Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?

Upload: beyondtrust

Posted on 08-Feb-2017

Category: Software

TRANSCRIPT

Page 1

Eyes Wide Shut: What Do Your Passwords Do When No One is Watching

Paula Januszkiewicz
CQURE: Director of Consulting, Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security
www.cqureacademy.com
@CQUREAcademy

CONSULTING

Page 2 (no text)

Page 3

Hacking Live Workshop 2017

Pages 4-6 (no text)

Page 7

Application Pools

Used to group one or more web applications

Purpose: assign resources and serve as a security sandbox

Use worker processes (w3wp.exe)

Their identity is defined in the Application Pool settings

Process requests to the applications

Passwords for the AppPool identity can be "decrypted", even offline

They are stored in encrypted form in applicationHost.config

Conclusion: IIS rests its security on the machine keys (accessible as Local System)
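The check a practitioner wants at this point is an offline inventory of which pools run as a named account and what, if anything, protects their passwords. The block below is an added example, not code from the presentation or from IIS: it parses a constructed applicationHost.config fragment (the real file is %windir%\System32\inetsrv\config\applicationHost.config) and reports every pool whose identityType is SpecificUser together with the encryption provider found in its password attribute. The pool names, account names and the encrypted blob are invented.

```python
r"""Audit IIS application pools for named identities and how their passwords are stored.

Added example, not from the presentation or from IIS.  SAMPLE_CONFIG is a
constructed fragment shaped like the applicationPools section of
%windir%\System32\inetsrv\config\applicationHost.config; pool names,
accounts and the encrypted blob are invented.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v4.0" />
      <add name="PayrollPool">
        <processModel identityType="SpecificUser" userName="CORP\\svc_payroll"
                      password="[enc:IISWASOnlyAesProvider:Zm9yLWRlbW9uc3RyYXRpb24tb25seQ==:enc]" />
      </add>
      <add name="LegacyPool">
        <processModel identityType="SpecificUser" userName=".\\legacyadmin" password="Winter2016!" />
      </add>
      <add name="IntranetPool">
        <processModel identityType="NetworkService" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# IIS writes encrypted attributes as [enc:<provider>:<base64 blob>:enc].
ENC_RE = re.compile(r"^\[enc:(?P<provider>[^:]+):(?P<blob>[^:]*):enc\]$")


def audit_app_pools(config_xml: str) -> list:
    """Return one finding per pool that runs as a specific user account."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"))
    default_identity = "ApplicationPoolIdentity"
    defaults = pools.find("applicationPoolDefaults/processModel")
    if defaults is not None:
        default_identity = defaults.get("identityType", default_identity)
    findings = []
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = pm.get("identityType", default_identity) if pm is not None else default_identity
        if identity != "SpecificUser":
            continue  # built-in or virtual identity: no stored password
        password = pm.get("password", "")
        m = ENC_RE.match(password)
        findings.append({
            "pool": pool.get("name"),
            "user": pm.get("userName"),
            "provider": m.group("provider") if m else None,   # None: nothing protects the value
            "plaintext": m is None and password != "",        # literal password in the config
        })
    return findings


if __name__ == "__main__":
    for f in audit_app_pools(SAMPLE_CONFIG):
        if f["provider"]:
            status = f"encrypted with {f['provider']}"
        else:
            status = "PLAINTEXT" if f["plaintext"] else "no password set"
        print(f"{f['pool']}: runs as {f['user']} ({status})")
```

On the server itself an elevated `appcmd list apppool /text:*` prints the same passwords decrypted: the session key of IISWASOnlyAesProvider is protected by the iisWasKey RSA container in the machine key store, which WAS (Local System) and local administrators can open. That dependency is what the conclusion above calls the machine keys, and it is why a copy of applicationHost.config together with the machine key material is enough to recover the passwords offline.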

Page 8

Demo: Application Pools

Page 9

Demo: IISWasKey

Page 10

Class names for keys from HKLM\SYSTEM\CCS\Control\Lsa (CurrentControlSet; the class names of the JD, Skew1, GBG and Data subkeys make up the boot key)

HKLM\SECURITY\Cache

HKLM\SECURITY\Policy\Secrets

Page 11

Services

Store their configuration in the registry

Always need some identity to run the executable!

Local Security Authority (LSA) Secrets

Must be stored locally, especially when domain credentials are used

Can be accessed when we impersonate Local System

Their accounts should be monitored

If you cannot use gMSA or MSA, use a (monitoring) subscription for svc_ accounts (naming convention)

Conclusion: think twice before using an administrative account; use gMSA
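A concrete way to act on "their accounts should be monitored" is to inventory service logon accounts and keep only those that actually leave a reusable password in LSA Secrets. The block below is an added example, not the presentation's own material: it works on constructed (Name, StartName) rows shaped like a Win32_Service export (every service and account name is invented) and classifies each account as built-in, virtual, managed (MSA/gMSA), following the svc_ naming convention, or unmanaged.

```python
"""Inventory Windows service logon accounts and flag the ones worth watching.

Added example, not from the presentation.  SAMPLE_SERVICES is constructed to
look like Name/StartName pairs exported from Win32_Service; every service and
account name in it is invented.
"""

# Accounts that keep no reusable password in LSA Secrets.
BUILTIN = {
    "localsystem",
    "nt authority\\system",
    "nt authority\\localservice",
    "nt authority\\networkservice",
}

SAMPLE_SERVICES = [
    ("Spooler",        "LocalSystem"),
    ("W32Time",        "NT AUTHORITY\\LocalService"),
    ("MSSQLSERVER",    "NT SERVICE\\MSSQLSERVER"),
    ("BackupAgent",    "CORP\\svc_backup"),
    ("SQLAgent$PROD",  "CORP\\sqlagent-gmsa$"),
    ("LegacySync",     "CORP\\jsmith"),
    ("OldMonitor",     ".\\Administrator"),
    ("CloudSync",      "svc_cloud@corp.example"),
]

# Classifications that mean a password is stored locally for this account.
REPORTABLE = ("admin", "svc_convention", "unmanaged_user")


def account_name(start_name: str) -> str:
    """Strip DOMAIN\\ or @domain so only the account part remains."""
    return start_name.split("\\")[-1].split("@")[0]


def classify(start_name) -> str:
    n = (start_name or "LocalSystem").strip()   # an empty StartName means LocalSystem
    low = n.lower()
    if low in BUILTIN:
        return "builtin"
    if low.startswith("nt service\\"):
        return "virtual"          # per-service virtual account, nothing to store
    if low.endswith("$"):
        return "managed"          # MSA / gMSA: password rotated by AD
    user = account_name(n).lower()
    if user == "administrator":
        return "admin"            # only catches the well-known name, not group membership
    if user.startswith("svc_"):
        return "svc_convention"   # named per convention: known, but still a stored secret
    return "unmanaged_user"       # personal or ad-hoc account running a service


def audit_services(rows):
    """Return (service, account, classification) for accounts with a locally stored password."""
    return [(name, acct, classify(acct)) for name, acct in rows if classify(acct) in REPORTABLE]


if __name__ == "__main__":
    for name, acct, kind in audit_services(SAMPLE_SERVICES):
        print(f"{kind:15} {name:15} {acct}")
```

Real input comes from `Get-CimInstance Win32_Service | Select-Object Name, StartName | Export-Csv services.csv` on each host; the rows this reports are exactly the accounts whose passwords a Local System impersonation on that host can read back from HKLM\SECURITY\Policy\Secrets, so they are the ones to alert on and, where possible, to migrate to gMSA.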

Page 12

Demo: Services

Page 13

The above means: to read the clear-text password, you need to struggle!

Page 14

Demo: SAM/NTDS.dit

Page 15

Are "cached credentials" safe?

Page 16

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

Microsoft's implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)

Here DCC1 is the XP/2003 cached credential (MD4 over the NT hash concatenated with the lower-cased username) and the salt is that same lower-cased username, both encoded as UTF-16LE.

Page 17

Compared with the attacks that pass-the-hash makes possible, the one thing to rejoice about is the "salting" by username.

There are a number of pre-computed tables for common user names such as Administrator that facilitate attacks on these hashes.

Page 18

There is actually not much of a difference from XP / 2003!

No additional salting.

PBKDF2 introduced one new variable: the number of HMAC-SHA1 iterations, with the same salt as before (the username).

Page 19

The number of iterations in PBKDF2 is configurable through the registry:

HKEY_LOCAL_MACHINE\SECURITY\Cache
DWORD (32) NL$IterationCount

If the number is less than 10240, it is a multiplier of 1024 (20 therefore gives 20480 iterations).

If the number is greater than 10240, it is the number of iterations (rounded to a multiple of 1024).

Page 20

Demo: Cached Credentials

Page 21

DPAPI

Based on the following components: password, data blob, entropy

Is not prone to password resets!

Protects against outsiders who have offline access

Effectively protects users' data

Stores the password history: you need to be able to access some of your passwords from the past

Conclusion: the OS greatly helps us to protect secrets

Page 22

Demo: Classic DPAPI

Page 23

Demo: DPAPI Taken Further

Page 24

Demo: RDG Passwords

Page 25

Location                                                   Plaintext passwords        NT hash           LM hash     TGT   Windows logon cached
                                                           (reversibly encrypted)                                         password verifiers
---------------------------------------------------------  -------------------------  ----------------  ----------  ----  --------------------
Security Accounts Manager (SAM) database                   -                          Yes               Maybe¹      -     -
Local Security Authority Subsystem (LSASS) process memory  Yes                        Yes               Yes         Yes   -
Active Directory database                                  -                          Yes               Maybe¹      -     -
The Credential Manager (CredMan) store                     Maybe²                     -                 -           -     -
LSA Secrets in the registry                                Service accounts,          Computer account  -           -     -
                                                           scheduled tasks, etc.
HKLM\Security                                              -                          -                 -           -     Yes
Windows 10 with VSM enabled                                -                          Yes / No³         Yes / No³   No⁴   -

1.

2.

3.

Page 26 (no text)

Page 27

DPAPI-NG

Pages 28-30 (no text)

Page 31

PowerBroker Password Safe v6.2

Martin Cannard – Product Manager

Page 32

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys

► Control how people, services, applications and scripts access managed credentials

► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

► Alert in real time as passwords and keys are released and session activity is started

► Monitor session activity in real time, and immediately lock/terminate suspicious activity

► Block & alert when SSH commands are entered during privileged sessions

[Diagram: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management]

Page 33

Privileged Session Management

[Diagram: the user authenticates to Password Safe over HTTPS and requests a session to a protected resource; the native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the RDP/SSH session through the Password Safe appliance to the requested resource]

Page 34

Differentiator: Adaptive Workflow Control

Page 35

Adaptive Workflow Control

• Day

• Date

• Time

• Who

• What

• Where

Page 36

Differentiator: Included API Cache (no extra cost)

Page 37

API for Passwords / Sessions / Onboarding

[Diagram: the Password Safe appliance API serves SessionRelease, PasswordRelease and Host/Account Provisioning calls over the local area connection; an API Cache on each host answers PasswordRelease calls over a localhost connection]

Page 38

Differentiator: Controlling Application Access

Page 39

Automatic Login to ESXi example

[Diagram: Browser (HTTPS) → RDP Client → vSphere RemoteApp → ESX; labels: RDP (3389), RDP (4489), CredentialCheckout, Credential Management, UserStore, Session Recording / Logging; caption: user selects vSphere application and credentials]

Page 40

Automatic Login to Unix/Linux Applications

Typical Use Cases

• Jump host in DMZ

• Menu-driven Apps

• Backup Scripts

• Role-based Apps

[Diagram: Browser (HTTPS) → RDP Client → SSH Application → SSH (22) → target; labels: CredentialCheckout, Session Recording / Logging; caption: user selects SSH application and credentials]

Page 41

Differentiator: Reporting & Analytics

Page 42

Actionable Reporting

Page 43

Advanced Threat Analytics

Page 44

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request

• Full network scanning capabilities with built-in auto-onboard capabilities

• Integrated data warehouse and analytics capability

• Smart Rules for building permission sets dynamically according to data pulled back from scans

• Session management / live monitoring at NO ADDITIONAL COST

• Clean, uncluttered, and intuitive HTML5 interface for end users

Page 45

Market Validation

• Leader: Forrester PIM Wave, Q3 2016

− Top-ranked Current Offering (product) among all 10 vendors reviewed

− "BeyondTrust excels with its privileged session management capabilities."

− "BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities."

• Leadership

− Gartner: "BeyondTrust is a representative vendor for all five key PAM solution categories."

− OVUM: "BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage."

− SC Magazine: "Recommended product."

− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester

Page 46

DEMO

Page 47

Poll

Page 48

Q&A

Thank you for attending!