security assessment of microsoft directaccess · 14.03.2016 security assessment of microsoft...

ERNW GmbH.

Security Assessment of Microsoft DirectAccess

Ali Hardudi

Supervised by

Prof. Dr. rer. nat. habil. Dirk Westhoff M. Sc. Enno Rey

A thesis for the completion of Master of Science in Communication and Media Engineering CME

ERNW GmbH.

Agenda ¬ Introduction

Objective

A Quick Look into DirectAccess

¬ DirectAccess Lab

¬ Assessment

Scenarios and Attacker

IPv6 Attacks

TLS and IPSEC Default Configuration

¬ Conclusion

14.03.2016 Security Assessment of Microsoft DirectAccess #2

ERNW GmbH.

Introduction

ERNW GmbH.

Thesis Objective

¬ Thesis objective Study the DirectAccess

Performing a security evaluation

ERNW GmbH.

Pure IPv6 No user interaction Remote management and administration Bidirectional access Enhanced security features Working over IPv4 Internet infrastructure

DirectAccess Features

ERNW GmbH.

Not all Windows OS’s are supported

The following options are not always possible: End to End encryption

Force tunneling

Performance degradation when IP-HTTPS tunneling is used

Complex technology

DirectAccess Limitations

ERNW GmbH.

¬ Active Directory Domain Controller (AD DC).

¬ IPSEC

¬ Public Key Infrastructure (PKI)

¬ HTTPS server as Network Location Service (NLS)

¬ Name Resolution Policy Table (NRPT)

¬ IPv6 tunneling technologies

¬ NAT64/DNS64

¬ Others (e.g. Forefront Unified Access Gateway (UAG), Network Access Protection (NAP))

IKE, HTTPS, DNS64, ISAKMP, Kerberos, PKI, NTLM, DHCPV6

TCP, UDP

IPv6, IPv6 Tunneling, ICMPv6

IPsec (ESP, AH), NAT64

Figure 1 DirectAccess stack of main protocols

Technologies and Protocols

ERNW GmbH. Security Assessment of Microsoft DirectAccess #8

D ir e c t A c c e s s C lie n t

T L S h a n d s h a k e

D ir e c t A c c e s s S e r v e r

H T T P S s e r v ic e

14.03.2016

Figure 2 DirectAccess connection steps using IP-HTTPS

D ir e c t A c c e s s C lie n t D ir e c t A c c e s s

S e r v e r

IP -H T T P S t u n n e l

14.03.2016

S e r v e r

C o m p le t e N D p r o t o c o l

14.03.2016

S e r v e r

IP -H T T P S in t e r fa c e

14.03.2016

S e r v e r

N T L M v 2

A u t h e n t ic a t in g a n d B u ild in g t h e IP S E C in f r a s t r u c t u r e t u n n e l

14.03.2016

S e r v e r

IPSEC Infrastructure tunnel

14.03.2016

S e r v e r

D N S c o n v e r s a t io n

14.03.2016

S e r v e r

14.03.2016

S e r v e r

14.03.2016

S e r v e r

A u t h e n t ic a t in g a n d B u ild in g t h eIP S E C in t r a n e t t u n n e l

K e r b e r o s

14.03.2016

S e r v e r

IPSEC Intranet tunnel

14.03.2016

S e r v e r

D N S c o n v e r s a t io n

14.03.2016

S e r v e r

R e s o u r c e s

14.03.2016

ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #21

Lab Deployment

Ubuntu 14.04.3 TLS (Attacking computer)

Windows server 2012 R2 (Internet Service Provider (ISP))

Windows server 2012 R2 (AD DC)

Windows server 2012 R2 (DirectAccess server)

Windows 8.1 Enterprise (DirectAccess client)

Windows server 2012 R2 (Internal resources)

Windows server 2012 R2 (Certificate Authority)

Cisco Catalyst 2950 series

Windows server 2012 R2 (Host VM)

Figure 3 DirectAccess lab components

IP-HTTPS Interface

ERNW GmbH.

Full access model

DirectAccess server is an edge topology

The DirectAccess computers are assigned to a security group

The IPv6 tunneling is IP-HTTPS

All the certificates are issued by the corpnet Certificate Authority (CA)

IPSEC Encapsulated Security Payload (ESP) protocol tunnel mode

Windows 8.1 uses Null cipher suites for IP-HTTPS

DirectAccess configuration

Figure 4 Screenshot for the configuration panel of DirectAccess

Figure 5 DirectAccess lab topology

Assessment

ERNW GmbH.

Scenarios and Attacker

¬ Two different scenarios were assessed:

IP-HTTPS default configuration

Authenticated IP-HTTPS

¬ Attacker knowledge and capabilities:

URL/IP of the DirectAccess server

Compromised or a trusted certificate

Position of attacker is remotely settled or within the local subnet of the client

A D D C

N L SH T T P S s e r v ic e

In t r a n e tU n a u t h e n t ic a t e d IP -H T T P S t u n n e l

D ir e c t A c c e s s c lie n t

IC M P v 6

A t t a c k e r

A t t a c k e r c a n e s t a b lis h t h is t u n n e l w it h o u t a u t h e n t ic a t io n

A t t a c k e r c a n u t i l iz e s o m e t y p e s o f IC M P v 6 p a c k e t s

R e s o u r c e s

IP S E C in f r a s t r u c t u r e t u n n e l

IP S E C in t r a n e t t u n n e l

IC M P v 6 t r a v e ls o u t s id e t h e IP S E C t u n n e ls

C e r t if ic a t e A u t h o r it yN T L M v 2

K e r b e r o s

In t e r n e t

Figure 6 IP-HTTPS default configuration scenario

¬ The IP-HTTPS tunnel was established

¬ The internal servers were reachable using ICMPv6 echo request

IP-HTTPS using Python

Figure 7 Using Ubuntu and Python IP-HTTPS interface to connect to the DirectAccess server

¬ The IP-HTTPS tunnel was established

¬ The internal servers were reachable using ICMPv6 echo request

IP-HTTPS using Python

Figure 8 Python IP-HTTPS was configured with IPv6 addresses

ERNW GmbH.

Performed Attacks

The unauthenticated IP-HTTPS:

¬ Packets with multicast destination addresses are not forwarded

¬ Packets with unicast addresses are not forwarded

¬ Server replies on behalf of clients, if a client wants to configure an address that is already configured

L Attack Attacker position

1 Scan alive hosts using Ping scan

Local or remote

2 Scan for alive DA clients using Duplicate Address Local or remote

3 Send packets with spoofed IPv6 addresses Local or remote

4 Denial of Service against IP-HTTPS tunnel

Local or remote

5 Neighbor Cache exhaustion Local or remote

6 MITM using a trusted certificate Local or remote

7 MITM by relaying IPSEC packets via attacker’s computer

Table 1 Attacks that were performed on the unauthenticated IP-HTTPS tunnel

ERNW GmbH.

spoofing attack

Figure 9 A packet with a spoofed source address

ERNW GmbH.

spoofing attack

Figure10 DirectAccess server replied to the spoofed address

ERNW GmbH.

spoofing attack

Figure10 DirectAccess server replied to the spoofed address

¬ Windows server 2012 uses RFC 7048 “Neighbor Unreachability Detection Is Too Impatient”

¬ Unreachable state is maintained for a cache entry (CE)

Neighbor Cache Exhaustion

Figure11 DirectAccess server neighbor cache

Scan Connected DirectAccess Clients

Figure12 Clients IPv6 enumeration using Duplicate Address Detection

Scan Connected DirectAccess Clients

Figure13 DirectAccess server replied on behalf of the existing DirectAccess client

A D D C

N L SH T T P S s e r v ic e

In t r a n e t

In t e r n e t

A u t h e n t ic a t e d IP -H T T P S t u n n e l

IC M P v 6

A t t a c k e r

A t t a c k e r e s t a b lis h e s t h e IP -H T T P S t u n n e l u s in g a

s t o le n / t r u s t e d c e r t if ic a t eA t t a c k e r c a n u t i l iz e s o m e t y p e s o f IC M P v 6 p a c k e t s

R e s o u r c e s

IP S E C in f r a s t r u c t u r e t u n n e l

IP S E C in t r a n e t t u n n e l

IC M P V 6 p a c k e t s f r o m t h e a t t a c k e r c a n r e a c h D ir e c t A c c e s s c l ie n t / s

C e r t if ic a t e A u t h o r it y

N T L M v 2K e r b e r o s

Figure 14 Authenticated IP-HTTPS scenario

¬ Almost all types of packets are accepted by the DirectAccess

¬ Null cipher suites can not be used any more

DA client certificate was extracted using mimikatz

Figure 15 Configuring IP-HTTPS server component to use authentication

Figure 16 Using certificate mapping to finish configuring authentication on IP-HTTPS tunnel

Figure 17 Packets where received by Python IP-HTTPS interface on Ubuntu

ERNW GmbH.

Performed Attacks

¬ All the authenticated IP-HTTPS connections are trusted

¬ The only packets that are not forwarded those which have unspecified IPv6 source address “::”

L Attack Attacker position

1 Scan for alive DirectAccess clients using Ping scan Local or remote

2 Scan DirectAccess clients for open ports

Local or remote

3 DoS against DirectAccess clients by sending fake Router

Advertisement (RA) with randomized prefixes

Local or remote

4 Hijacking IPSEC packets that are sent to the client and cause a DoS

Local or remote

DoS DirectAccess client, by sending unsolicited Neighbor Solicitation (NS) with the IPv6 of the

DirectAccess server as a source address

Local or remote

Table 2 Attacks that were performed on the authenticated IP-HTTPS tunnel

DoS with Fake RA

Figure 18 Part of the addresses that were configured after receiving a fake RA with randomized prefixes

A u t h e n t ic a t e d IP -H T T P S tu n n e l

IPSEC NS NA IPSEC

N t im e s S p o o fe d N A

Figure 19 Hijacking the IPSEC downstream traffic

MITM The IP-HTTPS Traffic

Figure 20 The attacking machine received IPSEC packets after a DirectAccess client was switched off

Figure 21 Sending spoofed NA’s to the DirectAccess server and hijacking the connection from server to the client

¬ Spoof the server RA

¬ Set the Router Preference flag with high priority

¬ Set all Route Information (RFC 4191) options with high priority

¬ Use the same advertised Prefix Information

Figure 22 Router Advertisement (RA) sent by DirectAccess server

In t e r n e t

A C C E S S P o in t

Fake RA

Figure 23 MITM on the local subnet

NS IPSEC

Source: https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html

ERNW GmbH.

Conclusion ¬ DirectAccess is a relatively new technology that offers the corpnet users a

flexible, an always-on and an automatic access to the internal resources.

¬ The security assessment process showed that IP-HTTPS is a very critical component, which could be utilized by attackers to perform many IPv6 attacks on both DirectAccess client and server.

¬ The Thesis also pointed out the necessity of reviewing the configuration of both TLS and IPSEC protocol.

¬ The infrastructure tunnel and the 6to4 tunneling represent very attractive sources of attacks.

ERNW GmbH. #57

Security Assessment of Microsoft DirectAccess 14.03.2016

security assessment of microsoft directaccess · 14.03.2016 security assessment of microsoft...

Documents

kayserİ haber arİvİ 14.03.2016–20.03.2016 “zaman...

14.03.2016 12:1214.03.2016 12:12 gedanken über...

tumors of middle and inner ear dr.sithanandha kumar...

Газета "Наш край", №2 (14.03.2016) -...

6ártalanul forefront uag + directaccess

how to troubleshoot directaccess

conditional access directaccess & automatic vpn desktop...

microsoft directaccess mit forefront uag jörg riether

reinventando o acesso remoto com directaccess

wsv404 directaccess server (server 2008 r2) directaccess...

soutenance thèse e-beauté - salina ziane - 14.03.2016

directaccess - безопасный и прозрачный...

diario la tercera 14.03.2016

directaccess is an enterprise solution: no support for...

gisvm 14.04.3 geoserver quickstart & passwords

directaccess - безопасный прозрачный...

configuring and implementing directaccess with windows...

directaccess with unified access gateway (uag)

directaccess med windows 7 og windows server 2008...

noticias del sistema educativo michoacano al 14.03.2016