Reality Bites
The Attacker’s View of Windows Authentication and Post-exploitation
Chris CAMPBELL `obscuresec`, Benjamin DELPY `gentilkiwi`, Skip DUCKWALL `passingthehash`
`whoami /groups` ?
Chris CAMPBELL - @obscuresec
– Pentester / Researcher / Former Army Red Team
– One of the authors of PowerSploit – PowerShell based post-exploitation toolkit
– Presented at Blackhat, Defcon, and more
Benjamin DELPY - @gentilkiwi
– Security researcher (the French guy with flashy Tahitian shirts)
– Author of mimikatz
– Presented at Black Hat, Defcon, PHDays, and more
Skip DUCKWALL - @passingthehash
– Pentester / Researcher / Former Army Red Team
– Patched pass-the-hash functionality into many tools used by pentesters
– Presented at Blackhat, Defcon, and more
10/10/2014 Chris, Ben & Skip @ BlueHat Reality Bites - The Attacker’s View of Windows Authentication and Post-exploitation
What we’re talking about
The world that exists outside Microsoft
Windows authentication in the real world
Popular attacks against Windows authentication in the real world
mimikatz
One quick question?
Who won the Xbox One?
All three of us have asked a lot
– Even at MSRC ;)
So let’s use #askpth
– … for official hashtag of this talk!
The Idealistic View
Everybody runs the most up-to-date software
– All clients are Windows 8.1 / servers are 2012R2
– Domain / forest is at 2012R2 functional level
– All software is patched quickly
– Completely homogeneous Microsoft environment
A More Realistic View - Environment
Heterogeneous environments
Mix of Linux / Unix / Windows on the server side
– License costs prohibitive if not bundled with server hardware
– Virtualization makes spinning up new servers quick and easy
• License costs can grow quickly as well
Desktops are often a mix of various flavors of Windows
– Some OSX / Macs as well
Unix authentication sometimes integrated with Active Directory
– LDAP
The Realistic View - Patching
Patching is inconsistent
– Especially 3rd-party software
• Java / Acrobat Reader
Some services will be patched quickly
Some services on ‘don’t touch’ lists
Patching usually inversely proportional to the criticality of the system
The Realistic View - Desktop
Most enterprises are still transitioning from XP to Windows 7
– Licenses are expensive and often paired with hardware upgrades
None of the enterprises we’ve seen use 8.1
– Most enterprises have decided to see what happens with 10+ (XP approach)
Some places still have 2000 or NT and older
– See @Viss scan of the internet
– Shodan HQ
The Realistic View - Office
Mix of Office 2007 / 2010 in use
– with a lot of VBA ;)
Little incentive to upgrade
– Making stuff more “cloud capable” causes issues in many enterprises
• 3rd party doctrine regarding information remaining private / confidential
• Ownership issues
• Technology has evolved, laws haven’t caught up
The Realistic View – Server OS
Many places still run 2003 domain functional level and are only now transitioning to 2008 / 2008R2
Most Windows servers are running 2008 / 2008R2
Server 2003 being transitioned away from due to EOL
Server 2012 / 2012R2 has some traction
Criticality of server determines upgrades
– More critical, less likely
The Realistic View - Other Server Software
SQL Server
– Whatever version the developer / app wanted to use when installed
– Usually multiple versions at the same time
– If the app works, little incentive to upgrade
Exchange
– 2007 or 2010
– Not a lot of incentive to upgrade since it’s viewed as critical infrastructure
SharePoint
– 2007 or 2010
– Not a lot of incentive to upgrade depending on usage
The Net Result?
New features for the latest software will not be present in the average environment
Most enterprises will not regard a new security feature to be worthy of upgrading the platform
It could be 5+ years before some features will be seen in the average environment
Attackers in the Real World (1)
“Real World” attack knowledge suffers from research bias
– Sometimes we only find what we’re looking for
– Once we find something in the past, we tend to look for that first the next time
– New or novel attacks go unnoticed for years
Attackers are less interested in being disruptive
Attackers are more interested in gaining access to corporate data
– Domain / enterprise admin usually not the ultimate goal
– Usually a checkpoint along the way to find the people with access to the goods
– Possible with targeted attacks to never touch any privileged accounts
• Example: Target devs or HR
Attackers in the Real World (2)
Most discovered attacks don’t involve 0-day exploits
– 0-days are expensive
– More difficult to discover post-attack
– Likely only required for hardened targets
Most breach responders overestimate their defensive capabilities, therefore overestimate attacker capabilities
Attackers in the Real World (3)
Client-side attacks combined with social engineering are the most likely vectors
– Everybody clicks on dancing cats
– Email addresses are easy to collect or figure out
– Client-side vulnerabilities appear to be more plentiful
– Some products have come a long way: IE with EMET
– Some still have a ways to go: Java / Flash / Acrobat Reader
– Recent-ish breaches give attackers access to employees’ social networks
• Easier to create more legit-looking context
Use an exploit to start, then depend on bad architecture to work deeper
Attackers in the Real World (4)
After initial compromise, attackers will take their time on post-exploitation
– Targeted information sought
• Client lists
• Source code
• Schematics
• Financial information
• Credit card info / PII / PHI
• Private keys / certificates / code signing certs
Attackers usually have weeks to months
– Detection usually takes months based on the latest Verizon report
• http://www.verizonenterprise.com/DBIR/
Post-exploitation Techniques (1)
An entirely different talk
A few highlights
– Group Policy Preferences
• Anybody with access to DC could recover any credentials set with GPP
• Potentially allows elevation in automation scripts
• ~Patched with MS14-025
– Plaintext credentials in automation scripts
• Mount a share somewhere, copy stuff
– Service accounts
• Tend to be privileged with easy-to-guess passwords that haven’t changed in years
Post-exploitation Techniques (2)
Poorly configured file shares
– Password lists
• Search for ‘password.txt’
– Backups of critical infrastructure / configs
– Unattended installers
• If it automagically joins the domain, there’s a password somewhere
Poorly configured SharePoint
– Use the search functionality to find password lists and config files
Post-exploitation Tools (1)
Attackers have a wide variety of tools they can use
Many are legit tools being used nefariously
– PowerShell
• Allows access to WINAPI / entire .NET framework
• Can be used to bypass even the most mature application whitelisting products
• Trivial AV bypass
– SysInternals
• Why not do ‘bad things’ with Microsoft signed binaries?
• PsExec, AdExplorer, ProcDump, and others
Post-exploitation Tools (2)
NT Resource Kit
– Many useful utilities that are now built-in commands
– sc, dnsquery, etc.
– srvany – make any program a service
Built-in commands
– net.exe, cmd.exe, netsh.exe
Some tools are really only useful for post-exploitation
– mimikatz
mimikatz (1)
Designed by Benjamin to learn more about Windows programming
– Seriously
– We aren’t joking
Exposed several issues with plaintext passwords being stored in memory
– Passwords being stored in LSASS by various SSPs
• WDigest and others
– Partially fixed by Microsoft
– Passwords will be back in LSASS if users need certain SSO
– Third-party SSPs still have access to passwords
• RSA for example
• mimikatz rolled its own as well
mimikatz (2)
Can recover keys / hashes for accounts in memory
Can be used to implement pass-the-hash attacks
– PTH = using hashes as password equivalents
– NTLM is DESIGNED this way
– Windows OS uses PTH
• NTLM service provider only stores the hash in memory
[Figure: LM and NTLM (md4) hash slots as held in memory; the sample NTLM hash shown is cc36cf7a8514893efccd332446158b1a]
mimikatz (3)
Can be used to implement Kerberos attacks
– Can be used to recover a user’s Kerberos tickets
• Both TGTs and service tickets
– Can be used to insert tickets into LSASS for use
• Using a native Windows API
– Can be used to upgrade an NTLM hash to a Kerberos ticket
• This is “overpass-the-hash”
• Introduced at Black Hat USA 2014
• Also works for recovered AES keys on the client side
[Figure, shown twice on the slides: LSASS (kerberos) for the « chocolate.local » domain holds the user’s keys – des_cbc_md5, rc4_hmac_nt (NTLM/md4) = cc36cf7a8514893efccd332446158b1a, aes128_hmac, aes256_hmac – and exchanges with the KDC: ① AS-REQ, ② AS-REP (TGT), ③ TGS-REQ, ④ TGS-REP (TGS), ⑤ Usage. The second copy highlights the rc4_hmac_nt key and the TGT it yields.]
Demo !
New version of mimikatz, new version of Windows, in front of Microsoft staff
mimikatz :: Golden Tickets (1)
Can be used to implement Golden Ticket attacks
– If KRBTGT hash/keys lost
• Domain dump
– Password audit (legitimate use case)
– Poorly redacted pentest report
• Other – Compromise
– File backup of the domain controller
• Shadow copy trick
• Recovery of backup tapes or access to backup file share
– Compromise of virtual machine infrastructure
• Copy the drive image or a snapshot of the image
mimikatz :: Golden Tickets (2)
Made worse by KRBTGT rarely changing
– Only changes during domain functional upgrade from NT5 -> NT6
– 2000/2003 to 2008/2012
• 2008 -> 2012 doesn’t change the value
• the previous one (n-1) still valid…
– Means the age of the hash in the average operational environment is measured in YEARS
mimikatz :: Golden Tickets (3)
KRBTGT hash can be used to generate arbitrary TGTs for use
– Can make user a member of any group, even make it multiple users!
• Even users and SIDs that do not exist
– TGTs will only work for 20 minutes to get service tickets (however any service tickets will be good for 10 hours by default)
• Any account can create / use a spoofed ticket, doesn’t require elevated rights
– Can be used to bypass account restrictions
• Disabled / expired
• Authentication silos
• “Protected Users” group is just a group SID in the TGT
– Create a trail of false events
• Incident handlers rely on event logs
• Easy to frame another user
Demo !
mimikatz :: BlackHat erratum
At BlackHat, we announced that to forge a TGS, we need 2 keys
– krbtgt key
– target key
The krbtgt key is needed to sign the PAC, to avoid alterations
– But how can a remote service check this signature without the key?
• Remember? Kerberos is SYMMETRIC
– Easy: it delegates PAC checks to the KDC…
mimikatz :: BlackHat erratum
Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege […]
Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context, or has SeTcbPrivilege. […]
Windows Server 2003 with SP1 does not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. […]
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or it does not have SeTcbPrivilege […]
http://msdn.microsoft.com/library/cc224027.aspx#id2
mimikatz :: Silver Tickets (1)
So “in real life”, a TGS only needs the target key… no classic service will check the signature… let’s call them: Silver Tickets!
Ticket type                      | Default lifetime | Minimum number of KDC accesses | Multiple targets | Available with smartcard | Realtime check for restrictions (account disabled, logon hours...) | Protected Users check for encryption (RC4/AES) | Can be found in                  | Is funky
Normal                           | 42 days          | 2                              | Yes              | Yes                      | Yes                                                                | Yes                                            | n.a.                             | No
Overpass-the-hash (Pass-the-key) | 42 days          | 2                              | Yes              | No                       | Yes                                                                | Yes                                            | Active Directory / Client memory | No (ok, a little ;))
Pass-the-Ticket (TGT)            | 10 hours         | 1                              | Yes              | Yes                      | No (20mn after)                                                    | No                                             | Client memory                    | Yes
Pass-the-Ticket (TGS)            | 10 hours         | 0                              | No               | Yes                      | No                                                                 | No                                             | Client memory                    | Yes
Silver Ticket                    | [30;60] days     | 0                              | No               | Yes                      | No                                                                 | No                                             | n.a.                             | Yes
Golden Ticket                    | 10 years         | 1                              | Yes              | Yes                      | No (we can cheat)                                                  | No                                             | n.a.                             | Fuck, Yes!
mimikatz :: Silver Tickets (2)
How do we make a Silver Ticket?
– Exactly like a Golden Ticket, except for the krbtgt key
– Target name (server FQDN)
– Service name
– We must have the “Target Key”
• From client memory
• From Active Directory (ok, then we can make a Golden Ticket ;)
• or... from the registry (even offline!)
mimikatz # lsadump::secrets
Domain : CLIENT
SysKey : 5418b222b48866feea6f633efcf8417d

Policy subsystem is : 1.13
LSA Key(s) : 1, default {13e98d1c-c7d5-1099-6477-5dbbed69ec73}
  [00] {13e98d1c-c7d5-1099-6477-5dbbed69ec73} c2e2ee5bfeb6a4fd4f58ab8554c42a585a093b116ee8ce830ee227e0c31071a4

Secret : $MACHINE.ACC
cur/NTLM:1acf72e4e8a2d6209fe96920ff800110
/text: ,QK@Y+i$ nA9BCcrRvnPsaWE/m3_h?U+U^3AL-LF!_8y<2.xH>'^F;>OA.(9v9!(_[=51Pj_]YqKV!5`LIsk=*F`q-/dP:kP))bDhA'!2R/x#u=)O$2W\0me
mimikatz :: Silver Tickets (3)
Before that, who cares about this computer password?
– No… really?
– Yeah, like for the krbtgt account
– At least, this time the password can change every 30 days...
• But the n-1 is still valid (so [30;60] days)… and the password still works if not changed…
$MACHINE.ACC is the new krbtgt, localized to a computer
– And it’s in the registry
Silver Ticket is the new Golden Ticket, localized to a target/service
When you use a Service Account linked to a Kerberized Service, it can be localized to multiple targets (see SPN)
– A lot of chances that you can find it in the registry too ;)
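The defender’s counterpart to the Golden Tickets (2) and Silver Tickets (3) slides is knowing how old those keys are: the krbtgt key, every computer account’s $MACHINE.ACC, and the password of every SPN-bearing service account. The following is an added example, not code from the talk or from mimikatz; it needs the ActiveDirectory module (RSAT) and read access to the domain, and the day thresholds are assumed values an organisation would pick for itself.

```powershell
# Added example (not from the talk or mimikatz): report the age of the three credential
# classes the Golden / Silver Ticket slides turn on. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AgeInDays {
    param([Nullable[datetime]]$Since, [datetime]$Now = (Get-Date))
    if ($null -eq $Since) { return $null }   # never set: reported as unknown
    [int]($Now - $Since).TotalDays
}

function Get-KerberosKeyAgeReport {
    param(
        [int]$KrbtgtMaxDays   = 180,  # ASSUMED threshold; the talk measures real-world age in years
        [int]$ComputerMaxDays = 60,   # 30-day change, n-1 still valid => [30;60] days per the slide
        [int]$ServiceMaxDays  = 365   # ASSUMED; this key is the "target key" for Silver Tickets
    )
    $now  = Get-Date
    $rows = New-Object System.Collections.Generic.List[object]

    # 1. krbtgt: the key behind every TGT in the domain
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = Get-AgeInDays $krbtgt.PasswordLastSet $now
    $rows.Add([pscustomobject]@{ Kind = 'krbtgt'; Name = $krbtgt.SamAccountName; AgeDays = $age
                                 OverLimit = ($null -eq $age -or $age -gt $KrbtgtMaxDays) })

    # 2. computer accounts: $MACHINE.ACC, the "krbtgt localized to a computer"
    foreach ($c in Get-ADComputer -Filter * -Properties PasswordLastSet) {
        $age = Get-AgeInDays $c.PasswordLastSet $now
        $rows.Add([pscustomobject]@{ Kind = 'computer'; Name = $c.SamAccountName; AgeDays = $age
                                     OverLimit = ($null -eq $age -or $age -gt $ComputerMaxDays) })
    }

    # 3. user accounts carrying an SPN: one key, possibly many targets
    foreach ($u in Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet, ServicePrincipalName) {
        $age = Get-AgeInDays $u.PasswordLastSet $now
        $rows.Add([pscustomobject]@{ Kind = 'service'; Name = $u.SamAccountName; AgeDays = $age
                                     OverLimit = ($null -eq $age -or $age -gt $ServiceMaxDays) })
    }
    $rows
}

# Oldest offenders first; drop the Where-Object to see everything.
Get-KerberosKeyAgeReport | Where-Object { $_.OverLimit } | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

A krbtgt age in the hundreds or thousands of days is the condition the Golden Tickets (2) slide describes; a computer or service account whose password has not moved in years is a Silver Ticket target key that never expires in practice.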
mimikatz :: Silver Tickets (4)
Kerberos services rely on SPNs
– Nobody likes to set up SPNs (like MIT Kerberos)
– That’s why Microsoft made it ~easy for you (like MIT Kerberos)
host SPN is not only for “host”, but is an alias for:
alerter appmgmt cisvc clipsrv browser dhcp
dnscache replicator eventlog eventsystem policyagent oakley
dmserver dns mcsvc fax msiserver ias
messenger netlogon netman netdde netddedsm nmagent
plugplay protectedstorage rasman rpclocator rpc rpcss
remoteaccess rsvp samss scardsvr scesrv seclogon
scm dcom cifs spooler snmp schedule
tapisrv trksvr trkwks ups time wins
www http w3svc iisadmin msdtc
mimikatz :: Silver Tickets (5)
kerberos::golden
/domain:blue.local                              <= domain name
/sid:S-1-5-21-4174036629-1679296857-797215250   <= domain SID
/rc4:1acf72e4e8a2d6209fe96920ff800110           <= NTLM/RC4 of the Target/Service
/target:client.blue.local                       <= Target FQDN
/service:cifs                                   <= Service name
/user:Administrator                             <= username you wanna be
/id:500                                         <= RID of username (500 is THE domain admin)
/groups:513,512,520,518,519                     <= Groups list of the user (be imaginative)
/ticket:cifs.client.kirbi                       <= the ticket filename (or /ptt)
Demo !
New version of mimikatz, new version of Windows, in front of Microsoft staff, with new features
mimikatz :: Bonus
mimikatz is full of love for pentesters, but we can’t show all!
– We are modest
A little driver to bypass Protected Process
– Avoid RunAsPPL for LSASS, for example
AddSid
– An experimental function to add the SID of users/groups to another user in Active Directory (admin without admin group)
Thinking that PIN code and Picture password are better?
– You’ve a l33t company, you use Fingerprints in Windows 8?
– Passwords are in the local vault of the SYSTEM… you know? The same as with the password in the registry…
mimilib & memssp
– Grab all passwords!
Demo !
Do Smart Cards Help? (1)
With Windows Auth, not really
– High cost
– Painful deployment
– Other benefits (email certs, ID certs for web servers)
Password hashes are randomly generated and stored
– They never change by default
– Useful for PTH
– Password could still be reset
• One location set the password after smart card enrollment to the same password for all users (thousands)
– NTLM hash stored in Kerberos ticket
Do Smart Cards Help? (2)
Smart cards are only required for INTERACTIVE logon
– Second factor null and void for network logons
– File shares, etc.
Smart cards are considered a stronger form of authentication
– Means that somebody could launch a password guessing attack against the account, possibly lock it
– Account is silently unlocked with a successful smart card login
– User never notified
– Even with that, it gives the user… Kerberos tickets… usable without SC.
What does a compromise really mean?
Need to be honest with ourselves:
– A domain CANNOT BE RECOVERED once it is COMPROMISED
• … but very few people can detect when their domain is compromised
– How does the “assume breach” mentality collide with the “10 Immutable Laws of Security”?
– Education
• If this is the new stance, step up and release actionable guidance for strategic decision makers
– C-Level
– Security Managers
Next Steps (1)
Not all technical
– Educational
– Strategic
Must give clients the real keys to make the transition easy
– Disabling NTLM has been an option for a long time, but who cares?
• That, and people like devices like printers and scanners that use network authentication
– WDigest can be disabled on Windows 7, but who will push the fixit?
– Using CNG or Virtual Smart Cards too, but who cares?
• Most products are not compatible
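The options this slide says nobody turns on (NTLM restriction, the Windows 7 WDigest fixit), plus the RunAsPPL protection the Bonus slide mentions and the PAC validation setting behind the BlackHat erratum, are all plain registry values, so a blue team can at least audit them. The following is an added example, not code from the talk or from mimikatz: a read-only check of those values on the local machine. The registry paths and value names are the ones Microsoft documents for these features (UseLogonCredential from KB2871997, RunAsPPL and LmCompatibilityLevel under Lsa, RestrictSendingNTLMTraffic under MSV1_0, ValidateKdcPacSignature under Kerberos\Parameters); which values count as "hardened" is an assumption made for this script.

```powershell
# Added example (not from the talk or mimikatz): read-only audit of the local
# authentication-hardening settings discussed on the slides. Thresholds are ASSUMED.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: return $null and let the caller decide
}

function Test-WindowsAuthHardening {
    $findings = New-Object System.Collections.Generic.List[string]

    # WDigest: UseLogonCredential = 0 stops the WDigest SSP from keeping a reversible copy
    # of the logon password in LSASS (value introduced by KB2871997 for Windows 7 / 8 /
    # 2008 R2 / 2012; on those versions an absent value means caching is still on).
    $wdigest = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    if ($null -eq $wdigest -or $wdigest -ne 0) {
        $findings.Add('WDigest: UseLogonCredential is not 0, plaintext password may be cached in LSASS')
    }

    # LSASS as a protected process (RunAsPPL = 1), Windows 8.1 / 2012 R2 and later.
    $ppl = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    if ($ppl -ne 1) { $findings.Add('LSA: RunAsPPL is not 1, LSASS is not running as a protected process') }

    # NTLM: LmCompatibilityLevel 5 = NTLMv2 only, refuse LM and NTLM;
    # RestrictSendingNTLMTraffic 2 = deny all outgoing NTLM (1 = audit only, 0 = allow).
    $lmLevel = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($null -eq $lmLevel -or $lmLevel -lt 5) {
        $findings.Add("NTLM: LmCompatibilityLevel is '$lmLevel', expected 5 (NTLMv2 only)")
    }
    $ntlmOut = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    if ($ntlmOut -ne 2) {
        $findings.Add("NTLM: RestrictSendingNTLMTraffic is '$ntlmOut', outgoing NTLM is not denied")
    }

    # PAC validation: ValidateKdcPacSignature = 0 disables the PAC signature check entirely.
    # Even at 1, the erratum slide's rule still applies: services running as SYSTEM /
    # NETWORK SERVICE / LOCAL SERVICE or holding SeTcbPrivilege do not validate.
    $pac = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' 'ValidateKdcPacSignature'
    if ($pac -eq 0) {
        $findings.Add('Kerberos: ValidateKdcPacSignature is 0, PAC validation disabled for every process')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Findings     = $findings.ToArray()
        Hardened     = ($findings.Count -eq 0)
    }
}

Test-WindowsAuthHardening | Format-List
```

Run it from an elevated prompt on a representative client and server; the point of the slide is that most fleets will come back with every finding set, and the audit gives a measurable starting point for the "who cares?" items rather than an opinion.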
Next Steps (2)
Good security must not be a hard option to set AFTER compromise
Give sysadmins / blue teams tools for serious monitoring (eventlog is very NT4)
– Recent addition of command line auditing is a good first step, what’s next?
Enhance admin tools to securely manage large deployments
– Provide a secure method for managing local users across an enterprise
– One of the appeals of GPP was user management, although poorly implemented / insecure
Service / feature minimization
– Unix has done this for years
– If you don’t need a feature, make it so it can be easily disabled / removed
– Issue guidance on what features are required and how to disable those that aren’t
Next Steps (3)
Design services that are breach-resistant
– Advice can’t be to rebuild the forest every day / week
– Design services that are more “tamper evident”
• Alert defenders if key services are touched
• Develop interesting methods to detect things like the Kerberos attacks
Authentication is hard
– If we had the solution, we’d be rich
– Requires active research
• Not a one-size-fits-all solution
• Local authentication != cloud authentication
• Room for many solutions
Next Steps (4)
Asymmetric encryption might be the answer?
– Key exchange is always the problem
• Figure this one out and you might have a way forward
Hardware integration?
– Critical credentials stored on a crypto chip that is tied to a particular computer?
Third Party Support
– Accept the fact that most environments are heterogeneous
– Printers / Scanners / Future devices need to authenticate
– Develop proactive solutions for authentication, document and share
Next Steps (5)
Minimize and learn from previous mistakes
– NTLM weakness = hash is password equivalent
– AES keys are treated the same way currently in Windows
• Recover AES keys, get Kerberos ticket, win
– Kerberos design weaknesses have been well documented since the 1990s
• Designed to minimize authentication traffic / load, not necessarily for security / robustness
Next Steps (6)
Break with the past
– Backwards compatibility will always get you
– At some point in time you have to put it out of its misery
Remember that the solution can’t be Microsoft only
– Printers / scanners / etc. need to be able to interact as well
– Design for future network needs as well
Defensive Measures
It’s difficult to get everything correct
– Old adage: Defenders have to be right all the time, attackers only have to be right once
– Try to move towards “secure by default” or “fail closed”
• Or at least give enterprises the capability to do so if they choose to
Best measures are usually detective
– Know what normal looks like for privileged users
– Spot the abnormalities
• Defensive staff knows when an admin is on vacation or off shift
– Enhance auditing capabilities and increase alerting
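"Spot the abnormalities" and the Next Steps (3) wish for methods that detect the Kerberos attacks can be made concrete with the facts the talk itself gives: a forged TGT never went through AS-REQ/AS-REP, and a ticket forged from an NTLM/RC4 key (the /rc4: parameter on the Silver Ticket slide) comes out as RC4 even where the service supports AES. The following is an added example, not code from the talk or from mimikatz: two such heuristics over a constructed set of 4768/4769-style records so it runs offline. The record fields mirror the Security log event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); in production the input would come from Get-WinEvent on every domain controller, and the list of AES-capable service accounts is an assumed inventory the defender maintains.

```powershell
# Added example (not from the talk or mimikatz): two Kerberos detection heuristics run
# over CONSTRUCTED sample records. Real input: Get-WinEvent -FilterHashtable
# @{LogName='Security'; Id=4768,4769} on every DC, mapped to the fields used below.

function Find-SuspiciousKerberosActivity {
    param(
        [object[]]$Events,              # Id, Time, TargetUserName, ServiceName, TicketEncryptionType, IpAddress
        [string[]]$AesCapableServices,  # service accounts known to hold AES keys (ASSUMED inventory)
        [int]$TgtLifetimeHours = 10     # default TGT lifetime, per the ticket table above
    )
    $alerts  = New-Object System.Collections.Generic.List[object]
    $lastTgt = @{}                      # user -> time of the last TGT seen issued (event 4768)

    foreach ($e in ($Events | Sort-Object Time)) {
        $user = $e.TargetUserName.ToLower()
        if ($e.Id -eq 4768) { $lastTgt[$user] = $e.Time; continue }
        if ($e.Id -ne 4769) { continue }

        # Heuristic 1: a service-ticket request (TGS-REQ) for a user no collected DC issued a
        # TGT to within the TGT lifetime. A forged TGT skips AS-REQ/AS-REP entirely.
        # Only meaningful when the logs of ALL DCs are merged, otherwise this is noise.
        $tgtSeen = $lastTgt.ContainsKey($user) -and
                   (($e.Time - $lastTgt[$user]).TotalHours -le $TgtLifetimeHours)
        if (-not $tgtSeen) {
            $alerts.Add([pscustomobject]@{ Rule = 'TGS without TGT'; User = $e.TargetUserName
                                           Service = $e.ServiceName; Time = $e.Time; Source = $e.IpAddress })
        }

        # Heuristic 2: RC4 (0x17) service ticket for a service whose account supports AES.
        # A ticket built from the NTLM/RC4 key alone cannot be anything but RC4.
        if ($e.TicketEncryptionType -eq '0x17' -and $AesCapableServices -contains $e.ServiceName) {
            $alerts.Add([pscustomobject]@{ Rule = 'RC4 ticket for AES-capable service'; User = $e.TargetUserName
                                           Service = $e.ServiceName; Time = $e.Time; Source = $e.IpAddress })
        }
    }
    $alerts
}

# Constructed sample (not real log data): alice gets a TGT then a ticket for FS01$ (normal);
# bob requests a CIFS ticket with no TGT on record; carol's ticket for FS01$ comes back RC4.
$t0 = Get-Date '2014-10-10 09:00'
$sample = @(
    [pscustomobject]@{ Id = 4768; Time = $t0;                TargetUserName = 'alice'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.11' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(5);  TargetUserName = 'alice'; ServiceName = 'FS01$';  TicketEncryptionType = '0x12'; IpAddress = '10.0.0.11' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(10); TargetUserName = 'bob';   ServiceName = 'FS01$';  TicketEncryptionType = '0x17'; IpAddress = '10.0.0.99' }
    [pscustomobject]@{ Id = 4768; Time = $t0.AddMinutes(15); TargetUserName = 'carol'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.12' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(20); TargetUserName = 'carol'; ServiceName = 'FS01$';  TicketEncryptionType = '0x17'; IpAddress = '10.0.0.12' }
)

Find-SuspiciousKerberosActivity -Events $sample -AesCapableServices @('FS01$') | Format-Table -AutoSize
```

The sample is built so that bob trips both rules, carol only the RC4 rule and alice neither. Both heuristics are deliberately cheap because, as the talk notes, the event log is the record incident handlers have; the real work is collecting it from every DC and, for the first rule, tolerating tickets legitimately issued before the collection window began.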
That’s all Folks!
We would especially like to thank:
– Will Peteroy
– Joe Bialek
– Akila Srinivasan
– The 80’s (first versions of Kerberos)
– The 90’s (first versions of NTLM)
– All (previous?) architects of Microsoft for making it possible
Seriously, we know it’s hard to change things in Security with retro compatibility and business in the balance!
Websites, Source Codes & Contact
Benjamin DELPY
blog     http://blog.gentilkiwi.com
mimikatz http://blog.gentilkiwi.com/mimikatz
source   https://github.com/gentilkiwi/mimikatz
contact  @gentilkiwi / [email protected]
Chris CAMPBELL
blog     http://obscuresecurity.blogspot.com
source   https://github.com/obscuresec
contact  @obscuresec / [email protected]
Skip DUCKWALL
blog     http://passing-the-hash.blogspot.com
source   https://github.com/gentilkiwi/mimikatz
contact  @passingthehash / [email protected]