Pass-the-Hash Attacks. Michael Grafnetter

Transcription

1 Pass-the-Hash Attacks Michael Grafnetter

2 Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016

3 PtH History and Future 1988 Microsoft releases Lan Manager 1997 Pass-the-Hash demonstrated using a modified Samba 2007 Benjamin Delpy releases Mimikatz 2008 Pass-the-Ticket attack demonstrated 2012 Microsoft releases Pass-the-Hash guidance 2013 Windows contains built-in defenses against PtH 2015 Michael Grafnetter releases the DSInternals tools ;-) 2016 More defense mechanisms coming to Windows

4 PtH Attack Anatomy Theft Use Compromise

5 Lateral and Vertical Movement

6 Metasploit Framework

7 Metasploit Framework

8 Mimikatz

9 DEMO Pass-the-Hash + RDP

10 LSASS NTLM Hashes

11 Passing the Hash

12 PtH Attack Premises Single Sign-On Symmetric Cryptography Pass-the-Hash Attack Surface

13 Stealing the Hash

14 Credentials Lifecycle / Attack Vectors

15 Credentials Lifecycle / Attack Vectors

16 Hashes in SAM/AD Authentication Method Hash Function Salted LM DES NO NTLM, NTLMv2 MD4 NO Kerberos (RC4) MD4 NO Kerberos (AES) PBKDF2 (4096*HMAC_SHA1) YES Digest MD5 YES

17 Active Directory Database - Offline Files C:\Windows\NTDS\ntds.dit C:\Windows\System32\config\SYSTEM Acquire Locally: ntdsutil IFM Remotely: WMI (Win32_Process), psexec Offline: VHDs, VMDKs, Backups Extract Windows: DSInternals PowerShell Module Linux: NTDSXtract

18 DEMO Extracting hashes from ntds.dit

19 GUI Tools

20 KRBTGT Account

21 Proactive Measures Encryption RODC Backup protection Regular password changes

22 Active Directory Database - Online MS-DRSR/RPC

23 Go to for demo ;-)

24 Proactive Measures Avoid using administrative accounts Do not run untrusted SW Do not delegate the right to replicate directory changes Use an application firewall / IDS???

25 SAM Database Offline Files C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM Tools Windows Password Recovery Online Mimikatz

26 Online SAM Dump

27 Proactive Measures Bitlocker Randomize local Administrator passwords Restrict administrative access LSA Protected Process

28 GP Local Admin Pwd Management Solution

29 Restrict Local Admins - KB

30 Credentials Lifecycle / Attack Vectors

31 Windows Integrated Authentication

32 LSASS NTLM Hashes

33 LSASS Kerberos Keys

34 LSASS Kerberos Tickets

35 Memory Dump

36 Memory Dump

37 SSP Cached Creds (SSO)

38 Proactive Measures Enable Additional LSA Protection? Restrict administrative access Applocker/SRP whitelisting Protected Users group Restricted Admin RDP Authentication Policies and Silos Disable Automatic Restart Sign-On Do not submit minidumps

39 Enabling LSA Protected Process

40 Disabling LSA Protected Process

41 Protected LSA

42 Protected LSA

43 Bypassing the LSA protection

44 Bypassing the LSA protection

45 Debug Privilege

46 RestrictedAdmin RDP - KB

47 Credential Delegation Security vs. Comfort

48 Disable Wdigest SSO KB

49 Protected Users Group

50 Automatic Restart Sign-On

51 Blacklisting?

52 Credentials Lifecycle / Attack Vectors

53 ARP Poisoning + NTLM Downgrade

54 Using the Hash/Key/Ticket

55 Passing the Hash

56 PTH Firefox

57 RDP NTLM Authentication

58 Kerberos Golden and Silver Tickets

59 Proactive Measures Disable NTLM Authentication Disable Kerberos RC4-HMAC Shorten Kerberos ticket lifetime Implement Smartcard Authentication

60 Strengthening Kerberos Security

61 Kerberos Ticket Lifetime

62 SmartCard Authentication

63 PtH Mitigation Strategies

64 Planning for compromise Identify all high-value assets Protect against known and unknown threats Detect PtH and related attacks Respond to suspicious activity Recover from a breach

65 NIST Framework for Improving Critical Infrastructure Cybersecurity

66 NIST Framework for Improving Critical Infrastructure Cybersecurity

67 High-Value Accounts Admins Domain Adminis Enterprise Admin Schema Adminis BUILTIN\Administrators BUILTIN\Hyper-V Adminstrators Service Accounts SCCM, SCOM, DPM, Software Installation, BMC Accounts

68 Tier Model

69 Tier Model - Administrative logon restrictions

70 Authentication Policies and Silos

71 PtH Detection

72 Attack Graph

73 Events Authentication Success Failure Replication Traffic Group Membership Changes

74 Audit Process Creation

75 Audit Process Creation

76 Audit Process Creation

77 Reactive Measures Change account passwords (including services!) Reset computer account passwords Disable+Enable smartcard-enforced accounts Reset KRBTGT account Implement countermeasures

78 Windows 10 + Windows Server 2016

79 Hypervisor Code Integrity protected by VSM

80 Device Guard

81 Privileged Access Management for AD

82 Microsoft Passport (FIDO) + Windows Hello

83 Endanced AD FS / DRA GUI

84 Next Steps

85 Learn more about PtH Attacks

86 Have fun with the tools

87 Secure your network

88 Pass-the-Hash Attacks Michael Grafnetter