1. Exposing the Secrets of Windows Credential Provider
Presented by: Subrat Sarkar
"Give me your password"

2. Common Methods to Steal Passwords
• Reading registry hives - LM and NT password hashes for local accounts are stored in the Security Accounts Manager (SAM) database file.
• Injecting into LSASS - inject code into the running LSASS process so that the injected code can call the functions needed to read its memory structures.
• Reading LSASS's memory - recovering credentials from a memory dump file is supported in mimikatz.
• Decoding NTDS.DIT - LM and NT hashes for Active Directory domain accounts are stored in the Active Directory database file, NTDS.DIT.
3. Windows 7 Authentication Architecture

4. Logon Authentication
• Interactive Logon
  • Local Logon: A local logon requires that the user have a user account in the SAM on the local computer.
  • Domain Logon: A domain logon requires that the user have a user account in the domain's Active Directory.
• Network Logon

5. Interactive Local Logon

6. Interactive Domain Logon

7. Windows Interactive Logon Architecture

8. Windows Interactive Logon Components
Component - Description
Winlogon - Provides the interactive logon infrastructure.
Logon UI - Provides interactive UI rendering.
Credential providers (password and smart card) - Describe credential information and serialize credentials.
LSA - Processes logon credentials.
Authentication packages - Include NTLM and Kerberos; communicate with server-side authentication packages to authenticate users.
9. Windows Credential Providers
LogonUI enumerates all of the credential providers registered under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
A credential provider DLL should implement the following two COM interfaces:
1. ICredentialProviderCredential
2. ICredentialProvider
The serialized credentials are handed to LogonUI through ICredentialProviderCredential::GetSerialization.

10. Live Demo

11. Disable Credential Provider
• Method 1: Using Group Policy
  • Open the local Group Policy editor, navigate to Computer Configuration -> Administrative Templates -> System -> Logon, and find the policy "Exclude credential providers" on the right side.
  • Right-click "Exclude credential providers", click Edit, click Enabled, and enter the comma-separated CLSIDs of the credential providers to exclude during authentication.
  • Click OK to save the changes.
• Method 2: Using the Registry
  • Open Registry Editor, then navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
  • Right-click the CLSID of the provider, select New -> DWORD (32-bit) Value, name the value Disabled, then set the value data to 1.
  • The provider will be disabled in the next session created on log off, switch user, or reboot.
• Sysinternals Autoruns (its Winlogon tab lists registered credential providers and lets you untick one to disable it)
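An added PowerShell audit script (not from the slides) that walks the registry key from slide 9 the same way LogonUI does, resolves each CLSID to its DLL and Authenticode signer so that a planted provider stands out, and applies the Disabled DWORD from slide 11, Method 2. It assumes an elevated PowerShell 5.1 or later session; the function names and the "Suspicious" heuristic (signature not valid, or signer not Microsoft) are my own choices.

```powershell
# Added audit helper, not part of the original slides. Assumes PowerShell 5.1+
# running as Administrator. The registry key is the one LogonUI enumerates.
$regRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderInventory {
    # Every subkey is a CLSID; the COM server DLL lives under HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32.
    Get-ChildItem -Path $regRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($server) { $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)') }

        # Authenticode check: a missing DLL, a broken signature or a non-Microsoft signer is worth a second look.
        $signer = 'n/a'; $status = 'DllMissing'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $props.'(default)'
            Dll        = $dll
            SigStatus  = $status
            Signer     = $signer
            Disabled   = [int]($props.Disabled -eq 1)      # 1 when slide 11's Disabled DWORD is set
            Suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        }
    }
}

function Disable-CredentialProvider {
    # Slide 11, Method 2: a Disabled DWORD of 1 under the provider's CLSID subkey.
    # Takes effect at the next logon session (log off, switch user, or reboot).
    param([Parameter(Mandatory)][string]$Clsid)
    New-ItemProperty -Path (Join-Path $regRoot $Clsid) -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: print the inventory, suspicious entries first.
Get-CredentialProviderInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Pass a CLSID from the inventory to Disable-CredentialProvider to disable it; on 64-bit Windows, 32-bit providers registered under WOW6432Node are not covered by this query.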
