From zero to SYSTEM on full disk encrypted Windows system
Nabeel Ahmed & Tom Gilis
ABOUT US
๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium
๏ More “boring” stuff like compliance, …
๏ @tgilis
๏ Co-organizer of BruCON
Inspiration
November 2015
Ian Haken
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature bypass
MS15-122
๏ Implements trust validation before the local credential cache is updated
๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …)
BitLocker
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB key
BitLocker TPM
๏ The BitLocker key is stored in the TPM
๏ With a TPM-only protector there is no user interaction when decrypting the drive
๏ The Windows login screen is the first and only line of defense
Trust relationship?
๏ The computer account password is used for the trust
๏ Randomly generated every 30 days
๏ 2 computer account passwords are stored (current and previous)
๏ Stored in “HKLM\SECURITY\Policy\Secrets\$machine.ACC”
Bypassing the patch
Difference
(Screenshots: Legitimate DC vs. Rogue DC)
Ticket missing
SPN
“SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names.” – MSDN
SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port, like SERVICE/HOST:PORT.
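The following is an added example and not code from the talk or from Bluebox. It implements the SPN grammar quoted above (SERVICE/HOST with an optional :PORT), extended with the optional trailing /SERVICENAME instance that Microsoft's SPN syntax also allows, and matches an SPN against the HOST/ names a domain member registers for itself. The reading that the patched client's check hinges on a service ticket for the client's own HOST SPN (one that only a DC holding the machine account password can issue) is an assumption of this example, not something the slide states; all host and domain names are constructed.

```python
"""Parse and match Service Principal Names (SPNs).

Added example; not code from the talk or from Bluebox. Implements the
SERVICE/HOST[:PORT] form quoted on the slide plus the optional trailing
/SERVICENAME component of Microsoft's SPN syntax. All SPNs, host names
and domain names used here are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class SPN:
    service_class: str              # e.g. HOST, HTTP, MSSQLSvc (case kept as given)
    host: str                       # DNS or NetBIOS name, lower-cased for matching
    port: Optional[int] = None      # only present for SERVICE/HOST:PORT
    instance: Optional[str] = None  # optional trailing /SERVICENAME


def parse_spn(text: str) -> SPN:
    """Split SERVICE/HOST[:PORT][/SERVICENAME] into its parts.

    Raises ValueError for anything that is not well formed, so a caller
    rejects junk before building a ticket request around it.
    """
    parts = text.strip().split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, hostport = parts[0], parts[1]
    instance = parts[2] if len(parts) == 3 else None
    host, port = hostport, None
    if ":" in hostport:
        host, port_text = hostport.rsplit(":", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in SPN: {text!r}")
        port = int(port_text)
    if not host:
        raise ValueError(f"empty host in SPN: {text!r}")
    # SPN matching in Active Directory is case-insensitive.
    return SPN(service_class, host.lower(), port, instance)


def host_spns(computer_name: str, dns_domain: str) -> Set[str]:
    """The HOST/ SPNs a domain member registers for itself by default:
    the NetBIOS form and the fully qualified form."""
    return {
        f"HOST/{computer_name.upper()}",
        f"HOST/{computer_name.lower()}.{dns_domain.lower()}",
    }


def spn_matches_host(spn_text: str, computer_name: str, dns_domain: str) -> bool:
    """True when spn_text names this computer's own HOST service, i.e. a
    ticket for it could only have come from a DC that knows the machine
    account password (assumption: this is the check a patched client does)."""
    spn = parse_spn(spn_text)
    if spn.service_class.upper() != "HOST" or spn.port is not None:
        return False
    own = {s.split("/", 1)[1].lower() for s in host_spns(computer_name, dns_domain)}
    return spn.host in own
```

The parser is strict on purpose: an SPN with a non-numeric or out-of-range port, an empty host, or more than three components is rejected rather than silently normalised, which is what you want before the value is handed to a ticket request.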
Demo time
Kerberos Password change
(Diagram: Kerberos password change exchange; the expired password EXP_PASS is replaced by NEW_PASS)
Conclusion
๏ The patch checks whether a service ticket (T) has been received, BUT only validates it AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ “Suggested workaround”: disable local password caching
๏ Patched on all supported Windows versions
Bluebox
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox
WHAT’S NEXT?
๏ Extract any personal data
o Documents, emails, passwords, …
๏ Requires admin privileges to:
o Retrieve the BitLocker recovery key (or disable BitLocker)
o Install malware
o Extract data from other users
o …
Trust relationship?
๏ The trust relationship is not always validated
๏ Working Active Directory set-up
๏ Is any other Windows functionality missing trust validation?
PRIVILEGE ESCALATION
Will Group Policies work?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements
Group Policies
                       User Configuration                Computer Configuration
Applied                during login (or on refresh)      before login (or on refresh)
Runs with              user or SYSTEM privileges         SYSTEM privileges
Authenticated with     user account password             machine account password
EXAMPLE – CMD AS SYSTEM
1. Create a new Group Policy and assign it to the user account
2. Add the following configuration to the policy:
   • Download a file (e.g. NetCat.exe)
   • Run NetCat as SYSTEM
   • Connect to the service as the user
(Screenshot: scheduled task GPO)
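The defensive counterpart of the procedure above, as an added example that is not code from the talk: the escalation relies on a user-assigned GPO whose scheduled task runs as SYSTEM, so a defender can walk SYSVOL for User\Preferences\ScheduledTasks\ScheduledTasks.xml and report every task whose runAs is the SYSTEM account. The element and attribute names used here (TaskV2, Properties, runAs, Exec/Command) follow the Group Policy Preferences XML as Windows writes it; confirm them against your own SYSVOL. The sample files, the GPO GUID and the domain name are constructed, not captured from a real domain.

```python
"""Find Group Policy Preference scheduled tasks that run as SYSTEM from
the User configuration of a GPO.

Added example; not code from the talk. Element and attribute names
(TaskV2, Properties, runAs, Exec/Command) follow the GPP XML Windows
writes; confirm them against your own SYSVOL. SAMPLE_FILES is
constructed, not captured from a real domain.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Spellings of the local SYSTEM account that appear in the runAs attribute.
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}


def is_user_policy_path(path: str) -> bool:
    """True for ScheduledTasks.xml files under a GPO's User branch."""
    p = path.replace("/", "\\").lower()
    return "\\user\\preferences\\scheduledtasks\\" in p


def system_tasks_in_xml(xml_text: str) -> List[Dict[str, str]]:
    """Return every task in one ScheduledTasks.xml whose runAs is SYSTEM."""
    hits = []
    for task in ET.fromstring(xml_text):          # TaskV2, ImmediateTaskV2, ...
        props = task.find("Properties")
        if props is None:
            continue
        run_as = (props.get("runAs") or "").strip().lower()
        if run_as not in SYSTEM_ACCOUNTS:
            continue
        cmd = props.find(".//Exec/Command")
        args = props.find(".//Exec/Arguments")
        hits.append({
            "task": task.get("name", ""),
            "run_as": props.get("runAs", ""),
            "command": (cmd.text or "") if cmd is not None else "",
            "arguments": (args.text or "") if args is not None else "",
        })
    return hits


def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the check to a {path: xml_text} map. Only User-branch files
    count: SYSTEM is the expected context for Computer-configuration tasks."""
    findings = []
    for path, text in files.items():
        if not is_user_policy_path(path):
            continue
        for hit in system_tasks_in_xml(text):
            hit["policy_file"] = path
            findings.append(hit)
    return findings


def scan_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL (or an offline copy of it) and run scan_files over it."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower() == "scheduledtasks.xml":
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    files[full] = fh.read()
    return scan_files(files)


# Constructed sample: one User-branch task running as SYSTEM (reported), one
# User-branch task running as the logged-on user, and one Computer-branch task
# running as SYSTEM (normal there, not reported).
_USER_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Updater" image="0"
          uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="Updater" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Windows\Temp\nc.exe</Command>
        <Arguments>-l -p 4444 -e cmd.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup" image="0"
          uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="C" name="Cleanup" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\cleanmgr.exe</Command>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

_MACHINE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory" image="0"
          uid="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\agent.exe</Command>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

_GPO = r"\\corp.local\SYSVOL\corp.local\Policies\{12345678-90AB-CDEF-1234-567890ABCDEF}"
SAMPLE_FILES = {
    _GPO + r"\User\Preferences\ScheduledTasks\ScheduledTasks.xml": _USER_XML,
    _GPO + r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": _MACHINE_XML,
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['policy_file']}: task {f['task']!r} runs {f['command']} "
              f"{f['arguments']} as {f['run_as']}")
```

Run scan_sysvol against a copy of \\domain\SYSVOL to check a real domain; the split between User and Machine branches matters, since a SYSTEM task is routine under Computer Configuration and suspicious under User Configuration, which is exactly the combination the slide abuses.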
It works!?
Why does it work?
๏ The client can successfully authenticate against the DC using the user's credentials
๏ All encrypted traffic remains intact (SMB, LDAP, RPC)
๏ Windows assumes that the user credentials are sufficient to acknowledge the trust relationship
๏ Reported to Microsoft, who acknowledged the vulnerability but ...
IS IT NEW?
๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)
๏ Jennings’ conclusion: “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”
WINDOWS 10 ?
(Screenshots)
WIN 7 vs Win 10
(Screenshots)
User SID
S-1-5-21-124525095-708259637-1543119021-20937
๏ Domain Security Identifier: S-1-5-21-124525095-708259637-1543119021 (uses the machine SID of the server on which the new domain is created)
๏ Relative ID: 20937 (incremental)
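An added example, not code from the talk or from mimikatz, that makes the SID anatomy above concrete: it decodes the slide's SID into revision, identifier authority and sub-authorities, splits an account SID into its domain SID and RID, decides whether two account SIDs belong to the same domain (the comparison a rogue domain has to survive, which is why the following slides are about setting the SID), and serialises to and from the binary SID layout Windows uses in tokens and in NTDS.DIT. The second domain SID used in the tests is constructed.

```python
"""Decode Windows security identifiers and compare domain identifiers.

Added example; not code from the talk or from mimikatz. Binary layout:
revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
identifier authority, then little-endian 32-bit sub-authorities.
"""
import struct
from typing import List, Tuple


def parse_sid(text: str) -> Tuple[int, int, List[int]]:
    """Return (revision, identifier_authority, sub_authorities) for S-R-A-..."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Windows only defines revision 1, at most 15 sub-authorities, a 48-bit authority.
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"invalid SID: {text!r}")
    return revision, authority, subs


def split_domain_rid(text: str) -> Tuple[str, int]:
    """Split a domain account SID (S-1-5-21-x-y-z-RID) into (domain SID, RID)."""
    revision, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {text!r}")
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:4]))
    return domain, subs[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two account SIDs carry the same domain identifier."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


def sid_to_bytes(text: str) -> bytes:
    """Serialise to the binary SID structure."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs))
    ident = authority.to_bytes(6, "big")
    return header + ident + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data: bytes) -> str:
    """Inverse of sid_to_bytes: binary SID back to S-R-A-... text."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    sid = "S-1-5-21-124525095-708259637-1543119021-20937"   # the SID on the slide
    domain, rid = split_domain_rid(sid)
    print("domain:", domain, "rid:", rid)
    print("binary:", sid_to_bytes(sid).hex())
```

The same_domain check is the point of the example: a user SID cached from the real domain and one issued by a rogue DC only compare equal when all four domain sub-authorities match, and those come from the machine SID of the server that created the domain, which is what makes reproducing them on a rogue DC the hard part.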
Setting the SID
๏ Possibilities:
o Set the machine SID before the AD is created:
  o Windows Sysprep generates a new “random” SID
  o Commercial tools exist
o Off-line edit of the NTDS.DIT file
o Samba NT4 PDC to AD DC
Lengthy, complex and prone to errors
mimikatz to the rescue
Demo time
Conclusion
๏ Patched behaviour: the trust is first validated with the computer account
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …
Recovering original password
Diagram steps: Force hibernation → Bypass login screen → Elevate privileges → Extract HIBERFIL.SYS → Reset local password cache
๏ Convert the .sys to a .dmp
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below
Timeline
Takeaways
๏ Trust relationships are not always validated
๏ Don’t take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilkiwi
๏ Third time’s a charm?
o November 2015 (MS15-122)
o February 2016 (MS16-014)
o … July 2016 (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis