Windows Passwords Presentation ISSA-UK

Category: Technology

Published on February 15, 2014

Author: infosecresearch

Source: slideshare.net

Description

Presentation slide deck for the ISSA-UK evening: "Access Controls: Perhaps we need better"

ISSA-UK, October 2013

Your speaker - James McKinlay
• Information Security Manager, Asda
• IS Security and Audit Manager, Manchester Airports Group
• Information Security Team Leader, HML, part of Skipton Building Society
• Easy to find on LinkedIn

Exec summary - take back control
• Hash dumps and hash cracking make sensational headlines
• With a bit of "back to basics" security thinking we can make sure it is not our companies in the news for all the wrong reasons
• We will look at preventative and detective controls we can deploy to keep ahead of the attackers

In the headlines
• The one that got my attention was LinkedIn, June 2012

In the forums
• LinkedIn, June 2012
• forum.insidepro.com

http://www.skullsecurity.org/wiki/index.php/Passwords

http://www.adeptusmechanicus.com/codex/hashpass/

Two-part problem
• None of this is new (I first saw this over 20 years ago)
• 1) Acquire the hashes - this will leave evidence
• 2) Reverse the hashes - once the data is out, the rest can be done offline (classic DLP problem)

But they are encrypted, aren't they?
• Symmetric encryption - pre-shared secret
• Asymmetric encryption - one key to lock, a different key to unlock
• One-way hashing algorithm - SHA1, MD5, NTLM (the NT hash is MD4 over the UTF-16LE password, with no salt)
Stored Windows passwords are hashed, not encrypted: there is no key to recover, but an unsalted hash can be attacked offline by guessing candidates and comparing.

What is out there
• Lots of hash dumps come from hacked web-facing applications
• Pastebin, Paste2, InsidePro, MD5Decrypter
• Not a lot of NTLM Active Directory material being traded/dumped/discussed
• Pentesters often "root" a DC but are not leaking (this is a good thing)

Who remembers the info-sec laws?
• Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
• Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
• Law #5: Weak passwords trump strong security
• http://technet.microsoft.com/library/cc722487.aspx

The basics
• It is safe to accept that if an attacker has a Domain Administrator username and password combination they can go anywhere, do anything and cover their tracks. At this stage it is "game over" for the defenders; whether you find them depends on the skill level of the attacker, and it will come down to detective controls and forensic post-incident investigation.
• But don't panic: we can make it extremely difficult for an attacker to get to this stage and extremely easy for the defenders to know if it has happened. Good preventative and detective controls combined with good incident response procedures can give you confidence that you know who does what, when and where. Why is not always so easy to understand.

Now, what should we be doing?

Pentesting Windows networks
• 1) Compromise an unpatched machine (preferably a member server)
• 2) "Priv esc" to local admin
• 3) Dump cached credentials
• 4) Reverse the password of a server support team member of staff
• 5) See if they are a domain admin - repeat until you get one
• 6) Dump the Active Directory hashes for all accounts (and you can go anywhere, as anyone, and do anything)

Protection 101
• 1) Harden your domain controllers
• 2) Harden your member servers
• 3) Harden and AV your workstations
• 4) Educate your users
• PCI DSS, SANS CAG

What do we mean by "harden"?
• CIS Benchmarks
• NIST SP 800 series / DISA STIGs
• CPNI - GPG guides
• Microsoft security guidance (Threats and Countermeasures; Securing Services; Manage Auditing and Security Log)
• "Core" command-line-only builds

Principles 101
• Least privilege
• Defence in depth
• Fail safe
• Only as strong as the weakest link
• Tone at the top
• Keep it simple
• Segregate
• Default deny

Protection 202
• 1) Harden DCs
• 2) Harden / segregate Active Directory
• 3) Set up a "break glass" procedure for key accounts
• 4) Secure services
• 5) Set up incident response procedures for compromised accounts
• 6) Set up and tune SIEM
• 7) Test all of the above, then perform a password audit

Things to eliminate
• LM hashes in the security database
• Services that run as Domain Admin (SMS, SCCM, Altiris etc.)
• Users that do not have separate accounts for admin duties
• Why do you need so many Schema Admins, Enterprise Admins and Domain Admins?

Things you don't need to do without
• Windows Firewall
• Windows USB storage blocking
• Automatic Windows Updates
• All can be "mandatory"
• All can be controlled through Active Directory (Group Policy)

Things to watch out for
• Watch the Security (and System) logs on your DC
• Run hacking tools against your DC
• Look for the evidence in your logs
• Set a real-time alert in your log monitoring solution
• What do you mean you don't monitor the logs of critical servers in real time!!!
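As an added example (not part of the slide deck), here is what "set a real-time alert" looks like as rules run over Domain Controller Security-log events. The event IDs are the standard Windows ones: 4728/4732/4756 for a member added to a global/local/universal security group, 4624 for a logon (types 2 and 10 are interactive and RemoteInteractive, which leave the account's credentials on the target host), and 1102 for the Security log being cleared. The event records are reduced to dicts keyed by the field names from the event XML; the host names, account names, the "tier 0" host list and the sample events themselves are constructed assumptions.

```python
"""Detection rules over DC Security-log events (added example, constructed data)."""
from collections import namedtuple

Alert = namedtuple("Alert", "severity rule event_id detail")

# Assumed: hosts where a Domain Admin may log on interactively.
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}
# Group names whose membership changes should always page someone.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed: accounts currently holding Domain Admin (in practice, pulled from AD).
DOMAIN_ADMINS = {"jmckinlay-da", "svc_sccm"}
# Logon types 2 (Interactive) and 10 (RemoteInteractive) cache reusable
# credentials on the target host, which is exactly what step 3 of the
# pentest ("dump cached credentials") goes after.
INTERACTIVE_LOGON_TYPES = {"2", "10"}


def rule_privileged_group_change(ev):
    """4728 = global group, 4732 = domain-local group, 4756 = universal group."""
    if ev["EventID"] in (4728, 4732, 4756) and ev["TargetUserName"] in PRIVILEGED_GROUPS:
        return Alert("critical", "privileged-group-change", ev["EventID"],
                     f"{ev['SubjectUserName']} added {ev['MemberName']} to {ev['TargetUserName']}")
    return None


def rule_da_logon_off_tier0(ev):
    """A DA interactive logon on a non-tier-0 host leaves DA creds for any local admin there."""
    if (ev["EventID"] == 4624 and ev["TargetUserName"] in DOMAIN_ADMINS
            and ev["LogonType"] in INTERACTIVE_LOGON_TYPES
            and ev["Computer"] not in TIER0_HOSTS):
        return Alert("high", "da-logon-off-tier0", 4624,
                     f"{ev['TargetUserName']} logon type {ev['LogonType']} on {ev['Computer']}")
    return None


def rule_audit_log_cleared(ev):
    """1102: the Security log was cleared - the classic 'cover their tracks' step."""
    if ev["EventID"] == 1102:
        return Alert("critical", "audit-log-cleared", 1102,
                     f"Security log cleared on {ev['Computer']} by {ev['SubjectUserName']}")
    return None


RULES = (rule_privileged_group_change, rule_da_logon_off_tier0, rule_audit_log_cleared)


def evaluate(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jmckinlay-da", "LogonType": "2"},
    {"EventID": 4624, "Computer": "WS-HELPDESK07", "TargetUserName": "jmckinlay-da", "LogonType": "10"},
    {"EventID": 4624, "Computer": "WS-HELPDESK07", "TargetUserName": "jsmith", "LogonType": "2"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jsmith",
     "MemberName": "CN=Bob,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jmckinlay-da",
     "MemberName": "CN=Carol,OU=Staff,DC=corp,DC=example", "TargetUserName": "Sales"},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} (event {a.event_id}): {a.detail}")
```

The DA logon to DC01 and the addition to the Sales group produce nothing; the DA logon to a helpdesk workstation, the addition to Domain Admins and the cleared log each produce one alert. The same three conditions are the first things to check for after running a hash-dumping tool against a test DC, as the slide suggests.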

How do they get them
• First catch your rabbit: you need to get the security database. There are many ways; here are some:
• fgdump - point it at the domain controller if you have admin rights
• pwdump - the older tool that fgdump builds on
• Abel from Cain & Abel - install on the domain controller if you have admin rights
• Meterpreter scripts if you have "rooted" a DC using Metasploit
• SAM backup files (local machines)
• SAM files (stolen by booting a Linux live CD)

How do they crack them
• Easy to use, Windows GUI, great introduction to cracking - Cain & Abel
• Powerful command-line tools written for speed - John the Ripper / hashcat
• GPU specials - oclHashcat-plus, latest community version of JtR, Cryptohaze
• Rainbow tables (Ophcrack / freerainbowtables.org / Cryptohaze)
• Internet databases (tmto.org / md5decrypter.co.uk)
• Crowd sourcing (forum posts at insidepro.com)
• Don't limit research to just the "Internet": the darknet (Tor hidden services)

What is our exposure?
• Enterprise Administrator user accounts
• Domain Administrator user accounts
• Domain Administrator service accounts
• Backup tapes / backup files
• Virtual machine snapshots
• Local administrator accounts on machines visited by domain administrators

Before conducting a PW audit
• Establish and test the process for service account password reset
• Establish and test the process for special account password reset
• Set ground rules for the auditor
• Monitor the process
• Destroy the hashes afterwards

PW audit groundwork
• Number of AD objects that require a login
• Number of machine accounts
• Number of disabled accounts
• Password age data converted into days
• Password change exceptions
• Number of accounts with an expiry date set
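As an added example (not part of the slide deck), here is the groundwork above computed from an export of the raw AD attributes. It assumes a CSV with `sAMAccountName`, `userAccountControl` (integer flags), `pwdLastSet` and `accountExpires` (FILETIME integers, 100-ns intervals since 1601-01-01 UTC), which is what csvde or Get-ADUser piped to Export-Csv produces; the rows, account names and audit date are constructed. Machine accounts are identified by the trailing `$`, disabled accounts by UAC bit 0x2, "password never expires" (the usual password change exception) by UAC bit 0x10000, and a `pwdLastSet` of 0 means the user must change the password at next logon, so it has no age.

```python
"""Password-audit groundwork from a raw-attribute AD export (added example, constructed data)."""
import csv
import io
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002            # userAccountControl: account disabled
UAC_DONT_EXPIRE_PASSWORD = 0x10000     # userAccountControl: password never expires
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AUDIT_DATE = datetime(2013, 10, 1, tzinfo=timezone.utc)  # assumed audit date


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-ns intervals since 1601-01-01 UTC (pwdLastSet, accountExpires)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def summarise(export_csv: str, now: datetime) -> dict:
    """Produce the groundwork counts from a CSV of raw attribute values."""
    s = {"objects": 0, "machine_accounts": 0, "disabled": 0,
         "password_never_expires": 0, "must_change_at_logon": 0,
         "expiry_date_set": 0, "password_age_days": {}}
    for r in csv.DictReader(io.StringIO(export_csv)):
        name = r["sAMAccountName"]
        uac = int(r["userAccountControl"])
        s["objects"] += 1
        if name.endswith("$"):                    # computer accounts carry a trailing '$'
            s["machine_accounts"] += 1
        if uac & UAC_ACCOUNTDISABLE:
            s["disabled"] += 1
        if uac & UAC_DONT_EXPIRE_PASSWORD:        # the common "password change exception"
            s["password_never_expires"] += 1
        if int(r["accountExpires"]) not in NEVER_EXPIRES:
            s["expiry_date_set"] += 1
        pwd_last_set = int(r["pwdLastSet"])
        if pwd_last_set == 0:                     # must change password at next logon
            s["must_change_at_logon"] += 1
        else:
            s["password_age_days"][name] = (now - filetime_to_datetime(pwd_last_set)).days
    return s


def stale_passwords(summary: dict, max_age_days: int) -> list:
    """Accounts whose password is older than policy allows, oldest first."""
    ages = summary["password_age_days"]
    return sorted((n for n, a in ages.items() if a > max_age_days), key=lambda n: -ages[n])


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed export. 512 = normal account, 514 = disabled, 66048 = never expires,
# 4096 = workstation trust account, 532480 = server trust account + trusted for delegation.
SAMPLE_EXPORT = f"""sAMAccountName,userAccountControl,pwdLastSet,accountExpires
Administrator,512,{_ft(2011, 1, 1)},9223372036854775807
jsmith,512,{_ft(2013, 9, 1)},0
svc_backup,66048,{_ft(2009, 6, 15)},0
olduser,514,{_ft(2012, 3, 1)},0
contractor1,512,{_ft(2013, 9, 20)},{_ft(2013, 12, 31)}
newstarter,512,0,0
WS-HELPDESK07$,4096,{_ft(2013, 9, 25)},0
DC01$,532480,{_ft(2013, 9, 10)},0
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_EXPORT, AUDIT_DATE)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("older than 90 days:", stale_passwords(summary, 90))
```

Running it on a real export gives the auditor the denominator for the cracking results (how many of the objects that can log in were actually cracked) and a list of accounts whose password age already breaks policy before a single hash is reversed. The service account with "password never expires" and a four-year-old password is the kind of item that the reset process on the previous slide has to be ready for.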

Time is precious - thank you for yours
