GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS Passwords Everywhere Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com | GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Take care of your passwords People use the same passwords for different services AD network, mobile phone, credit card PIN, facebook, e-shops, free-mail, … People type their passwords on unknown computers Passwords travel over network unencrypted Somebody else is your computer administrator Computers store passwords often in full form

Hardware keyloggers Easy soldier

Different service = different password? Do you thing the databases of facebook, google+, gmail, microsoft, alza, seznam, … are encrypted? nonsense What do you thing the Indians do when bored? are they surfing your email, or facebook? What do you thing is the first thing a virus is going to do after infection? list all user accounts touch anything in your network with your current password

User Account Control (UAC) Locally limits Administrators group membership Does nothing over network It matters only for a BFU on a single machine It does not affect administrative accounts

Windows authentication seems secure Kerberos, Kerberos, Kerberos, sometimes NTLM Encrypted network transport AES, mutual authentication, rekeying, etc.

Passwords are in memory plaintext password LSASS IS Client Internet Explorer Ctrl-Alt-Del Outlook Lync

Passwords are in LSASS memory plaintext password Local LSASS Server LSASS IS Client Kerberos Server Internet Explorer NTLM Outlook Lync

Who can steal passwords from LSASS Local Administrators Debug privilege is just the only necessary to break into LSASS memory

Basic authentication HTTP Basic authentication LDAP Simple bind RDP used veeeeery often even on intranets mostly BFU accounts LDAP Simple bind used veeeeery often by third-party NAS, VPN, VoIP, gateways, routers, VMWare console, etc. often administrative accounts RDP used extreeeeemely often extreeeeemely often administrative accounts

Passwords are in LSASS memory Server LSASS plaintext password VPN MSTSC IS Client plain-text Server Internet Explorer Outlook Lync

Passwords are stored in full form IIS application pools Services Scheduled tasks

After attack, change your password! Really? Password filter on DC or on local SAM database

Good password Long at least 12 characters All four types of characters (a-z, A-Z, 0-9, #$%^…) 80% passwords are alfa-numeric Never reuse the same password for critical services not too much change necessary

Password locking? Do not exagerate 6 characters complex password 75 trials per one lock for 1 minute = 3 300 years

Cracking from local/AD hashes (non-cache) MD4 hashes brute-force 8 characters complex 1 CPU = 25 years 10 GPUs = 15 days rainbow-table 8 characters complex = minutes = 120 GB Every character makes it 80x more difficult 12 characters complex password is unbreakable at least for non-NSA mortals

Cracking from network trace and password cache No use for rainbow-table MD4 salted Only brute-force possible

What to remember Never type a password on an unknown computer Accessing remote machines with RDP sends there your password Disable all HTTP Basic and LDAP Simple bind authentications Use smart cards instead

Where to read more http://www.sevecek.com/Lists/Categories/Category.aspx?CategoryId=17&Name=(Anti)hacking http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS NASHLEDANOU na kurzech v počítačové škole GOPAS, a.s. GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI Deployment GOC175 - Administering Security GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS