Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack Original video in Hungarian: http://vimeo.com/31359639 Translated version: http://vimeo.com/31360814

1. IPv6 shipworm + My little
Windows domain pwnie
18. 09. 2011
Zoltán Balázs

2. Disclaimer
• All views and opinions I share with you today
are my own.
• The following presentation does not represent
the views of any of my previous or present
employers.
• don’t try this at home or at work
– for educational purposes only
2

3. Who am I?
• Certified Interspecie-ial Sheep Shearing
Professional (CISSP)
• Certified Pajama Toaster Specialist (CPTS)
• Microsoft Certified Psychopath (MCP)
• Certified Propeller Beanie Hat Script Kiddie
(CPBHSK)
• 7 years of experience with IT Security
3

4. This presentation is NOT about...
• assembly
– buffer overflow, egghunting, NOPsled, SEH
exploits, ROP
• kernel rootkits
• stuxnet
• zero day
• any new stuff you can find on the internet
4

5. This presentation is NOT about...
• assembly
– buffer overflow, egghunting, NOPsled, SEH
exploits, ROP
• kernel rootkits
• stuxnet
• zero day
• any new stuff you can find on the internet
5

6. What’s next?
• a fictitious hacking scenario
– IPv6 Teredo protocol
– Pass the hash – NTLM authentication
• Both attacks are known for more than a
decade, but still (or even more) effective. 
– “precious ancient treasures”
6

7. IPv6 Teredo basics
• IPv6
• native, 6in4, 6over4, 6to4, 6rd, ISATAP, Teredo, etc ...
• goal of Teredo (a.k.a. IPv6 shipworm)
• IPv6 behind IPv4 NAT (UDP tunneling)
• Teredo components
– client
– server
– relay || host-specific relay
– IPv6 peer
• attention conspiracy theory fans
– teredo.ipv6.microsoft.com – default MS WIN server
– knows every non Teredo IPv6 peers you are
communicating with ... 7

8. 8

9. Teredo address decoding
2001:0000:53aa:064c:0055:6bbf:a67b:7887
Bits 0 - 31 32 - 63 64 - 79 80 - 95 96 - 127
Length 32 bits 32 bits 16 bits 16 bits 32 bits
Teredo Obfuscated Client
Description Prefix Flags
server IPv4 UDP port public IPv4
Part 2001:0000 53aa:064c 0055 6bbf a67b:7887
Decoded 83.170.6.76 37952 89.132.135.120
online decoder: http://isc.sans.org/tools/ipv6.html
9

10. 10

11. Qualification (simplified …)
11

12. Bubble packets
bubble packets are sent out every 30 seconds for keep-alive
12

13. NAT hole – ICMPv6 bubble
13

14. NAT hole – with Romeo and Juliet
14

15. Our journey begins
• target of the attack
– auditor/pentester company
– steal reports/findings
• TCP/(known service UDP) port scan – nmap
– no TCP/known service UDP ports opened
• google fu
– we locate a forum post from the pentester
• Linux – BackTrack5 user
– No Script
– no Java/Flash/browser 0-day 15

16. scenario
16

17. Pwning the BT5
• The pentester was complaining on the forum that
IPv6 is not working on his BT5
– We suggest to run: miredo (Teredo Linux implementation)
• get the pentester to visit a our website (e.g. test IPv6
here), or find XSS on the forum
– IPv6 object (image, iframe) hosted by the attacker
– extract Teredo IPv6 address from webserver logs
• portscan the Teredo IPv6 address
• TCP port 22 (SSH) on Teredo address open
17

18. Lightning round – for 1 HACKER PSCHORR
18

19. Lightning round – for 1 HACKER PSCHORR
• What could be the password for the user root
after double rot13 encryption, if we know it is
a Backtrack5 OS?
19

20. Lightning round – for 1 HACKER PSCHORR
• What could be the password for the user root
after double rot13 encryption, if we know it is
a Backtrack5 OS?
• yes, the answer is toor
• default SSHD configuration
– listens on every interface (IPv4, IPv6)
– PermitRootLogin yes
20

21. Video
21

22. scenario
22

23. Root access is like the key to the
kingdom for Romeo
23

24. Windows Teredo implementation is
secure by default
• although Teredo enabled by default
• Windows firewall will blocks Teredo
• if not explicitly allowed for the
port/application
• IPV6_PROTECTION_LEVEL:
PROTECTION_LEVEL_UNRESTRICTED
• Teredo is secure till vuln in ...
– Windows firewall
– UDP/TCP/IP/IPV6/Teredo stack
– NIC driver level
• Teredo backdoor
– meterpreter IPv6 bind shell
• Teredo DNS spoofing…
24

25. Lessons learned
• Teredo has security holes by design
• know the protocol you are using
• change passwords, srsly, change passwords
• disable SSH listening on every interface
• configure ip6tables locally
• Close ports on the network firewall if they are
not needed, even outbound ones. Especially
close every outgoing UDP which is not needed.
• use Windows 
25

26. Pass the hash – a.k.a.
My little Windows domain pwnie
known since 1997
Bugtraq ID number 233

27. Windows local admin hashes
• local login - user password is verified by NTLM (NT Lan
Manager)
if (NTLMHash(userPassword) ==
decryptWithSyskey( encryptedLocalUserNTLMHash))
login();
else raise WrongPasswordException();
• Security Accounts Management Database (SAM)
(%SystemRoot%/SAM )
– stores encrypted hashed copies of (local) user passwords
• syskey is either stored in
– registry (%SystemRoot%/SYSTEM) – optionally password protected
– floppy …
27

28. Extract hashes of the Windows local
admin(s)
• well known tools to extract the local user hashes
– online OS – via dll injection – pwdumpX/fgdump/cain
– offline OS – access to SAM files – bkhive, samdump2
• security rule of thumb: never ever reuse
passwords
– do you reuse local admin passwords if you have thousands
of workstations?
• common excuses for password reuse
– „it is random, 20 character long with special characters”
– „the weak LM hash is not stored”
– „noone can break it”
28

29. Lightning round – for another HACKER PSCHORR
• What is the minimum number of characters in
the password, if the local admin password
hash looks like this?
– User:Domain:aad3b435b51404eeaad3b435b5140
4ee:25edfdbf01ae5d63be05f958b4221fb9
– additional info:
HKEY_LOCAL_MACHINESYSTEMCurrentControlS
etControlLsaNoLMHash = 0
29

30. Scenario
• BackTrack5 was installed as a dual boot OS
– mount Win NTFS partition
– extract local admin hashes
30

31. Video
31

32. Scenario
32

33. Pass the hash
• cracking NTLM hash of a 15 long mixed case
random AlphaNumeric password takes …
– 1.7*1010 years to crack with today GPU
• even with life-time GPU warranty it looks impossible…
– the universe is around 1.375*1010 years old
• What is the purpose of cracking
hashes???
– we can authenticate with the hash
• without knowing the password!!! 33

34. Romeo – get Juliet’s fingerprint
(not the finger, just the fingerprint)
Juliet has access to Lord
Capulet’s room
with fingerprint authentication
Which means Romeo has
access to Capulet’s room, too.
34

35. Pass the hash
• „NTLM single sign on” is a security problem
by design
• in the RAM, there has to be something (e.g.
hash) you can authenticate with
– it would be slightly inconvenient to type
your password every time you want to
authenticate to a network resource
35

36. Pass the hash attack – in theory and on
SecurityTube
• search for a workstation
– with a logged in domain administrator
• authenticate to this workstation as a local admin with the
local admin hash – SMB (Server Message Block + psexec)
• two ways to go
– grab the domain admin password hashes (e.g. Windows
Credentials Editor)
– token impersonation (e.g. Meterpreter Incognito)
• with the hash/token we are domain admin
• this means PROFIT ...
– where is the ??? step

37. The ??? step: STATUS_ACCES_DENIED
37

38. Pass the hash attack - in practice
• works on SMB if domain admin uses WinXP
• fails on SMB if domain admin uses
Vista/Win7/Win2k8
– if authenticating as local admin via network, admin
privileges are dropped
• Vista/Win7/Win2k8 SMB attack may be possible
– HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemLocalAccountToke
nFilterPolicy = 1 (remote UAC)
• Vista/Win7/Win2k8 attack is possible
– Remote Desktop single sign on uses NTLM - (attack
only in theory, yet)
– SQL Server Windows auth. uses NTLM (local priv.
escalation still required)
38

39. Video
39

40. Scenario
40

41. Scenario Romeo – having the credentials of Lord
Capulet
41

42. How not to try to prevent pass the
hash?
• security people
– non representative survey in 2010, USA *
– 2/3 of security professionals never heard about the pass the
hash attack
* references
42

43. How not to try to prevent pass the
hash?
• security people
– non representative survey in 2010, USA *
– 2/3 of security professionals never heard about the pass the
hash attack
• antivirus
* references
43

44. How not to try to prevent pass the
hash?
• security people
– non representative survey in 2010, USA *
– 2/3 of security professionals never heard about the pass the
hash attack
• antivirus
• HIPS
* references
44

45. How not to try to prevent pass the
hash?
• security people
– non representative survey in 2010, USA *
– 2/3 of security professionals never heard about the pass the
hash attack
• antivirus
• HIPS
• Kerberos
– pass the ticket
* references
45

46. How not to try to prevent pass the
hash?
• security people
– non representative survey in 2010, USA *
– 2/3 of security professionals never heard about the pass the
hash attack
• antivirus
• HIPS
• Kerberos
– pass the ticket
• smartcard !
* references
46

47. Pass the hash prevention tips
• the following advices could help you to prevent the attack
shown before
– pass the hash attack will be still effective, it’s by design
• full disc encryption
• different local admin password
– e.g. trunc(hashAlphaNum(Passwd || WorkstationNumber),15)
• separate domain admin workstations
– physically
– network
• domain admins should login as domain admin only on servers
– on workstations login as domain user
• don’t use the same workstation for web browsing and
administrator tasks
47

48. Pass the hash attack detection
• legitim events in event logs
– it may be possible to locate the „attacker”
workstation
• 552 Windows event code
– „explicit credentials were used from another
account”
• too many false positives
• in practice, if you detect the attack, you have
been already pwned
48

49. SMB pass the hash „worm”
• this is my idea
• implemented by my friend Buherator
– metasploit module
– http://bit.ly/qrM2V8
49

50. References
• The Teredo Protocol:Tunneling Past Network
Security and Other Security Implications
– Dr. James Hoagland Principal Security Researcher
– Symantec Advanced Threat Research
– http://www.symantec.com/avcenter/reference/Teredo_Se
• Hernan Ochoa: Windows Credentials Editor tool
• Pass-the-hash attacks: Tools and Mitigation
– Bashar Ewaida
– http://www.sans.org/reading_room/whitepapers/testing/p
50

51. H___
t__
p_____!
Zoltan1.Balazs@gmail.com
ZBalazs@DeloitteCE.com
51