Testing Pentest

February 13, 2023 | Author: Anonymous | Category: N/A

Pentesting Windows Domains: Active Directory security model and weaknesses. 2017-01-09 | Jean MARSAULT

 

AGENDA

/ 01 Introduction
/ 02 The Active Directory model & Windows domains
/ 03 Pentesting Windows domains for fun and profit
/ 04 Conclusions

confidential |

© WAVESTONE

2

 

01 / Introduction

 

PENTESTING WINDOWS DOMAINS - ACTIVE DIRECTORY SECURITY MODEL AND WEAKNESSES

C:\> whoami
/ Jean MARSAULT - EURECOM 2014 - Security track
/ Pentester & consultant at Wavestone (formerly known as Solucom)
/ Digital forensics & incident response with the CERT-W
/ @iansus on: Root-me, w3challs, Newbiecontest, etc. Ask me if interested

 

Microsoft Windows history

/ User-oriented operating system: easy to use, no technical knowledge needed
/ Up to 80% coverage of large corporations' information system
/ Workstations: Windows XP, Windows 7, Windows 8.1, Windows 10
/ Servers: Windows Server 2003, 2008R2, 2012R2, 2016

Brief history of user versions (timeline on the slide): 1.x / 2.x - 1989, 3.x - 1993, then 2001, 2007, 2009, 2012, 2015

 

Microsoft Windows - use cases

Two separate OS branches: workstations and servers.

Personal use ("Home edition"):
/ Cheaper
/ Fewer security features
/ Fewer configuration parameters

Company use:
/ More expensive
/ Best security features
/ More customizable
/ Able to join or create a Windows domain

Today we will focus on this case.

 

Some vocabulary - Windows specific components

Filesystem:
/ NTFS
/ Discretionary access control lists (DACL)

Registry:
/ Used for configuration storage at user or machine scope

Users and groups:
/ In-memory database with ACL when OS is up
/ Stored on the filesystem when the OS is powered off
/ Every user and group gets a security identifier (SID)
/ SIDs are used in DACL
/ SIDs allow complex group / user architecture by inclusion

Processes:
/ Process list is similar to Unix
/ Access tokens to perform operations
/ Integrity levels to secure inter-process actions

Services:
/ Similar to daemons on Unix systems
/ Can be scheduled to start at boot
/ User account used can be configured

Remote use:
/ Remote procedure call (RPC) for service interaction
/ Simple Message Block (SMB) for remote file access
/ Remote Desktop Protocol (RDP) for remote GUI access (~ ssh -X)

 

02.1 / The Active Directory model & Windows domains: Before joining a domain

 

User accounts and groups

/ Each account and group is mapped to a Security Identifier (SID)
  › e.g. S-1-5-21-3669152439-339947406-2872813669-500
/ Default accounts:
  › User accounts: Administrator, Guest
  › Service accounts: SYSTEM, Local Service, Local network, etc
/ Default groups: Local administrators, Remote desktop users, etc
/ Groups can include other groups and / or users, through SIDs
/ SIDs are used in Discretionary Access Control Lists (DACL), which are a complex combination of:
  › Fine-grain rights segmentation
  › Ordered allow / deny attribution of these rights to user or group SIDs
/ Some accounts have high privileges and are ideal targets for privilege escalation:
  › SYSTEM is equivalent to root
  › Administrator (SID XXXX-500) and members of the "Local administrators" group can become SYSTEM without password
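The SID on the slide is worth being able to read by hand and by script: the last sub-authority (the RID) is fixed for the built-in principals, so an ACL or group listing can be screened for entries that resolve to privileged accounts. The following is an added example, not code from the deck; it parses both the string form shown above and the binary layout used inside ACLs, and the sample SIDs at the bottom are constructed (the first one is the slide's example).

```python
"""Security Identifier (SID) parsing and privileged-RID spotting.

Added example, not part of the original slides: it parses the string form
shown on the slide (S-1-5-21-...-500) and the binary form found in ACLs, and
flags the well-known privileged RIDs so that entries referencing them can be
reviewed. Sample SIDs are constructed.
"""
import struct

# Relative identifiers (last sub-authority) fixed across every domain. The slide
# names Administrator (RID 500); the others are the standard built-in RIDs.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
PRIVILEGED = {"Administrator", "krbtgt", "Domain Admins", "Enterprise Admins"}


def parse_sid_string(sid: str):
    """Split 'S-R-A-S1-S2-...' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauths) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subauths


def sid_to_binary(sid: str) -> bytes:
    """Binary layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    revision, authority, subauths = parse_sid_string(sid)
    header = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subauths), *subauths)


def parse_sid_binary(blob: bytes) -> str:
    """Inverse of sid_to_binary, with the length checks a real ACL parser needs."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def describe_sid(sid: str) -> dict:
    """Domain SIDs look like S-1-5-21-<three numbers>-<RID>; the RID alone tells
    whether the entry is one of the fixed privileged principals."""
    _, authority, subauths = parse_sid_string(sid)
    is_domain = authority == 5 and len(subauths) == 5 and subauths[0] == 21
    rid = subauths[-1] if subauths else None
    name = WELL_KNOWN_RIDS.get(rid) if is_domain else None
    return {
        "sid": sid,
        "domain_sid": "S-1-5-21-%d-%d-%d" % tuple(subauths[1:4]) if is_domain else None,
        "rid": rid,
        "well_known": name,
        "privileged": name in PRIVILEGED,
    }


def privileged_entries(sids) -> list:
    """Return the SIDs of an ACL or group listing that resolve to privileged RIDs."""
    return [s for s in sids if describe_sid(s)["privileged"]]


if __name__ == "__main__":
    # Constructed sample: the slide's SID, an ordinary domain user, and the local SYSTEM SID.
    for s in ["S-1-5-21-3669152439-339947406-2872813669-500",
              "S-1-5-21-3669152439-339947406-2872813669-1105",
              "S-1-5-18"]:
        print(describe_sid(s))
```

The binary form matters because DACLs and the SAM store SIDs that way; round-tripping through `sid_to_binary` / `parse_sid_binary` is the quickest way to check a parser against the string form you can read.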

 

User password storage

/ Windows has been using two hash functions to store passwords:
  › LM (Lan Manager) hash function, known to be weak and now deprecated (Windows stores only LM(""))
  › NTLM hash function, based on MD4 and still used in the most recent versions of the OS
/ Accounts' NTLM hashes are stored in the registry (in-memory while powered on) in the Security Account Manager (SAM) hive
/ When powered off, this hive is located under C:\Windows\System32\config\sam

 

Why Windows domains?

Computers outside domains exhibit the following drawbacks in a company environment:
/ They can't be managed on a large scale except with handmade scripts
/ Local administrator users have full control over their workstation
/ The system is not natively compatible with centralized Identity Access Management (IAM), including:
  › Centralized employee and resource directories
  › Enterprise Public Key Infrastructure (PKI) and smartcards
/ Information Systems require the ability to act on the whole system at once, which is not possible on such workstations

 

02.2 / The Active Directory model & Windows domains: Sneak peek of Windows domains

 

The hidden truth behind Active Directory

/ Windows servers can be configured to take many roles: DNS server, network share, Certification Authority, etc
/ One of these roles is the "Active Directory" and has a central place in Windows domains
/ Active Directory (AD) is Microsoft's implementation of the Lightweight Directory Access Protocol (LDAP), which allows:
  › Maintaining a centralized directory of users, groups, resources, etc
  › Implementing centralized authentication mechanisms
  › Building the base of many features that can be used in Windows domains
/ The Active Directory stores users, computers, etc as objects, which:
  › Follow a predefined schema, also stored in the Active Directory
  › Define a number of properties as dictated by the object schema

 

Finally defining "Windows domain"

A "domain" is the name given to a collection of:
/ Windows servers (running on Windows Server 20xx)
/ Windows workstations (running on Windows Vista, 7, 8.x, 10, etc)
/ One or more servers hosting a centralized Active Directory service: the domain controllers, used for:
  › Centralized authentication
  › Centralized authorization

(Diagram: the domain controller exposes the Active Directory to the domain's servers and workstations.)

 

What can we do with it?

/ Centralized identity management and authentication:
  › Domain user accounts working on any domain workstation / server in addition to local accounts
  › One password to rule them all
  › Account is either COMPUTER\user (local) or DOMAIN\user (domain)
/ Access to centralized resources, including:
  › File sharing servers (network shares)
  › Enterprise PKI (enabling smartcard logon): Certification Authorities, CRL distribution points, OCSP responders, etc
/ Centralized management:
  › Domain administrators can define Group Policy Objects (GPO) or Group Policy Preferences (GPP)
  › They will apply to every object in an admin-defined subset of users / computers
  › It allows large scale configuration of the workstations and servers, on-the-fly propagation of new parameters
  › Group policy cannot be permanently overridden, even by local administrators
/ Easy creation of role-defined servers, for example:
  › DNS servers (FQDN is set as a property of the computer object)
  › Web servers relying on the domain users' identity and rights

 

02.3 / The Active Directory model & Windows domains: Authentication on Windows domains

 

Domain users' password storage

/ Domain users use centralized authentication to log on to domain computers
/ Password storage must be centralized
/ NTLM hashes are stored in the "ntds.dit" file present on domain controllers

 

Standard authentication on domains

(Diagram: the workstation, logged on as KIWI\Benjamin, sends "???" to the domain controller (DC), which answers OK.)

/ The DC only knows my NTLM hash and not my password
/ What is sent by the workstation to the DC so I can be authenticated?
  › Password to be hashed? No
  › NTLM hash? No
  › This would be sensitive information sent over the network
/ We need a way of proving the knowledge of the password without sending it

 

Introducing the NTLM challenge/response protocol

/ The goal of this authentication protocol is to prove the knowledge of the NTLM hash of my password
/ You would be able to prove your knowledge of the password itself, but the DC does not know it

(Diagram: Authentication request -> Random challenge -> Response -> Authentication granted)

/ Example of NTLMv1:
  › [NTLM + padding] split into K1, K2 and K3
  › R = DES(C, K1) | DES(C, K2) | DES(C, K3)
  › Password = waza1234, NTLM = CC36CF…46158B1A, challenge C = A4FE815C, response R = B50F926D; the DC computes the same R from the stored NTLM hash and answers OK

 

Advanced authentication with Kerberos

/ Kerberos is an authentication protocol designed by the MIT in the 80s
/ It relies on tickets distributed by the Kerberos Distribution Center (role often borne by the DC) and consumed by target servers. Some vocabulary:
  › TGT = Ticket Granting Ticket
  › TGS = Ticket Granting Service, which generates Service Tickets
  › Service server, consuming these tickets

(Diagram: the user (10.0.0.2) authenticates to the DC / KDC (10.0.1.1) and requests a TGT; the DC answers "Authentication OK" with the TGT. The user then presents the TGT and requests a TGS for service [email protected]; the KDC returns the service ticket [email protected], which the user presents to the service server (10.0.1.2).)

 

Authentication: specific cases

/ Computers can be configured to cache domain credentials in the registry in the event the DC cannot be reached
  › Usually laptops, less frequently workstations
  › Usually not servers
  › Storage format used is "mscachev2", hard to break, but can still be beaten by dictionaries on weak passwords:
    » DCC1 = MD4(NTLM | username)
    » DCC2 = PBKDF2(HMAC_SHA1, 10240 iterations, text = DCC1, salt = username)
/ Users can rely on other authentication methods including:
  › Smartcard logon: the correct PIN unlocks access to the NTLM hash which is then used to generate a Kerberos TGT
  › Windows Hello: use of biometric features (smile, etc) to unlock access to the hash
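The three formulas given so far (NTLM = MD4 of the password, the NTLMv1 split of [NTLM + padding] into K1, K2, K3 on the challenge/response slide, and the DCC1/DCC2 derivation above) are short enough to implement end to end, which makes two defensive points concrete: why NTLMv1 has to stay disabled (K3 contains only two bytes of the hash) and why mscachev2 is slow to attack by dictionary (10240 PBKDF2 iterations per guess). This is an added example, not code from the deck: MD4 is written out from RFC 1320 because hashlib's MD4 depends on OpenSSL's legacy provider, and the lowercased UTF-16LE encoding of the username in the cache computation is an assumption the slide does not state.

```python
"""NTLM hash, NTLMv1 DES key split and mscachev2 (DCC2) derivation.

Added example, not from the original slides. It implements the formulas the
deck states: NTLM = MD4(UTF-16LE(password)); NTLMv1 keys K1, K2, K3 cut from
[NTLM + padding]; DCC1 = MD4(NTLM | username) and
DCC2 = PBKDF2(HMAC-SHA1, 10240 iterations, text = DCC1, salt = username).
MD4 is written out (RFC 1320) because hashlib's MD4 needs OpenSSL's legacy
provider. Assumption not on the slide: the username is lowercased and encoded
as UTF-16LE before use, as Windows does when computing the cache entry.
"""
import hashlib
import struct

_M = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three 16-step rounds over each 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, X index order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4                          # word updated: a, d, c, b, a, ...
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rol((v[t] + fn(x, y, z) + X[order[i]] + const) & _M, shifts[i % 4])
        state = [(s + w) & _M for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> bytes:
    """NTLM = MD4 of the UTF-16LE password (unsalted, so equal passwords hash alike)."""
    return md4(password.encode("utf-16le"))


def des_key_from_7_bytes(seed: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each plus an odd-parity bit (DES key layout)."""
    bits = int.from_bytes(seed, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        out.append((seven << 1) | (0 if bin(seven).count("1") % 2 else 1))
    return bytes(out)


def ntlmv1_des_keys(ntlm: bytes) -> list:
    """[NTLM + 5 zero bytes] = 21 bytes -> K1, K2, K3 (7 bytes each), expanded to DES keys.
    K3 carries only 2 hash bytes: 16 secret bits, the reason NTLMv1 must stay disabled."""
    padded = ntlm + b"\x00" * 5
    return [des_key_from_7_bytes(padded[i:i + 7]) for i in (0, 7, 14)]


def ntlmv1_k3_search_space(ntlm_len: int = 16) -> int:
    """Number of K3 candidates, from the layout: only the hash bytes past offset 14 are secret."""
    secret_bytes = max(0, ntlm_len - 14)
    return 2 ** (8 * secret_bytes)


def mscache_v2(password: str, username: str, iterations: int = 10240) -> bytes:
    """DCC2 from the slide: DCC1 = MD4(NTLM | username); DCC2 = PBKDF2-HMAC-SHA1(DCC1, username)."""
    user = username.lower().encode("utf-16le")      # assumption: lowercased UTF-16LE
    dcc1 = md4(ntlm_hash(password) + user)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, dklen=16)


if __name__ == "__main__":
    h = ntlm_hash("waza1234")                       # the slide's sample password
    print("NTLM:", h.hex())
    print("K3 DES key:", ntlmv1_des_keys(h)[2].hex(), "candidates:", ntlmv1_k3_search_space())
    print("DCC2:", mscache_v2("waza1234", "benjamin").hex())
```

The last five bytes of the K3 DES key are always the parity-only value 0x01, whatever the password: a verifier holding R's third block has 65536 keys to try, which is why `LmCompatibilityLevel` should refuse NTLMv1 responses. By contrast each DCC2 guess costs 10240 HMAC-SHA1 iterations, so cache-entry cracking is only practical against weak passwords, as the slide says.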

 

Introducing Mimikatz

/ Windows authentication relies on credential providers:
  › They cache credentials (optionally encrypted) to provide Single Sign-On (SSO) capabilities
  › The OS must be able to decrypt encrypted credentials in a transparent way for the user
  › Credentials include: cleartext passwords, NTLM hashes, Kerberos TGT & TGS
  › These credentials are present in the memory of the lsass.exe process
/ Benjamin "gentilkiwi" Delpy has developed the "Mimikatz" tools, which run with local admin privileges and:
  › Request the "SE_DEBUG" privilege and query the lsass.exe process memory
  › Rely on Windows API to decrypt encrypted credentials
  › Print out credentials for accounts that logged on the computer since its last shutdown

 

03 / Pentesting Windows domains for fun and profit

 

Technical terms

Some interesting domain users and groups:
/ DOMAIN\Domain Admins: domain group which is included in every server and workstation local administrators group
/ DOMAIN\Administrator: default domain administrator account included in the "Domain Admins" group
/ DOMAIN\krbtgt: domain user whose NTLM hash is used to digitally sign Kerberos tickets

Some useful vocabulary:
/ Group Policy Objects (GPO): user or computer configuration elements set on the DC that frequently apply to the computers in the domain
/ Rootie: action of taking a flipped selfie while becoming a "Domain Admins" member in an unauthorized way

 

Mission briefing

(Diagram: from "You", the path to "Domain Admin" goes through the Exploit phase (authentication bypass, local privilege escalation) and then the Post-exploit phase across the DOMAIN (hash dumping, pivoting and lateral movement, ticket forgery, etc).)

 

03.1 / Pentesting Windows domains for fun and profit: Authentication bypass and local privilege escalation techniques

 

Attack - Pre-logon SYSTEM shell using "Utilman"

/ Utilman.exe is a small executable giving the "Ease of access" menu
/ As it can be launched pre-logon, it executes using the SYSTEM account
/ Mounting the disk from a live USB allows replacing Utilman.exe by cmd.exe
/ You can open a shell using the SYSTEM account by clicking a button!
/ You can add local administrator accounts from this console

 

Mitigation - Pre-logon SYSTEM shell using "Utilman"

/ Attacker managed to tamper with system executables
/ Potentially more damage could come from mounting the Windows disk:
  › Changing SAM / MsCachev2 entries
  › Replacing local credential provider DLL libraries (see mimilib)
/ If the disk is encrypted, access to it from a live USB system is prevented
/ Most used solution is now Bitlocker, provided (not free) by Microsoft; others exist (Truecrypt / Veracrypt)
/ Relies on the Trusted Platform Module (integrated chip with secret protection and caller access control)
/ Unencrypted Microsoft system partition accesses the TPM, optionally asking for the user PIN, and retrieves the decryption keys
/ Access to the disk goes through the Bitlocker subsystem
/ Decryption keys can be recovered from memory dumps, and utilities such as bdemount allow mounting encrypted volumes when provided the keys

 

Attack - Easy CVE exploit - example with MS16-032

/ One of many exploits against Windows, with some pluses:
  › Directly opens SYSTEM shell
  › PowerShell-based, no executable needed => harder to block or detect
  › Only requirement is having at least a 2-core processor

 

Attack - Advanced CVE exploit - rogue domain controller

/ Attacker has no account on the target system, and disk may be encrypted (without user PIN though)
/ Original exploit in 2015: use a fake domain controller, set a fake password on the target user as expired
  › The lock screen will accept the fake password
  › It will ask the user to set a new one
  › This will poison the MsCachev2 local database
  › As long as the real DC is unreachable, authentication will be granted on the computer
  › Relies on Kerberos, but tickets are verified after password change and cache poisoning
/ This was only auth bypass; privilege escalation presented by Belgian researchers @ Hack in Paris 2K16:
  › Remember GPO?
    » User and computer configuration elements
    » Can impact predefined Windows parameters
    » Some elements, for example company-specific, require a script to be executed
    » For computer configuration, scripts execute as SYSTEM
  › Set a GPO launching cmd.exe on target system
    » Quite easy on Windows 7
    » Required harder work with domain SIDs on Windows 10 but still a success

 

Mitigation - CVE exploit

/ Both examples relied on the exploitation of public vulnerabilities that have been patched
/ The main mitigation strategy is the IT golden rule: keep your systems up-to-date
/ Other hardening solutions can be used to increase protection against 0-days:
  › Executable whitelisting - AppLocker, restrictions on:
    » Executable digital signature
    » Executable location (C:\Windows\, C:\Program Files\, etc)
    » Executable checksum
  › Endpoint Detection Response (EDR) - next gen antivirus
    » Can handle fileless malware
    » Rely on statistical / behavioral online shared databases (threat intelligence)
    » Work in real-time rather than with scheduled scans

 

03.2 / Pentesting Windows domains for fun and profit: Pivoting and lateral movement - Pass-the-*

 

Lateral movement - Context and objectives

/ Context:
  › You have successfully compromised a workstation
  › You are (at least) local administrator on the workstation
  › But none of the accounts you can target on the workstation is Domain Admin…
/ Objectives:
  › Identify Domain Admin accounts
  › Identify workstations they have logged on to recently
  › Identify domain accounts that are local administrators on these workstations
  › If you have compromised one of these accounts, the loop is over
  › Else repeat, searching for workstations these domain accounts that are local administrators have logged on to
/ Pretty hard to do by hand, especially on large domains (~100K workstations and servers, ~50K users)
/ Hopefully, some tools might help you identify the critical paths to Domain Admin accounts:
  › AD Control Path (ADCP): French tool developed by ANSSI
  › Bloodhound: recent PowerShell tool that identifies live sessions on workstations and servers
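The loop in the objectives above is a graph search over two relations: "account A is local administrator of host H" and "account B has a session (credentials in lsass) on host H". Running it on the defender's side, over the same data ADCP or Bloodhound collect, shows which admin right or stale session to remove so the path no longer exists. The block below is an added example, not the deck's code and not either tool's implementation; the domain, hosts and accounts are constructed sample data.

```python
"""Finding control paths to Domain Admin: the slide's loop, automated.

Added example, not from the deck and not ADCP's or BloodHound's code. It models
the two relations the slide walks through: 'admin_to' (a domain account is a
local administrator of a host) and 'session_on' (an account is logged on to a
host, so its credentials sit in that host's lsass memory). A breadth-first
search from one account returns the shortest chain to any Domain Admin, and
blocking_edges() lists the admin rights a defender can remove to break it.
All hosts and accounts are constructed sample data.
"""
from collections import deque

# Constructed sample: who is local admin where, and who is logged on where.
ADMIN_TO = {
    "KIWI\\alice": {"WS-ALICE", "WS-BOB"},
    "KIWI\\helpdesk": {"WS-BOB", "WS-CAROL", "WS-DAVE"},
    "KIWI\\srvadmin": {"SRV-FILE01"},
    "KIWI\\da-benjamin": {"DC01"},
}
SESSION_ON = {
    "WS-ALICE": {"KIWI\\alice"},
    "WS-BOB": {"KIWI\\bob", "KIWI\\helpdesk"},
    "WS-CAROL": {"KIWI\\srvadmin"},
    "WS-DAVE": set(),
    "SRV-FILE01": {"KIWI\\da-benjamin"},
}
DOMAIN_ADMINS = {"KIWI\\da-benjamin"}


def control_path(start, admin_to=ADMIN_TO, session_on=SESSION_ON, domain_admins=DOMAIN_ADMINS):
    """BFS over accounts: from an account, reach every host it administers, then
    every account with a session there. Returns [account, host, account, ...]
    ending at the first Domain Admin reached, or None when no path exists."""
    if start in domain_admins:
        return [start]
    parents = {start: None}                 # account -> (previous account, host used)
    queue = deque([start])
    while queue:
        account = queue.popleft()
        for host in sorted(admin_to.get(account, ())):      # sorted: deterministic output
            for victim in sorted(session_on.get(host, ())):
                if victim in parents:
                    continue
                parents[victim] = (account, host)
                if victim in domain_admins:
                    return _unwind(victim, parents)
                queue.append(victim)
    return None


def _unwind(account, parents):
    """Walk the parent links back to the start and return the path in forward order."""
    path = [account]
    while parents[account] is not None:
        prev, host = parents[account]
        path.extend([host, prev])
        account = prev
    return list(reversed(path))


def blocking_edges(path):
    """The (account, host) admin rights along a path: removing any one of them breaks it."""
    return [(path[i], path[i + 1]) for i in range(0, len(path) - 1, 2)]


if __name__ == "__main__":
    p = control_path("KIWI\\alice")
    print(" -> ".join(p))
    print("admin rights to review:", blocking_edges(p))
```

On the sample data the path is alice -> WS-BOB -> helpdesk -> WS-CAROL -> srvadmin -> SRV-FILE01 -> da-benjamin: a helpdesk account that is local admin on a workstation where a server administrator logs on, and a server where a Domain Admin has a session. Removing the helpdesk right on WS-CAROL, or stopping the Domain Admin from logging on to the file server (the tiered-administration rules the deck lists later), leaves alice with no path.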

 

Obvious first - Pass-the-Pass

/ Pass-the-Pass?
  › On older systems, passwords are stored in a reversible encrypted way in memory
  › If you manage to steal the encrypted password, you can ask the system to decrypt this for you
/ How do I get the pass?
  › The answer is Mimikatz
  › As a local admin, you are able to ask for SE_DEBUG_PRIVILEGE (~ ptrace)
  › sekurlsa::logonPasswords injects in lsass.exe memory and grabs the cleartext password of logged-in users
  › You can also dump the lsass.exe memory in the Task Manager and use this dump offline

 

DEMO TIME! (Pray, demo gods!)

 

Pass-the-Pass mitigation

/ Only applicable to Windows >= 7 and Windows Server >= 2008 R2
/ Enabled by default in:
  › Windows 8.1 +
  › Windows Server 2012 R2 +
/ Disabled by default (and requires a Microsoft KB to be enabled) in:
  › Windows 7 / Windows 8
  › Windows Server 2008 R2 / Windows Server 2012
/ Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest"
  › Value name is "UseLogonCredential"
  › 1 means insecure
  › 0 means secure
/ On Windows 7, acts as an added level of protection
/ On Windows 8.1, can be used to downgrade the level of protection, only requires user session unlock
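The rules above are easy to get backwards in a fleet audit, because the same registry value means different things depending on the OS: on 8.1 / 2012 R2 and later an absent value is the secure default and a 1 is a downgrade, while on 7 / 8 / 2008 R2 / 2012 an absent value means cleartext caching is still on and only a 0 (with the KB installed) turns it off. The following added example, not code from the deck, encodes those rules and checks them either against `reg query` output collected from hosts (a constructed sample is included) or, when run on Windows, against the live registry; treating Windows 10 and Server 2016 as covered by the slide's "+" is an assumption.

```python
"""Assessing WDigest 'UseLogonCredential' (the Pass-the-Pass mitigation slide).

Added example, not from the deck. It encodes the slide's rules: on Windows 8.1 /
Server 2012 R2 and later (the slide's '+'; Windows 10 and Server 2016 are
assumed to be covered) cleartext caching is off unless the value is 1; on
Windows 7 / 8 / Server 2008 R2 / 2012 the value only matters once the KB the
slide mentions is installed, and it must be 0. 'reg query' output is parsed from
a constructed sample; the live read uses winreg when run on Windows.
"""
import re
import sys

WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
VALUE_NAME = "UseLogonCredential"
SECURE_BY_DEFAULT = {"8.1", "10", "2012 R2", "2016"}   # absent value == secure
NEEDS_KB = {"7", "8", "2008 R2", "2012"}              # absent value == insecure

# Constructed sample of 'reg query HKLM\...\WDigest' output (not from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
    UseLogonCredential    REG_DWORD    0x1
"""

_REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(output: str) -> dict:
    """Turn 'name  type  data' lines into {name: value}; REG_DWORD data is printed in hex."""
    values = {}
    for line in output.splitlines():
        m = _REG_LINE.match(line)
        if m:
            name, vtype, data = m.groups()
            values[name] = int(data, 16) if vtype == "REG_DWORD" else data
    return values


def assess(os_version: str, value, kb_installed: bool = True) -> dict:
    """Will lsass keep reversible (cleartext) credentials on this host?"""
    if os_version in SECURE_BY_DEFAULT:
        insecure = value == 1
        reason = "UseLogonCredential=1 downgrades protection" if insecure else "secure default"
    elif os_version in NEEDS_KB:
        if not kb_installed:
            insecure, reason = True, "KB not installed, value ignored"
        elif value == 0:
            insecure, reason = False, "KB installed and UseLogonCredential=0"
        else:
            insecure, reason = True, "value absent or 1; set UseLogonCredential=0"
    else:
        raise ValueError(f"version not covered by the slide: {os_version}")
    return {"os": os_version, "value": value, "insecure": insecure, "reason": reason}


def read_live_value():
    """On Windows, read the value from the registry; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WDIGEST_KEY) as key:
            return winreg.QueryValueEx(key, VALUE_NAME)[0]
    except OSError:
        return None


if __name__ == "__main__":
    sampled = parse_reg_query(SAMPLE_REG_OUTPUT).get(VALUE_NAME)
    print(assess("8.1", sampled))     # flagged: explicit downgrade on a secure-by-default OS
    print(assess("7", read_live_value()))
```

The asymmetry is the detection point: a `UseLogonCredential` of 1 on 8.1 or later is never a legitimate default, so its appearance (registry modification events, or a GPO that sets it) is worth alerting on, whereas on Windows 7 the absence of the value is the expected, insecure state until the KB and the 0 are rolled out.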

 

Who needs passwords anyway, Pass-the-Hash is here!

/ Pass-the-Hash?
  › Remember that passwords might no longer be stored in a reversible way in memory
  › However, NTLM hashes still are, in order for SSO to work
  › NTLMv1/NTLMv2 authentication protocol only requires you to prove knowledge of the NTLM hash
  › It becomes possible to impersonate the user if you steal his NTLM hash
/ How do I get the hash?
  › Still Mimikatz
  › sekurlsa::logonPasswords injects in lsass.exe memory and grabs the NTLM hashes of logged-in users
  › Also works offline with the memory dump of lsass.exe
/ How do I use it?
  › Answer is still Mimikatz (but tools such as CrackMapExec, impacket or Metasploit work too)
  › System program "runas" allows you to run programs as other users
  › When you know the workstation won't be able to verify the credentials, use "/netonly" to load them in the process memory and have them used (and verified) on the network only
  › sekurlsa::pth uses the same technique, but only loads the NTLM hash instead of the user's password

 

DEMO TIME!

 


 

Pass-the-Hash mitigations - focus on VSM

(Diagram slide: Virtual Secure Mode architecture; no text recoverable.)

 

Pass-the-Hash mitigations

/ Hashes cannot be removed from memory without altering some SSO features
  › Started with Microsoft AD functional level 2012 R2
  › Domain group "Protected users" becomes available
  › Users in this group won't use NTLM (Kerberos only)
  › Therefore, NTLM hashes are not present in memory anymore
  › But users cannot perform NTLMv1 / NTLMv2 authentication without manually entering their password each time
/ Or can they? Introducing Credential Guard and Virtual Secure Mode (VSM)
  › Started with Windows 10
  › If enabled, Windows adopts a new architecture, based on hypervision (~ virtual machines)
  › Credentials are no longer stored in the user OS' Lsass memory
  › Authenticated transaction requests between the user OS and the secure OS
  › No possibility of hijacking the secure OS from the user OS due to Kernel Code Integrity
  › But only available for Windows 10 Enterprise version, not even for Windows Server, due to the additional layer of hypervision

 

No hash? All your tickets are belong to us! Pass-the-Ticket

/ Pass-the-Ticket
  › Remember Kerberos?
  › This time aim for the Ticket-Granting-Ticket (TGT) and Ticket-Granting-Service (TGS)
  › Only drawback: TGT default lifespan is 10 hours and default max lifetime is 7 days
/ How do I get the ticket?
  › M******z
  › sekurlsa::tickets /export injects in lsass.exe memory, grabs the TG* of users and exports them in .kirbi files
  › Still works offline with the memory dump of lsass.exe
/ How do I use it?
  › Answer remains Mimikatz
  › Injects ticket in the current user Kerberos tickets database, even if not meant for him/her
  › Can be used transparently in Windows
  › Let's see for ourselves!
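The lifetimes on the slide (10 hours, renewable for at most 7 days) are the KDC's policy, and they give the defender a handle: a ticket sitting in a session whose validity or renewal window is longer than the KDC is allowed to issue cannot have come from the KDC, it was injected (forged tickets later in the deck carry 10-year lifetimes). The block below is an added example, not the deck's code; it parses the text layout of Windows' `klist` output (the sample is constructed, one ordinary TGT and one injected ticket) and flags tickets that break the policy. Treating RC4 as unexpected assumes a domain where accounts use AES keys, which is not stated on the slide.

```python
"""Spotting Kerberos tickets the KDC could not have issued (injected or forged).

Added example, not from the deck. The slide gives the defaults: a TGT lives
10 hours and can be renewed for at most 7 days. This parser reads the text of
Windows' 'klist' output (the sample below is constructed in that layout) and
flags tickets whose lifetime or renewal window exceeds the policy. RC4 tickets
are also flagged under the assumption that the domain uses AES keys; the deck
notes the RC4 key is the NTLM hash itself.
"""
from datetime import datetime, timedelta
import re

MAX_TICKET_LIFE = timedelta(hours=10)     # slide: TGT default lifespan
MAX_RENEW_LIFE = timedelta(days=7)        # slide: default max lifetime
EXPECTED_ETYPES = {"AES-256-CTS-HMAC-SHA1-96", "AES-128-CTS-HMAC-SHA1-96"}  # assumption

# Constructed sample klist output: one normal TGT, one injected 10-year RC4 TGT.
SAMPLE_KLIST = """
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: benjamin @ KIWI.LOCAL
        Server: krbtgt/KIWI.LOCAL @ KIWI.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/9/2017 9:00:00 (local)
        End Time:   1/9/2017 19:00:00 (local)
        Renew Time: 1/16/2017 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.kiwi.local

#1>     Client: Administrator @ KIWI.LOCAL
        Server: krbtgt/KIWI.LOCAL @ KIWI.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/9/2017 9:30:00 (local)
        End Time:   1/6/2027 9:30:00 (local)
        Renew Time: 1/6/2027 9:30:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

_FIELD = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.*?)\s*$")
_TIME = "%m/%d/%Y %H:%M:%S"


def parse_klist(text: str) -> list:
    """Split klist output on '#n>' headers and keep the fields the checks need."""
    tickets, current = [], None
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1]      # the first field shares the header line
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    for t in tickets:
        for k in ("Start Time", "End Time", "Renew Time"):
            t[k] = datetime.strptime(t[k].replace(" (local)", ""), _TIME)
    return tickets


def suspicious_tickets(tickets: list) -> list:
    """Return (client, reasons) for tickets the KDC policy could not have produced."""
    findings = []
    for t in tickets:
        reasons = []
        if t["End Time"] - t["Start Time"] > MAX_TICKET_LIFE:
            reasons.append("ticket lifetime exceeds the 10h policy")
        if t["Renew Time"] - t["Start Time"] > MAX_RENEW_LIFE:
            reasons.append("renewable lifetime exceeds the 7d policy")
        if t["KerbTicket Encryption Type"] not in EXPECTED_ETYPES:
            reasons.append("unexpected encryption type: " + t["KerbTicket Encryption Type"])
        if reasons:
            findings.append((t["Client"], reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in suspicious_tickets(parse_klist(SAMPLE_KLIST)):
        print(client, "->", "; ".join(reasons))
```

The same two checks apply to TGT and service-ticket events on the DC side: the KDC logs what it issued, so a ticket presented with a lifetime the KDC never grants identifies a forgery even before its contents are examined.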

 

DEMO TIME!

 

Pass-the-Ticket mitigations

/ Use of Windows 10 Virtual Secure Mode (with the limitations previously mentioned)
/ Use of domain enforced behavioral control mechanisms, such as EDR (not there yet)
/ No other software mitigations available, because:
  › SSO features are deeply integrated within Windows Active Directory core features
  › Administrative accounts (or SYSTEM) have full control over the OS processes
/ You can apply Microsoft official best security practices (1), which include:
  › Use separate accounts for daily and administrative tasks
  › Use dedicated hardened workstations for the administrative accounts
  › Restrict these accounts from logging in on lower trust servers and workstations
  › Deny remote access to workstations with local privileged accounts
  › Use remote administrative solutions, such as Microsoft Management Console (MMC) or WinRM, that do not cache credentials
  › Use unique passwords on workstations and servers for local administrators (Microsoft LAPS)
  › Do not allow Internet browsing for privileged accounts
  › Remove standard users from the Local Administrators group

(1) https://download.microsoft.com.../mitigating pass-the-hash (pth) attacks and other credential theft techniques_english.pdf

 

Other domain-related attacks

/ Overpass-the-Hash
  › The idea is to rely on the NTLM hash
  › Hash is not used for process creation with sekurlsa::ptt
  › Rather used to ask for a valid Kerberos TGT for the target to be injected in the attacker's session
  › Some other user signature keys (RC4=NTLM or AES256) can be used as well
/ MS14-068 vulnerability (kudos to @Bidord, ex-EURECOM student)
  › Kerberos tickets include a field containing user privileges (group memberships) and attributes (PAC)
  › This field is signed with the highest-privileged domain account secrets (krbtgt)
  › Until an official patch was proposed, signature algorithms included hash functions (not HMAC) which do not rely on the knowledge of a secret
  › Any domain user was able to forge a valid Kerberos ticket (TGT preferred) which included any group membership (Domain Admins, Enterprise Admins, etc)
/ Pass-the-Cache
  › Unix systems support Kerberos and can "join" domains too!
  › However, Kerberos tickets are stored in cache files in /tmp
  › These tickets are cache Kerberos tickets, but can be injected as well in Windows sessions
  › Exploiting MS14-068 on Linux generates a cache Kerberos ticket to be used on Windows

 

/

03.3

Pentesting Windows domains for fun and profit: Ticket forgery and more

Post-exploitation of Windows domains: examples

/ From this point, the attacker has access to the whole database of domain user and service account NTLM hashes, through the ntds.dit database
/ Further basic exploitation includes:
› Password cracking (John the Ripper, L0phtCrack, oclHashcat, etc.)
› Large-scale data theft
› User impersonation using the Microsoft Enterprise PKI: arbitrary generation of smartcard logon and digital signature certificates
/ The attacker also has access to the krbtgt NTLM hash, which means he is able to forge any Kerberos ticket, including properties beyond what the KDC offers:
› "Golden" ticket: Domain Admin TGT valid for 10 years (customizable), never issued by the KDC
› "Silver" ticket: forged TGS for any service on any server of the domain, signed with that service account's key (also available from ntds.dit), so the KDC is never contacted
/ Patching the authentication code loaded in the DCs' LSASS process (in memory, so not persistent across reboots) to install a "skeleton key", granting access to any user account with either its current password or a domain-wide password defined by the attacker
/ Exploiting trust relationships between domains to access:
› Child domains
› Misconfigured relationships with some of the company's partners' and service providers' domains

 

/

04

Conclusions

 


What did we learn so far?

/ Microsoft Windows is a user-oriented OS, suited for company use
/ If not frequently updated, the OS may be exposed to multiple easy-to-exploit vulnerabilities
/ Active Directory allows centralization of resources and authentication mechanisms
/ The deeply-integrated SSO mechanism also carries design vulnerabilities
/ Some of them can be mitigated by customizing parameters or using the most recent versions of the OS
/ However, some of them require the application of security best practices to be mitigated

 


General mitigation guidelines recap

/ Use separate accounts for daily and administrative tasks
/ Use dedicated hardened workstations for the administrative accounts
/ Restrict these accounts from logging in on lower-trust servers and workstations
/ Deny remote access to workstations with local privileged accounts
/ Use remote administration solutions, such as Microsoft Management Console (MMC) or WinRM, that do not cache credentials on the remote target
/ Use unique passwords on workstations and servers for local administrators (Microsoft LAPS)
/ Do not allow Internet browsing for privileged accounts
/ Remove standard users from the Local Administrators group

 


Focus on detection

/ Not all of the attacks we mentioned before have mitigations
/ Attackers may discover and exploit 0-days on your Information System
/ But, fortunately, Windows has integrated logging features which are highly customizable
/ We can centralize, back up, analyze and correlate logs in the company's SIEM (doesn't everyone have one?)
/ Some commercial products, such as Microsoft Advanced Threat Analytics (ATA), focus on the analysis of the DC logs (basic version) and of workstation / server logs (advanced version) to detect:
› Pass-the-*
› Abnormal user and service behaviour
› Etc.
/ Open research directions, where any contribution to the community is appreciated:
› Detection of local memory access to the lsass process (credential dumping)
› Correlation of ticket issuance and usage on the KDCs to detect forged tickets (Golden, Silver, MS14-068), e.g. service tickets presented for a TGT the KDCs never issued
› Behavioural and statistical models of users and services to detect out-of-the-norm activity
› Real-time comparison of the system state against clean reference states
› Etc.
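Added detection example, not from the slides: Python over constructed key=value records modelled on a subset of the fields of Windows events 4768 (a Kerberos TGT was requested) and 4769 (a Kerberos service ticket was requested). It implements three of the correlations listed above: a service ticket for an account that never obtained a TGT from any DC (golden ticket or MS14-068), a TGT issued with RC4 (0x17) in a domain where AES (0x12) is expected (what overpass-the-hash with an NT hash looks like), and a service ticket for an account that does not exist. The record format, IP addresses, account names and the directory account list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (NOT real Windows event logs): one record per line, fields
# borrowed from events 4768 (TGT requested) and 4769 (service ticket requested).
SAMPLE_EVENTS = [
    "2017-01-09T08:00:01 id=4768 user=alice ip=10.0.0.21 etype=0x12 status=0x0",
    "2017-01-09T08:00:05 id=4769 user=alice ip=10.0.0.21 service=cifs/FS01 etype=0x12 status=0x0",
    "2017-01-09T08:10:00 id=4768 user=bob ip=10.0.0.33 etype=0x17 status=0x0",
    "2017-01-09T08:10:02 id=4769 user=bob ip=10.0.0.33 service=ldap/DC01 etype=0x17 status=0x0",
    "2017-01-09T09:30:00 id=4769 user=Administrator ip=10.0.0.77 service=cifs/DC01 etype=0x17 status=0x0",
    "2017-01-09T09:31:00 id=4769 user=ghost ip=10.0.0.77 service=host/FS01 etype=0x12 status=0x0",
    "2017-01-09T09:32:00 id=4768 user=carol ip=10.0.0.40 etype=0x12 status=0x18",
]
# Constructed list of accounts that exist in the directory (in practice an LDAP export).
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "administrator", "krbtgt"}
EXPECTED_ETYPE = "0x12"             # AES256-CTS-HMAC-SHA1-96; 0x17 is RC4-HMAC
TGT_LOOKBACK = timedelta(hours=10)  # must cover the domain's maximum TGT lifetime


def parse_event(line: str) -> dict:
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for item in fields:
        key, value = item.split("=", 1)
        event[key] = value
    return event


def detect_forged_tickets(lines, known_accounts=KNOWN_ACCOUNTS, expected_etype=EXPECTED_ETYPE):
    """Return (timestamp, user, indicator) tuples. Feed the logs of ALL DCs together:
    a TGT issued by one DC is legitimately presented to services that verify on another."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    tgt_issued = defaultdict(list)  # user -> timestamps of successful TGT issuance
    findings = []
    for ev in events:
        if ev["status"] != "0x0":  # failed requests are a different detection (spraying, etc.)
            continue
        user = ev["user"].lower()
        if ev["id"] == "4768":
            tgt_issued[user].append(ev["ts"])
            if ev["etype"] != expected_etype:
                # An RC4 TGT in an AES domain is what a hash-only Kerberos logon looks like
                findings.append((ev["ts"], user, "RC4_TGT"))
        elif ev["id"] == "4769":
            if user not in known_accounts:
                # a golden ticket can name a user that does not exist at all
                findings.append((ev["ts"], user, "UNKNOWN_ACCOUNT"))
            elif not any(timedelta(0) <= ev["ts"] - t <= TGT_LOOKBACK for t in tgt_issued[user]):
                # a service ticket was obtained with a TGT no KDC ever issued (golden ticket, MS14-068)
                findings.append((ev["ts"], user, "NO_TGT_FOR_TGS"))
    return findings


if __name__ == "__main__":
    for ts, user, indicator in detect_forged_tickets(SAMPLE_EVENTS):
        print(ts.isoformat(), user, indicator)
```

Two caveats for production use: the lookback must be at least the domain's TGT maximum lifetime (10 hours by default) plus renewal, otherwise long sessions raise false positives, and RC4 TGTs are legitimate for accounts that have no AES keys (accounts created before the domain functional level allowed AES, or some inter-forest trusts), so the RC4 indicator is best scoped to privileged accounts.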


 


Going further

/ Students have access to free copies of Windows OSes (Home, Professional, Server editions)
/ Build your own lab and test things!
/ Legal Windows domain pentest targets exist online
/ For example: "Bluebox pentest", a realistic challenge on Root-Me (110 pts):
› Server intrusion leveraging web vulnerabilities
› Local privilege escalation using a misconfigured "something"
› Lateral movement using credential theft
› Domain compromise
› User impersonation using Kerberos
/ However, never try it on servers you do not own unless specifically asked to, after having signed the appropriate documents with their owner
/ Unsolicited security audits are illegal, and can amount to 3 years of jail time and 75,000 to 150,000 € in fines
/ Even if some servers expose the Remote Desktop port (or worse) on the Internet

 

Questions?
