1 OWNED In 60 Seconds From Network Guest to Windows Domain Admin Directed By Zack Dutchess Fasel
2 We Now Present Your Obligatory Intro
3 What s This Talk About? Weaknesses in NTLM Auth, Specifically NTLM Relaying New techniques to take advantage of these flaws Ways to externally leverage NTLM Relaying Corporate Impact to NTLM Relaying Cool New Shiny Toolset Demo? Let s see... ;) Ways to Protect Yourself and Remediate
4 The Goal?
5 Get Domain Admin (or sensitive data) in 60 seconds or less
6 So Who Are You Zack Fasel on twitter - Codename: Duchess Founder and Managing Partner of Co-Creator and Tech Lead Lead Organizer the party tonight.
8 95 Slides. Let s Get Started
9 So Let s Talk About LM/NTLM
10 The Minute Intro To X X LM/NTLM And All It s Flavors
11 So What Is LM/NTLM Windows Land! Password Hashing Algorithm Network Challenge/Authentication
12 Let s Start With Hashing
13 So Windows Pass Hashes Stored on Local Machine SAM File Local Accounts Memory For Local and Cached Accounts Stored on Domain Controller
14 LM? It s Bad Mmmkay We all know this. And have for years. But we re reviewing. 7 Character Chunks, CAPITALized Pad from 56 to 64 bytes DES Encrypt using Password as key and as the data. Viola. Hash.
15 LM? It s Bad Mmmkay We all know this. And have for years. Hunter2LOL! HUNTER2 / LOL! 93D1F9EA182DF34B / 20069D7FB184D83A
16 So the LaMe Problems? Obviously Easy to Crack now. Rainbow tables - every precomputed possibility in a dictionary Blah blah old news...
17 So How is NTLM Better? MD4(UTF-16(Password)) A Real Hash! Hunter2Hunter2 93D1F9EA182DF34B 93D1F9EA182DF34B DC020E672D09B BC0449B90C7CB
18 Obtaining Hash..es pwdump gsecdump mimikatz hashdump in meterpreter the list goes on...
19 Oh There s So Much More! But we only have an hour...well...50 minutes...or 45 by now...
20 NTLM Network Auth
21 Network Auths Used for various network services SPNEGO Plain Text NTLM Kerberos
22 3 Way Handshake Here It Goes TYPE 1 TYPE 2 TYPE 3 CLIENT SERVER Type 1 - Let s Talk. I Support X...Y...And Z Type 2 - I Support X...Y...And Q. Here s a CHALLENGE (salt) Type 3 - I m Sterling Archer of Isis. Password fx(guest,salt),sig
23 Type 1 - Let s Nego
24 Type 2 - I Challenge You!!
25 Type 3 - The password is...
26 The Flavors and Flags LM - Uses Weak LM Hash NTLM - Uses NTLM Hash NTLMv2 - Uses NTLM Hash with Added Client Chal LMv2 - Uses LM hash with Added Client Chal NTLM2 Signing - We ll Talk about That Later
27 So What s the Problem? You Know, The Security Issues...
28 Pass The Hash, Bro Doesn t require knowledge of the password. Utilizes the password hash to authenticate Requires existing access to obtain hashes (i.e. local admin)
29 But We ve Already Heard about PTH Twice This Con Mubix s Talk and Skip/Chris Talk But what about doing this with no existing access?
30 We Can Relay the Auth NTLM Authenticates the User to the Server, not mutual Remember Types 1 / 2 / 3? So how can we take advantage of this?
31 3 Way Handshake Here It Goes TYPE 1 - NEGO TYPE 2 - CHAL TYPE 3 - AUTH CLIENT SERVER ATTACKER
32 That s the Background Everyone Should be a Windows Auth Expert Now I ll be handing out CWAE Certifications Later
34 Mid Talk Checklist 1) Services Capture Auth 2) Auth Can Be Relayed to Other Services 3)... 4) PROFIT
35 MITM? That s Limited... Introducing Windows Integrated Auth
36 AUTH TO ALL THE THINGS Usability to prevent having to type password in over and over and over and over and over... Windows Auto-Logins to things without prompting
37 So What Ways Do They Auto Auth?
38 HTTP Auto Auth Local Trusted Security Context In Browser, only typically in IE, but can be enabled in FF/Chrome
39 How does Name Lookup? c:\windows\system32\drivers\etc\hosts DNS - name.sub.domain.tld, name.domain.tld NBNS Broadcast
40 NBNS You Say? Broadcast to local network looking for xyz name Spoof responses back (msf aux/spoof/nbns...) Viola, one word names auto auth
41 So I have to SE Someone? NOPE Web Proxy Auto Detect (WPAD) Looks up for proxy settings Auto Authenticates
43 So I have to use IE Systems auto authenticate too! DOMAIN\SYSTEM$ - Member of Domain Computers Even when no one is at the system
45 So Only On The Same LAN Nope Dynamic DHCP hostnames ;) hostname = hostname.sub.domain.tld Or DNS Poisoning...
46 So HTTP Only? Nope. Let s not Forget SMB
47 Browser Pages
48 But No Go in FF/Chrome
49 Until Now
50 But Chrome Is a PITA
51 How about Office Suite Word Doc Referencing UNC paths images Convert HTML file into Word Doc...viola! Excel? Power Point? Sure :)
52 What Else in Office? How about Outlook s Yes, it prompts for opening an image...but it works
53 Let s Extend This Further desktop.ini Files.lnk files
54 So Internally Only? NOPE! :) SMB doesn t respect local security context file://ip.add.re.ss/share/file.ext - Works over Net ;)
55 So Auto Auth via... NBNS Spoofing Browser Pages / HTML Office (Word/Excel/PPT/OUTLOOK) Docs desktop.ini / LNK Shortcuts
56 So What Can I Relay To?
57 HTTP NTLM Auth for HTTP Services
58 SMB We ve been doing this for a while MS08_069 fixed relaying back to source SMB RPC permits ability to execute commands / get shell, but requires admin access
59 LDAP So SMB Signing is forced by default on domain controllers...what can we relay to on the DC? LDAP Doesn t force signing by default! LDAP Supports NTLM Auth... WIN! Note: Can t change passwords unless SSL/Encrypted
60 Others? There s other things that use NTLM auth that permit further research! Remote Desktop VPN Telnet FTP...
61 So Internal Only, Lame Not So Fast...
62 HTTP Externally Sharepoint Servers?
63 People needed Mobiles
64 Exchange...Oh Exchange.. RPC EWS
66 The Pieces Come Together Let s Re-elaborate Impact Though
67 Give Me Some Scenarios You Bet. Here s 3.
68 Internal Employee Desktop.ini on Network Share Wait for admin to view share Admin auto authenticates to an smb share Relay to servers / ldap on domain controller Promote user account to domain admin, add new users
69 Rogue Wifi Rogue DNS + Proxy / NBNS+WPAD Relay to other Rogue Clients on AP or to EWS Om nom nom data
70 External Attacker Social Engineering /Persistent XSS Relay to Exchange Web Services or sharepoint
71 I Heard There s Some Tools Hey, Quit calling me a tool.
72 Existing Tools smb_relay Squirtle! There s a lot more
73 But They Fall Short Relay Everything to One Destination Only HTTP or SMB servers in separate roles No payload generation Limited target surface (i.e. get shell)
74 ZackATTACK! Relaying NTLM Like Nobody Else
75 Overall Design Difference Knows Who the User is before relaying! Rules to relay to unique destinations based on user Utilize limited user access as well as admin
76 So There s 4 Components Servers - Clients - Payloads - Rules
77 Servers SMB HTTP
78 What s Different? Remember type 1/2/3? We don t know user till 3. Challenge is sent in type 2. How do we know the user to send different users different challenges? Track by IP? Won t work Externally Cookies? Only for HTTP and not preserved with WPAD UUID? SMB2 Only
Actuality of SMBRelay in Modern Windows Networks Ares, April 2012 firstname.lastname@example.org http://sniff.su Intro I first came across SMBRelay in the middle of 2000s and the experience was unsatisfying..
Internal Penetration Test Agenda Time Agenda Item 10:00 10:15 Introduction 10:15 12:15 Seminar: Web Application Penetration Test 12:15 12:30 Break 12:30 13:30 Seminar: Social Engineering Test 13:30 15:00
Five Steps to Improve Internal Network Security Chattanooga ISSA 1 Find Me AverageSecurityGuy.info @averagesecguy email@example.com github.com/averagesecurityguy ChattSec.org 2 Why? The methodical
Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background
Network Configuration Settings Many small businesses already have an existing firewall device for their local network when they purchase Microsoft Windows Small Business Server 2003. Often, these devices
IT Advisory Windows passwords security ADVISORY WHOAMI 2 Agenda The typical windows environment Local passwords Secure storage mechanims: Syskey & SAM File Password hashing & Cracking: LM & NTLM Into the
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,
Get Success in Passing Your Certification Exam at first attempt! Exam : 920-440 Title : nncde wireless lan Version : DEMO 1. A customer wants to access the Microsoft Outlook Web Access application through
H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB
WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software
Sophos UTM Remote Access via PPTP Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without
Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described
Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration
VPN Configuration Guide Dell SonicWALL 2013 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written consent of
Pass-the-Hash II: Admin s Revenge Skip Duckwall & Chris Campbell Do you know who I am? Skip Co-presented PTH talk last year at BH, Derbycon http://passing-the-hash.blogspot.com @passingthehash on twitter
Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure
BlackHat Briefings, 2009 Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com Mike Zusman intrepidusgroup.com Introduction Chosen-prefix MD5 collisions allowed us
User Identification (User-ID) Tips and Best Practices Nick Piagentini Palo Alto Networks www.paloaltonetworks.com Table of Contents PAN-OS 4.0 User ID Functions... 3 User / Group Enumeration... 3 Using
Trouble Shooting SiteManager to GateManager access If you are unsure if a SiteManager will be able to access the GateManager through the corporate firewall, or you experience connection issues, this document
1 Table of Contents Introduction... 3 What is SSL?... 4 How does SSL work?... 7 Google & SSL... 11 SSL/TLS... 13 Web Filtering SSL... 14 About Lightspeed Systems... 26 2 Introduction SSL is a challenge
Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy
CAC/PIV PKI Solution Installation Survey & Checklist Konica Minolta CAC/PIV Solution Revision: 1.3 Date: 10/19/09 1 Document Overview This document must be completed and used as a checklist or questionnaire
Windows Assessment Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 Agenda Windows Security Overview
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
VPN Configuration Guide LANCOM equinux AG and equinux USA, Inc. 2008 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written
Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing
Create and Use an SSL on Goals Provide secure and encrypted 5250 data stream conversations with the server (including authentication) use a digital certificate we create with Digital Manager Show a client
Mike Pilkington SANS Forensics and IR Summit June, 2011 Since graduating from UT-Austin in 1996, I ve worked for a large oil and gas services company I ve held several positions in IT, including Software
Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you
Life of a Packet CS 640, 2015-01-22 Outline Recap: building blocks Application to application communication Process to process communication Host to host communication Announcements Syllabus Should have
Guide Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief October 2012 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21 Contents
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
How to Set-up Microsoft Outlook to Connect to your Arrowmail Exchange Mailbox Although you can use Outlook to connect to Arrowmail using POP3 or IMAP, by far the best email experience is obtained by connecting
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning SonicOS Enhanced 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied,
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
Professional Mailbox Email Software Setup Guide Table of contents Before you start... 2 Setting up Outlook 2010... 2 Using Autodiscover to configure Outlook 2010... 2 The Autodiscover wizard has not worked...
Small Business Server Part 2 Presented by : Robert Crane BE MBA MCP firstname.lastname@example.org Computer Information Agency http://www.ciaops.com Agenda Week 1 What is SBS / Setup Week 2 Using & configuring SBS
Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy
Getting Started Guide CensorNet Professional Copyright CensorNet Limited, 2007-2011 This document is designed to provide information about the first time configuration and testing of the CensorNet Professional
Network Technologies Glenn Strong Department of Computer Science School of Computer Science and Statistics Trinity College, Dublin January 28, 2014 What Happens When Browser Contacts Server I Top view:
Kautilya: Teensy beyond shells Kautilya Toolkit for Teensy device Nikhil Mittal 1 P a g e Contents Kautilya Toolkit for Teensy device... 1 Nikhil Mittal... 1 Abstract... 3 Attack Surface and Scenarios...
WL/IP-8000VPN VPN Setup Guide Version 0.6 Document Revision Version Date Note 0.1 11/10/2005 First version with four VPN examples 0.2 11/15/2005 1. Added example 5: dynamic VPN using TheGreenBow VPN client
Attack and Penetration Testing 101 Presented by Paul Petefish PaulPetefish@Solutionary.com July 15, 2009 Copyright 2000-2009, Solutionary, Inc. All rights reserved. Version 2.2 Agenda Penetration Testing
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
Hosted Microsoft Exchange Client Setup & Guide Book Section 1 Microsoft Outlook Web Access (OWA) access directions Section 2 Windows 10 Mail App setup & configuration Section 3 Windows Mobile Phone ActiveSync
About Microsoft Windows Server 003 Windows Server 003 (WinK3) requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the Windows Server operating system
VPN Configuration Guide Cisco ASA 5500 Series 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the
F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE
SonicWALL WAN Acceleration FAQ Document Technology, Models, Licensing 1. What is SonicWALL s WAN Acceleration solution and how is it deployed? The SonicWALL WXA series available as live CD, Hardware and
Deployment Guide Deploying Microsoft Exchange Server/Outlook Web Access and F5 s FirePass Controller Introducing the FirePass and Microsoft Exchange Server configuration Welcome to the FirePass Exchange
Security Awareness For Server Administrators State of Illinois Central Management Services Security and Compliance Solutions Purpose and Scope To present a best practice approach to securing your servers
HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague Web security Its importance no need to say Transaction security (credit card, PayPal etc.) User data privacy Most online consumer
Microsoft Windows Server 2012 R2 Remote Desktop Services - How to Set Up (Mostly) Seamless Logon for RDP Connections KRISTIN L. GRIFFIN MVP, REMOTE DESKTOP SERVICES Tech Editor: Toby Phipps MVP, Remote
FileMaker Server 13 Getting Started Guide 2007 2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,
Technical Note ACE Management Server Deployment Guide VMware ACE 2.0 This technical note provides guidelines for the deployment of VMware ACE Management Servers, including capacity planning and best practices.
6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure
The standard communication model for outgoing calls is for the appliance to simply make a direct connection to the destination host. This paradigm does not suit all business needs. The Barracuda SSL VPN
Configuration Manual English version Frama F-Link Configuration Manual (EN) All rights reserved. Frama Group. The right to make changes in this Installation Guide is reserved. Frama Ltd also reserves the
VPN Configuration Guide Linksys (Belkin) LRT214 / LRT224 Gigabit VPN Router 2014 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in
Installation Guide For ChoiceMail Enterprise Edition How to Install ChoiceMail Enterprise On A Server In Front Of Your Company Mail Server August, 2004 Version 2.6x Copyright DigiPortal Software, 2002-2004
qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect
Movie Cube User s Guide to Wireless Function Table of Contents 1. WLAN USB Adapter Connection...3 2. Wireless Setup...4 2.1 Infrastructure (AP)...5 2.2 Peer to Peer (Ad Hoc)...7 2.3 Settings for PC...8
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access
HTTP Internet Engineering Fall 2015 Bahador Bakhshi CE & IT Department, Amirkabir University of Technology Questions Q1) How do web server and client browser talk to each other? Q1.1) What is the common
Solution for Integrating Authentication using IWA Direct SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,