1 OWNED In 60 Seconds From Network Guest to Windows Domain Admin Directed By Zack Dutchess Fasel
2 We Now Present Your Obligatory Intro
3 What's This Talk About? Weaknesses in NTLM Auth, Specifically NTLM Relaying New techniques to take advantage of these flaws Ways to externally leverage NTLM Relaying Corporate Impact of NTLM Relaying Cool New Shiny Toolset Demo? Let's see... ;) Ways to Protect Yourself and Remediate
4 The Goal?
5 Get Domain Admin (or sensitive data) in 60 seconds or less
6 So Who Are You Zack Fasel on twitter - Codename: Duchess Founder and Managing Partner of Co-Creator and Tech Lead Lead Organizer the party tonight.
8 95 Slides. Let's Get Started
9 So Let's Talk About LM/NTLM
10 The Minute Intro To LM/NTLM And All Its Flavors
11 So What Is LM/NTLM Windows Land! Password Hashing Algorithm Network Challenge/Authentication
12 Let's Start With Hashing
13 So Windows Pass Hashes Stored on Local Machine SAM File Local Accounts Memory For Local and Cached Accounts Stored on Domain Controller
14 LM? It's Bad Mmmkay We all know this. And have for years. But we're reviewing. 7 Character Chunks, CAPITALized Pad from 56 to 64 bytes DES Encrypt using Password as key and as the data. Voilà. Hash.
15 LM? It's Bad Mmmkay We all know this. And have for years. Hunter2LOL! HUNTER2 / LOL! 93D1F9EA182DF34B / 20069D7FB184D83A
16 So the LaMe Problems? Obviously Easy to Crack now. Rainbow tables - every precomputed possibility in a dictionary Blah blah old news...
17 So How is NTLM Better? MD4(UTF-16(Password)) A Real Hash! Hunter2Hunter2 93D1F9EA182DF34B 93D1F9EA182DF34B DC020E672D09B BC0449B90C7CB
18 Obtaining Hash..es pwdump gsecdump mimikatz hashdump in meterpreter the list goes on...
19 Oh There's So Much More! But we only have an hour...well...50 minutes...or 45 by now...
20 NTLM Network Auth
21 Network Auths Used for various network services SPNEGO Plain Text NTLM Kerberos
22 3 Way Handshake Here It Goes TYPE 1 TYPE 2 TYPE 3 CLIENT SERVER Type 1 - Let's Talk. I Support X...Y...And Z Type 2 - I Support X...Y...And Q. Here's a CHALLENGE (salt) Type 3 - I'm Sterling Archer of Isis. Password fx(guest,salt),sig
23 Type 1 - Let's Nego
24 Type 2 - I Challenge You!!
25 Type 3 - The password is...
26 The Flavors and Flags LM - Uses Weak LM Hash NTLM - Uses NTLM Hash NTLMv2 - Uses NTLM Hash with Added Client Chal LMv2 - Uses LM hash with Added Client Chal NTLM2 Signing - We'll Talk about That Later
27 So What's the Problem? You Know, The Security Issues...
28 Pass The Hash, Bro Doesn't require knowledge of the password. Utilizes the password hash to authenticate Requires existing access to obtain hashes (i.e. local admin)
29 But We've Already Heard about PTH Twice This Con Mubix's Talk and Skip/Chris Talk But what about doing this with no existing access?
30 We Can Relay the Auth NTLM Authenticates the User to the Server, not mutual Remember Types 1 / 2 / 3? So how can we take advantage of this?
31 3 Way Handshake Here It Goes TYPE 1 - NEGO TYPE 2 - CHAL TYPE 3 - AUTH CLIENT SERVER ATTACKER
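The Type 1/2/3 exchange and the relay pictured above, as an added in-process simulation that is not code from the talk or its toolset: a server that knows the account's NT hash, a client that auto-authenticates to whatever sends it a Type 2, and a relaying party in between, using the NTLMv2 computations from [MS-NLMP]. It also shows why the signing the deck later asks for (SMB/LDAP signing forced) stops a relayed session being used: the relaying party never learns the session key. Account name, domain, NT hash and the command string are constructed values.

```python
import hashlib, hmac, os

# Constructed sample: the victim's NT hash (the NT hash of "password"). The real client
# derives it from the typed password, the real server holds it; the relay never has it.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "admin", "CORP"

def ntlmv2_proof(nt_hash, user, domain, server_chal, blob):
    # [MS-NLMP]: NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); NTProofStr =
    # HMAC-MD5(NTOWFv2, ServerChallenge || blob); session base key = HMAC-MD5(NTOWFv2, NTProofStr)
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    proof = hmac.new(key, server_chal + blob, hashlib.md5).digest()
    return proof, hmac.new(key, proof, hashlib.md5).digest()

class Server:
    """Knows the account's NT hash; issues Type 2 and verifies Type 3."""
    def __init__(self, require_signing):
        self.require_signing, self.chal, self.key = require_signing, None, None
    def type2(self):
        self.chal = os.urandom(8)            # fresh 8-byte server challenge
        return self.chal
    def type3(self, proof, blob):
        expect, key = ntlmv2_proof(NT_HASH, USER, DOMAIN, self.chal, blob)
        if not hmac.compare_digest(expect, proof):
            return False
        self.key = key                       # session key: shared with the real client only
        return True
    def accept(self, msg, sig):
        # Signing not forced (LDAP default, SMB on most members): any command on the
        # authenticated session is honoured. Signing forced: the MAC must be made with the
        # session key (simplified model; real NTLM signing also adds sequence numbers).
        if not self.require_signing:
            return True
        return self.key is not None and hmac.compare_digest(
            hmac.new(self.key, msg, hashlib.md5).digest(), sig)

class Client:
    def type3(self, chal):                   # answers whoever presented the Type 2
        blob = os.urandom(8)                 # client challenge; a real blob also has a timestamp
        proof, self.key = ntlmv2_proof(NT_HASH, USER, DOMAIN, chal, blob)
        return proof, blob

def relay(require_signing):
    """Relayed session: returns (authenticated, command_accepted)."""
    server, client, mitm_key = Server(require_signing), Client(), os.urandom(16)
    chal = server.type2()                    # relay opens a session, receives the real challenge
    proof, blob = client.type3(chal)         # ...and presents that challenge to the victim
    authed = server.type3(proof, blob)       # victim's answer forwarded untouched: accepted
    msg = b"modify: add member to Domain Admins"
    # Without NTOWFv2 the relay cannot derive the session key and can only guess a MAC.
    return authed, server.accept(msg, hmac.new(mitm_key, msg, hashlib.md5).digest())
```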
32 That's the Background Everyone Should be a Windows Auth Expert Now I'll be handing out CWAE Certifications Later
34 Mid Talk Checklist 1) Services Capture Auth 2) Auth Can Be Relayed to Other Services 3)... 4) PROFIT
35 MITM? That's Limited... Introducing Windows Integrated Auth
36 AUTH TO ALL THE THINGS Usability to prevent having to type password in over and over and over and over and over... Windows Auto-Logins to things without prompting
37 So What Ways Do They Auto Auth?
38 HTTP Auto Auth Local Trusted Security Context In Browser, only typically in IE, but can be enabled in FF/Chrome
39 How does Name Lookup Work? c:\windows\system32\drivers\etc\hosts DNS - name.sub.domain.tld, name.domain.tld NBNS Broadcast
40 NBNS You Say? Broadcast to local network looking for xyz name Spoof responses back (msf aux/spoof/nbns...) Voilà, one word names auto auth
41 So I have to SE Someone? NOPE Web Proxy Auto Detect (WPAD) Looks up proxy settings Auto Authenticates
43 So I have to use IE? Systems auto authenticate too! DOMAIN\SYSTEM$ - Member of Domain Computers Even when no one is at the system
45 So Only On The Same LAN? Nope Dynamic DHCP hostnames ;) hostname = hostname.sub.domain.tld Or DNS Poisoning...
46 So HTTP Only? Nope. Let's not Forget SMB
47 Browser Pages
48 But No Go in FF/Chrome
49 Until Now
50 But Chrome Is a PITA
51 How about Office Suite Word Doc Referencing UNC paths images Convert HTML file into Word Doc...voilà! Excel? Power Point? Sure :)
52 What Else in Office? How about Outlook s Yes, it prompts for opening an image...but it works
53 Let's Extend This Further desktop.ini Files, .lnk files
54 So Internally Only? NOPE! :) SMB doesn't respect local security context file://ip.add.re.ss/share/file.ext - Works over Net ;)
55 So Auto Auth via... NBNS Spoofing Browser Pages / HTML Office (Word/Excel/PPT/OUTLOOK) Docs desktop.ini / LNK Shortcuts
56 So What Can I Relay To?
57 HTTP NTLM Auth for HTTP Services
58 SMB We've been doing this for a while MS08_069 fixed relaying back to source SMB RPC permits ability to execute commands / get shell, but requires admin access
59 LDAP So SMB Signing is forced by default on domain controllers...what can we relay to on the DC? LDAP Doesn't force signing by default! LDAP Supports NTLM Auth... WIN! Note: Can't change passwords unless SSL/Encrypted
60 Others? There's other things that use NTLM auth that permit further research! Remote Desktop VPN Telnet FTP...
61 So Internal Only, Lame Not So Fast...
62 HTTP Externally Sharepoint Servers?
63 People needed Mobiles
64 Exchange...Oh Exchange.. RPC EWS
66 The Pieces Come Together Let s Re-elaborate Impact Though
67 Give Me Some Scenarios You Bet. Here's 3.
68 Internal Employee Desktop.ini on Network Share Wait for admin to view share Admin auto authenticates to an smb share Relay to servers / ldap on domain controller Promote user account to domain admin, add new users
69 Rogue Wifi Rogue DNS + Proxy / NBNS+WPAD Relay to other Rogue Clients on AP or to EWS Om nom nom data
70 External Attacker Social Engineering /Persistent XSS Relay to Exchange Web Services or sharepoint
71 I Heard There's Some Tools Hey, Quit calling me a tool.
72 Existing Tools smb_relay Squirtle! There's a lot more
73 But They Fall Short Relay Everything to One Destination Only HTTP or SMB servers in separate roles No payload generation Limited target surface (i.e. get shell)
74 ZackATTACK! Relaying NTLM Like Nobody Else
75 Overall Design Difference Knows Who the User is before relaying! Rules to relay to unique destinations based on user Utilize limited user access as well as admin
76 So There s 4 Components Servers - Clients - Payloads - Rules
77 Servers SMB HTTP
78 What's Different? Remember type 1/2/3? We don't know the user till Type 3. Challenge is sent in Type 2. How do we know the user to send different users different challenges? Track by IP? Won't work Externally Cookies? Only for HTTP and not preserved with WPAD UUID? SMB2 Only
79 The Alzheimer's Feature HTTP Auth, 302 Redirect, Repeat SMB Auth, Setup, Reauth Request, Repeat
80 Payloads Auto Generation Desktop.ini, HTML pages, Word Docs, .LNK Files HowTo for Manual Generation
82 Clients SMB Socks Proxy HTTP Exchange Web Services LDAP
83 Rules Auto Actions When you see X user, connect to Y server using Z service and perform Q actions.
84 Cool! Is there a Demo? Maybe...
85 So How Do We Fix This? It's Not Easy Kids
86 Currently, Mixed Solutions
87 There s Two Core Issues
88 NTLM Relaying & Automatic Authentication
89 There s A Lot To Consider Security is to help the business, not interfere Legacy OSs 3rd Party Devices
90 In A Perfect World NTLM Disabled Kerberos Only SMB Signing FORCED LDAP Signing FORCED External HTTP Services Require Client SSL Certs or VPN (yes, exchange too)
91 Group Policies for Win7 There's Some, but it's a stop gap
92 Firewalling Limits some exposure, but again, doesn't fix shit.
93 Where do we go from here Further Development of tool Further education and training to secure more Grab your Pitch Forks! Let's Put NTLM to Rest!
94 Questions? on twitters - zfasel.com
95 And that's 95 slides. Whew