fgdump 3.0: A First Look - Toorcon 2011

403 Labs consultant Dave Russell presented "fgdump 3.0: A First Look" at the 2011 Toorcon 13 event in San Diego, CA.

Published in: Technology

  1. fgdump 3.0: A First Look
     October 9, 2011
     Dave “fizzgig” Russell
     Fizzgig[at]foofus[dot]net

  2. Lightning Round – No Time for Chit Chat
     • Dave “fizzgig” Russell
     • Pete “bokojan” Arzamendi
     • Work at 403 Labs, a full-service info-sec shop that is nice enough to support ongoing development of the tool
     • Neither of us does as much pen testing these days; forensics keeps us busy
     • Look us up for consulting and PCI

  3. Background on fgdump
     • Originally written in 2005, shortly after pwdump6 (a product of the Ballmer effect)
     • pwdump3e didn’t like DEP, so I decided to fix it and created pwdump6
     • Got really sick of McAfee locking up boxes
     • Largely replaced pwdump6 – but (at least up until now) was a wrapper
     • Handles pwdump, cachedump and protected storage dumps

  4. Background on fgdump
     • When Vista/Server 2008 came out, the game changed
     • Different storage and encryption were used for passwords and cached credentials
     • Pwdump portion continued to work fine…
     • Cachedump was broken
     • Promised to fix last year at Toorcon
     • Has some advantages like multi-threading and easy multiple-target support

  5. Quick Primer on Hashes
     • Two sets of stored credentials: regular and cached
     • Cached creds exist once you have connected to a domain
     • Regular credentials have a weak LM hash and a stronger NTLM hash
     • LM disabled by default on Vista and later
     • Cached creds are salted and encrypted much better

  6. A Crash Course in Cred Theft
     • pwdump6/fgdump (prior to 3) made use of DLL injection into the LSASS process
     • LSASS has access to encrypted passwords
     • Needed to be SYSTEM, easily handled by creating a service, which defaults to running as SYSTEM
     • Highly susceptible to programming flaws (perish the thought) and AV stupidity
     • If pwdump/fgdump crashes on a target, down goes LSASS, forced reboot 60 seconds later

  7. This is Bad
     • Clients hated rebooting DCs
     • Stabilized over time, but was always a risk
     • Not particularly fast, nor stealthy
     • Communication occurred back to the executing client over named pipes
     • Constantly needing to change signatures to stay ahead of AV
     • Very interesting to see just how bad signature-based AV sucks though

  8. There is a Better Way!
     • Mao [at] oxid[dot]it shed some light on pulling things right out of the registry; metasploit module also helped
     • Both cached and regular creds can be extracted this way
     • The process is somewhat complicated – involves getting the machine’s bootkey and NL$KM secret first, then decrypting the entries

  9. Early Success
     • fgdump3 was written to take advantage of this – regular creds were no problem!
     • Cached creds pre-Vista – no problem!
     • Vista changed the encryption method for cached creds, as well as some other subtle bits – problem
     • Took a VERY long time to sort out what was going on; someone else beat me to it

  10. But We Made It!
     • Finally got cached decryption working!
     • Too bad the registry keys we wanted didn’t allow read permission for administrators
     • Bokojan to the rescue!
     • Wanted to time release to coincide with other features

  11. fgdump3 Design Goals
     • “No upload” method of pulling large amounts of creds from an enterprise
     • Improved speed for large systems
     • Bypass AV easier
     • Less noisy
     • More manageable for multiple-run engagements
     • Recognize the growing internal password audit needs

  12. Beta is Finally Out!
     • Support for all current OSes (not yet tested on Windows 8) – 32- and 64-bit
     • Grabs regular creds and cached creds
     • Defaults to registry extraction, can be overridden (no upload needed for this method)
     • For DCs, credentials are not stored in the registry; fgdump detects this and reverts to old-style DLL injection for these

  13. More Features
     • Resistant to “problems”
     • Registry permissions need to be changed; we track this and spit out the original DACL if we couldn’t change it back
     • Ability to put all output into a folder, nice for multiple runs
     • Injection method should be MUCH faster (anecdotally, two to 10 times as fast)
     • More AV detection support

  14. About Registry Changes
     • Bokojan figured out how to make it work
     • Also responsible for updated AV and domain controller detection!
     • Sets rights on HKLM\Security such that Administrators have permission to enumerate subkeys and read values
     • Automatically reverts the DACLs back to where they belong after we’re done

  15. Not Perfect Yet
     • Changing registry permissions is SLOW
     • Reg keys default to SYSTEM-only; we are not running as SYSTEM, only admin
     • Need to force inheritance of permission changes down to all subkeys and values in the tree
     • Would like to come up with a cleaner way to manage permission changes, or a “non-uploady” way to run as SYSTEM

  16. Optimizing for Your Use
     • For internal audits: consider changing the HKLM\Security registry key to allow read and enumerate-subkey access to Administrator(s)
     • For large numbers of systems, depends on the network link
     • Trial and error – use the “-R” flag to force the old injection method and compare

  17. Now Available on fgdump.com
     • Using a new website – www.fgdump.com
     • Best email is still fizzgig[at]foofus[dot]net for right now
     • Version is 3.0.0-BETA1
     • Expect perhaps one more beta and a release candidate prior to “official” release, as it helps work out kinks so that sensitive environments can feel comfortable about using it

  18. Would Love Real World Feedback
     • This is a BETA version! Use with caution
     • Pay particular attention to registry permissions
     • Speed comparisons would be helpful
     • Any unusual behavior
     • Broken hashes (pretty unlikely, hopefully)
     • Looking for pen test and enterprise info

  19. Thanks!
     • Bokojan: all the coding and actually forcing me to finally release a new version
     • 403 Labs: time to work on this, a fun weekend in San Diego
     • Foofus folks: the original inspiration for the tool!
     • Soaring Moe!: some early updates to pwdump6, particularly 64-bit stuff
     • Ross Geerlings: performance improvements to pwdump6
     • Kevin Mitnick: the mention in Ghost in the Wires
     • All the users, especially those who provided feedback
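The DACL change on HKLM\Security described on slides 13 to 16 (and the "pay particular attention to registry permissions" note on slide 18) leaves a trail a defender can check: Windows logs Security event 4670 (Permissions on an object were changed) with the old and new security descriptors whenever a key's DACL is modified. The following is an added example, not code from the deck or from fgdump, of detection logic that pairs each 4670 opening the SECURITY hive to Administrators with the later 4670 that restores the original descriptor, and reports hosts where that restore never happened; it assumes registry auditing (a SACL on the hive) is enabled, and the hosts, timestamps and SDDL strings are constructed samples.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")      # one SDDL ACE: (type;flags;rights;objguid;inhguid;sid)
ADMIN_SIDS = {"BA", "S-1-5-32-544"}      # BUILTIN\Administrators as SDDL alias or raw SID
READ_RIGHTS = {"KR", "KA", "GR", "GA"}   # KEY_READ, KEY_ALL_ACCESS, GENERIC_READ, GENERIC_ALL

def grants_admin_read(sddl):
    """True if the DACL in `sddl` has an allow ACE giving Administrators a read right (2-letter codes only)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    for ace in ACE_RE.findall(dacl):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] != "A" or parts[5] not in ADMIN_SIDS:
            continue
        rights = parts[2]
        if {rights[i:i + 2] for i in range(0, len(rights), 2)} & READ_RIGHTS:
            return True
    return False

def hive_dacl_findings(events):
    """Pair each 4670 that newly grants Administrators read on HKLM\\SECURITY with the later
    4670 on the same host/key that restores the old descriptor; reverted_at is None if none."""
    hive = [e for e in events if e.get("EventID") == 4670 and e.get("ObjectType") == "Key"
            and e.get("ObjectName", "").upper().startswith("\\REGISTRY\\MACHINE\\SECURITY")]
    hive.sort(key=lambda e: (e.get("Computer", ""), e["TimeCreated"]))
    findings = []
    for i, e in enumerate(hive):
        if grants_admin_read(e["OldSd"]) or not grants_admin_read(e["NewSd"]):
            continue                      # not a change that opened the hive up
        reverted_at = None
        for later in hive[i + 1:]:
            if (later.get("Computer") == e.get("Computer") and later["ObjectName"] == e["ObjectName"]
                    and later["NewSd"] == e["OldSd"]):
                reverted_at = later["TimeCreated"]
                break
        findings.append({"computer": e.get("Computer"), "opened_at": e["TimeCreated"],
                         "process": e.get("ProcessName"), "reverted_at": reverted_at})
    return findings

# Constructed sample 4670 records: field names follow the real event schema, values are made up.
_DEFAULT = "O:SYG:SYD:P(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)"             # SYSTEM full; Admins WRITE_DAC only
_OPENED = "O:SYG:SYD:P(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)(A;CI;KR;;;BA)"  # plus Admins KEY_READ
def _ev(host, ts, old, new, obj="\\REGISTRY\\MACHINE\\SECURITY"):
    return {"EventID": 4670, "Computer": host, "TimeCreated": ts, "ObjectType": "Key", "ObjectName": obj,
            "OldSd": old, "NewSd": new, "ProcessName": "C:\\temp\\fgdump.exe"}
SAMPLE_EVENTS = [
    _ev("WS01", "2011-10-09T10:15:01", _DEFAULT, _OPENED),   # hive opened to Administrators
    _ev("WS01", "2011-10-09T10:15:07", _OPENED, _DEFAULT),   # ... and restored six seconds later
    _ev("WS02", "2011-10-09T11:02:30", _DEFAULT, _OPENED),   # opened and never restored
    _ev("WS02", "2011-10-09T11:05:00", _DEFAULT, _OPENED, obj="\\REGISTRY\\MACHINE\\SOFTWARE\\X"),  # other key, ignored
]
```

Running `hive_dacl_findings(SAMPLE_EVENTS)` yields two findings: WS01 restored at 10:15:07 and WS02 with `reverted_at` of None, which is the state slide 13 warns about when the original DACL could not be put back.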