This document discusses exploiting trust relationships and group policies to escalate privileges on a Windows system with full disk encryption. It describes exploiting MS15-122 and MS16-014 to poison the credential cache and authenticate to a rogue domain controller. Group policies can then be used to run applications with SYSTEM privileges and extract credentials or encryption keys before Windows fully loads. While Windows 10 provides some improvements, similar vulnerabilities were still present until MS16-072 was released after several months.

1. from zero to system
Nabeel ahmed & tom gilis
on full disk encrypted windows system

2. From zero to system
on full disk encrypted windows system
ABOUT US
๏ Nabeel Ahmed, Security Researcher
and Penetration Tester, Dimension
Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team
Leader) at Dimension Data Belgium
๏More “boring” stuff like compliancy, … 
๏@tgilis
๏Co-organizer of BruCON
2

3. From zero to system
on full disk encrypted windows system
Inspiration
3

4. From zero to system
on full disk encrypted windows system
November 2015
4

5. From zero to system
on full disk encrypted windows system
Ian haken
5
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature bypass

6. From zero to system
on full disk encrypted windows system
Ms15-122
๏ Implements trust relationship before local cache is updated
๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to
2012 (Windows XP, Windows Server 2003, …)
6

7. From zero to system
on full disk encrypted windows system
Bitlocker
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB Key
7

8. From zero to system
on full disk encrypted windows system
๏ TPM (Trusted Platform Module)
๏
๏
8
Bitlocker

9. From zero to system
on full disk encrypted windows system
Bitlocker tpm
9
๏ BitLocker key is stored in TPM
๏ No user interaction when decrypting
the drive
๏ Windows login screen is the first and
only line of defense

10. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Computer account password is used for trust
๏ Randomly generated every 30 days
๏ 2 computer account passwords are stored
๏ Stored in
“HKLMSECURITYPolicySecrets$machine.ACC”
10

11. From zero to system
on full disk encrypted windows system
Bypassing the patch
11

12. From zero to system
on full disk encrypted windows system
Difference
12
Legitimate DC
Rogue DC

13. From zero to system
on full disk encrypted windows system
Ticket missing
13

14. From zero to system
on full disk encrypted windows system
SPN
14
SPNs are used to support mutual authentication
between a client application and a service. A service
principal name is associated with an account and an
account can have many service principal names.
– MSDN
SPNs are usually formatted as SERVICE/HOST, but
sometimes they also include a port like
SERVICE/HOST:PORT.

15. From zero to system
on full disk encrypted windows system
Demo time
15

16. From zero to system
on full disk encrypted windows system
Kerberos Password change
16
?????????? EXP_PASS

17. From zero to system
on full disk encrypted windows system
Kerberos Password change
17
?????????? EXP_PASS
NEW_PASS

18. From zero to system
on full disk encrypted windows system
18
Conclusion
๏ Checks if a service ticket (T) has been received
BUT only validates AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ “Suggested workaround” disable local
password caching
๏ Patched on all supported Windows versions

19. From zero to system
on full disk encrypted windows system
Bluebox
19
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python 
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox

20. From zero to system
on full disk encrypted windows system
WHAT’s NEXT ?
20
๏ Extract any personal data
o Documents, emails, passwords..
๏ Requires admin privileges to :
o Retrieve BitLocker Recovery Key (or disable it)
o Install Malware
o Extract data from other users
o …

21. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Trust relationship is not always validated
๏ Working Active Directory set-up
๏ Any other Windows functionality missing trust validation?
22

22. From zero to system
on full disk encrypted windows system
PRIVILEGE ESCALATION
23
Will Group Policies work ?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements

23. From zero to system
on full disk encrypted windows system
Group Policies
24
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password

24. From zero to system
on full disk encrypted windows system
Group Policies
25
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password

25. From zero to system
on full disk encrypted windows system
Group policies
26

26. From zero to system
on full disk encrypted windows system
EXAMPLE – CMD AS SYSTEM
27
1. New Group Policy and assign it to the user account
2. Add the following configuration to the policy :
• Download file (e.g. NetCat.exe)
• Run NetCat as SYSTEM
• Connect to service as User
Screenshot Scheduled task GPO

27. From zero to system
on full disk encrypted windows system
It works!?
28

28. From zero to system
on full disk encrypted windows system
Why does it work?
29
๏ Client can successfully authenticate against the DC using
his credentials
๏ All encrypted traffic remains intact (SMB,LDAP,RPC)
๏ Assumes that the user credentials are sufficient to
acknowledge trust relationship.
๏ Reported to Microsoft, who acknowledged the vulnerability
but ...

29. From zero to system
on full disk encrypted windows system
IS it NEW ?
30
๏ Luke Jennings (MWR Labs) demonstrated how you can gain
SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting
two patches (MS15-011 and MS15-014)
๏ Jennings’ conclusion : “Even on Vista/2008 onwards, user
settings group policy can be exploited if you know a user’s
password to conduct a form of privilege escalation to gain
SYSTEM on domain members. Microsoft have shown no
intention thus far of providing a control to protect against this.”

30. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
31

31. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
32

32. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
33

33. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
34

34. From zero to system
on full disk encrypted windows system
Relative ID
User SID
35
S-1-5-21-124525095-708259637-1543119021-20937
Domain Security Identifier
Incremental
Uses Machine SID
when new domain is
created

35. From zero to system
on full disk encrypted windows system
Setting the SID
36
๏ Possibilities :
o Setting the Machine SID before the AD is created:
o Windows SysPrep – Generates new “random” SID
o Commercial tools exist
o Off-line edit the NTDS.DIT File
o SAMBA NT4 PDC to AD-DC
Lengthy, complex and prone to errors

36. From zero to system
on full disk encrypted windows system
mimikatz to the rescue
37

37. From zero to system
on full disk encrypted windows system
Demo time
38

38. From zero to system
on full disk encrypted windows system
39
Conclusion
๏ First validates trust with computer account
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …

39. From zero to system
on full disk encrypted windows system
40

40. From zero to system
on full disk encrypted windows system
Recovering original password
41
๏ (convert .sys to .dmp)
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below
Force
Hibernation
Bypass login
screen
Elevate
privileges
Extract
HIBERFIL.SYS
Reset Local
Password Cache

41. From zero to system
on full disk encrypted windows system
timeline
42

42. From zero to system
on full disk encrypted windows system
timeline
43

43. From zero to system
on full disk encrypted windows system
Take aways
44
๏ Trust relationships not always validated
๏ Don’t take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a
single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki
๏ Third time’s a charm?
o November 2015 (MS15-122)
o February 2016 (MS16-014)
o … July 2016  (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis