Pass-the-Hash Attacks

Transcription

1 Pass-the-Hash Attacks Mgr. Michael Grafnetter

2 Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 Microsoft Advanced Threat Analytics

3 PtH Attack Anatomy Theft Use Compromise

4 Lateral and Vertical Movement

5 Mimikatz

6 Metasploit Framework

7 Metasploit Framework

8 DEMO Pass-the-Hash + RDP

9 LSASS NTLM Hashes

10 Passing the Hash

11 Stealing the Hash

12 Credentials Lifecycle / Attack Vectors

13 Credentials Lifecycle / Attack Vectors

14 Hashes in SAM/AD Authentication Method Hash Function LM DES NO NTLM, NTLMv2 MD4 NO Kerberos (RC4) MD4 NO Kerberos (AES) PBKDF2 (4096*HMAC_SHA1) Salted YES Digest MD5 YES

15 Active Directory Database - Offline Files C:\Windows\NTDS\ntds.dit C:\Windows\System32\config\SYSTEM Acquire Locally: ntdsutil IFM Remotely: WMI (Win32_Process), psexec Offline: VHDs, VMDKs, Backups Extract Windows: DSInternals PowerShell Module Linux: NTDSXtract

16 DEMO Extracting hashes from ntds.dit

17 Proactive Measures Encryption RODC Backup protection Regular password changes

18 Active Directory Database - Online MS-DRSR/RPC

19 DEMO Extracting hashes from ntds.dit

20 Proactive Measures Avoid using administrative accounts Do not run untrusted SW Do not delegate the right to replicate directory changes Use an application firewall / IDS

21 SAM Database Offline Files C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM Tools Windows Password Recovery Online Mimikatz

22 Online SAM Dump

23 Proactive Measures Bitlocker Randomize local Administrator passwords Restrict administrative access LSA Protected Process

24 GP Local Admin Password Management Solution

25 Restrict Local Admins - KB

26 Credentials Lifecycle / Attack Vectors

27 Windows Integrated Authentication

28 LSASS NTLM Hashes

29 LSASS Kerberos Keys

30 LSASS Kerberos Tickets

31 Memory Dump

32 Memory Dump

33 SSP Cached Creds (SSO)

34 Proactive Measures Enable Additional LSA Protection? Restrict administrative access Applocker/SRP whitelisting Protected Users group Restricted Admin RDP Authentication Policies and Silos Disable Automatic Restart Sign-On Do not submit minidumps

35 Enabling LSA Protected Process

36 Disabling LSA Protected Process

37 Protected LSA

38 Protected LSA

39 Bypassing the LSA protection

40 Debug Privilege

41 RestrictedAdmin RDP - KB

42 Credential Delegation Security vs. Comfort

43 Disable Wdigest SSO KB

44 Protected Users Group

45 Blacklisting?

46 Credentials Lifecycle / Attack Vectors

47 ARP Poisoning + NTLM Downgrade

48 Using the Hash/Key/Ticket

49 Passing the Hash

50 PTH Firefox

51 RDP NTLM Authentication

52 Kerberos Golden and Silver Tickets

53 Proactive Measures Disable NTLM Authentication Disable Kerberos RC4-HMAC Shorten Kerberos ticket lifetime Implement Smartcard Authentication

54 Strengthening Kerberos Security

55 Kerberos Ticket Lifetime

56 SmartCard Authentication

57 PtH Mitigation Strategies

58 NIST Framework for Improving Critical Infrastructure Cybersecurity

59 High-Value Accounts Admins Domain Adminis Enterprise Admin Schema Adminis BUILTIN\Administrators BUILTIN\Hyper-V Adminstrators Service Accounts SCCM, SCOM, DPM, Software Installation, BMC Accounts

60 Tier Model

61 Tier Model - Administrative logon restrictions

62 Authentication Policies and Silos

63 PtH Detection

64 Attack Graph

65 Events Authentication Success Failure Replication Traffic Group Membership Changes Process Creation

66 Audit Process Creation

67 Audit Process Creation

68 Audit Process Creation

69 Reactive Measures Change account passwords (including services!) Reset computer account passwords Disable+Enable smartcard-enforced accounts Reset KRBTGT account Implement countermeasures

70 Windows 10 + Windows Server 2016

71 Hypervisor Code Integrity protected by VSM

72 Device Guard

73 Privileged Access Management for AD

74 Microsoft Passport (FIDO) + Windows Hello

75 Microsoft Advanced Threat Analytics

76

77 Introducing Microsoft Advanced Threat Analytics An on-premises platform to identify advanced security attacks before they cause damage Detection for known attacks and issues Behavioral Analytics Advanced Threat Detection

78 Key ATA Benefits Speed Adaptability Simplicity Accuracy

79 What ATA Detects Security issues and risks Broken trust Weak protocols LDAP Simple Binds Known protocol vulnerabilities Malicious attacks Pass-the-Ticket (PtT) Pass-the-Hash (PtH) Overpass-the-Hash Golden Ticket MS-DRSR Attack DPAPI Backup Key Retrieval Abnormal Behavior Password sharing Anomalous logins Remote execution Lateral movement BruteForce Encryption Downgrade Forged PAC (MS14-068) Silver PAC (MS11-013) Skeleton key malware Kerberos Account Enumeration DNS Reconnaissance SMB Session Enumeration Massive Object Deletion

80 ATA Architecture

81 Alert Sample

82 Next Steps

83 Learn more about PtH Attacks

84 Have fun with the tools

85 Secure your network

86 Pass-the-Hash Attacks Mgr. Michael Grafnetter