Windows security for n00bs part 2 Authentication


(1)

Description: whether you are in favor of it or against it, the Windows NT OS leaves no IT engineer or researcher indifferent. This week we will focus on the authentication mechanisms in a Microsoft environment: SSPI, Kerberos, NTLM.

Lecturer: Fabien Duchene

Windows security for n00bs | part 2: Authentication

SecurIMAG, 2011-05-12

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP

(2)

Summary

SecurIMAG - Windows security for n00bs | part 1 - Fabien Duchene - 2011-05-12

3. Authentication (Fabien)

4. Network (Fabien)

(3)

Authentication

• Winlogon
• SSPI
• AuthZ API
• Identity stores:
  o Active Directory LDAP
  o Security Account Manager
• Authentication protocols:
  o Theory: NSPK
  o Kerberos
  o LM
  o NTLM
• Password Policy

(4)

Identity stores

• Security Account Manager
• Active Directory

(5)

Security Account Manager

• HKLM\SAM
• LOCAL database containing Security Principals:
  o Users
  o Groups
• Accessed through LSASS.exe (Windows XP, Vista & 7)

(6)

Security Account Manager - visualization (figure)

(7)

Security Account Manager - visualization

• Command line:

C:\Users\alejandr0>net localgroup

Aliases for \\PC-LIG-ALEJ

---
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*HomeUsers
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users

(8)

Active Directory

• LDAP

(9)

ADDS – joining a domain (figure)

(10)

WinLogon

• Names & architecture:
  o XP: MSGINA
  o Vista, 7: Credential Providers
• Features:
  o SAS: Secure Attention Sequence (ctrl+alt+del)
  o User profile load: NTUSER.DAT -> HKEY_CURRENT_USER
  o Screensaver

(11)

3.4.1.3. Authentication – Windows XP

• SSPI (Security Support Provider Interface): allows applications to establish a secure channel.

Architecture (figure): LSA; Winlogon; GINA; authentication package; Application -> SSPI -> Negotiate SSP, Kerberos SSP, NTLM SSP, Schannel, Digest SSP.

Windows XP APIs:
  o authentication API: SSPI
  o smart card API: PC/SC
  o biometrics API: BioAPI

(12)

Authentication – Windows NT 6+ (figure)

(13)

Technical overview of the Microsoft PKI ADCS 2008 R2

(14)

Impersonation & delegation

• Impersonation
• Delegation

(15)

LM

(16)

NTLM

• Identity store: ADDS, SAM
• Challenge-response
• No delegation (credential forwarding)
• Client-only authentication

(17)

Get the LM / NTLM hash

• Tools such as pwdump:

C:\Windows\system32>pwdump7
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
adm-alejandr0:1001:NO PASSWORD*********************:7F761738135F8792D63143CE3A3ED65F:::
HomeGroupUser$:1002:NO PASSWORD*********************:C203A517500BAEFA571A0FA78767EF63:::
alejandr0:1003:NO PASSWORD*********************:E011DD6FDA2C0954E210726960862FDC:::

(18)

SeDebug privilege default permissions (figure)

(19)

How does that crap work?

Requirements:
  o Ability to elevate (i.e. a member of the local SAM group Administrators)
  o LSASS (user process; identity: SYSTEM)

Method:
  o Elevate
  o Get the SE_DEBUG privilege in your token
  o Inject

(20)

NTLMv2

(21)

AuthZ API

(22)

NSPK

(23)

NSPK - attack

• Replay attack

Denning, Dorothy E.; Sacco, Giovanni Maria (1981). "Timestamps in Key Distribution Protocols".

(24)

4.1.3. Kerberos

4MMSR - Network Security - 2010-2011

Authentication and authorization protocol developed by MIT (Project ATHENA), ~ Single Sign-On

• Current version: v5, RFC 4120
• Assumption: the network may be insecure
• Based on the existence of a trusted third party, the KDC ("Key Distribution Center")
• Cryptography: mainly symmetric, possibly asymmetric (e.g. smart card authentication)
• Variants:
  o MIT Kerberos
  o Microsoft Kerberos, Windows NT (>= 2000)
  o Heimdal Kerberos, Sweden
• Kerberos & Herakles (Cerberus & Hercules)

(25)

4.1.3. Kerberos: authentication & service access

Actors (figure): User / computer; Key Distribution Center (KDC) = Identity provider / Authentication Server (AS) + Ticket Granting Service (TGS); GC; Service Server (e.g. issuing CA).

1. User -> AS: "I am Mossen. I need a Ticket to Get Tickets" (TGT)
2. AS -> User: "Here is a TGT you will only be able to decrypt if you know the shared secret (user/comp. pwd)"
3. User -> TGS: "I want to access the 'Issuing CA' service. Here is a proof I decrypted the TGT"
4. TGS -> User: "Here is a Service Ticket containing your information for accessing the Issuing CA service" (Service Ticket contents: UserSID, GroupMembershipsSIDs)
5, 6. User <-> Service Server: service communication

(26)

4.1.3. Kerberos: client authentication (1, 2)

Notation:
  o Client_ID: Security Principal Name (username, computername…)
  o [msg]key: encryption of msg with the key key
  o K_client: hash of the client's password (user / comp.)
  o K_client-TGS: session key generated by the AS

User / computer -> Identity provider, Authentication Server (KDC):
  1: Client_ID

KDC -> User / computer:
  2.1: [Client-TGS_Session_key]K_client
  2.2: "Ticket-to-Get-Ticket": [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS

User / computer knows: K_client
KDC knows: K_client, K_TGS, K_cli-TGS

(27)

4.1.3. Kerberos: service access (5, 6)

Notation:
  o Client-to-Server ticket: [client_ID, client_FQDN, TCS_validity_period, K_client-svc]K_req_svc
  o K_client-SS: session key between the client and the SS

User / computer knows: K_client, K_client-SS
Service Server (e.g. issuing CA)

User / computer -> Service Server:
  5.1: "Client-to-Server ticket"
  5.2: "Authenticator-2": [Client_ID, timestamp]K_client-SS

Service Server -> User / computer:
  6: [timestamp_in_5.2 + 1]K_client-SS : "OK, I can serve you"

7: the client checks: is timestamp = timestamp_5.2 + 1?
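The three exchanges on slides 25 to 27 (AS exchange, steps 1-2; TGS exchange, steps 3-4; AP exchange, steps 5-7) are easier to follow when every key and message is written out. The following simulation is an added example, not code from the deck or from any Kerberos implementation: it uses the deck's names (K_client, K_TGS, K_client-TGS, K_client-SS, Client_ID, client_FQDN, validity periods, Authenticator-2, the timestamp + 1 reply) and the 10 h lifetime and 5-minute skew defaults from slide 32. `seal`/`unseal` are a toy authenticated encryption scheme built from HMAC-SHA256, standing in for real Kerberos enctypes; `key_from_password` is SHA-256 standing in for the password hash; the principal, password and SPN are constructed.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300                    # max clock difference client/AS/TGS/SS (slide 32: 5 minutes)
TICKET_LIFETIME = 10 * 3600   # TGT and service ticket validity (slide 32: 10 h)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """[obj]key: toy encrypt-then-MAC (HMAC-SHA256 keystream + HMAC tag). Demo stand-in only."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; raises if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(pw):
    """K_client: stand-in for the password hash (NT hash / Kerberos string-to-key)."""
    return hashlib.sha256(pw.encode()).digest()


class KDC:
    """Authentication Server + Ticket Granting Service: knows K_client for every principal,
    its own K_TGS, and K_svc (K_req_svc on slide 27) for every registered service."""

    def __init__(self, principals, services):
        self.k_client = {cid: key_from_password(pw) for cid, pw in principals.items()}
        self.k_tgs = os.urandom(32)
        self.k_svc = {spn: os.urandom(32) for spn in services}

    def as_exchange(self, client_id, now):
        """Steps 1-2: plaintext Client_ID in; [K_client-TGS]K_client (2.1) and the TGT (2.2) out."""
        k_client_tgs = os.urandom(32).hex()
        msg_2_1 = seal(self.k_client[client_id], {"K_client-TGS": k_client_tgs})
        tgt = seal(self.k_tgs, {"client_ID": client_id, "client_FQDN": client_id + ".corp.example",
                                "TGT_validity_period": now + TICKET_LIFETIME, "K_client-TGS": k_client_tgs})
        return msg_2_1, tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """Steps 3-4: a valid authenticator under K_client-TGS proves the client could open 2.1."""
        t = unseal(self.k_tgs, tgt)
        if now > t["TGT_validity_period"]:
            raise ValueError("TGT expired")
        k_ct = bytes.fromhex(t["K_client-TGS"])
        auth = unseal(k_ct, authenticator)
        if auth["Client_ID"] != t["client_ID"] or abs(now - auth["timestamp"]) > SKEW:
            raise ValueError("bad authenticator")
        k_client_ss = os.urandom(32).hex()
        ticket = seal(self.k_svc[spn], {"client_ID": t["client_ID"], "client_FQDN": t["client_FQDN"],
                                        "TCS_validity_period": now + TICKET_LIFETIME, "K_client-svc": k_client_ss})
        return seal(k_ct, {"K_client-SS": k_client_ss}), ticket


class ServiceServer:
    def __init__(self, k_svc):
        self.k_svc = k_svc            # in AD, derived from the service account's password

    def ap_exchange(self, ticket, authenticator_2, now):
        """Steps 5-6: open the ticket with K_req_svc, check Authenticator-2, answer timestamp + 1."""
        t = unseal(self.k_svc, ticket)
        if now > t["TCS_validity_period"]:
            raise ValueError("service ticket expired")
        k_css = bytes.fromhex(t["K_client-svc"])
        auth = unseal(k_css, authenticator_2)
        if auth["Client_ID"] != t["client_ID"] or abs(now - auth["timestamp"]) > SKEW:
            raise ValueError("bad authenticator")
        return seal(k_css, {"timestamp": auth["timestamp"] + 1})


def client_session(kdc, ss, client_id, password, spn, now=None):
    """Runs steps 1-7 as the client; True iff the step-7 check timestamp == timestamp_5.2 + 1 passes."""
    now = int(time.time()) if now is None else now
    k_client = key_from_password(password)
    msg_2_1, tgt = kdc.as_exchange(client_id, now)                         # 1, 2.1, 2.2
    k_ct = bytes.fromhex(unseal(k_client, msg_2_1)["K_client-TGS"])      # only the right password opens 2.1
    auth_1 = seal(k_ct, {"Client_ID": client_id, "timestamp": now})
    msg_4, ticket = kdc.tgs_exchange(tgt, auth_1, spn, now)                # 3, 4
    k_css = bytes.fromhex(unseal(k_ct, msg_4)["K_client-SS"])
    auth_2 = seal(k_css, {"Client_ID": client_id, "timestamp": now})     # 5.2
    rep = unseal(k_css, ss.ap_exchange(ticket, auth_2, now))               # 5, 6
    return rep["timestamp"] == now + 1                                      # 7


def demo():
    spn = "HOST/issuing-ca.corp.example"                     # constructed SPN
    kdc = KDC({"mossen": "correct horse"}, [spn])
    return client_session(kdc, ServiceServer(kdc.k_svc[spn]), "mossen", "correct horse", spn)


if __name__ == "__main__":
    print("service accepted the client:", demo())
```

Note what each party never learns: the KDC never sees the password, only K_client; the service never sees K_client or K_TGS, only its own key and the session key carried inside the ticket; and a wrong password fails at step 2.1 on the client side, before anything reaches the TGS.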

(28)

4.1.3. Kerberos – Cross-domain access

• A trust relationship is established through a key shared between the domains, by means of which referral tickets (cross-domain TGTs) are issued.

Figure: domains corp.ensimag.fr and domaine.phelma.fr; User / computer; Service Server (e.g. issuing CA); TGS; AS; steps 1 to 6. "TRUSTING domain": contains resources/SS. "TRUSTED domain": contains identities. Shared key: K_AS(ensimag)-TGS(phelma).

(29)

4.1.3. Kerberos: Smart Card authentication

Notation:
  o Client_ID: Security Principal Name (username, computername…)
  o [msg]key: encryption of msg with the key key
  o K_client_pub, K_client_priv: asymmetric key pair
  o K_client-TGS: session key generated by the AS

User / computer -> Identity provider, Authentication Server (KDC):
  1: [Client_ID]K_client_PRIV

KDC -> User / computer:
  2.1: [Client-TGS_Session_key]K_client_PUB
  2.2: "Ticket-to-Get-Ticket": [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS

User / computer knows: K_client_PUB, K_client_PRIV
KDC knows: K_client_PUB, K_TGS, K_cli-TGS

(30)

4.1.3. Kerberos and Windows: APIs and calls

(31)

Kerberos dependencies

• OS: Windows ≥ 2000
• TCP/IP
• DNS – locating the DC authorities
• Active Directory – authority
• NTP: clock synchronization

(32)

4.1.3. Kerberos: optimisations

Optimisations:
  o Tickets and session keys are cached on the client
  o A mechanism allows tickets to be obtained without re-entering the password:
    - a short-lived Ticket-Granting-Ticket (TGT)
    - the KDC issues tickets upon presentation of the TGT

Default parameters:
  o TGT validity = 10 h
  o TGS (service ticket) validity = 10 h
  o MAX 5 minutes difference between client, AS, TGS, SS

(33)

Kerberos threats

Threats:
  o single point of failure: if there is only one KDC
  o impersonation: if at least one KDC is compromised, any user could be impersonated

(34)

(35)

4.1.3. Kerberos – some threats and attacks

Taming the Beast: Assess Kerberos-Protected Networks, Emmanuel Bouillon, Black Hat 2009

• KDC spoofing
• Weak cipher
• Replay attacks
• Steal the hash!

(36)

Kerberos Attacks

• KDC spoofing: old PAM_KRB5 implementation (no authorization)

(37)

Weak cipher

• Cipher: DES (weak) initially used. Negotiation not authenticated.
  o Get a ticket
  o Brute-force it (assuming the cipher)
• Counter-measure:

(38)

Replay attack: sniff and resend 5. KRB_AP_REP

  o KRB_AP_REP: validity duration (generally 5 minutes), source IP
  o The Service Server stores a cache of requests. Multiple identical KRB_AP_REP are ignored
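The two counter-measures on this slide (a validity window and a cache of already-seen requests) are what the Service Server does with the authenticator the client sends in step 5 (the deck calls message 5 KRB_AP_REP; in RFC 4120 the client's message is KRB_AP_REQ and KRB_AP_REP is the step-6 reply). The following is an added example, not code from the deck: a service-side replay cache working on already-decrypted authenticator and ticket contents, with the 5-minute window from slide 32, a source-address check against addresses carried in the ticket, and pruning that is safe because any entry older than the window would be rejected as stale anyway. The event list, client names, addresses and timestamps are constructed.

```python
SKEW = 300   # "validity duration (generally 5 minutes)"


class ApReqReplayCache:
    """Service-side cache of accepted authenticators, keyed on (Client_ID, timestamp).
    Entries are pruned by their own timestamp, never by arrival time: a replay of a pruned
    entry is then always outside the +/- SKEW window and fails the staleness check."""

    def __init__(self, window=SKEW):
        self.window = window
        self.seen = set()

    def check(self, authenticator, ticket, src_ip, now):
        """Return (accepted, reason) for one decrypted Authenticator-2 presented with its ticket."""
        self.seen = {k for k in self.seen if now - k[1] <= self.window}   # prune expired entries
        if authenticator["Client_ID"] != ticket["client_ID"]:
            return False, "authenticator/ticket mismatch"
        if ticket.get("addresses") and src_ip not in ticket["addresses"]:
            return False, "source IP not in ticket addresses"
        ts = authenticator["timestamp"]
        if abs(now - ts) > self.window:
            return False, "stale authenticator"
        key = (authenticator["Client_ID"], ts)
        if key in self.seen:
            return False, "replay"
        self.seen.add(key)
        return True, "accepted"


# Constructed sample: one ticket for "mossen" bound to 10.0.0.5, and the authenticators the
# service sees over time (authenticator contents, source IP, server clock at arrival).
TICKET = {"client_ID": "mossen", "addresses": ["10.0.0.5"]}
EVENTS = [
    ({"Client_ID": "mossen", "timestamp": 1000}, "10.0.0.5", 1001),    # genuine request
    ({"Client_ID": "mossen", "timestamp": 1000}, "10.0.0.5", 1030),    # sniffed and resent
    ({"Client_ID": "mossen", "timestamp": 1000}, "10.0.0.9", 1031),    # resent from another host
    ({"Client_ID": "mossen", "timestamp": 1100}, "10.0.0.5", 1101),    # fresh authenticator
    ({"Client_ID": "mossen", "timestamp": 1000}, "10.0.0.5", 1400),    # resent after the window
    ({"Client_ID": "intruder", "timestamp": 1500}, "10.0.0.5", 1501),  # ticket is not theirs
]


def run(events=EVENTS, ticket=TICKET):
    """Feed the events through one cache and return the decision reasons in order."""
    cache = ApReqReplayCache()
    return [cache.check(auth, ticket, ip, now)[1] for auth, ip, now in events]


if __name__ == "__main__":
    for (auth, ip, now), reason in zip(EVENTS, run()):
        print(now, auth["Client_ID"], auth["timestamp"], ip, "->", reason)
```

The window is what keeps the cache small: the service only needs to remember authenticators from the last 5 minutes, which is also why the clock-synchronisation dependency (NTP on slide 31) is a security requirement and not merely a convenience.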

(39)

Ticket cache attack ("file" on the client system)

Attack assumptions:
  o Debug privilege (by default, only members of the local SAM Administrators group are allowed)
  o LSASS.exe is a process (user; SYSTEM)

Attack goals:
  o Get cached hashes

(40)

Get that hash - method

• Elevate
• Get the SE_DEBUG privilege in your token
• Inject

(41)

Q

(42)

Pass the ticket

• Pass the Ticket: ability to authenticate on the client. Only the Microsoft implementation is vulnerable and it is not yet corrected.

"Attacking and fixing the Microsoft Windows Kerberos login service", Tommaso Malgherini and Riccardo Focardi, Università Ca' Foscari, Venezia

(43)

Kerberos – basic hardening

• Hash computation:

(44)

Kerberos - Hardening - lifetime

(45)

NTLM vs Kerberos: scalability

Figure: NTLM: Client, Server, NTLM Authority; Kerberos: Client, Server, AD Authority (AS, TGS); edge labels 1, n, n, n, n.

Kerberos:
• Fewer client-server exchanges
• No real-time server <-> authority exchanges (only during the SPN registration)