1 Still Passing the Hash 15 Years Later Using the Keys to the Kingdom to Access All Your Data Alva Skip Duckwall Chris Campbell
2 Help Us Get Better! Please Fill Out The Speaker Surveys!
3 Do You Know Who I Am? Alva 'Skip' Duckwall Full Scope Pen-Tester for Northrop Grumman GSE, OSCP, CISSP, CISA, RHCE, among others 19 Years Working with Linux Chris Campbell Full Scope Pen-Tester for Northrop Grumman MSIA, OSCP, CISSP, CISA, MCSE, among others Former Army Signal Officer
4 Shameless Plug Patches available from: Also Chris and I will be blogging about how to use the various tools in the coming weeks: (chris)
5 A Little History In 1997 Paul Ashton posted the theory about the first "Pass the Hash" attack to NTBugTraq against the Lan Manager protocol The result? A modified Samba client that accepts LM hashes instead of a password to access a remote file share.
6 Your Data is Your Kingdom Business Relies on Data Files on a share Intranet applications (Sharepoint) Databases What would happen if somebody else had control of your data?
7 Typical Day at the Microsoft Office Regular user's day: Login Check Visit the intranet Sysad's day - all of the above plus: Log into a database Manage servers / services All of this and the password only gets typed once
8 The Windows Single Sign On Once a user logs in, their credentials are cached locally and reused by the OS on the user's behalf User prompted parely after initial login Password hashes are cached locally Plaintext as well (Digest Auth)
9 Windows Password Hashes Passwords hashed 2 different ways: LM (Lan Manager) Hash NTLM Hash Modern versions of Windows don't save LM hashes, however they are still calculated and stored in memory if the password is 14 characters or less, even if they aren't saved...
10 Logging In When a user logs in, a security token is created containing: Security IDentifiers (SID) for the user SIDs for all groups the user is a member of Default ACLs (if no other ACLs apply) Per user audit settings Impersonation level
11 Impersonation Tokens have 4 different security levels: Anonymous Identification Impersonation Delegation Interactive logins (Windows Console) -> delegation tokens Non-interactive (Network Login) -> impersonation tokens "Incognito" tool / module allows for a lot of post exploitation fun with tokens allowing a malicious user to steal other identities of people logged into a server...
12 Windows Authentication Methods Kerberos Uses tickets Tickets can be reused for lower overhead NTLM Challenge-response protocol Every transaction authenticated, high overhead Digest Authentication Hashed password (usually with MD5) Requires plaintext password to be stored
13 Windows Authentication Methods (contd) Smart Cards Two-factor authentication, bolted onto kerberos Only for interactive (console) sessions Hashes still stored on the back end Keyfobs, etc (SecurID) Two-factor authentication Only used for interactive logons Radius (or radius-like) used on the back end - gives thumbs up/down on 2nd factor Password hashes used on the back end
14 Kerberos vs. NTLM Kerberos Default Both client/server must be in the domain Reliance on DNS NTLM Used if client/server not in the domain Used if addressed by IP
15 Services that Can Use NTLM Web Services o o Sharepoint Custom web apps (.net based) Exchange o o o MAPI IMAP / POP3 SMTP Things that can't join the domain o o Appliances Printers / copiers / digital senders
16 Difficult to Eliminate NTLM Only recently implemented Requires windows 7 for all clients Domain must be at 2008R2 functional level Probably will break things Copiers / printers / digital senders Web apps / appliances Internet / customer-facing applications Anything not in the domain
17 Passing the Hash Windows authentication protocols operate on password hashes Kerberos uses the NT hash as encryption keys NTLM uses password hashes as part of the challenge response o o Password hash along with nonce hashed to confirm knowledge of the password Excellent detailed descriptions of the process available at the Davenport website
18 Knocked Over the DC, Got the Hashes, Now What? Maybe crack the passwords? Works for weak or easily guessed passwords Can look impressive if wildly successful (>50%) Might not be allowed by the rules of engagement Lacks C-level wow -factor
19 Perhaps a Traditional Pass The Hash Attack?
20 Super Sexy for Pentesters...
21 For C-Level Folks... Not so Much I don t know anybody named NT System in my company
22 Boring! "You logged into the Domain Controller, but you can't read my . We're secure, right?" Remember, the crown jewels of the network is the data. Nobody gets excited unless that's put at risk.
23 Slightly More Interesting PTH Access File Shares Find all sorts of interesting things o o o o o Personally Identifiable Information (PII) Database backups Saved Inventory information Design specs Accessing proprietary information starts getting some attention We can use a modified samba client (more later)
24 Accessing Data Many Windows applications Pass The Hash to access data. Why can't we?
25 Demo Domain Assumptions Sitting inside the domain Already dumped the hashes (post exploitation) We care about 3 people o o o Alice Bob CEO
26 Our Windows Attack Platform Windows 7 fully-patched Not in the domain No AV No Host-Based Intrusion Detection System Latest version of the Windows Credential Editor (WCE) by Hernan Ochoa Client software we want to use
27 WCE Overview Written by Hernan Ochoa of Amplia Security Successor to the Pass The Hash Toolkit Capable of examining memory to list hashes for all logged in users ( -l ) Can be used to inject or dump Kerberos tickets ( -k / -K) Can be used to change the credentials of the currently logged in session ( -s ) Can be used to launch a program with different credentials in a new session ( -c )
28 Why Not CMD.EXE? Running WCE with both '-s' and '-c' allows us to create a new process running as an arbitrary domain user with their hash. Using cmd.exe as the process, any command executed from this DOS box will be running as that user, even if the local computer isn't on the domain!
29 Or explorer.exe Using task manager, We kill explorer.exe and restart it using WCE. This allows us to browse file shares using explorer.exe as the user. Also, any programs started with the "Start Menu" automatically get launched as that user as well...
30 Now What? Launch IE at the local Sharepoint site. Internet Explorer might need to be configured to automatically pass credentials: 1. IE config: security -> custom level for the zone -> automatic logon only in intranet zone 2. Add Sharepoint to the Local Intranets Group
31 How About Outlook? Use Outlook to access /calendar for our impersonated user. 1. Enable profiles in the mail control panel: control panel -> mail -> always prompt for profiles 2. Create a profile for each user
32 Access File Shares We can either use the explorer.exe trick or use net commands to mount / browse file shares. Note: The '/savecred' doesn't work with hashes. Apparently it only saves a plaintext password... who knew?
33 MS SQL Simply launch the MSSQL client and point it at a database to log in, assuming it uses Windows Authentication... Access or monkey with the data, depending on the ROE of course...
34 Sysadmin Tasks Simply run from the command line: PSExec (Sysinternals) WMI PowerShell o new feature in Win8, Web PowerShell WinRM (if enabled) Active Directory Users and Computers Computer Management
35 Windows Demo Pictures worth a thousand words...
36 Demo Gotcha's Outlook 2007 inconsistent One demo environment worked fine, another didn't Outlook 2003 worked perfectly ;-) ADUC couldn't assign passwords, but could change group membership, create computer accounts
37 Demo Gotcha's (contd) Can't open Multiple GUI apps as multiple users at the same time (IE/Outlook) Probably just spawns another thread rather than another process
38 It Works, But... Obviously Windows behaves strangely if you do this... expect other magical failures or side effects!
39 Meh, I'm a Linux guy... What About Linux? How about we do all of that with Linux instead?
40 The Foofus Patch The previously mentioned modified version of Samba was patched by JMK of Foofus.net. Allows us to set an env. variable with the password hash we want to substitute Substitutes the hash in all the appropriate places for NTLM authentication
41 An Additional Technique We Added Instead of the env. variable, the hash can be specified as the password as long as it's in one of 2 forms: LM:NT (65 chars) LM:NT::: (68 chars, thanks JMK for the suggestion) If the password is 65 or 68 characters long, substitute the hash
42 Benefits of the New Technique Easier to use in scripts - just change the password Allows us to pass hashes in GUI programs without the need to kill and reset environmental variables
43 Anatomy of a Patch Find where the application hashes the password in the source code (grep i md4) Check to see if the password is 65 or 68 characters If so, convert the 32-byte NT Hash into a 16- byte array by converting 2 hex nibbles into a byte, then substitute
44 Samba - Just for Shares, Right? Libraries for Interfacing with MS DCE/RPC Utilities for managing Windows domains / users Multiple 3rd party programs link in with Samba for access to MS DCE/RPC. Patching Samba will patch downstream programs... We are releasing "The Pass the Hash Rosetta Stone". It's a list of Samba commands and their corresponding Windows net commands for common tasks.
45 Openchange Open-source framework to interface with Exchange from Linux Utilities That Link with Samba Winexe PSExec Clone (32/64 bit) WMI Run basic WMI queries from Linux Includes blind command execution via WMI
46 What About Firefox? By default Firefox tries to query the local OS for NTLM creds if enabled using Samba Or Use Firefox's built-in implementation based on Davenport o o o Patched Firefox's NTLM implementation with the 65/68 character Hash Patch Enabled in "about:config" network.auth.force-generic-ntlm -> true
47 What About MSSQL? FreeTDS Provides libraries to interface with Sybase / MSSQL NTLM authentication code based on Davenport (Guess what we already have code for?) Combine with SQSH (SQL Shell) to gain interactive access to MSSQL for Linux
48 Linux Demo
49 Defenses Try to Eliminate the Use of NTLM Difficult to do Requires 2008R2 domain functional level All clients need to be Windows 7 Will break things that can't do Kerberos o o o Printers / copiers / digital senders Appliances / NAS devices Can t join new computers to the domain Of course, a Defense-in-Depth approach to prevent compromise of the DC works too!
50 Kerberos Is Safe, Right? Kerberos uses NT hashes for encrypting tickets to principals Discussed in more detail in the whitepaper Short version: Compromising the encryption keys is still very bad (tm)!
51 Quick Recap Windows + WCE + Hashes = Access To Data Native Windows tools work albeit oddly at times Definitely not exactly how Windows wants to work Linux + PTH Tools + Hashes = Access To Data Open-source tools FTW! Exchange, MS SQL, Sharepoint, File shares and WMI
52 Shouts! Aaron, Pete, Mike, Jeff, Brian, Don, Devin, Sean, jcran, Will, Damien, Mubix JMK at foofus for the 68 character suggestion
54 Help Us Get Better! Please Fill Out The Speaker Surveys!
Pass-the-Hash II: Admin s Revenge Skip Duckwall & Chris Campbell Do you know who I am? Skip Co-presented PTH talk last year at BH, Derbycon http://passing-the-hash.blogspot.com @passingthehash on twitter
Internal Penetration Test Agenda Time Agenda Item 10:00 10:15 Introduction 10:15 12:15 Seminar: Web Application Penetration Test 12:15 12:30 Break 12:30 13:30 Seminar: Social Engineering Test 13:30 15:00
Five Steps to Improve Internal Network Security Chattanooga ISSA 1 Find Me AverageSecurityGuy.info @averagesecguy email@example.com github.com/averagesecurityguy ChattSec.org 2 Why? The methodical
ed Attacks How We're Getting Creamed By Ed Skoudis June 9, 2011 ed Attacks - 2011 Ed Skoudis 1 $ cut -f5 -d: /etc/passwd grep -i skoudis Ed Skoudis Started infosec career at Bellcore in 1996 working for
Hosted by Introductions Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP firstname.lastname@example.org CRMUG Chairperson Miami & Tampa Co Chair 250+ Dynamics CRM
How to Secure a Groove Manager Web Site Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations,
Why You Need to Detect More Than PtH Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7 Who We Are! Matt Hathaway Senior Product Manager for Rapid7 UserInsight Former
Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy
Introduction to WolfTech Active Directory 6 October 2011 10am-12pm Daniels 201 http://activedirectory.ncsu.edu What we are going to cover... What AD is and isn't The WolfTech implementation of AD Management
IT Advisory Windows passwords security ADVISORY WHOAMI 2 Agenda The typical windows environment Local passwords Secure storage mechanims: Syskey & SAM File Password hashing & Cracking: LM & NTLM Into the
Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user
Mike Pilkington SANS Forensics and IR Summit June, 2011 Since graduating from UT-Austin in 1996, I ve worked for a large oil and gas services company I ve held several positions in IT, including Software
Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
How-to: Single Sign-On Document version: 1.02 nirva systems email@example.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features
Team Foundation Server 2013 Installation Guide Page 1 of 164 Team Foundation Server 2013 Installation Guide Benjamin Day firstname.lastname@example.org v1.1.0 May 28, 2014 Team Foundation Server 2013 Installation Guide
Michael Mayer-Gishyan NSA IT Consulting e.u. @mike_srv02 email@example.com http://nsa.co.at From Zero to Hero Domain Admin in einem Tag Agenda Vita Introduction to NTLM and Kerberos Pass-the-Hash Techniques
RSA Security Analytics Event Source Log Configuration Guide Microsoft SQL Server Last Modified: Thursday, July 30, 2015 Event Source Product Information: Vendor: Microsoft Event Source: SQL Server Versions:
Best Practice www.suse.com SUSE Manager 1.2.x ADS Authentication How to use MS-ADS authentiction (Version 0.7 / March 2 nd 2012) P r e f a c e This paper should help to integrate SUSE Manager to an existing
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting 1 Active Directory Overview SS4200-E Active Directory is based on the Samba 3 implementation The SS4200-E will function
Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
OVERVIEW OF TYPICAL WINDOWS SERVER ROLES Before you start Objectives: learn about common server roles which can be used in Windows environment. Prerequisites: no prerequisites. Key terms: network, server,
FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may
WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term
Implementation Guidelines Dyna Pass Wireless Secure Access Implementation Guidelines Implementation Guidelines Abstract This document describes implementations. Examples are based on different technologies
OKENA 71 Second Ave., 3 rd Floor Waltham, MA 02451 Phone 781 209 3200 Fax 781 209 3199 6WRUP:DWFK Policies for Dedicated SQL Servers Group The sample policies shipped with StormWatch address both application-specific
Introduction to Active Directory December 10th, 2008 1-3pm Daniels 407 What we are going to cover... The basics of Active Directory What AD is What AD isn't Tools Management Concepts Additional Services
Citrix Access on SonicWALL SSL VPN Document Scope This document describes how to configure and use Citrix bookmarks to access Citrix through SonicWALL SSL VPN 5.0. It also includes information about configuring
SNARE Agent for Windows v 4.2.3 - Release Notes Snare is a program that facilitates the central collection and processing of the Windows Event Log information. All three primary event logs (Application,
BROADVIEW NETWORKS Hosts HARDENING WINDOWS NETWORKS TRAINING COURSE OVERVIEW A hands-on security course that teaches students how to harden, monitor and protect Microsoft Windows based networks. A hardening
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
OV Operations for Windows 7.x Common questions about OV Operations for Windows Security Setup, Users and groups Whitepaper V.1.01 August 6, 2003 New: Updated for OV Operations for Windows 7.20 Troubleshoot
Team Foundation Server 2012 Installation Guide Page 1 of 143 Team Foundation Server 2012 Installation Guide Benjamin Day firstname.lastname@example.org v1.0.0 November 15, 2012 Team Foundation Server 2012 Installation
How to monitor AD security with MOM A article about monitor Active Directory security with Microsoft Operations Manager 2005 Anders Bengtsson, MCSE http://www.momresources.org November 2006 (1) Table of
ecopy ShareScan v4.3 Pre-Installation Checklist This document is used to gather data about your environment in order to ensure a smooth product implementation. The Network Communication section describes
April 2007 About RemotelyAnywhere... 2 About RemotelyAnywhere... 2 About this Guide... 2 Installation of RemotelyAnywhere... 2 Software Activation...3 Accessing RemotelyAnywhere... 4 About Dynamic IP Addresses...
Millbeck Communications Secure Remote Access Service Internet VPN Access to N3 VPN Client Set Up Guide Version 6.0 COPYRIGHT NOTICE Copyright 2013 Millbeck Communications Ltd. All Rights Reserved. Introduction
Univention Corporate Server Operation of a Samba domain based on Windows NT domain services 2 Table of Contents 1. Components of a Samba domain... 4 2. Installation... 5 3. Services of a Samba domain...
Enterprise Random Password Manager 4.83.1 Training Guide Draft Published: January 11, 2011 Updated: February 9, 2011 Summary This guide provides an overview of Enterprise Random Password Manager (ERPM)
Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily
SINGLE SIGN-ON FOR MTWEB FOR MASSTRANSIT ENTERPRISE WINDOWS SERVERS WITH DIRECTORY SERVICES INTEGRATION Group Logic, Inc. November 26, 2008 Version 1.1 CONTENTS Revision History...3 Feature Highlights...4
FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHOR S AND DOES NOT NECESSARILY REPRESENT THE
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
Quick Install Guide 1. Installation Overview Thank you for selecting Bitdefender Business Solutions to protect your business. This document enables you to quickly get started with the installation of Bitdefender
Setting up an MS SQL Server for IGSS Table of Contents Table of Contents...1 Introduction... 2 The Microsoft SQL Server database...2 Setting up an MS SQL Server...3 Installing the MS SQL Server software...3
Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com DAnSolutions.com ADSecurity.org ABOUT Chief Technology Officer
Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls,
User Identification (User-ID) Tips and Best Practices Nick Piagentini Palo Alto Networks www.paloaltonetworks.com Table of Contents PAN-OS 4.0 User ID Functions... 3 User / Group Enumeration... 3 Using
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) email@example.com Open Web Application Security Project http://www.owasp.org
Dell SonicWALL SRA 7.5 Citrix Access Document Scope This document describes how to configure and use Citrix bookmarks to access Citrix through Dell SonicWALL SRA 7.5. It also includes information about
1 How to Scale out SharePoint Server 2007 from a single server farm to a 3 server farm with Microsoft Network Load Balancing on the Web servers. Back to Basics Series By Steve Smith, MVP SharePoint Server,
User guide Business Email June 2013 Contents Introduction 3 Logging on to the UC Management Centre User Interface 3 Exchange User Summary 4 Downloading Outlook 5 Outlook Configuration 6 Configuring Outlook
Load Balancing Exchange 2007 SP1 Hub Transport Servers using Windows Network Load Balancing Technology Introduction Exchange Server 2007 (RTM and SP1) Hub Transport servers are resilient by default. This
Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis
Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com http://dansolutions.com http://www.adsecurity.org ABOUT Chief
HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means
How to configure your Desktop Computer and Mobile Devices post migrating to Microsoft Office 365 1 Contents Purpose... 3 Office 365 Mail Connections... 3 Finding IMAP server... 3 Desktop computers... 4
STEALTHbits Technologies, Inc. StealthAUDIT v5.1 System Requirements and Installation Notes June 2011 Table of Contents Overview... 3 Installation Overview... 3 Hosting System Requirements... 4 Recommended
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
Deployment Guide Deploying Microsoft Exchange Server/Outlook Web Access and F5 s FirePass Controller Introducing the FirePass and Microsoft Exchange Server configuration Welcome to the FirePass Exchange
. All right reserved. For more information about Specops Self Service Portal and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Self Service Portal is a trademark owned
How to configure your Windows PC post migrating to Microsoft Office 365 1 Contents Purpose... 3 Document Support Boundaries... 3 Examples used in this document... 4 Several different Microsoft Office 365
Activity 1: Scanning with Windows Defender 1. Click on Start > All Programs > Windows Defender 2. Click on the arrow next to Scan 3. Choose Custom Scan Page 1 4. Choose Scan selected drives and folders
Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with SQL Server 2012 Tom Wisnowski - Architect, Microsoft Consulting Service Hello. Welcome to Configuring and Securing
Set up Outlook for your new student e mail with IMAP/POP3 settings 1. Open Outlook. The Account Settings dialog box will open the first time you open Outlook. If the Account Settings dialog box doesn't
SQL Server Automated Administration To automate administration: Establish the administrative responsibilities or server events that occur regularly and can be administered programmatically. Define a set
Dell SonicWALL and SecurEnvoy Integration Guide Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 Merlin House Brunel Road Theale
Vmware ESX 4/5/6 - Provision virtual machines through vsphere, assign available resources and install operating systems. - Configure the various built in alarms for monitoring, configure alarm thresholds
IceWarp to IceWarp Server Migration Registered Trademarks iphone, ipad, Mac, OS X are trademarks of Apple Inc., registered in the U.S. and other countries. Microsoft, Windows, Outlook and Windows Phone
Guideline Configuring IBM Cognos Controller 8 to use Single Sign- On Product(s): IBM Cognos Controller 8.2 Area of Interest: Security Configuring IBM Cognos Controller 8 to use Single Sign-On 2 Copyright