SlideShare a Scribd company logo
1 of 51
IPv6 shipworm + My little
 Windows domain pwnie

        18. 09. 2011
        Zoltán Balázs
Disclaimer
• All views and opinions I share with you today
  are my own.
• The following presentation does not represent
  the views of any of my previous or present
  employers.
• don’t try this at home or at work
  – for educational purposes only


                                              2
Who am I?
• Certified Interspecie-ial Sheep Shearing
  Professional (CISSP)
• Certified Pajama Toaster Specialist (CPTS)
• Microsoft Certified Psychopath (MCP)
• Certified Propeller Beanie Hat Script Kiddie
  (CPBHSK)
• 7 years of experience with IT Security


                                                 3
This presentation is NOT about...
• assembly
    – buffer overflow, egghunting, NOPsled, SEH
      exploits, ROP
•   kernel rootkits
•   stuxnet
•   zero day
•   any new stuff you can find on the internet


                                                  4
This presentation is NOT about...
• assembly
    – buffer overflow, egghunting, NOPsled, SEH
      exploits, ROP
•   kernel rootkits
•   stuxnet
•   zero day
•   any new stuff you can find on the internet


                                                  5
What’s next?
• a fictitious hacking scenario
  – IPv6 Teredo protocol
  – Pass the hash – NTLM authentication


• Both attacks are known for more than a
  decade, but still (or even more) effective. 
  – “precious ancient treasures”


                                                  6
IPv6 Teredo basics
• IPv6
  • native, 6in4, 6over4, 6to4, 6rd, ISATAP, Teredo, etc ...
• goal of Teredo (a.k.a. IPv6 shipworm)
  • IPv6 behind IPv4 NAT (UDP tunneling)
• Teredo components
  –   client
  –   server
  –   relay || host-specific relay
  –   IPv6 peer
• attention conspiracy theory fans
  – teredo.ipv6.microsoft.com – default MS WIN server
       – knows every non Teredo IPv6 peers you are
         communicating with ...                                7
8
Teredo address decoding
       2001:0000:53aa:064c:0055:6bbf:a67b:7887

Bits            0 - 31      32 - 63         64 - 79     80 - 95     96 - 127
Length          32 bits     32 bits         16 bits     16 bits     32 bits
                            Teredo                      Obfuscated Client
Description     Prefix                      Flags
                            server IPv4                 UDP port   public IPv4
Part            2001:0000 53aa:064c         0055        6bbf        a67b:7887
Decoded                     83.170.6.76                 37952       89.132.135.120



       online decoder: http://isc.sans.org/tools/ipv6.html




                                                                                     9
10
Qualification (simplified …)




                               11
Bubble packets
bubble packets are sent out every 30 seconds for keep-alive




                                                              12
NAT hole – ICMPv6 bubble




                           13
NAT hole – with Romeo and Juliet




                                   14
Our journey begins
• target of the attack
  – auditor/pentester company
  – steal reports/findings
• TCP/(known service UDP) port scan – nmap
  – no TCP/known service UDP ports opened
• google fu
  – we locate a forum post from the pentester
     • Linux – BackTrack5 user
        – No Script
        – no Java/Flash/browser 0-day           15
scenario




           16
Pwning the BT5
• The pentester was complaining on the forum that
  IPv6 is not working on his BT5
   – We suggest to run: miredo (Teredo Linux implementation)
• get the pentester to visit a our website (e.g. test IPv6
  here), or find XSS on the forum
   – IPv6 object (image, iframe) hosted by the attacker
   – extract Teredo IPv6 address from webserver logs
• portscan the Teredo IPv6 address
• TCP port 22 (SSH) on Teredo address open

                                                           17
Lightning round – for 1 HACKER PSCHORR




                                     18
Lightning round – for 1 HACKER PSCHORR

• What could be the password for the user root
  after double rot13 encryption, if we know it is
  a Backtrack5 OS?




                                                19
Lightning round – for 1 HACKER PSCHORR

• What could be the password for the user root
  after double rot13 encryption, if we know it is
  a Backtrack5 OS?

• yes, the answer is toor

• default SSHD configuration
  – listens on every interface (IPv4, IPv6)
  – PermitRootLogin yes
                                                20
Video




        21
scenario




           22
Root access is like the key to the
      kingdom for Romeo




                                     23
Windows Teredo implementation is
            secure by default
• although Teredo enabled by default
• Windows firewall will blocks Teredo
   • if not explicitly allowed for the
     port/application
   • IPV6_PROTECTION_LEVEL:
     PROTECTION_LEVEL_UNRESTRICTED
• Teredo is secure till vuln in ...
   – Windows firewall
   – UDP/TCP/IP/IPV6/Teredo stack
   – NIC driver level
• Teredo backdoor
   – meterpreter IPv6 bind shell
• Teredo DNS spoofing…
                                         24
Lessons learned
• Teredo has security holes by design
• know the protocol you are using
• change passwords, srsly, change passwords
• disable SSH listening on every interface
• configure ip6tables locally
• Close ports on the network firewall if they are
  not needed, even outbound ones. Especially
  close every outgoing UDP which is not needed.
• use Windows 
                                                    25
Pass the hash – a.k.a.
My little Windows domain pwnie
         known since 1997
       Bugtraq ID number 233
Windows local admin hashes
• local login - user password is verified by NTLM (NT Lan
  Manager)
   if (NTLMHash(userPassword) ==
        decryptWithSyskey( encryptedLocalUserNTLMHash))
                  login();
        else raise WrongPasswordException();
• Security Accounts Management Database (SAM)
  (%SystemRoot%/SAM )
   – stores encrypted hashed copies of (local) user passwords
• syskey is either stored in
   – registry (%SystemRoot%/SYSTEM) – optionally password protected
   – floppy …


                                                                      27
Extract hashes of the Windows local
                 admin(s)
•   well known tools to extract the local user hashes
    – online OS – via dll injection – pwdumpX/fgdump/cain
    – offline OS – access to SAM files – bkhive, samdump2
• security rule of thumb: never ever reuse
  passwords
    – do you reuse local admin passwords if you have thousands
      of workstations?
•   common excuses for password reuse
    – „it is random, 20 character long with special characters”
    – „the weak LM hash is not stored”
    – „noone can break it”

                                                              28
Lightning round – for another HACKER PSCHORR

• What is the minimum number of characters in
  the password, if the local admin password
  hash looks like this?
  – User:Domain:aad3b435b51404eeaad3b435b5140
    4ee:25edfdbf01ae5d63be05f958b4221fb9

  – additional info:
    HKEY_LOCAL_MACHINESYSTEMCurrentControlS
    etControlLsaNoLMHash = 0

                                            29
Scenario
• BackTrack5 was installed as a dual boot OS
  – mount Win NTFS partition
  – extract local admin hashes




                                               30
Video




        31
Scenario




           32
Pass the hash
• cracking NTLM hash of a 15 long mixed case
  random AlphaNumeric password takes …
  –       1.7*1010 years to crack with today GPU
      •     even with life-time GPU warranty it looks impossible…
  – the universe is around 1.375*1010 years old


• What is the purpose of cracking
  hashes???
  – we can authenticate with the hash
    • without knowing the password!!!                          33
Romeo – get Juliet’s fingerprint
(not the finger, just the fingerprint)




             Juliet has access to Lord
             Capulet’s room
             with fingerprint authentication

             Which means Romeo has
             access to Capulet’s room, too.
                                               34
Pass the hash
• „NTLM single sign on” is a security problem
  by design

• in the RAM, there has to be something (e.g.
   hash) you can authenticate with
  – it would be slightly inconvenient to type
     your password every time you want to
     authenticate to a network resource


                                                35
Pass the hash attack – in theory and on
                   SecurityTube
• search for a workstation
   – with a logged in domain administrator
• authenticate to this workstation as a local admin with the
  local admin hash – SMB (Server Message Block + psexec)
• two ways to go
   – grab the domain admin password hashes (e.g. Windows
      Credentials Editor)
   – token impersonation (e.g. Meterpreter Incognito)
• with the hash/token we are domain admin
• this means PROFIT ...
   – where is the ??? step
The ??? step: STATUS_ACCES_DENIED




                                37
Pass the hash attack - in practice
• works on SMB if domain admin uses WinXP
• fails on SMB if domain admin uses
  Vista/Win7/Win2k8
  –   if authenticating as local admin via network, admin
      privileges are dropped
• Vista/Win7/Win2k8 SMB attack may be possible
  –   HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemLocalAccountToke
      nFilterPolicy = 1 (remote UAC)

• Vista/Win7/Win2k8 attack is possible
  –   Remote Desktop single sign on uses NTLM - (attack
      only in theory, yet)
  –   SQL Server Windows auth. uses NTLM (local priv.
      escalation still required)
                                                                                    38
Video




        39
Scenario




           40
Scenario Romeo – having the credentials of Lord
                  Capulet




                                              41
How not to try to prevent pass the
                 hash?
• security people
  – non representative survey in 2010, USA *
     – 2/3 of security professionals never heard about the pass the
       hash attack




                                               * references
                                                              42
How not to try to prevent pass the
                 hash?
• security people
  – non representative survey in 2010, USA *
     – 2/3 of security professionals never heard about the pass the
       hash attack
• antivirus




                                               * references
                                                              43
How not to try to prevent pass the
                 hash?
• security people
  – non representative survey in 2010, USA *
     – 2/3 of security professionals never heard about the pass the
       hash attack
• antivirus
• HIPS




                                               * references
                                                              44
How not to try to prevent pass the
                 hash?
• security people
  – non representative survey in 2010, USA *
     – 2/3 of security professionals never heard about the pass the
       hash attack
• antivirus
• HIPS
• Kerberos
  – pass the ticket


                                               * references
                                                              45
How not to try to prevent pass the
                 hash?
• security people
  – non representative survey in 2010, USA *
     – 2/3 of security professionals never heard about the pass the
       hash attack
• antivirus
• HIPS
• Kerberos
  – pass the ticket
• smartcard !
                                               * references
                                                              46
Pass the hash prevention tips
• the following advices could help you to prevent the attack
  shown before
   – pass the hash attack will be still effective, it’s by design
• full disc encryption
• different local admin password
   – e.g. trunc(hashAlphaNum(Passwd || WorkstationNumber),15)
• separate domain admin workstations
   – physically
   – network
• domain admins should login as domain admin only on servers
   – on workstations login as domain user
• don’t use the same workstation for web browsing and
  administrator tasks
                                                                    47
Pass the hash attack detection
• legitim events in event logs
  – it may be possible to locate the „attacker”
    workstation
• 552 Windows event code
  – „explicit credentials were used from another
    account”
     • too many false positives
• in practice, if you detect the attack, you have
  been already pwned
                                                    48
SMB pass the hash „worm”
• this is my idea
• implemented by my friend Buherator
  – metasploit module
  – http://bit.ly/qrM2V8




                                       49
References
• The Teredo Protocol:Tunneling Past Network
  Security and Other Security Implications
  – Dr. James Hoagland Principal Security Researcher
  – Symantec Advanced Threat Research
  – http://www.symantec.com/avcenter/reference/Teredo_Se
• Hernan Ochoa: Windows Credentials Editor tool
• Pass-the-hash attacks: Tools and Mitigation
  – Bashar Ewaida
  – http://www.sans.org/reading_room/whitepapers/testing/p



                                                    50
H___
t__
p_____!

 Zoltan1.Balazs@gmail.com

 ZBalazs@DeloitteCE.com


                            51

More Related Content

What's hot

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gearshawn_merdinger
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short descriptionJose Moruno Cadima
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote rootTim N
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)Tim N
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]RootedCON
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 

What's hot (20)

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gear
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote root
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
 
ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 

Similar to [ENG] IPv6 shipworm + My little Windows domain pwnie

Share winter 2016 encryption
Share winter 2016 encryptionShare winter 2016 encryption
Share winter 2016 encryptionbigendiansmalls
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack eurobsdcon
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorDave Voutila
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionPawel Krawczyk
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHackito Ergo Sum
 
Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!stricaud
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 

Similar to [ENG] IPv6 shipworm + My little Windows domain pwnie (20)

Share winter 2016 encryption
Share winter 2016 encryptionShare winter 2016 encryption
Share winter 2016 encryption
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Volatility101
Volatility101Volatility101
Volatility101
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protection
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
 
Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 

More from Zoltan Balazs

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchainZoltan Balazs
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

More from Zoltan Balazs (17)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Recently uploaded

Emerging issues in migration policies.ppt
Emerging issues in migration policies.pptEmerging issues in migration policies.ppt
Emerging issues in migration policies.pptNandinituteja1
 
11042024_First India Newspaper Jaipur.pdf
11042024_First India Newspaper Jaipur.pdf11042024_First India Newspaper Jaipur.pdf
11042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
Foreign Relation of Pakistan with Neighboring Countries.pptx
Foreign Relation of Pakistan with Neighboring Countries.pptxForeign Relation of Pakistan with Neighboring Countries.pptx
Foreign Relation of Pakistan with Neighboring Countries.pptxunark75
 
Geostrategic significance of South Asian countries.ppt
Geostrategic significance of South Asian countries.pptGeostrategic significance of South Asian countries.ppt
Geostrategic significance of South Asian countries.pptUsmanKaran
 
16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
13042024_First India Newspaper Jaipur.pdf
13042024_First India Newspaper Jaipur.pdf13042024_First India Newspaper Jaipur.pdf
13042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
Political-Ideologies-and-The-Movements.pptx
Political-Ideologies-and-The-Movements.pptxPolitical-Ideologies-and-The-Movements.pptx
Political-Ideologies-and-The-Movements.pptxSasikiranMarri
 
Transforming Andhra Pradesh: TDP's Legacy in Road Connectivity
Transforming Andhra Pradesh: TDP's Legacy in Road ConnectivityTransforming Andhra Pradesh: TDP's Legacy in Road Connectivity
Transforming Andhra Pradesh: TDP's Legacy in Road Connectivitynarsireddynannuri1
 
14042024_First India Newspaper Jaipur.pdf
14042024_First India Newspaper Jaipur.pdf14042024_First India Newspaper Jaipur.pdf
14042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...The Lifesciences Magazine
 
12042024_First India Newspaper Jaipur.pdf
12042024_First India Newspaper Jaipur.pdf12042024_First India Newspaper Jaipur.pdf
12042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
15042024_First India Newspaper Jaipur.pdf
15042024_First India Newspaper Jaipur.pdf15042024_First India Newspaper Jaipur.pdf
15042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
Power in International Relations (Pol 5)
Power in International Relations (Pol 5)Power in International Relations (Pol 5)
Power in International Relations (Pol 5)ssuser583c35
 
lok sabha Elections in india- 2024 .pptx
lok sabha Elections in india- 2024 .pptxlok sabha Elections in india- 2024 .pptx
lok sabha Elections in india- 2024 .pptxdigiyvbmrkt
 

Recently uploaded (14)

Emerging issues in migration policies.ppt
Emerging issues in migration policies.pptEmerging issues in migration policies.ppt
Emerging issues in migration policies.ppt
 
11042024_First India Newspaper Jaipur.pdf
11042024_First India Newspaper Jaipur.pdf11042024_First India Newspaper Jaipur.pdf
11042024_First India Newspaper Jaipur.pdf
 
Foreign Relation of Pakistan with Neighboring Countries.pptx
Foreign Relation of Pakistan with Neighboring Countries.pptxForeign Relation of Pakistan with Neighboring Countries.pptx
Foreign Relation of Pakistan with Neighboring Countries.pptx
 
Geostrategic significance of South Asian countries.ppt
Geostrategic significance of South Asian countries.pptGeostrategic significance of South Asian countries.ppt
Geostrategic significance of South Asian countries.ppt
 
16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf
 
13042024_First India Newspaper Jaipur.pdf
13042024_First India Newspaper Jaipur.pdf13042024_First India Newspaper Jaipur.pdf
13042024_First India Newspaper Jaipur.pdf
 
Political-Ideologies-and-The-Movements.pptx
Political-Ideologies-and-The-Movements.pptxPolitical-Ideologies-and-The-Movements.pptx
Political-Ideologies-and-The-Movements.pptx
 
Transforming Andhra Pradesh: TDP's Legacy in Road Connectivity
Transforming Andhra Pradesh: TDP's Legacy in Road ConnectivityTransforming Andhra Pradesh: TDP's Legacy in Road Connectivity
Transforming Andhra Pradesh: TDP's Legacy in Road Connectivity
 
14042024_First India Newspaper Jaipur.pdf
14042024_First India Newspaper Jaipur.pdf14042024_First India Newspaper Jaipur.pdf
14042024_First India Newspaper Jaipur.pdf
 
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...
Mitochondrial Fusion Vital for Adult Brain Function and Disease Understanding...
 
12042024_First India Newspaper Jaipur.pdf
12042024_First India Newspaper Jaipur.pdf12042024_First India Newspaper Jaipur.pdf
12042024_First India Newspaper Jaipur.pdf
 
15042024_First India Newspaper Jaipur.pdf
15042024_First India Newspaper Jaipur.pdf15042024_First India Newspaper Jaipur.pdf
15042024_First India Newspaper Jaipur.pdf
 
Power in International Relations (Pol 5)
Power in International Relations (Pol 5)Power in International Relations (Pol 5)
Power in International Relations (Pol 5)
 
lok sabha Elections in india- 2024 .pptx
lok sabha Elections in india- 2024 .pptxlok sabha Elections in india- 2024 .pptx
lok sabha Elections in india- 2024 .pptx
 

[ENG] IPv6 shipworm + My little Windows domain pwnie

  • 1. IPv6 shipworm + My little Windows domain pwnie 18. 09. 2011 Zoltán Balázs
  • 2. Disclaimer • All views and opinions I share with you today are my own. • The following presentation does not represent the views of any of my previous or present employers. • don’t try this at home or at work – for educational purposes only 2
  • 3. Who am I? • Certified Interspecie-ial Sheep Shearing Professional (CISSP) • Certified Pajama Toaster Specialist (CPTS) • Microsoft Certified Psychopath (MCP) • Certified Propeller Beanie Hat Script Kiddie (CPBHSK) • 7 years of experience with IT Security 3
  • 4. This presentation is NOT about... • assembly – buffer overflow, egghunting, NOPsled, SEH exploits, ROP • kernel rootkits • stuxnet • zero day • any new stuff you can find on the internet 4
  • 5. This presentation is NOT about... • assembly – buffer overflow, egghunting, NOPsled, SEH exploits, ROP • kernel rootkits • stuxnet • zero day • any new stuff you can find on the internet 5
  • 6. What’s next? • a fictitious hacking scenario – IPv6 Teredo protocol – Pass the hash – NTLM authentication • Both attacks are known for more than a decade, but still (or even more) effective.  – “precious ancient treasures” 6
  • 7. IPv6 Teredo basics • IPv6 • native, 6in4, 6over4, 6to4, 6rd, ISATAP, Teredo, etc ... • goal of Teredo (a.k.a. IPv6 shipworm) • IPv6 behind IPv4 NAT (UDP tunneling) • Teredo components – client – server – relay || host-specific relay – IPv6 peer • attention conspiracy theory fans – teredo.ipv6.microsoft.com – default MS WIN server – knows every non Teredo IPv6 peers you are communicating with ... 7
  • 8. 8
  • 9. Teredo address decoding 2001:0000:53aa:064c:0055:6bbf:a67b:7887 Bits 0 - 31 32 - 63 64 - 79 80 - 95 96 - 127 Length 32 bits 32 bits 16 bits 16 bits 32 bits Teredo Obfuscated Client Description Prefix Flags server IPv4 UDP port public IPv4 Part 2001:0000 53aa:064c 0055 6bbf a67b:7887 Decoded 83.170.6.76 37952 89.132.135.120 online decoder: http://isc.sans.org/tools/ipv6.html 9
  • 10. 10
  • 12. Bubble packets bubble packets are sent out every 30 seconds for keep-alive 12
  • 13. NAT hole – ICMPv6 bubble 13
  • 14. NAT hole – with Romeo and Juliet 14
  • 15. Our journey begins • target of the attack – auditor/pentester company – steal reports/findings • TCP/(known service UDP) port scan – nmap – no TCP/known service UDP ports opened • google fu – we locate a forum post from the pentester • Linux – BackTrack5 user – No Script – no Java/Flash/browser 0-day 15
  • 16. scenario 16
  • 17. Pwning the BT5 • The pentester was complaining on the forum that IPv6 is not working on his BT5 – We suggest to run: miredo (Teredo Linux implementation) • get the pentester to visit a our website (e.g. test IPv6 here), or find XSS on the forum – IPv6 object (image, iframe) hosted by the attacker – extract Teredo IPv6 address from webserver logs • portscan the Teredo IPv6 address • TCP port 22 (SSH) on Teredo address open 17
  • 18. Lightning round – for 1 HACKER PSCHORR 18
  • 19. Lightning round – for 1 HACKER PSCHORR • What could be the password for the user root after double rot13 encryption, if we know it is a Backtrack5 OS? 19
  • 20. Lightning round – for 1 HACKER PSCHORR • What could be the password for the user root after double rot13 encryption, if we know it is a Backtrack5 OS? • yes, the answer is toor • default SSHD configuration – listens on every interface (IPv4, IPv6) – PermitRootLogin yes 20
  • 21. Video 21
  • 22. scenario 22
  • 23. Root access is like the key to the kingdom for Romeo 23
  • 24. Windows Teredo implementation is secure by default • although Teredo enabled by default • Windows firewall will blocks Teredo • if not explicitly allowed for the port/application • IPV6_PROTECTION_LEVEL: PROTECTION_LEVEL_UNRESTRICTED • Teredo is secure till vuln in ... – Windows firewall – UDP/TCP/IP/IPV6/Teredo stack – NIC driver level • Teredo backdoor – meterpreter IPv6 bind shell • Teredo DNS spoofing… 24
  • 25. Lessons learned • Teredo has security holes by design • know the protocol you are using • change passwords, srsly, change passwords • disable SSH listening on every interface • configure ip6tables locally • Close ports on the network firewall if they are not needed, even outbound ones. Especially close every outgoing UDP which is not needed. • use Windows  25
  • 26. Pass the hash – a.k.a. My little Windows domain pwnie known since 1997 Bugtraq ID number 233
  • 27. Windows local admin hashes • local login - user password is verified by NTLM (NT Lan Manager) if (NTLMHash(userPassword) == decryptWithSyskey( encryptedLocalUserNTLMHash)) login(); else raise WrongPasswordException(); • Security Accounts Management Database (SAM) (%SystemRoot%/SAM ) – stores encrypted hashed copies of (local) user passwords • syskey is either stored in – registry (%SystemRoot%/SYSTEM) – optionally password protected – floppy … 27
  • 28. Extract hashes of the Windows local admin(s) • well known tools to extract the local user hashes – online OS – via dll injection – pwdumpX/fgdump/cain – offline OS – access to SAM files – bkhive, samdump2 • security rule of thumb: never ever reuse passwords – do you reuse local admin passwords if you have thousands of workstations? • common excuses for password reuse – „it is random, 20 character long with special characters” – „the weak LM hash is not stored” – „noone can break it” 28
  • 29. Lightning round – for another HACKER PSCHORR • What is the minimum number of characters in the password, if the local admin password hash looks like this? – User:Domain:aad3b435b51404eeaad3b435b5140 4ee:25edfdbf01ae5d63be05f958b4221fb9 – additional info: HKEY_LOCAL_MACHINESYSTEMCurrentControlS etControlLsaNoLMHash = 0 29
  • 30. Scenario • BackTrack5 was installed as a dual boot OS – mount Win NTFS partition – extract local admin hashes 30
  • 31. Video 31
  • 32. Scenario 32
  • 33. Pass the hash • cracking NTLM hash of a 15 long mixed case random AlphaNumeric password takes … – 1.7*1010 years to crack with today GPU • even with life-time GPU warranty it looks impossible… – the universe is around 1.375*1010 years old • What is the purpose of cracking hashes??? – we can authenticate with the hash • without knowing the password!!! 33
  • 34. Romeo – get Juliet’s fingerprint (not the finger, just the fingerprint) Juliet has access to Lord Capulet’s room with fingerprint authentication Which means Romeo has access to Capulet’s room, too. 34
  • 35. Pass the hash • „NTLM single sign on” is a security problem by design • in the RAM, there has to be something (e.g. hash) you can authenticate with – it would be slightly inconvenient to type your password every time you want to authenticate to a network resource 35
  • 36. Pass the hash attack – in theory and on SecurityTube • search for a workstation – with a logged in domain administrator • authenticate to this workstation as a local admin with the local admin hash – SMB (Server Message Block + psexec) • two ways to go – grab the domain admin password hashes (e.g. Windows Credentials Editor) – token impersonation (e.g. Meterpreter Incognito) • with the hash/token we are domain admin • this means PROFIT ... – where is the ??? step
  • 37. The ??? step: STATUS_ACCES_DENIED 37
  • 38. Pass the hash attack - in practice • works on SMB if domain admin uses WinXP • fails on SMB if domain admin uses Vista/Win7/Win2k8 – if authenticating as local admin via network, admin privileges are dropped • Vista/Win7/Win2k8 SMB attack may be possible – HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemLocalAccountToke nFilterPolicy = 1 (remote UAC) • Vista/Win7/Win2k8 attack is possible – Remote Desktop single sign on uses NTLM - (attack only in theory, yet) – SQL Server Windows auth. uses NTLM (local priv. escalation still required) 38
  • 39. Video 39
  • 40. Scenario 40
  • 41. Scenario Romeo – having the credentials of Lord Capulet 41
  • 42. How not to try to prevent pass the hash? • security people – non representative survey in 2010, USA * – 2/3 of security professionals never heard about the pass the hash attack * references 42
  • 43. How not to try to prevent pass the hash? • security people – non representative survey in 2010, USA * – 2/3 of security professionals never heard about the pass the hash attack • antivirus * references 43
  • 44. How not to try to prevent pass the hash? • security people – non representative survey in 2010, USA * – 2/3 of security professionals never heard about the pass the hash attack • antivirus • HIPS * references 44
  • 45. How not to try to prevent pass the hash? • security people – non representative survey in 2010, USA * – 2/3 of security professionals never heard about the pass the hash attack • antivirus • HIPS • Kerberos – pass the ticket * references 45
  • 46. How not to try to prevent pass the hash? • security people – non representative survey in 2010, USA * – 2/3 of security professionals never heard about the pass the hash attack • antivirus • HIPS • Kerberos – pass the ticket • smartcard ! * references 46
  • 47. Pass the hash prevention tips • the following advices could help you to prevent the attack shown before – pass the hash attack will be still effective, it’s by design • full disc encryption • different local admin password – e.g. trunc(hashAlphaNum(Passwd || WorkstationNumber),15) • separate domain admin workstations – physically – network • domain admins should login as domain admin only on servers – on workstations login as domain user • don’t use the same workstation for web browsing and administrator tasks 47
  • 48. Pass the hash attack detection • legitim events in event logs – it may be possible to locate the „attacker” workstation • 552 Windows event code – „explicit credentials were used from another account” • too many false positives • in practice, if you detect the attack, you have been already pwned 48
  • 49. SMB pass the hash „worm” • this is my idea • implemented by my friend Buherator – metasploit module – http://bit.ly/qrM2V8 49
  • 50. References • The Teredo Protocol:Tunneling Past Network Security and Other Security Implications – Dr. James Hoagland Principal Security Researcher – Symantec Advanced Threat Research – http://www.symantec.com/avcenter/reference/Teredo_Se • Hernan Ochoa: Windows Credentials Editor tool • Pass-the-hash attacks: Tools and Mitigation – Bashar Ewaida – http://www.sans.org/reading_room/whitepapers/testing/p 50

Editor's Notes

  1. slide theme: folio, studio, tradition
  2. The relay sends an encapsulated bubble packet to the Teredo client’s server with the IPv6 destination set to the Teredo peer. The server address is extracted from the client’s Teredo address. 2. The server passes the bubble along to the Teredo client, adding origin data (the IPv4 address and port of the relay). 3. The NAT receives the packet and passes it on to the client. The NAT allows this because the client and server communicate on a regular basis. 4. Upon receipt of the bubble, the client sends an encapsulated bubble to the address and port in the origin data (the relay). 5. The encapsulated bubble is received by the NAT and forwarded to the relay. The NAT now sees the relay as a recent peer and allows incoming packets from it.
  3. Even if you turn off firewall (or install a least secure one),
  4. El kell inditani dc-t + támadó + támadott win7-est Mutatni ahogy domain admin belép a gépére 15 karakteres majd zárolja Belépni támadó win7-re 8 karakteres jelszóval Wce-vel beállítani új hasht új usert létrehozni és domain admin jogokat adni Előtte: