OWNED In 60 Seconds: From Network Guest to Windows Domain Admin
Directed By Zack "Duchess" Fasel
We Now Present Your Obligatory Intro
What's This Talk About?
- Weaknesses in NTLM Auth, Specifically NTLM Relaying
- New Techniques to Take Advantage of These Flaws
- Ways to Externally Leverage NTLM Relaying
- Corporate Impact of NTLM Relaying
- Cool New Shiny Toolset
- Demo? Let's See... ;)
- Ways to Protect Yourself and Remediate
The Goal?
Get Domain Admin (or sensitive data) in 60 seconds or less
So Who Are You?
Zack Fasel - @zfasel on Twitter - derbycon@zfasel.com
Codename: Duchess
- Founder and Managing Partner of
- Co-Creator and Tech Lead for @THOTCON
- Lead Organizer of @_dc312_
- DJing @ the Party Tonight
Certifications/Credentials
95 Slides. Let's Get Started
So Let's Talk About LM/NTLM
The 3... 5... 7 Minute Intro To LM/NTLM And All Its Flavors
So What Is LM/NTLM? Windows Land!
- Password Hashing Algorithm
- Network Challenge/Authentication
Let's Start With Hashing
So, Windows Pass Hashes
- Stored on Local Machine: SAM File (Local Accounts); Memory (For Local and Cached Accounts)
- Stored on Domain Controller
LM? It's Bad, Mmmkay. We all know this. And have for years. But we're reviewing.
- 7 Character Chunks, CAPITALized
- Pad from 56 to 64 bytes
- DES Encrypt using Password as key and KGS!@#$% as the data
- Voilà. Hash.
LM? It's Bad, Mmmkay. We all know this. And have for years.
Hunter2LOL! -> HUNTER2 / LOL! -> 93D1F9EA182DF34B / 20069D7FB184D83A
So the LaMe Problems?
- Obviously Easy to Crack Now
- Rainbow Tables - Every Precomputed Possibility in a Dictionary
- Blah blah, old news...
So How Is NTLM Better? MD4(UTF-16(Password)) - A Real Hash!
Password: Hunter2 | LM: 93D1F9EA182DF34B | NTLM: DC020E672D09B854
Password: Hunter2 | LM: 93D1F9EA182DF34B | NTLM: 672BC0449B90C7CB
Obtaining Hash..es
- pwdump
- gsecdump
- mimikatz
- hashdump in meterpreter
- The list goes on...
Oh, There's So Much More! But we only have an hour...well...50 minutes...or 45 by now...
NTLM Network Auth
Network Auths
- Used for Various Network Services
- SPNEGO
- Plain Text
- NTLM
- Kerberos
3 Way Handshake, Here It Goes: CLIENT <-> SERVER
- Type 1 - Let's Talk. I Support X...Y...And Z
- Type 2 - I Support X...Y...And Q. Here's a CHALLENGE (salt)
- Type 3 - I'm Sterling Archer of ISIS. Password fx(guest, salt), sig
Type 1 - Let's Nego
Type 2 - I Challenge You!!
Type 3 - The Password Is...
The Flavors and Flags
- LM - Uses Weak LM Hash
- NTLM - Uses NTLM Hash
- NTLMv2 - Uses NTLM Hash with Added Client Chal
- LMv2 - Uses LM Hash with Added Client Chal
- NTLM2 Signing - We'll Talk About That Later
So What's the Problem? You Know, The Security Issues...
Pass The Hash, Bro
- Doesn't Require Knowledge of the Password
- Utilizes the Password Hash to Authenticate
- Requires Existing Access to Obtain Hashes (i.e. Local Admin)
But We've Already Heard About PTH Twice This Con: Mubix's Talk and Skip/Chris's Talk. But what about doing this with no existing access?
We Can Relay the Auth
- NTLM Authenticates the User to the Server, Not Mutual
- Remember Types 1 / 2 / 3?
- So How Can We Take Advantage of This?
3 Way Handshake, Here It Goes: CLIENT <-> ATTACKER <-> SERVER
- TYPE 1 - NEGO
- TYPE 2 - CHAL
- TYPE 3 - AUTH
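The three messages above are what a defender actually sees on the wire. As an added example (not code from the talk or from the ZackAttack tool), here is a small Python decoder for NTLMSSP Type 1/2/3 messages plus an audit of what a captured exchange granted: whether the server agreed to sign the session (the property that "SMB signing forced" and "LDAP signing forced" later in the talk depend on), and whether the client answered with an NTLMv1 or NTLMv2 response. Field offsets follow the public MS-NLMP layout; the flag values are the spec's. The exchange, the domain CORP, user jdoe, workstation WS01 and the response bytes are all constructed here for illustration, not captured traffic. Note that the flags only show what was negotiated; whether a server refuses unsigned sessions is its own SMB/LDAP policy setting.

```python
import struct

# NTLMSSP negotiate flags (MS-NLMP section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000

SIGNATURE = b"NTLMSSP\x00"


def _enc(flags):
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"


def _read_field(buf, off):
    """Read one security-buffer header (len, maxlen, offset); return its payload bytes."""
    length, _maxlen, data_off = struct.unpack_from("<HHI", buf, off)
    return buf[data_off:data_off + length]


def parse_ntlmssp(buf):
    """Decode a Type 1 (NEGOTIATE), Type 2 (CHALLENGE) or Type 3 (AUTHENTICATE) message."""
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:  # flags directly follow signature and type
        return {"type": 1, "flags": struct.unpack_from("<I", buf, 12)[0]}
    if msg_type == 2:  # target name field @12, flags @20, 8-byte server challenge @24
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": 2, "flags": flags, "challenge": buf[24:32],
                "target": _read_field(buf, 12).decode(_enc(flags))}
    if msg_type == 3:  # LM @12, NT @20, domain @28, user @36, workstation @44, key @52, flags @60
        flags = struct.unpack_from("<I", buf, 60)[0]
        nt_resp = _read_field(buf, 20)
        return {"type": 3, "flags": flags, "lm_response": _read_field(buf, 12),
                "nt_response": nt_resp,
                "domain": _read_field(buf, 28).decode(_enc(flags)),
                "user": _read_field(buf, 36).decode(_enc(flags)),
                "workstation": _read_field(buf, 44).decode(_enc(flags)),
                # an NTLMv1 NT response is exactly 24 bytes; NTLMv2 is a 16-byte proof plus a blob
                "nt_version": "NTLMv2" if len(nt_resp) > 24 else "NTLMv1"}
    raise ValueError("unknown NTLMSSP message type %d" % msg_type)


def build_negotiate(flags):
    """Type 1: signature, type, flags, then empty domain and workstation fields (32 bytes)."""
    return SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_challenge(target, challenge, flags):
    """Type 2: target name field, flags, challenge, 8 reserved bytes, empty target info."""
    tname = target.encode(_enc(flags))
    hdr = SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(tname), len(tname), 48)
    hdr += struct.pack("<I", flags) + challenge + b"\x00" * 8
    hdr += struct.pack("<HHI", 0, 0, 48 + len(tname))
    return hdr + tname


def build_authenticate(domain, user, workstation, lm_resp, nt_resp, flags):
    """Type 3: six security buffers pointing into a payload that starts at offset 64."""
    enc = _enc(flags)
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    hdr, payload, off = SIGNATURE + struct.pack("<I", 3), b"", 64
    for item in items:
        hdr += struct.pack("<HHI", len(item), len(item), off)
        payload += item
        off += len(item)
    return hdr + struct.pack("<I", flags) + payload


def audit_exchange(type1, type2, type3):
    """Summarize a captured exchange: who authenticated, what the server granted,
    and the properties that decide how much a relayed copy of it could do."""
    n, c, a = parse_ntlmssp(type1), parse_ntlmssp(type2), parse_ntlmssp(type3)
    granted = c["flags"]
    findings = []
    if not granted & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN):
        findings.append("no session signing negotiated: server granted neither SIGN nor ALWAYS_SIGN")
    if a["nt_version"] == "NTLMv1":
        findings.append("NTLMv1 response: 24-byte DES-based answer with no client challenge, crackable offline")
    if not granted & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        findings.append("no extended session security (NTLM2) negotiated")
    return {"user": "%s\\%s" % (a["domain"], a["user"]), "workstation": a["workstation"],
            "client_requested": n["flags"], "server_granted": granted,
            "challenge": c["challenge"].hex(), "nt_version": a["nt_version"], "findings": findings}


# Constructed sample exchange (not a real capture): a domain workstation talking to a
# server that either does or does not grant signing. Response bytes are placeholders.
CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
                | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                | NTLMSSP_NEGOTIATE_128)


def sample_exchange(server_signs, ntlmv2):
    server_flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_128
    if server_signs:
        server_flags |= (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                         | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
    nt_resp = b"\x22" * 16 + b"\x33" * 40 if ntlmv2 else b"\x11" * 24
    t1 = build_negotiate(CLIENT_FLAGS)
    t2 = build_challenge("CORP", b"\x01\x23\x45\x67\x89\xab\xcd\xef", server_flags)
    t3 = build_authenticate("CORP", "jdoe", "WS01", b"\x00" * 24, nt_resp, server_flags)
    return t1, t2, t3


if __name__ == "__main__":
    for signs, v2 in ((False, False), (True, True)):
        print(audit_exchange(*sample_exchange(signs, v2)))
```

Run it against real traffic by feeding the decoder the NTLMSSP blobs carved out of an SMB Session Setup or an HTTP `Authorization: NTLM` header; a fleet where the "no session signing negotiated" finding never appears is one where the SMB and LDAP hardening later in the talk has actually taken hold.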
That's the Background. Everyone Should Be a Windows Auth Expert Now. I'll Be Handing Out CWAE Certifications Later.
Mid Talk Checklist
1) Services Capture Auth
2) Auth Can Be Relayed to Other Services
3) ...
4) PROFIT
MITM? That's Limited... Introducing Windows Integrated Auth
AUTH TO ALL THE THINGS
- Usability, to Prevent Having to Type the Password In Over and Over and Over and Over and Over...
- Windows Auto-Logins to Things Without Prompting
So What Ways Do They Auto Auth?
HTTP Auto Auth
- Local Trusted Security Context: http://name/
- In Browser, Typically Only in IE, But Can Be Enabled in FF/Chrome
How Does Name Lookup Work?
- c:\windows\system32\drivers\etc\hosts
- DNS - name.sub.domain.tld, name.domain.tld
- NBNS Broadcast
NBNS You Say?
- Broadcast to Local Network Looking for xyz Name
- Spoof Responses Back (msf aux/spoof/nbns...)
- Voilà, One Word Names Auto Auth
So I Have to SE Someone? NOPE.
- Web Proxy Auto Detect (WPAD)
- Looks Up http://wpad/wpad.dat for Proxy Settings
- Auto Authenticates
So I Have to Use IE? Systems Auto Authenticate Too!
- DOMAIN\SYSTEM$ - Member of Domain Computers
- Even When No One Is at the System
So Only On the Same LAN? Nope.
- Dynamic DHCP Hostnames ;) hostname = hostname.sub.domain.tld
- Or DNS Poisoning...
So HTTP Only? Nope. Let's Not Forget SMB
Browser Pages
But No Go in FF/Chrome
Until Now
But Chrome Is a PITA
How About the Office Suite?
- Word Doc Referencing UNC Path Images
- Convert HTML File into Word Doc...Voilà!
- Excel? PowerPoint? Sure :)
What Else in Office? How About Outlook Emails? Yes, It Prompts for Opening an Image...But It Works
Let's Extend This Further
- desktop.ini Files
- .lnk Files
So Internally Only? NOPE! :)
- SMB Doesn't Respect Local Security Context
- file://ip.add.re.ss/share/file.ext - Works Over the Net ;)
So Auto Auth via...
- NBNS Spoofing
- Browser Pages / HTML
- Office (Word/Excel/PPT/Outlook) Docs
- desktop.ini / LNK Shortcuts
So What Can I Relay To?
HTTP - NTLM Auth for HTTP Services
SMB
- We've Been Doing This for a While
- MS08_069 Fixed Relaying Back to Source
- SMB RPC Permits Ability to Execute Commands / Get Shell, But Requires Admin Access
LDAP
- So SMB Signing Is Forced by Default on Domain Controllers...What Can We Relay to on the DC?
- LDAP Doesn't Force Signing by Default! LDAP Supports NTLM Auth... WIN!
- Note: Can't Change Passwords Unless SSL/Encrypted
Others? There Are Other Things That Use NTLM Auth That Permit Further Research!
- Remote Desktop
- VPN
- Telnet
- FTP...
So Internal Only? Lame. Not So Fast...
HTTP Externally: SharePoint Servers?
People needed Mobiles
Exchange...Oh Exchange..
- RPC
- EWS
The Pieces Come Together. Let's Re-elaborate Impact, Though
Give Me Some Scenarios. You Bet. Here's 3.
Internal Employee
- desktop.ini on Network Share
- Wait for Admin to View Share
- Admin Auto Authenticates to an SMB Share
- Relay to Servers / LDAP on Domain Controller
- Promote User Account to Domain Admin, Add New Users
Rogue WiFi
- Rogue DNS + Proxy / NBNS+WPAD
- Relay to Other Rogue Clients on AP or to EWS
- Om nom nom data
External Attacker
- Social Engineering Email/Persistent XSS
- Relay to Exchange Web Services or SharePoint
I Heard There's Some Tools. Hey, Quit Calling Me a Tool.
Existing Tools
- smb_relay
- Squirtle!
- There's a Lot More
But They Fall Short
- Relay Everything to One Destination Only
- HTTP or SMB Servers in Separate Roles
- No Payload Generation
- Limited Target Surface (i.e. Get Shell)
ZackATTACK! Relaying NTLM Like Nobody Else
Overall Design Difference
- Knows Who the User Is Before Relaying!
- Rules to Relay to Unique Destinations Based on User
- Utilize Limited User Access as Well as Admin
So There's 4 Components: Servers - Clients - Payloads - Rules
Servers
- SMB
- HTTP
What's Different?
- Remember Type 1/2/3? We Don't Know the User Till 3. The Challenge Is Sent in Type 2. How Do We Know the User, to Send Different Users Different Challenges?
- Track by IP? Won't Work Externally
- Cookies? Only for HTTP, and Not Preserved with WPAD
- UUID? SMB2 Only
The Alzheimer's Feature
- HTTP: Auth, 302 Redirect, Repeat
- SMB: Auth, Setup, Reauth Request, Repeat
Payloads
- Auto Generation: desktop.ini, HTML Pages, Word Docs, Emails
- HowTo for Manual Generation: .LNK Files
Payloads
- HTML Payloads: IE; Firefox/Chrome/Safari
- JavaScript Payload
Clients
- SMB
- Socks Proxy
- HTTP
- Exchange Web Services
- LDAP
Rules: Auto Actions. When You See X User, Connect to Y Server Using Z Service and Perform Q Actions.
Cool! Is there a Demo? Maybe...
So How Do We Fix This? It's Not Easy, Kids
Currently, Mixed Solutions
There's Two Core Issues
NTLM Relaying & Automatic Authentication
There's A Lot To Consider
- Security Is to Help the Business, Not Interfere
- Legacy OSs
- 3rd Party Devices
In A Perfect World
- NTLM Disabled, Kerberos Only
- SMB Signing FORCED
- LDAP Signing FORCED
- External HTTP Services Require Client SSL Certs or VPN (Yes, Exchange Too)
Group Policies for Win7: There's Some, But It's a Stop Gap
Firewalling: Limits Some Exposure, But Again, Doesn't Fix Shit.
Where Do We Go from Here?
- Further Development of Tool
- Further Education and Training to Secure More
- Grab Your Pitchforks! Let's Put NTLM to Rest!
Questions? derbycon@zfasel.com - @zfasel on Twitters - zfasel.com
And That's 95 Slides. Whew