Post on 14-Jan-2015
ISSA-UK OCTOBER 2013
YOUR SPEAKER - JAMES MCKINLAY
• INFORMATION SECURITY MANAGER, ASDA
• IS SECURITY AND AUDIT MANAGER, MANCHESTER AIRPORTS GROUP
• INFORMATION SECURITY TEAM LEADER, HML PART OF SKIPTON BUILDING SOCIETY
• EASY TO FIND ON LINKEDIN
EXEC SUMMARY – TAKE BACK CONTROL
• HASH DUMPS AND HASH CRACKING MAKE SENSATIONAL HEADLINES
• WITH A BIT OF “BACK TO BASICS” SECURITY THINKING WE CAN MAKE SURE IT IS NOT OUR COMPANIES IN THE NEWS FOR ALL THE WRONG REASONS
• WILL LOOK AT PREVENTATIVE AND DETECTIVE CONTROLS WE CAN DEPLOY TO KEEP AHEAD OF THE ATTACKERS
IN THE HEADLINES
• THE ONE THAT GOT MY ATTENTION WAS
• LINKEDIN JUNE 2012
IN THE FORUMS
• LINKEDIN JUNE 2012
• FORUM.INSIDEPRO.COM
HTTP://WWW.SKULLSECURITY.ORG/WIKI/INDEX.PHP/PASSWORDS
HTTP://WWW.ADEPTUS-MECHANICUS.COM/CODEX/HASHPASS/
TWO PART PROBLEM
• NONE OF THIS IS NEW – (I FIRST SAW THIS OVER 20 YEARS AGO)
• 1) ACQUIRE THE HASHES
• WILL LEAVE EVIDENCE
• 2) REVERSE THE HASHES
• ONCE THE DATA IS OUT, THE REST CAN BE DONE OFFLINE – (CLASSIC DLP PROBLEM)
BUT THEY ARE ENCRYPTED AREN’T THEY
• SYMMETRIC ENCRYPTION
• PRE SHARED SECRET
• ASYMMETRIC ENCRYPTION
• ONE KEY TO LOCK, A DIFFERENT KEY TO UNLOCK
• ONE-WAY HASHING ALGORITHM
• SHA1, MD5, NTLM
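The slide's point is that a one-way hash is not encryption: there is no key to recover, so a stolen dump is attacked by guessing and comparing, and a fast, unsalted digest (MD5, SHA1, or the NT hash, which is MD4 over the UTF-16LE password with no salt) makes that cheap and lets one recovered entry cover every user who chose the same password. The following is an added example written for this page, not code from the talk; the account list is constructed, and the salted alternative shown beside it is PBKDF2-HMAC-SHA256 from Python's standard library.

```python
import hashlib
import os

# Constructed sample accounts; two of them share a password, as real dumps often show.
SAMPLE_USERS = {
    "alice": "Summer2013",
    "bob": "Summer2013",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str, algo: str = "sha1") -> str:
    """One fast digest of the password alone. This is the shape of the MD5/SHA1
    entries in web-application dumps; the Windows NT hash is the same idea
    (MD4 over the UTF-16LE password, no salt), just a different algorithm."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The salt defeats shared precomputation; the iterations raise the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_unsalted_table(users):
    """{user: hex digest}, the layout of a typical leaked credential table."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def build_salted_table(users):
    """{user: (salt hex, digest hex)}; a verifier must store the salt with the digest."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt.hex(), salted_slow_hash(p, salt))
    return table


def duplicate_hash_groups(digests):
    """digests: {user: hex}. Returns {hex: [users]} for digests shared by more than
    one user. Without a salt, every user with the same password has the same digest,
    so recovering one entry recovers them all; with per-user salts this map is empty."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def verify_salted(password: str, stored) -> bool:
    """Recompute with the stored salt and compare; this is all a login check needs."""
    salt_hex, digest = stored
    return salted_slow_hash(password, bytes.fromhex(salt_hex)) == digest


if __name__ == "__main__":
    unsalted = build_unsalted_table(SAMPLE_USERS)
    print("shared unsalted digests:", duplicate_hash_groups(unsalted))
    salted = build_salted_table(SAMPLE_USERS)
    print("shared salted digests:", duplicate_hash_groups({u: d for u, (_, d) in salted.items()}))
    print("alice verifies:", verify_salted("Summer2013", salted["alice"]))
```

Run it and the unsalted table shows alice and bob collapsing onto one digest while the salted table shows none, which is exactly why the same leaked digest can be looked up in a public database for the unsalted case and has to be attacked separately, and slowly, per user in the salted case.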
WHAT IS OUT THERE
• LOTS OF HASH DUMPS COME FROM HACKED WEB FACING APPLICATIONS
• PASTEBIN, PASTE2, INSIDEPRO, MD5DECRYPTER
• NOT A LOT OF NTLM ACTIVE DIRECTORY BEING TRADED/DUMPED/DISCUSSED
• PENTESTERS OFTEN “ROOT” A DC BUT ARE NOT LEAKING (THIS IS A GOOD THING)
WHO REMEMBERS THE INFO-SEC LAW
• LAW #1: IF A BAD GUY CAN PERSUADE YOU TO RUN HIS PROGRAM ON YOUR COMPUTER, IT'S NOT YOUR COMPUTER ANYMORE
• LAW #2: IF A BAD GUY CAN ALTER THE OPERATING SYSTEM ON YOUR COMPUTER, IT'S NOT YOUR COMPUTER ANYMORE
• LAW #5: WEAK PASSWORDS TRUMP STRONG SECURITY
• HTTP://TECHNET.MICROSOFT.COM/LIBRARY/CC722487.ASPX
THE BASICS
• IT IS SAFE TO ACCEPT THAT IF AN ATTACKER HAS A DOMAIN ADMINISTRATOR USERNAME AND PASSWORD COMBINATION THEY CAN GO ANYWHERE, DO ANYTHING AND COVER THEIR TRACKS. AT THIS STAGE IT IS “GAME OVER” FOR THE DEFENDERS AND, DEPENDING ON THE SKILL LEVEL OF THE ATTACKER, IF YOU FIND THEM IT WILL BE DOWN TO DETECTIVE CONTROLS AND FORENSIC POST-INCIDENT INVESTIGATION.
• BUT DON’T PANIC, WE CAN MAKE IT EXTREMELY DIFFICULT FOR AN ATTACKER TO GET TO THIS STAGE AND EXTREMELY EASY FOR THE DEFENDERS TO KNOW IF IT HAS HAPPENED. GOOD PREVENTATIVE AND DETECTIVE CONTROLS COMBINED WITH GOOD INCIDENT RESPONSE PROCEDURES CAN GIVE YOU CONFIDENCE THAT YOU KNOW WHO DOES WHAT, WHEN AND WHERE – WHY IS NOT ALWAYS SO EASY TO UNDERSTAND.
NOW WHAT SHOULD WE BE DOING
PENTESTING WINDOWS NETWORKS
• 1) COMPROMISE AN UNPATCHED MACHINE (PREFERABLY A MEMBER SERVER)
• 2) “PRIV ESC” TO LOCAL ADMIN
• 3) DUMP CACHED CREDENTIALS
• 4) REVERSE PASSWORD FOR A SERVER SUPPORT TEAM MEMBER OF STAFF
• 5) SEE IF THEY ARE A DOMAIN ADMIN – REPEAT UNTIL YOU GET ONE
• 6) DUMP THE ACTIVE DIRECTORY HASHES FOR ALL ACCOUNTS (AND YOU CAN GO ANYWHERE, AS ANYONE, AND DO ANYTHING)
PROTECTION 101
• 1) HARDEN YOUR DOMAIN CONTROLLER
• 2) HARDEN YOUR MEMBER SERVERS
• 3) HARDEN AND AV YOUR WORKSTATIONS
• 4) EDUCATE YOUR USERS
• PCIDSS, SANS CAG
WHAT DO WE MEAN BY “HARDEN” ?
• CIS BENCHMARKS
• NIST SP800 SERIES / DISA STIG
• CPNI – GPG GUIDES
• MICROSOFT SECURITY
• (THREATS AND COUNTERMEASURES)
• (SECURING SERVICES)
• (MANAGE AUDITING AND SECURITY LOG)
• “CORE” COMMAND LINE ONLY BUILDS
PRINCIPLES 101
• LEAST PRIVILEGE
• DEFENCE IN DEPTH
• FAIL SAFE
• ONLY AS STRONG AS THE WEAKEST LINK
• TONE AT THE TOP
• KEEP IT SIMPLE
• SEGREGATE
• DEFAULT DENY
PROTECTION 202
• 1) HARDEN DC
• 2) HARDEN/ SEGREGATE ACTIVE DIRECTORY
• 3) SETUP “BREAK GLASS” PROCEDURE FOR KEY ACCOUNTS
• 4) SECURE SERVICES
• 5) SETUP INCIDENT RESPONSE PROCEDURES FOR COMPROMISED ACCOUNTS
• 6) SET UP AND TUNE SIEM
• 7) TEST ALL OF ABOVE THEN PERFORM A PASSWORD AUDIT
THINGS TO ELIMINATE
• LM HASHES IN SECURITY DATABASE
• SERVICES THAT RUN AS DOMAIN ADMIN (SMS, SCCM, ALTIRIS ETC)
• USERS THAT DO NOT HAVE SEPARATE ACCOUNTS FOR ADMIN DUTIES
• WHY DO YOU NEED SO MANY - SCHEMA ADMINS, ENTERPRISE ADMINS, DOMAIN ADMINS
THINGS YOU DON’T NEED TO DO WITHOUT
• WINDOWS FIREWALL
• WINDOWS USB STORAGE BLOCKING
• AUTOMATIC WINDOWS UPDATES
• ALL CAN BE “MANDATORY”
• ALL CAN BE CONTROLLED THROUGH ACTIVE DIRECTORY
THINGS TO WATCH OUT FOR
• WATCH THE SECURITY (AND SYSTEM) LOGS ON YOUR DC
• RUN HACKING TOOLS AGAINST YOUR DC
• LOOK FOR THE EVIDENCE IN YOUR LOGS
• SET A REAL TIME ALERT IN YOUR LOG MONITORING SOLUTION
• WHAT DO YOU MEAN YOU DON’T MONITOR LOGS OF CRITICAL SERVERS IN REAL TIME !!!
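The slide asks you to run the dumping tools against your own DC, find what they leave in the logs, and turn that into a real-time alert. The tools of the fgdump/pwdump family named later in the deck push a service onto the target, so the System log (service installed, event 7045; or 4697 in the Security log where that audit is enabled) matters as much as the Security log; adding someone to Domain Admins (4728) and clearing the security log (1102) are the other two moves the deck's "game over" paragraph describes. The following is an added example written for this page, not the speaker's material: a few SIEM-style records constructed to look like that evidence, with the rules a defender would tune. Host names, account names and IP addresses are made up; the event IDs are the real Windows ones.

```python
from datetime import datetime

# Constructed SIEM-style records, not real log lines. DC01 is the domain
# controller; FS01 is an ordinary member server, included to show tuning.
DC_HOSTS = {"DC01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

SAMPLE_EVENTS = [
    {"time": "2013-10-01T09:00:05Z", "host": "DC01", "log": "Security", "id": 4624,
     "user": "srvsupport1", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"time": "2013-10-01T09:00:07Z", "host": "DC01", "log": "System", "id": 7045,
     "user": "srvsupport1", "service": "svc_tmp12", "image": r"C:\Windows\Temp\svc_tmp12.exe"},
    {"time": "2013-10-01T09:00:40Z", "host": "DC01", "log": "Security", "id": 4728,
     "user": "srvsupport1", "group": "Domain Admins", "member": "srvsupport1"},
    {"time": "2013-10-01T09:05:00Z", "host": "FS01", "log": "System", "id": 7045,
     "user": "SYSTEM", "service": "VendorUpdater", "image": r"C:\Program Files\Vendor\updater.exe"},
    {"time": "2013-10-01T09:30:00Z", "host": "DC01", "log": "Security", "id": 1102,
     "user": "srvsupport1"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(event, dc_hosts=DC_HOSTS):
    """Return an alert message for one event, or None if these rules consider it benign.
    7045 (System) / 4697 (Security): a service was installed.
    4728: a member was added to a security-enabled global group.
    1102: the security audit log was cleared."""
    eid, host = event["id"], event["host"]
    if eid in (7045, 4697) and host in dc_hosts:
        # Service installs are routine on member servers; on a DC they are rare and reviewable.
        return f"new service on DC {host}: {event.get('service')} -> {event.get('image')}"
    if eid == 4728 and event.get("group") in PRIVILEGED_GROUPS:
        return f"{event.get('member')} added to {event['group']} by {event['user']}"
    if eid == 1102:
        return f"security log cleared on {host} by {event['user']}"
    return None


def detect(events, dc_hosts=DC_HOSTS):
    """Run every event through the rules; return (time, host, id, message) tuples."""
    alerts = []
    for ev in events:
        msg = evaluate(ev, dc_hosts)
        if msg is not None:
            alerts.append((ev["time"], ev["host"], ev["id"], msg))
    return alerts


def remote_logon_then_service(events, window_seconds=60):
    """Pair each service install with a network logon (4624, logon type 3) by the
    same account on the same host in the preceding window. Returns
    (source ip, host, account, service) so the response team knows where to look."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    pairs = []
    for ev in events:
        if ev["id"] not in (7045, 4697):
            continue
        t = parse_time(ev["time"])
        for lg in logons:
            gap = (t - parse_time(lg["time"])).total_seconds()
            if lg["host"] == ev["host"] and lg["user"] == ev["user"] and 0 <= gap <= window_seconds:
                pairs.append((lg["src_ip"], ev["host"], ev["user"], ev.get("service")))
    return pairs


def accounts_to_reset(events, dc_hosts=DC_HOSTS):
    """Accounts named in any alert: the input to the compromised-account procedure."""
    return {ev["user"] for ev in events if evaluate(ev, dc_hosts) is not None}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
    print("logon->service pairs:", remote_logon_then_service(SAMPLE_EVENTS))
    print("reset:", accounts_to_reset(SAMPLE_EVENTS))
```

The FS01 service install is deliberately not alerted: the same rule that is noise on a fleet of member servers is a high-confidence signal on the handful of hosts that hold the security database, which is the tuning the slide's last bullet is asking for.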
HOW DO THEY GET THEM
• FIRST CATCH YOUR RABBIT - YOU NEED TO GET THE SECURITY DATABASE. THERE ARE MANY WAYS, HERE ARE SOME:
• FGDUMP – POINT AT DOMAIN CONTROLLER IF YOU HAVE ADMIN RIGHTS
• PWDUMP – OLDER VERSION OF FGDUMP
• ABEL FROM CAIN&ABEL – INSTALL ON DOMAIN CONTROLLER IF YOU HAVE ADMIN RIGHTS
• METERPRETER SCRIPTS IF YOU HAVE “ROOTED” A DC USING METASPLOIT
• SAM BACKUP FILES (LOCAL MACHINES)
• SAM FILES (STOLEN BY LINUX LIVECD)
HOW DO THEY CRACK THEM
• EASY TO USE, WINDOWS GUI, GREAT INTRODUCTION TO CRACKING – CAIN & ABEL
• POWERFUL COMMAND LINE TOOLS WRITTEN FOR SPEED – JOHNTHERIPPER / HASHCAT
• GPU SPECIALS OCLHASHCATPLUS, LATEST COMMUNITY VERSION JTR, CRYPTOHAZE
• RAINBOW TABLES (OPHCRACK / FREERAINBOWTABLES.ORG / CRYPTOHAZE)
• INTERNET DATABASES (TMTO.ORG / MD5DECRYPTER.CO.UK)
• CROWD SOURCING (FORUM POSTS AT INSIDEPRO.COM)
• DON’T LIMIT RESEARCH TO JUST THE “INTERNET”, DARKNET (TOR HIDDEN SERVICES)
WHAT IS OUR EXPOSURE?
• ENTERPRISE ADMINISTRATOR USER ACCOUNTS
• DOMAIN ADMINISTRATOR USER ACCOUNTS
• DOMAIN ADMINISTRATOR SERVICE ACCOUNTS
• BACKUP TAPES / BACKUP FILES
• VIRTUAL MACHINE SNAPSHOTS
• LOCAL ADMINISTRATOR ACCOUNTS ON MACHINES VISITED BY DOMAIN ADMINISTRATORS
BEFORE CONDUCTING A PW AUDIT
• ESTABLISH AND TEST PROCESS FOR SERVICE ACCOUNT PASSWORD RESET
• ESTABLISH AND TEST THE PROCESS FOR SPECIAL ACCOUNT PASSWORD RESET
• SET GROUND RULES FOR AUDITOR
• MONITOR THE PROCESS
• DESTROY THE HASHES AFTERWARDS
PW AUDIT GROUNDWORK
• NUMBER OF AD OBJECTS THAT REQUIRE A LOGIN
• NUMBER OF MACHINE ACCOUNTS
• NUMBER OF DISABLED ACCOUNTS
• PASSWORD AGE DATA CONVERTED INTO DAYS
• PASSWORD CHANGE EXCEPTIONS
• NUMBER OF ACCOUNTS WITH AN EXPIRY DATE SET
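The groundwork figures above, and the "things to eliminate" counts from earlier in the deck (too many members of Schema, Enterprise and Domain Admins; service accounts living in those groups), all fall out of the same handful of attributes on each account object. The following is an added example written for this page, not the speaker's script; it works over a constructed export of sAMAccountName, userAccountControl, pwdLastSet, accountExpires and group memberships rather than a live directory. The userAccountControl bits and the FILETIME convention (100-nanosecond ticks since 1601-01-01 UTC, with accountExpires of 0 or 0x7FFFFFFFFFFFFFFF meaning "never") are the real AD ones; every account name and date is made up.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits from the AD schema.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST = 0x1000      # workstation / member server computer object
UAC_SERVER_TRUST = 0x2000           # domain controller computer object
UAC_DONT_EXPIRE_PASSWORD = 0x10000
MACHINE_BITS = UAC_WORKSTATION_TRUST | UAC_SERVER_TRUST

NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both values mean "no expiry" in accountExpires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")
AUDIT_DATE = datetime(2013, 10, 15, tzinfo=timezone.utc)   # constructed reference date


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Used only to build the constructed sample in the units an AD export uses.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_age_days(pwd_last_set: int, now: datetime) -> int:
    """The slide's 'password age data converted into days'."""
    return (now - filetime_to_datetime(pwd_last_set)).days


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample export; names, dates and memberships are invented.
SAMPLE_OBJECTS = [
    {"sam": "alice",       "uac": UAC_NORMAL_ACCOUNT,                            "pwdLastSet": _ft(2013, 8, 1),  "accountExpires": 0,                  "memberOf": []},
    {"sam": "bob",         "uac": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD, "pwdLastSet": _ft(2012, 1, 10), "accountExpires": 0x7FFFFFFFFFFFFFFF, "memberOf": ["Domain Admins"]},
    {"sam": "svc_backup",  "uac": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD, "pwdLastSet": _ft(2011, 3, 1),  "accountExpires": 0,                  "memberOf": ["Domain Admins"]},
    {"sam": "contractor1", "uac": UAC_NORMAL_ACCOUNT,                            "pwdLastSet": _ft(2013, 9, 1),  "accountExpires": _ft(2013, 12, 31),  "memberOf": []},
    {"sam": "olduser",     "uac": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,       "pwdLastSet": _ft(2010, 5, 5),  "accountExpires": 0,                  "memberOf": []},
    {"sam": "admin-bob",   "uac": UAC_NORMAL_ACCOUNT,                            "pwdLastSet": _ft(2013, 7, 1),  "accountExpires": 0,                  "memberOf": ["Domain Admins", "Schema Admins"]},
    {"sam": "WS01$",       "uac": UAC_WORKSTATION_TRUST,                         "pwdLastSet": _ft(2013, 10, 1), "accountExpires": 0,                  "memberOf": []},
    {"sam": "DC01$",       "uac": UAC_SERVER_TRUST,                              "pwdLastSet": _ft(2013, 10, 1), "accountExpires": 0,                  "memberOf": []},
]


def groundwork(objects, now):
    """Compute the pre-audit figures the slide lists, plus the privileged-group
    membership and password-never-expires lists from 'Things to eliminate'."""
    result = {
        "requires_login": 0, "machine_accounts": 0, "disabled_accounts": 0,
        "password_age_days": {}, "password_change_exceptions": [],
        "accounts_with_expiry": 0, "privileged_members": {g: [] for g in PRIVILEGED_GROUPS},
    }
    for o in objects:
        uac = o["uac"]
        if uac & MACHINE_BITS:
            result["machine_accounts"] += 1
            continue
        if uac & UAC_ACCOUNTDISABLE:
            result["disabled_accounts"] += 1
            continue
        result["requires_login"] += 1
        if o["pwdLastSet"]:   # 0 means "must change at next logon": no age to report
            result["password_age_days"][o["sam"]] = password_age_days(o["pwdLastSet"], now)
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            result["password_change_exceptions"].append(o["sam"])
        if o["accountExpires"] not in NEVER_EXPIRES:
            result["accounts_with_expiry"] += 1
        for g in o["memberOf"]:
            if g in result["privileged_members"]:
                result["privileged_members"][g].append(o["sam"])
    return result


def oldest_passwords(result, limit=3):
    """Accounts whose reset process should be rehearsed first, oldest password first."""
    ages = result["password_age_days"]
    return sorted(ages, key=ages.get, reverse=True)[:limit]


if __name__ == "__main__":
    report = groundwork(SAMPLE_OBJECTS, AUDIT_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("oldest:", oldest_passwords(report))
```

In the sample the service account sitting in Domain Admins with a never-expiring password from 2011 surfaces as both the oldest credential and a privileged-group member, which is the combination the earlier slides want removed before, not after, the audit finds it.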
TIME IS PRECIOUS
• THANK YOU FOR YOURS