insidious implicit windows trust relationships


  • 8/10/2019 Insidious Implicit Windows Trust Relationships

    1/42

Slide 1

PLEASE STAND BY

Insidious Implicit Windows Trust Relationships
7 June 2013, BSides Detroit, James Foster

Note about where to get these slides later and whether or not this is being recorded.

Note to folks reading these slides and notes directly: the word TRANSITION in the notes is just a reminder to me that I have animations or transitions on that slide. You can ignore it in the PDF version.

None of the information presented here is original work; it's all stuff other people have figured out. I'm just trying to spread the knowledge.

Slide 3: Who am I?

I do:
- Security assessments & penetration tests
- Incident response
- Whatever other security-related stuff comes up

I have:
- ~18 years of experience in various IT roles, the last ~12 in IT security, doing lots of different stuff
- BSCS, CISSP, GCIH

Slide 4: Intended audience

- Not pentesters (they already know this)
- Non-security IT folks
- IT security folks who are busy with other things
- Those tasked with supporting & defending Windows systems, especially

Slide 6: Why this presentation?

- Not enough people know about this
- Some that know it don't fully understand it
- Pentesters will use this against you (common problem we find during assessments)
- Bad guys (internal and external) will use this against you
- APT1 will use this against you

TRANSITION

Before I was an attacker I fell into the second category.

Remember: I didn't discover any of the information presented here. I'm just good at summarizing and explaining.

Slide 7: Steps of APT-style intrusion

1) Spearphish user
2) Own user's box
3) THIS

TRANSITION

Part of step 3 is exploiting implied trust relationships. Often this is a big part of "move laterally" and "escalate privileges".

Now that you're fully convinced how important this topic is, let's go.

Slide 8: Two kinds of trusts

- Explicit: these you intend to exist
- Implicit (implied): these you don't

Slide 9: Explicit

- Loaning your car keys to your friend (to use your car)
- Domain A trusts Domain B to authenticate users
- Hosts.equiv (don't do this)
- Web single sign on (e.g. OpenID)

TRANSITION

In the last case the Relying Parties (websites you're trying to log in to) explicitly trust third-party Identity Providers (e.g. Google) to authenticate you.

Slide 10: Implicit

- Extra set of house keys are in the glove box
- User's password in domain A == their password in domain B
- LinkedIn password == online banking password
- Email account for online banking password resets == online banking
- Same local administrator password on all client PCs

TRANSITION

Slide 11: Implicitly Insidious

These are nasty things:
- Mat Honan (not the whole hack, but Twitter & Gmail & me.com): http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
- APT1 (Mandiant report): http://intelreport.mandiant.com/
- Separate PCI domain
- Windows to non-Windows

TRANSITION

They wanted Mat's Twitter account. It used his Gmail account for password reset/recovery, so they needed that first. His Gmail account used his me.com (Apple) account for password reset/recovery. They knew how to get Apple accounts (a different attack), so once they got that, they got his Gmail and Twitter for free.

The last two are stories from assessments.

Slide 12: Focus on Windows

- You've got the general idea
- Let's see why implicit trusts matter so much in Windows

Slide 13: First, LM / NTLM

- LM / NTLM password hashing algorithm
- LM / NTLM network authentication protocol
- These are two different things, although the first is used in the second
- I really wish one of these was called something else, because this is confusing
- I will try and say "NTLM hash" and "NTLM authentication" to differentiate the two

TRANSITION

I'm just going to say NTLM from now on since it's easier and this all applies to environments that "aren't using LM anymore" anyway.

Slide 14: NTLM password hashing algorithm

- Creates a fixed-length hash from a variable-length password
- For our purposes, similar enough to any other hashing mechanism like MD5 or SHA-1
- Easy to go forward, hard to go backward
- Hashes of the password "password":
  LM: E52CAC67419A9A224A3B108F3FA6CB6D
  NTLM: 8846F7EAEE8FB117AD06BDD830B7586C
- Note the lack of salt

TRANSITION

What does the lack of salt mean?

Can use rainbow tables.

Users with the same password will have the same hash regardless of username, system, domain, version of Windows, language, etc.

Slide 15: NTLM network authentication protocol

- Main network authentication protocol for Windows (yeah, Kerberos in Active Directory)
- Steps:
  1) Create NTLM hash of password
  2) Blah blah, client/server challenges, blah blah
  3) Do math and hashes with the NTLM hash and challenges, send stuff back and forth, blah blah
- Note the input to steps 2 and beyond is just the NTLM hash

TRANSITION

The details of steps 2 and beyond don't matter for our purposes. The output of step 1 is just the NTLM hash of the password with nothing else added.

So what does this mean for NTLM authentication?

What if we have a user's hash but don't know their password (couldn't crack it, whatever)?

Doesn't matter, because the hash works just as well.

Slide 16: Hashes == passwords

- (for NTLM authentication)
- Often called "pass-the-hash" (PTH)
- And not just for the one user, for all users who have the same password

Slide 17: Why so bad in Windows?

- NTLM authentication everywhere
- Design called for single sign on (SSO)
- Hashes == passwords (for all users with same password)
- Pervasive problem, easy to exploit
- Uses legitimate protocols, existing accounts
- You can't tell the difference between an authentication that started with the password or one that started with the hash

TRANSITION

After all, do you want to have to re-type your password for every new Windows resource your system connects to?

For SSO to work, the system has to either know your password (or its hash in NTLM authentication) or have some token (like in Kerberos).

Slide 18: Windows implicit trust relationship types

- Local account
- Cached credential
- Access token

Slide 19: Local account

- Password hashes for local accounts are stored locally on disk (persist as long as the account exists)
- These can be accessed by any local admin
- Remember that password hashes == passwords for NTLM auth types via PTH
- Therefore, any local admin can assume the identity of any local account on that box

TRANSITION

Slide 20: Local account

- Once you have the hashes, you can try them other places
- You can try them with other accounts
- Against other similar systems (clients, servers, etc.)
- Against the domain (or other domains)
- Looks like regular Windows logon successes/failures, normal protocols

You might guess that this password (hash) is the same for this same username on other systems. Often you'd be right.

You might guess that this password (hash) is the same for other usernames on other systems. Sometimes you'd be right.

Sometimes it's the same in the domain too.

Slide 21: Local account

- On a domain controller, all domain accounts are just "local accounts" in this sense
- Get "local admin" on a domain controller, get the hashes of all domain accounts
- Yay!

This may seem obvious. In order to compromise an entire domain and steal all of its users' hashes, you just need to compromise a domain controller and you're done.

Slide 22: Cached credentials

- Password hashes for domain accounts may be cached on disk on domain-connected systems
- Allow domain accounts to logon to domain-connected systems when not connected to the domain (laptops)
- Persist for configurable # of logons
- These can be accessed by any local admin

TRANSITION

Slide 23: Cached credentials

- These hashes can't be used for PTH (they are salted)
- To be useful, you have to crack the hashes to obtain the password (veeeery slow)
- If cracked, the password could then be used to logon to this domain account
- The password could also be tried against other accounts, in the domain or local on other systems, but you had to crack it first

TRANSITION

Of course, if the password is trivial it doesn't matter if the cracking is "slow", you'll get it in a few seconds anyway.

This has allowed me to compromise a domain, but it's really the least useful of the three kinds of implied trusts. So we'll move on.

Slide 24: Access tokens

- Created in memory upon a successful interactive logon
- Hold the user's authentication information and other account attributes (group memberships, etc.) used to authenticate and gain authorization to other systems/objects (enables SSO, etc.)
- Not written to disk, so erased by a reboot
- However, not erased by logging off
- These can be accessed by any local admin

TRANSITION

Sometimes people call these "account tokens", "logon tokens", or just "tokens".

Note that just mapping a drive does not create an interactive logon to the target, so this is not enough to create an access token.

Slide 25: Access tokens

- Contain LM and NTLM password hashes (not salted, so PTH works)
- Did I mention these can be read by any local admin?
- Therefore, any local admin can assume the identity of any user who logged in (interactively) since the last reboot
- Works for local and domain accounts, but you already have hashes for the local accounts, so who cares
- Use a domain account against the domain and any domain-connected system

TRANSITION

We just love access tokens belonging to domain admins. Tasty.

Slide 26: Show of hands

- How many people here have a domain admin account?
- Have you ever logged on to a system and then didn't reboot it afterwards?
- A user's system?
- All this for $[illegible]? Can you believe it?

Slide 29: So, implicit trusts

- Own a box, own all local accounts
- Local account having same password across multiple systems, own them all
- Own a box, (maybe) own all domain accounts that logged on within the last # logons
- Own a box, own all accounts that logged on since the last reboot
- Any other account on any other local box or in the domain share that password? Own that too.

    TR)6SITI;6

Slide 30: Nightmare

- Users granted local admin to their own box
- Same local Administrator password on all user boxes...
- ...including boxes on the desks of IT staff
- IT staffer logs into her own box with domain admin account
- All users could own the domain simply via trust relationships

TRANSITION

It's also bad when you have servers where lots of users, including privileged ones, logon interactively.

Although not completely tested or studied, we have seen most domain users' access tokens on an Exchange server in at least one environment. This implies that, at least in some situations, Outlook's connection to the Exchange server constitutes an interactive logon and creates an access token there.

Slide 31: We make graphs

- Local admin account trusts
- Domain admin access token trusts

These graphs are from a recent internal assessment. Network had around 1,700 Windows boxes; we sampled about 1,[?]00 of them to get the data for these graphs.

You can't read the labels on anything in the graphs, on purpose.

Slide 32

Blue ovals are hosts, red boxes are credentials (username/password combination) and yellow spots are the domains (domain controllers to be specific).

The "credentials" in this one are local administrative accounts, so this represents local account trusts for administrative-level users (admin on hosts and/or the domain controllers).

~1,400 hosts involved in trusts with at least one other, many with many others, including the domain.

Slide 33

Blue ovals are hosts, red boxes are credentials (username/password combination) and yellow spots are the domains (domain controllers to be specific).

The "credentials" in this one are local admin accounts, so this shows local account trusts for admin-level users (admin on hosts and/or the domain controllers) EXCEPT that this time the actual "Administrator" accounts are excluded. In other words, it's the same as the previous graph if they were to fix just all of the local "Administrator" accounts. Only 12 hosts now involved in local account trust relationships. So by fixing the local "Administrator" account on all their boxes they can achieve an order of magnitude improvement in # hosts involved.
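What the two graphs count, and why dropping the local Administrator account from the picture changes it so much, as an added example (mine, not the talk's code and not the assessment's tooling) over a constructed inventory. Each host lists its local accounts with a label standing in for the account's NT hash, plus the domain accounts whose access tokens were found on it; the host names, account names, hash labels and the CORP domain are all invented. The same walk also answers the "Nightmare" slide's question for a given starting box: which hosts its local-account hashes reach, and whether a domain admin token sits on any of them.

```python
from collections import defaultdict, deque

# Constructed sample inventory (not real assessment data). Per host: local
# accounts with a label that stands in for the account's NT hash, and the
# domain accounts whose access tokens were found in memory on that host.
INVENTORY = {
    "WS01":  {"local": {"Administrator": "nt-A", "helpdesk": "nt-H"}, "tokens": {"CORP\\alice"}},
    "WS02":  {"local": {"Administrator": "nt-A"},                     "tokens": {"CORP\\bob"}},
    "WS03":  {"local": {"Administrator": "nt-A", "helpdesk": "nt-H"}, "tokens": {"CORP\\carol"}},
    "WS04":  {"local": {"Administrator": "nt-B"},                     "tokens": set()},
    "SRV01": {"local": {"Administrator": "nt-C", "backup": "nt-K"},   "tokens": {"CORP\\da-jane"}},
    "SRV02": {"local": {"Administrator": "nt-C"},                     "tokens": set()},
    "SRV03": {"local": {"Administrator": "nt-D", "backup": "nt-K"},   "tokens": set()},
}
DOMAIN_ADMINS = {"CORP\\da-jane"}  # invented domain admin account


def credential_groups(inventory, exclude=frozenset()):
    """Map each (username, hash) credential to the hosts it is valid on.
    A credential present on two or more hosts is an implicit trust between
    them: whoever is local admin on one has the hash that works on the others."""
    groups = defaultdict(set)
    for host, data in inventory.items():
        for user, nt in data["local"].items():
            if user not in exclude:
                groups[(user, nt)].add(host)
    return {cred: hosts for cred, hosts in groups.items() if len(hosts) > 1}


def hosts_in_trusts(inventory, exclude=frozenset()):
    """Hosts involved in at least one local-account trust, the number the
    slides quote. Pass exclude={'Administrator'} to redraw the second graph."""
    involved = set()
    for hosts in credential_groups(inventory, exclude).values():
        involved |= hosts
    return involved


def reachable_from(inventory, start, exclude=frozenset()):
    """Breadth-first walk over shared credentials from a host where someone is
    local admin. Returns the hosts reached and the domain accounts whose
    tokens sit on those hosts (local accounts are already covered by the hashes)."""
    groups = credential_groups(inventory, exclude)
    by_host = defaultdict(list)
    for cred, hosts in groups.items():
        for host in hosts:
            by_host[host].append(cred)
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for cred in by_host[host]:
            for nxt in groups[cred]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    accounts = set()
    for host in seen:
        accounts |= inventory[host]["tokens"]
    return seen, accounts


def domain_admin_exposure(inventory, exclude=frozenset()):
    """Hosts from which a domain admin token is reachable: the fix-first list."""
    return {h for h in inventory if reachable_from(inventory, h, exclude)[1] & DOMAIN_ADMINS}


if __name__ == "__main__":
    print("hosts in local-account trusts:      ", sorted(hosts_in_trusts(INVENTORY)))
    print("same, Administrator accounts fixed: ", sorted(hosts_in_trusts(INVENTORY, {"Administrator"})))
    hosts, accounts = reachable_from(INVENTORY, "SRV02")
    print("from SRV02 reach:", sorted(hosts), "tokens:", sorted(accounts))
    print("hosts exposing a DA token:          ", sorted(domain_admin_exposure(INVENTORY)))
    print("same, Administrator accounts fixed: ", sorted(domain_admin_exposure(INVENTORY, {"Administrator"})))
```

On this sample, fixing only the shared Administrator password takes SRV02 off the list of hosts that lead to a domain admin token, but SRV01 and SRV03 stay on it through the shared "backup" account, which is the kind of residual trust the second graph still shows.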

Slide 35: Mitigation

How do we fix this?

I've used up all my time explaining the problem. Have a nice day!

Just kidding, I hope.

Slide 36: Mitigation

- Microsoft's pass-the-hash mitigation paper
- Don't let them get hashes/tokens/passwords (local admin) in the first place
- Patch, good passwords, firewalls, etc.
- Application control / whitelisting
- Users not local admins would be good

Does two factor auth (smart cards, biometrics, etc.) fix this? Haven't tested, but probably not due to the nature of the problem.

Slide 38: Mitigation

- If they do get hashes/tokens/passwords, make them useless to move around with
- No shared passwords
- Disable local admin accounts
- Turn off network access to unnecessary accounts (network and RDP)

Slide 39: Mitigation

- Limit lateral movement
- Client firewalls (not Windows firewall in "domain mode")
- Network segmentation
- Client isolation (private VLANs)

For these types of attacks we're talking about Windows networking ports (135-139, 445) for the most part.

Slide 40: Mitigation

- Limit privilege escalation, protect privileged account hashes/tokens, especially domain admins
- Reduce number of privileged accounts
- Privilege separation
- Only use privileged accounts on a limited number of more trusted, more secured and isolated hosts

LAST SLIDE
