From Public Key to Exploitation: Exploiting the Authentication in MS-RDP [CVE ]
Eyal Karni, Preempt Research Team
Contents

1. Introduction
2. Vulnerability
2.1 Issue #1
2.2 Toward Issue #2
2.3 Issue #2
3. Exploitation
3.1 Broken RSA
3.2 Finding Primes
3.3 Finding Protocols
3.4 Exploitation
3.5 Real World Obstacles
4. Summary
Reference/Technical Background
1. Introduction

In the March 2018 Patch Tuesday, Microsoft released a patch for CVE , a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: it is related to RSA cryptography (and prime numbers), which makes it quite unique and interesting.

The vulnerability consists of a design flaw in CredSSP, which is a Security Support Provider involved in Microsoft Remote Desktop and Windows Remote Management (including PowerShell sessions). An attacker with complete Man in the Middle (MITM) control over such a session can abuse it to run arbitrary code on the target server on behalf of the user!

We have demonstrated the attack for Remote Desktop Protocol (RDP) in a domain environment. If the user is a local administrator on the target system, the exploit allows the attacker to run code as SYSTEM, effectively compromising the target server. This is applicable both to Restricted Admin mode and to the regular mode of RDP.

Figure 1 - An illustration of CVE exploit scenario

For the described reasons, and since RDP sessions are very common, this vulnerability could be really valuable to attackers. Further, because it is by design, the vulnerability resides in all Windows versions (from Vista), as long as the fix is not applied. Fix can be found here:

In this paper, we will go through the journey I went through in facilitating the exploit. Along the way, I will explain the technical and mathematical details of the vulnerability.

It is assumed that the reader has some familiarity with the Active Directory (AD) environment, mainly with Kerberos, NT LAN Manager (NTLM), MS-RDP and Security Support Provider Interface (SSPI). If you would like to learn more about these terms you can find it in the
2. Vulnerability Details

2.1 Issue #1

Our journey begins with another vulnerability that we discovered at Preempt. In the context of that vulnerability, we demonstrated the ability to do NTLM relay in the case of RDP Restricted Admin mode even without knowledge of the private key of the destination server. This is not trivial, since the entire process is done under Transport Layer Security (TLS), and is thus encrypted by the certificate of the server. Exploiting the NTLM relay vulnerability was possible because of the way RDP is implemented. Let's take a look at the process:

1. Negotiation over capabilities (usually CredSSP is chosen)
2. TLS is established
3. Network Layer Authentication (NLA) is carried out using CredSSP
4. The client verifies the certificate, displaying a warning if needed
5. The user accepts the warning
6. The user sends its password over CredSSP (in Regular Mode)
7. Login and remote UI activities

After establishing the encrypted secure session, the next step in RDP is NLA. The server validates that the client possesses the credentials for the user by the usual method of authentication (e.g., Kerberos). This saves the need to allocate resources needed for logon.

In step 4, the client checks the certificate. A warning won't be shown if the certificate is signed by a trusted Certificate Authority (CA) or if the certificate is trusted manually. However, Microsoft decided the server is also considered validated if Kerberos authentication is performed. The certificate is coupled with the Kerberos identity in step 3. If neither condition is met, a warning will be shown as in Figure 2.

You can see that NLA happens before validating the certificate. Thus, step 3 can be made with any forged certificate. Assuming everything else is done securely and correctly, this won't be an issue, but this is not the case here. We will call this issue #1.

Figure 2 - A standard MS-RDP warning
2.2 Toward Issue #2

When dealing with issues, sometimes it takes two to tango. I found a second issue when I looked at the specification of CredSSP. CredSSP is the underlying protocol that is used to relay the credentials of the user in MS-RDP.

Basically, this protocol is very simple: TSRequest messages are transferred from the client to the server and vice versa. These messages carry SPNEGO tokens used for the negotiation phase of the authentication protocol. The negotiation is transparent for the CredSSP client/server. The protocol is carried over the secured TLS session established in step 1. Let's take a look at the chart:

Figure 3 - CredSSP NLA Part

In the final negotiation message (accept_complete), the client computer transfers the NTLM/Kerberos final token, but it also sends the public key of the server encrypted and signed with SSPI. The public key structure is derived from the key parameters of the RSA. What is important for now is that it contains the N, e parameters that are the essence of the server certificate.
This is a common variant of a technique called Channel Binding, which is aimed at thwarting credential relay attacks by binding the TLS session with the Windows authentication. So, the identity of the server (as represented by the certificate) is coupled with the standard Windows Authentication identity (as represented by the relevant account secret [1]).

Still, this design carries a fatal flaw inherent in it. At this stage, you might want to take a few minutes to spot it yourself.

2.3 Issue #2

The second issue is that the client trusts the public key of the server. It actually encrypts and signs bytes of the server (the public key structure) without first validating its identity. We can see the attack as a special case of a Chosen Plaintext Attack (CPA). In this case, it encrypts and signs it the same way it does for an application in SSPI (compared to a classical attack, which only encrypts). This is the essence of the vulnerability.

To exploit it, an attacker would set up a rogue server, and use the public key both as application data and as a valid RSA key. Then it would forward the encrypted and signed application data to the real intended server (no other server is possible in the current exploit).

Figure 4 - A diagram of the exploit

[1] As a side note, in CredSSP by default a User2User process takes place instead of regular Kerberos. First the server sends its TGT to the client. Then the TGS is encrypted with the TGT session key. This has no effect on the vulnerability, so it is ignored.
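
The signing order described under Issue #2, reduced to a toy model and set beside two hardened orderings. This is an added example, not code from the paper or from CredSSP: HMAC-SHA256 stands in for SSPI signing, and every name, label and byte string in it is constructed for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical label for the hashed variant; any fixed string unique to this
# binding step provides the domain separation.
BINDING_LABEL = b"toy client-to-server binding\x00"


def sspi_sign(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for SSPI signing: HMAC-SHA256 over sequence number 0 + data."""
    seq = (0).to_bytes(4, "little")
    return hmac.new(session_key, seq + data, hashlib.sha256).digest()


class OtherService:
    """A second SSPI-protected service run under the same server account.
    It trusts any request whose signature verifies under the session key."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key

    def accepts(self, request: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(sspi_sign(self._key, request), signature)


def bind_unvalidated(session_key: bytes, presented_key: bytes) -> bytes:
    """Flawed order: sign the peer's key bytes before validating the peer."""
    return sspi_sign(session_key, presented_key)


def bind_validated(session_key: bytes, presented_key: bytes,
                   trusted_keys: set) -> bytes:
    """Validate first: refuse to sign a key that is not already trusted."""
    if presented_key not in trusted_keys:
        raise PermissionError("peer key not validated; nothing was signed")
    return sspi_sign(session_key, presented_key)


def binding_digest(presented_key: bytes, nonce: bytes) -> bytes:
    """Labelled hash of the key; the signer never signs the raw peer bytes."""
    return hashlib.sha256(BINDING_LABEL + nonce + presented_key).digest()


def bind_hashed(session_key: bytes, presented_key: bytes, nonce: bytes) -> bytes:
    """Domain separation: sign the labelled digest instead of the key bytes."""
    return sspi_sign(session_key, binding_digest(presented_key, nonce))


def server_checks_hashed(session_key: bytes, own_key: bytes, nonce: bytes,
                         signature: bytes) -> bool:
    """The genuine server recomputes the digest over its own key and verifies."""
    expected = sspi_sign(session_key, binding_digest(own_key, nonce))
    return hmac.compare_digest(expected, signature)


def run_demo() -> dict:
    session_key = os.urandom(32)          # shared by client and genuine server
    service = OtherService(session_key)
    genuine_key = b"GENUINE-SERVER-KEY-BYTES"            # constructed placeholder
    # Constructed: bytes an unvalidated TLS peer presents as "its public key".
    presented = b"PEER-CHOSEN-BYTES-THAT-ARE-ALSO-A-REQUEST"

    results = {}
    # 1. Flawed order: the signature over the peer's bytes is valid elsewhere.
    sig = bind_unvalidated(session_key, presented)
    results["unvalidated_replayable"] = service.accepts(presented, sig)

    # 2. Identity validated before signing: the unknown key is never signed.
    try:
        bind_validated(session_key, presented, {genuine_key})
        results["validated_signed"] = True
    except PermissionError:
        results["validated_signed"] = False

    # 3. Labelled hash: the signature no longer covers the peer's raw bytes.
    nonce = os.urandom(32)
    sig = bind_hashed(session_key, presented, nonce)
    results["hashed_replayable"] = service.accepts(presented, sig)

    # The binding still works against the genuine server and its own key.
    sig = bind_hashed(session_key, genuine_key, nonce)
    results["hashed_verifies"] = server_checks_hashed(
        session_key, genuine_key, nonce, sig)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The hashed variant is shown as a generic domain-separation technique; the page does not describe how the patch itself is built.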
But is it really possible? After all, the public key is dual-purposed. It should be valid both as an RSA key and as signed application data of a yet-to-be-determined Windows protocol. This protocol should support SSPI, of course, but all the standard Windows protocols do support it.

Let us focus our attention first on what seems to be the toughest problem: we need control over the RSA public key (which is translated to Application Data).

3. Exploitation

3.1 Broken RSA
3.2 Finding Primes
3.3 Finding Protocols

Protocol Requirements

The most obvious requirement is that the Public Key Structure will be coded as the Application Data. This structure is ASN.1 [2].

Figure 5 - Public Key Structure

What it means for us is that the first 8 bytes of the data are not under our (full) control.

NTLM or Kerberos

A question to consider is whether we can implement NTLM or Kerberos. SSPI has standard mechanisms for signing based on NTLM and Kerberos authentication. In both cases, a header that contains the checksum and sequence number is added to the Application Data if signing was agreed in the negotiation. In addition, the SPNEGO negotiation ends with signing and encryption enabled, and the sequence number in the case of the Public Key Structure will be 0.

[2] CredSSP version 2-4
However, there is an important difference between NTLM and Kerberos handling. It is demonstrated in the following diagram (for RPC as an important example) [3] [4]:

Figure 6 - NTLM vs Kerberos in GSSAPI

The Public Key Structure is actually encoded as a headerless protocol. The entire structure is encrypted and signed in the NTLM case, but the RPC server expects only the Application Data to be encrypted. So, NTLM adds another restriction for the protocol. This restriction actually prevented us from implementing the attack for NTLM, because we couldn't find a suitable headerless protocol. We aren't sure that it is impossible. Finding such a protocol would likely produce a stronger exploit, allowing the attacker to choose a different server to target using NTLM relay.

Another point to note is that in Kerberos, the ticket service name is not strictly enforced, as long as the account matches. The account in RDP is the machine account. So, we can say that Kerberos is mildly vulnerable to Kerberos relay. Data signed for use in one application can be used in another one, given a similar CPA.

Here is a summary of the requirements for the protocol:

- Supports SPNEGO
- Encoding requirements
  - Application Data is Non-ASN.1
  - Specific 8-bytes Prefix which we have no control over
  - Includes some degree of freedom
  - No Header if dealing with NTLM
- Able to do harm with a single signed packet
- Available on a wide variety of machines

One protocol that satisfies all of the requirements is MSRPC (besides the extra requirement needed for NTLM to work). We are not aware of any other protocol that meets these requirements.

[3] Application Data is actually, more generally, the data wrapped by GSS_WRAP or a similar method
[4] This happens in modern NTLM usage if NEGOTIATE_EXTENDED_SESSIONSECURITY is on
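
Where the 8-byte prefix in the requirements above comes from, shown as an added example (not code from the paper). It assumes the Public Key Structure is a DER-encoded RSAPublicKey, a SEQUENCE of the INTEGERs N and e; Figure 5 is not reproduced on this page, so that layout is an assumption, and the function names and filler moduli are constructed.

```python
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value: int) -> bytes:
    """DER INTEGER (tag 0x02) for a non-negative integer.
    The extra byte keeps the sign bit clear when the top bit of value is set."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple:
    """Return (value_start, value_end) of the TLV at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected tag or truncated header")
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + 2 + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        header = 2 + count
    start = pos + header
    if start + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return start, start + length


def parse_rsa_public_key(der: bytes) -> dict:
    """Split the structure into its fixed framing and the N, e values."""
    seq_start, seq_end = read_tlv(der, 0, 0x30)
    if seq_end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_start, n_end = read_tlv(der, seq_start, 0x02)
    e_start, e_end = read_tlv(der, n_end, 0x02)
    if e_end != seq_end:
        raise ValueError("unexpected extra fields")
    return {
        # Tag and length octets that precede the modulus value; they are
        # dictated by the encoding and the key size, not by the key holder.
        "framing": der[:n_start],
        "n": int.from_bytes(der[n_start:n_end], "big"),
        "e": int.from_bytes(der[e_start:e_end], "big"),
    }


def constructed_modulus(bits: int) -> int:
    """Constructed filler with the top bit set; not a usable RSA modulus."""
    return int.from_bytes(b"\xc3" * (bits // 8), "big")


def framing_hex(bits: int) -> str:
    """Hex of the framing bytes for a key of the given modulus size."""
    der = encode_rsa_public_key(constructed_modulus(bits), 65537)
    return parse_rsa_public_key(der)["framing"].hex()


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, framing_hex(bits))
```

For 2048-bit and 4096-bit moduli the framing is exactly 8 bytes, and those bytes change only with the key size, which matches the "not under our (full) control" wording.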
3.4 Exploitation

The coding of MSRPC Application Data is MIDL. This is quite a messy and very diverse structure that basically describes the arguments passed to the remote procedure. For the 8 uncontrolled bytes at the beginning, we can choose any function whose first argument is a string (or, more generally, a pointer). This is because an 8-byte field (in the case of a 64-bit implementation) called ReferentId is present, and the destination server is indifferent to its value. As for the freedom bytes, it wouldn't have been much of a problem anyway, but RPC ignores excess bytes, so it is easiest to put them all at the end.

The exploit uses the following function (Opnum 1) of the Task Scheduler Interface:

Figure 7 - The exported function

The Task Scheduler Interface is the modern interface for managing scheduled tasks in Windows. It is similar to the ATSvc interface (triggered by the AT command), but is more powerful, as it provides more control over the created task and its properties.

This is an example for the command that is coded in the exploit:
This command creates a task with the user ID of SYSTEM [5]. The executable is found in a share controlled by the attacker, and it is run immediately. Therefore, it could be any stale code. So, there is no need to do privilege escalation if the user is already an Administrator.

3.5 Real World Obstacles

Finally, we consider some real world obstacles. While doing MITM is, in many cases, not that difficult for an attacker (for example, through ARP poisoning), the real obstacle here is Windows Firewall. If it is ON, then on a regular modern OS, incoming RPC is not enabled by default for any interface [6].

Despite this, the vulnerability and threat are still very much real, and applying the patch is important, for the following reasons:

1. Domain Controllers are still vulnerable to this attack by default. This is because a rule concerning RPC exists in Domain Controllers that enables any svchost.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain!
2. Many times, Windows Firewall is turned OFF or RPC is enabled extensively (it is recommended to enable it selectively for the services you need).
3. It could be exploited in various ways, bypassing different possible defences in various environments. Not only using different interfaces of MSRPC, but also exploiting different protocols [7]. (If you manage to, we would like to know.)

In the scenario described in the beginning, the remote desktop session would fail with the following message after a few seconds:

Figure 8: Error message displayed after RDP

[5] Given local administration privileges, that should work
[6] Verified on Windows Server 2012 and Windows 10
[7] If you manage to create another exploitation, please let us know. Databases seem like a really strong target.
And a malicious payload would run silently on the server in a privileged context. Other than this, no warning or suspicious indication will be present.

4. Summary

In this paper, we have laid out the details for an attack on MS-RDP with the Task Scheduler Interface as the destination. This attack has nearly 100% success given a server with RPC enabled, and assuming an attacker is capable of doing MITM.

Hopefully you found this vulnerability interesting. Apparently, strong protocol-based logical vulnerabilities haven't passed from the world. I think this vulnerability stresses the importance of identity validation as soon as possible and strictly before signing any data. The issue brought up here of public key signing might be something to look for in general.

You can see the demo of the attack here:

The author wishes to thank Yaron Zinar, Preempt Research Team Lead, for the support and guidance along the way, as well as for help in writing this paper. And also Heather Howland, VP Marketing, and Wade Williamson, Product Marketing, for all their assistance regarding this paper.

We intend to release the tools used for the exploit after we present at Black Hat Asia later in March

Reference / Technical Background

Unfortunately, this vulnerability tends to be quite involved. The technical background section is given as a reference for completing the required knowledge for this vulnerability.

Kerberos in Active Directory

Kerberos is the basic authentication protocol in an Active Directory environment. It is used by default (in case you refer to a server by DNS) and is considered secure and trusted. Basically, it provides authenticity and SSO across the entire Windows domain, by relying on shared secrets found on DCs (Domain Controllers). DCs are the trusted entities that manage the domain. Compromising a DC (or a special account called KRBTGT) would result in complete compromise of the domain.
There are many sites that explain how Kerberos works. Although most of the details wouldn't be relevant for our vulnerability, it would be nice to get the overall picture:

NTLM (NT LAN Manager)

NTLM is a legacy protocol used for authentication in an Active Directory environment. It is still used quite widely today, mainly in scenarios where there is no domain trust, and in legacy software. This is an old-style challenge-response protocol. The important variant is version 2, providing some protection against some attacks. It is not resilient to NTLM relay attacks when there is no additional protection from relay, such as server signing or EPA. But you might find more details here:

Actually, it is a good source to learn about NTLM relay from

SSPI (Security Support Provider Interface)

SSPI is an API that allows an application to add authenticity and authorization almost transparently (although some pain might be involved). Any application that supports Windows Authentication as a provider also supports SSPI. For example: Microsoft SQL Server. Essentially, that means that it supports the security providers offered by Windows (again, this is transparent to the application). It is implemented as a layer over the application protocol. The data that is protected using SSPI is called (at least in this blog) Application Data. Among the providers you could find NTLM and Kerberos, as well as SPNEGO. SPNEGO is used to negotiate the choice of authentication protocol (usually some variant of NTLM or Kerberos), which will be used to derive keys for encrypting and/or signing the session data.

PKI

It is the infrastructure that makes sure that the identity of entities is reliable. It does so based on commonly trusted entities called CAs, and on digital signatures.

Public_key_infrastructure
RSA

[9] It can be formulated more meticulously
[10] By multiplying two numbers from this group (co-prime to N) you get a number still in this group
MS-RDP

Microsoft Remote Desktop Protocol is a protocol used to remotely control another computer. Mostly, the user has to type their username and password in order to connect. MS-RDP offers a Restricted Admin mode, which an administrator can use to connect to another computer seamlessly with their credentials. This mode is considered more secure (although it has its limitations). Microsoft even suggested using it in situations where you suspect the destination machine is compromised:

"For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. Therefore, we recommend instead that you use the Restricted Admin mode option."

MS-RDP is vulnerable to the attack we will describe, as it relies on a vulnerable protocol, CredSSP, for authentication. The Restricted Admin mode is vulnerable as well.

preempt.com info@preempt.com 2018 Preempt Security, Inc. All rights reserved.
More informationKerberos V Security: Replay Attacks
Abstract Kerberos V Security: Replay Attacks Kerberos V is a trusted third-party authentication mechanism designed for TCP/IP networks. It uses strong symmetric cryptography to enable secure authentication
More informationIntegrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement
Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement The Challenge: Smarter Attackers and Dissolving Perimeters Modern enterprises are simultaneously
More informationHong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)
Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) This document (IMPS) facilitates an organization to provide relevant information to describe how it fulfils the normative
More informationSample excerpt. Virtual Private Networks. Contents
Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................
More informationNetwork Access Control and VoIP. Ben Hostetler Senior Information Security Advisor
Network Access Control and VoIP Ben Hostetler Senior Information Security Advisor Objectives/Discussion Points Network Access Control Terms & Definitions Certificate Based 802.1X MAC Authentication Bypass
More informationTransport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationSecurity context. Technology. Solution highlights
Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for
More informationGrandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide
Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide Table of Contents INTRODUCTION... 4 SCENARIO OVERVIEW... 5 CONFIGURATION STEPS... 6 Core Site Configuration... 6 Generate Self-Issued Certificate
More informationConfiguring Request Authentication and Authorization
CHAPTER 15 Configuring Request Authentication and Authorization Request authentication and authorization is a means to manage employee use of the Internet and restrict access to online content. This chapter
More informationSecuring Office 365 & Other SaaS
Securing Office 365 & Other SaaS PrecisionAccess Vidder, Inc. Securing Office 365 & Other SaaS 1 Executive Summary Securing Office 365 means securing Email, SharePoint, OneDrive, and a number of other
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationAuthentication Methods
CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks
More informationCERN Certification Authority
CERN Certification Authority Emmanuel Ormancey (IT/IS) What are Certificates? What are Certificates? Digital certificates are electronic credentials that are used to certify the identities of individuals,
More informationHP Instant Support Enterprise Edition (ISEE) Security overview
HP Instant Support Enterprise Edition (ISEE) Security overview Advanced Configuration A.03.50 Mike Brandon Interex 03 / 30, 2004 2003 Hewlett-Packard Development Company, L.P. The information contained
More informationLast mile authentication problem
Last mile authentication problem Exploiting the missing link in end-to-end secure communication DEF CON 26 Our team Sid Rao Doctoral Candidate Aalto University Finland Thanh Bui Doctoral Candidate Aalto
More informationRecommendations for Device Provisioning Security
Internet Telephony Services Providers Association Recommendations for Device Provisioning Security Version 2 May 2017 Contact: team@itspa.org.uk Contents Summary... 3 Introduction... 3 Risks... 4 Automatic
More informationMobile Secure Management Platform
Mobile Secure Management Platform Mobile Automation Security Analysis White Paper Document Revision 5.1 Document ID: MLMS security white paper 5.1.2.doc July 2, 2003 Prepared by: Revision History VERSION/RELEASE
More informationSobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.
Sobering statistics The frequency and sophistication of cybersecurity attacks are getting worse. 146 >63% $500B $3.8M The median # of days that attackers reside within a victim s network before detection
More informationCYBER ATTACKS EXPLAINED: WIRELESS ATTACKS
CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these
More informationThe Kerberos Authentication Service
The Kerberos Authentication Service By: Cule Stevan ID#: 0047307 SFWR 4C03 April 4, 2005 Last Revision: April 5, 2005 Stevan Cule 0047307 SOFTWARE ENGINEERING 4C03 WINTER 2005 The Kerberos Authentication
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationLogMeIn Security. An In-Depth Look
LogMeIn Security An In-Depth Look Table of Contents Remote Access Axioms... 3 LogMeIn Architecture... 5 LogMeIn Security Mechanisms... 7 Intrusion Detection... 13 Data Forwarding... 18 UDP NAT Traversal...
More informationAuthentication is not limited to the workstation logon but it supports also Remote Desktop, Shares, Hyper-V Sessions, etc.
Aloaha Smartlogin Aloaha Smartlogin allows you to logon to your windows machine with a Smart Card, PKCS #11 Token, USB Memory Stick or just a plain Memory Card such as I2c or Mifare. Authentication is
More informationCloud Access Manager Overview
Cloud Access Manager 8.1.3 Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationIP Mobility vs. Session Mobility
IP Mobility vs. Session Mobility Securing wireless communication is a formidable task, something that many companies are rapidly learning the hard way. IP level solutions become extremely cumbersome when
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationUser Authentication Principles and Methods
User Authentication Principles and Methods David Groep, NIKHEF User Authentication - Principles and Methods 1 Principles and Methods Authorization factors Cryptographic methods Authentication for login
More informationFirepower Threat Defense Site-to-site VPNs
About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec
More informationDIRECTORY INTEGRATION: USING ACTIVE DIRECTORY FOR AUTHENTICATION. Gabriella Davis The Turtle Partnership
DIRECTORY INTEGRATION: USING ACTIVE DIRECTORY FOR AUTHENTICATION Gabriella Davis The Turtle Partnership In This Session Review possible use cases for multiple directories Understand security implications
More informationIntercepting SNC-protected traffic
Intercepting SNC-protected traffic Martin Gallo Penetration Testing SME March 2017 Agenda Introduction Problem SAP Protocols SAP SNC (Secure Network Connections) Attack vectors Vulnerable scenarios Demo
More informationAttacking Networks. Joshua Wright LightReading LIVE! October 1, 2003
Attacking 802.11 Networks Joshua Wright Joshua.Wright@jwu.edu LightReading LIVE! October 1, 2003 Attention The material presented here reflects the personal experience and opinions of the author, and not
More informationCloud FastPath: Highly Secure Data Transfer
Cloud FastPath: Highly Secure Data Transfer Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. Tervela has been creating high performance
More informationMost Common Security Threats (cont.)
Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationCase Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University
Case Studies, Lessons Learned Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University Case Study Overview 3 different types of cases Troubleshooting We have systems
More informationTHE ESSENTIAL GUIDE TO CYBER SECURITY FOR OFFSITE EVENTS
THE ESSENTIAL GUIDE TO CYBER SECURITY FOR OFFSITE EVENTS THE ESSENTIAL GUIDE TO CYBER SECURITY FOR OFFSITE EVENTS You are taking your team offsite for training or a meeting. During this offsite session,
More informationPCI DSS Compliance. White Paper Parallels Remote Application Server
PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3
More informationOpenVMS Security Update 1M01
OpenVMS Update M0 Helmut Ammer TCSC München Agenda Ratings ITSEC E C & E B update on V6. TCSEC C Ramp -> > Common Criteria COE DII Current Projects: Enterprise Features & Projects History Per- Profiles
More informationVidder PrecisionAccess
Vidder PrecisionAccess Transparent Multi-Factor Authentication June 2015 910 E HAMILTON AVENUE. SUITE 430. CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview...
More informationSecurity Fundamentals for your Privileged Account Security Deployment
Security Fundamentals for your Privileged Account Security Deployment February 2016 Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216 Compromising privileged accounts is
More information