fgdump 3.0: a first look - toorcon 2011

Post on 20-Jun-2015


DESCRIPTION

403 Labs consultant Dave Russell presented "fgdump 3.0: A First Look" at the 2011 Toorcon 13 event in San Diego, CA.

TRANSCRIPT

fgdump 3.0: A First Look
October 9, 2011

Dave “fizzgig” Russell
fizzgig[at]foofus[dot]net

Lightning Round – No Time for Chit Chat

• Dave “fizzgig” Russell
• Pete “bokojan” Arzamendi
• Work at 403 Labs, a full-service info-sec shop that is nice enough to support ongoing development of the tool
• Neither of us does as much pen testing these days; forensics keeps us busy
• Look us up for consulting and PCI

Background on fgdump

• Originally written in 2005, shortly after pwdump6 (a product of the Ballmer effect)
  – pwdump3e didn’t like DEP, so I decided to fix it and created pwdump6
  – Got really sick of McAfee locking up boxes
• Largely replaced pwdump6 – but (at least up until now) was a wrapper around it
• Handles pwdump, cachedump and protected storage dumps

Background on fgdump

• When Vista/Server 2008 came out, the game changed
  – Different storage and encryption were used for passwords and cached credentials
  – The pwdump portion continued to work fine…
  – Cachedump was broken
  – Promised to fix it last year at Toorcon
• Has some advantages like multi-threading and easy multiple-target support

Quick Primer on Hashes

• Two sets of stored credentials: regular and cached
• Cached creds exist once you have connected to a domain
• Regular credentials have a weak LM hash and a stronger NTLM hash
  – LM disabled by default on Vista and later
• Cached creds are salted and encrypted much better

A Crash Course in Cred Theft

• pwdump6/fgdump (prior to 3) made use of DLL injection into the LSASS process
  – LSASS has access to encrypted passwords
  – Needed to be SYSTEM, easily handled by creating a service, which defaults to running as SYSTEM
  – Highly susceptible to programming flaws (perish the thought) and AV stupidity
  – If pwdump/fgdump crashes on a target, down goes LSASS, forced reboot 60 seconds later

This is Bad

• Clients hated rebooting DCs
• Stabilized over time, but was always a risk
• Not particularly fast, nor stealthy
• Communication occurred back to the executing client over named pipes
• Constantly needing to change signatures to stay ahead of AV
  – Very interesting to see just how bad signature-based AV sucks though
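The injection method these two slides describe leaves a footprint a defender can look for: a new service, registered to run as SYSTEM, which the Service Control Manager records in the System event log as Event ID 7045. The following PowerShell is an added illustration and is not code from fgdump or from the talk. It pulls recent service-installation events and flags the ones that run as LocalSystem from a binary outside the usual Windows locations. The look-back window and the list of "expected" path prefixes are assumptions to tune for your environment.

```powershell
# Added example (not part of fgdump or the talk): review recent service installations
# logged by the Service Control Manager as System log Event ID 7045, and flag the
# ones that run as LocalSystem from a binary outside the normal Windows locations.
# Assumptions: run from an elevated PowerShell on the host under review; the
# look-back window and the "expected" path prefixes are tuning choices, not standards.
param(
    [int]$Days = 7
)

# Directories where legitimately installed service binaries normally live (assumption, adjust per build).
$ExpectedPrefixes = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -and $_ -ne '\' }

$filter = @{
    LogName   = 'System'
    Id        = 7045
    StartTime = (Get-Date).AddDays(-$Days)
}

$findings = foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Read the named EventData fields from the event XML instead of parsing the message text.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $imagePath = [string]$data['ImagePath']
    # Strip surrounding quotes and any arguments to isolate the executable path itself.
    $exe = $imagePath -replace '^"([^"]+)".*$', '$1'
    if ($exe -eq $imagePath) { $exe = ($imagePath -split ' ')[0] }

    $runsAsSystem    = $data['AccountName'] -eq 'LocalSystem'
    $outsideExpected = -not ($ExpectedPrefixes | Where-Object { $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        ServiceName = $data['ServiceName']
        ImagePath   = $imagePath
        Account     = $data['AccountName']
        StartType   = $data['StartType']
        # SYSTEM service from an unexpected path: worth a closer look, not proof of anything.
        Suspicious  = ($runsAsSystem -and $outsideExpected)
    }
}

$findings | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run it as `.\Find-NewSystemServices.ps1 -Days 30` (the file name is your choice) to widen the window. The `Suspicious` column is a triage hint only; a vendor installer that drops its service binary under a user profile will trip it just as readily, so pair the output with the service's signing status and the account that created it.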

There is a Better Way!

• Mao [at] oxid[dot]it shed some light on pulling things right out of the registry; a Metasploit module also helped
• Both cached and regular creds can be extracted this way
• The process is somewhat complicated – involves getting the machine’s bootkey and NL$KM secret first, then decrypting the entries

Early Success

• fgdump3 was written to take advantage of this – regular creds were no problem!
• Cached creds pre-Vista – no problem!
• Vista changed the encryption method for cached creds, as well as some other subtle bits – problem
• Took a VERY long time to sort out what was going on; someone else beat me to it

But We Made It!

• Finally got cached decryption working!
• Too bad the registry keys we wanted didn’t allow read permission for administrators
  – Bokojan to the rescue!
• Wanted to time the release to coincide with other features

fgdump3 Design Goals

• “No upload” method of pulling large amounts of creds from an enterprise
• Improved speed for large systems
• Bypass AV easier
• Less noisy
• More manageable for multiple-run engagements
• Recognize the growing internal password audit needs

Beta is Finally Out!

• Support for all current OSes (not yet tested on Windows 8) – 32- and 64-bit
• Grabs regular creds and cached creds
• Defaults to registry extraction, can be overridden (no upload needed for this method)
• For DCs, credentials are not stored in the registry; fgdump detects this and reverts to old-style DLL injection for these

More Features

• Resistant to “problems”
  – Registry permissions need to be changed; we track this and spit out the original DACL if we couldn’t change it back
• Ability to put all output into a folder, nice for multiple runs
• Injection method should be MUCH faster (anecdotally, two to 10 times as fast)
• More AV detection support

About Registry Changes

• Bokojan figured out how to make it work
  – Also responsible for updated AV and domain controller detection!
• Sets rights on HKLM\Security such that Administrators have permission to enumerate subkeys and read values
• Automatically reverts the DACLs back to where they belong after we’re done

Not Perfect Yet

• Changing registry permissions is SLOW
  – Reg keys default to SYSTEM-only; we are not running as SYSTEM, only admin
  – Need to force inheritance of permission changes down to all subkeys and values in the tree
• Would like to come up with a cleaner way to manage permission changes, or a “non-uploady” way to run as SYSTEM

Optimizing for Your Use

• For internal audits: consider changing the HKLM\Security registry key to allow read and enumerate-subkey access to Administrator(s)
• For large numbers of systems, it depends on the network link
  – Trial and error – use the “-R” flag to force the old injection method and compare
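The registry change described across the last three slides (loosening the DACL on HKLM\Security so Administrators can enumerate subkeys and read values, then putting it back) is something an auditor can verify from the defensive side. The following PowerShell is an added illustration, not code from fgdump or the talk. It lists the ACEs on HKLM\SECURITY, flags any that grant query or enumerate rights to a principal other than SYSTEM, and then checks whether the current elevated (but non-SYSTEM) process can actually enumerate the key, which with the default DACL it cannot. A flagged ACE or a successful enumeration means the key is still in the loosened state, whether because a tool could not revert it or because an internal-audit policy deliberately left it that way. The expectation that Administrators hold only ReadPermissions and ChangePermissions by default is stated here as an assumption about a stock build.

```powershell
# Added example (not part of fgdump or the talk): audit the DACL on HKLM\SECURITY.
# On a stock build only SYSTEM can query values or enumerate subkeys here; Administrators
# hold ReadPermissions/ChangePermissions (assumption), which is why a tool running as
# admin must rewrite the DACL before it can read the key. This script reports any ACE
# granting query/enumerate rights to someone other than SYSTEM, then tests whether the
# current process can enumerate the key at all.
# Assumption: run from an elevated PowerShell (reading the DACL needs READ_CONTROL).
$KeyPath = 'HKLM:\SECURITY'
$System  = 'NT AUTHORITY\SYSTEM'

# The two rights the talk says fgdump grants to Administrators.
$readRights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
              [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys

$acl = Get-Acl -Path $KeyPath

$report = foreach ($ace in $acl.Access) {
    $grantsRead = ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) -and
                  (($ace.RegistryRights -band $readRights) -ne 0)
    [pscustomobject]@{
        Identity   = $ace.IdentityReference.Value
        Type       = $ace.AccessControlType
        Rights     = $ace.RegistryRights
        Inherited  = $ace.IsInherited
        # Inheritance flags show whether the grant was pushed down to subkeys, as the talk says is required.
        Propagates = $ace.InheritanceFlags
        # Read/enumerate for anyone but SYSTEM is the loosened state the tool creates and is supposed to revert.
        Flag       = ($grantsRead -and ($ace.IdentityReference.Value -ne $System))
    }
}

"DACL on $KeyPath (Flag = query/enumerate granted to a non-SYSTEM principal):"
$report | Format-Table -AutoSize

# Behavioural check: with the default DACL an elevated admin gets "Requested registry access is not allowed".
try {
    $children = @(Get-ChildItem -Path $KeyPath -ErrorAction Stop)
    "Enumeration succeeded ($($children.Count) subkeys visible): DACL is in the loosened state."
} catch {
    "Enumeration failed ($($_.Exception.Message)): DACL appears to be in its default SYSTEM-only state."
}
```

If the talk's "for internal audits" advice has been followed and the key has been opened up on purpose, the flagged Administrators ACE is expected; record that decision and scope it to the audit hosts, since every local administrator on such a box can then read the same material fgdump does.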

Now Available on fgdump.com

• Using a new website – www.fgdump.com
• Best email is still fizzgig[at]foofus[dot]net for right now
• Version is 3.0.0-BETA1
• Expect perhaps one more beta and a release candidate prior to “official” release, as it helps work out kinks so that sensitive environments can feel comfortable about using it

Would Love Real World Feedback

• This is a BETA version! Use with caution
• Pay particular attention to registry permissions
• Speed comparisons would be helpful
• Any unusual behavior
• Broken hashes (pretty unlikely, hopefully)
• Looking for pen test and enterprise info

Thanks!

• Bokojan: all the coding and actually forcing me to finally release a new version
• 403 Labs: time to work on this, a fun weekend in San Diego
• Foofus folks: the original inspiration for the tool!
• Soaring Moe!: some early updates to pwdump6, particularly 64-bit stuff
• Ross Geerlings: performance improvements to pwdump6
• Kevin Mitnick: the mention in Ghost in the Wires
• All the users, especially those who provided feedback
