Secure360 - Extracting Password from Windows

This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.

Relevant blog links have been provided below.

https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords

More security blogs by the authors can be found at
https://www.netspi.com/blog/

1. Like what you hear? Tweet it using: #Sec360

2. INTRODUCTIONS
   Who are we?
   • Scott Sutherland
   • Antti Rantasaari
   What do we do?
   • Network and application penetration testing at NetSPI

3. GOAL
   Provide a basic understanding of how passwords can be exposed on Windows systems
   • What are the common controls?
   • What are their limitations?
   • How can we reduce risk?

4. OVERVIEW
   How to steal credentials from Microsoft technologies:
   • Password storage
   • Cleartext passwords
   • Encrypted passwords
   • Password hashes
   • Authentication tokens

5. PASSWORD STORAGE
   • Hashed passwords
     - Used when the cleartext password is not required later
     - No key required; the hashing process can't be reversed
   • Encrypted passwords
     - Used when the cleartext password will be required later
     - Requires a key to decrypt the password
     - Requires key management
   • Encoded passwords
     - Should not be used to protect passwords
     - No key required to decode the password
   • Cleartext passwords – Don't do that!

6. CLEARTEXT PASSWORDS
   Why does it matter if passwords are stored or transmitted in cleartext?
   • Vulnerabilities can provide read-only access to:
     - OS files, backup files, and file shares
     - Network traffic
   • Passwords can then be used to access:
     - Systems
     - Applications / databases
     - Sensitive information

7. CLEARTEXT PASSWORDS
   Why does it matter if passwords are stored or transmitted in cleartext?
   • Vulnerability examples:
     - File traversal
     - Local file includes
     - Excessive privileges on shares
     - ARP MITM

8. CLEARTEXT PASSWORDS
   Where can I find cleartext passwords?
   • Mapped network drives – user files
   • Configuration files
   • Windows Registry
   • Active Directory
   • Websites
   • Script files
   • Log files

9. CLEARTEXT PASSWORDS – Mapped Network Drives
   • Users have access to a ton of file shares
   • File shares often have bad ACLs
   • Users love to store passwords in files
     - xls files
     - doc files
     - txt files
     - etc.

10. CLEARTEXT PASSWORDS – Mapped Network Drives
    • Easy to find passwords using:
      - Find
      - Grep
      - Spider
      - Notepad++
      - etc.

11. CLEARTEXT PASSWORDS – Mapped Network Drives – Recommendations
    • Review shares for passwords at regular intervals
    • Periodic audits of access controls on shares
    • User awareness training
    • Use proper password storage

12. CLEARTEXT PASSWORDS – Configuration Files
    • Sometimes config files are only accessible to administrators
    • Most config files are accessible to all users
      - Bad ACLs
      - Access to backups

13. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    • Files created to support the automation of large-scale image roll-outs
    • Configuration settings
    • Local and domain credentials

14. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    • Files can be read by ANY user on the system
    • There are many places they can be stored and used

15. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Locations where Setup looks for an answer file (from the TechNet reference above):
    Type      Location
    Registry  HKLM\System\Setup!UnattendFile
    File      %WINDIR%\Panther\Unattend
    File      %WINDIR%\Panther
    File      Removable read/write media, in order of drive letter, at the root of the drive
    File      Removable read-only media, in order of drive letter, at the root of the drive
    File      windowsPE and offlineServicing passes: Sources directory in a Windows distribution; all other passes: %WINDIR%\System32\Sysprep
    File      %SYSTEMDRIVE%

16. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    • Most of the time they are stored with no protection…
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx

17. CLEARTEXT PASSWORDS – Unattend and Sysprep Files
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Unattend.xml example – cleartext:

    …[snip]…
    <OOBE>
      <HideEULAPage>true</HideEULAPage>
      <NetworkLocation>Work</NetworkLocation>
      <ProtectYourPC>1</ProtectYourPC>
      <SkipMachineOOBE>true</SkipMachineOOBE>
      <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    <UserAccounts>
      <AdministratorPassword>
        <Value>Passw0rd</Value>
        <PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
    </component>
    …[snip]…

18. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    • Sometimes they are Base64 encoded…
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx

19. CLEARTEXT PASSWORDS – Unattend and Sysprep Files
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
    Unattend.xml example – Base64 encoded:

    …[snip]…
    <OOBE>
      <HideEULAPage>true</HideEULAPage>
      <NetworkLocation>Work</NetworkLocation>
      <ProtectYourPC>1</ProtectYourPC>
      <SkipMachineOOBE>true</SkipMachineOOBE>
      <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    <UserAccounts>
      <AdministratorPassword>
        <Value>UGFzc3cwcmQ=</Value>
        <PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
    </component>
    …[snip]…

20. CLEARTEXT PASSWORDS – Configuration Files – Sysprep
    • Sometimes they are Base64 encoded…
    Base64 encoding != encryption
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx

21. CLEARTEXT PASSWORDS – Unattend and Sysprep Files
    http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx

22. CLEARTEXT PASSWORDS – Configuration Files – Sysprep – Recommendations
    • Configure roll-out scripts to remove the sysprep answer files like unattend.xml
    • Additional notes:
      - Prevent remote logins by local administrators
      - Manage systems with domain groups
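An audit script for the point made on slides 17 to 22, added here as an example and not part of the original deck: it parses an answer file, reports every stored password and shows the Base64 form decoded, so that "encoded" is not mistaken for "protected" when checking whether roll-out scripts really removed these files. The suffix handling for PlainText=false follows Microsoft's documented obfuscation of that setting; the sample file, account names and values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag

def _base64_to_text(value):
    """Decode value as Base64 ASCII text; None if it is not valid, printable Base64."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
        return text if text.isprintable() else None
    except (ValueError, UnicodeDecodeError):
        return None

def find_answer_file_passwords(xml_text):
    """Audit an unattend.xml / sysprep answer file; return one dict per stored password.
    Any element with a <Value>/<PlainText> child pair is treated as a password container
    (AdministratorPassword, LocalAccount/Password and AutoLogon/Password share that shape)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" not in kids or "PlainText" not in kids or not kids["Value"]:
            continue
        name, value = _local(elem.tag), kids["Value"]
        if kids["PlainText"].lower() == "true":
            # Cleartext. Slide 19 shows a Base64 string stored here; report the decoded
            # form as well, because encoding is not encryption.
            findings.append({"element": name, "kind": "cleartext", "password": value,
                             "base64_decoded": _base64_to_text(value)})
        else:
            # PlainText=false is Microsoft's documented obfuscation: Base64 of the UTF-16LE
            # password with the element name appended. Anyone who can read the file reverses it.
            text = base64.b64decode(value).decode("utf-16-le")
            if text.endswith(name):
                text = text[:-len(name)]
            findings.append({"element": name, "kind": "obfuscated", "password": text,
                             "base64_decoded": None})
    return findings

def obfuscate(password, element_name):
    """Build a PlainText=false value; used only to construct the sample file below."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")

# Constructed sample modelled on the slide's Unattend.xml excerpt, not a real deployment file.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts>
      <AdministratorPassword>
        <Value>UGFzc3cwcmQ=</Value><PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
    <AutoLogon>
      <Password>
        <Value>{obfuscate("!PassW0rd!", "Password")}</Value><PlainText>false</PlainText>
      </Password>
    </AutoLogon>
  </component>
</unattend>"""
```

Run it over the answer-file locations listed on slide 15; any finding at all means the roll-out left credentials readable by every user on the system.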
23. CLEARTEXT PASSWORDS – Configuration Files – Web.config
    • Used to store IIS web application configurations
    • Often contain database passwords
    • By default passwords are cleartext

24. CLEARTEXT PASSWORDS – Configuration Files – Web.config
    • Typically stored at the webroot for each IIS site
    • Usually can be read by all users on the system

25. CLEARTEXT PASSWORDS – Configuration Files – Web.config – Recommendations
    • Encrypt passwords stored in web.config:
      aspnet_regiis.exe -pef "connectionStrings" c:\webapp
    • Additional notes:
      - Configure strong ACLs on the file system

26. CLEARTEXT PASSWORDS – Configuration Files – Web.config – Recommendations

27. CLEARTEXT PASSWORDS – Basic Authentication
    • Simple way to implement IIS authentication
    • Uses Base64 encoding, NOT ENCRYPTION
    • Credentials can be captured from network traffic over HTTP, or via man-in-the-middle over HTTPS

28. CLEARTEXT PASSWORDS – Basic Authentication
    • Basic authentication over SSL is not that bad
    • Very common to see it used over unencrypted HTTP connections

29. CLEARTEXT PASSWORDS – Basic Authentication
    • Base64 encoded:
      bmV0c3BpOlZlcnlTdHJvbmdBbmRIYXJkVG9HdWVzc1Bhc3N3b3Jk
    • Easily decoded Base64:
      netspi:VeryStrongAndHardToGuessPassword
    Microsoft ActiveSync (iPhone, etc.)

30. CLEARTEXT PASSWORDS – Basic Authentication – Recommendations
    • Basic Auth is simple, but not often necessary
    • Replace with Integrated Authentication to enforce an authentication handshake
    • Additional notes:
      - Integrated Authentication can still be exploited, but it's not as easy

31. CLEARTEXT PASSWORDS – Windows Registry
    • Many applications store passwords in cleartext
    • Easy to search for common strings to find passwords
    • Windows also stores some passwords in cleartext
      - Autologin username and password

32. CLEARTEXT PASSWORDS – Windows Registry – AutoLogin
    • Used by many kiosk and POS systems
    • Often stores autologin credentials in:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "AutoAdminLogon"="1"
      "DefaultUserName"="autoadmin"
      "DefaultPassword"="!PassW0rd!"
      "DefaultDomainName"="acme"

33. CLEARTEXT PASSWORDS – Windows Registry – AutoLogin

34. CLEARTEXT PASSWORDS – Windows Registry – AutoLogin – Recommendations
    • Only use autologin when necessary
    • If required, store credentials encrypted in LSASecrets
    • Additional notes:
      - The encrypted password can be recovered with administrative access to the system
    http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx

35. CLEARTEXT PASSWORDS – Active Directory
    • User comments
    • Custom properties

36. CLEARTEXT PASSWORDS – Active Directory – Recommendations
    • Don't store cleartext passwords in Active Directory
    • Audit Active Directory periodically for comments and custom objects that may contain passwords

37. ENCRYPTED PASSWORDS
    How is it possible to decrypt passwords protected by Microsoft technologies?
    Key point: if an application or OS can decrypt it, so can an attacker! …sometimes administrator access is required.

38. ENCRYPTED PASSWORDS
    How is it possible to recover passwords encrypted by Microsoft technologies?
    • Calling native OS and application functions
    • Recovering encryption keys
      - From the same system as the protected data
      - From external systems like HSMs
    • Using the keys and the correct algorithm to recover the protected data

39. ENCRYPTED PASSWORDS – Groups.xml
    • Windows AD Group Policy Preferences allow setting passwords for local accounts on domain systems

40. ENCRYPTED PASSWORDS – Groups.xml
    • For that to work the password has to be sent to the user's system
    • Groups.xml is pulled down from the SYSVOL share on the DC
    • SYSVOL and Groups.xml are accessible to all domain users and computer accounts

41. ENCRYPTED PASSWORDS
    • Updating a user results in groups.xml file creation

42. ENCRYPTED PASSWORDS
    • Passwords in groups.xml are AES-256 encrypted and Base64 encoded
    • To apply the password locally, the client has to decrypt it
    • To enable this, the encryption key is stored on clients
    • But MS released the STATIC key in an MSDN article; now anyone can decrypt the password!
    http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2

43. ENCRYPTED PASSWORDS
    • Groups.xml password decrypted with a simple PowerShell script
    https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

44. ENCRYPTED PASSWORDS – Groups.xml – Recommendations
    • Microsoft does not recommend setting passwords via Group Policy, so it's not a good idea to do that
    • Access to groups.xml cannot be prevented for domain users, so it should not be used
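A SYSVOL audit for the Groups.xml issue on slides 39 to 44, added as an example and not taken from the deck or from Get-GPPPassword: it reports every preference item that still carries a cpassword attribute, without decrypting anything, so the recommendation "do not set passwords via Group Policy" can be verified across the domain. Extending from the slide's Groups.xml to the other preference files that share the format is my generalization; the sample XML, account names and cpassword value are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute. Groups.xml is the
# case on the slides; the others share the same preference-file format.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per preference item that still stores a password.

    Nothing is decrypted: for an audit it is enough to know that an item ships a
    cpassword, which account it applies to and when it was last changed.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue  # attribute absent or empty string: no password in this item
        item = parent_of.get(elem, root)  # the <User>, <NTService>, ... owning <Properties>
        findings.append({
            "source": source,
            "item": item.get("name", ""),
            "changed": item.get("changed", ""),
            # Groups/Drives/DataSources/Printers use userName, Services uses accountName,
            # ScheduledTasks uses runAs.
            "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "",
        })
    return findings

def scan_sysvol(sysvol_dir):
    """Walk a SYSVOL copy (or any directory tree) and audit every GPP file found in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpasswords(fh.read(), source=path))
                except ET.ParseError:
                    pass  # skip files that are not well-formed XML
    return findings

# Constructed Groups.xml modelled on the slides: one item still carries a cpassword, one
# has an empty cpassword (password removed). The blob is a placeholder, not real ciphertext.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin" image="2" changed="2014-05-08 12:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_CPASSWORD" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User name="helpdesk" image="2" changed="2014-05-09 09:30:00">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>"""
```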
45. ENCRYPTED PASSWORDS – LSASecrets
    • Used to store all kinds of passwords
      - Service accounts
      - Autologin
      - Applications

46. ENCRYPTED PASSWORDS – LSASecrets
    • Passwords are stored encrypted in the registry: HKLM:\SECURITY\Policy\Secrets
    • Only viewable by LocalSystem
    • But… administrators can become LocalSystem

47. ENCRYPTED PASSWORDS – LSASecrets
    Administrator Access vs. LocalSystem Access

48. ENCRYPTED PASSWORDS – LSASecrets
    • Additional information is also required from the subkeys of HKLM:\SECURITY\Policy

49. ENCRYPTED PASSWORDS – LSASecrets
    • Use native API methods to decrypt the secrets:
      LsaRetrievePrivateData
      LsaStorePrivateData
      LsaOpenPolicy
      LsaNtStatusToWinError
      LsaClose
      LsaFreeMemory

50. ENCRYPTED PASSWORDS – LSASecrets – Service Account Example

51. ENCRYPTED PASSWORDS – WDigest
    • Designed for use with protocols that require a cleartext password to authenticate:
      - Hypertext Transfer Protocol (HTTP)
      - Simple Authentication and Security Layer (SASL) exchanges
    http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
    http://www.slideshare.net/gentilkiwi

52. ENCRYPTED PASSWORDS – WDigest
    • Stores passwords for interactive logins (like RDP) encrypted in the lsass.exe process
    • Depending on secret size and OS version, RC4, DES, or AES is used
    http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
    http://www.slideshare.net/gentilkiwi

53. ENCRYPTED PASSWORDS – WDigest
    • After injecting into the lsass.exe process or importing initialized keys via lsasrv.dll…
    • Native functions from lsasrv.dll can be used to decrypt the passwords, namely LsaUnprotectMemory
    http://www.slideshare.net/gentilkiwi
    http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx

54. ENCRYPTED PASSWORDS – WDigest
    • Tools like Mimikatz and WCE can be used to recover cleartext passwords
    http://www.slideshare.net/gentilkiwi
    http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx

55. ENCRYPTED PASSWORDS – WDigest – Recommendations
    • Use smartcards or biometrics when possible
    • Use network logins instead of interactive logins when possible
    • Use unprivileged accounts when possible
    • Do not provide admin / system / debug privileges to users
    http://www.slideshare.net/gentilkiwi

56. ENCRYPTED PASSWORDS – DPAPI
    • Windows Data Protection API (DPAPI)
    • Standard / easy way on Windows to encrypt and decrypt data
    • DPAPI is used by many applications
      - IE, Chrome, Skype, EFS certificates, WEP / WPA keys, RDP passwords, Credential Manager
    • Data protection in memory or on disk

57. ENCRYPTED PASSWORDS – DPAPI – Stored Data
    • Two protection scopes: CurrentUser or LocalMachine
    • Protection scope determines the encryption keys
      - CurrentUser scope uses keys protected by the current user's password
      - LocalMachine scope uses keys on the system
    • Additional entropy added to strengthen protection

58. ENCRYPTED PASSWORDS – DPAPI – Internals
    • Largely undocumented by Microsoft; just the API calls are fully documented
    • DPAPI has been reversed and offline decryption tools have been released
    http://passcape.com/index.php?section=blog&cmd=details&id=20#11
    http://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline#.U3BnB_ldWDs

59. ENCRYPTED PASSWORDS – MSSQL Links – Background
    • Microsoft SQL Server allows users to create links to external data sources, typically to SQL Servers
    • Links can be configured to use SQL Server credentials
    • Cleartext passwords are needed to connect to linked servers; password hashing cannot be used

60. ENCRYPTED PASSWORDS – MSSQL Links – Background

61. ENCRYPTED PASSWORDS – MSSQL Links – Password Storage
    • Linked server passwords are stored in the database, only accessible using the DAC
    • Passwords are stored in the pwdhash column even though hashing is not used
    • Passwords are encrypted, but SQL Server must have the key

62. ENCRYPTED PASSWORDS – MSSQL Links – Password Storage

63. ENCRYPTED PASSWORDS – MSSQL Links – Service Master Key
    • SQL Server has a Service Master Key which is encrypted using DPAPI
    • Additional entropy is stored in the registry
    • The Service Master Key is "the root of the SQL Server encryption hierarchy", used to encrypt linked server passwords too

64. ENCRYPTED PASSWORDS – MSSQL Links – Service Master Key

65. ENCRYPTED PASSWORDS – MSSQL Links – Password Decryption
    • Decrypt the Service Master Key using DPAPI
    • Extract the encrypted password from the database
    • Remove metadata from the password
    • Decrypt the password using the Service Master Key (either 3DES or AES depending on version)

66. ENCRYPTED PASSWORDS – MSSQL Links – Passwords Decrypted

67. ENCRYPTED PASSWORDS – MSSQL Links – Recommendations
    • Best practice is to use Windows authentication only; do not enable SQL Server authentication
    • Configure linked servers to use the current execution context rather than saved credentials

68. ENCRYPTED PASSWORDS – Credential Manager / Vault
    • Credential Manager is intended to be a secure way to store passwords
    • Can be used for Windows credentials, browser credentials, application credentials
    • Each user has their own Vault; users can store their own passwords

69. ENCRYPTED PASSWORDS – Credential Manager / Vault
    • Cleartext credentials are needed to connect to remote systems, thus passwords in Cred Manager are encrypted, not hashed
    • DPAPI is used to encrypt the passwords

70. ENCRYPTED PASSWORDS – Credential Manager / Vault

71. ENCRYPTED PASSWORDS – Credential Manager / Vault
    • Credential Manager password decryption using Cain
    http://www.oxid.it/

72. ENCRYPTED PASSWORDS – Credential Manager / Vault – Recommendations
    • Stored passwords are always a security risk
    • Consider disabling Credential Manager using group policies

73. ENCRYPTED PASSWORDS – Wireless
    • Wireless connections with pre-shared keys have to store the passwords
    • Passwords are encrypted using DPAPI
    • The user or SYSTEM can access the stored passwords
    • Multiple tools can extract wireless credentials, including Metasploit

74. ENCRYPTED PASSWORDS – Wireless

75. ENCRYPTED PASSWORDS – Wireless
    Metasploit module: post/windows/wlan/wlan_profile

76. ENCRYPTED PASSWORDS – Wireless – Recommendations
    • Do not use pre-shared keys
    • Configure corporate wireless to use WPA2-Enterprise (integrated authentication)

77. ENCRYPTED PASSWORDS – Web.config and ApplicationHost.config
    • IIS application configuration files
    • Web.config = application level
    • ApplicationHost.config = server level
      - Application pool credentials
      - Windows credentials used for directory access
    … but they can also be decrypted

78. ENCRYPTED PASSWORDS – Web.config and ApplicationHost.config
    • Earlier we saw this:
      aspnet_regiis.exe -pef "connectionStrings" c:\webapp

79. ENCRYPTED PASSWORDS – Web.config and ApplicationHost.config
    • No surprise that local administrators can do this:
      aspnet_regiis.exe -pdf "connectionStrings" c:\webapp

80. HASHED PASSWORDS
    Why should I care if someone is stealing my password hashes if I have complexity enabled?
    • #1 reason: password hashes can be replayed and used to authenticate without knowledge of the password

81. HASHED PASSWORDS
    Why should I care if someone is stealing my password hashes if I have complexity enabled?
    • #2 reason: password hashes can be cracked at lightning speed using modern hardware and software

82. HASHED PASSWORDS
    On the system
    • Local / domain LM hashes
    • Local / domain NTLM hashes
    • Domain MS-CACHEv2
    On the network
    • Local / domain NetLM
    • Local / domain NetNTLM

83. HASHED PASSWORDS
    Can be dumped with a billion different hacker tools!

84. DO I REALLY NEED PASSWORDS?
    Short answer is NO

85. DO I REALLY NEED PASSWORDS?
    • SMB relay
    • Pass-the-hash
    • Stealing authentication tokens
    • Crawling database links
    • Process migration
    • Generating golden tickets

86. CONCLUSIONS
    • Protecting passwords is really, really hard if an attacker has admin rights to your system
    • Don't store passwords in cleartext, anywhere!
    • Only use encryption when the cleartext password needs to be used later
    • Use an HSM to protect keys used to encrypt data
    • Use strong salted hashes to protect passwords
    • Enforce least privilege everywhere: networks, servers, applications… EVERYWHERE

87. NETSPI REFERENCES
    • NetSPI blog: http://www.netspi.com/blog
    • NetSPI github: https://github.com/netspi
    • Scott github: https://github.com/nullbind
    • NetSPI slideshare: http://slideshare.com/netspi
    • Scott slideshare: http://slideshare.com/nullbind
    • Scott twitter: @_nullbind
