RID HIJACKING Maintaining Access on Windows Machines.
|
|
- Milton Manning
- 5 years ago
- Views:
Transcription
1 RID HIJACKING Maintaining Access on Windows Machines. Security Conference Bogotá, Colombia. 2018
2 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo (Metasploit vs Win10). 0x05. Conclusions.
3 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo. 0x05. Conclusions.
4 What is RID Hijacking? A new persistence technique that affects ALL Windows Systems since NT. (Haven t tried this on Windows 95 nor Phone ). A stealthy way to maintain access by only using OS resources. A method which takes advantage of important security issues found at the Windows Security Architecture. Not reliable on Domain Controllers (yet).
5 What does it do? This technique hijacks the RID of any existing user account on the victim host and assigns it to another one. SID <Guest Account> ========================================== S SID <Guest hijacked Administrator> ======================================== S RID HIJACKING
6 What does it do? 0x01. Assigns the privileges of the hijacked account to the hijacker one, even if the hijacked account is disabled. 0x02. Allows to authenticate with the hijacker account credentials (also remotely, depending on machine s configuration), and obtain authorized access as the hijacked user. 0x03. Permits to register any operation executed on the event log as the hijacked user, despite of being logged on as the hijacker one.
7 How does it look like? whoami net user Guest writing on System32 folder
8 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo. 0x05. Conclusions.
9 A Windows Logon Story
10 A Windows Logon Story
11 Windows Security Architecture Local Security Authority Subsystem <LSASS> Winlogon winlogon.exe LSA Server lsasrv.dll MSV1_0.dll kerberos.dll Others KDC Kdcsvc.dll SAM Server samsrv.dll AD Services ntdsa.dll HKLM\SAM AD DB LSA DB HKLM\SECURITY
12 Windows Security Architecture Local Security Authority Subsystem <LSASS> Winlogon winlogon.exe LSA Server lsasrv.dll MSV1_0.dll SAM Server samsrv.dll HKLM\SAM LSA DB HKLM\SECURITY
13 Quick Logon Overview User: Administrator Pass: iamgreen OK! WINLOGON & LSASS User: Group1: Group2: Privileges: - - ACCESS TOKEN Administrator S Everyone S Administrators S SRM READ: WRITE: File_X s DACL Everyone S Administrators S
14 Security Identifiers <SID> Literal prefix Three Sub Authorities for Uniqueness S Identifier Autority Sub Autority Indicating this class of ID Relative ID
15 Authentication Hi! ADMIN here. Pass: ilovegreen
16 Authentication Steps 0x01. WINLOGON Initialization. 0x02. WINLOGON calls LOGONUI (using CPs). 0x03. WINLOGON creates an unique LOGON SID. 0x04. WINLOGON calls LSASS and prepares a handle for an Authentication Package.
17 Authentication Packages List: HKLM\SYSTEM\CurrentControlSet\Control\Lsa For interactive logons: <MSV1_0.dll>: Standalone Authentication. <Kerberos.dll>: Domain Kerberos Authentication. Kerberos authentication package will be ignored by now.
18 Authentication Steps 0x05. WINLOGON sends logon info to the MSV1_0 calling LsaLogonUser. Logon Info: Username/Password. LOGON SID. MSV1_0 is also used on domain-member computers when are disconnected of the network.
19 Authentication Steps 0x06. MSV1_0 sends username and hashed password to the SAMSRV. 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. MSV1_0.dll Samsrv.dll HKLM\SAM
20 Authentication Steps 0x08. MSV1_0 checks the information obtained from the SAMSRV response. 0x09. If OK, MSV1_0 generates a LUID for the session. 0x0A. MSV1_0 sends the login information (including LUID) to LSASS. All the data sent will be used for the further access token creation.
21 Authorization HELLO 500. Creating your Access token
22 Authorization Steps 0x0B. LSASS checks the LSA database for the user s allowed access. 0x0C. LSASS adds the Groups, SIDs and privileges to the access token. 0x0D. LSASS formally creates a primary access token.
23 Authorization WELCOME ADMIN Here s your Access token
24 Authorization ACCESS GRANTED TOKEN
25 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo. 0x05. Conclusions.
26 Understanding the attack How is the user identified by the system after being successfully authenticated? S How does the system associate an username with his SID? Using the Samsrv.dll black magic :)
27 Remembering 0x06. MSV1_0 sents username and hashed password to the SAMSRV. 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. MSV1_0.dll Samsrv.dll HKLM\SAM
28 Remembering 0x06. MSV1_0 sents username and hashed password to the SAMSRV. How is the username associated with the SID? 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. What security info is retrieved? MSV1_0.dll Samsrv.dll HKLM\SAM
29 Samsrv.dll and SAM SAMSRV looks for the username at the SAM database. HKLM\SAM\SAM\Domains\Account\Users\Names
30 Samsrv.dll and SAM SAMSRV looks for the username at the SAM database. HKLM\SAM\SAM\Domains\Account\Users\Names Each key contains a REG_BINARY value.
31 Samsrv.dll and SAM SAMSRV looks for the username at the SAM database. HKLM\SAM\SAM\Domains\Account\Users\Names Each key contains a REG_BINARY value. The REG_BINARY has as Type the RID of the account.
32 Samsrv.dll and MSV1_0.dll SAMSRV looks for the key associated with the RID. HKLM\SAM\SAM\Domains\Account\Users
33 Samsrv.dll and MSV1_0.dll SAMSRV looks for the key associated with the RID. HKLM\SAM\SAM\Domains\Account\Users SAMSRV grabs all the data stored in the referenced key.
34 Samsrv.dll and MSV1_0.dll MSV1_0.dll SAMSRV looks for the key associated with the RID. SAMSRV grabs all the data stored in the referenced key. MSV1_0.dll receives back all the data from SAMSRV. Samsrv.dll
35 Understanding the attack Why does the SAM store only the RID?
36 Understanding the attack Why does the SAM store only the RID? S Consistent for all local users SIDs Relative
37 Understanding the attack Why does the SAM store only the RID? S Consistent for all local users SIDs Relative What info is retrieved from the SAM?
38 Understanding the attack Why does the SAM store only the RID? S Consistent for all local users SIDs Relative What info is retrieved from the SAM? Password s Hash. Account status (Active: Y/N). Some account restrictions. A copy of the user s RID.
39 Login as Guest Hi! GUEST here. Pass: sexygirl
40 Login as Guest Guest A85666C E19 E23AEEDAB77E108 MSV1_0.dll Samsrv.dll HKLM\SAM
41 Login as Guest Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll HKLM\SAM
42 Login as Guest Guest A85666C E19 E23AEEDAB77E108 Username: Guest 0x1F5 MSV1_0.dll Samsrv.dll HKLM\SAM
43 Login as Guest Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll 0x1F5 HKLM\SAM\SAM\Domains \Account\Users\0 1F5 HKLM\SAM
44 Login as Guest Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll 0x1F5 HKLM\SAM\SAM\Domains \Account\Users\0 1F5 A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F5 HKLM\SAM
45 Login as Guest Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll 0x1F5 HKLM\SAM\SAM\Domains \Account\Users\0 1F5 A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F5 A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F5 HKLM\SAM
46 Login as Guest (Case 1) GET OUTTA HERE!!!
47 Login as Guest (Case 1) GET OUTTA HERE!!! GUEST Account <0x1F5> cannot log on to this machine.
48 Login as Guest (Case 2) WELCOME guest Here s your Access token
49 Login as Guest (Case 2) Not but could be better!
50 What if? What would happen if the RID COPY is changed to another value?
51 What if? What would happen if the RID COPY is changed to another value? RID(Administrator) = d = 0x1F4
52 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 MSV1_0.dll Samsrv.dll Corrupted HKLM\SAM
53 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll Corrupted HKLM\SAM
54 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 Username: Guest 0x1F5 MSV1_0.dll Samsrv.dll Corrupted HKLM\SAM
55 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll 0x1F5 HKLM\SAM\SAM\Domains \Account\Users\0 1F5 Corrupted HKLM\SAM
56 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 Username: Guest MSV1_0.dll Samsrv.dll 0x1F5 HKLM\SAM\SAM\Domains \Account\Users\0 1F5 A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F4 Corrupted HKLM\SAM
57 Login as Guest (the comeback) Guest A85666C E19 E23AEEDAB77E108 Username: Guest 0x1F5 MSV1_0.dll Logon Process continues Samsrv.dll HKLM\SAM\SAM\Domains \Account\Users\0 1F5 A85666C E19 E23AEEDAB77E108 Restrictions A85666C E19 E23AEEDAB77E108 Restrictions Corrupted HKLM\SAM RID Copy: 0x1F4 RID Copy: 0x1F4
58 Login as Guest (the comeback) MSV1_0 checks the account restrictions provided from SAMSRV. A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F4 If allowed, then compares: MSV1_0.dll SAMSRV response password hash VS User entered hashed password
59 Login as Guest (the comeback) MSV1_0 checks the account restrictions provided from SAMSRV. A85666C E19 E23AEEDAB77E108 Restrictions RID Copy: 0x1F4 If allowed, then compares: MSV1_0.dll SAMSRV response password hash Hash will be the VS same User entered hashed password
60 Login as Guest (the comeback) Password: OK RID: 0x1F4 LUID LSASS MSV1_0.dll
61 Login as Guest (the comeback) Token source Impersonation type Token ID Authentication ID Modified ID Expiration Time Session ID Flags Logon session (LUID) Mandatory Policy Administrators Default DACL SID Creates the Access Token with RID 500 LSASS Password: OK RID: 0x1F4 LUID MSV1_0.dll Group 1 SID Group n SID Restricted SID 1 Restricted SID n Privilege 1 Privilege n
62 Login as Guest (the comeback) Token source Impersonation type Token ID Authentication ID Modified ID Expiration Time Session ID Flags Logon session (LUID) Mandatory Policy Administrators Default DACL SID Group 1 SID Group n SID Restricted SID 1 Restricted SID n Privilege 1 Privilege n RID HIJACKING Password: OK Before Creates the Access Token with RID 500 LSASS RID: 0x1F4 After LUID MSV1_0.dll
63 Login as Guest WELCOME guest Here s your Access token
64 Login as Guest ACCESS GRANTED TOKEN
65 SECURITY ISSUES 0x01. SAMSRV does not check if the RID associated with the user is consistent to the RID COPY. 0x02. LSASS does not corroborate the RID with the username before creating the access token. 0x03. LSASS never looks for RID inconsistencies during the user s session.
66 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo. 0x05. Conclusions.
67 Demonstration USER Windows 10 VICTIM Kali Linux ATTACKER Guest Unprivileged Interactive PsExec RDP
68 Agenda 0x01. Exposing the RID Hijacking Attack. 0x02. Windows Logon in a nutshell. 0x03. Hijacking the RID. 0x04. Demo. 0x05. Conclusions.
69 Conclusions
70 References Russinovich, Mark. Solomon, David A. Ionescu, Alex. Windows Internals. 6 th Edition. 3. Scambray, Joel. McClure, Stuart. Hacking Exposed: Windows Security Secrets & Solutions. 3 rd Edition
Outline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements
Outline Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Ratings System Components 2 Ratings TCSEC Rating Levels National Computer Center (NCSC) part of US Department of Defense
More informationSecurity. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik
Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Outline Ratings System Components Logon Object (File) Access Impersonation Auditing 2 Ratings National Computer Center (NCSC) part
More informationRoadmap for This Lecture
Windows Security 2 Roadmap for This Lecture Windows Security Features Components of the Security System Protecting Objects Security Descriptors and Access Control Lists Auditing and Impersonation Privileges
More informationUseful Hacking Series
Useful Hacking Series Welcome to the Useful Hacking Series, in this series of 20 Episodes our world-renowned penetration tester/international speaker will share with you the top useful tips used during
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos This talk is Based on Tim Madin
More informationServer. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2
Local and Domain Logon User accounts and groups Access tokens Objects and security descriptors The Register Some features in Windows 7 and Windows 8 Windows XP evolved from Windows 2000 Windows 10, 8,
More informationHow Windows Security Really Works?
Sami Laiho Senior Technical Fellow, MVP Adminize.com / Win-fu.com sami@adminize.com BLOG.WIN-FU.COM @samilaiho How Windows Security Really Works? Configuration Manager Sami Laiho Senior Technical Fellow
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Lab Setup AJLAB.COM: 2 Domain
More informationLast mile authentication problem
Last mile authentication problem Exploiting the missing link in end-to-end secure communication DEF CON 26 Our team Sid Rao Doctoral Candidate Aalto University Finland Thanh Bui Doctoral Candidate Aalto
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge
More informationAn Analysis of Local Security Authority Subsystem
An Analysis of Local Security Authority Subsystem Shailendra Nigam Computer Science & Engineering Department DIET, Kharar Mohali(Punjab) India. Sandeep Kaur Computer Science & Engineering Department BBSBEC,
More informationPass-the-Hash Attacks
Pass-the-Hash Attacks Mgr. Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 Microsoft Advanced Threat Analytics PtH Attack
More informationWindows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich
Windows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich Intro The objective of this exercise is to prove that gsecdump and msvctl actually work as prescribed. These tools can be used to reinject
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationPass-the-Hash Attacks. Michael Grafnetter
Pass-the-Hash Attacks Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 PtH History and Future 1988 Microsoft releases Lan
More informationServer Tailgating A Chosen- Plaintext Attack on RDP. - Eyal Karni - Yaron Zinar - Roman Blachman
Server Tailgating A Chosen- Plaintext Attack on RDP - Eyal Karni - Yaron Zinar - Roman Blachman Speaker Info Eyal Karni Security Researcher @ Preempt Yaron Zinar Lead Security Researcher @ Preempt Roman
More information29 March 2017 SECURITY SERVER INSTALLATION GUIDE
29 March 2017 SECURITY SERVER INSTALLATION GUIDE Contents 1. Introduction... 2 1.1 Assumptions... 2 1.2 Prerequisites... 2 2. Required setups prior the Security Server Installation... 3 1.1 Create domain
More informationAttacking and Defending Active Directory July, 2017
Attacking and Defending Active Directory July, 2017 About: Adam Steed - @aboy 20 years of experience in IAM, working for financial, websites, and healthcare organizations Associate Director Protiviti Security
More informationPassword Changer User Guide
Active@ Password Changer User Guide Copyright 1999-2017, LSOFT TECHNOLOGIES INC. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative
More informationConfigure advanced audit policies
7 LESSON Configuring Advanced Audit Policies 70-411 EXAM OBJECTIVE Objective 2.4 Configure advanced audit policies. This objective may include but is not limited to: implement auditing using Group Policy
More informationManaging User Roles and Users in LMS
7 CHAPTER This chapter explains the following: Managing Roles Managing Users Managing Roles A role is a collection of privileges that dictate the type of system access you have. The Manage User Roles workflow
More informationLogin und Authentifizierung
Login und Authentifizierung security aspects Confidentiality: data should not be read by unauthorized parties. Integrity: data should not be changed by unauthorized parties. Availability: data should be
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationComputers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady
Computers Gone Rogue Abusing Computer Accounts to Gain Control in an Active Directory Environment Marina Simakov & Itai Grady Motivation Credentials are a high value target for attackers No need for 0-day
More informationMAN-IN-THE-MACHINE: EXPLOIT ILL-SECURE COMMUNICATION INSIDE THE COMPUTER
MAN-IN-THE-MACHINE: EXPLOIT ILL-SECURE COMMUNICATION INSIDE THE COMPUTER Thanh Bui*, Siddharth Rao*, Markku Antikainen, Viswanathan Bojan*, Tuomas Aura* *Aalto University, Finland University of Helsinki,
More informationPerceptive Matching Engine
Perceptive Matching Engine Installation and Setup Guide Version: 1.0.x Written by: Product Development, R&D Date: March 2018 2018 Hyland Software, Inc. and its affiliates. Table of Contents Overview...
More information10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.
10 Active Directory Misconfigurations That Lead to Total Compromise hello@javelin-networks.com +1-888-867-5179 Austin, TX 201 W 5th St. 1. Group Policy Preferences Visible Passwords Group Policy Preferences
More informationHacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center
Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test Tyler Rasmussen Mercer Engineer Research Center About Me Cybersecurity Engineering Intern @ MERC Senior IT/Cybersecurity
More informationSingle Sign-On Showdown
Single Sign-On Showdown ADFS vs Pass-Through Authentication Max Fritz Solutions Architect SADA Systems #ITDEVCONNECTIONS Azure AD Identity Sync & Auth Timeline 2009 2012 DirSync becomes Azure AD Sync 2013
More informationActive Directory Attacks and Detection Part -II
Active Directory Attacks and Detection Part -II #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Key Takeaways How to
More informationActive Directory Validation - User Guide
2017-02-10 Orckestra, Europe Nygårdsvej 16 DK-2100 Copenhagen Phone +45 3915 7600 www.orckestra.com Contents 1 INTRODUCTION... 3 1.1 Who Should Read This Guide? 3 1.2 Getting Started 4 2 CREATING A CMS
More informationSecuring ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
More informationManaging WCS User Accounts
CHAPTER 7 This chapter describes how to manage WCS user accounts. It contains these sections: Adding WCS User Accounts, page 7-2 Changing Passwords, page 7-3 Deleting WCS User Accounts, page 7-3 Creating
More informationA Taste of SANS SEC 560: Adventures in High-Value Pen Testing
All Rights Reserved 1 Network Penetration Testing and Ethical Hacking A Taste of SANS SEC 560: Adventures in High-Value Pen Testing SANS Security 560 Copyright 2015, All Rights Reserved Version 2Q15 All
More informationKerio Migration Guide
IceWarp Unified Communications Kerio Migration Guide Version 12.0 Kerio Migration Guide 2 Contents Kerio Migration Guide... 4 For Windows Operation Systems Pre-Migration... 4 Migration... 8 GUI... 9 Command
More informationUser Inputs for Installation, Reinstallation, and Upgrade
APPENDIXA User Inputs for Installation, Reinstallation, and Upgrade This appendix provides information on the user inputs during Service Monitor installation, reinstallation, and upgrade. This appendix
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationn Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems
Outline n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems n Describe methods used to escalate privileges Chapter #5: n Describe methods used
More informationHunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio
Hunting Lateral Movement with Windows Events Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco $whoami Peruvian Recovering pentester, threat management lead @mvelazco Derbycon, Bsides, Defcon
More informationRadius, LDAP, Radius, Kerberos used in Authenticating Users
CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization
More informationIS 2150 / TEL 2810 Information Security and Privacy
IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access
More informationA Survey of Access Control Policies. Amanda Crowell
A Survey of Access Control Policies Amanda Crowell What is Access Control? Policies and mechanisms that determine how data and resources can be accessed on a system. The Players Subjects Objects Semi-objects
More informationIProtect Basic Installation Manual. (Distributed)
IProtect Basic Installation Manual INDEX (Distributed) 1. IIS Enable 2..Net Installation Procedure 3. SQL server express installation procedure 4. SQL management studio installation procedure 5. SAP crystal
More informationSTRS OHIO F5 Access Client Setup for ChromeBook Systems User Guide
STRS OHIO F5 Access Client Setup for ChromeBook Systems User Guide For assistance, please contact the ITS Service Desk at x4357 or 227-8633. Table of Contents First Time Use of Remote Access... 1 F5 Access
More informationNAVAL POSTGRADUATE SCHOOL Monterey, California THESIS WINDOWS XP OPERATING SYSTEM SECURITY ANALYSIS
NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS WINDOWS XP OPERATING SYSTEM SECURITY ANALYSIS by Meftun Goktepe September 2002 Thesis Advisor: Second Reader: Richard Harkins Cynthia Irvine Approved
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationOperating system security models
Operating system security models Unix security model Windows security model MEELIS ROOS 1 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects
More informationInstallation procedure of Naso CC for Grandstream UCM 61xx/6510
Installation procedure of Naso CC for Grandstream UCM 61xx/6510 Server requirements: Server: Operating system: Windows 7, 8, 8.1, 2008R2, 2012, 2012 R2 Minimum 4GB RAM Network card Processor minimum Core
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 2-22-14 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate NetWare OS targets
More informationPost-Exploitation with WCE v1.2
Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more Date: 01-07-2011 Author: Hernan Ochoa Windows Authentication h1 = LMHash( pwd1 ) h2 = NTHash( pwd1 ) SAM
More informationCross-realm trusts with FreeIPA v3
Cross-realm trusts with FreeIPA v3 Alexander Bokovoy, Andreas Scheider Alexander Bokovoy about:me Member of Samba Team since 2003 Principal Software Engineer, Red Hat FreeIPA project Andreas Schneider
More informationBITSInject. Control your BITS, get SYSTEM. Dor Azouri Security
BITSInject Control your BITS, get SYSTEM Dor Azouri Security Researcher @SafeBreach Background Intelligent Transfer Service 2 A couple more bits about BITS Available since 2001 (Windows XP) Most known
More informationWhat you need to know about Windows Security
DEV 213 What you need to know about Windows Security Whil Hentzen Hentzenwerke Corp. Who Am I? Software Developer: Hentzenwerke Corp. (17 yrs) Editor, FoxTalk Author (6 books) Publisher, The Essentials
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 1-11-17 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets
More informationKeywords: Pass the Hash, PtH, NTLM hash, Windows authentication, credential security
Pass the Hash Defense: Analysis of Strategies to Mitigate Weaknesses in Microsoft NTLM Authentication Andrew Coates and Stephanie Sanders Department of Computer Science and Electrical Engineering University
More informationMobile Secure Management Platform
Mobile Secure Management Platform Mobile Automation Security Analysis White Paper Document Revision 5.1 Document ID: MLMS security white paper 5.1.2.doc July 2, 2003 Prepared by: Revision History VERSION/RELEASE
More informationArcGIS for Server: Security
DevSummit DC February 11, 2015 Washington, DC Michael Sarhan Esri msarhan@esri.com Agenda Review Basic Security Workflow - ArcGIS Server Roles and Identity Stores - Authentication - Authorization: Securing
More informationStamp Out Hash Corrup/on, Crack All the Things!
Stamp Out Hash Corrup/on, Crack All the Things! Ryan Reynolds Manager, Crowe Horwath Pentester TwiAer: @reynoldsrb Jonathan Claudius SpiderLabs Security Researcher, Trustwave Vulnerability Research TwiAer:
More informationHacking in the Attack Kill Chain
Hacking in the Attack Kill Chain Håkan Nohre, Consulting Systems Engineer, GIAC GPEN #9666, CISSP #76731 Erkan Djafer, Consulting Systems Engineer, CISSP #535930 Chung-wai Lee, Cyber Security Partner Account
More informationEvent Log 101. What is Event Log? Windows version of syslog.
Event Log Analysis Event Log 101 What is Event Log? Windows version of syslog. Where are these artifacts located in? %SystemRoot%\System32\winevt\Logs %SystemRoot% is C:\Windows typically. 2 Event Log
More informationPROCEDURES FOR THE UPDATE VERSION OF SIREV
Documentation PROCEDURES FOR THE UPDATE VERSION OF SIREV 2016 Softvoyage - All Rights Reserved This manual is the propriety of Softvoyage Inc., and it may not be copied or reproduced, in whole or in part,
More informationNetworks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003
Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003 In Windows NT server, the user manager for domains is the primary administrative tool for managing user accounts,
More informationWindows authentication methods and pitfalls
Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks 1996-2013 - P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Updated 3-3-18 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets Introduction
More informationManaging External Identity Sources
CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other
More information<Insert Picture Here> Active Directory and Windows Security Integration with Oracle Database
1 Active Directory and Windows Security Integration with Oracle Database Santanu Datta ` Christian Shay Mark Wilcox Sr. Director Principal Product Manager Principal Product Manager
More informationInterested in learning more about security? Windows Logon Forensics. Copyright SANS Institute Author Retains Full Rights
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Windows
More informationChime for Lync High Availability Setup
Chime for Lync High Availability Setup Spring 2017 Copyright and Disclaimer This document, as well as the software described in it, is furnished under license of the Instant Technologies Software Evaluation
More informationRicoh Managed File Transfer (MFT) User Guide
Ricoh Managed File Transfer (MFT) User Guide -- TABLE OF CONTENTS 1 ACCESSING THE SITE... 3 1.1. WHAT IS RICOH MFT... 3 1.2. SUPPORTED BROWSERS... 3 1.3. LOG IN... 3 1.4. NAVIGATION... 4 1.5. FORGOTTEN
More informationMULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL. 31 January 2017
MULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL 31 January 2017 Contents 1 Introduction... 2 1.1 Prerequisite for configuring the multi-factor authentication:... 2 1.1.1 On the Guest side... 2 1.1.2
More informationA Process is No One: Hunting for Token Manipulation. Jared Atkinson & Robby Winchester
Jared Atkinson Robert Winchester A Process is No One: Hunting for Token Manipulation Jared Atkinson & Robby Winchester @jaredcatkinson Adversary Detection Technical Lead @ SpecterOps Developer: PowerForensics
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More information10 Ways Credit Unions Get PWNED
10 Ways Credit Unions Get PWNED NASCUS 2017 Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. Intro I am going to share with
More informationTPM v.s. Embedded Board. James Y
TPM v.s. Embedded Board James Y What Is A Trusted Platform Module? (TPM 1.2) TPM 1.2 on the Enano-8523 that: How Safe is your INFORMATION? Protects secrets from attackers Performs cryptographic functions
More informationRED IM Integration with Bomgar Privileged Access
RED IM Integration with Bomgar Privileged Access 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the
More informationCan Delete Shared Folder Windows 7 In User. Password >>>CLICK HERE<<<
Can Delete Shared Folder Windows 7 In User Password Later versions of Windows (Vista, 7, 8 and 8.1) have the Security tab visible at In Windows XP Home Edition, you can still make your own user profile
More informationConfiguring Remote Access using the RDS Gateway
Configuring Remote Access using the RDS Gateway Author: AC, SNE Contents Introduction... 3 Pre-requisites... 3 Supported Operating Systems... 3 Installing the I.T. Services Certificate Authority Root Certificate...
More informationOverview of Professional Quest Technologies
Overview of Professional Quest Technologies Professional Quest Web Architecture Professional Quest's utilizes a number of industry standard components in its web architecture. Server Web Pages For the
More informationOracle Database Security and Audit. Authentication and authorization
Copyright 2014, Oracle Database Security and Audit Beyond Checklists Authentication and authorization Copyright 2014, Learning objectives Understand authentication Understand authorization Understand the
More informationThe Important Details Of Windows Authentication
The Important Details Of Stefan Metzmacher Samba Team / SerNet 2017-05-04 https://samba.org/~metze/presentations/2017/sambaxp/ (2/1) Topics Windows Domains, Forests and Trusts Netlogon
More informationSecuring ArcGIS for Server. David Cordes, Raj Padmanabhan
Securing ArcGIS for Server David Cordes, Raj Padmanabhan Agenda Security in the context of ArcGIS for Server User and Role Considerations Identity Stores Authentication Securing web services Protecting
More information13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.
SECURE ACCESS MAN AG E R FIRST TIME LOGIN GUIDE A U T H O R : E X O S T A R D ATE: M A R C H 2 0 1 5 V E R S I O N : 3.0 1 S E C U R E A CCESS M A N A G E R SECURE ACCESS MANAGER OVERVIEW... 3 SUMMARY...
More informationLab E2: bypassing authentication and resetting passwords
Lab E2: bypassing authentication and resetting passwords TTM4175 September 7, 2015 The purpose of this lab is to learn about techniques for bypassing the authentication and access control of Windows and
More informationTECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2
HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS Version 2 CONTENTS Introduction... 7 Background information... 7 Requirements... 7 Network diagram... 7 VLANs... 8 Switch configuration... 8 Initial setup...
More informationDesktop LP - Connect Guide. Version 2.1 February 2016
Version 2.1 February 2016 Desktop LP - Connect Guide Copyright 2016 iwebgate. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system,
More informationBojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS
Laterally pwning Windows Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT Bojan.Zdrnja@infigo.hr INFIGO IS http://www.infigo.hr Who am I? Senior information security consultant at INFIGO IS Penetration testing (all
More informationThese selected protocol definitions are extremely helpful in learning the
Appendix B Protocol Definitions These selected protocol definitions are extremely helpful in learning the finer points of network protocols. This information is exposed under Network Monitor s Display
More informationManually Unlock User Account Windows 7 Standard
Manually Unlock User Account Windows 7 Standard This is an available way to unlock Windows 7 ultimate password by using USB and user. Here's how to create a User Account in Windows 8 and Windows 7: how
More informationContents Overview... 2 Part I Connecting to the VPN via Windows OS Accessing the Site with the View Client Installing...
CSEC 640 Lab Access Contents Overview... 2 Part I Connecting to the VPN via Windows OS... 2 Accessing the Site with the View Client... 2 Installing... 3 Launching Your Client... 4 Part II Windows Access
More informationUse offense to inform defense. Find flaws before the bad guys do.
Use offense to inform defense. Find flaws before the bad guys do. Copyright SANS Institute Author Retains Full Rights This paper is from the SANS Penetration Testing site. Reposting is not permited without
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More information3) Click the Screen Sharing option and click connect to establish the session
Preliminary steps before starting the experiment: 1) Click the Launch button to start the experiment. 2) Click OK to create a new session 3) Click the Screen Sharing option and click connect to establish
More informationPROXY Pro Web Console Operations v10.0. User Guide October 2017
PROXY Pro Web Console Operations v10.0 User Guide October 2017 Table of contents 1. Intro and Overview...5 Web Console Landing Page...6 Definitions...7 Account Users...9 Common Header Fields...10 Menu
More informationExtending Security Functions for Windows NT/2000/XP
Abstract Extending Security Functions for Windows NT/2000/XP Ing. Martin Kákona martin.kakona@i.cz S.ICZ a. s., J. Š. Baara 40, České Budějovice, Czech Republic The paper describes the possibilities of
More informationWe ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?
We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and
More informationWindows Authentication With Multiple Domains and Forests
Windows Authentication With Multiple Domains and Forests Stefan Metzmacher Samba Team / SerNet 2017-09-13 Check for updates: https://samba.org/~metze/presentations/2017/sdc/ Update from
More informationWindows Authentication With Multiple Domains and Forests
Windows Authentication With Multiple Domains and Forests Stefan Metzmacher Samba Team / SerNet 2017-09-13 Check for updates: https://samba.org/~metze/presentations/2017/sdc/ Update from
More informationWindows Access Control List (ACL) 2
What do we have in this session? Windows Access Control List (ACL) 2 1. Access Control Lists (ACLs) 2. Object-specific ACEs 3. Trustees 4. Access Rights and Access Masks 5. ACCESS_MASK 6. Access Mask format
More informationRemote Desktop Services
Remote Desktop Services AMERICAN INSTITUTES FOR RESEARCH AIR REMOTE DESKTOP SERVICES (RDS) GUIDE Overview Welcome to! can be accessed from a Windows computer, a Mac, and even a mobile device; such as an
More informationMicrosoft Unified Access Gateway 2010
RSA SecurID Ready Implementation Guide Partner Information Last Modified: March 26, 2013 Product Information Partner Name Web Site Product Name Version & Platform Product Description Microsoft www.microsoft.com
More information