Windows authentication methods and pitfalls

Transcription

1 Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication methods Windows stores hashes of locally entered passwords: LM or NTLM hashes historically, network authent. method has evolved: LAN Manager auth. protocol with LM Hash (< Windows NT) NTLMv1 auth. protocol with NTLM Hash (Windows NT) NTLMv2 auth. protocol with NTLM Hash (Windows NT SP4) Kerberos auth. protocol, with NTLM or pure ( Windows 2000) Windows 7: Default: LM & NTLMv1 disabled, NTLMv2 enabled User s password (NTLM hash) is converted to a pre-authentication encrypted key that is stored in the workstation's credential cache and can be used by whatever authentication provider is indicated for the logon type. Pure Kerberos possible with NTLM auth. completely disabled 2

2 Windows authentication methods (a long history of vulnerabilities) 3 EXAMPLE: Windows authentication (LM LAN Manager password hash) How the LM hash of a password is computed: 1. The user s password is converted into all uppercase letters 2. The password has null characters added to it until it equals 14 characters 3. The new password is split into two 7 character halves 4. These values are used to create two DES encryption keys, one from each half with a parity byte added to each to create 64bit keys. 5. Each DES key is used to encrypt a preset ASCII string (KGS!@#$%), resulting in two 8- byte (64bit) ciphertext values 6. The two 8-byte ciphertext values are combined to form a 16-byte (128bit) value, which is the complete LM hash 0. PassWord PASSWORD PASSWORD PASSWOR D PASSWOR1 D E52CAC67419A9A A852F61 6. E52CAC67419A9A A852F61 4

3 EXAMPLE: Windows authentication (LM hash vulnerabilities) encryption is based on DES weak key length password is converted to all uppercase, padded to fourteen characters, and split into two seven character halves from universe of possible passwords one gets to 69 7 LM passwords incredibly vulnerable to brute force cracking attempts 5 EXAMPLE: Windows authentication (NTLM NT LAN Manager password hash) How the NTLM hash of a password is computed: 1. The user s (case-sensitive) password passes three times through a hash function, to form a 16-byte (128bit) value, which is the complete NTLM hash NB: NTLM hash uses MD4 NB2: max password length 127-characters 0. PassWord h P = H 3 (PassWord123) = D5B87105D7FEC0F3BF500B33 6

4 EXAMPLE: Windows authentication (NTLM hash vulnerabilities) MD4 not perfect but stronger than DES, allows for longer password lengths, and for distinction between uppercase and lowercase letters and it does not split the password into smaller, easier to crack chunks. Number of 127-character passwords 4.9* objective: EXAMPLE: Windows authentication protocol: 1. A wants to login to server S 2. S sends nonce Xs 3. A computes two sets of 3 DES keys from the hpx Pad = 128b+40b = 3x56b 4. A computes two 24B=192b=3x64b LM and NT responses RLM, RNT, each encrypting Xs three times with K1,2,3 5. A sends RLM and RNT responses to S 6. S performs the operations in 3 and 4 on its stored hpx hashes and Xs and checks (NTLMv1 login) unilateral authentication by cryptographic checksum between A and S remote authentication used in Windows notation : A has secret password P symmetric crypto (DES) is used to encrypt challenge and response material A and S share two secrets, the password hashes hpl and hpn respectively the LM- and NThash (LM used for legacy), and hence the three DES keys derived from each of them (K1L, K2L, K3L and K1N, K2N, K3N) S generates random nonce Xs secret hpl and hpn,pad is 5 0-bytes 1. A S <A, login> 2. S A Xs 3. A hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N 4. A RLM= f(hpl,xs)= E K1L(Xs) E K2L(Xs) E K3L (Xs) RNT= f(hnt,xs)= E K1N(Xs) E K2N(Xs) E K3N (Xs) 5. A S RLM RNT 6. S RLM RNT ok? 7. S A You re logged on 8

5 EXAMPLE: Windows authentication (NTLMv1 vulnerabilities) unilateral, challenge only defined by server, allows spoofing attack and reflection attack pre-computation attacks possible 10 objective: EXAMPLE: Windows authentication (NTLMv2 login) mutual authentication by cryptographic checksum between A and S remote authentication used in Windows notation : A has secret password P in domain D, global time available HMAC-MD5 is used to process challenge and response material (H in protocol listing) A and S share one secret, the NTLM password hash hpn A and S generate random 64-bit nonces Xa and Xs protocol: 1. A wants to login to server S 2. S sends nonce Xs 3. A computes NTv2-hash with HMAC-MD5 using NT-hash hpn as key. 4. A computes two response blocks with HMAC- MD5 using hntv2 as key. 24B LMv2 and 16B NTv2. 5. They are sent concatenated with Ablob containing nonce Xa, timestamp Ta, domain D, and header data 6. S performs the operations in 3 and 4 on its stored hpn hash, Xs, Ablob and checks secret hpn, Ablob= <Xa, Ta, D, header> 1. A S <A, login> 2. S A Xs 3. A hntv2 = H(hPN, A D) 4. A LMv2= H(hNTv2, Xs Xa) Xa NTv2= H(hNTv2, Xs Ablob) 5. A S LMv2 NTv2 Ablob 6. S LMv2 NTv2 Ablob ok? 7. S A You re logged on 11

6 EXAMPLE: Windows authentication (NTLMv2 vulnerabilities) immune to replay attacks due to timestamp partially mitigates reflection attack due to (keyed) crypto checksum and cli ID included therein Windows don t use salting: worthwhile to break passwords in one machine expecting to escalate to other machines in domain, e.g. using rainbow tables but pre-computation attacks more difficult because hashed response depends both on srv and cli nonce (and current time for NTv2 resp.) but see work of Ochoa on weak nonces 13 Windows authentication methods (attacks) 14

7 RECALL: Spoofing (interposition) Alice Spoofer Malicious Code Bob Modus operandi: malicious host intercepts communications between two participants, reading and/or changing its contents dynamically Some examples: e.g., insertion/deletion or replay of whole messages on-the-fly modification of message content appending malicious code to downloads or messages 15 Windows authentication NTLMv1 vulnerability and attack : (THREAT: spoofed server) challenge is unilaterally chosen by server spoofed server M will have its own rainbow table of DES Ek(X)=f(K) for a fixed X, i.e. the result of Ek(X) for all or many possible keys K spoofer M chooses and sends conveniently Xs=X, receives the several E Kxy(X) responses solution: use NTLMv2, where server and client mutually exchange challenges 1. A M <A, login> 2. M A X secret hpl and hpn,pad is 5 0-bytes 3. A hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N 4. A R1= E K1L(X) E K2L(X) E K3L (X) R2= E K1N(X) E K2N(X) E K3N (X) 5. A M R1 R2 6. M Looks up each E Kxy(X) in table and recovers all Kxy 7. M all Kxy + Pad => hpl, hpn disclosed 16

8 Windows authentication NTLMv1 (THREAT: spoofed server) Mallory creates a rainbow table preparing for attack Mallory impersonates Trent, an honest server, and attacks A trying to get access to its password hashes hpl, hpn rainbow table for X K Y 1. E1(X) 2. E2(X) k Ek(X) [X] spoofed session (A to M) 1. A M <A, login> 2. M A X secret hpl and hpn,pad is 5 0-bytes 3. A hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N 4. A R1= E K1L(X) E K2L(X) E K3L (X) R2= E K1N(X) E K2N(X) E K3N (X) 5. A M R1 R2 6. M Looks up each E Kxy(X) in table and recovers all Kxy 7. M all Kxy + Pad => hpl, hpn disclosed 17 RECALL: Reflection (challenge-challenge-response) Trudy <Xs?> <Xs?> <Xs> Server <Xs!> Modus operandi : malicious host resends messages sent by peer, or initiates cross-coupled sessions, trying to confuse its peer into mistakenly giving access or info Some examples : challenge-response authentication on a server 18

9 Windows authentication NTLMv1 vulnerability and attack : (THREAT: reflection attack) challenge is unilaterally chosen by server malicious server M poses as actual server accepting client A connection request meantime, M opens reflected session posing as client to the actual client A M uses challenge received from A as its own challenge to A in primitive session, and waits for A s response M uses A s response as its own response in reflected session since response is f(hpl,xa), A will check positively, and grants access to M solution: use NTLMv2, where server and client mutually exchange challenges and client ID is hashed inside HMAC 1. A S <A, login> 2. S A Xs secret hpl and hpn,pad is 5 0-bytes 3. A hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N 4. A RLM= f(hpl,xs)= E K1L(Xs) E K2L(Xs) E K3L (Xs) RNT= f(hnt,xs)= E K1N(Xs) E K2N(Xs) E K3N (Xs) 5. A S RLM RNT 6. S RLM RNT ok? 7. S A You re logged on 19 Windows authentication NTLMv1 (THREAT: reflection attack) Mallory impersonates Trent, Mallory attacks A trying an honest server to get access spoofed session (A to M) reflected session (M to A) 1. A M <A, login> 2. M A Xa secret hpl and hpn,pad is 5 0-bytes Mallory Mallory suspends continues this session this session 3. A hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N 4. A RLM= f(hpl,xa)= E K1L(Xa) E K2L(Xa) E K3L (Xa) RNT= f(hnt, Xa)= E K1N(Xa) E K2N(Xa) E K3N (Xa) 5. A M RLM RNT 6. RLM RNT ok? 7. M A You re logged on 1. M A <M, login> 2. A M Xa 5. M A RLM RNT... and starts another one... : secret hpl and hpn,pad is 5 0-bytes hpl Pad K1L K2L K3L hpn Pad K1N K2N K3N RLM= f(hpl,xa)= E K1L(Xa) E K2L(Xa) E K3L (Xa) RNT= f(hnt, Xa)= E K1N(Xa) E K2N(Xa) E K3N (Xa) 6. A RLM RNT ok? 7. A M You re logged on Mallory finishes attack 20

10 Getting LM,NTLM hashes hpl or hpn where from: Memory: during process run time Disk: available throughout a reboot of the operating system Network: sniffing encrypted LM/NTLM dialogues by whom: Admin-level privileges on a machine Local Security Authority Security Accounts Manager enabling scenarios: 1. Accounts that are on the system (e.g. initial set-up, incl. sys_admins who have logged on previously) 2. User B who uses workstation of user A (physical access) 3. User B who uses workstation of user A (remote desktop) 4. User B who uses VNC to remotely access session of user A 5. Credentials provided for "run as..." 6. Credentials provided for mounting a share ( net use...") 22 Using LM,NTLM hashes Brute-Force, Dictionary-Attack may take a long time (TYP: LM hashes are cracked within a few hours and NTLM hashes within a few days or weeks) Rainbow-Table Attack pre-computed hashes stored in online files, can be looked up within seconds. Pass-The-Hash Attack immediate, ready-to-use credentials, no need to recover the plaintext password as previous two 23

11 Pass-the-hash attack on Windows Pass-the-hash allows an attacker to use LM & NTLM hashes to authenticate to a remote host (using NTLM auth) without having to brute-force those hashes to obtain the cleartext password was we saw earlier, Windows domain computers keep a cache of the LM & NTLM hashes used in previous logons, either/both in LASS and SAM, so that in offline-mode the user can still logon 24 RECALL: Spoofing (credential forwarding) Alice Spoofer h(pbob) ACCbob h(pbob) I m Bob. Modus operandi : malicious host steals/recovers/extracts stored or transmitted credencials from legitimate users and passes them on to third parties, impersonating those users Some examples : pass-the-hash attack 27

12 Windows authentication NTLMvx (THREAT: pass-the-hash-attack) Alice 3. User supplies Username and Password 1. Client attempts to access resource 2. Server sends authentication challenge Server 4. Supplied Password is transformed into hash 5. Response composed from hash sent to server f(hp(alice)) 7. Server grants access to resource 6. Server checks response against its stored hash copy 28 Windows authentication NTLMvx (THREAT: pass-the-hash-attack) Mallory 3. Mallory supplies Username and stolen hp(alice) 1. Client attempts to access resource 2. Server sends authentication challenge Server 5. Response composed from hash sent to server f(hp(alice)) 7. Server grants access to resource to Mallory, thinking it s Alice 6. Server checks response against its stored hash copy (of Alice) 29

13 Windows authentication methods (mitigation) very difficult to defend against there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate their privileges and then carry out the hash harvesting that facilitates the attack However, better than nothing is Least-privilege security principle low privileges to normal users separate accounts for admins to log on regular machines Monitoring Privilege Use (System Log) Anti-Virus Process Education checklists of do s and don ts in admin work 30 Windows authentication methods (mitigation) Protect your password hash Patch-Management (prevent first compromise) Hardening (limit exposure, disable at least LM, NTLMv1) Cached Domain Logons Number of previous logons to cache: 1 Logon Local SAM Credentials Do not store LAN Manager hash value on next password change Active LSA Session Credentials Send NTLMv2 response only. Refuse LM & NTLM Windows 7, Windows 2008 R2: NTLM can be disabled altogether 31