Do cached credentials bring any danger? Can we just extract them and crack the password, or use the value for a pass-the-hash attack? One thing is for sure: the CQURE team made a DPAPI world discovery by reverse-engineering this mechanism, and will tell you right now how it works and whether it is safe. What about other places where credentials are stored? I will demonstrate the technology weaknesses in credential security and specific misuses within the operating system. Learn the unexpected places where your passwords reside, how password attacks are performed, the typical paths through which credentials can be leaked, and how to prevent these by implementing various solutions.
9. Faced with attacks such as pass-the-hash, we can at least rejoice in the "salting" with the username.
There are a number of pre-computed tables for common users such as Administrator, facilitating attacks on these hashes.
10. There is actually not much of a difference from XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of SHA1 iterations, with the same salt as before (the username).
11. The number of iterations in PBKDF2 is configurable through the registry:
HKEY_LOCAL_MACHINE\SECURITY\Cache
DWORD (32) NL$IterationCount
If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations).
If the number is greater than 10240, it is the number of iterations (rounded to 1024).
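As an added example (not from the slides and not CQURE's own tooling), the following Python reproduces the two cache formats the slides contrast, so a defender can see the username salting from slide 9 and the NL$IterationCount rule from slide 11 in effect. A plain MD4 is included because hashlib's md4 is often disabled on current OpenSSL builds; the default of 10240 iterations when the registry value is absent is an assumption.

```python
import hashlib
import struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4; hashlib's 'md4' is often unavailable on OpenSSL 3."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order, no constant
                f, k, s, kc = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, column order 0,4,8,12,1,5,...
                f, k, s, kc = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, order 0,8,4,12,2,10,...
                f, k, s, kc = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rol((a + f + x[k] + kc) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def dcc1(password: str, username: str) -> bytes:
    """XP/2003 cache entry: MD4(NT hash || lowercase username). The username is
    the "salt" of slide 9, so the raw NT hash cannot simply be passed."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))

def iteration_count(nl_iteration_count=None) -> int:
    """Slide 11 rule for NL$IterationCount; 10240 is the assumed default when the value is absent."""
    if nl_iteration_count is None:
        return 10240
    if nl_iteration_count < 10240:
        return nl_iteration_count * 1024                   # value is a multiplier
    return nl_iteration_count - nl_iteration_count % 1024  # rounded down to a multiple of 1024

def dcc2(password: str, username: str, nl_iteration_count=None) -> bytes:
    """Vista+ MSDCC2: PBKDF2-HMAC-SHA1 over DCC1 with the same username salt, 16 bytes out."""
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), username.lower().encode("utf-16-le"),
                               iteration_count(nl_iteration_count), 16)
```

Raising NL$IterationCount only slows the PBKDF2 stage of MSDCC2; it does not add salt, which is the point of slide 10.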
13. Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects from outsiders who have offline access
Effectively protects user data
Stores the password history
You need to be able to get access to some of your passwords from the past
Conclusion: the OS greatly helps us to protect secrets
18. Used to group one or more Web Applications
Purpose: assign resources, serve as a security sandbox
Use Worker Processes (w3wp.exe)
Their identity is defined in the Application Pool settings
Process requests to the applications
Passwords for the AppPool identity can be 'decrypted', even offline
They are stored in encrypted form in applicationHost.config
Conclusion: IIS relies for its security on the Machine Keys (Local System)
21. Store their configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate Local System
Their accounts should be monitored
If you cannot use gMSA or MSA, use a subscription for svc_ accounts (naming convention)
Conclusion: think twice before using an Administrative account; use gMSA
http://www.reddit.com/r/funny/comments/si6io/safety_begins_with_you/
Credentials have to be verified somehow, and all the components needed to verify credentials are in the registry. We can think of the SAM database etc.
At the very beginning there is the bootkey.
When the system starts it must be able to verify the credentials of the users who will be logging on.
Computer account
>nltest /sc_change_pwd:mordor
[50] How can we use MSDCC2 within the attack? Is it really useless for bad guys?
10 min / 65 min
[50] Modification every 3 months.
Extract from AD
CQMasterKeyAD - replacement
[50] KeePass
20 / 55
25 / 50
System user
How it is encrypted 10214
27 min / 48 min to the end
29 min / 46 min to the end
[65]
34 min / 41 min to the end
How passwords are stored
But offline
37 min / 38 min to the end
But offline
45 min / 30 min
I love Ignite because you can see things for the first time in the world. So you are in the right place to see 2 world premieres of security tools and issues.
50 min / 25 min
It is like having a nice set of blank cheques
50 min / 25 min
55 at most
RPC -> Act -> KDS Root
60th minute / 15 minutes
Malware
Problems with app: a - xperf, b - make a dump