   Manager, Crowe Horwath   Pentester   Twitter: @reynoldsrb
   SpiderLabs Security Researcher, Trustwave   Vulnerability Research   Twitter: @claudijd
   Windows Hash Extraction   Story of What We Found   Windows Hash Extraction Mechanics   A Different Approach   Why ...
   Two Types of Hashes:     LM (Lan Manager)      ▪ Old Hashing Algorithm w/ Security Flaws      ▪ Case insensitivity, B...
   Two Methods to Get Hashes:     Injection via LSASS      ▪ Reads hashes from memory     Registry Reading via SAM/SYST...
   Social Engineering Engagement     Gained Physical Access     Dumped Hashes on a Bank Workstation   Failed to Crack ...
   Internal Penetration Assessment     Popped a Shell via Missing Patch     Dumped Hashes on System   Fail to Crack   ...
   Via Registry (Metasploit)     LM: 4500a2115ce8e23a99303f760ba6cc96     NTLM: 5c0bd165cea577e98fa92308f996cf45   Via...
   Beers   Hacking   More Beers
   HKLMSAM     Store security information for each user (including     hash data)   HKLMSYSTEM     Stores the SYSKEY (...
   HKLMSAMSAMdomainsaccountusers     Users: 000001F4, ..1F5, etc.
   For each user, we have two values…     “F” – Binary Data      ▪ Last Logon, Account Expires, Password Expiry, etc.   ...
   Raw Data w/ LM & NTLM Data...0000AAAAAAAA0000BBBBBBBB00000...   Raw Data w/ just NTLM Hash Data...00000000BBBBBBBB000...
   Metasploit Hashdump Script   Creddump   Samdump2   Cain and Able   Pwdump7   FGDump 3.0   Others
OFFSET       HASH DATA   LM & NTLM   If size > 40 bytes?   NTLM        Else If size > 20 bytes?   None        Else
   Via Registry (Metasploit)     LM: 4500a2115ce8e23a99303f760ba6cc96     NTLM: 5c0bd165cea577e98fa92308f996cf45   Via...
OFFSET       HASH DATA            DATA++   LM & NTLM   If size > 40 bytes?   NTLM        Else If size > 20 bytes?   Non...
BAD...0000AAAAAAAA0000BBBBBBBB00000......00000000BBBBBBBB0000000000000...
   How do we get “DATA++”?     OFFSET            HASH DATA        DATA++   By following Microsoft best practices     Se...
LM HASH DATA     NT HASH DATA        DATA++
   Newer OS’s do not store LM     Windows Vista and newer     LM can be disabled by a proactive Sysadmin   Password hi...
   We would want…     LM Exists?     NTLM Exists?     Parse correct hash data 100% of the time
   <insert slide here with the raw registry                      LM HEADER     NT HEADER    details>                 LM H...
   “V” hash 4 byte headers for LM & NTLN     0x4 (4 bytes) = Hash Not Present (false)     0x14 (20 bytes) = Hash Presen...
OFFSET       HASH DATA            DATA++   LM & NTLM   If LM.exists? && NTLM.exists?   NTLM        Else If NTLM.exists?...
BAD LOGIC...0000AAAAAAAA0000BBBBBBBB00000......00000000BBBBBBBB0000000000000...GOOD LOGIC...0000AAAAAAAA0000BBBBBBBB00000....
pwdump samdump2  Cain & Abel   Creddump Fgdump 3.0       Metasploit   Pwdump7
FGDump                                                                  v. 3.0Pwdump v. 1                        Cain & Ab...
   Reverse engineering is hard     Exhaustive testing is time consuming   Leveraging code is helpful     Fully reusing...
Affected Tools                 Patched?         Creddump                       YesMetasploit’s Hashdump Script            ...
   White Paper     Explains entire process in detail   Patches for Metasploit & Creddump   Example SAM/SYSTEM Files   ...
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Upcoming SlideShare
Loading in …5
×

Defcon 20 stamp out hash corruption crack all the things

2,965 views

Published on

This is the presentation that @reynolds and @claudijd presented at DEFCON, which demonstrates how password extraction tools yield corrupted hashes, how the flaw was identified and the fix.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,965
On SlideShare
0
From Embeds
0
Number of Embeds
1,540
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Defcon 20 stamp out hash corruption crack all the things

  1. 1.  Manager, Crowe Horwath Pentester Twitter: @reynoldsrb
  2. 2.  SpiderLabs Security Researcher, Trustwave Vulnerability Research Twitter: @claudijd
  3. 3.  Windows Hash Extraction Story of What We Found Windows Hash Extraction Mechanics A Different Approach Why Are All the Tools Broken? Demo Patches
  4. 4.  Two Types of Hashes:  LM (Lan Manager) ▪ Old Hashing Algorithm w/ Security Flaws ▪ Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager) ▪ Newer Hashing Algorithm w/ Security Flaws ▪ Not salted, but is case sensitive
  5. 5.  Two Methods to Get Hashes:  Injection via LSASS ▪ Reads hashes from memory  Registry Reading via SAM/SYSTEM ▪ Reads hashes from local registry hives
  6. 6.  Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation Failed to Crack  John the Ripper  Rainbow Tables
  7. 7.  Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH)
  8. 8.  Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45 Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  9. 9.  Beers Hacking More Beers
  10. 10.  HKLMSAM  Store security information for each user (including hash data) HKLMSYSTEM  Stores the SYSKEY (encrypts the SAM information for security purposes)
  11. 11.  HKLMSAMSAMdomainsaccountusers  Users: 000001F4, ..1F5, etc.
  12. 12.  For each user, we have two values…  “F” – Binary Data ▪ Last Logon, Account Expires, Password Expiry, etc.  “V”- Binary Data ▪ Username, LM Hash Data, NT Hash Data, etc.
  13. 13.  Raw Data w/ LM & NTLM Data...0000AAAAAAAA0000BBBBBBBB00000... Raw Data w/ just NTLM Hash Data...00000000BBBBBBBB0000000000000...
  14. 14.  Metasploit Hashdump Script Creddump Samdump2 Cain and Able Pwdump7 FGDump 3.0 Others
  15. 15. OFFSET HASH DATA LM & NTLM If size > 40 bytes? NTLM Else If size > 20 bytes? None Else
  16. 16.  Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45 Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  17. 17. OFFSET HASH DATA DATA++ LM & NTLM If size > 40 bytes? NTLM Else If size > 20 bytes? None Else
  18. 18. BAD...0000AAAAAAAA0000BBBBBBBB00000......00000000BBBBBBBB0000000000000...
  19. 19.  How do we get “DATA++”? OFFSET HASH DATA DATA++ By following Microsoft best practices  Set Password History  No LM Hashes
  20. 20. LM HASH DATA NT HASH DATA DATA++
  21. 21.  Newer OS’s do not store LM  Windows Vista and newer  LM can be disabled by a proactive Sysadmin Password histories set through GPO
  22. 22.  We would want…  LM Exists?  NTLM Exists?  Parse correct hash data 100% of the time
  23. 23.  <insert slide here with the raw registry LM HEADER NT HEADER details> LM HASH DATA NT HASH DATA DATA++
  24. 24.  “V” hash 4 byte headers for LM & NTLN  0x4 (4 bytes) = Hash Not Present (false)  0x14 (20 bytes) = Hash Present (true) No more guessing!
  25. 25. OFFSET HASH DATA DATA++ LM & NTLM If LM.exists? && NTLM.exists? NTLM Else If NTLM.exists? None Else
  26. 26. BAD LOGIC...0000AAAAAAAA0000BBBBBBBB00000......00000000BBBBBBBB0000000000000...GOOD LOGIC...0000AAAAAAAA0000BBBBBBBB00000......00000000BBBBBBBB0000000000000...
  27. 27. pwdump samdump2 Cain & Abel Creddump Fgdump 3.0 Metasploit Pwdump7
  28. 28. FGDump v. 3.0Pwdump v. 1 Cain & Abel Creddump Pwdump7 v. 2.7.4 v. 0.1 v. 7.1 Samdump2 MSF Samdump2 v. 1.1.1 Hashdump v. 1.0.13/24/1997 3/28/04 7/9/05 11/21/07 12/30/09 11/9/11 2/20/08 3/10/10
  29. 29.  Reverse engineering is hard  Exhaustive testing is time consuming Leveraging code is helpful  Fully reusing code is not always good Open source let’s others learn and help fix!
  30. 30. Affected Tools Patched? Creddump YesMetasploit’s Hashdump Script Yes L0phtcrack Working with Author(s) Pwdump7 Working with Author(s) FGDump 3.0 Working with Author(s) Samdump2 Fixed in v 1.1.1 Cain & Abel Working with Author(s)
  31. 31.  White Paper  Explains entire process in detail Patches for Metasploit & Creddump Example SAM/SYSTEM Files  Some users w/ DATA++  Some user w/o DATA++

×