SlideShare a Scribd company logo

Secure360 - Extracting Password from Windows

Download as PPTX, PDF
Scott Sutherland
Scott Sutherland

This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords. Relevant blog links have been provided below. https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1 https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2 https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords More security blogs by the authors can be found @ https://www.netspi.com/blog/

Technology
1 of 87
Like what you hear? Tweet it using: #Sec360
INTRODUCTIONS Who are we? •Scott Sutherland •Antti Rantasaari What do we do? •Network and application penetration testing at NetSPI
GOAL Provide a basic understanding of how passwords can be exposed on Windows systems •What are the common controls? •What are their limitations? •How can we reduce risk?
OVERVIEW How to steal credentials from Microsoft technologies: • Password Storage • Cleartext passwords • Encrypted passwords • Password hashes • Authentication tokens
PASSWORD STORAGE • Hashed passwords  Used when cleartext password is not required later  No key required, hashing process can’t be reversed • Encrypted passwords  Used when cleartext password will be required later  Requires key to decrypt password  Requires key management • Encoded passwords  Should not be used to protect passwords  No key required to decode password • Cleartext passwords – Don’t do that!
CLEARTEXT PASSWORDS Why does it matter if passwords are stored or transmitted in cleartext? • Vulnerabilities can provide read-only access to:  OS files, backup files, and files shares  Network traffic • Passwords can then be used to access:  Systems  Applications / Databases  Sensitive information
CLEARTEXT PASSWORDS Why does it matter if passwords are stored or transmitted in cleartext? • Vulnerability examples:  File traversal  Local file includes  Excessive privileges on shares  ARP MITM
CLEARTEXT PASSWORDS Where can I find cleartext passwords? • Mapped network drives – User files • Configuration files • Windows Registry • Active Directory • Websites • Script files • Log files
CLEARTEXT PASSWORDS Mapped Network Drives • Users have access to a ton of files shares • File shares often have bad ACLs • Users love to store password in files  xls files  doc files  txt file  etc…
CLEARTEXT PASSWORDS Mapped Network Drives • Easy to find passwords using:  Find  Grep  Spider  Notepad++  Etc…
CLEARTEXT PASSWORDS Mapped Network Drives Recommendations • Review for password on at regular intervals • Periodic audits of access controls on shares • User awareness training • Use of proper password storage
CLEARTEXT PASSWORDS Configuration Files • Sometimes config files are only accessible to administrators • Most config files are accessible to all users  Bad ACLs  Access to backups
CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files created to support the automation of large scale image roll outs • Configuration settings • Local and domain credentials
CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files can be read by ANY user on the system • There are many places they can be stored and used
CLEARTEXT PASSWORDS Configuration Files – Sysprep http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Type Location Registry HKLMSystemSetup!UnattendFile File %WINDIR%PantherUnattend File %WINDIR%Panther File Removable read/write media in order of drive letter, at the root of the drive. File Removable read-only media in order of drive letter, at the root of the drive. File windowsPE and offlineServicing passes: Sources directory in a Windows distribution All other passes: %WINDIR%System32Sysprep File %SYSTEMDRIVE%
CLEARTEXT PASSWORDS Configuration Files – Sysprep • Most of the time they are stored with no protection… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Unattend.xml Example - Cleartext …[snip]… <OOBE> <HideEULAPage>true</HideEULAPage> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> <UserAccounts> <AdministratorPassword> <Value>Passw0rd</Value> <PlainText>true</PlainText> </AdministratorPassword> </UserAccounts> </component> …[snip]…
CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Unattend.xml Example – Base64 Encoded …[snip]… <OOBE> <HideEULAPage>true</HideEULAPage> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> <UserAccounts> <AdministratorPassword> <Value>UGFzc3cwcmQ=</Value> <PlainText>true</PlainText> </AdministratorPassword> </UserAccounts> </component> …[snip]…
CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… Base64 Encoding != Encryption http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
CLEARTEXT PASSWORDS Configuration Files – Sysprep Recommendations • Configure roll out scripts to remove the sysprep answer files like unattend.xml • Additional notes:  Prevent remote logins by local administrators  Manage systems with domain groups
CLEARTEXT PASSWORDS Configuration Files – Web.config • Used to store IIS web application configurations • Often contain database passwords • By default passwords are cleartext
CLEARTEXT PASSWORDS Configuration Files – Web.config • Typically stored at the webroot for each IIS site • Usually can be read by all users on the system
CLEARTEXT PASSWORDS Configuration Files – Web.config Recommendations • Encrypt passwords stored in web.config aspnet_regiis.exe -pef "connectionStrings" c:webapp • Additional notes:  Configure strong ACLs on file system
CLEARTEXT PASSWORDS Configuration Files – Web.config Recommendations
CLEARTEXT PASSWORDS Basic Authentication • Simple way to implement IIS authentication • Uses Base64 encoding, NOT ENCRYPTION • Credentials can be captured from network traffic over HTTP, or via man-in-the-middle over HTTPS
CLEARTEXT PASSWORDS Basic Authentication • Basic authentication over SSL is not that bad • Very common to see it used over unencrypted HTTP connections
CLEARTEXT PASSWORDS Basic Authentication • Base64 Encoded bmV0c3BpOlZlcnlTdHJvbmdBbmRIYXJkVG9HdW Vzc1Bhc3N3b3Jk • Easily decoded Base64 netspi:VeryStrongAndHardToGuessPassword Microsoft ActiveSync (iPhone, etc.)
CLEARTEXT PASSWORDS Basic Authentication Recommendations • Basic Auth is simple, but not often necessary • Replace with Integrated Authentication to enforce authentication handshake • Additional notes:  Integrated Authentication can still be exploited, but it’s not as easy
CLEARTEXT PASSWORDS Windows Registry • Many applications store passwords in cleartext • Easy to search for common strings to find passwords • Windows also stores some passwords in cleartext  Autologin username and password
CLEARTEXT PASSWORDS Windows Registry - AutoLogin • Used by many kiosk and POS systems • Often stores autologin credentials in [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon] "AutoAdminLogon"="1" "DefaultUserName"=“autoadmin" "DefaultPassword"=“!PassW0rd!" "DefaultDomainName"=“acme"
CLEARTEXT PASSWORDS Windows Registry - AutoLogin
CLEARTEXT PASSWORDS Windows Registry - AutoLogin Recommendations • Only use autologin when necessary • If required, store credentials encrypted in LSASecrets • Additional notes:  The encrypted password can be recovered with administrative access to the system http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
CLEARTEXT PASSWORDS Active Directory • User Comments • Custom properties
CLEARTEXT PASSWORDS Active Directory Recommendations • Don’t store cleartext passwords in active directory • Audit Active Directory periodically for comments and custom objects that may contain passwords
ENCRYPTED PASSWORDS How is it possible to decrypt passwords protected by Microsoft technologies? Key Point: If an application or OS can decrypt it, so can an attacker! …sometimes administrator access is required.
ENCRYPTED PASSWORDS How is it possible to recover passwords encrypted by Microsoft technologies? • Calling native OS and application functions • Recovering encryption keys  From same system as the protected data  From external systems like HSMs • Use the keys and correct algorithm to recover protected data
ENCRYPTED PASSWORDS Groups.xml • Windows AD Group Policy Preferences allow setting passwords for local accounts on domain systems
ENCRYPTED PASSWORDS Groups.xml • For that to work the password has to be sent to the user’s system • Groups.xml is pulled down from the SYSVOL share on the DC • SYSVOL and Groups.xml are accessible to all domain users and computer accounts
ENCRYPTED PASSWORDS • Updating a user results in groups.xml file creation
ENCRYPTED PASSWORDS • Passwords in groups.xml are AES256 encrypted and base64 encoded • To apply the password locally, client has to decrypt it • To enable this, encryption key is stored on clients • But MS released the STATIC key in an MSDN article; now anyone can decrypt the password! http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70- 1f2fa45dd4be.aspx#endNote2
ENCRYPTED PASSWORDS • Groups.xml password decrypted with a simple PowerShell script https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get- GPPPassword.ps1
ENCRYPTED PASSWORDS Groups.xml Recommendations • Microsoft does not recommend setting passwords via Group Policy so it’s not a good idea to do that • Access to groups.xml cannot be prevented for domain users so it should not be used
ENCRYPTED PASSWORDS LSASecrets • Used to store all kinds of passwords  Service accounts  Autologin  Applications
ENCRYPTED PASSWORDS LSASecrets • Passwords are stored encrypted in the registry HKLM:SECURITYPolicySecrets • Only viewable by LocalSystem • But…administrators can become LocalSystem
ENCRYPTED PASSWORDS LSASecrets sdf Administrator Access LocalSystem Access
ENCRYPTED PASSWORDS LSASecrets • Additional information is also required from the subkeys of HKLM:SECURITYPolicy
ENCRYPTED PASSWORDS LSASecrets • Use native API methods to decrypt the secrets LsaRetrievePrivateData LsaStorePrivateData LsaOpenPolicy LsaNtStatusToWinError LsaClose LsaFreeMemory
ENCRYPTED PASSWORDS LSASecrets – Service Account Example
ENCRYPTED PASSWORDS WDigest • Designed for use protocols that require a cleartext password to authenticate:  Hypertext Transfer Protocol (HTTP)  Simple Authentication Security Layer (SASL) exchanges http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx http://www.slideshare.net/gentilkiwi
ENCRYPTED PASSWORDS WDigest • Stores passwords for interactive logins (like RDP) encrypted in the lsass.exe process • Depending on secret size and OS version RC4, DES, or AES is used http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx http://www.slideshare.net/gentilkiwi
ENCRYPTED PASSWORDS WDigest • After injecting into the lsass.exe process or importing initialized keys via lsasrv.dll… • Native functions from lsasrv.dll can be used to decrypt the passwords – namely… LsaUnprotectMemory http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
ENCRYPTED PASSWORDS WDigest • Tools like Mimikatz and WCE can be used to recover cleartext passwords http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
ENCRYPTED PASSWORDS WDigest Recommendations • Use smartcard or biometrics when possible • Use network logins instead of interactive logs when possible • Use unprivileged accounts when possible • Do not provide admin / system / debug privileges to users http://www.slideshare.net/gentilkiwi
ENCRYPTED PASSWORDS DPAPI • Windows Data Protection API (DPAPI) • Standard / easy way on Windows to encrypt and decrypt data • DPAPI used by many applications  IE, Chrome, Skype, EFS certificates, WEP / WPA keys, RDP passwords, Credential Manager • Data protection in memory or on disk
ENCRYPTED PASSWORDS DPAPI – stored data • Two protection scopes: CurrentUser or LocalMachine • Protection scope determines the encryption keys  CurrentUser scope uses keys protected by current user’s password  LocalMachine scope uses keys on the system • Additional entropy added to strengthen protection
ENCRYPTED PASSWORDS DPAPI - internals • Largely undocumented by Microsoft – just the API calls are fully documented • DPAPI has been reversed and offline decryption tools have been released http://passcape.com/index.php?section=blog&cmd=details&id=20#11 http://www.elie.net/publication/reversing-dpapi-and-stealing- windows-secrets-offline#.U3BnB_ldWDs
ENCRYPTED PASSWORDS MSSQL Links - Background • Microsoft SQL Server allows users to create links to external data sources, typically to SQL Servers • Links can be configured to use SQL server credentials • Cleartext passwords are needed to connect to linked servers – password hashing cannot be used
ENCRYPTED PASSWORDS MSSQL Links - Background
ENCRYPTED PASSWORDS MSSQL Links – Password Storage • Linked server passwords stored in the database – only accessible using DAC • Passwords stored in pwdhash column even though hashing is not used • Passwords encrypted but SQL Server must have the key
ENCRYPTED PASSWORDS MSSQL Links – Password Storage
ENCRYPTED PASSWORDS MSSQL Links – Service Master Key • SQL Server has a Service Master Key which is encrypted using DPAPI • Additional entropy is stored in the registry • Service Master Key is “the root of the SQL Server encryption hierarchy”, used to encrypt linked server passwords too
ENCRYPTED PASSWORDS MSSQL Links – Service Master Key
ENCRYPTED PASSWORDS MSSQL Links – Passwords Decryption • Decrypt Service Master Key using DPAPI • Extract encrypted password from database • Remove metadata from the password • Decrypt password using Service Master Key (either 3DES or AES depending on version)
ENCRYPTED PASSWORDS MSSQL Links – Passwords Decrypted
ENCRYPTED PASSWORDS MSSQL Links Recommendations • Best practice is to use Windows authentication only – do not enable SQL server authentication • Configure linked servers to use current execution context rather than saved credentials
ENCRYPTED PASSWORDS Credential Manager / Vault • Credential Manager is intended to be a secure way to store password • Can be used for Windows credentials, browser credentials, application credentials • Each user has their own Vault – user can store own passwords
ENCRYPTED PASSWORDS Credential Manager / Vault • Cleartext credentials needed to connect to remote systems – thus passwords in Cred Manager are encrypted, not hashed. • DPAPI used to encrypt passwords
ENCRYPTED PASSWORDS Credential Manager / Vault
ENCRYPTED PASSWORDS Credential Manager / Vault • Credential manager password decryption using Cain http://www.oxid.it/
ENCRYPTED PASSWORDS Credential Manager / Vault Recommendations • Stored passwords always a security risks • Consider disabling Credential Manager using group policies
ENCRYPTED PASSWORDS Wireless • Wireless connections with pre-shared keys have to store the passwords • Passwords encrypted using DPAPI • User or SYSTEM can access the stored passwords • Multiple tools to extract wireless credentials, including Metasploit
ENCRYPTED PASSWORDS Wireless
ENCRYPTED PASSWORDS Wireless Metasploit module: post/windows/wlan/wlan_profile
ENCRYPTED PASSWORDS Wireless Recommendations • Do not use pre-shared keys • Configure corporate wireless to use WPA2- Enterprise (integrated authentication)
ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • IIS application configuration files • Web.config = application level • ApplicationHost.config = server level  Application pool credentials  Windows credentials used for directory access … but they can also be decrypted
ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • Early saw this aspnet_regiis.exe -pef "connectionStrings" c:webapp
ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • No surprise that local administrators can do this: aspnet_regiis.exe -pdf "connectionStrings" c:webapp
HASHED PASSWORDS Why should I care if someone is stealing my password hashes if I have complexity enabled? •#1 Reason: Password hashes can be replayed and used to authenticate without knowledge of the password
HASHED PASSWORDS Why should I care if someone is stealing my password hashes if I have complexity enabled? •#2 Reason: Password hashes can cracked at lighting speeds using modern hardware and software
HASHED PASSWORDS On the System • Local / Domain LM hashes • Local / Domain NTLM hashes • Domain MS-CACHEv2 On the Network • Local / Domain NetLM • Local / Domain NetNTLM
HASHED PASSWORDS Can be dumped with a billion different hacker tools!
DO I REALLY NEED PASSWORDS? Short answer is NO
DO I REALLY NEED PASSWORDS? • SMB relay • Pass-the-hash • Stealing authentication tokens • Crawling database links • Process migration • Generating golden tickets
CONCLUSIONS • Protecting passwords is really, really hard if an attacker has admin rights to you system • Don’t store passwords in clear text – Anywhere! • Only use encryption when the cleartext passwords need used later • Use HSM to protect keys used to encrypt data • Use strong salted hashes to protect passwords • Enforce least privilege everywhere – networks, servers, applications…EVERYWHERE
NETSPI REFERENCES • NetSPI blog: http://www.netspi.com/blog • NetSPI github: https://github.com/netspi • Scott github: https://github.com/nullbind • NetSPI slideshare: http://slideshare.com/netspi • Scott slideshare: http://slideshare.com/nullbind • Scott twitter: @_nullbind

Recommended

Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 

Recommended

Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 

More Related Content

What's hot

Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 

What's hot (20)

Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 

Similar to Secure360 - Extracting Password from Windows

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures Stenio Ferreira
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.pptajajkhan16
 
Securing your azure web app with asp.net core data protection
Securing your azure web app with asp.net core data protectionSecuring your azure web app with asp.net core data protection
Securing your azure web app with asp.net core data protectionMike Melusky
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
AUSPC 2013 - Understanding the Five Layers of SharePoint Security
AUSPC 2013 - Understanding the Five Layers of SharePoint SecurityAUSPC 2013 - Understanding the Five Layers of SharePoint Security
AUSPC 2013 - Understanding the Five Layers of SharePoint SecurityMichael Noel
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Data At Rest Encryption
Data At Rest EncryptionData At Rest Encryption
Data At Rest EncryptionSteven Aiello
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFSDataWorks Summit
 
Steve Jones - Encrypting Data
Steve Jones - Encrypting DataSteve Jones - Encrypting Data
Steve Jones - Encrypting DataRed Gate Software
 

Similar to Secure360 - Extracting Password from Windows (20)

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLR
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLR
 
Securing your azure web app with asp.net core data protection
Securing your azure web app with asp.net core data protectionSecuring your azure web app with asp.net core data protection
Securing your azure web app with asp.net core data protection
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
AUSPC 2013 - Understanding the Five Layers of SharePoint Security
AUSPC 2013 - Understanding the Five Layers of SharePoint SecurityAUSPC 2013 - Understanding the Five Layers of SharePoint Security
AUSPC 2013 - Understanding the Five Layers of SharePoint Security
 
Operating system security
Operating system securityOperating system security
Operating system security
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Data At Rest Encryption
Data At Rest EncryptionData At Rest Encryption
Data At Rest Encryption
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFS
 
Steve Jones - Encrypting Data
Steve Jones - Encrypting DataSteve Jones - Encrypting Data
Steve Jones - Encrypting Data
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 

More from Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 

More from Scott Sutherland (20)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Secure360 - Extracting Password from Windows

  • 1. Like what you hear? Tweet it using: #Sec360
  • 2. INTRODUCTIONS Who are we? •Scott Sutherland •Antti Rantasaari What do we do? •Network and application penetration testing at NetSPI
  • 3. GOAL Provide a basic understanding of how passwords can be exposed on Windows systems •What are the common controls? •What are their limitations? •How can we reduce risk?
  • 4. OVERVIEW How to steal credentials from Microsoft technologies: • Password Storage • Cleartext passwords • Encrypted passwords • Password hashes • Authentication tokens
  • 5. PASSWORD STORAGE • Hashed passwords  Used when cleartext password is not required later  No key required, hashing process can’t be reversed • Encrypted passwords  Used when cleartext password will be required later  Requires key to decrypt password  Requires key management • Encoded passwords  Should not be used to protect passwords  No key required to decode password • Cleartext passwords – Don’t do that!
  • 6. CLEARTEXT PASSWORDS Why does it matter if passwords are stored or transmitted in cleartext? • Vulnerabilities can provide read-only access to:  OS files, backup files, and files shares  Network traffic • Passwords can then be used to access:  Systems  Applications / Databases  Sensitive information
  • 7. CLEARTEXT PASSWORDS Why does it matter if passwords are stored or transmitted in cleartext? • Vulnerability examples:  File traversal  Local file includes  Excessive privileges on shares  ARP MITM
  • 8. CLEARTEXT PASSWORDS Where can I find cleartext passwords? • Mapped network drives – User files • Configuration files • Windows Registry • Active Directory • Websites • Script files • Log files
  • 9. CLEARTEXT PASSWORDS Mapped Network Drives • Users have access to a ton of files shares • File shares often have bad ACLs • Users love to store password in files  xls files  doc files  txt file  etc…
  • 10. CLEARTEXT PASSWORDS Mapped Network Drives • Easy to find passwords using:  Find  Grep  Spider  Notepad++  Etc…
  • 11. CLEARTEXT PASSWORDS Mapped Network Drives Recommendations • Review for password on at regular intervals • Periodic audits of access controls on shares • User awareness training • Use of proper password storage
  • 12. CLEARTEXT PASSWORDS Configuration Files • Sometimes config files are only accessible to administrators • Most config files are accessible to all users  Bad ACLs  Access to backups
  • 13. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files created to support the automation of large scale image roll outs • Configuration settings • Local and domain credentials
  • 14. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Files can be read by ANY user on the system • There are many places they can be stored and used
  • 15. CLEARTEXT PASSWORDS Configuration Files – Sysprep http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Type Location Registry HKLMSystemSetup!UnattendFile File %WINDIR%PantherUnattend File %WINDIR%Panther File Removable read/write media in order of drive letter, at the root of the drive. File Removable read-only media in order of drive letter, at the root of the drive. File windowsPE and offlineServicing passes: Sources directory in a Windows distribution All other passes: %WINDIR%System32Sysprep File %SYSTEMDRIVE%
  • 16. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Most of the time they are stored with no protection… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 17. CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Unattend.xml Example - Cleartext …[snip]… <OOBE> <HideEULAPage>true</HideEULAPage> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> <UserAccounts> <AdministratorPassword> <Value>Passw0rd</Value> <PlainText>true</PlainText> </AdministratorPassword> </UserAccounts> </component> …[snip]…
  • 18. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 19. CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx Unattend.xml Example – Base64 Encoded …[snip]… <OOBE> <HideEULAPage>true</HideEULAPage> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> <UserAccounts> <AdministratorPassword> <Value>UGFzc3cwcmQ=</Value> <PlainText>true</PlainText> </AdministratorPassword> </UserAccounts> </component> …[snip]…
  • 20. CLEARTEXT PASSWORDS Configuration Files – Sysprep • Sometimes they are Base64 encoded… Base64 Encoding != Encryption http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 21. CLEARTEXT PASSWORDS Unattend and Sysprep Files http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
  • 22. CLEARTEXT PASSWORDS Configuration Files – Sysprep Recommendations • Configure roll out scripts to remove the sysprep answer files like unattend.xml • Additional notes:  Prevent remote logins by local administrators  Manage systems with domain groups
  • 23. CLEARTEXT PASSWORDS Configuration Files – Web.config • Used to store IIS web application configurations • Often contain database passwords • By default passwords are cleartext
  • 24. CLEARTEXT PASSWORDS Configuration Files – Web.config • Typically stored at the webroot for each IIS site • Usually can be read by all users on the system
  • 25. CLEARTEXT PASSWORDS Configuration Files – Web.config Recommendations • Encrypt passwords stored in web.config aspnet_regiis.exe -pef "connectionStrings" c:webapp • Additional notes:  Configure strong ACLs on file system
  • 26. CLEARTEXT PASSWORDS Configuration Files – Web.config Recommendations
  • 27. CLEARTEXT PASSWORDS Basic Authentication • Simple way to implement IIS authentication • Uses Base64 encoding, NOT ENCRYPTION • Credentials can be captured from network traffic over HTTP, or via man-in-the-middle over HTTPS
  • 28. CLEARTEXT PASSWORDS Basic Authentication • Basic authentication over SSL is not that bad • Very common to see it used over unencrypted HTTP connections
  • 29. CLEARTEXT PASSWORDS Basic Authentication • Base64 Encoded bmV0c3BpOlZlcnlTdHJvbmdBbmRIYXJkVG9HdW Vzc1Bhc3N3b3Jk • Easily decoded Base64 netspi:VeryStrongAndHardToGuessPassword Microsoft ActiveSync (iPhone, etc.)
  • 30. CLEARTEXT PASSWORDS Basic Authentication Recommendations • Basic Auth is simple, but not often necessary • Replace with Integrated Authentication to enforce authentication handshake • Additional notes:  Integrated Authentication can still be exploited, but it’s not as easy
  • 31. CLEARTEXT PASSWORDS Windows Registry • Many applications store passwords in cleartext • Easy to search for common strings to find passwords • Windows also stores some passwords in cleartext  Autologin username and password
  • 32. CLEARTEXT PASSWORDS Windows Registry - AutoLogin • Used by many kiosk and POS systems • Often stores autologin credentials in [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon] "AutoAdminLogon"="1" "DefaultUserName"=“autoadmin" "DefaultPassword"=“!PassW0rd!" "DefaultDomainName"=“acme"
  • 34. CLEARTEXT PASSWORDS Windows Registry - AutoLogin Recommendations • Only use autologin when necessary • If required, store credentials encrypted in LSASecrets • Additional notes:  The encrypted password can be recovered with administrative access to the system http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
  • 35. CLEARTEXT PASSWORDS Active Directory • User Comments • Custom properties
  • 36. CLEARTEXT PASSWORDS Active Directory Recommendations • Don’t store cleartext passwords in active directory • Audit Active Directory periodically for comments and custom objects that may contain passwords
  • 37. ENCRYPTED PASSWORDS How is it possible to decrypt passwords protected by Microsoft technologies? Key Point: If an application or OS can decrypt it, so can an attacker! …sometimes administrator access is required.
  • 38. ENCRYPTED PASSWORDS How is it possible to recover passwords encrypted by Microsoft technologies? • Calling native OS and application functions • Recovering encryption keys  From same system as the protected data  From external systems like HSMs • Use the keys and correct algorithm to recover protected data
  • 39. ENCRYPTED PASSWORDS Groups.xml • Windows AD Group Policy Preferences allow setting passwords for local accounts on domain systems
  • 40. ENCRYPTED PASSWORDS Groups.xml • For that to work the password has to be sent to the user’s system • Groups.xml is pulled down from the SYSVOL share on the DC • SYSVOL and Groups.xml are accessible to all domain users and computer accounts
  • 41. ENCRYPTED PASSWORDS • Updating a user results in groups.xml file creation
  • 42. ENCRYPTED PASSWORDS • Passwords in groups.xml are AES256 encrypted and base64 encoded • To apply the password locally, client has to decrypt it • To enable this, encryption key is stored on clients • But MS released the STATIC key in an MSDN article; now anyone can decrypt the password! http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70- 1f2fa45dd4be.aspx#endNote2
  • 43. ENCRYPTED PASSWORDS • Groups.xml password decrypted with a simple PowerShell script https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get- GPPPassword.ps1
  • 44. ENCRYPTED PASSWORDS Groups.xml Recommendations • Microsoft does not recommend setting passwords via Group Policy so it’s not a good idea to do that • Access to groups.xml cannot be prevented for domain users so it should not be used
  • 45. ENCRYPTED PASSWORDS LSASecrets • Used to store all kinds of passwords  Service accounts  Autologin  Applications
  • 46. ENCRYPTED PASSWORDS LSASecrets • Passwords are stored encrypted in the registry HKLM:SECURITYPolicySecrets • Only viewable by LocalSystem • But…administrators can become LocalSystem
  • 48. ENCRYPTED PASSWORDS LSASecrets • Additional information is also required from the subkeys of HKLM:SECURITYPolicy
  • 49. ENCRYPTED PASSWORDS LSASecrets • Use native API methods to decrypt the secrets LsaRetrievePrivateData LsaStorePrivateData LsaOpenPolicy LsaNtStatusToWinError LsaClose LsaFreeMemory
  • 50. ENCRYPTED PASSWORDS LSASecrets – Service Account Example
  • 51. ENCRYPTED PASSWORDS WDigest • Designed for use protocols that require a cleartext password to authenticate:  Hypertext Transfer Protocol (HTTP)  Simple Authentication Security Layer (SASL) exchanges http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx http://www.slideshare.net/gentilkiwi
  • 52. ENCRYPTED PASSWORDS WDigest • Stores passwords for interactive logins (like RDP) encrypted in the lsass.exe process • Depending on secret size and OS version RC4, DES, or AES is used http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx http://www.slideshare.net/gentilkiwi
  • 53. ENCRYPTED PASSWORDS WDigest • After injecting into the lsass.exe process or importing initialized keys via lsasrv.dll… • Native functions from lsasrv.dll can be used to decrypt the passwords – namely… LsaUnprotectMemory http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
  • 54. ENCRYPTED PASSWORDS WDigest • Tools like Mimikatz and WCE can be used to recover cleartext passwords http://www.slideshare.net/gentilkiwi http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
  • 55. ENCRYPTED PASSWORDS WDigest Recommendations • Use smartcard or biometrics when possible • Use network logins instead of interactive logs when possible • Use unprivileged accounts when possible • Do not provide admin / system / debug privileges to users http://www.slideshare.net/gentilkiwi
  • 56. ENCRYPTED PASSWORDS DPAPI • Windows Data Protection API (DPAPI) • Standard / easy way on Windows to encrypt and decrypt data • DPAPI used by many applications  IE, Chrome, Skype, EFS certificates, WEP / WPA keys, RDP passwords, Credential Manager • Data protection in memory or on disk
  • 57. ENCRYPTED PASSWORDS DPAPI – stored data • Two protection scopes: CurrentUser or LocalMachine • Protection scope determines the encryption keys  CurrentUser scope uses keys protected by current user’s password  LocalMachine scope uses keys on the system • Additional entropy added to strengthen protection
  • 58. ENCRYPTED PASSWORDS DPAPI - internals • Largely undocumented by Microsoft – just the API calls are fully documented • DPAPI has been reversed and offline decryption tools have been released http://passcape.com/index.php?section=blog&cmd=details&id=20#11 http://www.elie.net/publication/reversing-dpapi-and-stealing- windows-secrets-offline#.U3BnB_ldWDs
  • 59. ENCRYPTED PASSWORDS MSSQL Links - Background • Microsoft SQL Server allows users to create links to external data sources, typically to SQL Servers • Links can be configured to use SQL server credentials • Cleartext passwords are needed to connect to linked servers – password hashing cannot be used
  • 61. ENCRYPTED PASSWORDS MSSQL Links – Password Storage • Linked server passwords stored in the database – only accessible using DAC • Passwords stored in pwdhash column even though hashing is not used • Passwords encrypted but SQL Server must have the key
  • 62. ENCRYPTED PASSWORDS MSSQL Links – Password Storage
  • 63. ENCRYPTED PASSWORDS MSSQL Links – Service Master Key • SQL Server has a Service Master Key which is encrypted using DPAPI • Additional entropy is stored in the registry • Service Master Key is “the root of the SQL Server encryption hierarchy”, used to encrypt linked server passwords too
  • 64. ENCRYPTED PASSWORDS MSSQL Links – Service Master Key
  • 65. ENCRYPTED PASSWORDS MSSQL Links – Passwords Decryption • Decrypt Service Master Key using DPAPI • Extract encrypted password from database • Remove metadata from the password • Decrypt password using Service Master Key (either 3DES or AES depending on version)
  • 66. ENCRYPTED PASSWORDS MSSQL Links – Passwords Decrypted
  • 67. ENCRYPTED PASSWORDS MSSQL Links Recommendations • Best practice is to use Windows authentication only – do not enable SQL server authentication • Configure linked servers to use current execution context rather than saved credentials
  • 68. ENCRYPTED PASSWORDS Credential Manager / Vault • Credential Manager is intended to be a secure way to store password • Can be used for Windows credentials, browser credentials, application credentials • Each user has their own Vault – user can store own passwords
  • 69. ENCRYPTED PASSWORDS Credential Manager / Vault • Cleartext credentials needed to connect to remote systems – thus passwords in Cred Manager are encrypted, not hashed. • DPAPI used to encrypt passwords
  • 71. ENCRYPTED PASSWORDS Credential Manager / Vault • Credential manager password decryption using Cain http://www.oxid.it/
  • 72. ENCRYPTED PASSWORDS Credential Manager / Vault Recommendations • Stored passwords always a security risks • Consider disabling Credential Manager using group policies
  • 73. ENCRYPTED PASSWORDS Wireless • Wireless connections with pre-shared keys have to store the passwords • Passwords encrypted using DPAPI • User or SYSTEM can access the stored passwords • Multiple tools to extract wireless credentials, including Metasploit
  • 75. ENCRYPTED PASSWORDS Wireless Metasploit module: post/windows/wlan/wlan_profile
  • 76. ENCRYPTED PASSWORDS Wireless Recommendations • Do not use pre-shared keys • Configure corporate wireless to use WPA2- Enterprise (integrated authentication)
  • 77. ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • IIS application configuration files • Web.config = application level • ApplicationHost.config = server level  Application pool credentials  Windows credentials used for directory access … but they can also be decrypted
  • 78. ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • Early saw this aspnet_regiis.exe -pef "connectionStrings" c:webapp
  • 79. ENCRYPTED PASSWORDS Web.config and ApplicationHost.config • No surprise that local administrators can do this: aspnet_regiis.exe -pdf "connectionStrings" c:webapp
  • 80. HASHED PASSWORDS Why should I care if someone is stealing my password hashes if I have complexity enabled? •#1 Reason: Password hashes can be replayed and used to authenticate without knowledge of the password
  • 81. HASHED PASSWORDS Why should I care if someone is stealing my password hashes if I have complexity enabled? •#2 Reason: Password hashes can cracked at lighting speeds using modern hardware and software
  • 82. HASHED PASSWORDS On the System • Local / Domain LM hashes • Local / Domain NTLM hashes • Domain MS-CACHEv2 On the Network • Local / Domain NetLM • Local / Domain NetNTLM
  • 83. HASHED PASSWORDS Can be dumped with a billion different hacker tools!
  • 84. DO I REALLY NEED PASSWORDS? Short answer is NO
  • 85. DO I REALLY NEED PASSWORDS? • SMB relay • Pass-the-hash • Stealing authentication tokens • Crawling database links • Process migration • Generating golden tickets
  • 86. CONCLUSIONS • Protecting passwords is really, really hard if an attacker has admin rights to you system • Don’t store passwords in clear text – Anywhere! • Only use encryption when the cleartext passwords need used later • Use HSM to protect keys used to encrypt data • Use strong salted hashes to protect passwords • Enforce least privilege everywhere – networks, servers, applications…EVERYWHERE
  • 87. NETSPI REFERENCES • NetSPI blog: http://www.netspi.com/blog • NetSPI github: https://github.com/netspi • Scott github: https://github.com/nullbind • NetSPI slideshare: http://slideshare.com/netspi • Scott slideshare: http://slideshare.com/nullbind • Scott twitter: @_nullbind