SlideShare a Scribd company logo

Defcon 20 stamp out hash corruption crack all the things

C
claudijd

This is the presentation that @reynolds and @claudijd presented at DEFCON, which demonstrates how password extraction tools yield corrupted hashes, how the flaw was identified and the fix.

Technology
1 of 44
 Manager, Crowe Horwath  Pentester  Twitter: @reynoldsrb
 SpiderLabs Security Researcher, Trustwave  Vulnerability Research  Twitter: @claudijd
 Windows Hash Extraction  Story of What We Found  Windows Hash Extraction Mechanics  A Different Approach  Why Are All the Tools Broken?  Demo  Patches
 Two Types of Hashes:  LM (Lan Manager) ▪ Old Hashing Algorithm w/ Security Flaws ▪ Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager) ▪ Newer Hashing Algorithm w/ Security Flaws ▪ Not salted, but is case sensitive
 Two Methods to Get Hashes:  Injection via LSASS ▪ Reads hashes from memory  Registry Reading via SAM/SYSTEM ▪ Reads hashes from local registry hives
 Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation  Failed to Crack  John the Ripper  Rainbow Tables
 Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System  Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH)
 Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
 Beers  Hacking  More Beers
 HKLMSAM  Store security information for each user (including hash data)  HKLMSYSTEM  Stores the SYSKEY (encrypts the SAM information for security purposes)
 HKLMSAMSAMdomainsaccountusers  Users: 000001F4, ..1F5, etc.
 For each user, we have two values…  “F” – Binary Data ▪ Last Logon, Account Expires, Password Expiry, etc.  “V”- Binary Data ▪ Username, LM Hash Data, NT Hash Data, etc.
 Raw Data w/ LM & NTLM Data ...0000AAAAAAAA0000BBBBBBBB00000...  Raw Data w/ just NTLM Hash Data ...00000000BBBBBBBB0000000000000...
 Metasploit Hashdump Script  Creddump  Samdump2  Cain and Able  Pwdump7  FGDump 3.0  Others
OFFSET HASH DATA  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
 Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
OFFSET HASH DATA DATA++  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
BAD ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000...
 How do we get “DATA++”? OFFSET HASH DATA DATA++  By following Microsoft best practices  Set Password History  No LM Hashes
LM HASH DATA NT HASH DATA DATA++
 Newer OS’s do not store LM  Windows Vista and newer  LM can be disabled by a proactive Sysadmin  Password histories set through GPO
 We would want…  LM Exists?  NTLM Exists?  Parse correct hash data 100% of the time
 <insert slide here with the raw registry LM HEADER NT HEADER details> LM HASH DATA NT HASH DATA DATA++
 “V” hash 4 byte headers for LM & NTLN  0x4 (4 bytes) = Hash Not Present (false)  0x14 (20 bytes) = Hash Present (true)  No more guessing!
OFFSET HASH DATA DATA++  LM & NTLM If LM.exists? && NTLM.exists?  NTLM Else If NTLM.exists?  None Else
BAD LOGIC ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000... GOOD LOGIC ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000...
pwdump samdump2 Cain & Abel Creddump Fgdump 3.0 Metasploit Pwdump7
FGDump v. 3.0 Pwdump v. 1 Cain & Abel Creddump Pwdump7 v. 2.7.4 v. 0.1 v. 7.1 Samdump2 MSF Samdump2 v. 1.1.1 Hashdump v. 1.0.1 3/24/1997 3/28/04 7/9/05 11/21/07 12/30/09 11/9/11 2/20/08 3/10/10
 Reverse engineering is hard  Exhaustive testing is time consuming  Leveraging code is helpful  Fully reusing code is not always good  Open source let’s others learn and help fix!
Affected Tools Patched? Creddump Yes Metasploit’s Hashdump Script Yes L0phtcrack Working with Author(s) Pwdump7 Working with Author(s) FGDump 3.0 Working with Author(s) Samdump2 Fixed in v 1.1.1 Cain & Abel Working with Author(s)
 White Paper  Explains entire process in detail  Patches for Metasploit & Creddump  Example SAM/SYSTEM Files  Some users w/ DATA++  Some user w/o DATA++
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things

Recommended

jps & jvmtop
jps & jvmtopjps & jvmtop
jps & jvmtopScott Leberknight
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"abend_cve_9999_0001
 
Simple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPSimple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPTetsuyuki Kobayashi
 
Project00
Project00Project00
Project00Ganesh Chavan
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Brian Okken
 
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupJervin Real
 
Cram
CramCram
CramJamesBonfield
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDBLinaro
 

Recommended

jps & jvmtop
jps & jvmtopjps & jvmtop
jps & jvmtopScott Leberknight
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"abend_cve_9999_0001
 
Simple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPSimple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPTetsuyuki Kobayashi
 
Project00
Project00Project00
Project00Ganesh Chavan
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Brian Okken
 
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupJervin Real
 
Cram
CramCram
CramJamesBonfield
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDBLinaro
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling Larion
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Tweaking Google TV emulator
Tweaking Google TV emulatorTweaking Google TV emulator
Tweaking Google TV emulatorTetsuyuki Kobayashi
 
Vimm
VimmVimm
Vimmguest7f6a7f
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Torsten Seemann
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained상문 오
 
Puppet
PuppetPuppet
PuppetŁukasz Jagiełło
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds PmAndyA
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy StepsTim Serong
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdfshehbaz15
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
jvm goes to big data
jvm goes to big datajvm goes to big data
jvm goes to big datasrisatish ambati
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6While42
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyAerospike
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamStewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsGreat Wide Open
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Keisuke Takahashi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 

More Related Content

What's hot

CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling Larion
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Torsten Seemann
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained상문 오
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds PmAndyA
 

What's hot (11)

CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Tweaking Google TV emulator
Tweaking Google TV emulatorTweaking Google TV emulator
Tweaking Google TV emulator
 
Vimm
VimmVimm
Vimm
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained
 
Puppet
PuppetPuppet
Puppet
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds Pm
 

Similar to Defcon 20 stamp out hash corruption crack all the things

High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy StepsTim Serong
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdfshehbaz15
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6While42
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyAerospike
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamStewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsGreat Wide Open
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Keisuke Takahashi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking systemJesse Vincent
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2Marian Marinov
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayCosimo Streppone
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big DataFrank Denis
 
Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)Anand Sampat
 

Similar to Defcon 20 stamp out hash corruption crack all the things (20)

High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdf
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
jvm goes to big data
jvm goes to big datajvm goes to big data
jvm goes to big data
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen Filesystems
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking system
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard Way
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Bettercap
BettercapBettercap
Bettercap
 
Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big Data
 
Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)
 

Recently uploaded

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Defcon 20 stamp out hash corruption crack all the things

  • 1.
  • 2. Manager, Crowe Horwath  Pentester  Twitter: @reynoldsrb
  • 3. SpiderLabs Security Researcher, Trustwave  Vulnerability Research  Twitter: @claudijd
  • 4.
  • 5. Windows Hash Extraction  Story of What We Found  Windows Hash Extraction Mechanics  A Different Approach  Why Are All the Tools Broken?  Demo  Patches
  • 6.
  • 7. Two Types of Hashes:  LM (Lan Manager) ▪ Old Hashing Algorithm w/ Security Flaws ▪ Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager) ▪ Newer Hashing Algorithm w/ Security Flaws ▪ Not salted, but is case sensitive
  • 8. Two Methods to Get Hashes:  Injection via LSASS ▪ Reads hashes from memory  Registry Reading via SAM/SYSTEM ▪ Reads hashes from local registry hives
  • 9.
  • 10. Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation  Failed to Crack  John the Ripper  Rainbow Tables
  • 11. Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System  Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH)
  • 12. Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  • 13.
  • 14. Beers  Hacking  More Beers
  • 15.
  • 16. HKLMSAM  Store security information for each user (including hash data)  HKLMSYSTEM  Stores the SYSKEY (encrypts the SAM information for security purposes)
  • 17. HKLMSAMSAMdomainsaccountusers  Users: 000001F4, ..1F5, etc.
  • 18. For each user, we have two values…  “F” – Binary Data ▪ Last Logon, Account Expires, Password Expiry, etc.  “V”- Binary Data ▪ Username, LM Hash Data, NT Hash Data, etc.
  • 19. Raw Data w/ LM & NTLM Data ...0000AAAAAAAA0000BBBBBBBB00000...  Raw Data w/ just NTLM Hash Data ...00000000BBBBBBBB0000000000000...
  • 20. Metasploit Hashdump Script  Creddump  Samdump2  Cain and Able  Pwdump7  FGDump 3.0  Others
  • 21. OFFSET HASH DATA  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
  • 22.
  • 23. Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  • 24. OFFSET HASH DATA DATA++  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
  • 26. How do we get “DATA++”? OFFSET HASH DATA DATA++  By following Microsoft best practices  Set Password History  No LM Hashes
  • 27. LM HASH DATA NT HASH DATA DATA++
  • 28. Newer OS’s do not store LM  Windows Vista and newer  LM can be disabled by a proactive Sysadmin  Password histories set through GPO
  • 29. We would want…  LM Exists?  NTLM Exists?  Parse correct hash data 100% of the time
  • 30. <insert slide here with the raw registry LM HEADER NT HEADER details> LM HASH DATA NT HASH DATA DATA++
  • 31. “V” hash 4 byte headers for LM & NTLN  0x4 (4 bytes) = Hash Not Present (false)  0x14 (20 bytes) = Hash Present (true)  No more guessing!
  • 32. OFFSET HASH DATA DATA++  LM & NTLM If LM.exists? && NTLM.exists?  NTLM Else If NTLM.exists?  None Else
  • 34.
  • 35. pwdump samdump2 Cain & Abel Creddump Fgdump 3.0 Metasploit Pwdump7
  • 36. FGDump v. 3.0 Pwdump v. 1 Cain & Abel Creddump Pwdump7 v. 2.7.4 v. 0.1 v. 7.1 Samdump2 MSF Samdump2 v. 1.1.1 Hashdump v. 1.0.1 3/24/1997 3/28/04 7/9/05 11/21/07 12/30/09 11/9/11 2/20/08 3/10/10
  • 37. Reverse engineering is hard  Exhaustive testing is time consuming  Leveraging code is helpful  Fully reusing code is not always good  Open source let’s others learn and help fix!
  • 38.
  • 39.
  • 40. Affected Tools Patched? Creddump Yes Metasploit’s Hashdump Script Yes L0phtcrack Working with Author(s) Pwdump7 Working with Author(s) FGDump 3.0 Working with Author(s) Samdump2 Fixed in v 1.1.1 Cain & Abel Working with Author(s)
  • 41. White Paper  Explains entire process in detail  Patches for Metasploit & Creddump  Example SAM/SYSTEM Files  Some users w/ DATA++  Some user w/o DATA++