SlideShare a Scribd company logo

Wce12 uba ampliasecurity_eng

•
•
F
fangjiafu

The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".

Technology
1 of 56
Download to read offline
Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more… Date: 01-07-2011 Author: Hernan Ochoa <hernan@ampliasecurity.com>
Windows Authentication h1 = LMHash(“pwd1”) SAM Database h2 = NTHash(“pwd1”) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Network • The cleartext password is not sent • The NTLM protocol is used
NTLM Authentication lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. R’ = f(SAM[lmhash/nthash], C) … … … R’ == R => Access Granted R’ <> R => Access Denied
pre-Pass-the-Hash Attacks • After compromising a Windows box… – ‘ Dump’ the SAM • pwdump3/3e/4/5/6/7,fgdump,etc – Administrator:500:0102030405060708090A0B0C0D0E0F10:1020 30405060708090A0B0C0D0E0F10 – Crack/Brute-Force hashes to obtain cleartext password • Takes time.. (e.g.: pentest time is limited) • No guarantee the password will be obtained • Rainbow tables were not widely used – Less computing power, storage, etc – Still, not the answer to everything
Pass-The-Hash Technique Published by Paul Ashton in 1997 http://www.securityfocus.com/bid/233/discuss
Pass-the-hash Technique lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. • Cleartext password is not needed for NTLM auth … … … • Only lmhash/nthash are needed • No need to crack/brute-force R’ = f(SAM[lmhash/nthash], C) • Just use the hashes directly R’ == R => Access Granted R’ <> R => Access Denied
Pass-the-hash: ‘exploitation’ • Modified Smbclient (SAMBA) – smbclient //192.168.1.120/c$ -U Administrator -p 4ECC0E7568976B7EAAD3B435B51404EE:551E3B3 215FFD87F5E037B3E3523D5F6 • Samba-TNG • Many 3rd-party SMB+NTLM stacks – Python, Ruby, Java, etc
3rd-party SMB+NTLM stacks: Limitations • Limited and partial functionality • Always running behind Windows – New functionality has to be implemented, some by reverse engineering • Complex, requires time and effort • Cannot use native Windows applications – They ask for username and cleartext password, not hashes…
Enter, Windows Credentials Editor...
What is WCE? • Tool to manipulate Windows logon sessions – Add, list, delete, modify – Obtain credentials associated with logon sessions – Pass-the-hash (NTLM) – Pass-the-ticket (Kerberos)
Pre-WCE/Pass-the-hash attacks • Without WCE.. – Crack/Brute-force hashes to obtain cleartext password – Crack/Brute-force ´encrypted´ hashes (C,R->NTLM) to obtain cleartext password – Use 3rd-party SMB+NTLM stacks, w/limited and partial functionality – More difficult/not possible to do pass-the-hash while pivoting among Windows boxes
Post-WCE/Pass-the-hash attacks • With WCE… – Do Pass-the-hash directly with the hashes • No need to attempt to crack/brute-force hashes • Will be able to use them even if you cannot crack them – 3rd-party SMB+NTLM stacks problems eliminated – Easier to do Pass-the-hash while pivoting among Windows boxes
Demo #1 WCE: Pass-the-hash
WCE: ‘Steal’ Credentials from memory • New ´attack´ implemented by WCE – It is not Pass-the-hash, it´s another technique.. – Sometimes the two are confused, but they are not the same.. • Allows you to obtain usernames and NTLM hashes stored in memory
WCE: ‘Steal’ Credentials from memory • Why are they in memory? • NTLM auth package • SSO cgarcia pwd1 Network
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console • Remote logon sessions via RDP • RunAs • Windows Services running under specific user accounts • Windows APIs used by applications • Etc.
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console cgarcia pwd1
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Remote logon sessions via RDP Network
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • RunAs
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows Services
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows APIs used by applications Example:
WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash.. – By default, nowadays, Windows does not store the LM hash in the SAM • It is weak; “easy” to crack
WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash from memory – Windows generates and stores the hashes in memory, including the LM hash • Interactive sessions • Others previously mentioned – Possible to crack it and obtain cleartext password to use in places where NTLM is not the auth method
WCE: ‘Steal’ Credentials from memory Example: The LM Hash is not in the SAM Pwdump output The LM Hash is in memory WCE output
WCE: ‘Steal’ Credentials from memory When are they NOT stored in memory? • Network Logons – The hashes never reach the remote server Init Connection Responds C = challenge random Sends cgarcia, R
WCE: ‘Steal’ Credentials from memory Post-explotation attack scenario Attacker compromises remote Windows box • Run WCE to obtain credentials stored in memory • Use those hashes to do Pass-The-Hash with WCE
Demo #2 WCE: ‘Steal’ credentials from memory
WCE: ‘Steal’ Credentials from memory Especially interesting in Windows Domain Environments Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Backups Server Domain User
WCE: ‘Steal’ Credentials from memory WITHOUT WCE.. Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. SAM ajuarez B90DF.. CCDF.. User Hash LM Hash NT … … … Administ FDDE.. CCDH1.. rador Guest AABCD.. FFD4F.. Domain User Backups Server Attacker • Attacker owns remote Windows box • Only has access to local SAM.. • No Domain Users there, not very useful…
WCE: ‘Steal’ Credentials from memory WITH WCE.. Domain Domain:Admi Controller (DC) Domain nistrator:CDB User Hash LM Hash NT User 70D9EDA812 SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. DBF:C9DF712 … … … D09D7DF1C Domain User Backups Server Attacker • Attacker owns Backups server • Obtains credentials from memory.. • Probably will find Domain Users there.. • Can possibly compromise the whole domain!
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller(DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker • WCE ‘steals’ the Domain Administrator Credentials!
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • When you RDP to a remote box, you leave the NTLM hashes of your password in the remote server´s memory • NTLM hashes are equivalent to the cleartext password (pass-the-hash+wce) • So, we could say you are leaving there your password…
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Even when using pass-through authentication • Credentials (user+domain+hashes) are stored in Domain Controller • But when you use RDP, they are also left in the memory of the remote Windows box you are RDPing to! • Be careful where you are RDPing to…
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Attacker on the remote Windows box can obtain credentials from memory • Local Administrator • Regular Domain User w/local admin privs • Attacker that owns less secured box, regular users are more vulnerable • Etc.
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) DBF:C9DF712 Domain User Hash LM Hash NT D09D7DF1C Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off • ´Disconnect´ leaves NTLM hashes in memory • The Logon session is not terminated • ´Log Off´ terminates the logon session • Hashes are erased from memory • Always ´Log Off´! • Users tend to just ´Disconnect´… • Including Administrators..
WCE: ‘Steal’ Credentials from memory Zombie Logon Sessions
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User • Administrator logs off, Backups Server disconnects, finished what he/she was Attacker doing.. Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain BUG! User Windows does not erase from memory NTLM Backups Server hashes! Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 31.. ~ A month later..
WCE: Pass-the-Ticket (Kerberos) • New attack implemented by WCE v1.2 – First and only tool that implements this AFAIK • Post-exploitation • Equivalent to Pass-The-Hash for NTLM • You can ‘steal’ Kerberos TGT/tickets & use them in other Windows and *Unix boxes
WCE: Pass-the-Ticket (Kerberos) • ´Stolen´ tickets can be used to access remote services – Example: SMB shares • The TGT (Ticket Granting Ticket) can be used to create new tickets – Gain access to more services / computers
Conclusions • WCE brings new post-exploitation techniques – Pass-the-Hash (NTLM) – Steal NTLM from memory – Pass-the-ticket (Kerberos) • Useful for pentests • You need to know them to defend yourself – Not just to attack..
More information • “WCE Internals” Presentation – RootedCon 2011; Madrid, España – More technical details about implementation http://www.ampliasecurity.com/research/WCE_ Internals_RootedCon2011_ampliasecurity.pdf
Questions? Thank you! hernan@ampliasecurity.com @hernano @ampliasecurity www.ampliasecurity.com

Recommended

BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat Security Conference
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat Security Conference
 
Porting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitecturePorting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS Architecture
The Linux Foundation
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM India Smarter Computing
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
Kuniyasu Suzaki
 
A Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersA Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET Developers
Luke Tillman
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2
Nikos
 

Recommended

BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat Security Conference
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat Security Conference
 
Porting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitecturePorting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS Architecture
The Linux Foundation
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM India Smarter Computing
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
Kuniyasu Suzaki
 
A Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersA Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET Developers
Luke Tillman
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2
Nikos
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
fangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
fangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
fangjiafu
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
fangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
fangjiafu
 
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en AfriqueEtude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Valdes Nzalli
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Valdes Nzalli
 
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
Valdes Nzalli
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Valdes Nzalli
 
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISMInternet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Valdes Nzalli
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
fangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
E Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
Dan Kaminsky
 
2011 10-19
2011 10-192011 10-19
2011 10-19
Yaoyao Wang
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
Lee C
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocket
Lev Walkin
 
NTLM
NTLMNTLM
NTLM
Guang Ying Yuan
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitation
egypt
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
Richard McDougall
 

More Related Content

Viewers also liked

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
fangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
fangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
fangjiafu
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
fangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
fangjiafu
 
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en AfriqueEtude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Valdes Nzalli
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Valdes Nzalli
 
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
Valdes Nzalli
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Valdes Nzalli
 
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISMInternet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Valdes Nzalli
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
fangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 

Viewers also liked (12)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en AfriqueEtude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en Afrique
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
 
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
 
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISMInternet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISM
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 

Similar to Wce12 uba ampliasecurity_eng

Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
E Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
Dan Kaminsky
 
2011 10-19
2011 10-192011 10-19
2011 10-19
Yaoyao Wang
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
Lee C
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocket
Lev Walkin
 
NTLM
NTLMNTLM
NTLM
Guang Ying Yuan
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitation
egypt
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
Richard McDougall
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
Pino deCandia
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.ppt
NoName261177
 
イマドキなNetwork/IO
イマドキなNetwork/IOイマドキなNetwork/IO
イマドキなNetwork/IO
Takuya ASADA
 
Xen and Apache cloudstack
Xen and Apache cloudstack Xen and Apache cloudstack
Xen and Apache cloudstack
The Linux Foundation
 
Cassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWSCassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWS
Adrian Cockcroft
 
Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP
The Linux Foundation
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profit
impdefined
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
nayakslideshare
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
ken_kitahara
 

Similar to Wce12 uba ampliasecurity_eng (20)

Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
2011 10-19
2011 10-192011 10-19
2011 10-19
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocket
 
NTLM
NTLMNTLM
NTLM
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitation
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.ppt
 
イマドキなNetwork/IO
イマドキなNetwork/IOイマドキなNetwork/IO
イマドキなNetwork/IO
 
Xen and Apache cloudstack
Xen and Apache cloudstack Xen and Apache cloudstack
Xen and Apache cloudstack
 
Cassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWSCassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWS
 
Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profit
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 

More from fangjiafu

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
fangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
fangjiafu
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
fangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
fangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
Oech03
Oech03Oech03
Oech03
fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
fangjiafu
 
Unit07
Unit07Unit07
Unit07
fangjiafu
 
Unit05
Unit05Unit05
Unit05
fangjiafu
 
Network security
Network securityNetwork security
Network security
fangjiafu
 
Ids
IdsIds
Ids
fangjiafu
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
fangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
fangjiafu
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readme
fangjiafu
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
fangjiafu
 

More from fangjiafu (20)

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 
Network security
Network securityNetwork security
Network security
 
Ids
IdsIds
Ids
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readme
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 

Recently uploaded

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 

Recently uploaded (20)

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

Wce12 uba ampliasecurity_eng

  • 1. Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more… Date: 01-07-2011 Author: Hernan Ochoa <hernan@ampliasecurity.com>
  • 2. Windows Authentication h1 = LMHash(“pwd1”) SAM Database h2 = NTHash(“pwd1”) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Network • The cleartext password is not sent • The NTLM protocol is used
  • 3. NTLM Authentication lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. R’ = f(SAM[lmhash/nthash], C) … … … R’ == R => Access Granted R’ <> R => Access Denied
  • 4. pre-Pass-the-Hash Attacks • After compromising a Windows box… – ‘ Dump’ the SAM • pwdump3/3e/4/5/6/7,fgdump,etc – Administrator:500:0102030405060708090A0B0C0D0E0F10:1020 30405060708090A0B0C0D0E0F10 – Crack/Brute-Force hashes to obtain cleartext password • Takes time.. (e.g.: pentest time is limited) • No guarantee the password will be obtained • Rainbow tables were not widely used – Less computing power, storage, etc – Still, not the answer to everything
  • 5. Pass-The-Hash Technique Published by Paul Ashton in 1997 http://www.securityfocus.com/bid/233/discuss
  • 6. Pass-the-hash Technique lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. • Cleartext password is not needed for NTLM auth … … … • Only lmhash/nthash are needed • No need to crack/brute-force R’ = f(SAM[lmhash/nthash], C) • Just use the hashes directly R’ == R => Access Granted R’ <> R => Access Denied
  • 7. Pass-the-hash: ‘exploitation’ • Modified Smbclient (SAMBA) – smbclient //192.168.1.120/c$ -U Administrator -p 4ECC0E7568976B7EAAD3B435B51404EE:551E3B3 215FFD87F5E037B3E3523D5F6 • Samba-TNG • Many 3rd-party SMB+NTLM stacks – Python, Ruby, Java, etc
  • 8. 3rd-party SMB+NTLM stacks: Limitations • Limited and partial functionality • Always running behind Windows – New functionality has to be implemented, some by reverse engineering • Complex, requires time and effort • Cannot use native Windows applications – They ask for username and cleartext password, not hashes…
  • 10. What is WCE? • Tool to manipulate Windows logon sessions – Add, list, delete, modify – Obtain credentials associated with logon sessions – Pass-the-hash (NTLM) – Pass-the-ticket (Kerberos)
  • 11. Pre-WCE/Pass-the-hash attacks • Without WCE.. – Crack/Brute-force hashes to obtain cleartext password – Crack/Brute-force ´encrypted´ hashes (C,R->NTLM) to obtain cleartext password – Use 3rd-party SMB+NTLM stacks, w/limited and partial functionality – More difficult/not possible to do pass-the-hash while pivoting among Windows boxes
  • 12. Post-WCE/Pass-the-hash attacks • With WCE… – Do Pass-the-hash directly with the hashes • No need to attempt to crack/brute-force hashes • Will be able to use them even if you cannot crack them – 3rd-party SMB+NTLM stacks problems eliminated – Easier to do Pass-the-hash while pivoting among Windows boxes
  • 14. WCE: ‘Steal’ Credentials from memory • New ´attack´ implemented by WCE – It is not Pass-the-hash, it´s another technique.. – Sometimes the two are confused, but they are not the same.. • Allows you to obtain usernames and NTLM hashes stored in memory
  • 15. WCE: ‘Steal’ Credentials from memory • Why are they in memory? • NTLM auth package • SSO cgarcia pwd1 Network
  • 16. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console • Remote logon sessions via RDP • RunAs • Windows Services running under specific user accounts • Windows APIs used by applications • Etc.
  • 17. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console cgarcia pwd1
  • 18. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Remote logon sessions via RDP Network
  • 19. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • RunAs
  • 20. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows Services
  • 21. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows APIs used by applications Example:
  • 22. WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash.. – By default, nowadays, Windows does not store the LM hash in the SAM • It is weak; “easy” to crack
  • 23. WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash from memory – Windows generates and stores the hashes in memory, including the LM hash • Interactive sessions • Others previously mentioned – Possible to crack it and obtain cleartext password to use in places where NTLM is not the auth method
  • 24. WCE: ‘Steal’ Credentials from memory Example: The LM Hash is not in the SAM Pwdump output The LM Hash is in memory WCE output
  • 25. WCE: ‘Steal’ Credentials from memory When are they NOT stored in memory? • Network Logons – The hashes never reach the remote server Init Connection Responds C = challenge random Sends cgarcia, R
  • 26. WCE: ‘Steal’ Credentials from memory Post-explotation attack scenario Attacker compromises remote Windows box • Run WCE to obtain credentials stored in memory • Use those hashes to do Pass-The-Hash with WCE
  • 27. Demo #2 WCE: ‘Steal’ credentials from memory
  • 28. WCE: ‘Steal’ Credentials from memory Especially interesting in Windows Domain Environments Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Backups Server Domain User
  • 29. WCE: ‘Steal’ Credentials from memory WITHOUT WCE.. Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. SAM ajuarez B90DF.. CCDF.. User Hash LM Hash NT … … … Administ FDDE.. CCDH1.. rador Guest AABCD.. FFD4F.. Domain User Backups Server Attacker • Attacker owns remote Windows box • Only has access to local SAM.. • No Domain Users there, not very useful…
  • 30. WCE: ‘Steal’ Credentials from memory WITH WCE.. Domain Domain:Admi Controller (DC) Domain nistrator:CDB User Hash LM Hash NT User 70D9EDA812 SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. DBF:C9DF712 … … … D09D7DF1C Domain User Backups Server Attacker • Attacker owns Backups server • Obtains credentials from memory.. • Probably will find Domain Users there.. • Can possibly compromise the whole domain!
  • 31. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker
  • 32. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker
  • 33. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller(DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker • WCE ‘steals’ the Domain Administrator Credentials!
  • 34. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • When you RDP to a remote box, you leave the NTLM hashes of your password in the remote server´s memory • NTLM hashes are equivalent to the cleartext password (pass-the-hash+wce) • So, we could say you are leaving there your password…
  • 35. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Even when using pass-through authentication • Credentials (user+domain+hashes) are stored in Domain Controller • But when you use RDP, they are also left in the memory of the remote Windows box you are RDPing to! • Be careful where you are RDPing to…
  • 36. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Attacker on the remote Windows box can obtain credentials from memory • Local Administrator • Regular Domain User w/local admin privs • Attacker that owns less secured box, regular users are more vulnerable • Etc.
  • 37. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 38. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 39. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) DBF:C9DF712 Domain User Hash LM Hash NT D09D7DF1C Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 40. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
  • 41. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
  • 42. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 43. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 44. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 45. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off • ´Disconnect´ leaves NTLM hashes in memory • The Logon session is not terminated • ´Log Off´ terminates the logon session • Hashes are erased from memory • Always ´Log Off´! • Users tend to just ´Disconnect´… • Including Administrators..
  • 46. WCE: ‘Steal’ Credentials from memory Zombie Logon Sessions
  • 47. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker Day 1
  • 48. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 1
  • 49. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User • Administrator logs off, Backups Server disconnects, finished what he/she was Attacker doing.. Day 1
  • 50. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain BUG! User Windows does not erase from memory NTLM Backups Server hashes! Attacker Day 1
  • 51. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 31.. ~ A month later..
  • 52. WCE: Pass-the-Ticket (Kerberos) • New attack implemented by WCE v1.2 – First and only tool that implements this AFAIK • Post-exploitation • Equivalent to Pass-The-Hash for NTLM • You can ‘steal’ Kerberos TGT/tickets & use them in other Windows and *Unix boxes
  • 53. WCE: Pass-the-Ticket (Kerberos) • ´Stolen´ tickets can be used to access remote services – Example: SMB shares • The TGT (Ticket Granting Ticket) can be used to create new tickets – Gain access to more services / computers
  • 54. Conclusions • WCE brings new post-exploitation techniques – Pass-the-Hash (NTLM) – Steal NTLM from memory – Pass-the-ticket (Kerberos) • Useful for pentests • You need to know them to defend yourself – Not just to attack..
  • 55. More information • “WCE Internals” Presentation – RootedCon 2011; Madrid, EspaĂąa – More technical details about implementation http://www.ampliasecurity.com/research/WCE_ Internals_RootedCon2011_ampliasecurity.pdf
  • 56. Questions? Thank you! hernan@ampliasecurity.com @hernano @ampliasecurity www.ampliasecurity.com