![Page 1: Microsoft Ignite session: Understand credential security: important things you need to know about storing Your Identity](https://reader030.vdocuments.site/reader030/viewer/2022020718/586e73181a28ab99598b5357/html5/thumbnails/1.jpg)
Understand Credential Security: Important Things You Need to Know About Storing Your Identity
Paula Januszkiewicz, CQURE: CEO, Penetration Tester / Security Expert; CQURE Academy: Trainer; MVP: Enterprise Security, MCT
Contact: [email protected] | http://cqure.us | http://cqureacademy.com
@paulacqure @CQUREAcademy
Definition of credentials
A set of data that allows another party to believe me when I tell them who I am.
Where Windows keeps credential material (slide diagram, rendered as a list)
Bootkey: class names of the keys JD, Skew1, GBG and Data under HKLM\SYSTEM\CCS\Control\Lsa
SAM / NTDS.dit (MD4 hashes): C:\windows\system32\config, C:\windows\system32\NTDS
MSDCC2 (cached logon data): HKLM\SECURITY\Cache
LSA Secrets (service accounts): HKLM\SECURITY\Policy\Secrets
$MACHINE.ACC (the computer account's clear-text password, i.e. what SYSTEM authenticates with): HKLM\SECURITY\Policy\Secrets
DPAPI_SYSTEM (master keys): HKLM\SECURITY\Policy\Secrets
More information: http://cqureacademy.com/blog
Are ‘cached credentials’ safe?
Encrypted Cached Credentials
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
Microsoft's implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)
Cached Logons: It used to be like this… (Windows 2003 / XP)
The encryption algorithm is RC4. The hash used to verify authentication is calculated as follows:
DCC1 = MD4(MD4(Unicode(password)) . LowerUnicode(username)), i.e. DCC1 = MD4(hashNTLM . LowerUnicode(username)), where Unicode means UTF-16LE.
Usage in the attack: unlike the NT hash itself, a cached-credential hash cannot be replayed in a pass-the-hash attack, so the only thing to be glad about here is the "salting" by the username.
Because that salt is just the user name, precomputed tables exist for common accounts such as Administrator, which makes attacks on these hashes easier.
Cached Logons: Now it is like this! (Windows Vista / 2008 +)
The encryption algorithm is AES-128. The hash used to verify authentication is calculated as follows:
MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, LowerUnicode(username), Iterations, 16), with DCC1 calculated in the same way as for 2003 / XP.
There is actually not much of a difference from XP / 2003! No additional salting: PBKDF2 introduced one new variable, the number of HMAC-SHA1 iterations, with the same salt as before (the username).
Usage in the attack: as before, the hash can only be cracked, not passed; the difference is that every guess now costs the full PBKDF2 iteration count.
Cached Logons: Iterations
The number of PBKDF2 iterations is configurable through the registry:
HKEY_LOCAL_MACHINE\SECURITY\Cache, DWORD (32-bit) NL$IterationCount (default: 10240)
If the value is less than 10240, it is a multiplier of 1024 (20 therefore gives 20480 iterations).
If the value is greater than 10240, it is the number of iterations itself (rounded to a multiple of 1024).
Demo: Cached Credentials + getting access to a user's secrets
Classic Data Protection API
Based on the following components: password, data blob, entropy.
Is not broken by the user's own password changes! Protects from outsiders who only have offline access. Effectively protects the user's data.
Stores the password history (CREDHIST): you need to be able to get access to some of your passwords from the past, because older master keys are still protected with them. An administrative password reset does not go through that history, which is why it cuts a local account off from its DPAPI-protected data (domain accounts can fall back to the domain backup key).
Conclusion: the OS greatly helps us to protect secrets.
Demo: Classic DPAPI + getting access to a user's secrets in the domain
Demo: DPAPI Taken Further + KeePass
Demo: RDG Passwords. When centralization should be done with a bit more awareness.
IIS Structure (slide diagram, rendered as text)
Kernel mode: HTTP.SYS
User mode: applicationHost.config, WWW Publishing Service (W3SVC), Windows (Process) Activation Service (WAS), w3wp.exe
1. WAS reads the configuration (applicationHost.config).
2. WAS starts the worker process (w3wp.exe) with some identity.
A lot of things are going on here, but not that important for us now.
Application Pools
Used to group one or more web applications. Purpose: assign resources, serve as a security sandbox.
Use worker processes (w3wp.exe); their identity is defined in the application pool settings; they process requests to the applications.
Passwords for the AppPool identity can be 'decrypted' even offline: they are stored in encrypted form in applicationHost.config, and the key that protects them lives on the same machine.
Conclusion: IIS rests its security on machine keys (readable by Local System).
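The practical check that follows from this slide is to find out which pools run as a named account at all, since those are the entries whose password sits in applicationHost.config (on a real server: %SystemRoot%\System32\inetsrv\config\applicationHost.config). The following is an added example written for this page, not IIS code or code from the session: it parses the applicationPools section and reports each pool's effective identity, flagging SpecificUser pools and whether their password attribute carries the encrypted `[enc:...:enc]` wrapper. The configuration fragment is constructed; the pool names, the user name and the base64 payload are placeholders, and the applicationPoolDefaults value is assumed to be ApplicationPoolIdentity when the file does not say otherwise. Decrypting the value needs the machine-local key and is not part of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <applicationPools> section of applicationHost.config.
# Names, account and the [enc:...] payload are placeholders, not real values.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="PayrollPool">
        <processModel identityType="SpecificUser" userName="CORP\\svc_payroll"
                      password="[enc:IISWASOnlyAesProvider:AAAAexamplePayload==:enc]" />
      </add>
      <add name="IntranetPool">
        <processModel identityType="NetworkService" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

ENC_PREFIX, ENC_SUFFIX = "[enc:", ":enc]"


def audit_app_pools(config_xml):
    """Return one dict per <add> pool with its effective identityType, the account
    for SpecificUser pools, and whether the stored password is wrapped as encrypted."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"))
    defaults = pools.find("applicationPoolDefaults/processModel")
    # IIS default when nothing is configured (assumption for files without the defaults element).
    default_identity = "ApplicationPoolIdentity"
    if defaults is not None:
        default_identity = defaults.get("identityType", default_identity)

    findings = []
    for pool in pools.findall("add"):
        model = pool.find("processModel")
        identity = default_identity if model is None else model.get("identityType", default_identity)
        entry = {
            "pool": pool.get("name"),
            "identityType": identity,
            "userName": None,
            "password_present": False,
            "password_encrypted": None,
        }
        if identity == "SpecificUser" and model is not None:
            password = model.get("password", "")
            entry["userName"] = model.get("userName")
            entry["password_present"] = password != ""
            # A clear-text password here would mean someone bypassed the IIS encryption provider.
            entry["password_encrypted"] = password.startswith(ENC_PREFIX) and password.endswith(ENC_SUFFIX)
        findings.append(entry)
    return findings


def specific_user_pools(config_xml):
    """Only the pools whose credentials live in the config file."""
    return [f for f in audit_app_pools(config_xml) if f["identityType"] == "SpecificUser"]


if __name__ == "__main__":
    for finding in audit_app_pools(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of the real file taken from a server you administer; every SpecificUser pool it lists is an account whose password is recoverable by anyone who obtains the file together with the machine's IIS key, which is the point of the next demo.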
Demo: Application Pools. Getting the password from the IIS configuration.
IISWasKey + extracting the data from the registry
Services
Store their configuration in the registry. Always need some identity to run the executable!
Local Security Authority (LSA) Secrets: must be stored locally, especially when domain credentials are used. Can be accessed when we impersonate Local System.
Their accounts should be monitored. If you cannot use gMSA or MSA, use an (event) subscription to monitor svc_ accounts (naming convention).
Conclusion: think twice before using an administrative account; use gMSA.
Demo: Services. Getting the password from LSA Secrets.
Chasing the obvious: NTDS.DIT, SAM
SAM and ntds.dit are stored locally on the server's drive. They do not contain passwords: they store MD4 hashes of them (the NT hash), and those hashes are themselves encrypted.
The above means: to read the clear-text password you need to struggle!
To perform an analysis of NTDS.DIT the following information sources are needed from the domain controller:
NTDS.DIT and the registry hives (at least the SYSTEM hive, which yields the boot key).
Demo: SAM / NTDS.dit. Hash spree, offline.
Two AMAZING discoveries!
Kerberos Pre-Authentication: smart card logon is possible without a smart card.
DPAPI-NG, SID-protected PFX files: private keys can be extracted from the PFX files without having a password.
Kerberos Pre-Auth: Securing Yourself for a Rainy Day
DPAPI-NG: SID-Protected PFX Files… Unprotected
Credential Security Takeaways
Offline access: cryptography that relies on keys stored in the registry is as safe as your offline access.
Domain Admins: we all know that they should log on to the Domain Controllers only. Who are they? Can we trust them?
Mechanisms are safe… when extracted, in practice they are as safe as your approach.