Attacking Kerberos Deployments

Similar documents
-- Mario G. Salvadori, Why Buildings Fall Down*

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING

Stealing credentials for impersonation

Introduction to Computer Security

Taming the beast : Assess Kerberos-protected networks

10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture)

Entrust Managed Services PKI

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Kerberos. Login via Password. Keys in Kerberos

Introduction to Computer Security

Authentication Applications

CS 356 Lecture 28 Internet Authentication. Spring 2013

Active Directory network protocols and traffic

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Check Point FDE integration with Digipass Key devices

Configuring Security Features of Session Recording

Authentication Application

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date Version V1.0

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Basic network security threats

Client Server Registration Protocol

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Kerberos and Active Directory symmetric cryptography in practice COSC412

CERTIFICATES AND CRYPTOGRAPHY

TIBCO ActiveMatrix BPM Single Sign-On

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Enterprise Security: Building On All Your Assets

How To Use Kerberos

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

Kerberos authentication made easy on OpenVMS

Integration with Active Directory. Jeremy Allison Samba Team

Implementing and Managing Security for Network Communications

Troubleshooting smart card logon authentication on active directory

Using Entrust certificates with VPN

Windows Advanced Audit Policy Configuration

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Recommended Practices for Deploying & Using Kerberos in Mixed Environments

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Chapter 15 User Authentication

Red Hat Enterprise ipa

Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

Exploiting Transparent User Identification Systems

OPC UA vs OPC Classic

KERBEROS ROAD MAP SAM HARTMAN MIT KERBEROS CONSORTIUM APRIL 7, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Windows Server 2008/2012 Server Hardening

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

TIBCO ActiveMatrix BPM Single Sign-On

NETASQ SSO Agent Installation and deployment

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

FreeIPA Cross Forest Trusts

Security Provider Integration Kerberos Authentication

Firewalls, Tunnels, and Network Intrusion Detection

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Basic network security threats

Understanding and evaluating risk to information assets in your software projects

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Authentication Types. Password-based Authentication. Off-Line Password Guessing

CAC AND KERBEROS FROM VISION TO REALITY

Active Directory network protocols and traffic

Configure the Application Server User Account on the Domain Server

Microsoft Windows Server 2012 R2 Remote Desktop Services - How to Set Up (Mostly) Seamless Logon for RDP Connections

Internal Server Names and IP Address Requirements for SSL:

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Kerberos on z/os. Active Directory On Windows Server William Mosley z/os NAS Development. December Interaction with.

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Why it s Time to Make the Change Analysis of Current Technologies for Multi-Factor Authentication in Active Directory

Authentication Applications

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Security: Focus of Control. Authentication

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

How to Configure Captive Portal

PC Business Banking. Technical Requirements

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

HOBCOM and HOBLink J-Term

Successful DB2 NETLOGON in LAB (Sniffer on LAB HUB)

Host Access Management and Security Server

Embedded Web Server Security

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham

Internet Protocol Security (IPSec)

Juniper Networks Secure Access Kerberos Constrained Delegation

Topics in Network Security

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

User Documentation for SmartPolicy. Version 1.2

CS 4803 Computer and Network Security

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

BlueCoat s Guide to Authentication V1.0

Single Sign-On for Kerberized Linux and UNIX Applications

Transcription:

Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender Black Hat USA 2010 https://www.isecpartners.com

About Us Who are you? Security Consultants at isec Partners Work in our application security consulting practice Based in Seattle What is this talk about? Performing practical attacks against common Kerberos deployment patterns Why should I care? If you have authenticated to another machine at work, you have probably used Kerberos 2

Agenda Protocol Overview Initial Authentication and Etype Downgrades PKINIT: Kerberos and Smart Cards Hijacking Active Directory Workstations with Smart Card login: Own one box, own the Enterprise Hijacking Kerberized Services AP-REQ replay attack and defense Mutual authentication and SPNs 3

A quick introduction to Kerberos

Kerberos: The Basic Protocol AS-REQ AS-REP KDC TGS-REQ [host/fileserver] TGS-REP client fileserver 5

Kerberos rules the Intranet Interoperable and standardized Most widely utilized and preferred protocol for authentication in large, centrally managed environments Windows Active Directory Networks Large educational networks on Unix/Linux Still being adopted in new places Hadoop Web Services InfoCard 6

Initial Authentication and Etypes

Cryptographic Primitives Cryptographic Agility was a big driver for Kerberos v5 Etypes define the set of primitives to be used for cryptographic operations Examples include: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-md5 rc4-hmac-exp 8

Etype Negotiation AS-REQ ENC-TIMESTAMP: NULL aes-256-cts-hmac-sha1-96 des-cbc-md5 ERR PREAUTH REQUIRED KDC aes-256-cts-hmac-sha1-96 des-cbc-md5 AS-REQ ENC-TIMESTAMP: 6ba4 aes-256 aes-256-cts-hmac-sha1-96 des-cbc-md5 AS-REP ENC-PART: bc32 aes-256 client 9

Attacking Etype Negotiation How can an active attacker influence etype negotiation to his or her advantage? Lie to the server about client capabilities Downgrade initial anonymous AS-REQ Downgrade the authenticated AS-REQ Lie to the client about server capabilities Downgrade ERR PREAUTH REQUIRED and several others 10

Benefits of Downgrade The key used to encrypt the authenticator is derived directly from the user s password. Try: Active downgrade Capture authenticator Use the key to make your own authenticator later 11

Benefits of Downgrade Frank O Dwyer demonstrated the feasibility of password grinding on RC4 other etypes are similarly vulnerable Newer etypes have been designed to resist such attacks Even when exhaustive key search is unavailable, downgrade can make password grinding feasible 12

Does this Affect Me? Windows 2008 / Windows Vista and previous enable DES for both outbound and inbound Rather recent open-source distributions of Kerberos do the same, but your mileage will vary on your distribution and configuration steps. Windows 7 emits, but does not accept, export-grade RC4 Enabling DES etypes is still surprisingly common for interoperability 13

Protecting Against Downgrade In a word, disable weak etypes DES, Export-Grade If possible, everything but the latest and greatest AES Disabling etypes Always configurable in MIT and similar distributions Windows 2008 R2 / Windows 7 introduced a new security policy for this These are increasingly disabled by default Windows 2008 R2, MIT Kerb 1.8 14

Public Key Kerberos and Smart Cards

Basics of PKINIT Client Preauthenticator AuthPack KdcName KdcRealm Cusec Ctime Nonce Client Certificate RSA SHA1 Signature KDC Reply EncKeyPack RecipientInfo IssuerAndSerialNumber Encrypted Key EncryptedContentInfo ReplyKeyPack ReplyKey AS Checksum ReplyKeyPack Signature KDC Certificate

Mutual authentication? In traditional Kerberos, the user and KDC shared a secret. Now we have PKI involved. As HTTPS has repeatedly shown us, PKI is tricky. 17

Who are the trust roots for Public Key Kerberos? Luckily, the usual suspects from the Web are not involved. Certificates must be issued by a specific root CA(s) Config file for Unix/Linux clients Registry and Active Directory for Windows clients Client certs must be issued by this authority and have the Smart Card Authentication EKU How is the KDC authenticated by the client? 18

PKINIT KDC Authentication Certificate must be issued by the designated authority. Must have the subject indicated in a correct format. Usually a UPN (email address) MIT & Heimdal look for the KDC Key Purpose ID EKU. What do Windows clients verify? Not documented. 19

New group policy in Vista SP1: Require strict KDC validation This policy setting controls the Kerberos client's behavior in validating the KDC certificate. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dnsname subjectaltname (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAUTH store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. Yadda yadda yadda 20

If you disable or do not configure this policy setting, the Kerberos client will require only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions. What other certificates have the Server Auth EKU? 21

Web Server template Have you been following security advice to use HTTPS on your intranet? How many internal web servers do you have with certificates issued by the Enterprise CA? How much to you trust these systems and those with administrative access to them? Even if you use NAP/NAC, at least one of these is accessible to non-compliant clients. (remediation server) 22

Computer Template Default AD Cert Services Enterprise Authority configuration: 23

Impersonate the KDC in PKINIT In a default install, any workstation in the domain has access to credentials that allow impersonation of the KDC. In a default install, works for all clients through and including Win 7. And for MIT and Heimdal clients configured for interop with a Windows Server KDC. (pkinit_require_eku = false) 24

Can t the Kerberos client match the X.509 Subject in the KDC certificate? MIT & Heimdal could check that the name is in the list of KDCs for the realm in /etc/krb5.conf, but don t Windows doesn t know who the DC / KDC is. It asks the network via a combination of insecure protocols: DNS SRV records NetBIOS Unauthenticated CLDAP Doesn t bother do to DNS to CNAME match, anyway DNSSEC won t save you And Kerberos traffic is usually exempt from IPSEC policy 25

Elevation: MIT/Heimdal kinit+nfs PK-AS-REQ Impostor KDC KDC www Windows Domain Controller PK-AS-REP TGS-REQ [host/fileserver] TGS-REP Victim fileserver 26

AP-REQ AP-REP Elevation: Windows Smart Card Logon PK-AS-REQ Impostor KDC KDC www Windows Domain Controller PK-AS-REP TGS-REQ [host/workstation] TGS-REP Victim For Domain logon, first action of client after getting a user TGT is to mutually authenticate itself to the workstation. The evil KDC can forge a TGS-REP, but doesn t don t know the symmetric secret of the workstation, so it won t be accepted, and the AP- REQ/REP happens locally so it can t be influenced by a MITM. Workstation 27

How to get around this? Find a scenario where the computer account verification isn t needed or can t happen. Domain join Based entirely on user credentials If we have an account that is privileged to join machines to the domain: Act as silent MITM, learn system account password. Assuming control of such an account may already be game over in many deployments. Or join to impostor domain, supply policy that provides persistent control, then re-join to real domain once a user with appropriate privilege logs in again. 28

We can do better 29

What if we have a conspiring user? Usually, all users allowed to logon to all workstations. User Principal Name Canonicalization: If the "canonicalize" KDC option is set, then the KDC MAY change the client and server principal names and types in the AS response and ticket returned from the name type of the client name in the request. In a TGS exchange, the server principal name and type may be changed. [draft-ietf-krb-wg-kerberos-referrals-11] 30

AS-REQ [patient0] AS-REP [patient0] TGS-REQ [host/workstation ] TGS-REP AP-REQ PK-AS-REQ [victim] PK-AS-REP [patient0] Impostor KDC www TGS-REQ [host/workstation] User Ticket, Client Name: patient0 Server Ticket, Client Name: patient0 Referral TGS-REP Victim OK, patient0 Workstation KDC Windows Domain Controller The client should expect, when sending names with the "canonicalize" KDC option, that names in the KDC's reply MAY be different than the name in the request. [RFC4120].

What now? User is at trusted, healthy workstation. Has just logged on with smart card. But we control the interactive user session and can impersonate any other server, push policy as the DC, etc. Run a trojan: Put up the Installing updates screen. After a suitable delay, put up the Insert a smart card to unlock screen. If user forgets to Ctl-Alt-Delete and enters their PIN. Unlock smart card, make AS-REQ to real KDC. Get NTOWF from PAC supplemental credential buffer Get TGT renewable for 7 days Remove trojan, reboot. 32 32

Own One Machine, Own The Enterprise Complex and difficult elevation path, but reliable and quiet. Few, if any, network forensics traces. Normal protocols on normal ports. Must be allowed through firewalls. Differences between normal and attack payloads are in the encrypted portion of authentication protocols. IPSec and DNSSEC won t stop it. 33

Smart Card Kerberos Recommendations

Turn on Strict KDC Validation Policy Available on Vista SP1 and above Retire XP or don t use Smart Cards Enroll all Domain Controllers for the Kerberos Authentication template first. Included in AD Certificate Services on Windows Server 2008 and later Includes KDC Authentication EKU and Domain DNS and NetBIOS names as Subject Alt Names Still not default for DCs on Windows Server 2008 domains 35

Domain Join Defaults are not secure and it is hard to apply policy to make it secure before a machine is joined to the domain. Strengthen local policy on default images Reduce the number of users privileged to join machines to the domain Audit domain joins (event ID 645) Compare Caller User Name to expected Use an account with a strong password Use offline domain join or join only on an isolated, trusted network 36

Fixing it for MIT & Heimdal Linux KDC = OK (with good issuance policies!) For Windows KDC, don t turn off pkinit_require_eku. Reissue server certificates as described. 37

Are Smart Cards better than passwords? Yes, but Default configuration for workstations and KDCs in an Active Directory is vulnerable Be careful with Enterprise CA management Be careful with domain join Windows XP crypto and policy options are past their sellby date for both smart card and standard Kerberos 38

Hijacking Kerberized Applications

The Punchline Replay attacks are often effective against poorly Kerberized services. You want a tie between authentication and protocol, but have to build it yourself. Authentication to a Kerberized service is accomplished with the AP-REQ message. This message can be replayed (Kasslin, Tikkanen, Virtanen. Kerberos V Security: Replay Attacks. AUSTRALIAN INFORMATION WARFARE & IT SECURITY 2004) 40

AP-REQ Message Field Version, Message Type, and Options Target Principal & Realm Ticket (includes session key, client principal name & address) Authenticator (ctime, cutime, cksum) Manner of Protection Unprotected Unprotected Encrypted using service key Encrypted using session key 41

Authenticator The authenticator is used to prevent invalid replay of tickets by proving to the server that the client knows the session key of the ticket and thus is entitled to use the ticket. rfc 4120 42

Authenticator Contains material used to detect replays cksum: checksum field Sometimes blank (useless) Service binding (containing a magic number) Can t protect bidirectional protocol cutime, ctime: used to verify AP-REQ freshness cname(ticket): contains client network address. Network address is spoofable. Cached on service to detect replays (an authenticator can only be sent once) 43

Why This Doesn t Work A single checksum in adequate for bidirectional protocols An attacker actively intercepting traffic is going to send spoofed tickets immediately, will pass cutime/ctime freshness check. The attacker will appear to be coming from the client s ip, checking that does no good. The attacker can intercept and send a copy before the client, caching does no good. Don t rely on the authenticator alone to detect replays. 44

The Right Way To Do It The integrity of the messages exchanged between principals can also be guaranteed by using the session key (passed in the ticket and contained in the credentials). This approach provides detection of both replay attacks and message stream modification attacks. It is accomplished by generating and transmitting a collision-proof checksum (elsewhere called a hash or digest function) of the client's message, keyed with the session key. rfc 4120 45

What can be done You will perish in flames! Louis Tully Developers Ensure session has integrity protection that uses the kerberos established session key Administrators Evaluate services for poor kerberos integration. Ensure integrity and encryption are provided between kerberos endpoints (possibly stunnel or ipsec) 46

What can be done - Windows Each major authenticated protocol in Windows provides some mechanism for binding If you use something off the beaten path, you may need to call EncryptMessage and SignMessage yourself However, the some mechanism is not always up to the developer or the system administrator 47

Binding Protocols Protocol Name Dev Binding Admin Binding LDAP RPC DCOM Use LDAP API to require Signing/Sealing Set binding on client to require Packet Integrity or better. Check the same in the security callback on the server. Set proxy blanket on client to require Packet Integrity or better. Configure service to require the same authorization level. Specify Require Signing security policy for client and server. N/A Set machine-wide default and per-app DCOM authorization levels using the Component Services MMC plug-in. 48

Binding Protocols Protocol Name Dev Binding Admin Binding SMB / Named Pipe HTTPS N/A Transparent in most applications. Specify Digitally Sign Communications Always for network clients and servers. Enable Extended Protection registry keys and on web applications 49

Mutual Authentication? One major benefit of Kerberos is true mutual authentication. Mutual authentication means, at best, I have a session key with my friend designated by this SPN. How do self-organizing background services get that SPN? Here s a hint: 50

Mutual Authentication? You do not get mutual authentication if you: Ask the attacker what their SPN is Call an API that asks the attacker what their SPN is Ask DNS what the attacker s SPN is Pull the attacker s SPN out of a service definition served by the attacker Fail to set a proper, fully-qualified, SPN Fail to set any SPN whatsoever 51

Configuring SPNs This is a surprisingly widespread and difficult problem The easy way is human configuration. Error-prone Fails to scale A well-organized set of services can provide secure, automated service resolution Often carries custom requirements and limitations 52

Thank you for coming! rachel@isecpartners.com brad@isecpartners.com scott@isecpartners.com What we didn t have time to tell you in one hour can be found at: https://www.isecpartners.com/ 53

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information