[ENG] IPv6 shipworm + My little Windows domain pwnie

Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack

Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814

  • Teredo bubble exchange (NAT hole punching):
    1. The relay sends an encapsulated bubble packet to the Teredo client’s server with the IPv6 destination set to the Teredo peer. The server address is extracted from the client’s Teredo address.
    2. The server passes the bubble along to the Teredo client, adding origin data (the IPv4 address and port of the relay).
    3. The NAT receives the packet and passes it on to the client. The NAT allows this because the client and server communicate on a regular basis.
    4. Upon receipt of the bubble, the client sends an encapsulated bubble to the address and port in the origin data (the relay).
    5. The encapsulated bubble is received by the NAT and forwarded to the relay. The NAT now sees the relay as a recent peer and allows incoming packets from it.
  • Even if you turn off the firewall (or install a less secure one),
  • The DC, the attacker and the victim Win7 machines have to be started. Show the domain admin logging on to their machine with a 15-character password, then locking it. Log on to the attacker Win7 with an 8-character password. Set the new hash with WCE, create a new user and grant it domain admin rights. Before that:
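  The five-step bubble exchange in the note above, as an added simulation that is not part of the talk: a minimal port-restricted NAT model shows why a direct packet from the relay is dropped before the exchange and delivered after it. The server address is the one from the slides; the relay address is constructed.

```python
class RestrictedNat:
    """Port-restricted NAT in front of one Teredo client: an inbound UDP packet from an
    outside (ip, port) is passed only if the client has already sent to that (ip, port).
    Real NATs age these mappings out, which is why Teredo sends keep-alive bubbles."""

    def __init__(self):
        self.peers = set()

    def outbound(self, dst):
        """Client sends to dst; the NAT records dst as an allowed peer."""
        self.peers.add(dst)

    def inbound(self, src):
        """Outside host src sends to the client; True if the NAT delivers it."""
        return src in self.peers


SERVER = ("83.170.6.76", 3544)      # Teredo server IPv4 from the slide's address, Teredo UDP port
RELAY = ("198.51.100.7", 3544)      # constructed relay address (documentation range)


def fresh_nat():
    """NAT state of a qualified client: it talks to its server regularly (keep-alive every 30 s)."""
    nat = RestrictedNat()
    nat.outbound(SERVER)
    return nat


def direct_relay_packet(nat):
    """Relay tries to reach the client directly, before any bubble exchange."""
    return nat.inbound(RELAY)


def bubble_exchange(nat):
    """The five steps from the note. Returns (relay can now reach the client, trace)."""
    trace = ["1 relay->server: bubble for the client (server IPv4 taken from the client's Teredo address)"]
    origin = RELAY                  # 2 server forwards the bubble, adding origin = relay ip:port
    if not nat.inbound(SERVER):     # 3 NAT passes it only because client<->server traffic is ongoing
        return False, trace + ["3 NAT dropped the server's packet"]
    trace.append("2-3 server->client: bubble, origin=%s:%d" % origin)
    nat.outbound(origin)            # 4 client answers with a bubble to the origin address (the relay)
    trace.append("4 client->relay: bubble (NAT now records the relay as a peer)")
    trace.append("5 relay->client: %s" % ("delivered" if nat.inbound(RELAY) else "dropped"))
    return nat.inbound(RELAY), trace
```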
  • [ENG] IPv6 shipworm + My little Windows domain pwnie

    1. IPv6 shipworm + My little Windows domain pwnie
       18. 09. 2011, Zoltán Balázs
    2. Disclaimer
       • All views and opinions I share with you today are my own.
       • The following presentation does not represent the views of any of my previous or present employers.
       • don’t try this at home or at work – for educational purposes only
    3. Who am I?
       • Certified Interspecie-ial Sheep Shearing Professional (CISSP)
       • Certified Pajama Toaster Specialist (CPTS)
       • Microsoft Certified Psychopath (MCP)
       • Certified Propeller Beanie Hat Script Kiddie (CPBHSK)
       • 7 years of experience with IT Security
    4-5. This presentation is NOT about...
       • assembly – buffer overflow, egghunting, NOPsled, SEH exploits, ROP
       • kernel rootkits
       • stuxnet
       • zero day
       • any new stuff you can find on the internet
    6. What’s next?
       • a fictitious hacking scenario
         – IPv6 Teredo protocol
         – Pass the hash
         – NTLM authentication
       • Both attacks have been known for more than a decade, but are still (or even more) effective.
         – “precious ancient treasures”
    7. IPv6 Teredo basics
       • IPv6: native, 6in4, 6over4, 6to4, 6rd, ISATAP, Teredo, etc.
       • goal of Teredo (a.k.a. IPv6 shipworm): IPv6 behind IPv4 NAT (UDP tunneling)
       • Teredo components
         – client
         – server
         – relay || host-specific relay
         – IPv6 peer
       • attention conspiracy theory fans
         – teredo.ipv6.microsoft.com – default MS WIN server
         – knows every non-Teredo IPv6 peer you are communicating with ...
    8. (figure only)
    9. Teredo address decoding: 2001:0000:53aa:064c:0055:6bbf:a67b:7887
       Bits         0-31        32-63               64-79    80-95                96-127
       Length       32 bits     32 bits             16 bits  16 bits              32 bits
       Description  Prefix      Teredo server IPv4  Flags    Obfuscated UDP port  Obfuscated client public IPv4
       Part         2001:0000   53aa:064c           0055     6bbf                 a67b:7887
       Decoded                  83.170.6.76                  37952                89.132.135.120
       online decoder: http://isc.sans.org/tools/ipv6.html
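    As an added example that is not from the talk, a Python decoder for the field layout on this slide, applied to the slide's address and to any Teredo address found in a server's own access log (so an operator can see which visitors arrive through a tunnel and which public IPv4/port their NAT mapped for it). The log lines are constructed.

```python
import ipaddress

# Teredo prefix (RFC 4380); the slide's field layout follows the RFC
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0000::/32")


def is_teredo(addr: str) -> bool:
    """True if addr parses as an IPv6 address inside 2001:0000::/32."""
    try:
        return ipaddress.IPv6Address(addr) in TEREDO_PREFIX
    except ValueError:
        return False


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address into the slide's fields: bits 0-31 prefix, 32-63 server IPv4,
    64-79 flags, 80-95 client UDP port, 96-127 client public IPv4. Port and client IPv4
    are stored XORed with all-ones, so XORing again recovers them."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed                                  # 16 bytes, network byte order
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": flags,
        "cone": bool(flags & 0x8000),                # top flag bit: client behind a cone NAT
        "port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }


def teredo_clients_in_log(lines):
    """Yield (ipv6, decoded fields) for log lines whose first field is a Teredo address.
    Assumes the client address is the first whitespace-separated field (combined log format)."""
    for line in lines:
        parts = line.split(None, 1)
        if parts and is_teredo(parts[0]):
            yield parts[0], decode_teredo(parts[0])


# constructed sample log: the slide's address plus one native IPv6 visitor
SAMPLE_LOG = [
    '2001:0000:53aa:064c:0055:6bbf:a67b:7887 - - [18/Sep/2011:10:00:00 +0200] "GET /v6.png HTTP/1.1" 200 512',
    '2001:db8::1 - - [18/Sep/2011:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip6, fields in teredo_clients_in_log(SAMPLE_LOG):
        print(ip6, fields)
```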
    10. (figure only)
    11. Qualification (simplified …)
    12. Bubble packets
       bubble packets are sent out every 30 seconds for keep-alive
    13. NAT hole – ICMPv6 bubble
    14. NAT hole – with Romeo and Juliet
    15. Our journey begins
       • target of the attack
         – auditor/pentester company
         – steal reports/findings
       • TCP/(known service UDP) port scan
         – nmap
         – no TCP/known service UDP ports opened
       • google fu
         – we locate a forum post from the pentester
           • Linux – BackTrack5 user
           • No Script – no Java/Flash/browser 0-day
    16. scenario
    17. Pwning the BT5
       • The pentester was complaining on the forum that IPv6 is not working on his BT5
         – we suggest running miredo (Teredo Linux implementation)
       • get the pentester to visit our website (e.g. test IPv6 here), or find XSS on the forum
         – IPv6 object (image, iframe) hosted by the attacker
         – extract Teredo IPv6 address from webserver logs
       • portscan the Teredo IPv6 address
       • TCP port 22 (SSH) on Teredo address open
    18. Lightning round – for 1 HACKER PSCHORR
    19. Lightning round – for 1 HACKER PSCHORR
       • What could be the password for the user root after double rot13 encryption, if we know it is a Backtrack5 OS?
    20. Lightning round – for 1 HACKER PSCHORR
       • What could be the password for the user root after double rot13 encryption, if we know it is a Backtrack5 OS?
       • yes, the answer is toor
       • default SSHD configuration
         – listens on every interface (IPv4, IPv6)
         – PermitRootLogin yes
    21. Video
    22. scenario
    23. Root access is like the key to the kingdom for Romeo
    24. Windows Teredo implementation is secure by default
       • although Teredo is enabled by default
       • Windows firewall will block Teredo
         • if not explicitly allowed for the port/application
         • IPV6_PROTECTION_LEVEL: PROTECTION_LEVEL_UNRESTRICTED
       • Teredo is secure until a vuln in ...
         – Windows firewall
         – UDP/TCP/IP/IPV6/Teredo stack
         – NIC driver level
       • Teredo backdoor – meterpreter IPv6 bind shell
       • Teredo DNS spoofing…
    25. Lessons learned
       • Teredo has security holes by design
       • know the protocol you are using
       • change passwords, srsly, change passwords
       • disable SSH listening on every interface
       • configure ip6tables locally
       • Close ports on the network firewall if they are not needed, even outbound ones. Especially close every outgoing UDP port which is not needed.
       • use Windows
    26. Pass the hash – a.k.a. My little Windows domain pwnie
       known since 1997, Bugtraq ID number 233
    27. Windows local admin hashes
       • local login – the user password is verified by NTLM (NT Lan Manager):
           if (NTLMHash(userPassword) == decryptWithSyskey(encryptedLocalUserNTLMHash))
               login();
           else
               raise WrongPasswordException();
       • Security Accounts Management Database (SAM) (%SystemRoot%/SAM)
         – stores encrypted hashed copies of (local) user passwords
       • syskey is either stored in
         – registry (%SystemRoot%/SYSTEM) – optionally password protected
         – floppy …
    28. Extract hashes of the Windows local admin(s)
       • well known tools to extract the local user hashes
         – online OS – via dll injection – pwdumpX/fgdump/cain
         – offline OS – access to SAM files – bkhive, samdump2
       • security rule of thumb: never ever reuse passwords
         – do you reuse local admin passwords if you have thousands of workstations?
       • common excuses for password reuse
         – „it is random, 20 characters long with special characters”
         – „the weak LM hash is not stored”
         – „no one can break it”
    29. Lightning round – for another HACKER PSCHORR
       • What is the minimum number of characters in the password, if the local admin password hash looks like this?
         – User:Domain:aad3b435b51404eeaad3b435b51404ee:25edfdbf01ae5d63be05f958b4221fb9
         – additional info: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 0
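    An added Python audit, not from the talk, covering slides 28 and 29: it parses constructed pwdump-format dumps (user:rid:lmhash:nthash:::) collected from several workstations, applies the LM-hash reasoning behind the lightning round with the NoLMHash setting as an input, and reports the local admin password reuse slide 28 warns about. The WS03 hashes are made up; the WS01/WS02 NT hash is the one on the slide.

```python
import re
from collections import defaultdict

# LM hash Windows stores when none exists: NoLMHash=1 or the password is longer than 14 chars
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# pwdump/fgdump line format: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(line):
    """Return (user, rid, lm, nt) with hashes lower-cased, or None for a malformed line."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()


def min_password_length(lm, nolmhash):
    """Shortest password consistent with the LM field: LM cannot encode more than 14
    characters, so with NoLMHash=0 a blank LM hash means at least 15. Otherwise unknown (0)."""
    return 15 if lm == EMPTY_LM and not nolmhash else 0


def audit_local_hashes(dumps):
    """dumps maps hostname -> pwdump lines. Returns (hosts, user, finding) tuples for accounts
    that still store an LM hash and for an NT hash shared by several hosts (password reuse)."""
    hosts_by_nt = defaultdict(set)
    findings = []
    for host, lines in dumps.items():
        for line in lines:
            parsed = parse_pwdump(line)
            if parsed is None:
                continue
            user, rid, lm, nt = parsed
            if lm != EMPTY_LM:
                findings.append((host, user, "LM hash stored: password is at most 14 characters"))
            hosts_by_nt[(user.lower(), nt)].add(host)
    for (user, nt), hosts in hosts_by_nt.items():
        if len(hosts) > 1:
            findings.append((",".join(sorted(hosts)), user, "same NT hash on %d hosts: password reuse" % len(hosts)))
    return findings


# constructed dumps: WS01 and WS02 share the admin hash from the slide, WS03 still stores an LM hash
DUMPS = {
    "WS01": ["Administrator:500:aad3b435b51404eeaad3b435b51404ee:25edfdbf01ae5d63be05f958b4221fb9:::"],
    "WS02": ["Administrator:500:aad3b435b51404eeaad3b435b51404ee:25edfdbf01ae5d63be05f958b4221fb9:::"],
    "WS03": ["Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::"],
}
```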
    30. Scenario
       • BackTrack5 was installed as a dual boot OS
         – mount Win NTFS partition
         – extract local admin hashes
    31. Video
    32. Scenario
    33. Pass the hash
       • cracking the NTLM hash of a 15-character mixed-case random alphanumeric password takes …
         – 1.7*10^10 years with today’s GPUs
           • even with a lifetime GPU warranty it looks impossible…
         – the universe is around 1.375*10^10 years old
       • What is the purpose of cracking hashes???
         – we can authenticate with the hash
           • without knowing the password!!!
    34. Romeo – get Juliet’s fingerprint (not the finger, just the fingerprint)
       Juliet has access to Lord Capulet’s room with fingerprint authentication, which means Romeo has access to Capulet’s room, too.
    35. Pass the hash
       • „NTLM single sign on” is a security problem by design
       • in the RAM, there has to be something (e.g. hash) you can authenticate with
         – it would be slightly inconvenient to type your password every time you want to authenticate to a network resource
    36. Pass the hash attack – in theory and on SecurityTube
       • search for a workstation
         – with a logged in domain administrator
       • authenticate to this workstation as a local admin with the local admin hash
         – SMB (Server Message Block + psexec)
       • two ways to go
         – grab the domain admin password hashes (e.g. Windows Credentials Editor)
         – token impersonation (e.g. Meterpreter Incognito)
       • with the hash/token we are domain admin
       • this means PROFIT ...
         – where is the ??? step
    37. The ??? step: STATUS_ACCESS_DENIED
    38. Pass the hash attack – in practice
       • works on SMB if the domain admin uses WinXP
       • fails on SMB if the domain admin uses Vista/Win7/Win2k8
         – if authenticating as local admin via the network, admin privileges are dropped
       • Vista/Win7/Win2k8 SMB attack may be possible
         – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1 (remote UAC)
       • Vista/Win7/Win2k8 attack is possible
         – Remote Desktop single sign on uses NTLM (attack only in theory, yet)
         – SQL Server Windows auth. uses NTLM (local priv. escalation still required)
    39. Video
    40. Scenario
    41. Scenario: Romeo – having the credentials of Lord Capulet
    42-46. How not to try to prevent pass the hash?
       • security people
         – non-representative survey in 2010, USA *
         – 2/3 of security professionals never heard about the pass the hash attack
       • antivirus
       • HIPS
       • Kerberos – pass the ticket
       • smartcard !
       * references
    47. Pass the hash prevention tips
       • the following advice could help you prevent the attack shown before
         – the pass the hash attack will still be effective, it’s by design
       • full disk encryption
       • different local admin password
         – e.g. trunc(hashAlphaNum(Passwd || WorkstationNumber), 15)
       • separate domain admin workstations
         – physically
         – network
       • domain admins should log in as domain admin only on servers
         – on workstations log in as domain user
       • don’t use the same workstation for web browsing and administrator tasks
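    The per-workstation local admin password formula from slide 47, implemented as an added example that is not from the talk. The slide does not name the hash function, so SHA-256 rendered in base 62 is an assumption, as is the NUL separator between the two inputs (it keeps ("WS1", "23") and ("WS12", "3") from producing the same password).

```python
import hashlib
import math
import string

ALPHANUM = string.ascii_letters + string.digits      # 62 symbols, letters and digits only


def hash_alphanum(data: bytes) -> str:
    """hashAlphaNum: SHA-256 the input and render the digest in base 62, so the result
    is alphanumeric and can be typed anywhere a local admin password is needed."""
    n = int.from_bytes(hashlib.sha256(data).digest(), "big")
    digits = []
    while n:
        n, r = divmod(n, len(ALPHANUM))
        digits.append(ALPHANUM[r])
    return "".join(reversed(digits))


def workstation_password(master_secret: str, workstation_number: str, length: int = 15) -> str:
    """trunc(hashAlphaNum(Passwd || WorkstationNumber), 15): one master secret kept by the
    admins, a different local admin password on every workstation, so a hash dumped from
    one box cannot be passed to another. The NUL separator is an assumption added here."""
    material = master_secret.encode() + b"\x00" + workstation_number.encode()
    return hash_alphanum(material)[:length]


def password_bits(length: int = 15) -> float:
    """Entropy of a uniformly random alphanumeric password of this length (15 chars: ~89 bits)."""
    return length * math.log2(len(ALPHANUM))
```

Changing the master secret rotates every workstation's password at once; passwords derived from the old secret stay valid until each machine is updated.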
    48. Pass the hash attack detection
       • legitimate events in event logs
         – it may be possible to locate the „attacker” workstation
       • Windows event code 552
         – „explicit credentials were used from another account”
           • too many false positives
       • in practice, if you detect the attack, you have already been pwned
    49. SMB pass the hash „worm”
       • this is my idea
       • implemented by my friend Buherator
         – metasploit module
         – http://bit.ly/qrM2V8
    50. References
       • The Teredo Protocol: Tunneling Past Network Security and Other Security Implications – Dr. James Hoagland, Principal Security Researcher, Symantec Advanced Threat Research – http://www.symantec.com/avcenter/reference/Teredo_Se
       • Hernan Ochoa: Windows Credentials Editor tool
       • Pass-the-hash attacks: Tools and Mitigation – Bashar Ewaida – http://www.sans.org/reading_room/whitepapers/testing/p
    51. H___t__p_____!
       Zoltan1.Balazs@gmail.com
       ZBalazs@DeloitteCE.com
