Eyes Wide Shut: What Do Your Passwords Do When No One Is Watching?


Posted on 08-Feb-2017


TRANSCRIPT

  • Eyes Wide Shut: What Do Your Passwords Do When No One is Watching

    Paula Januszkiewicz

    CQURE: Director of Consulting, Security Expert

    CQURE Academy: Trainer

    MVP: Enterprise Security

    www.cqureacademy.com

    @CQUREAcademy

    CONSULTING

  • Hacking Live Workshop 2017

  • Application Pools: used to group one or more web applications

    Purpose: assign resources, serve as a security sandbox

    Use worker processes (w3wp.exe)

    Their identity is defined in the Application Pool settings

    Process requests to the applications

    Passwords for the AppPool identity can be decrypted, even offline

    They are stored in encrypted form in applicationHost.config

    Conclusion: IIS bases its security on the machine keys (Local System)
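One way to act on the point above, as an added example that is not code from the presentation or from Microsoft: audit an offline copy of applicationHost.config and list every application pool that runs as a specific user, since those are the pools whose passwords IIS has to keep in the file (normally encrypted, and decryptable with the machine keys). Element and attribute names are those of the real applicationHost.config schema; the "[enc:<provider>:<base64>:enc]" value format, the watch-list of account names and the sample file are assumptions and constructed data.

```python
"""Audit application pool identities in a copy of applicationHost.config.

Added example, not from the presentation or from Microsoft. Element and
attribute names follow the real schema; the encrypted-value format
"[enc:<provider>:<base64>:enc]" and the sample file are assumed/constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal applicationHost.config, not a real server's file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v4.0" />
      <add name="PayrollPool">
        <processModel identityType="SpecificUser" userName="CORP\\svc_payroll"
                      password="[enc:IISWASOnlyAesProvider:QUJDREVGR0hJSktMTU5PUA==:enc]" />
      </add>
      <add name="LegacyPool">
        <processModel identityType="SpecificUser" userName="CORP\\Administrator"
                      password="Summer2017!" />
      </add>
      <add name="ReportsPool">
        <processModel identityType="NetworkService" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# Assumed on-disk form of an attribute value that IIS has encrypted.
ENCRYPTED_VALUE = re.compile(r"^\[enc:(?P<provider>[^:\]]+):[^\]]*:enc\]$")
# Assumed watch-list: account names that should never run a worker process.
HIGH_PRIVILEGE_ACCOUNTS = {"administrator", "system"}


def audit_app_pools(config_xml: str) -> list:
    """Return one finding per pool that stores a user's credentials in the file."""
    root = ET.fromstring(config_xml)
    findings = []
    for pool in root.iterfind(".//applicationPools/add"):
        model = pool.find("processModel")
        # No processModel, or a built-in identityType: no password is stored for it.
        if model is None or model.get("identityType") != "SpecificUser":
            continue
        user = model.get("userName", "")
        password = model.get("password", "")
        enc = ENCRYPTED_VALUE.match(password)
        account = user.split("\\")[-1].lower()      # strip DOMAIN\ prefix
        findings.append({
            "pool": pool.get("name"),
            "userName": user,
            "password_encrypted": enc is not None,
            "provider": enc.group("provider") if enc else None,
            "high_privilege": account in HIGH_PRIVILEGE_ACCOUNTS,
        })
    return findings


def report(findings) -> str:
    """Human-readable one line per finding, flagging the two risky cases."""
    lines = []
    for f in findings:
        flags = []
        if not f["password_encrypted"]:
            flags.append("PLAINTEXT PASSWORD")
        if f["high_privilege"]:
            flags.append("HIGH-PRIVILEGE ACCOUNT")
        state = ", ".join(flags) or "encrypted with " + f["provider"]
        lines.append(f'{f["pool"]}: runs as {f["userName"]} ({state})')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_app_pools(SAMPLE_CONFIG)))
```

Both flagged cases matter to a defender: a clear-text value means the identity was set by editing or templating the file rather than through the IIS tools (which encrypt it), and an encrypted value for a highly privileged account is still recoverable by anyone who can read the file and the machine keys, which is the point of the slide.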

  • Demo: Application Pools

  • Demo: IISWasKey

  • Class names for keys from HKLM\SYSTEM\CCS\Control\Lsa

    HKLM\SECURITY\Cache

    HKLM\SECURITY\Policy\Secrets

  • Services: store their configuration in the registry

    A service always needs some identity to run the executable!

    Local Security Authority (LSA) Secrets

    The service account password must be stored locally, especially when domain credentials are used

    It can be accessed when impersonating Local System

    Service accounts should be monitored

    If you cannot use gMSA or MSA accounts, use a subscription for svc_ accounts (naming convention)

    Conclusion: think twice before using an administrative account; use a gMSA
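The monitoring advice above turned into a triage, as an added example that is not code from the presentation: rows of (service name, StartName) such as those returned by `Get-CimInstance Win32_Service` are sorted into built-in identities, virtual service accounts, (g)MSAs, accounts that follow the svc_ convention, and plain user accounts that nobody is watching. Assumptions: a (g)MSA logs on with an account name ending in "$", an empty StartName means LocalSystem, and the sample rows are constructed.

```python
"""Triage Windows service logon accounts for monitoring.

Added example, not from the presentation. Assumptions: (g)MSA account names
end in '$'; the 'svc_' prefix is the naming convention for other service
accounts (as on the slide); an empty StartName means LocalSystem.
"""
BUILTIN_ACCOUNTS = {
    "localsystem",
    "nt authority\\system",
    "nt authority\\localservice",
    "nt authority\\networkservice",
}

# Constructed sample rows: (service name, StartName).
SAMPLE_SERVICES = [
    ("Spooler", "LocalSystem"),
    ("W32Time", "NT AUTHORITY\\LocalService"),
    ("MSSQLSERVER", "NT SERVICE\\MSSQLSERVER"),
    ("SQLAgent", "CORP\\gmsa_sqlagent$"),
    ("BackupAgent", "CORP\\svc_backup"),
    ("LegacyApp", "CORP\\jsmith"),
    ("Monitoring", "monitor@corp.example"),
]


def account_name(start_name: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case the bare name."""
    return start_name.split("\\")[-1].split("@")[0].lower()


def classify(start_name: str) -> str:
    """Return 'builtin', 'virtual', 'msa', 'svc_convention' or 'review'."""
    if not start_name or start_name.lower() in BUILTIN_ACCOUNTS:
        return "builtin"          # identity comes from the OS, no admin-chosen password
    if start_name.lower().startswith("nt service\\"):
        return "virtual"          # virtual service account, password managed by the OS
    name = account_name(start_name)
    if name.endswith("$"):
        return "msa"              # (g)MSA: password generated and rotated by AD
    if name.startswith("svc_"):
        return "svc_convention"   # a user account, but named so it can be watched
    return "review"               # a plain user account holding an LSA secret: check it


def triage(rows) -> dict:
    """Group service names by classification, preserving input order."""
    groups = {}
    for service, start_name in rows:
        groups.setdefault(classify(start_name), []).append(service)
    return groups


if __name__ == "__main__":
    for category, services in triage(SAMPLE_SERVICES).items():
        print(f"{category:>15}: {', '.join(services)}")
```

The "review" bucket is the list to take to the owners: each entry is a real user account whose password sits in LSA Secrets on that host and that the slide says should either become a gMSA or at least be renamed into the monitored convention.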

  • Demo: Services

  • The above means:

    To read the clear-text password, you need to struggle!

  • Demo: SAM/NTDS.dit

  • Are cached credentials safe?

  • DK = PBKDF2(PRF, Password, Salt, c, dkLen)

    Microsoft's implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)

  • Before the attacks facilitated by pass-the-hash, we could only rejoice at the "salting" by the username.

    There are a number of pre-computed tables for users such as Administrator that facilitate attacks on these hashes.

  • There is actually not much of a difference from XP / 2003!

    No additional salting.

    PBKDF2 introduced one new variable: the number of SHA1 iterations, with the same salt as before (the username).

  • The number of PBKDF2 iterations is configurable through the registry:

    HKEY_LOCAL_MACHINE\SECURITY\Cache

    DWORD (32) NL$IterationCount

    If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations)

    If the number is greater than 10240, it is the number of iterations (rounded to 1024)
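The formula and the registry rule from the last three slides, carried through in code as an added example that is not from the presentation or from Microsoft: it derives MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, iterations, 16) with the iteration count taken from an NL$IterationCount value, so a defender can see what a given setting costs per candidate guess. Assumptions: the salt is the lower-cased user name encoded as UTF-16LE (the form used by published cached-credential tooling); "rounded to 1024" is taken as rounding down; an absent value, or exactly 10240, gives 10240 iterations; DCC1 is passed in as a 16-byte value (its own derivation from the NT hash is not covered here) and the DCC1 used for timing is a constructed stand-in.

```python
"""MSDCC2 derivation with the NL$IterationCount rule from the slides.

Added example, not from the presentation or from Microsoft. Assumptions are
marked in comments: salt encoding, rounding direction, handling of absent
or exactly-10240 values, and a constructed DCC1 stand-in.
"""
import hashlib
import time

DEFAULT_ITERATIONS = 10240


def effective_iterations(nl_iteration_count=None) -> int:
    """Turn the NL$IterationCount DWORD into the PBKDF2 iteration count."""
    if nl_iteration_count is None:
        return DEFAULT_ITERATIONS       # value not present: assumed Windows default
    value = int(nl_iteration_count)
    if value <= 0:
        raise ValueError("NL$IterationCount must be positive")  # assumption
    if value < 10240:
        return value * 1024             # small values are multipliers of 1024
    return (value // 1024) * 1024       # large values are counts, rounded down (assumed)


def msdcc2(dcc1: bytes, username: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 keyed with DCC1, salted with the user name, 16-byte output."""
    if len(dcc1) != 16:
        raise ValueError("DCC1 must be 16 bytes")
    salt = username.lower().encode("utf-16-le")   # assumed salt encoding
    return hashlib.pbkdf2_hmac("sha1", dcc1, salt, iterations, 16)


def relative_cost(nl_iteration_count=None) -> float:
    """Per-guess cost relative to the default 10240 iterations."""
    return effective_iterations(nl_iteration_count) / DEFAULT_ITERATIONS


def time_one_guess(nl_iteration_count=None, username="administrator") -> float:
    """Seconds one candidate takes on this machine, using a constructed DCC1."""
    dcc1 = bytes(range(16))             # constructed stand-in, not a real hash
    iterations = effective_iterations(nl_iteration_count)
    start = time.perf_counter()
    msdcc2(dcc1, username, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for setting in (None, 20, 100):
        print(f"NL$IterationCount={setting!s:>5}: "
              f"{effective_iterations(setting):>7} iterations, "
              f"{relative_cost(setting):5.1f}x cost, "
              f"{time_one_guess(setting) * 1000:.1f} ms per guess")
```

The output makes the slide's point measurable: the registry value scales the work an offline guesser must do per candidate linearly, while the salt stays the user name, so a higher NL$IterationCount is the one knob that does anything against pre-computed tables for common account names.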

  • Demo: Cached Credentials

  • DPAPI is based on the following components: password, data blob, entropy

    It is not broken by password resets!

    Protects against outsiders who have offline access

    Effectively protects users' data

    Stores the password history

    You need to be able to access some of your passwords from the past

    Conclusion: the OS greatly helps us to protect secrets

  • Demo: Classic DPAPI

  • Demo: DPAPI Taken Further

  • Demo: RDG Passwords

  • Location | Plaintext passwords (reversibly encrypted) | NT hash | LM hash | TGT | Windows logon cached password verifiers
    Security Accounts Manager (SAM) database | - | Yes | Maybe (1) | - | -
    Local Security Authority Subsystem (LSASS) process memory | Yes | Yes | Yes | Yes | -
    Active Directory database | - | Yes | Maybe (1) | - | -
    The Credential Manager (CredMan) store | Maybe (2) | - | - | - | -
    LSA Secrets in the registry | Service accounts, scheduled tasks, etc. | Computer account | - | - | -
    HKLM\Security | - | - | - | - | Yes
    Windows 10 with VSM enabled | - | Yes / No (3) | Yes / No (3) | No (4) | -

  • DPAPI-NG

  • PowerBroker Password Safe v6.2

    Martin Cannard, Product Manager

  • Comprehensive Security Management

    Secure and automate the process for managing privileged account passwords and keys

    Control how people, services, applications and scripts access managed credentials

    Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

    Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

    Alert in real time as passwords and keys are released and session activity is started

    Monitor session activity in real time, and immediately lock/terminate suspicious activity

    Block and alert when SSH commands are entered during privileged sessions

    Diagram: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management

  • Privileged Session Management

    The native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource

    The user authenticates to Password Safe (HTTPS) and requests a session to a protected resource

    The RDP/SSH session is proxied through the Password Safe appliance

    Diagram: RDP/SSH client, Password Safe proxy, RDP/SSH, protected resources

  • Differentiator: Adaptive Workflow Control

    Diagram: Day, Date, Time, Who, What, Where

  • Differentiator: Included API Cache (no extra cost)

  • API for Passwords / Sessions / Onboarding

    Diagram: Password Safe appliance API (session release, password release, host/account provisioning) reached over the local area connection; API Cache serving password releases over a localhost connection

  • Differentiator: Controlling Application Access

  • Automatic Login to ESXi example

    The user selects the vSphere application and credentials

    Diagram: Browser (HTTPS), RDP Client, RDP (4489), RDP (3389), ESX, vSphere RemoteApp, Credential Checkout, Credential Management, User Store, Session Recording / Logging

  • Automatic Login to Unix/Linux Applications

    Typical use cases: jump host in DMZ, menu-driven apps, backup scripts, role-based apps

    The user selects the SSH application and credentials

    Diagram: Browser (HTTPS), RDP Client, SSH (22), SSH Application, Credential Checkout, Session Recording / Logging

  • Differentiator:

    Reporting & Analytics

  • Actionable Reporting

  • Advanced Threat Analytics

  • What makes Password Safe different?

    Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request

    Full network scanning capabilities with built-in auto-onboard capabilities

    Integrated data warehouse and analytics capability

    Smart Rules for building permission sets dynamically according to data pulled back from scans

    Session management / live monitoring at NO ADDITIONAL COST

    Clean, uncluttered, and intuitive HTML5 interface for end users

  • Market Validation

    Leader: Forrester PIM Wave, Q3 2016

    Top-ranked Current Offering (product) among all 10 vendors reviewed

    BeyondTrust excels with its privileged session management capabilities.

    BeyondTrust [...] provides the machine learning and predictive behavior analytics capabilities.

    Leadership

    Gartner: BeyondTrust is a representative vendor for all five key PAM solution categories.

    OVUM: BeyondTrust [...] provides an integrated, one-stop approach to PAM, one of only a small band of PAM providers offering end-to-end coverage.

    SC Magazine: Recommended product.

    ...and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester


  • DEMO

  • Poll

  • Q&A

    Thank you for attending!