
Wednesday, November 18, 2015

Windows XP Password Encryption and How Tools Like Mimikatz Work

Summary:  Microsoft states that it encrypts passwords in memory with "reversible encryption".  However, this encryption is easy to overcome, because the operating system itself performs the decryption: when a tool is allowed access to the memory locations where the encrypted passwords are stored, it can retrieve them and have the operating system decrypt them automatically.  Mimikatz accomplishes "cleartext" password retrieval by invoking an LSASS function called "LsaUnprotectMemory", which is available to Mimikatz and other credential harvesting programs once they hold the debug privilege in Windows.

Suggested Mitigation: If we remove wdigest and tspkg support in Windows XP (and later versions of Windows) and limit access to the debug privilege that enables the system call which decrypts the encrypted Kerberos, wdigest, and tspkg password entries, then we have mitigated most of the risk.

Windows Authentication FAQ:
Q:  Does Windows store credential information in memory?
A:  Yes.  Windows stores multiple copies of credential information in the memory of LSASS (Local Security Authority Subsystem Service), one for each authentication protocol used on the system.  On a typical XP system there are authentication packages for wdigest (older, IE6-based), tspkg (Terminal Services), and Kerberos (normal Windows authentication).  In all, there could be up to 5 copies of Windows credentials stored in LSASS for each user logged into the system.

Q:  Does Windows Encrypt Passwords in Memory?
A:  Yes.  All Windows credentials stored in LSASS are encrypted – but in a “reversible” way.

"Note: Windows operating systems never store any plaintext credentials in memory or on disk, only reversibly encrypted credentials. When later access to the plaintext forms of the credentials are required, Windows stores the passwords in encrypted form that can only be decrypted by the operating system to provide access in authorized circumstances."

So, technically the passwords are encrypted, but it is the decryption process embedded in the OS that allows Mimikatz and other credential harvesting tools to work.  This feature cannot be disabled or isolated in XP (it is how the operating system works), and the best approach I've found so far is to limit the debug privilege of local users (including Administrator and SYSTEM) and domain users, and to remove support for the other, less commonly needed credential handling protocols: wdigest and tspkg.
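The mitigation above comes down to two settings: the list of security packages LSASS loads, and (on Windows 8.1 and later, or earlier versions with the relevant update) whether WDigest keeps the logon credential at all. The script below is an added example, not code from the original post: it audits a `reg export` of those keys offline, decodes the REG_MULTI_SZ "Security Packages" value (the `hex(7):` UTF-16LE encoding that `reg export` writes), reports whether wdigest and tspkg are still loaded and whether UseLogonCredential is enabled, and produces the hardened value. The .reg text is constructed for the demonstration; the key and value names are the real ones.

```python
"""Audit an exported LSA configuration for the wdigest/tspkg mitigation.

Added example, not code from the original post. SAMPLE_REG is a constructed
`reg export` of the two keys involved; the key and value names are real.
"""
from __future__ import annotations

import re

# Constructed sample of what `reg export` produces for the LSA key and the
# WDigest provider key. REG_MULTI_SZ appears as hex(7): UTF-16LE bytes,
# NUL-separated, double-NUL terminated, with backslash line continuations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
  00,73,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# Packages the post recommends unloading because they keep reversibly
# encrypted plaintext in LSASS.
UNWANTED_PACKAGES = {"wdigest", "tspkg"}


def _parse_hex7(payload: str) -> list[str]:
    """Decode a REG_MULTI_SZ 'hex(7):' payload into its list of strings."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    text = data.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def encode_hex7(values: list[str]) -> str:
    """Inverse of _parse_hex7: build the 'hex(7):...' text for a .reg file."""
    data = "".join(v + "\x00" for v in values).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse the .reg subset needed here: [key] sections, dword, hex(7) and
    quoted string values, honouring trailing-backslash line continuations."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # join continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(7):"):
            keys[current][name] = _parse_hex7(raw[len("hex(7):"):])
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1]
        else:
            keys[current][name] = raw
    return keys


def audit_lsa(reg_text: str) -> dict[str, object]:
    """Report which unwanted packages are loaded, whether WDigest keeps the
    logon credential, and the hardened Security Packages value to apply."""
    keys = parse_reg(reg_text)
    packages = list(keys.get(LSA_KEY, {}).get("Security Packages", []))
    findings = [f"Security Packages still loads '{p}'"
                for p in packages if p.lower() in UNWANTED_PACKAGES]
    hardened = [p for p in packages if p.lower() not in UNWANTED_PACKAGES]
    if keys.get(WDIGEST_KEY, {}).get("UseLogonCredential") == 1:
        findings.append("WDigest UseLogonCredential is 1 (logon credential kept in LSASS)")
    return {
        "packages": packages,
        "hardened_packages": hardened,
        "hardened_reg_line": '"Security Packages"=' + encode_hex7(hardened),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_lsa(SAMPLE_REG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("Apply:", result["hardened_reg_line"])
```

On Windows XP the WDigest\UseLogonCredential value does not exist, so only the Security Packages finding applies there; the hardened line can be pasted into a .reg file under the Lsa key, and the change takes effect at the next reboot because LSASS reads the list at startup.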

Q: How do tools like Mimikatz and Windows Credential Editor extract “cleartext” passwords from systems?
A: By taking advantage of a flaw in the Windows OS that allows the automatic decryption of passwords in memory.

Specifically, when tools like Mimikatz and Windows Credential Editor (WCE) extract "cleartext" passwords from a Windows operating system, they do so by establishing a session with LSASS (the area where authentication is brokered and credentials are stored in Windows) and then:
  • Querying the LSASS process for active (or recorded since the last reboot) logon sessions in memory.  The lsasrv symbols read for this are lsasrv!LogonSessionList and lsasrv!LogonSessionListCount; the results include the LUIDs (locally unique identifiers) that the operating system generates to represent the various forms of authentication and the users logged into the system.
  • Searching the returned data and parsing out the entries for the various authentication protocols (wdigest, Kerberos, tspkg, etc.).
  • Querying the output of that search for user identifiers, tokens, and "reversibly encrypted" password values.
  • Calling an LSASS function named LsaUnprotectMemory, which in turn calls the LSASS function LsaEncryptMemory; that function has access to the symmetric encryption keys (also stored in memory) and decrypts the data the tool gathered.
  • The result is "cleartext" passwords.
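Every step above presupposes that the tool's process holds the debug privilege, which is why the post's mitigation withholds it. The practical detection control is therefore to watch which logon sessions are granted SeDebugPrivilege: Windows records the privileges handed to a new logon in Security event 4672 ("Special privileges assigned to new logon"; the pre-Vista event ID for the same record, the one an XP system writes, is 576). The script below is an added example, not code from the original post. It runs over a constructed, simplified one-event-per-line export (not real event text; the account names and allow-list are invented) and flags every debug-privilege grant to an account that is not expected to hold it.

```python
"""Flag logon sessions granted SeDebugPrivilege in Security event exports.

Added example, not code from the original post. SAMPLE_EVENTS is a constructed,
simplified export (event_id|domain\\account|logon_id|privileges); the accounts
and the expected-holder list are invented for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample lines: one event per line, fields separated by '|'.
# 4672 is the Vista-and-later event for "Special privileges assigned to new
# logon"; 576 is the same record on Windows XP/2003. 4624 is an ordinary logon.
SAMPLE_EVENTS = """\
4672|NT AUTHORITY\\SYSTEM|0x3e7|SeAssignPrimaryTokenPrivilege,SeTcbPrivilege,SeDebugPrivilege
4672|CORP\\svc-backup|0x1a2b3|SeBackupPrivilege,SeRestorePrivilege
4672|CORP\\jdoe|0x4c5d6|SeSecurityPrivilege,SeDebugPrivilege
576|WORKSTATION\\Administrator|0x7e8f|SeDebugPrivilege,SeLoadDriverPrivilege
4624|CORP\\jdoe|0x4c5d6|
"""

SPECIAL_PRIVILEGE_EVENTS = {4672, 576}
DEBUG_PRIVILEGE = "SeDebugPrivilege"
# Constructed policy: accounts that legitimately receive the debug privilege
# on this host. The post's recommendation is to keep this list as short as
# possible, which is why the local Administrator is deliberately not on it.
EXPECTED_DEBUG_HOLDERS = {"NT AUTHORITY\\SYSTEM"}


@dataclass(frozen=True)
class DebugGrant:
    event_id: int
    account: str
    logon_id: str
    expected: bool  # True when the account is on the allow-list


def parse_events(text: str):
    """Yield (event_id, account, logon_id, privileges) for each sample line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, account, logon_id, privs = line.split("|", 3)
        yield int(eid), account, logon_id, [p for p in privs.split(",") if p]


def find_debug_grants(text: str, expected=EXPECTED_DEBUG_HOLDERS) -> list[DebugGrant]:
    """Every special-privilege event whose privilege list includes SeDebugPrivilege."""
    grants = []
    for eid, account, logon_id, privs in parse_events(text):
        if eid in SPECIAL_PRIVILEGE_EVENTS and DEBUG_PRIVILEGE in privs:
            grants.append(DebugGrant(eid, account, logon_id, account in expected))
    return grants


def unexpected_debug_grants(text: str, expected=EXPECTED_DEBUG_HOLDERS) -> list[DebugGrant]:
    """The grants worth alerting on: debug privilege given to an unlisted account."""
    return [g for g in find_debug_grants(text, expected) if not g.expected]


if __name__ == "__main__":
    for grant in unexpected_debug_grants(SAMPLE_EVENTS):
        print(f"ALERT event {grant.event_id}: {grant.account} "
              f"(logon {grant.logon_id}) was granted {DEBUG_PRIVILEGE}")
```

The logon ID in each alert is the handle for correlating the grant with the session's other activity. On XP this record is only written when "Audit privilege use" (or, on later versions, "Audit Special Logon") is enabled; a session that never received SeDebugPrivilege cannot open LSASS memory, so an empty alert list is the expected state on a host where the post's mitigation is in force.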

The encryption used for each authentication protocol varies, but in Windows XP it is based on a combination of RC4 and DESX.  In newer Windows operating systems 3DES and AES are used.   This is a minor point, because in unpatched and unsupported versions of Windows (as Windows XP is) there is no separate subsystem in which authentication and decryption occur; the keys are kept in the same memory as the encrypted data.  It's like sending a .zip file along with its password.

Q: Are Token Authenticators more secure?
A:  For the most part.  Although token values and PIN codes are stored in LSASS, they have a much shorter time to live, as the token values change constantly and the credential is only valid as long as the login session remains logged in.  PIN codes are exposed, which means physical security of the token devices is critical.

Q: How about certificate based authentication?
A:  Not as secure as tokens.  Although the same vulnerability exists for smartcards, it is not a password that is stored but an NT hash value of the certificate (along with the plaintext PIN).  From the article:
    "If the user logs on to Windows using a smartcard, LSA will not store a plaintext password, but it will store the corresponding NT hash value for the account and the plaintext PIN for the smartcard. If the account attribute for smartcard required for interactive logon is enabled, a random NT hash value is automatically generated for the account instead of the original password hash. This password hash that is automatically generated when the attribute is set does not change."

    In "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" from Microsoft (attached), on page 75:

    "Will using smartcard logons mitigate the risk of the problem? 

    No, not significantly. While smartcard logons can enhance security to mitigate credential theft by removing the need for a user to know their account password, underlying password hashes and Kerberos tickets can still be stolen and re-used for network connections"

    To mitigate this, toggling the "Smartcard Required" user attribute off and back on changes the NT hash value.

    Monday, October 26, 2015

    Mitigation against Mimikatz, WCE, PTH, PTT, Etc.

    Mimikatz and Active Directory Kerberos Attacks

    Nice Overview of Mimikatz and the many ways it can be used to steal, mimic, create, and bypass credential management in Windows.

    Password-Stealing Tool Targets Windows; Evades Antivirus

    To protect against pass the hash attacks, Microsoft recommended two methods that aren’t viable or practical, from’s perspective:
    • Implement smart card authentication (smart cards are expensive and difficult to deploy throughout an enterprise)
    • Remove the weaker encryption algorithm from the systems (this requires removing its use throughout the enterprise, which can prevent users from accessing older systems)

    Malware Lateral Movement: A Primer

    What can you do to detect and contain the threat actors creeping around in the dark space of your network?
    First, you need to be able to shine a light into that dark space and get visibility into what you are missing. Below are some recommendations that will help you do just that:
    • Gathering Threat Intelligence about the tools, tactics and procedures of the malicious actors and their campaigns
    • Have a threat analytics platform to identify and consolidate the information that will give your analyst the ability to do more proactive hunting for these types of techniques 
    • Proactively perform forensics and sweeping of endpoints for indicators of compromise 
    • Harden the devices that are on your network by removing any non-required applications or services and performing proactive application and system configuration management and logging 
    • Implement tighter controls and proactive monitoring of credentials and applications, utilizing whitelisting and multifactor authentication methods. 
    • Perform data exfiltration identification and monitoring by utilizing full packet analysis and monitoring tools.

    Pass-the-Ticket Countermeasures 

    In general, Pass-the-Ticket exploits can’t be blocked by standard cyber security defenses because compromised tickets aren’t invalidated when local or domain passwords are changed. And while multifactor authentication is typically a sound verification practice, Pass-the-Ticket exploits bypass it altogether.
    Instead, protecting against Pass-the-Ticket requires a different approach on the part of IT. Here are three steps in a Pass-the-Ticket defense process:
    1. Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains, allowing hackers to impersonate users or processes to gain lateral movement on a network. To counter this attack, you need to reduce the attack surface of your network. That involves enforcing frequent, automated credentials updates and secure escalation to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex and unique credentials that are frequently changed. And then audit access to the credentials.
    2. Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can use to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of cyber attackers to access additional network resources after they've exploited a computer or impersonated a user through Pass-the-Ticket.
    3. Rapid Remediation Process: Establish, in advance, a process to remove attackers' access to compromised systems. This can be accomplished through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets. The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. Privileged access management vendor Lieberman Software calls this process a Security DoubleTap™. It clears the system memory of hashes and passwords on compromised machines to curtail further access.

    Lieberman Software’s Security Double-Tap™ Defeats Golden Ticket Cyber Attacks

    While PTH is a more widely known threat, the related PTT attack is just as dangerous. PTT attacks target Kerberos, the default authentication protocol in Windows domains. These attacks exploit Kerberos by hacking the server that stores a secret key protecting authentication. Once the attacker obtains this secret key, he gains unrestricted access throughout the IT environment – essentially a “Golden Ticket”. The attacks are launched using tools freely available online, such as WCE and Mimikatz.  

    Removing Pass-the-Ticket Access from Compromised Machines

    ERPM now provides an automated double password reset specifically designed to combat the Golden Ticket attack. The two password resets – a Security Double-Tap – force rapid replication of the changed credentials throughout the domain, to block the use of compromised accounts. In conjunction with this process, ERPM can also force an automatic chained reboot of the target system to clear memory of hashes and passwords, and prevent memory scraping.

    Practical Attacks Against Multifactor

    "Multifactor authentication will keep the bad guys out" is the hue and cry of hardeners everywhere, so what is the pen-tester to do? This talk will present a variety of practical attacks against multifactor authentication, ranging from basic configuration oversights to attack strategies that might work forever even if they configure it right. Multiple technologies will be presented. Many people trust their MFA implicitly, as if it's a magic talisman of keeping hackers out, but there is much a pen-tester can do (and thus, much the other kind of hacker can do), and it's important to discuss and illustrate the risks. This talk should be useful for you if you're a pen-tester, but also if you are a defender trying to get the most out of your MFA.

    Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1

    The Windows patch that corrects the wdigest issue of storing passwords in clear text, and how to bypass it.

    Microsoft’s Local Administrator Password Solution (LAPS)

    Microsoft networks remain amongst the most vulnerable and exploited due to the way in which Active Directory is typically deployed: A base image is created with a standard local administrator password, which is duplicated on all workstations in the environment.  When an attacker compromises any workstation, the local administrator password hash can be obtained and used to access every other workstation using the classic Active Directory exploit Pass-the-Hash (PtH). This methodology is described in detail in FireEye/Mandiant M-Trends 2015 case studies.  
    On May 1 Microsoft released a new tool, Local Administrator Password Solution (Security Advisory 3062591), which provides a solution to the Pass-the-Hash exploit. Local Administrator Password Solution (LAPS) changes each local administrator password to a unique value, preventing reuse. LAPS also provides complementary end-user software to manage local administrative accounts from a centralized server.

    Why You Want Two-factor Authentication

    Most importantly, 2FA is a tool to ameliorate the security pandemic that is the password. Password re-use, weak password complexity, and insecure credential storage are the harbingers of doom for corporate networks. If you’ve never had the pleasure of using Mimikatz then give it a whirl and enjoy the sinking feeling in your stomach as you realize how your passwords are rarely adequately secured. Even if you use a password manager with long, unique passwords for everything that you log into, you stand to benefit by requiring 2FA as well. 

    Thursday, January 21, 2010

    Geek Squad Has A Great Video on 5 Tips to Protect Your Kids Online

    Just a quick post:  From homework to video games, school-aged children are connected to the online world now more than ever. In this 2 Minute Miracle video Geek Squad Agents Josh Musicant and Eric Irish offer five simple tips to protect your children online.  They cover the following tips:

    1.  Use a trusted filtering software: Cyber Patrol, Norton, and Spysweeper
    2.  Maximize your current software.  MS Windows and MAC OS controls.
    3.  Use of your wireless router.  Blocking websites and protecting the Access Point
    4.  Controlling what kids access via online gaming by using the rating system.
    5.  Social networking.  Keep the computer in a place where you can watch your kids online.

    I posted a guide to protect your kids online HERE.

    Wednesday, December 30, 2009

    Who's Behind All this Hacking - Pt. 1 - Organized Crime

    Who would want to break into my home computer?
    Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.  Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.  Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

    Many of today's intruders are sponsored by organized crime and most of the exploits we're seeing are geared to gaining control of many thousands of machines at a time through which your computer becomes part of an online neighborhood of sorts.  Once control is gained your computer can be bought and sold to the highest bidder.  Your system becomes a commodity, not unlike our own homes. In fact, this online transaction is often referred to as buying and selling  "Electronic Real Estate."  Today it is estimated that many millions of computers are part of this underground market and that there are whole "armies" of computers, under someone else's control, ready to wage cyber war against countries, organizations, and other online communities.

    Organized Crime Hacking Intel Sheet
    Motivation:  Support illegal/underground activities, cartels, and other activities like human trafficking, drug trade, terrorism, and bank/credit fraud.
    Funding: Funded primarily with illegal sources (stolen credit card info, personal info, selling hacked computer bot networks.) Often government involvement is “two-way”.
    Capabilities: Well funded/staffed efforts underway, mostly geared towards theft of financial information of direct targets, communication with actors, transfer of monies, and the masking of activities.
    Advanced Hacking Techniques.  Infected websites, malware development, botnet creation, system cracking, USB flash drive infections, hard disk encryption cracking.
    Data Harvesting Capacity.  Open source data gathering and correlation, system cracking and data extraction, use of keyloggers, password stealers, data capturing services, and website redirection.
    Use traditional espionage techniques with hacking.  A majority of today's botnets are designed and maintained by organized crime.  It is estimated that up to 75% of computers are infected with a virus.  Most viruses today come from organized crime.

    I believe that it is NOW time to take our systems back. We need to do all we can to seize control of our systems and provide a barrier between our systems and those intent on taking them from us.  This really is a primary purpose of this site.  I want to give you the tools, links and practices that will help you fight the bad guys.

    Sunday, December 27, 2009

    Talk to Your Neighbors About Their Open Wireless Access Point

    I've run into this several times; We've done all we can to secure our Wireless Access Point, we've added WEP or WPA, setup MAC address restrictions, etc., only to be circumvented by the fact that our neighbor's Access Point is wide open.  There are a couple of reasons for this:
    • Some folks don't care. 
    • They like wide open access, it's easy and they want to offer the world their internet connection. 
    • They don't know how to secure it. 
    • I'm sure that this is the most common problem. 
    • It's just too confusing, difficult, etc..
    • They have other intentions. 
    A little known fact is that once a computer accesses the inside of someone's network, it becomes vulnerable to whatever is happening on that network. The traffic from all machines can be captured, operating system vulnerabilities can be exploited, and your kids (or you) can become targeted by them.  The most significant problem is that your kids are not using the infrastructure you should be providing.  You've secured yours, you've locked it down, and you control it.  - They are basically "sneaking" out the window at night - using a window that someone else provided.

    What should you do?
    • You should find your neighbors wireless access points yourself, and talk to them about the open ones you've found.  If you have a hard time figuring out who they are, you can detect it yourself with a number of tools. One in particular is NetStumbler which can be used to scan your immediate area. With NetStumbler, you can get a signal strength meter - the stronger the signal, the closer you are.  Just use it to find the open access points..  
    • Look at your kids computers, and the wireless preferences, most of the time you'll see profiles for wireless points they've accessed.  If some of these match up with the ones you found in the neighborhood, it's time for a conversation.  
    • Remind your kids to use the internet connection you've provided. If you suspect that they are still using your neighbors connection; speak with your neighbor and let them know that their connection is being used and by whom. You probably would want to highly encourage them to secure the point.  
    It pays to know what's going on in your neighborhood, and who's providing points of interest for your kids.  It's kind of an electronic neighborhood watch.

    Tuesday, December 15, 2009

    Great Online Safety Guide for Families

    Ran across this today.  It's a great source for online safety information for families.  It covers areas such as:
    Different Age Levels - Elementary School Children (ages 5-7), Tween Children (8-12), Teens (13-17), and college age and beyond.
    Basic Subjects - Safe browsing, Protecting passwords, wireless networks, parental control software, and online faves.
    Specific Risks - Internet Predators, Plagiarism and cheating, Cyber bullying and stalking, Filesharing & music/video downloading, Private information & ID theft, Social networking sites, Porn, gambling, racism, Teen online privacy, Email and instant messaging, blogging, Viruses, Worms, Spyware, and digital photography.

    It's well written and is a great resource for families.  It has a great resource section too..

    A must read for any family with kids on the Internet.....

    CLICK HERE for the Guide

    Friday, December 4, 2009

    Presentation: Combat Readiness In the IT Infrastructure

    I've given this presentation at several security events in the past few months.  My primary objective in the presentation is to:

    1.  Make folks aware of the current threats in Information Security
    2.  Describe a botnet attack
    3.  Discuss an Information Security Implementation Methodology that works

    I've received excellent feedback and am distributing it just in case others may find the information useful.  Please submit comments regarding it.  I plan on recording the next session, so a YouTube video will be forthcoming.

    The Link for the PDF is >>>HERE<<<