OWNED In 60 Seconds. From Network Guest to Windows Domain Admin. Directed By Zack Dutchess Fasel

Transcription

1 OWNED In 60 Seconds From Network Guest to Windows Domain Admin Directed By Zack Dutchess Fasel

2 We Now Present Your Obligatory Intro

3 What s This Talk About? Weaknesses in NTLM Auth, Specifically NTLM Relaying New techniques to take advantage of these flaws Ways to externally leverage NTLM Relaying Corporate Impact to NTLM Relaying Cool New Shiny Toolset Demo? Let s see... ;) Ways to Protect Yourself and Remediate

4 The Goal?

5 Get Domain Admin (or sensitive data) in 60 seconds or less

6 So Who Are You Zack Fasel on twitter - derbycon@zfasel.com Codename: Duchess Founder and Managing Partner of Co-Creator and Tech Lead Lead Organizer the party tonight.

7 Certifications/Credentials

8 95 Slides. Let s Get Started

9 So Let s Talk About LM/NTLM

10 The Minute Intro To X X LM/NTLM And All It s Flavors

11 So What Is LM/NTLM Windows Land! Password Hashing Algorithm Network Challenge/Authentication

12 Let s Start With Hashing

13 So Windows Pass Hashes Stored on Local Machine SAM File Local Accounts Memory For Local and Cached Accounts Stored on Domain Controller

14 LM? It s Bad Mmmkay We all know this. And have for years. But we re reviewing. 7 Character Chunks, CAPITALized Pad from 56 to 64 bytes DES Encrypt using Password as key and KGS!@#$% as the data. Viola. Hash.

15 LM? It s Bad Mmmkay We all know this. And have for years. Hunter2LOL! HUNTER2 / LOL! 93D1F9EA182DF34B / 20069D7FB184D83A

16 So the LaMe Problems? Obviously Easy to Crack now. Rainbow tables - every precomputed possibility in a dictionary Blah blah old news...

17 So How is NTLM Better? MD4(UTF-16(Password)) A Real Hash! Hunter2Hunter2 93D1F9EA182DF34B 93D1F9EA182DF34B DC020E672D09B BC0449B90C7CB

18 Obtaining Hash..es pwdump gsecdump mimikatz hashdump in meterpreter the list goes on...

19 Oh There s So Much More! But we only have an hour...well...50 minutes...or 45 by now...

20 NTLM Network Auth

21 Network Auths Used for various network services SPNEGO Plain Text NTLM Kerberos

22 3 Way Handshake Here It Goes TYPE 1 TYPE 2 TYPE 3 CLIENT SERVER Type 1 - Let s Talk. I Support X...Y...And Z Type 2 - I Support X...Y...And Q. Here s a CHALLENGE (salt) Type 3 - I m Sterling Archer of Isis. Password fx(guest,salt),sig

23 Type 1 - Let s Nego

24 Type 2 - I Challenge You!!

25 Type 3 - The password is...

26 The Flavors and Flags LM - Uses Weak LM Hash NTLM - Uses NTLM Hash NTLMv2 - Uses NTLM Hash with Added Client Chal LMv2 - Uses LM hash with Added Client Chal NTLM2 Signing - We ll Talk about That Later

27 So What s the Problem? You Know, The Security Issues...

28 Pass The Hash, Bro Doesn t require knowledge of the password. Utilizes the password hash to authenticate Requires existing access to obtain hashes (i.e. local admin)

29 But We ve Already Heard about PTH Twice This Con Mubix s Talk and Skip/Chris Talk But what about doing this with no existing access?

30 We Can Relay the Auth NTLM Authenticates the User to the Server, not mutual Remember Types 1 / 2 / 3? So how can we take advantage of this?

31 3 Way Handshake Here It Goes TYPE 1 - NEGO TYPE 2 - CHAL TYPE 3 - AUTH CLIENT SERVER ATTACKER

32 That s the Background Everyone Should be a Windows Auth Expert Now I ll be handing out CWAE Certifications Later

33

34 Mid Talk Checklist 1) Services Capture Auth 2) Auth Can Be Relayed to Other Services 3)... 4) PROFIT

35 MITM? That s Limited... Introducing Windows Integrated Auth

36 AUTH TO ALL THE THINGS Usability to prevent having to type password in over and over and over and over and over... Windows Auto-Logins to things without prompting

37 So What Ways Do They Auto Auth?

38 HTTP Auto Auth Local Trusted Security Context In Browser, only typically in IE, but can be enabled in FF/Chrome

39 How does Name Lookup? c:\windows\system32\drivers\etc\hosts DNS - name.sub.domain.tld, name.domain.tld NBNS Broadcast

40 NBNS You Say? Broadcast to local network looking for xyz name Spoof responses back (msf aux/spoof/nbns...) Viola, one word names auto auth

41 So I have to SE Someone? NOPE Web Proxy Auto Detect (WPAD) Looks up for proxy settings Auto Authenticates

42

43 So I have to use IE Systems auto authenticate too! DOMAIN\SYSTEM$ - Member of Domain Computers Even when no one is at the system

44

45 So Only On The Same LAN Nope Dynamic DHCP hostnames ;) hostname = hostname.sub.domain.tld Or DNS Poisoning...

46 So HTTP Only? Nope. Let s not Forget SMB

47 Browser Pages

48 But No Go in FF/Chrome

49 Until Now

50 But Chrome Is a PITA

51 How about Office Suite Word Doc Referencing UNC paths images Convert HTML file into Word Doc...viola! Excel? Power Point? Sure :)

52 What Else in Office? How about Outlook s Yes, it prompts for opening an image...but it works

53 Let s Extend This Further desktop.ini Files.lnk files

54 So Internally Only? NOPE! :) SMB doesn t respect local security context file://ip.add.re.ss/share/file.ext - Works over Net ;)

55 So Auto Auth via... NBNS Spoofing Browser Pages / HTML Office (Word/Excel/PPT/OUTLOOK) Docs desktop.ini / LNK Shortcuts

56 So What Can I Relay To?

57 HTTP NTLM Auth for HTTP Services

58 SMB We ve been doing this for a while MS08_069 fixed relaying back to source SMB RPC permits ability to execute commands / get shell, but requires admin access

59 LDAP So SMB Signing is forced by default on domain controllers...what can we relay to on the DC? LDAP Doesn t force signing by default! LDAP Supports NTLM Auth... WIN! Note: Can t change passwords unless SSL/Encrypted

60 Others? There s other things that use NTLM auth that permit further research! Remote Desktop VPN Telnet FTP...

61 So Internal Only, Lame Not So Fast...

62 HTTP Externally Sharepoint Servers?

63 People needed Mobiles

64 Exchange...Oh Exchange.. RPC EWS

65

66 The Pieces Come Together Let s Re-elaborate Impact Though

67 Give Me Some Scenarios You Bet. Here s 3.

68 Internal Employee Desktop.ini on Network Share Wait for admin to view share Admin auto authenticates to an smb share Relay to servers / ldap on domain controller Promote user account to domain admin, add new users

69 Rogue Wifi Rogue DNS + Proxy / NBNS+WPAD Relay to other Rogue Clients on AP or to EWS Om nom nom data

70 External Attacker Social Engineering /Persistent XSS Relay to Exchange Web Services or sharepoint

71 I Heard There s Some Tools Hey, Quit calling me a tool.

72 Existing Tools smb_relay Squirtle! There s a lot more

73 But They Fall Short Relay Everything to One Destination Only HTTP or SMB servers in separate roles No payload generation Limited target surface (i.e. get shell)

74 ZackATTACK! Relaying NTLM Like Nobody Else

75 Overall Design Difference Knows Who the User is before relaying! Rules to relay to unique destinations based on user Utilize limited user access as well as admin

76 So There s 4 Components Servers - Clients - Payloads - Rules

77 Servers SMB HTTP

78 What s Different? Remember type 1/2/3? We don t know user till 3. Challenge is sent in type 2. How do we know the user to send different users different challenges? Track by IP? Won t work Externally Cookies? Only for HTTP and not preserved with WPAD UUID? SMB2 Only

79 The Alzheimer's Feature HTTP Auth, 302 Redirect, Repeat SMB Auth, Setup, Reauth Request, Repeat

80 Payloads Auto Generation Desktop.ini, HTML pages, Word Docs, s HowTo for Manual Generation.LNK Files

81 Payloads HTML Payloads IE Firefox/Chrome/Safari Javascript Payload

82 Clients SMB Socks Proxy HTTP Exchange Web Services LDAP

83 Rules Auto Actions When you see X user, connect to Y server using Z service and perform Q actions.

84 Cool! Is there a Demo? Maybe...

85 So How Do We Fix This? It s Not Easy Kids

86 Currently, Mixed Solutions

87 There s Two Core Issues

88 NTLM Relaying & Automatic Authentication

89 There s A Lot To Consider Security is to help the business, not interfere Legacy OSs 3rd Party Devices

90 In A Perfect World NTLM Disabled Kerberos Only SMB Signing FORCED LDAP Signing FORCED External HTTP Services Require Client SSL Certs or VPN (yes, exchange too)

91 Group Policies for Win7 There s Some, but it s a stop gap

92 Firewalling Limits some exposure, but again, doesn t fix shit.

93 Where do we go from here Further Development of tool Further education and training to secure more Grab your Pitch Forks! Let s Put NTLM to Rest!

94 Questions? on twitters - zfasel.com

95 And that s 95 slides. Whew