Encryption is based on three principles: algorithm, key length, and storage. It has also become more popular and is more often built into databases, networks, config files, operating systems, and users’ secrets. Are DPAPI and DPAPI-NG enough for us? Unfortunately, there are many slip-ups that can be made. Come and learn if ‘encrypted’ = or != ‘safe’ and when! Tools included.
7. SAM
1. bootkey: classes from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+ arrays’ permutations)
2. F: HKLM\SAM\SAM\Domains\Account [F – value]
string aqwerty = “!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%0”;
string anum = “01234567890123456789012345678901234567890”;
3. rchbootkey: MD5(string created after arithmetic functions with F, aqwerty, anum, bootkey)
4. hbootkey: RC4(key, data) -> RC4(rchbootkey, F)
5. MD5(…,hbootkey,…) -> RC4(…) -> DES(…, F) to get the hash (MD4)
8. Store configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate to Local System
Their accounts should be monitored
If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention)
Conclusion: Think twice before using an Administrative account, use gMSA
10. Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects from outsiders when being in offline access
Effectively protects users’ data
Stores the password history
You need to be able to get access to some of your passwords from the past
Conclusion: OS greatly helps us to protect secrets
11. DPAPI (classic)
A. MasterKey
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key,…), with other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
B. CREDHIST
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key,…), with other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
C. DPAPI blob
Algorithms are written in the blob itself.
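Added example, not from the original slides: a Python sketch that finds a classic DPAPI blob by the prefix bytes the deck shows (01 00 00 00 d0 8c 9d df ...) and reads the cipher and hash identifiers stored in its header. The field order after the provider GUID is an assumption based on public reverse engineering of the undocumented format; the sample blob, its GUID, and the names Reader, parse_dpapi_header and build_sample are constructed for illustration.

```python
import struct
import uuid

# Provider GUID after the version DWORD of a classic DPAPI blob; on disk it
# reads d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb, as on the slide.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
# CryptoAPI ALG_ID constants (wincrypt.h)
ALG = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1",
       0x800C: "SHA-256", 0x800E: "SHA-512"}


class Reader:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, n):
        # Bounds check so a truncated or corrupt blob fails loudly.
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def dword(self):
        return struct.unpack("<I", self.take(4))[0]


def parse_dpapi_header(buf):
    """Locate the first classic DPAPI blob in buf and decode its header."""
    start = buf.find(MAGIC)
    if start < 0:
        return None
    r = Reader(buf, start + len(MAGIC))  # field order below is assumed
    info = {"offset": start, "masterkey_version": r.dword(),
            "masterkey_guid": str(uuid.UUID(bytes_le=r.take(16))),
            "flags": r.dword()}
    info["description"] = r.take(r.dword()).decode("utf-16-le").rstrip("\0")
    info["cipher"], info["cipher_bits"] = ALG.get(r.dword(), "unknown"), r.dword()
    info["salt_len"] = len(r.take(r.dword()))
    r.take(r.dword())  # optional HMAC key field, skipped
    info["hash"], info["hash_bits"] = ALG.get(r.dword(), "unknown"), r.dword()
    return info


def build_sample():
    """Constructed header (zero salt, made-up GUID) embedded in other bytes."""
    desc = "demo\0".encode("utf-16-le")
    mk = uuid.UUID("11111111-2222-3333-4444-555555555555")
    return (b"<password>" + MAGIC + struct.pack("<I", 1) + mk.bytes_le
            + struct.pack("<II", 0, len(desc)) + desc
            + struct.pack("<III", 0x6610, 256, 32) + bytes(32)
            + struct.pack("<III", 0, 0x800E, 512))
```

The masterkey GUID in the result tells you which masterkey file protects a stored secret, which is useful when inventorying what a given account's password actually guards.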
DPAPI-NG
A. RootKey
Algorithms:
Key derivation function: SP800_108_CTR_HMAC (SHA512)
Secret agreement: Diffie-Hellman
B. DPAPI blob
Key derivation: KDF_SP80056A_CONCAT
After getting the key, there is a need for decryption:
Key wrap algorithm: RFC3394 (KEK -> CEK)
Decryption: AES-256-GCM (CEK, Blob)
14. In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider.
CNG stores shared private keys in %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
Worker Processes (w3wp.exe)
Their identity is defined in Application Pool settings
Are managed by Windows Process Activation Service that knows how to read secrets
Passwords for AppPool identity can be ’decrypted’ even offline
They are stored in the encrypted form in applicationHost.config
Conclusion: IIS relies on Machine Keys (Local System) for its security
16. TDE how to:
1. Create a master key
2. Create or obtain a certificate protected by the master key
3. Create a database encryption key and protect it by the certificate
4. Set the database to use encryption
Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files, known as encrypting data at rest.
However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data.
18. There is actually not much of a difference with XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
22. Replicate Directory Changes All
WARNING: “…You will need two credentials, the synchronization account credential that has Replicate Directory Changes/All on the Domain as well as Configuration container…” – OUCH!
23. DPAPI-PROTECTED BLOB
Scenario: offline changed user password or local masterkey can’t be decrypted
CLIENT: CryptUnprotectData() -> DPAPI -> local LSASS process (local masterkey can’t be decrypted)
RPC call: BackupKey(masterkey) -> AD SERVER (LSASS process) -> decrypted masterkey
Blob: 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 ......
Secrets: G$BCKUPKEY_PREFERRED, G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855
32. DPAPI-NG
A. RootKey
Algorithms:
Key derivation function: SP800_108_CTR_HMAC (SHA512)
Secret agreement: Diffie-Hellman
B. DPAPI blob
Key derivation: KDF_SP80056A_CONCAT
After getting the key, there is a need for decryption:
Key wrap algorithm: RFC3394 (KEK -> CEK)
Decryption: AES-256-GCM (CEK, Blob)
33. SID-PROTECTED BLOB
CLIENT: NCryptUnprotectSecret() -> CNG DPAPI -> local LSASS process
RPC call: GetKey(SID, L0, L1, L2 params) -> AD SERVER (LSASS process)
ACTIVE DIRECTORY: RootKey, RootKeyData? -> Group key
34. Looks familiar? It should! It’s DPAPI blob!
Protection descriptor: LOCAL=user
• KEK (Key Encryption Key) stored as DPAPI blob
• Forced by protection descriptor LOCAL=user
• Key Wrap (RFC3394) contains encrypted CEK (Content Encryption Key)
• Data encrypted by CEK
38. DPAPI SYSTEM is as safe as your offline access and privileged accounts
DPAPI USER is as safe as your user’s password and domain admin’s intentions
Use a password manager but rely on your own separate password
Almost anything system related can be accessed offline – it is ‘just’ a matter of finding the way
Editor's Notes
I uploaded another tool for pre-demo verification to the FTP, into /MGRZEG/Ignite2017/NTDS.dit.
Description:
https://docs.google.com/document/d/1pXFXI09PcmpYUIfH5aSvpQEbjrH2yMA4dMcH6748mQM/edit?usp=sharing
The tool is a 32-bit build with the bundled vcredist package for VS 2015 (for libesedb).
m.
How passwords are stored
System user
How they are encrypted 10214
27 min / 48 min to the end
Comparing Machine-Level and User-Level RSA Key Containers
User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity. User-level RSA key containers can be useful if you want to ensure that the RSA key information is removed when the Windows user profile is removed. However, because you must be logged in with the specific user account that will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections, they are inconvenient to use.
Machine-level RSA key containers are available to all users that can log in to a computer, by default, and are the most useful as you can use them to encrypt or decrypt protected configuration sections while logged in with an administrator account. A machine-level RSA key container can be used to protect information for a single application, all the applications on a server, or a group of applications on a server that run under the same user identity. Although machine-level RSA key containers are available to all users, they can be secured with NTFS Access Control Lists (ACLs) so that only required users can access them.
Note It is recommended that you only secure sensitive information using protected configuration on file systems formatted using NTFS, so that you can restrict access to encryption key information using ACLs.
As there is little benefit from using user-level RSA key containers, it is recommended that you use machine-level RSA key containers when protecting configuration sections using the RsaProtectedConfigurationProvider provider. When you create an RSA key container to protect configuration information for one or more applications, it is recommended that you restrict the access to the machine-level RSA key container using the Aspnet_regiis.exe tool, with the -pa option to add access to the key for a particular identity and the -pr option to remove access to the key. For more information on how to set or determine the identity of an ASP.NET application, see ASP.NET Impersonation. For more information on granting read access to an RSA key container, see Importing and Exporting Protected Configuration RSA Key Containers.
https://blogs.iis.net/iisteam/cng-data-encryption
One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.
As soon as we dug out the key's serial number in the domain master keys and found the AD object responsible for it, it was clear that we would have to extract this secret from LSASS. Back then I tried it in some odd way and it did not work, so we asked Benjamin for help, which ended with a sizeable piece of new code in mimikatz. I did not come back to it afterwards, but it would have been enough simply to dig out the LSASS secret using LsaRetrievePrivateData, which I had already done earlier in another tool, one for digging out LSASS secrets online, but here I did not really know what to do or how.
Now, however, a little wiser, I tried once more and this time it worked on the first try. I take the GUID of the right key from the secret
CN=BCKUPKEY_PREFERRED Secret
that is, the global secret
G$BCKUPKEY_PREFERRED
and then I simply retrieve the secret itself using the Lsa* family of functions.
So it is no big deal, but it is a different approach from the one in mimikatz, and I do not know of any other tool that does this :)
AES256-CCM – the first 16 bytes are the checksum
User2 uses the ASP.NET Core DataProtection with DPAPI-NG SID descriptor to create the master key for User1 and then User1 uses the newly created key to protect some sensitive data. After that User2 tries to access that data in three ways:
- using his own SID and the same decryption tool as the User1 (fail)
- using SE_TCB privilege on local machine and decryption tool (fail)
- using SE_TCB privilege on AD controller and decryption tool (success)
- using dpapi-ng decryption tool with dpapi-ng rootkey (success)