Microsoft 2016 5/21/2018 10:21 AM BRK3292 Understand Credential Security: Important Things You Need to Know About Storing Your Identity Paula Januszkiewicz.

Presentation transcript:

BRK3292 Understand Credential Security: Important Things You Need to Know About Storing Your Identity
Paula Januszkiewicz. CQURE: CEO, Penetration Tester / Security Expert; CQURE Academy: Trainer; MVP: Enterprise Security, MCT
Contact: paula@cqure.us | http://cqure.us | http://cqureacademy.com | @paulacqure | @CQUREAcademy
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Definition of credentials: a set of data that allows another party to believe me when I tell them who I am.

Where the secrets live
- Bootkey: derived from the class names of the keys Data, GBG, JD and Skew1 under HKLM\SYSTEM\CCS\Control\Lsa
- SAM / NTDS.dit (MD4 hashes): C:\windows\system32\config and C:\windows\system32\NTDS
- LSA Secrets (service accounts): HKLM\SECURITY\Policy\Secrets
- $MACHINE.ACC (SYSTEM's clear-text password): HKLM\SECURITY\Policy\Secrets
- DPAPI_SYSTEM (master keys): HKLM\SECURITY\Policy\Secrets
- MSDCC2 (cached logon data): HKLM\SECURITY\Cache
More information: http://cqureacademy.com/blog

Are ‘cached credentials’ safe?

Encrypted Cached Credentials: Legend
Generic PBKDF2: DK = PBKDF2(PRF, Password, Salt, c, dkLen)
Microsoft's implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)

Cached Logons: It used to be like this… (Windows 2003 / XP)
The encryption algorithm is RC4. The hash used to verify authentication is calculated as follows:
DCC1 = MD4(MD4(Unicode(password)) . LowerUnicode(username)), that is, DCC1 = MD4(hashNTLM . LowerUnicode(username))
Usage in the attack: setting aside the attacks that pass-the-hash facilitates, the only consolation is the "salting" by the username. A number of pre-computed tables exist for common usernames such as Administrator, which makes attacks on these hashes easier.

Cached Logons: Now it is like this! (Windows Vista / 2008 and later)
The encryption algorithm is AES128. The hash used to verify authentication is calculated as follows:
MSDCC2 = PBKDF2(HMAC-SHA1, Iterations, DCC1, LowerUnicode(username)), with DCC1 calculated in the same way as for 2003 / XP.
There is actually not much of a difference from XP / 2003: no additional salting. PBKDF2 introduced a new variable, the number of SHA1 iterations, with the same salt as before (the username).
Usage in the attack: Sysmon stores a hash base; it can be used for malware or unwanted activity discovery.

Cached Logons: Iterations
The number of PBKDF2 iterations is configurable through the registry: HKEY_LOCAL_MACHINE\SECURITY\Cache, DWORD (32) NL$IterationCount
- If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations)
- If the number is greater than 10240, it is the number of iterations (rounded to 1024)

Demo: Cached Credentials + getting access to user’s secrets

Classic Data Protection API
- Based on the following components: password, data blob, entropy
- Is not prone to password resets!
- Protects from outsiders when they have offline access
- Effectively protects user data
- Stores the password history: you need to be able to access some of your passwords from the past
Conclusion: the OS greatly helps us to protect secrets

Demo: Classic DPAPI + getting access to user’s secrets in the domain

Demo: DPAPI Taken Further + KeePass

Demo: RDG Passwords. When centralization should be done with a bit more awareness

IIS Structure
A lot of things going on here, but not that important for us now.
- Kernel mode: HTTP.SYS
- User mode: WWWPS, W(P)AS, w3wp.exe, applicationHost.config
1 – WPAS reads the configuration (applicationHost.config)
2 – WPAS starts the worker process (w3wp.exe) with some identity

Application Pools
- Used to group one or more web applications
- Purpose: assign resources, serve as a security sandbox
- Use worker processes (w3wp.exe); their identity is defined in the application pool settings; they process requests to the applications
- Passwords for the AppPool identity can be ’decrypted’ even offline: they are stored in encrypted form in applicationHost.config
Conclusion: IIS’s security relies on the machine keys (Local System)

Demo: Application Pools. Getting the password from the IIS configuration

IISWasKey + extracting the data from the registry

Services
- Store configuration in the registry
- Always need some identity to run the executable!
- Local Security Authority (LSA) Secrets must be stored locally, especially when domain credentials are used; they can be accessed when we impersonate Local System
- Their accounts should be monitored: if you cannot use gMSA or MSA, use a subscription for svc_ accounts (naming convention)
Conclusion: think twice before using an administrative account; use gMSA

Demo: Services. Getting the password from LSA Secrets

Chasing the obvious: NTDS.DIT, SAM
To perform an analysis of NTDS.DIT, the following information sources are needed from the domain controller: NTDS.DIT and the registry hives (at least the SYSTEM hive).
- SAM and ntds.dit are stored locally on the server’s drive
- They do not contain passwords; they use MD4 as the way of storing them
- They are encrypted
The above means: to read the clear-text password you need to struggle!

Demo: SAM/NTDS.dit hash spree, offline

Two AMAZING discoveries!
- Kerberos Pre-Authentication: smart card logon is possible without a smart card
- DPAPI-NG, SID-protected PFX files: private keys can be extracted from the PFX files without having a password

Kerberos Pre-Auth: Securing Yourself for a Rainy Day

DPAPI-NG SID-Protected PFX Files… Unprotected

Credential Security Takeaways
- Offline access: cryptography that relies on keys stored in the registry is only as safe as your offline access.
- Domain Admins: we all know that they should log on to the domain controllers only. Who are they? Can we trust them?
- Mechanisms are safe… until the keys are extracted. In practice they are as safe as your approach.
