• Description: whether you are in favor or against it, the Windows NT OS does not leave any IT engineer or researcher indifferent.
• This week we will focus on the authentication mechanisms in a Microsoft environment: SSPI, Kerberos, NTLM.
• Lecturer: Fabien Duchene
Windows security for n00bs | part 2
Authentication
SecurIMAG
2011-05-12
WARNING:
SecurIMAG is a security club at Ensimag. Thoughts,
ideas and opinions are not related to Ensimag. The authors
assume no liability including for errors and omissions.
¡¡_ (in)security we trust _!!
Grenoble INP
Summary
SecurIMAG - Windows security for n00bs | part 1 - Fabien Duchene - 2011-05-12
• 3. Authentication (Fabien)
• 4. Network (Fabien)
Authentication
• Winlogon
• SSPI
• AuthZ API
• Identity stores:
  o Active Directory LDAP
  o Security Account Manager
• Authentication protocols
  o Theory: NSPK
  o Kerberos
  o LM
  o NTLM
• Password Policy
Identity stores
• Security Account Manager
• Active Directory
Security Account Manager (SAM)
• HKLM\SAM
• LOCAL database containing Security Principals:
  o Users
  o Groups
• LSASS.exe (Windows XP, Vista & 7)
Security Account Manager - visualization
• Command line:
C:\Users\alejandr0>net localgroup
Aliases for \\PC-LIG-ALEJ
---
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*HomeUsers
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
Active Directory
• LDAP
ADDS – joining a domain
WinLogon
• Names & architecture:
  o XP: MSGINA
  o Vista, 7: Credential Providers
• Features:
  o SAS: Secure Attention Sequence (ctrl+alt+del)
  o User profile load
  o NTUSER.DAT -> HKEY_CURRENT_USER
  o Screensaver
3.4.1.3. Authentication – Windows XP
• SSPI: lets applications establish a secure channel
[Diagram: Winlogon -> GINA -> LSA -> authentication package; Application -> SSPI (Security Support Provider Interface) -> Negotiate SSP, Kerberos SSP, NTLM SSP, Schannel, Digest SSP]
Windows XP
Authentication API: SSPI
Smart card API: PC/SC
Biometrics API: BioApi
Authentication – Windows NT 6+
Technical overview of the Microsoft PKI ADCS 2008 R2
Impersonation & delegation
• Impersonation
• Delegation
LM
NTLM
• Identity store: ADDS, SAM
• Challenge-response
• No delegation (credential forwarding)
• Client-only authentication (no mutual authentication)
Get the LM / NTLM hash
• Tools such as pwdump:
C:\Windows\system32>pwdump7
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
adm-alejandr0:1001:NO PASSWORD*********************:7F761738135F8792D63143CE3A3ED65F:::
HomeGroupUser$:1002:NO PASSWORD*********************:C203A517500BAEFA571A0FA78767EF63:::
alejandr0:1003:NO PASSWORD*********************:E011DD6FDA2C0954E210726960862FDC:::
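As an added example (not part of the slides), this Python script computes the NT hash the way Windows does (MD4 over the UTF-16LE password, no salt) and audits pwdump-format lines for the weak states a SAM audit should flag: LM hashes still stored, blank passwords (the NT hash of the empty string, which is exactly the Administrator entry above) and accounts with no NT hash. The sample input is the slide's own pwdump output; the MD4 routine is a from-scratch illustration, not Windows' code.

```python
import struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (slow; for illustration, not production use)."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & M & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = ((F, 0x00000000, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))  # pad to 56 mod 64 + bit length
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, s, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & M, s[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: the next step updates the old d
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

BLANK_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0: the Administrator line on the slide

# The slide's pwdump output, reused as sample input: user:rid:lmhash:nthash:::
SAMPLE = """Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
adm-alejandr0:1001:NO PASSWORD*********************:7F761738135F8792D63143CE3A3ED65F:::
HomeGroupUser$:1002:NO PASSWORD*********************:C203A517500BAEFA571A0FA78767EF63:::
alejandr0:1003:NO PASSWORD*********************:E011DD6FDA2C0954E210726960862FDC:::"""

def audit_pwdump(dump: str) -> list:
    """Returns (user, finding) pairs for the weak states a SAM audit should flag."""
    findings = []
    for line in dump.splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        if not lm.startswith("NO PASSWORD"):
            findings.append((user, "LM hash stored (LM is trivially crackable)"))
        if nt.lower() == BLANK_NT:
            findings.append((user, "blank password"))
        elif nt.startswith("NO PASSWORD"):
            findings.append((user, "no NT hash stored"))
    return findings
```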
SeDebug privilege default permissions
How does that crap work?
• Requirements:
  o Ability to elevate (i.e. a member of the local SAM group Administrators)
  o LSASS (user process; identity: SYSTEM)
• Method:
  o Elevate
  o Get the SE_DEBUG privilege in your token
  o Inject
NTLMv2
AuthZ API
NSPK
NSPK - attack
• Replay attack
Denning, Dorothy E.; Sacco, Giovanni Maria (1981). "Timestamps in Key Distribution Protocols".
4.1.3. Kerberos
4MMSR - Network Security - 2010-2011
• Authentication and authorization protocol developed by MIT (Project ATHENA), ~ Single-Sign-On
• Current version: v5, RFC 4120
• Assumption: the network may be insecure
• Based on the existence of a trusted third party, the KDC ("Key Distribution Center")
• Cryptography:
  o mainly symmetric
  o possibly asymmetric (e.g. smart card authentication)
• Variants:
  o MIT Kerberos
  o Microsoft Kerberos, Windows NT (>=2000)
  o Heimdal Kerberos, Sweden
Kerberos & Herakles (Cerberus & Hercules)
4.1.3. Kerberos: authentication & service access
[Diagram: User/computer; Key Distribution Center (KDC) = Identity provider / Authentication Server + Ticket Granting Service (TGS) + GC; Service Server (eg: issuing CA)]
1: "I am Mossen. I need a Ticket to Get Tickets" (TGT)
2: "Here is a TGT you will only be able to decrypt if you know the shared secret (user/comp. pwd)"
3: "I want to access the 'Issuing CA' service. Here is a proof I decrypted the TGT"
4: "Here is a Service Ticket containing your information for accessing the Issuing CA service" (Service Ticket: UserSID, GroupMembershipsSIDs)
5: Service Ticket presented to the Service Server
6: Service communication
4.1.3. Kerberos: client authentication (1,2)
• Client_ID: Security Principal Name (username, computername…)
• [msg]key: encryption of msg with the key key
• K_client: hash of the client's password (user/comp.)
• K_client-TGS: session key generated by the AS
[Diagram: User/computer (knows: K_client) <-> KDC: Identity provider, Authentication Server (knows: K_client, K_TGS, K_cli-TGS)]
1: Client_ID
2.1: [Client-TGS_Session_key]K_client
2.2: "Ticket-to-Get-Ticket" [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS
4.1.3. Kerberos: service access (5,6)
• Client-to-Server ticket: [client_ID, client_FQDN, TCS_validity_period, K_client-svc]K_req_svc
• K_client-SS: session key between the client and the SS
[Diagram: User/computer (knows: K_client, K_client-SS) <-> Service Server (eg: issuing CA)]
5.1: "Client-to-Server ticket"
5.2: "Authenticator-2" [Client_ID, timestamp]K_client-SS
6: [timestamp_in_5.2 + 1]K_client-SS : "OK, I can serve you"
7: Is timestamp = timestamp_5.2 + 1?
4.1.3. Kerberos – Cross-domain access
• A trust relationship is established through a shared key between domains, thanks to which referral tickets (cross-domain TGTs) are sent
[Diagram: domain corp.ensimag.fr and phelma.fr domain; User/computer; AS; TGS; Service Server (eg: issuing CA); steps 1 to 6]
"TRUSTING domain" contains resources/SS
"TRUSTED domain" contains identities
K_AS(ensimag)-TGS(phelma)
4.1.3. Kerberos: Smart Card authentication
• Client_ID: Security Principal Name (username, computername…)
• [msg]key: encryption of msg with the key key
• K_client_pub, K_client_priv: asymmetric key pair
• K_client-TGS: session key generated by the AS
[Diagram: User/computer (knows: K_client_PUB, K_client_PRIV) <-> KDC: Identity provider, Authentication Server (knows: K_client_PUB, K_TGS, K_cli-TGS)]
1: [Client_ID]K_client_PRIV
2.1: [Client-TGS_Session_key]K_client_PUB
2.2: "Ticket-to-Get-Ticket" [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS
4.1.3. Kerberos and Windows: API and calls
Kerberos dependencies
• OS: Windows ≥ 2000
• TCP/IP
• DNS – locating the DC authorities
• Active Directory – authority
• NTP: clock synchronization
4.1.3. Kerberos: optimisations
• Optimisations
  o Tickets and session keys are cached on the client
  o A mechanism allows tickets to be obtained without re-entering the password
    o Ticket-Granting-Ticket (TGT) with a short lifetime
    o The KDC issues tickets upon presentation of the TGT
• Default parameters
  o TGT validity = 10H
  o TGS validity = 10H
  o 5 minutes MAX difference between client, AS, TGS, SS
Kerberos threats
• Threats
  o single point of failure: if only one KDC
  o impersonation: if at least one KDC is compromised, any user could be impersonated
4.1.3. Kerberos – some threats and attacks
Taming the Beast: Assess Kerberos-Protected Networks, Emmanuel Bouillon, Black Hat 2009
• KDC spoofing
• Weak cipher
• Replay attacks
• Steal the hash!
Kerberos Attacks
• KDC spoofing: old PAM_KRB5 implementation (no authorization)
Weak cipher
• Cipher: DES (weak) initially used. Negotiation not authenticated
• Get a ticket
• Bruteforce it (assuming the cipher)
• Counter-measure:
Replay attack: sniff and resend 5. KRB_AP_REP
  o KRB_AP_REP: validity duration (generally 5 minutes), source IP
  o Service Server stores a cache of requests. Multiple identical KRB_AP_REP are ignored
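As an added example (not from the slides or from any Kerberos implementation), this Python script models the service side of steps 5-7 described earlier and the two countermeasures on this slide: the 5-minute clock-skew window and a replay cache that ignores a sniffed-and-resent message 5 (the authenticator; RFC 4120 calls it KRB_AP_REQ). The [msg]key sealing, key values, principal names and timestamps are constructed stand-ins, not real Kerberos encryption.

```python
import hashlib, hmac, itertools, json

MAX_SKEW = 300  # the slides' default: at most 5 minutes between client, AS, TGS and SS

def seal(key: bytes, msg: dict) -> bytes:
    """Toy stand-in for the slides' [msg]key: keystream XOR plus an HMAC tag (NOT real Kerberos crypto)."""
    ct = bytes(b ^ k for b, k in zip(json.dumps(msg).encode(), itertools.cycle(hashlib.sha256(key).digest())))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(b ^ k for b, k in zip(ct, itertools.cycle(hashlib.sha256(key).digest()))))

class ServiceServer:
    """Steps 5-7 from the service side: ticket, authenticator, clock skew and replay cache."""
    def __init__(self, k_svc: bytes):
        self.k_svc, self.seen = k_svc, set()   # replay cache of authenticators already accepted
    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        t = unseal(self.k_svc, ticket)         # only the service knows K_req_svc (step 4 output)
        if not t["start"] <= now <= t["end"]:
            raise PermissionError("ticket outside its validity period")
        k_sess = bytes.fromhex(t["k_client_svc"])
        auth = unseal(k_sess, authenticator)   # decrypting proves the client holds K_client-SS
        if auth["client_id"] != t["client_id"] or abs(now - auth["ts"]) > MAX_SKEW:
            raise PermissionError("authenticator mismatch or clock skew > 5 min")
        if authenticator in self.seen:         # sniffed-and-resent message 5: ignored
            raise PermissionError("replayed authenticator")
        self.seen.add(authenticator)
        return seal(k_sess, {"ts": auth["ts"] + 1})   # step 6: "OK, I can serve you"

def demo() -> dict:
    """Runs one honest exchange, then a replay and a stale authenticator; returns the outcomes."""
    k_svc, k_sess, now = b"service-long-term-key", b"client-svc-session-key", 1_700_000_000.0  # constructed
    ticket = seal(k_svc, {"client_id": "mossen", "client_fqdn": "pc.corp.example",
                          "start": now - 60, "end": now + 36000, "k_client_svc": k_sess.hex()})
    ss = ServiceServer(k_svc)
    auth = seal(k_sess, {"client_id": "mossen", "ts": int(now)})      # 5.2: Authenticator-2
    reply = unseal(k_sess, ss.ap_exchange(ticket, auth, now))
    outcomes = {"honest": reply["ts"] == int(now) + 1}                  # step 7 on the client
    for name, a, t in (("replay", auth, now + 1),
                       ("stale", seal(k_sess, {"client_id": "mossen", "ts": int(now) - 3600}), now)):
        try:
            ss.ap_exchange(ticket, a, t); outcomes[name] = "accepted"
        except PermissionError as e:
            outcomes[name] = str(e)
    return outcomes
```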
Ticket cache attack (“file” on the client system)
• Attack assumptions:
  o Debug privilege (by default, only members of the local SAM Administrators group are allowed)
  o LSASS.exe is a process (user; SYSTEM)
• Attack goals:
  o Get cached hashes
Get that hash - method
• Elevate
• Get the SE_DEBUG privilege in your token
• Inject
Q
Pass the ticket
• Pass the Ticket: ability to authenticate on the client. Only the Microsoft implementation is vulnerable and not yet corrected.
Attacking and fixing the Microsoft Windows Kerberos login service, Tommaso Malgherini and Riccardo Focardi, Università Ca' Foscari, Venezia
Kerberos – basic hardening
• Hash computation:
Kerberos - Hardening - lifetime