2012 / 2012R2 has some traction

Criticality of server determines upgrades
– The more critical the server, the less likely it is to be upgraded

Page 11: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Realistic View - Other Server Software

SQL Server
– Whatever version the developer / app wanted to use when installed
– Usually multiple versions at the same time
– If the app works, little incentive to upgrade

Exchange
– 2007 or 2010
– Not a lot of incentive to upgrade since it’s viewed as critical infrastructure

SharePoint
– 2007 or 2010
– Not a lot of incentive to upgrade depending on usage

Page 12: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

The Net Result?

New features for the latest software will not be present in the average environment

Most enterprises will not regard a new security feature to be worthy of upgrading the platform

It could be 5+ years before some features will be seen in the average environment

Page 13: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Attackers in the Real World (1)

“Real World” attack knowledge suffers from research bias
– Sometimes we only find what we’re looking for
– Once we find something in the past, we tend to look for that first the next time
– New or novel attacks go unnoticed for years

Attackers are less interested in being disruptive

Attackers are more interested in gaining access to corporate data
– Domain / enterprise admin usually not the ultimate goal
– Usually a checkpoint along the way to find the people with access to the goods
– Possible with targeted attacks to never touch any privileged accounts
  • Example: target devs or HR

Page 14: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Attackers in the Real World (2)

Most discovered attacks don’t involve 0-day exploits
– 0-days are expensive
– More difficult to discover post-attack
– Likely only required for hardened targets

Most breach responders overestimate their defensive capabilities, and therefore overestimate attacker capabilities

Page 15: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Attackers in the Real World (3)

Client-side attacks combined with social engineering are the most likely vectors
– Everybody clicks on dancing cats
– Email addresses are easy to collect or figure out
– Client-side vulnerabilities appear to be more plentiful
– Some products have come a long way: IE with EMET
– Some still have a ways to go: Java / Flash / Acrobat Reader
– Recentish breaches give attackers access to employees’ social networks
  • Easier to create more legit-looking context

Use an exploit to start, then depend on bad architecture to work deeper

Page 16: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Attackers in the Real World (4)

After initial compromise, attackers will take their time on post-exploitation
– Targeted information sought
  • Client lists
  • Source code
  • Schematics
  • Financial information
  • Credit card info / PII / PHI
  • Private keys / certificates / code signing certs

Attackers usually have weeks to months
– Detection usually takes months based on the latest Verizon report
  • http://www.verizonenterprise.com/DBIR/

Page 17: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Post-exploitation Techniques (1)

An entirely different talk

A few highlights
– Group Policy Preferences
  • Anybody with access to DC could recover any credentials set with GPP
  • Potentially allows elevation in automation scripts
  • ~Patched with MS14-025
– Plaintext credentials in automation scripts
  • Mount a share somewhere, copy stuff
– Service accounts
  • Tend to be privileged with easy-to-guess passwords that haven’t changed in years
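A defender-side check for the Group Policy Preferences item above, as an added example (not code from the talk): MS14-025 stops the editor from writing new cpassword values, but entries already sitting in SYSVOL stay there until somebody removes them, so this scans the GPP XML files for non-empty cpassword attributes and reports which account each one belongs to. The Groups.xml / Services.xml fragments are constructed for the example; the file names and attribute names are the ones GPP itself uses.

```python
"""Find leftover Group Policy Preferences passwords (cpassword) in SYSVOL.

Added example, not code from the talk.  The XML samples below are constructed;
they are not taken from any real domain.
"""
import os
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# Attributes naming the account the password belongs to (differs per file type)
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "newName")

# Constructed sample: one live cpassword, one already blanked out
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2013-04-02 09:14:13">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_BASE64_BLOB=" noChange="1"/>
  </User>
  <User name="Helpdesk" changed="2014-06-01 11:02:45">
    <Properties action="U" userName="Helpdesk" cpassword="" noChange="1"/>
  </User>
</Groups>"""

# Constructed sample: a service account password pushed by GPP
SAMPLE_SERVICES_XML = """<NTServices>
  <NTService name="BackupAgent" changed="2012-11-20 08:00:00">
    <Properties startupType="AUTOMATIC" accountName="BLUE\\svc_backup"
                cpassword="ANOTHER_CONSTRUCTED_BLOB=" serviceName="BackupAgent"/>
  </NTService>
</NTServices>"""


def find_cpasswords(xml_text, source):
    """One finding per element whose cpassword attribute is non-empty."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():              # every element, so every child is seen once
        for child in parent:
            if not child.attrib.get("cpassword"):   # absent or already blanked: nothing to do
                continue
            account = next((child.attrib[a] for a in ACCOUNT_ATTRS
                            if child.attrib.get(a)), "<unknown>")
            findings.append({
                "source": source,
                "element": parent.tag,                       # User, NTService, Task, ...
                "account": account,
                "changed": parent.attrib.get("changed", "?"),  # when the preference was last edited
            })
    return findings


def scan_sysvol(policies_dir):
    """Walk a Policies directory (e.g. \\\\dc\\SYSVOL\\<domain>\\Policies) for GPP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # GPP files are UTF-8 with BOM
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings


def demo():
    """Run the scan over the constructed samples only (no filesystem access)."""
    return (find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
            + find_cpasswords(SAMPLE_SERVICES_XML, "Services.xml"))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}: <{f['element']}> account={f['account']} changed={f['changed']}")
```

Run `scan_sysvol()` against a copy of the Policies tree on a domain controller; every hit is a credential any domain user could have read, so the remediation is to delete the preference and rotate that account's password, not just to blank the attribute.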

Page 18: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Post-exploitation Techniques (2)

Poorly configured file shares
– Password lists
  • Search for ‘password.txt’
– Backups of critical infrastructure / configs
– Unattended installers
  • If it automagically joins the domain, there’s a password somewhere

Poorly configured SharePoint
– Use the search functionality to find password lists and config files

Page 19: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Post-exploitation Tools (1)

Attackers have a wide variety of tools they can use

Many are legit tools being used nefariously
– PowerShell
  • Allows access to WINAPI / entire .NET framework
  • Can be used to bypass even the most mature application whitelisting products
  • Trivial AV bypass
– SysInternals
  • Why not do ‘bad things’ with Microsoft signed binaries?
  • PsExec, AdExplorer, ProcDump, and others

Page 20: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Post-exploitation Tools (2)

NT Resource Kit
– Many useful utilities that are now built-in commands
– sc, dnsquery, etc.
– srvany – make any program a service

Built-in commands
– net.exe, cmd.exe, netsh.exe

Some tools are really only useful for post-exploitation
– mimikatz

Page 21: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz (1)

Designed by Benjamin to learn more about Windows programming
– Seriously
– We aren’t joking

Exposed several issues with plaintext passwords being stored in memory
– Passwords being stored in LSASS by various SSPs
  • WDigest and others
– Partially fixed by Microsoft
– Passwords will be back in LSASS if users need certain SSO
– Third-party SSPs still have access to passwords
  • RSA for example
  • mimikatz rolled its own as well

Page 22: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz (2)

Can recover keys / hashes for accounts in memory

Can be used to implement pass-the-hash attacks
– PTH = using hashes as password equivalents – NTLM is DESIGNED this way
– Windows OS uses PTH
  • NTLM service provider only stores the hash in memory


[Figure: hash table from the slide with the columns “NTLM (md4)” and “LM”; the NTLM hash value shown is cc36cf7a8514893efccd332446158b1a]

Page 23: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation


mimikatz (3)

Can be used to implement Kerberos attacks
– Can be used to recover a user’s Kerberos tickets
  • Both TGTs and service tickets
– Can be used to insert tickets into LSASS for use
  • Using a native Windows API
– Can be used to upgrade an NTLM hash to a Kerberos ticket
  • This is “overpass-the-hash”
  • Introduced at Black Hat USA 2014
  • Also works for recovered AES keys on the client side


[Figure (drawn twice on the slide): LSASS (kerberos) for the « chocolate.local » domain holds the long-term keys des_cbc_md5, rc4_hmac_nt (NTLM/md4) = cc36cf7a8514893efccd332446158b1a, aes128_hmac and aes256_hmac; the exchange with the KDC is ① AS-REQ, ② AS-REP (TGT), ③ TGS-REQ, ④ TGS-REP (TGS), ⑤ Usage]

Page 24: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation


Demo !

New version of mimikatz, in a new version of Windows, in front of Microsoft staff

Page 25: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Golden Tickets (1)

Can be used to implement Golden Ticket attacks
– If KRBTGT hash/keys lost
  • Domain dump
    – Password audit (legitimate use case)
    – Poorly redacted pentest report
  • Other – Compromise
    – File backup of the domain controller
      • Shadow copy trick
      • Recovery of backup tapes or access to backup file share
    – Compromise of virtual machine infrastructure
      • Copy the drive image or a snapshot of the image

Page 26: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Golden Tickets (2)

Made worse by KRBTGT rarely changing
– Only changes during domain functional upgrade from NT5 -> NT6
– 2000/2003 to 2008/2012
  • 2008 -> 2012 doesn’t change the value
  • the previous one (n-1) is still valid…
– Means the age of the hash in the average operational environment is measured in YEARS

Page 27: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Golden Tickets (3)

KRBTGT hash can be used to generate arbitrary TGTs for use
– Can make user a member of any group, even make it multiple users!
  • Even users and SIDs that do not exist
– TGTs will only work for 20 minutes to get service tickets (however any service tickets will be good for 10 hours by default)
  • Any account can create / use a spoofed ticket, doesn’t require elevated rights
– Can be used to bypass account restrictions
  • Disabled / expired
  • Authentication silos
  • “Protected Users” group is just a group SID in the TGT
– Create a trail of false events
  • Incident handlers rely on event logs
  • Easy to frame another user

Page 28: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Demo !

Page 29: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: BlackHat erratum

At BlackHat, we announced that to forge a TGS, we need 2 keys
– krbtgt key
– target key

The krbtgt key is needed to sign the PAC, to avoid alterations
– But how can a remote service check this signature without the key?
  • Remember? Kerberos is SYMMETRIC
– Easy: it delegates PAC checks to the KDC…

Page 30: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: BlackHat erratum

Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […]

Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […]

Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […]

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […]

http://msdn.microsoft.com/library/cc224027.aspx#id2

Page 31: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Silver Tickets (1)

So “in real life”, a TGS only needs the target key… no classic service will check the signature… let’s call them: Silver Tickets!

Ticket type                      | Default lifetime | Minimum number of KDC accesses | Multiple targets | Available with smartcard | Realtime check for restrictions (account disabled, logon hours, Protected Users...) | Check for encryption (RC4/AES) | Can be found in                 | Is funky
---------------------------------|------------------|--------------------------------|------------------|--------------------------|--------------------------------------------------------------------------------------|--------------------------------|---------------------------------|---------------------
Normal                           | 42 days          | 2                              | Yes              | Yes                      | Yes                                                                                  | Yes                            | n.a.                            | No
Overpass-the-hash (Pass-the-key) | 42 days          | 2                              | Yes              | No                       | Yes                                                                                  | Yes                            | Active Directory, client memory | No (ok, a little ;))
Pass-the-Ticket (TGT)            | 10 hours         | 1                              | Yes              | Yes                      | No (20mn after)                                                                      | No                             | Client memory                   | Yes
Pass-the-Ticket (TGS)            | 10 hours         | 0                              | No               | Yes                      | No                                                                                   | No                             | Client memory                   | Yes
Silver Ticket                    | [30;60] days     | 0                              | No               | Yes                      | No                                                                                   | No                             | n.a.                            | Yes
Golden Ticket                    | 10 years         | 1                              | Yes              | Yes                      | No (we can cheat)                                                                    | No                             | n.a.                            | Fuck, Yes!

Page 32: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Silver Tickets (2)

How do we make a Silver Ticket?
– Exactly like a Golden Ticket, except for the krbtgt key
– Target name (server FQDN)
– Service name
– We must have the “Target Key”
  • From client memory
  • From Active Directory (ok, then we can make a Golden Ticket ;)
  • or... from the registry (even offline!)

mimikatz # lsadump::secrets
Domain : CLIENT
SysKey : 5418b222b48866feea6f633efcf8417d

Policy subsystem is : 1.13
LSA Key(s) : 1, default {13e98d1c-c7d5-1099-6477-5dbbed69ec73}
  [00] {13e98d1c-c7d5-1099-6477-5dbbed69ec73} c2e2ee5bfeb6a4fd4f58ab8554c42a585a093b116ee8ce830ee227e0c31071a4

Secret  : $MACHINE.ACC
cur/NTLM:1acf72e4e8a2d6209fe96920ff800110
    text: ,QK@Y+i$ nA9BCcrRvnPsaWE/m3_h?U+U^3AL-LF!_8y<2.xH>'^F;>OA.(9v9!(_[=51Pj_]YqKV!5`LIsk=*F`q-/dP:kP))bDhA'!2R/x#u=)O$2W\0me

Page 33: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Silver Tickets (3)

Before that, who cares about this computer password?
– No… really?
– Yeah, like for the krbtgt account
– At least, this time the password can change every 30 days...
  • But the n-1 is still valid (so [30;60] days)… and the password still works if not changed…

$MACHINE.ACC is the new krbtgt, localized to a computer
– And it’s in the registry

Silver ticket is the new Golden Ticket, localized to a target/service

When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN)
– Good chances you can find it in the registry too ;)
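The krbtgt, computer account ($MACHINE.ACC) and service account password ages discussed on the Golden Tickets (2), Post-exploitation Techniques (1) and Silver Tickets (3) slides are all visible in one attribute, pwdLastSet. The audit below is an added example (not code from the talk) that converts pwdLastSet FILETIME values and flags accounts older than a threshold for their kind; for computer accounts it also works out the end of the [30;60] day window during which a captured key stays valid if rotation happens on schedule (if the machine never rotates, the key simply stays valid). The account list, review thresholds and the reference date (the talk date) are constructed/assumed for the example.

```python
"""Password-age audit for krbtgt, computer and service accounts.

Added example, not code from the talk.  pwdLastSet is an Active Directory
FILETIME: 100-ns ticks since 1601-01-01 UTC.  Accounts and thresholds below
are constructed/assumed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACHINE_ROTATION_DAYS = 30        # default maximum machine account password age

# Assumed review thresholds (policy choices for this example, not Windows defaults)
MAX_AGE_DAYS = {"krbtgt": 180, "computer": MACHINE_ROTATION_DAYS, "service": 365}


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer arithmetic only: FILETIME values exceed float's exact-integer range
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def audit(accounts, now):
    """Findings for accounts whose password is older than the threshold for its kind."""
    findings = []
    for acct in accounts:
        last_set = filetime_to_datetime(acct["pwdLastSet"])
        finding = {"name": acct["name"], "kind": acct["kind"],
                   "age_days": (now - last_set).days}
        if acct["kind"] == "computer":
            # the previous (n-1) value stays valid until the rotation after the next one,
            # so a key captured now is usable until last_set + 2 rotation periods at the latest
            finding["captured_key_usable_until"] = last_set + timedelta(days=2 * MACHINE_ROTATION_DAYS)
        if finding["age_days"] > MAX_AGE_DAYS[acct["kind"]]:
            findings.append(finding)
    return findings


TALK_DATE = utc(2014, 10, 10)     # reference "now" for the example


def sample_accounts():
    """Constructed directory export (name, kind, pwdLastSet)."""
    return [
        {"name": "krbtgt",     "kind": "krbtgt",   "pwdLastSet": datetime_to_filetime(utc(2009, 5, 1))},
        {"name": "CLIENT$",    "kind": "computer", "pwdLastSet": datetime_to_filetime(utc(2014, 8, 1))},
        {"name": "WS42$",      "kind": "computer", "pwdLastSet": datetime_to_filetime(utc(2014, 9, 20))},
        {"name": "svc_backup", "kind": "service",  "pwdLastSet": datetime_to_filetime(utc(2011, 1, 15))},
    ]


if __name__ == "__main__":
    for f in audit(sample_accounts(), TALK_DATE):
        print(f)
```

In a real run the input comes from an LDAP export of pwdLastSet for the krbtgt account, all computer accounts and whatever naming convention marks service accounts; a krbtgt age in the thousands of days is what the slides describe as normal, and the fix is a controlled double reset rather than a single one, because the n-1 value stays valid.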

Page 34: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Silver Tickets (4)

Kerberos services rely on SPNs
– Nobody likes to set up SPNs (like MIT Kerberos)
– That’s why Microsoft made it ~easy for you (like MIT Kerberos)

The host SPN is not only for “host”, but is an alias for:

alerter appmgmt cisvc clipsrv browser dhcp
dnscache replicator eventlog eventsystem policyagent oakley
dmserver dns mcsvc fax msiserver ias
messenger netlogon netman netdde netddedsm nmagent
plugplay protectedstorage rasman rpclocator rpc rpcss
remoteaccess rsvp samss scardsvr scesrv seclogon
scm dcom cifs spooler snmp schedule
tapisrv trksvr trkwks ups time wins
www http w3svc iisadmin msdtc
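Added example (not code from the talk or from mimikatz) that puts the alias list above to defensive use: given an SPN such as cifs/client.blue.local it answers which account's long-term key encrypts service tickets for that service, which is the key a Silver Ticket for it would need and therefore the key whose rotation and protection matter. Exact SPN registrations win; otherwise any alias of host resolves to the computer account that registered host/<fqdn>; everything else is unresolved. The registered-SPN table is constructed; blue.local and client.blue.local are the names used on the Silver Tickets slides.

```python
"""SPN parsing and "which key protects this service" lookup.

Added example, not code from the talk.  HOST_ALIASES is the list from the
slide; REGISTERED is a constructed directory export.
"""
HOST_ALIASES = frozenset("""
alerter appmgmt cisvc clipsrv browser dhcp dnscache replicator eventlog eventsystem
policyagent oakley dmserver dns mcsvc fax msiserver ias messenger netlogon netman
netdde netddedsm nmagent plugplay protectedstorage rasman rpclocator rpc rpcss
remoteaccess rsvp samss scardsvr scesrv seclogon scm dcom cifs spooler snmp schedule
tapisrv trksvr trkwks ups time wins www http w3svc iisadmin msdtc
""".split())


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into its parts (class and host lower-cased)."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    if port and not port.isdigit():
        raise ValueError(f"bad port in SPN: {spn!r}")
    service_class = parts[0].lower()
    return {
        "class": service_class,
        "host": host.lower(),
        "port": int(port) if port else None,
        "name": parts[2] if len(parts) == 3 else None,
        "host_alias": service_class in HOST_ALIASES,   # served by the host/ SPN
    }


def key_owner(spn, registered):
    """Account whose long-term key encrypts service tickets for this SPN, or None.

    `registered` maps lower-cased servicePrincipalName -> owning account.
    """
    exact = registered.get(spn.lower())
    if exact:
        return exact                                  # explicitly registered (e.g. a service account)
    p = parse_spn(spn)
    if p["host_alias"]:
        return registered.get(f"host/{p['host']}")     # falls back to the computer account's key
    return None                                        # not registered anywhere: the KDC would refuse


# Constructed directory export of servicePrincipalName -> owning account
REGISTERED = {
    "host/client.blue.local": "CLIENT$",
    "host/client": "CLIENT$",
    "host/db01.blue.local": "DB01$",
    "mssqlsvc/db01.blue.local:1433": "svc_sql",
    "host/dc01.blue.local": "DC01$",
    "ldap/dc01.blue.local": "DC01$",
}

if __name__ == "__main__":
    for spn in ("cifs/client.blue.local", "MSSQLSvc/db01.blue.local:1433",
                "http/db01.blue.local", "ldap/client.blue.local"):
        print(f"{spn:32} -> {key_owner(spn, REGISTERED)}")
```

The interesting output is the fallback: cifs, http and the other aliases on a plain member server all resolve to that machine's own account, which is exactly why the slides treat $MACHINE.ACC as a per-computer krbtgt. A service account that registers SPNs on several hosts is the multi-target case the previous slide mentions.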

Page 35: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation


mimikatz :: Silver Tickets (5)

kerberos::golden
  /domain:blue.local                             <= domain name
  /sid:S-1-5-21-4174036629-1679296857-797215250  <= domain SID
  /rc4:1acf72e4e8a2d6209fe96920ff800110          <= NTLM/RC4 of the Target/Service
  /target:client.blue.local                      <= Target FQDN
  /service:cifs                                  <= Service name
  /user:Administrator                            <= username you wanna be
  /id:500                                        <= RID of username (500 is THE domain admin)
  /groups:513,512,520,518,519                    <= Groups list of the user (be imaginative)
  /ticket:cifs.client.kirbi                      <= the ticket filename (or /ptt)

Page 36: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Demo !

New version of mimikatz, in a new version of Windows, in front of Microsoft staff, with new features

Page 37: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

mimikatz :: Bonus

Mimikatz is full of love for pentesters, but we can’t show all!
– We are modest

A little driver to bypass Protected Process
– Avoid RunAsPPL for LSASS, for example

AddSid
– An experimental function to add SIDs of users/groups to another user in Active Directory (admin without admin group)

Thinking that PIN code and Picture password are better?
– You’ve a l33t company, you use Fingerprints in Windows 8?
– Passwords are in the local vault of SYSTEM… you know? The same as with the password in the registry…

mimilib & memssp
– Grab all passwords!

Page 38: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Demo !

Page 39: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Do Smart Cards Help? (1)

With Windows Auth, not really
– High cost
– Painful deployment
– Other benefits (email certs, ID certs for web servers)

Password hashes are randomly generated and stored
– They never change by default
– Useful for PTH
– Password could still be reset
  • One location set the password after smart card enrollment to the same password for all users (thousands)
– NTLM hash stored in Kerberos ticket

Page 40: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Do Smart Cards Help? (2)

Smart cards are only required for INTERACTIVE logon
– Second factor null and void for network logons
– File shares, etc.

Smart cards are considered a stronger form of authentication
– Means that somebody could launch a password guessing attack against the account, possibly lock it
– Account is silently unlocked with a successful smart card login
– User never notified
– Even with that, it gives the user… Kerberos tickets… usable without SC.
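Two of the points above and on the Golden Tickets (3) slide translate directly into log checks: a forged TGT can name users or SIDs the directory never issued, and a smart-card-required account should never be seen authenticating with NTLM, because the second factor is only enforced for interactive logons. The triage below is an added example (not code from the talk) that cross-checks logon records against a directory snapshot for exactly those inconsistencies. The snapshot and the event lines are constructed; the field names follow Windows event 4624 (TargetUserName, TargetUserSid, LogonType, AuthenticationPackageName), the flat key=value layout is this example's own, and the domain SID is the one quoted on the Silver Tickets (5) slide.

```python
"""Logon-event triage against a directory snapshot.  Added example, not code from the talk."""
import re

# Domain SID quoted on the Silver Tickets (5) slide
DOMAIN_SID = "S-1-5-21-4174036629-1679296857-797215250"

# Constructed snapshot: sAMAccountName -> RID and "smart card is required for interactive logon"
DIRECTORY = {
    "Administrator": {"rid": 500,  "smartcard_required": True},
    "alice":         {"rid": 1105, "smartcard_required": True},
    "svc_backup":    {"rid": 1201, "smartcard_required": False},
}

# Constructed event records in a flat key=value;... form made up for this example
SAMPLE_EVENTS = [
    "TargetUserName=alice;TargetUserSid=S-1-5-21-4174036629-1679296857-797215250-1105;LogonType=2;AuthenticationPackageName=Kerberos",
    "TargetUserName=alice;TargetUserSid=S-1-5-21-4174036629-1679296857-797215250-1105;LogonType=3;AuthenticationPackageName=NTLM",
    "TargetUserName=ghost;TargetUserSid=S-1-5-21-4174036629-1679296857-797215250-1106;LogonType=3;AuthenticationPackageName=Kerberos",
    "TargetUserName=svc_backup;TargetUserSid=S-1-5-21-4174036629-1679296857-797215250-500;LogonType=3;AuthenticationPackageName=Kerberos",
    "TargetUserName=Administrator;TargetUserSid=S-1-5-21-1-2-3-500;LogonType=3;AuthenticationPackageName=Kerberos",
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_event(line):
    return dict(field.split("=", 1) for field in line.split(";"))


def split_sid(sid):
    """(domain SID, RID) for a domain account SID, (None, None) for anything else."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def triage(events, directory, domain_sid):
    """One finding per inconsistency between a logon record and the directory."""
    findings = []
    for line in events:
        ev = parse_event(line)
        user, sid = ev["TargetUserName"], ev["TargetUserSid"]
        dom, rid = split_sid(sid)
        entry = directory.get(user)

        def flag(kind):
            findings.append({"kind": kind, "user": user, "sid": sid,
                             "logon_type": ev["LogonType"]})

        if entry is None:
            flag("unknown-account")              # a name the directory has never held
            continue
        if dom != domain_sid:
            flag("foreign-domain-sid")           # SID is not from this domain
        elif rid != entry["rid"]:
            flag("rid-mismatch")                 # name and RID do not belong together
        if entry["smartcard_required"] and ev["AuthenticationPackageName"] == "NTLM":
            flag("ntlm-for-smartcard-account")   # password/hash used where a card is mandated
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, DIRECTORY, DOMAIN_SID):
        print(f)
```

The first three finding kinds are cheap indicators for forged tickets; the last one is the practical answer to “do smart cards help”: for accounts marked smart-card-required, any NTLM authentication means a password hash is in play, so the detection goal is to make that count zero and alert on it rather than to rely on the card.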

Page 41: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

What does a compromise really mean?

Need to be honest with ourselves:
– A domain CANNOT BE RECOVERED once it is COMPROMISED
  • … but very few people can detect when their domain is compromised
– How does the “assume breach” mentality collide with the “10 Immutable Laws of Security”?
– Education
  • If this is the new stance, step up and release actionable guidance for strategic decision makers
    – C-Level
    – Security Managers

Page 42: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (1)

Not all technical
– Educational
– Strategic

Must give clients the real keys to make the transition easy
– Disabling NTLM has been an option for a long time, but who cares?
  • That, and people like devices like printers and scanners that use network authentication
– WDigest can be disabled on Windows 7, but who will push the fixit?
– Using CNG or Virtual Smart Cards too, but who cares?
  • Most products are not compatible

Page 43: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (2)

Good security must not be a hard option to set AFTER compromise

Give sysadmins / blue teams tools for serious monitoring (eventlog is very NT4)
– Recent addition of command line auditing is a good first step, what’s next?

Enhance admin tools to securely manage large deployments
– Provide a secure method for managing local users across an enterprise
– One of the appeals of GPP was user management, although poorly implemented / insecure

Service / feature minimization
– Unix has done this for years
– If you don’t need a feature, make it so it can be easily disabled / removed
– Issue guidance on what features are required and how to disable those that aren’t

Page 44: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (3)

Design services that are breach-resistant
– Advice can’t be to rebuild the forest every day / week
– Design services that are more “tamper evident”
  • Alert defenders if key services are touched
  • Develop interesting methods to detect things like the Kerberos attacks

Authentication is hard
– If we had the solution, we’d be rich
– Requires active research
  • Not a one-size-fits-all solution
  • Local authentication != cloud authentication
  • Room for many solutions

Page 45: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (4)

Asymmetric encryption might be the answer?
– Key exchange is always the problem
  • Figure this one out and you might have a way forward

Hardware integration?
– Critical credentials stored on a crypto chip that is tied to a particular computer?

Third Party Support
– Accept the fact that most environments are heterogeneous
– Printers / Scanners / Future devices need to authenticate
– Develop proactive solutions for authentication, document and share

Page 46: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (5)

Minimize and learn from previous mistakes
– NTLM weakness = hash is password equivalent
– AES keys are treated the same way currently in Windows
  • Recover AES keys, get Kerberos ticket, win
– Kerberos design weaknesses have been well documented since the 1990s
  • Designed to minimize authentication traffic / load, not necessarily for security / robustness

Page 47: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Next Steps (6)

Break with the past
– Backwards compatibility will always get you
– At some point in time you have to put it out of its misery

Remember that the solution can’t be Microsoft only
– Printers / scanners / etc. need to be able to interact as well
– Design for future network needs as well

Page 48: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

Defensive Measures

It’s difficult to get everything correct
– Old adage: defenders have to be right all the time, attackers only have to be right once
– Try to move towards “secure by default” or “fail closed”
  • Or at least give enterprises the capability to do so if they choose to

Best measures are usually detective
– Know what normal looks like for privileged users
– Spot the abnormalities
  • Defensive staff knows when an admin is on vacation or off shift
– Enhance auditing capabilities and increase alerting

Page 49: BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation


That’s all Folks!

We would especially like to thank:
– Will Peteroy
– Joe Bialek
– Akila Srinivasan
– 80’s (first versions of Kerberos)
– 90’s (first versions of NTLM)
– All (previous?) architects of Microsoft for making it possible

Seriously, we know it’s hard to change things in Security with retro compatibility and business in the balance!
