Pass-the-Hash II: The Wrath of Hardware
Transcript of the RSA Conference session slides
Page 1
SESSION ID: HTA-R03
#RSAC
Nathan Ide
Pass-the-Hash II: The Wrath of Hardware
Principal Software Engineering Lead, Microsoft, Windows security
Page 2
Pop Quiz, Hot Shot
Which would you stop:
Largest bank heist in history
Theft of customer PII
Politically-motivated hacking
Good news! You don’t need to choose. All exploit AD Single Sign-On (SSO).
Page 3
Single-Sign On, Explained
[Diagram: Alice’s Desktop (User: Alice, Password: a1b2c) creates Alice’s User Session (User: Alice, Password hash: C9D…), which authenticates to the File Server; the server then holds its own Alice’s User Session.]
1. Alice enters username and password
2. PC creates Alice’s user session
3. PC proves knowledge of Alice’s hash to Server
4. Server creates a session for Alice
Page 4
Pass-the-Hash Technique
[Diagram: APT-ONE, with the stage labels Recon, Compromise, Escalate and Foothold, moves across Bob_Laptop (User: Bob, NT: A3D7…), Alice_PC (User: Alice, NT: 4F3D…) and Carol_Tablet (User: Carol, NT: 238D…) to reach HR_Vids, appearing as User: Bob, User: Carol and User: Alice along the way.]
Page 5
The Future! (if you can get there)
New protocols learn from these attacks
NAS, printers, software, hardware rely on NTLM & Kerberos
Security or compatibility, choose one
Unless …
Page 6
Bringing new security promises to old protocols
Page 7
Physical Token Theft
Page 8
Digital Token Theft
[Diagram: on Alice’s Laptop, the Local Security Authority (LSASS) hosts NTLM and Kerberos and a Credential Store holding Alice’s “credential footprint”: User: Alice, Password: a1b2c, NTOWF: C9DF4E56A2…, a Ticket Granting Ticket and several Service Tickets.]
Page 9
Token Theft - Demo
Page 10
Current Defenses
Binding to devices with silos/policies: theft still possible on restricted machines
Reduced credential footprint: SSO means attacker still has something to steal
Process/Kernel code signing: eliminates polymorphism, but requires A/V signatures
Page 11
Servicing frequency & definition of “Old”
[Chart: OS Patches servicing cadence, with the columns Monthly, <3 Years, 5 Years and >5 Years over the rows Client Devices, Domain Controller, Servers, LOB tools and Appliances; a second row labelled ACLs covers DC, Client, Server and NAS.]
Page 12
New technique
Use hardware virtualization
“Isolated User Mode” (IUM) provides strong isolation boundary
Strict signing - doesn’t host device drivers
Building block for all security promises
[Diagram: the Hypervisor separates the High Level OS (HLOS), which runs LSASS, from Isolated User Mode (IUM), which runs LSAIso.]
Page 13
10,000’ Architecture
Windows 10 has IUM with builtin NTLM and Kerberos support
[Diagram: the Hypervisor separates the High Level OS (HLOS), where LSASS runs NTLM and Kerberos, from Isolated User Mode (IUM), where LSAIso provides NTLM support and Kerberos support and holds the IUM secrets, labelled Clear secrets and Boot Persistent.]
Page 14
IUM login flow
[Diagram: Alice logs on with User: Alice, Password: a1b2c. LSASS in the HLOS hosts NTLM and Kerberos with the Kerb key and TGT; IUM, across the Hypervisor, hosts NTLM and Kerberos with the NTOWF: C9DF4E56… and the TGT key. The Domain Controller holds the NTOWF: C9DF4E56… and Kerb key; Alice’s User Session then reaches the File server.]
Page 15
IUM - Demo
Page 16
Cred Theft Law of Physics #1
Credential theft begins with hostile administrator
If user credential comes from keyboard, it’s compromised
[Diagram: the IUM login flow again; the keyboard-entered credential (User: Alice, Password: a1b2c) passes through the HLOS, where LSASS holds NTLM, Kerberos, the Kerb key and TGT, before IUM across the Hypervisor holds the NTOWF: C9DF4E56…, Kerb key and TGT key.]
Page 17
Strong cred support in NTLM, Kerberos
Symmetric secret auth used to be “good enough”
Hardware bound asymmetric auth stops phishing
In AD since Win2000
Uses PKINIT Kerberos extension
Supports Diffie-Hellman key exchange
But, NTLM is a password based protocol! DC sends you the hash
Page 18
IUM Smartcard integration
[Diagram: Alice authenticates with a smartcard (User: Alice, PIN: 1234). LSASS in the HLOS hosts NTLM and Kerberos with the TGT; IUM, across the Hypervisor, hosts NTLM and Kerberos with the TGT key, NTOWF: C9DF4E56…, Kerb key and DH key. A PKINIT request goes to the Domain Controller, which returns the TGT, TGT key and NTOWF; Alice’s User Session then reaches the File server.]
Page 19
Smartcard authentication in IUM - Demo
Page 20
Cred Theft Law of Physics #2
Costs favor attacker
Shipping is expensive
Deploying is expensive
Devices owned by (compromised) HLOS
What forces the Smartcard to use IUM?
Need to bind user accounts to IUM!
[Diagram: the smartcard flow (User: Alice, PIN: 1234) with LSASS in the HLOS and IUM across the Hypervisor both hosting NTLM and Kerberos, and each holding a DH key and an NTOWF.]
Page 21
IUM Credential Binding - Demo
Page 22
Attacking IUM
Extraction is not the only way to get data
IUM is an oracle
Susceptible to sidechannel and brute force attacks
Must restrict oracle crypto
MS-CHAPv2, NTLMv1 blocked
Smartcards restricted to DHE exchange
New trust boundary – firmware, IUM, hardware
Page 23
Putting it together …
IUM-bound machine key …
Armors hardware-bound user key …
Retrieves TGT and encrypted NTLM hash …
Decrypted in IUM
NTLM SSO without extractable NTLM hash!
[Diagram: Isolated User Mode (IUM) running LSAIso holds the TGT, TGT key and NTOWF.]
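The two slides above (the IUM oracle restrictions on page 22 and the "NTLM SSO without extractable NTLM hash" design on page 23) can be modelled in a few dozen lines. The following is an added toy model, not code from the slides or from Microsoft: the class names `LsaIso` and `Lsass`, the protocol labels `"ntlmv2"`, `"ntlmv1"` and `"mschapv2"`, the handle scheme, and the constructed domain `CORP` are all assumptions. The NTLMv2 arithmetic follows MS-NLMP (NTOWFv2 = HMAC-MD5 keyed with the NT hash over UPPER(user)+domain; NTProofStr = HMAC-MD5 over server challenge plus client blob); the NT hash itself is MD4 over the UTF-16LE password, with MD5 substituted only when the local OpenSSL build lacks MD4, which is labelled in the code. The point the model makes is the one on the slides: the HLOS side keeps only opaque handles, so dumping it yields no NTOWF, and the isolated side still answers the challenge-response oracle but refuses the DES-based protocols (NTLMv1, MS-CHAPv2) whose responses would let a caller of the oracle recover the hash.

```python
"""Toy model of the LSASS (HLOS) / LSAIso (IUM) split: the NT hash never leaves LsaIso."""
import hashlib
import hmac
import os


def ntowf(password: str) -> bytes:
    """NT one-way function: MD4 over the UTF-16LE password (16 bytes)."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        # Assumption / stand-in: OpenSSL 3 ships MD4 as a legacy algorithm, so some
        # builds lack it; MD5 keeps the 16-byte width so the rest of the model runs.
        return hashlib.md5(data).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


class LsaIso:
    """Runs 'inside' IUM: owns the NTOWF, answers authentication queries through
    a handle, and refuses the protocols the slides list as blocked."""

    BLOCKED = {"ntlmv1", "mschapv2"}  # DES-based responses: oracle would leak the hash

    def __init__(self) -> None:
        self._secrets = {}  # handle -> (nt_hash, user, domain); never returned to callers

    def provision(self, user: str, domain: str, password: str) -> str:
        handle = os.urandom(8).hex()
        self._secrets[handle] = (ntowf(password), user, domain)
        return handle

    def ntlm_response(self, handle: str, protocol: str,
                      server_challenge: bytes, client_blob: bytes) -> bytes:
        if protocol in self.BLOCKED:
            raise PermissionError(f"{protocol} is blocked inside IUM")
        if protocol != "ntlmv2":
            raise ValueError(f"unknown protocol {protocol!r}")
        nt_hash, user, domain = self._secrets[handle]
        key = ntowf_v2(nt_hash, user, domain)
        # NTProofStr: the only thing that crosses back into the HLOS
        return hmac.new(key, server_challenge + client_blob, "md5").digest()


class Lsass:
    """Runs in the HLOS: holds only opaque handles, so a memory dump has no NTOWF."""

    def __init__(self, iso: LsaIso) -> None:
        self.iso = iso
        self.handles = {}

    def logon(self, user: str, domain: str, password: str) -> None:
        # The password is forwarded once and dropped; nothing hash-shaped is retained here.
        self.handles[user] = self.iso.provision(user, domain, password)

    def dump(self) -> dict:
        """What an attacker reading this process would see."""
        return dict(self.handles)

    def authenticate(self, user: str, protocol: str,
                     challenge: bytes, blob: bytes) -> bytes:
        return self.iso.ntlm_response(self.handles[user], protocol, challenge, blob)


def server_verify(nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
    """The domain side knows the NTOWF (as on the DC in the slides) and recomputes NTProofStr."""
    expected = hmac.new(ntowf_v2(nt_hash, user, domain),
                        server_challenge + client_blob, "md5").digest()
    return hmac.compare_digest(expected, proof)


def demo() -> tuple:
    """Returns (server accepted?, hash visible in HLOS dump?, NTLMv1 outcome)."""
    iso = LsaIso()
    lsass = Lsass(iso)
    lsass.logon("Alice", "CORP", "a1b2c")          # user/password from the slides, domain constructed
    challenge = bytes(range(8))                     # constructed server challenge
    blob = b"\x01\x01" + b"\x00" * 30               # constructed client blob (shape only)
    proof = lsass.authenticate("Alice", "ntlmv2", challenge, blob)
    accepted = server_verify(ntowf("a1b2c"), "Alice", "CORP", challenge, blob, proof)
    leaked = ntowf("a1b2c").hex() in repr(lsass.dump())
    try:
        lsass.authenticate("Alice", "ntlmv1", challenge, b"")
        v1 = "allowed"
    except PermissionError:
        v1 = "blocked"
    return accepted, leaked, v1


if __name__ == "__main__":
    print(demo())  # (True, False, 'blocked')
```

`demo()` shows the three properties together: the server still validates an NTLMv2 proof produced through the handle, the HLOS-side dump contains no NT hash, and a request for an NTLMv1 response is refused rather than answered. A real LSAIso also has to defend the oracle against the side-channel and brute-force attacks the slide names, which a handle check alone does not address.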
Page 24
Apply
Hardware-backed credential theft defenses don’t require starting over
Eliminate weak protocols – MSCHAPv2, NTLMv1
Migrate users to hardware credentials
Update hardware and software specs to IUM-compatible devices
You can try demos at home with the Win10 April preview
Get educated on other Credential Theft mitigations: http://www.microsoft.com/pth