Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
[ENG] IPv6 shipworm + My little Windows domain pwnie
1. IPv6 shipworm + My little Windows domain pwnie
18. 09. 2011
Zoltán Balázs
2. Disclaimer
• All views and opinions I share with you today are my own.
• The following presentation does not represent the views of any of my previous or present employers.
• don’t try this at home or at work
– for educational purposes only
3. Who am I?
• Certified Interspecie-ial Sheep Shearing Professional (CISSP)
• Certified Pajama Toaster Specialist (CPTS)
• Microsoft Certified Psychopath (MCP)
• Certified Propeller Beanie Hat Script Kiddie (CPBHSK)
• 7 years of experience with IT Security
4. This presentation is NOT about...
• assembly
– buffer overflow, egghunting, NOPsled, SEH exploits, ROP
• kernel rootkits
• stuxnet
• zero day
• any new stuff you can find on the internet
6. What’s next?
• a fictitious hacking scenario
– IPv6 Teredo protocol
– Pass the hash – NTLM authentication
• Both attacks have been known for more than a decade, but are still (or even more) effective.
– “precious ancient treasures”
7. IPv6 Teredo basics
• IPv6
– native, 6in4, 6over4, 6to4, 6rd, ISATAP, Teredo, etc ...
• goal of Teredo (a.k.a. IPv6 shipworm)
– IPv6 behind IPv4 NAT (UDP tunneling)
• Teredo components
– client
– server
– relay || host-specific relay
– IPv6 peer
• attention conspiracy theory fans
– teredo.ipv6.microsoft.com – default MS Windows server
– knows every non-Teredo IPv6 peer you are communicating with ...
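Decoding a Teredo address into its components, as an added example that is not code from the talk: the RFC 4380 layout is the 2001:0::/32 prefix, the Teredo server's IPv4 address, 16 flag bits, then the client's external UDP port and IPv4 address XORed with all-ones. The same parse lets a defender find Teredo-tunneled clients in their own web-server logs (the attacker's trick on slide 17, turned around). The address, the log lines and the cone-flag interpretation of bit 0x8000 are constructed sample values and assumptions of this example.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

# Constructed web-server log lines (combined-log style); the first client is a Teredo address
# that encodes server 192.0.2.45, external port 40000 and external IPv4 198.51.100.7.
SAMPLE_LOG = """\
2001:0:c000:22d:8000:63bf:39cc:9bf8 - - [18/Sep/2011:10:00:01 +0200] "GET /ipv6test.png HTTP/1.1" 200 512
203.0.113.9 - - [18/Sep/2011:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 1024
2001:db8::1 - - [18/Sep/2011:10:00:03 +0200] "GET /ipv6test.png HTTP/1.1" 200 512
"""


def parse_teredo(addr: str):
    """Unpack a Teredo IPv6 address (RFC 4380 layout); returns None for non-Teredo IPv6."""
    ip = ipaddress.IPv6Address(addr)          # raises ValueError for IPv4 or garbage
    if ip not in TEREDO_PREFIX:
        return None
    b = ip.packed
    server = ipaddress.IPv4Address(b[4:8])     # Teredo server that relayed the qualification
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF          # obfuscated external port
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))  # obfuscated external IPv4
    return {"server": str(server), "cone": bool(flags & 0x8000),
            "client_port": port, "client": str(client)}


def teredo_clients_in_log(log_text: str):
    """Return (raw source, decoded fields) for every Teredo client seen in the log."""
    hits = []
    for line in log_text.splitlines():
        src = line.split(" ", 1)[0]
        try:
            info = parse_teredo(src)
        except ValueError:
            continue                            # IPv4 client or malformed line
        if info:
            hits.append((src, info))
    return hits
```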
15. Our journey begins
• target of the attack
– auditor/pentester company
– steal reports/findings
• TCP/(known service UDP) port scan – nmap
– no TCP or known-service UDP ports open
• google fu
– we locate a forum post from the pentester
• Linux – BackTrack5 user
– NoScript
– no Java/Flash/browser 0-day
17. Pwning the BT5
• The pentester was complaining on the forum that IPv6 is not working on his BT5
– We suggest running miredo (the Teredo Linux implementation)
• get the pentester to visit our website (e.g. „test IPv6 here”), or find an XSS on the forum
– IPv6 object (image, iframe) hosted by the attacker
– extract the Teredo IPv6 address from the webserver logs
• portscan the Teredo IPv6 address
• TCP port 22 (SSH) on the Teredo address is open
20. Lightning round – for 1 HACKER PSCHORR
• What could be the password for the user root after double rot13 encryption, if we know it is a Backtrack5 OS?
• yes, the answer is toor
• default SSHD configuration
– listens on every interface (IPv4, IPv6)
– PermitRootLogin yes
24. Windows Teredo implementation is secure by default
• although Teredo is enabled by default
• the Windows firewall blocks Teredo
– unless explicitly allowed for the port/application
– IPV6_PROTECTION_LEVEL: PROTECTION_LEVEL_UNRESTRICTED
• Teredo is secure until there is a vuln in ...
– Windows firewall
– UDP/TCP/IP/IPv6/Teredo stack
– NIC driver level
• Teredo backdoor
– meterpreter IPv6 bind shell
• Teredo DNS spoofing…
25. Lessons learned
• Teredo has security holes by design
• know the protocol you are using
• change passwords, srsly, change passwords
• disable SSH listening on every interface
• configure ip6tables locally
• close ports on the network firewall if they are not needed, even outbound ones; especially close every outgoing UDP port which is not needed
• use Windows
26. Pass the hash – a.k.a. My little Windows domain pwnie
• known since 1997
• Bugtraq ID number 233
27. Windows local admin hashes
• local login – the user password is verified by NTLM (NT LAN Manager)
    if (NTLMHash(userPassword) == decryptWithSyskey(encryptedLocalUserNTLMHash))
        login();
    else
        raise WrongPasswordException();
• Security Accounts Management Database (SAM) (%SystemRoot%/SAM)
– stores encrypted hashed copies of (local) user passwords
• syskey is either stored in
– registry (%SystemRoot%/SYSTEM) – optionally password protected
– floppy …
28. Extract hashes of the Windows local admin(s)
• well-known tools to extract the local user hashes
– online OS – via DLL injection – pwdumpX/fgdump/cain
– offline OS – access to the SAM files – bkhive, samdump2
• security rule of thumb: never ever reuse passwords
– do you reuse local admin passwords if you have thousands of workstations?
• common excuses for password reuse
– „it is random, 20 characters long with special characters”
– „the weak LM hash is not stored”
– „no one can break it”
29. Lightning round – for another HACKER PSCHORR
• What is the minimum number of characters in the password, if the local admin password hash looks like this?
– User:Domain:aad3b435b51404eeaad3b435b51404ee:25edfdbf01ae5d63be05f958b4221fb9
– additional info: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 0
30. Scenario
• BackTrack5 was installed as a dual boot OS
– mount the Win NTFS partition
– extract local admin hashes
33. Pass the hash
• cracking the NTLM hash of a 15-character mixed-case random alphanumeric password takes …
– 1.7*10^10 years to crack with today’s GPUs
• even with a life-time GPU warranty it looks impossible…
– the universe is around 1.375*10^10 years old
• What is the purpose of cracking hashes???
– we can authenticate with the hash
• without knowing the password!!!
34. Romeo – get Juliet’s fingerprint (not the finger, just the fingerprint)
Juliet has access to Lord Capulet’s room with fingerprint authentication.
Which means Romeo has access to Capulet’s room, too.
35. Pass the hash
• „NTLM single sign on” is a security problem by design
• in RAM, there has to be something (e.g. the hash) you can authenticate with
– it would be slightly inconvenient to type your password every time you want to authenticate to a network resource
36. Pass the hash attack – in theory and on SecurityTube
• search for a workstation
– with a logged-in domain administrator
• authenticate to this workstation as a local admin with the local admin hash – SMB (Server Message Block) + psexec
• two ways to go
– grab the domain admin password hashes (e.g. Windows Credentials Editor)
– token impersonation (e.g. Meterpreter Incognito)
• with the hash/token we are domain admin
• this means PROFIT ...
– where is the ??? step
38. Pass the hash attack – in practice
• works on SMB if the domain admin uses WinXP
• fails on SMB if the domain admin uses Vista/Win7/Win2k8
– if authenticating as local admin via the network, admin privileges are dropped
• Vista/Win7/Win2k8 SMB attack may be possible
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1 (remote UAC)
• Vista/Win7/Win2k8 attack is possible
– Remote Desktop single sign-on uses NTLM (attack only in theory, yet)
– SQL Server Windows auth. uses NTLM (local priv. escalation still required)
46. How not to try to prevent pass the hash?
• security people
– non-representative survey in 2010, USA *
– 2/3 of security professionals had never heard about the pass-the-hash attack
• antivirus
• HIPS
• Kerberos
– pass the ticket
• smartcard !
* see references
47. Pass the hash prevention tips
• the following advice could help you prevent the attack shown before
– the pass-the-hash attack will still be effective, it’s by design
• full disk encryption
• different local admin password
– e.g. trunc(hashAlphaNum(Passwd || WorkstationNumber), 15)
• separate domain admin workstations
– physically
– network
• domain admins should log in as domain admin only on servers
– on workstations log in as a domain user
• don’t use the same workstation for web browsing and administrator tasks
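One way to realise the trunc(hashAlphaNum(Passwd || WorkstationNumber), 15) idea from the tips above, added as an example and not the speaker’s code: it assumes SHA-256 as the hash, base 62 as the alphanumeric encoding, and the names master_secret and workstation; the 15-character floor is enforced because below that Windows also stores the weak LM hash (the point of the slide 29 question).

```python
import hashlib

ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def hash_alphanum(data: bytes) -> str:
    """hashAlphaNum(): SHA-256 digest rendered as a base-62 string (assumed choices)."""
    n = int.from_bytes(hashlib.sha256(data).digest(), "big")
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHANUM[r])
    return "".join(reversed(out))


def local_admin_password(master_secret: str, workstation: str, length: int = 15) -> str:
    """trunc(hashAlphaNum(Passwd || WorkstationNumber), length): a per-workstation local admin
    password, so one dumped hash does not open every other workstation."""
    if length < 15:
        # shorter passwords get an LM hash stored alongside the NT hash
        raise ValueError("length must be at least 15")
    # plain concatenation as on the slide; an HMAC keyed with the master secret would also
    # avoid ambiguous splits between the two parts
    return hash_alphanum((master_secret + workstation).encode())[:length]
```

Every workstation password is derivable from master_secret, so the secret must live only with the administrators who rotate the passwords, never on the workstations themselves.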
48. Pass the hash attack detection
• legitimate events in the event logs
– it may be possible to locate the „attacker” workstation
• Windows event code 552
– „explicit credentials were used from another account”
• too many false positives
• in practice, if you detect the attack, you have already been pwned
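Detection logic for the event 552 idea above (event 4648 is the Vista and later equivalent), added as an example and not part of the talk: it only alerts on explicit-credential logons where a domain admin account was used from a host that is not one of the separate admin workstations from slide 47, which is what cuts down the false positives the slide complains about and names the workstation to look at. The CSV log layout, account names and host names are constructed.

```python
import csv
import io

# Constructed security-log entries flattened to CSV (not from the talk):
# time, event id, workstation, logged-on account, account whose credentials were used
SAMPLE_LOG = """\
2011-09-18 10:01:02,552,WS-042,CORP\\jsmith,CORP\\jsmith
2011-09-18 10:05:17,552,ADMIN-WS-01,CORP\\bob,CORP\\da.bob
2011-09-18 10:07:44,552,WS-042,WS-042\\Administrator,CORP\\da.bob
2011-09-18 10:09:10,528,WS-042,CORP\\jsmith,CORP\\jsmith
"""

DOMAIN_ADMINS = {"CORP\\da.bob"}       # privileged accounts worth alerting on
ADMIN_WORKSTATIONS = {"ADMIN-WS-01"}   # the separate admin workstations of slide 47


def find_suspicious_552(log_text, admins=DOMAIN_ADMINS, admin_hosts=ADMIN_WORKSTATIONS):
    """Return (time, host, logged-on account, used account) for each 552 event in which a
    domain admin credential was used from a host that is not an admin workstation."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue                     # skip blank or malformed lines
        time, event_id, host, logged_on, used = row
        if event_id != "552" or used not in admins or host in admin_hosts:
            continue                     # ordinary logon, non-admin creds, or expected host
        alerts.append((time, host, logged_on, used))
    return alerts
```

The third sample line is the pass-the-hash pattern: the workstation’s local Administrator account driving a domain admin credential, which is the host to pull off the network first.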
49. SMB pass the hash „worm”
• this is my idea
• implemented by my friend Buherator
– metasploit module
– http://bit.ly/qrM2V8
50. References
• The Teredo Protocol: Tunneling Past Network Security and Other Security Implications
– Dr. James Hoagland, Principal Security Researcher, Symantec Advanced Threat Research
– http://www.symantec.com/avcenter/reference/Teredo_Se
• Hernan Ochoa: Windows Credentials Editor tool
• Pass-the-hash attacks: Tools and Mitigation
– Bashar Ewaida
– http://www.sans.org/reading_room/whitepapers/testing/p
1. The relay sends an encapsulated bubble packet to the Teredo client’s server with the IPv6 destination set to the Teredo peer. The server address is extracted from the client’s Teredo address.
2. The server passes the bubble along to the Teredo client, adding origin data (the IPv4 address and port of the relay).
3. The NAT receives the packet and passes it on to the client. The NAT allows this because the client and server communicate on a regular basis.
4. Upon receipt of the bubble, the client sends an encapsulated bubble to the address and port in the origin data (the relay).
5. The encapsulated bubble is received by the NAT and forwarded to the relay. The NAT now sees the relay as a recent peer and allows incoming packets from it.
Even if you turn off the firewall (or install a less secure one),
Need to start the DC + attacker + victim Win7. Show the domain admin logging in to his machine with a 15-character password, then locking it. Log in to the attacker Win7 with an 8-character password. Set the new hash with WCE, create a new user and give it domain admin rights. Before that: