SlideShare a Scribd company logo

Defcon 20 stamp out hash corruption crack all the things

C
claudijd

This is the presentation that @reynolds and @claudijd presented at DEFCON, which demonstrates how password extraction tools yield corrupted hashes, how the flaw was identified and the fix.

1 of 44
 Manager, Crowe Horwath  Pentester  Twitter: @reynoldsrb
 SpiderLabs Security Researcher, Trustwave  Vulnerability Research  Twitter: @claudijd
 Windows Hash Extraction  Story of What We Found  Windows Hash Extraction Mechanics  A Different Approach  Why Are All the Tools Broken?  Demo  Patches
 Two Types of Hashes:  LM (Lan Manager) ▪ Old Hashing Algorithm w/ Security Flaws ▪ Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager) ▪ Newer Hashing Algorithm w/ Security Flaws ▪ Not salted, but is case sensitive
 Two Methods to Get Hashes:  Injection via LSASS ▪ Reads hashes from memory  Registry Reading via SAM/SYSTEM ▪ Reads hashes from local registry hives
 Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation  Failed to Crack  John the Ripper  Rainbow Tables
 Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System  Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH)
 Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
 Beers  Hacking  More Beers
 HKLMSAM  Store security information for each user (including hash data)  HKLMSYSTEM  Stores the SYSKEY (encrypts the SAM information for security purposes)
 HKLMSAMSAMdomainsaccountusers  Users: 000001F4, ..1F5, etc.
 For each user, we have two values…  “F” – Binary Data ▪ Last Logon, Account Expires, Password Expiry, etc.  “V”- Binary Data ▪ Username, LM Hash Data, NT Hash Data, etc.
 Raw Data w/ LM & NTLM Data ...0000AAAAAAAA0000BBBBBBBB00000...  Raw Data w/ just NTLM Hash Data ...00000000BBBBBBBB0000000000000...
 Metasploit Hashdump Script  Creddump  Samdump2  Cain and Able  Pwdump7  FGDump 3.0  Others
OFFSET HASH DATA  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
 Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
OFFSET HASH DATA DATA++  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
BAD ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000...
 How do we get “DATA++”? OFFSET HASH DATA DATA++  By following Microsoft best practices  Set Password History  No LM Hashes
LM HASH DATA NT HASH DATA DATA++
 Newer OS’s do not store LM  Windows Vista and newer  LM can be disabled by a proactive Sysadmin  Password histories set through GPO
 We would want…  LM Exists?  NTLM Exists?  Parse correct hash data 100% of the time
 <insert slide here with the raw registry LM HEADER NT HEADER details> LM HASH DATA NT HASH DATA DATA++
 “V” hash 4 byte headers for LM & NTLN  0x4 (4 bytes) = Hash Not Present (false)  0x14 (20 bytes) = Hash Present (true)  No more guessing!
OFFSET HASH DATA DATA++  LM & NTLM If LM.exists? && NTLM.exists?  NTLM Else If NTLM.exists?  None Else
BAD LOGIC ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000... GOOD LOGIC ...0000AAAAAAAA0000BBBBBBBB00000... ...00000000BBBBBBBB0000000000000...
pwdump samdump2 Cain & Abel Creddump Fgdump 3.0 Metasploit Pwdump7
FGDump v. 3.0 Pwdump v. 1 Cain & Abel Creddump Pwdump7 v. 2.7.4 v. 0.1 v. 7.1 Samdump2 MSF Samdump2 v. 1.1.1 Hashdump v. 1.0.1 3/24/1997 3/28/04 7/9/05 11/21/07 12/30/09 11/9/11 2/20/08 3/10/10
 Reverse engineering is hard  Exhaustive testing is time consuming  Leveraging code is helpful  Fully reusing code is not always good  Open source let’s others learn and help fix!
Affected Tools Patched? Creddump Yes Metasploit’s Hashdump Script Yes L0phtcrack Working with Author(s) Pwdump7 Working with Author(s) FGDump 3.0 Working with Author(s) Samdump2 Fixed in v 1.1.1 Cain & Abel Working with Author(s)
 White Paper  Explains entire process in detail  Patches for Metasploit & Creddump  Example SAM/SYSTEM Files  Some users w/ DATA++  Some user w/o DATA++
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things

Recommended

jps & jvmtop
jps & jvmtopjps & jvmtop
jps & jvmtop
Scott Leberknight
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"
abend_cve_9999_0001
 
Simple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPSimple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPTetsuyuki Kobayashi
 
Project00
Project00Project00
Project00
Ganesh Chavan
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1
Brian Okken
 
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
Jervin Real
 
Cram
CramCram
Cram
JamesBonfield
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDB
Linaro
 

Recommended

jps & jvmtop
jps & jvmtopjps & jvmtop
jps & jvmtop
Scott Leberknight
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"
abend_cve_9999_0001
 
Simple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPSimple and efficient way to get the last log using MMAP
Simple and efficient way to get the last log using MMAPTetsuyuki Kobayashi
 
Project00
Project00Project00
Project00
Ganesh Chavan
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1
Brian Okken
 
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackupPLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
PLAM 2015 - Evolving Backups Strategy, Devploying pyxbackup
Jervin Real
 
Cram
CramCram
Cram
JamesBonfield
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDB
Linaro
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling
Larion
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
Tweaking Google TV emulator
Tweaking Google TV emulatorTweaking Google TV emulator
Tweaking Google TV emulatorTetsuyuki Kobayashi
 
Vimm
VimmVimm
Vimmguest7f6a7f
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Torsten Seemann
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained
상문 오
 
Puppet
PuppetPuppet
Puppet
Łukasz Jagiełło
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds Pm
AndyA
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
Tim Serong
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdf
shehbaz15
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
jvm goes to big data
jvm goes to big datajvm goes to big data
jvm goes to big data
srisatish ambati
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6
While42
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
Aerospike
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
Stewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen Filesystems
Great Wide Open
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
Keisuke Takahashi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 

More Related Content

What's hot

CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling
Larion
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Torsten Seemann
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained
상문 오
 
Puppet
PuppetPuppet
Puppet
Łukasz Jagiełło
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds Pm
AndyA
 

What's hot (11)

CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Tweaking Google TV emulator
Tweaking Google TV emulatorTweaking Google TV emulator
Tweaking Google TV emulator
 
Vimm
VimmVimm
Vimm
 
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
Parallel computing in bioinformatics t.seemann - balti bioinformatics - wed...
 
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дняPositive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
 
Casper FFG Explained
Casper FFG ExplainedCasper FFG Explained
Casper FFG Explained
 
Puppet
PuppetPuppet
Puppet
 
20082501 Leeds Pm
20082501 Leeds Pm20082501 Leeds Pm
20082501 Leeds Pm
 

Similar to Defcon 20 stamp out hash corruption crack all the things

High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
Tim Serong
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdf
shehbaz15
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
jvm goes to big data
jvm goes to big datajvm goes to big data
jvm goes to big data
srisatish ambati
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6
While42
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
Aerospike
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
Stewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen Filesystems
Great Wide Open
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
Keisuke Takahashi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking systemJesse Vincent
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2
Marian Marinov
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
Moabi.com
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard Way
Cosimo Streppone
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
Bettercap
BettercapBettercap
Bettercap
Rajivarnan (Rajiv)
 
Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big DataFrank Denis
 
Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)
Anand Sampat
 

Similar to Defcon 20 stamp out hash corruption crack all the things (20)

High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdf
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
jvm goes to big data
jvm goes to big datajvm goes to big data
jvm goes to big data
 
Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
 
An Overview of Next-Gen Filesystems
An Overview of Next-Gen FilesystemsAn Overview of Next-Gen Filesystems
An Overview of Next-Gen Filesystems
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking system
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2Ha systems-with-heartbeatv2
Ha systems-with-heartbeatv2
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard Way
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Bettercap
BettercapBettercap
Bettercap
 
Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big Data
 
Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)Version Control in Machine Learning + AI (Stanford)
Version Control in Machine Learning + AI (Stanford)
 

Recently uploaded

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 

Recently uploaded (20)

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

Defcon 20 stamp out hash corruption crack all the things

  • 1.
  • 2. Manager, Crowe Horwath  Pentester  Twitter: @reynoldsrb
  • 3. SpiderLabs Security Researcher, Trustwave  Vulnerability Research  Twitter: @claudijd
  • 4.
  • 5. Windows Hash Extraction  Story of What We Found  Windows Hash Extraction Mechanics  A Different Approach  Why Are All the Tools Broken?  Demo  Patches
  • 6.
  • 7. Two Types of Hashes:  LM (Lan Manager) ▪ Old Hashing Algorithm w/ Security Flaws ▪ Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager) ▪ Newer Hashing Algorithm w/ Security Flaws ▪ Not salted, but is case sensitive
  • 8. Two Methods to Get Hashes:  Injection via LSASS ▪ Reads hashes from memory  Registry Reading via SAM/SYSTEM ▪ Reads hashes from local registry hives
  • 9.
  • 10. Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation  Failed to Crack  John the Ripper  Rainbow Tables
  • 11. Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System  Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH)
  • 12. Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  • 13.
  • 14. Beers  Hacking  More Beers
  • 15.
  • 16. HKLMSAM  Store security information for each user (including hash data)  HKLMSYSTEM  Stores the SYSKEY (encrypts the SAM information for security purposes)
  • 17. HKLMSAMSAMdomainsaccountusers  Users: 000001F4, ..1F5, etc.
  • 18. For each user, we have two values…  “F” – Binary Data ▪ Last Logon, Account Expires, Password Expiry, etc.  “V”- Binary Data ▪ Username, LM Hash Data, NT Hash Data, etc.
  • 19. Raw Data w/ LM & NTLM Data ...0000AAAAAAAA0000BBBBBBBB00000...  Raw Data w/ just NTLM Hash Data ...00000000BBBBBBBB0000000000000...
  • 20. Metasploit Hashdump Script  Creddump  Samdump2  Cain and Able  Pwdump7  FGDump 3.0  Others
  • 21. OFFSET HASH DATA  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
  • 22.
  • 23. Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
  • 24. OFFSET HASH DATA DATA++  LM & NTLM If size > 40 bytes?  NTLM Else If size > 20 bytes?  None Else
  • 26. How do we get “DATA++”? OFFSET HASH DATA DATA++  By following Microsoft best practices  Set Password History  No LM Hashes
  • 27. LM HASH DATA NT HASH DATA DATA++
  • 28. Newer OS’s do not store LM  Windows Vista and newer  LM can be disabled by a proactive Sysadmin  Password histories set through GPO
  • 29. We would want…  LM Exists?  NTLM Exists?  Parse correct hash data 100% of the time
  • 30. <insert slide here with the raw registry LM HEADER NT HEADER details> LM HASH DATA NT HASH DATA DATA++
  • 31. “V” hash 4 byte headers for LM & NTLN  0x4 (4 bytes) = Hash Not Present (false)  0x14 (20 bytes) = Hash Present (true)  No more guessing!
  • 32. OFFSET HASH DATA DATA++  LM & NTLM If LM.exists? && NTLM.exists?  NTLM Else If NTLM.exists?  None Else
  • 34.
  • 35. pwdump samdump2 Cain & Abel Creddump Fgdump 3.0 Metasploit Pwdump7
  • 36. FGDump v. 3.0 Pwdump v. 1 Cain & Abel Creddump Pwdump7 v. 2.7.4 v. 0.1 v. 7.1 Samdump2 MSF Samdump2 v. 1.1.1 Hashdump v. 1.0.1 3/24/1997 3/28/04 7/9/05 11/21/07 12/30/09 11/9/11 2/20/08 3/10/10
  • 37. Reverse engineering is hard  Exhaustive testing is time consuming  Leveraging code is helpful  Fully reusing code is not always good  Open source let’s others learn and help fix!
  • 38.
  • 39.
  • 40. Affected Tools Patched? Creddump Yes Metasploit’s Hashdump Script Yes L0phtcrack Working with Author(s) Pwdump7 Working with Author(s) FGDump 3.0 Working with Author(s) Samdump2 Fixed in v 1.1.1 Cain & Abel Working with Author(s)
  • 41. White Paper  Explains entire process in detail  Patches for Metasploit & Creddump  Example SAM/SYSTEM Files  Some users w/ DATA++  Some user w/o DATA++