guest lecture - windows security countermeasure: aslr © 2013 sec consult unternehmensberatung gmbh...

Version: 1.0 Date: 17.01.2018 Author: R. Freingruber Responsible: R. Freingruber Confidentiality Class: Public Guest Lecture - Windows Security


Page 1: Guest Lecture - Windows Security Countermeasure: ASLR © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Windows Security| Responsible: R. Freingruber Version

Version: 1.0

Date: 17.01.2018

Author: R. Freingruber

Responsible: R. Freingruber

Confidentiality Class: Public

Guest Lecture - Windows Security

Page 2:

© 2013 SEC Consult Unternehmensberatung GmbH

All rights reserved

Title: Windows Security| Responsible: R. Freingruber

Version / Date: V1.0 / 01-2018 | Confidentiality Class: Public

© 2018 SEC Consult Unternehmensberatung GmbH

All rights reserved

Lecturer

• René Freingruber ([email protected])
• Twitter: @ReneFreingruber
• Student in Bachelor (Technical University Vienna)
• Lecturer at FH St. Pölten & Johannes Kepler University
  • Reverse Engineering & Exploit Development courses
• Security Consultant at SEC Consult
  • Reverse Engineering / exploit development / fuzzing
• Trainer: Secure C/C++, Reversing, Windows Hardening and Red Teaming
• Social Engineering / Client Hardening / Internal Audits / Web Pentesting
• Previously spoke at:
  • CanSecWest, 31C3, DeepSec, NorthSec, RuxCon, ToorCon, ZeroNights, BSides Vienna, QuBit, Hacktivity, IT-SeCX, DSS ITSEC, OWASP Chapter
• Lightning Talks: Hack.lu, Recon, Hacktivity

Page 3:

SEC Consult

• Founded 2002
• Leading in IT-Security Services and Consulting
• Strong customer base in Europe and Asia
• 70+ Security experts
• 350+ Security audits per year

Locations: Vienna (HQ) | AT, Wiener Neustadt | AT, Vilnius | LT, Berlin | DE, Frankfurt | DE, Zurich | CH, Montreal | CA, Singapore | SG, Moscow | RU

Page 4:

WE ARE HIRING

Source: http://www.globalresearch.ca/wp-content/uploads/2015/06/unclesam-we-want-you.jpg

• SEC Consult is hiring!
• Lots of interesting projects in an international leading security company
• Experienced team with a passion to hack systems ☺
• Contact: [email protected]
• Just talk to me directly after the talk!

Page 5:

Memory Corruptions

Page 6:

Classic buffer overflow

Figure: stack layout before and after the buffer overflow (the stack grows downwards; the high address, e.g. 0xc0000000, is at the top).

Stack before BOF (top to bottom):
• Old values
• Old EIP (RET)
• Arg3: 0x00000006
• Arg2: 0x00000005
• Arg1: 0x00000063
• Old EBP (SFP) <- EBP
• -4(%EBP)
• -8(%EBP)
• buf[4-7]
• buf[0-3] <- ESP

Stack after BOF (write direction: from buf[0] towards the higher addresses):
• Padding (e.g.: 0x414141...) filling the buffer
• Overwritten EBP
• New RET address (a hardcoded address)
• NOP sled (= 0x90909090...)
• Shellcode

Execution path: after the ret instruction, EIP holds the hardcoded address, which points into the NOP sled, so execution slides into the shellcode.

Page 7:

Protections today

• We have to bypass all these mitigation techniques!
• No protection mechanism is 100% bullet proof, all can be bypassed in some special situations
• The most difficult part is to bypass ASLR and DEP together

Page 8:

Countermeasure: ASLR

Figure: the same "stack after BOF" layout as before (Padding e.g. 0x414141..., EBP, New RET address = hardcoded address, NOP sled = 0x90909090..., Shellcode), but with ASLR the high address of the stack is NOT STATIC, so the hardcoded address in the new RET no longer reliably points into the NOP sled.

Page 9:

Countermeasure: ASLR

• Address space layout randomization
• Randomizes:
  • Start address of the stack (local variables, function arguments, ...)
  • Start address of the heap (dynamically allocated variables)
  • Start address of the code segments
  • Address of PEB (process environment block)
  • Address of TEB (thread environment block)
  • Returned addresses of VirtualAlloc (since Windows 8.1)
  • ...
• Security heavily depends on the number of randomized bits
• 64-bit provides much more security than 32-bit!

Page 10:

Countermeasure: ASLR

• There are many ways to bypass ASLR!
  • Use an information leak vulnerability
  • For local 32-bit applications it's possible to brute-force
  • Use not randomized segments (heap, VirtualAlloc() returned memory, ...); mostly fixed these days
  • Partial overwrites (ASLR randomizes the upper bits, just overwrite the lower bits to jump to other code)
  • Use a module which does not support ASLR (that's why you should not have Java 6 installed!)

Page 11:

Countermeasure: ASLR

Page 12:

Example .ANI exploit

• Two vulnerabilities:
  • MS05-002
  • MS07-017
• Can be triggered via Firefox, Internet Explorer, ...
• E.g. code for Internet Explorer:

<html>
<body style="CURSOR: url('127.0.0.1/exploit.ani')"></body>
</html>

Page 13:

Example .ANI exploit

Page 14:

Example .ANI exploit

• "anih size" is typically 0x24, in the exploit above it is 120 (0x78)
• Overwrites the return address with 0x0d0d0d0d
• Use a heap spray to store the shellcode at 0x0d0d0d0d

Page 15:

Attack technique: Heap Spray

• Idea: Allocate many many strings until every possible memory address stores the string ...
• Then 0x0d0d0d0d must also store the string and ASLR is bypassed

Page 16:

Attack technique: Before Heap Spray

Page 17:

Before Heap Spray

Page 18:

After Heap Spray

Page 19:

After Heap Spray

Page 20:

Attack technique: Heap Spray

• Return address was overwritten with 0x0d0d0d0d
• 0x0d0d0d0d must point to a location marked as „good“ to make the exploit work!
• If 0x0d0d0d0d points to „bad“ the application will crash

Figure: memory after the heap spray (the overwritten return slot, labelled -12(%EBP), holds 0x0d0d0d0d). The sprayed heap consists of repeated blocks, each a run of 0x0d0d0d0d values followed by the shellcode (marked „Good“), separated by gaps (marked „Bad“).

Page 21:

Attack technique: Heap Spray

• Return address was overwritten with 0x0d0d0d0d
• Dump of memory after heap spray:

Page 22:

Attack technique: Heap Spray

• Execution starts inside the sprayed block and keeps executing „OR EAX, 0x0d0d0d0d“ (0x0d is the opcode of OR EAX, imm32, so the sled bytes decode to this harmless instruction) until the start of the shellcode is reached:

Figure annotations: NOP sled, break for debugging, start of shellcode.

Page 23:

EMET

• EMET = Microsoft Enhanced Mitigation Experience Toolkit
• Target address gets often reused
  • There are just some possible addresses such as 0x0d0d0d0d
  • Many exploit developers just copy & paste heap spray code (including the target address)
• EMET's HeapSpray protection
  • Just preallocates all these target addresses
  • Exploit code can't spray shellcode to these locations
  • Addresses: 0x0a040a04; 0x0a0a0a0a; 0x0b0b0b0b; 0x0c0c0c0c; 0x0d0d0d0d; 0x0e0e0e0e; 0x04040404; 0x05050505; 0x06060606; 0x07070707; 0x08080808; 0x09090909; 0x20202020; 0x14141414

Page 24:

Countermeasure: DEP

Figure: the same "stack after BOF" layout (high address e.g. 0xc0000000; Padding e.g. 0x414141..., EBP, New RET address = hardcoded address, NOP sled = 0x90909090..., Shellcode), but with DEP the stack is marked NOT EXECUTABLE, so returning into the NOP sled and shellcode faults instead of running.

Page 25:

Countermeasure: DEP

• Data Execution Prevention
• Idea: Data on the stack must not be executable (because it contains data and not code), thus mark it as not executable
• Attacker can't execute his own code because his own code is stored as data and thus not executable
• Bypass techniques:
  • Return2libc
  • ROP (Return Oriented Programming)

Page 26:

Countermeasure: DEP

Page 27:

Bypass DEP

• ROP = Return Oriented Programming
• Idea: Reuse / abuse already existing code
• New code can be built by chaining small, already existing code gadgets together
• Two approaches:
  • Write a ROP chain to disable DEP
  • Write the complete shellcode in ROP

Page 28:

Attack technique: Return Oriented Programming

• Let's look again at the stack after the function returned to the manipulated return address:

Figure: stack layout: Padding (e.g.: 0x0d0d0d...), New RET address 0x0d0d0d0d, NOP sled (= 0x0d0d0d0d...), Shellcode. After the ret, ESP points to the slot right after the consumed return address, i.e. to the start of the NOP sled.

Page 29:

Attack technique: Return Oriented Programming

• Jump to already existing code to bypass ASLR:
• Jump to the middle of the above instruction:
• Important: The corresponding module must be compiled with ASLR off, because otherwise „JMP ESP“ would always be at another address
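The check behind the two "module without ASLR" points (a module that does not support ASLR on the bypass list, and a module compiled with ASLR off above), as an added Python example that is not from the lecture: it reads a module's PE header and reports whether the image opts into ASLR (DYNAMIC_BASE set and relocations not stripped) and DEP (NX_COMPAT). The build_header helper and the sample headers are constructed for the demonstration, not real binaries.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics: relocation info was stripped, so the loader
# cannot move the image even if DYNAMIC_BASE is set (ASLR is impossible).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics opt-in flags
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit: full address space for ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def mitigation_flags(image: bytes) -> dict:
    """Parse the PE headers of an image and report its ASLR / DEP opt-in state."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Effective ASLR needs the opt-in flag AND usable relocations.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_module(image: bytes) -> list:
    """Return human-readable findings for a module; an empty list means it opts in."""
    f = mitigation_flags(image)
    findings = []
    if not f["dynamic_base"]:
        findings.append("no ASLR: DYNAMIC_BASE not set, module loads at a fixed address")
    elif f["relocs_stripped"]:
        findings.append("no ASLR: DYNAMIC_BASE set but relocations stripped")
    if f["pe32plus"] and f["aslr"] and not f["high_entropy_va"]:
        findings.append("64-bit image without HIGH_ENTROPY_VA: fewer randomized bits")
    if not f["nx_compat"]:
        findings.append("no DEP opt-in: NX_COMPAT not set")
    return findings


def build_header(magic: int, characteristics: int, dllchar: int) -> bytes:
    """Constructed minimal PE header (not a loadable image) for demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 if magic == PE32_MAGIC else 112
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A module built with /DYNAMICBASE /NXCOMPAT versus one that opted out of both.
    hardened = build_header(PE32_MAGIC, 0x0102, 0x0140)
    legacy = build_header(PE32_MAGIC, 0x0103, 0x0000)
    print("hardened:", audit_module(hardened) or "ok")
    print("legacy:  ", audit_module(legacy))
```

To audit a real module, pass the bytes of the DLL or EXE file to audit_module; every module loaded into the process has to pass for the process to be protected, which is the point of the Java 6 remark.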

Page 30:

Attack technique: Return Oriented Programming

Figure: stack layout: Padding (e.g.: 0x414141...), New RET address 0x7cb3c1f6, Shellcode (ESP points to the shellcode after the ret).

• The new attack:
  • Another method to bypass ASLR!
  • But: With DEP enabled it's still not possible to execute the shellcode....

Page 31:

Attack technique: Return Oriented Programming

• ROP extends this technique to build the complete shellcode with existing code (so called gadgets!)

Figure: stack layout after the overflow: Padding (e.g.: 0x414141...), RET: Gadget 1, EAX: 0x41414141, Gadget 2, ESI: 0x42424242, EBP: 0x43434343, Gadget 3. ESP advances down the chain: each gadget pops its values (into EAX, ESI, EBP) and its final ret pops the address of the next gadget.

Page 32:

Attack technique: ROP

• Typically the ROP chain calls a method to disable DEP
• Then the real shellcode can be executed
• Examples of functions which can be called:
  • VirtualAlloc
  • VirtualProtect
  • SetProcessDEPPolicy
  • NtSetInformationProcess
  • HeapCreate
  • LoadLibrary (e.g. library from attacker via UNC path)

Page 33:

VirtualProtect() to disable DEP

Source: http://opensecuritytraining.info/

Page 34:

EMET

• End of life: July 31, 2018
• Every time a „critical function“ (e.g. VirtualProtectEx) gets called it applies extra checks (but EMET contains many other protections as well)
• Examples:
  • Caller / SimExecFlow
    • Check if the function was called and not returned into (e.g. check the instruction in front of the return address)
  • MemProt
    • Prevent functions (e.g. VirtualProtectEx) from making the stack executable
  • StackProt
    • Check if the stack pointer (ESP) points to the stack (or if it was shifted away)
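The Caller and StackProt checks above, as an added Python simulation that is neither EMET's code nor from the lecture: given a snapshot of a thread entering a critical function, it tests whether a CALL instruction ends exactly at the return address and whether ESP still lies within the thread's stack bounds. The CriticalCall snapshot, the code bytes and the stack bounds are constructed; the real product hooks the function and reads these values (return address, ESP, TEB.StackLimit/StackBase) from the live process.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CriticalCall:
    """Constructed snapshot of a thread at entry to a 'critical function'."""
    esp: int                # stack pointer at function entry
    return_address: int     # [esp]: where the function will return to
    stack_limit: int        # TEB.StackLimit: lowest committed stack address
    stack_base: int         # TEB.StackBase: one past the highest stack address
    code: Dict[int, bytes]  # base address -> mapped code bytes (constructed)


def read_code(snap: CriticalCall, addr: int, n: int) -> Optional[bytes]:
    """Return n bytes at addr if they lie inside a mapped code region, else None."""
    for base, blob in snap.code.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    return None


def preceded_by_call(snap: CriticalCall) -> bool:
    """Caller check: does a CALL instruction end exactly at the return address?"""
    ret = snap.return_address
    five = read_code(snap, ret - 5, 5)
    if five is not None and five[0] == 0xE8:           # E8 rel32: call <target>
        return True
    six = read_code(snap, ret - 6, 6)
    if six is not None and six[:2] == b"\xff\x15":     # FF 15 disp32: call [addr], e.g. an IAT slot
        return True
    two = read_code(snap, ret - 2, 2)
    if two is not None and two[0] == 0xFF:             # FF /2: call reg or call [reg]
        modrm = two[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg == 2 and (mod == 3 or (mod == 0 and rm not in (4, 5))):
            return True
    return False  # no CALL ends here: the function was returned into, not called


def esp_on_stack(snap: CriticalCall) -> bool:
    """StackProt check: is ESP still inside the thread's own stack?"""
    return snap.stack_limit <= snap.esp < snap.stack_base


def check_critical_call(snap: CriticalCall) -> List[str]:
    """Run both checks; an empty list means the call looks legitimate."""
    violations = []
    if not preceded_by_call(snap):
        violations.append("Caller: return address is not preceded by a CALL (returned into?)")
    if not esp_on_stack(snap):
        violations.append("StackProt: ESP points outside the thread stack (pivoted?)")
    return violations


# Constructed code region at 0x401000: push ebp; mov ebp,esp; call [0x402010]; pop ebp; ret
CODE = {0x401000: bytes.fromhex("558becff15102040005dc3")}
STACK_LIMIT, STACK_BASE = 0x0012E000, 0x00130000

# Legitimate call: returns to 0x401009, right after the 6-byte call instruction.
LEGIT = CriticalCall(esp=0x0012FF40, return_address=0x401009,
                     stack_limit=STACK_LIMIT, stack_base=STACK_BASE, code=CODE)
# ROP-style call: "returns" to the lone ret at 0x40100A with ESP pivoted into sprayed memory.
SUSPECT = CriticalCall(esp=0x0D0D0D0D, return_address=0x40100A,
                       stack_limit=STACK_LIMIT, stack_base=STACK_BASE, code=CODE)

if __name__ == "__main__":
    print("legit:  ", check_critical_call(LEGIT) or "ok")
    print("suspect:", check_critical_call(SUSPECT))
```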

Page 35:

Windows 10 Exploit Protection

• Windows 10 implements the functionality of EMET by default!

Page 36:

Windows 10 Exploit Protection

Page 37:

Windows 10 Exploit Protection

Page 38:

Windows 10 Exploit Protection

Page 39:

Mitigations on a modern Windows system (incomplete list!)

• ASLR – Address Space Layout Randomization (kASLR in kernel)
• DEP – Data Execution Prevention
• Stack Cookies, Variable Reordering (/GS)
• Heap Protections
  • safe unlinking, heap cookies, header encoding, isolated heap, delayed free, MemGC, memprot, ...
• Virtual Table Guard (VTGuard)
• Control Flow Guard (CFG) / Return Flow Guard (RFG)
• Exception Handling
  • SafeSEH, SEHOP, software DEP, XOR register values
• Sandboxes (Mandatory Integrity Level)
• EMET / Windows 10 Exploit Protection
  • EAF, EAF+, Caller, SimExecFlow, LoadLib, Memprot, HeapSpray, NullPage, ...
• ACG (Arbitrary Code Guard) / CIG (Code Integrity Guard)
• SMEP / SMAP (Don't access user space from kernel space)
• Patchguard / Kernel-Mode Code Signing

Page 40:


Microsoft vulnerability classes distribution

Source: Exploitation Trends: From Potential Risk to Actual Risk

Page 41:


Microsoft vulnerability classes distribution

Source: Windows 10 Mitigation Improvements, Microsoft

Page 42:

Microsoft vulnerability classes distribution

Source: Windows 10 Mitigation Improvements, Microsoft

More vulnerabilities are found, but fewer exploits are developed (mitigation techniques make exploit development really hard!)

Page 43:

User Account Control (UAC)

Page 44:

UAC – User Account Control

• Introduced with Microsoft Windows Vista
• What does UAC do?
  • Creates two access tokens for the user
    • Standard user access token
    • Full Administrator access token
  • Credential Prompt
  • Consent Prompt

Page 45:

UAC – User Account Control

• Several possibilities exist to bypass UAC
• Public ones only work if UAC is used in default settings

Page 46:

UAC – User Account Control

• Example: start cmd as a normal user, command: whoami /all

Page 47:

UAC – User Account Control

• Example: start cmd as a normal user, command: whoami /all

Page 48:

UAC – User Account Control

• Now the same, but we start cmd.exe via right-click, "Run as administrator":

Page 49:

UAC – User Account Control

• Now the same, but we start cmd.exe via right-click, "Run as administrator":

Page 50:

50

Sandboxes

• This is also how sandboxes work:

• The “untrusted” Chrome process cannot access e.g. the file system

• Even if we find a vulnerability in the DOM parser / JS implementation / … we are still inside an untrusted process!

• A sandbox escape (another vulnerability) is required to get out!

Page 51

Abusing privileges

• Some privileges can directly be used to escalate to SYSTEM access!

• SeImpersonatePrivilege

• SeAssignPrimaryTokenPrivilege

• SeTcbPrivilege

• SeBackupPrivilege

• SeRestorePrivilege

• SeCreateTokenPrivilege

• SeLoadDriverPrivilege

• SeTakeOwnershipPrivilege

• SeDebugPrivilege

• Check the following link for an in-depth explanation

• https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

• Privileges can be used in kernel exploits to avoid the requirement of getting code execution! Flipping a single bit is enough to change privileges of your own process!

Page 52

Abusing privileges

• Many Microsoft services do not run as local SYSTEM, instead they run as “local service”

• Idea: If the service is compromised because of a vulnerability, the attacker does not instantly own SYSTEM privileges

• Problem: Most services have privileges which can easily be abused…

Page 53

Abusing privileges

• Example: WPAD Service has SeImpersonatePrivilege

• Can be exploited with “token stealing” and then impersonating that token with SeImpersonatePrivilege

• Exploit code: https://bugs.chromium.org/p/project-zero/issues/detail?id=1383#c5

• Other example: Steam had SeDebugPrivilege…

Source: https://googleprojectzero.blogspot.co.at/2017/12/apacolypse-now-exploiting-windows-10-in_18.html


Page 55

Back to UAC…

• Situation: Large number of UAC prompts

• Microsoft’s solution: special privileges

• Elevated processes without UAC prompt

• http://withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/

• Processes can create certain elevated COM objects without UAC prompt

• Process can tell the object to perform “admin” actions

• Granted to almost every Microsoft executable (e.g. notepad.exe, calc.exe)

• Elevated COM objects, which can be created without a UAC prompt

Page 56

UAC – User Account Control

Create folders in system32 by using the OpenFile dialog

Page 57

UAC – User Account Control

Root cause:

• Automatic silent elevation

• Signed by Microsoft

• Located in „secure“ directories (e.g. Windows\System32)

Page 58

UAC – User Account Control

Page 59

Different types of UAC bypasses

• There are a lot of “GUI” bypasses which are really simple (you typically don't have a GUI as an attacker, but they still show the general problem here…)

• Try it at home yourself!

• *.msc bypasses, e.g. start “gpedit.msc” (no UAC prompt)

Page 60

Different types of UAC bypasses

Page 61

Different types of UAC bypasses

• Search for “*.*” to get rid of the .txt filter (→ see .exe files)

• Right click on „cmd.exe“

• Start as administrator

• No UAC prompt

Page 62

Different types of UAC bypasses

Page 63

Different types of UAC bypasses

• Taskmanager

• Start task manager (no UAC prompt)

• File → Start process

Page 64

UAC – User Account Control

Diagram (slide): Bypassuac.exe (normal user privileges) injects a DLL into Notepad.exe. Notepad.exe has the privilege to create files in UAC protected folders without prompting for the UAC dialog (via COM objects; only Windows-signed binaries can use these COM objects):

1) OpenProcess() to attach

2) VirtualAllocEx() to create memory

3) WriteProcessMemory() to write DLL

4) CreateRemoteThread() to execute DLL

5) Injected DLL starts running

Page 65

UAC – User Account Control

Diagram (slide, continued): the DLL injected into notepad.exe has the privilege to create files in UAC protected folders without prompting for the UAC dialog.

6) Use the privileges of notepad.exe to write a second malicious DLL into the “secure” directory

Sysprep.exe (autoelevate = true) typically loads its DLL from another secure directory (e.g. System32); now it loads the second malicious DLL instead.

Page 66

Different types of UAC bypasses

1. Inject code into an autoelevated process

• DLL preloading attacks

• Differences in how the DLL is placed in the secure directory

• Leo Davidson „sysprep“

• Inject code into explorer.exe

• Code uses COM objects to store the DLL

• Target examples:

• Sysprep.exe with cryptbase.dll, shcore.dll, dbgcore.dll, ...

• Setupsqm.exe with wdscore.dll

Page 67

Wusa method

• The WUSA (Windows Update Standalone Installer) method was used by Carberp (leaked banking trojan)

• wusa uses auto-elevated COM objects to write files, it could therefore write into system32 without a UAC prompt

• makecab malicious.dll malicious.tmp

• wusa malicious.tmp /extract:C:\Windows\System32\

• Finally fixed in Windows 10…

Page 68

Different types of UAC bypasses

2. Silent redirect execution of an autoelevated process

• Application Compatibility Shim RedirectEXE method

• Shims are used to make old applications compatible with new operating systems

Diagram: Application → Shim → Windows

Page 69

Different types of UAC bypasses

2. Silent redirect execution of an autoelevated process

• Application Compatibility Shim RedirectEXE method

• Shims are used to make old applications compatible with new operating systems

• Examples of Shim rules:

• redirectExe

• EmulateHeap

• DisableNX

• “In Memory Fix”

• EMET also uses Shims to implement protections

• Generate a Shim (.sdb file) with a redirectExe rule (x86 only)

• Redirect execution of an autoelevated process to own executable (sdbinst.exe redirect.sdb)

• Signature file will not be redirected…

Page 70

Different types of UAC bypasses

3. Disable UAC via undocumented functions

• Simda Malware used ISecurityEditor COM object

• Undocumented function to make registry writeable

• Examples

• Change the UAC settings in the registry

• Attacker can add a VerifierDLL for an autoelevated application to inject code

Page 71

Different types of UAC bypasses

4. Trick users to confirm UAC prompt

• E.g. spawn UAC prompts until user accepts it

• Clickjacking (not possible with secure desktop)

• Technically not really interesting for us...

5. Many other techniques, check:

• https://github.com/hfiref0x/UACME

• Currently implements 44 different UAC bypasses…

• “UAC is dead for 2996 days”, message from 3.10.2017

• Good way to learn more about unknown Windows features…

Page 72

UAC – Code-Injection Issue

What can we do against it? → UAC policy settings (but those can also be bypassed… UAC is just broken)


Page 73

Password attacks

Page 74

Password attacks

• Windows does not store your cleartext password on disk

• Stores hashes instead

• However, cleartext password is in memory!

• Different types of hashes

• NT Hashes (new hash for local accounts)

• LM Hashes (old hash for local accounts)

• Domain Cached Credentials (DCC) (domain accounts cached on a workstation, used if the PC is not connected to the domain)

• LSA secrets (e.g. service account passwords)

• Credential Manager store (applications can store passwords here)

• Kerberos shared secrets (on DC)

Page 75

Password attacks

• Lan Manager LM Hash

• Very weak! (disabled per default since Server 2008 / Vista)

• You should not use LM hashes anymore

• How it works

• Convert the input to upper case letters

• Max. length is 14 (shorter inputs are padded with null bytes)

• Split the password into two 7-byte halves

• Use each half as a DES key to encrypt the constant string “KGS!@#$%” (two encryptions in total)

• Concatenate both 8-byte results

• Rainbow tables can crack LM hashes in seconds

• Ophcrack

• NT Hash also crackable, but it‘s harder!
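Both hash types on these slides can be audited offline: the NT hash is MD4 over the UTF-16LE password (unsalted), and a dump shows a fixed constant where no LM hash is stored. The following is an added example, not from the slides: a pure-Python MD4 (so it works without legacy OpenSSL), the NT hash function and an audit of pwdump-style lines for empty passwords, stored LM hashes, trivial passwords and password reuse across accounts; the account names and hashes in the sample dump are constructed.

```python
import struct


# --- MD4 (RFC 1320) in pure Python; OpenSSL 3 builds often ship without it ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    msg = bytearray(data)
    msg.append(0x80)                       # padding: 1 bit, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)                    # v = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                v[0] = _rotl((v[0] + func(v[1], v[2], v[3]) + X[k] + const) & 0xFFFFFFFF,
                             shifts[i % 4])
                v.insert(0, v.pop())       # (a, b, c, d) -> (d, a, b, c)
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": shown when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "": the account has an empty password


def audit_pwdump(lines, weak_words=("password", "Passw0rd", "Welcome1")):
    """Audit pwdump-style lines 'user:rid:LMhash:NThash:::' for the weaknesses
    discussed on the slides. Returns {user: [finding, ...]} (empty list = nothing found)."""
    weak = {nt_hash(w).hex(): w for w in weak_words}
    records = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4:
            records.append((parts[0], parts[2].lower(), parts[3].lower()))
    users_by_nt = {}
    for user, _lm, nt in records:          # no salt: same NT hash == same password
        users_by_nt.setdefault(nt, []).append(user)
    report = {}
    for user, lm, nt in records:
        findings = []
        if lm != EMPTY_LM:
            findings.append("LM hash stored (uppercased, two independent DES halves; "
                            "rainbow tables break it in seconds)")
        if nt == EMPTY_NT:
            findings.append("empty password")
        elif nt in weak:
            findings.append("NT hash matches trivial password %r" % weak[nt])
        others = [u for u in users_by_nt[nt] if u != user]
        if others and nt != EMPTY_NT:
            findings.append("same NT hash as %s (shared password: one pass-the-hash "
                            "compromises all of them)" % ", ".join(others))
        report[user] = findings
    return report


# Constructed sample dump (not real accounts or hashes from any system)
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacyuser:1002:0123456789abcdef0123456789abcdef:1111111111111111111111111111111a:::",
]

if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_DUMP).items():
        print(user, "->", findings or ["ok"])
```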

Page 76

Password attacks

Source: http://tricks-collections.com/crack-windows-xp-vista-password/

Page 77

Password Length vs. GPU Cracking

• Offline password brute-force attack speed:

• ~41,800 million (41.8 billion) passwords/second (against NTLM hashes)

→ less than 1-2 days for all possible passwords with a length up to 8 characters (ASCII)


Page 78

Password Length vs. Rainbowtables


Publicly available rainbowtables for NT hashes ($)

Page 79

LSA Secrets

• If you configure a service or scheduled task to run with a special user account, the credentials are stored in the LSA cache

• The cleartext credentials can be extracted from the registry

• This has given me domain admin so many times…


Page 80

LSA Secrets

Clear text password of a domain admin user… (→ privilege escalation from local admin to domain admin)

Credential guard (see later slides) does not protect LSA secrets!


Page 81

Dumping plaintext passwords

• We can steal stored clear text credentials of services, scheduled tasks, and so on from the LSA cache, and we can steal NTLM hashes (for pass-the-hash) and some other types of credentials. However, we can also steal clear text credentials of currently logged-in users!

• Local Security Authority Subsystem (LSASS) process memory contains:

• Kerberos keys (RC4/NTHash, AES128/AES256)

• Kerberos tickets (TGT and service tickets)

• NT Hashes

• (LM Hashes)

• Plaintext passwords

• (Smartcard PINs)


Page 82

Dumping plaintext passwords

• Dump passwords with mimikatz


Page 83

Microsoft Prevention

• Protected Process Light

• Special process flag which marks the process as protected

• Even administrators can't access the process anymore

• Problem: A kernel driver can disable the protection and an administrator can load a kernel driver… (partially mitigated in latest Windows 10 with driver signature enforcement)

• Also some other bypass techniques from Google Project Zero…

• Disabled WDigest authentication (KB2871997)

• Idea: Without WDigest authentication cleartext credentials are not required (and will not be stored in memory)

• Problem: WDigest authentication can easily be re-enabled by an attacker…

• reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

• Other protections: RDP restricted admin mode (but this enables pass-the-hash attacks) and the Protected Users group


Page 84

Process protection

Source: https://twitter.com/gentilkiwi/status/381913850737487872

Screenshot: disables the “Protected Process Light” flag of lsass.exe

Page 85

OS Layers


Source: Breaking Modern OS Defenses with Firmware Attacks

Page 86

Virtualization Based Security


Source: Breaking Modern OS Defenses with Firmware Attacks

Page 87

OS Layers


Source: Breaking Modern OS Defenses with Firmware Attacks

Page 88

Mitigating Credential Theft Attacks

Windows 10 Feature: Isolated User Mode


Before Windows 10:

Source: Seth Moore, Microsoft

Page 89

Mitigating Credential Theft Attacks

Windows 10 Feature: Isolated User Mode


Source: Seth Moore, Microsoft

Page 90

Credential Guard and DMA Protection

• Credential Guard:

• LSASS process split into two processes

• LSASS.exe interacts with LSAISO.exe

• LSAISO.exe stores the hashes, tickets, …

• Even if we obtain SYSTEM privileges on a system we can't extract hashes or tickets because they are stored in the isolated world which we can't access!

• However, we can just patch lsass.exe to log all credentials when a user logs in…

• Result: Attacker still gets the same information, he just has to wait longer…

• Device Guard also part of VBS on Windows 10

• Will be discussed later

Page 91

Credential Guard and DMA Protection

• DMA Protection:

• Firewire, Thunderbolt, PCIe, … can access the physical RAM via DMA (Direct Memory Access)!

• Boot the laptop until it's at the locked Windows login screen.

• Connect the laptop via Firewire to your own system and use DMA to overwrite Microsoft's password-check function to always return true

• Use any password to log in!

• This also works if the system is encrypted with BitLocker in transparent mode!

• Check: https://github.com/ufrisk/pcileech

• DMA Protection tries to prevent this, however, it can only do so once Windows is loaded! During UEFI initialization the system can still be vulnerable!

Page 92

NTLM & Kerberos

Page 93

NTLMv1 / NTLMv2

• Another problem is the NTLM protocol

• The NTLM protocol is not the same as the NTLM hash!

• We previously discussed the NT & LM hash (NTLM hash)

• Now we speak about the NTLM protocol, which is also often called NetNTLMv1, NetNTLMv2, NTLMv1, NTLMv2

• Compared to Kerberos, NTLM is a weaker authentication protocol

• Main problems of the NTLM protocol from a security perspective:

1. The cleartext password is NOT required to authenticate → we can authenticate by just knowing the NTLM hash (Pass-the-Hash)

2. We can force a client to authenticate against us → we can sniff the NetNTLM hash and start offline bruteforcing it

3. We can relay an authentication (NTLM relaying)

• Recommended reading: https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth

Page 94

NTLMv2


Source: Microsoft

Page 95

What is the Pass-The-Hash attack? (PTH)

• Published by Paul Ashton in 1997

• Exploits the fact that only the password hash is required to complete an NTLM authentication (the password itself is not required)

• Every service/application supporting NTLM authentication is vulnerable to pass-the-hash attacks

• Microsoft does not recommend using NTLM for applications

• Side note: Since a patch this only works with the built-in administrator or domain users which are local administrators

Page 96

Pass-the-Hash attack

We hacked system 10.0.50.170 because of a vulnerability

• Nowadays we use MS17_010 instead of MS08_064

We obtained local admin hash and can use it to compromise other systems

Page 97

Pass-the-Hash attack

System 10.0.50.160 contains another vulnerability (HFS)

Hashdump is currently not working because the shell is 32-bit

Page 98

Pass-the-Hash attack

Migrate into 64 bit process (PID 448)

Now we can hashdump again: same administrator hash!

Page 99

Pass-the-Hash attack

We can spawn shells in the domain using the hash!

Page 100

Mimikatz

We can also start mimikatz to get cleartext credentials of domain users

Page 101

Mimikatz

Check where the user can connect and own these systems…

Page 102

Responder

• If a client connects to us, we get a challenge + response pair, which we can offline bruteforce to obtain the cleartext password (+ we get the username. We already identified real hackers using this technique with a callback document…)

• Victim (10.0.50.20, domain admin ckadmin):

• Attacker (10.0.50.150, running responder.py):

Page 103

Responder

We need a way to force a victim to connect to us…

• Responder already includes several “poisoners” which always respond with our IP for LLMNR, NetBIOS or DNS queries…

• We can add images / sub docs in Word, PDF, e-mail, …

• Many other techniques: ARP spoofing, WPAD, IPv6 DNS injection, …

Page 104

Responder

• Example: I opened my browser on the victim and entered garbage:

Page 105

Responder

• Example: The attacker is spoofing LLMNR answers which point to the attacker's IP

Page 106

Responder

• But it also works if on a system currently no user is logged in… (This is the machine account, you can see this on the $ after the name in WKSTN-50$):

• Important: This hash can’t be used for pass-the-hash (it’s a NTLMv2 / Net-NTLMv2 hash. It’s the solution for the server & client challenge, calculated with the NTLM hash. If you know the NTLM hash you can calculate the Net-NTLM hash, that’s why pass-the-hash works!)
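The two statements above (the NT hash alone is enough to answer an NTLM challenge, while a captured Net-NTLMv2 response is tied to one server challenge) can be verified on the wire format itself. The following is an added example, not code from the lecture; it follows the NTLMv2 computation in MS-NLMP 3.3.2, carries its own MD4 because OpenSSL 3 ships MD4 only as a legacy algorithm, and all user names, challenges and the target-info blob are constructed values.

```python
"""NT hash as a password equivalent vs. a challenge-bound Net-NTLMv2 response.

Added example, not from the lecture.  Message layout per MS-NLMP 3.3.2;
every principal, challenge and AV-pair blob below is constructed.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python), needed for the NT hash."""
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        w = state[:]
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # registers are updated in the order a, d, c, b
                t = (w[j] + f(w[(j + 1) % 4], w[(j + 2) % 4], w[(j + 3) % 4]) + X[k] + const) & MASK
                s = shifts[i % 4]
                w[j] = ((t << s) | (t >> (32 - s))) & MASK
        state = [(a + b) & MASK for a, b in zip(state, w)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    # The NT hash is an unsalted, single-pass MD4 over the UTF-16LE password
    return md4(password.encode("utf-16-le"))


def _response_key(nt: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2: the NT hash keyed with the upper-cased user name and the domain
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: bytes, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp; note that only the NT hash is needed."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(_response_key(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """The authenticating side recomputes NTProofStr from the stored NT hash."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(_response_key(stored_nt, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    # constructed sample values (user, domain, password, challenges, FILETIME)
    user, domain = "ckadmin", "LAB"
    stored = nt_hash("Winter2018!")             # what the DC / SAM holds
    ts = struct.pack("<Q", 131600000000000000)  # FILETIME, constructed
    target_info = b"\x02\x00\x06\x00" + "LAB".encode("utf-16-le") + b"\x00\x00\x00\x00"
    chal_a, chal_b = b"\x11" * 8, b"\x22" * 8   # two different server challenges
    client_chal = b"\xaa" * 8

    # Pass-the-hash: the response is computed from the NT hash, the password never appears
    from_hash = ntlmv2_response(stored, user, domain, chal_a, client_chal, ts, target_info)
    from_password = ntlmv2_response(nt_hash("Winter2018!"), user, domain,
                                    chal_a, client_chal, ts, target_info)
    # A captured Net-NTLMv2 response is bound to chal_a: replaying it against a
    # fresh challenge fails, so it can be cracked or relayed live, but not passed
    tampered = from_hash[:16] + bytes([from_hash[16] ^ 1]) + from_hash[17:]
    return {
        "pass_the_hash_works": from_hash == from_password
        and server_verify(stored, user, domain, chal_a, from_hash),
        "captured_response_replayable": server_verify(stored, user, domain, chal_b, from_hash),
        "tampered_response_accepted": server_verify(stored, user, domain, chal_a, tampered),
    }


if __name__ == "__main__":
    print(demo())
```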

Page 107

NTLM Relay Attack

We can bruteforce this hash, but we can’t pass it. However, we can relay it (one time)!

Source: https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python

Page 108

NTLM Relay Attack

NTLM Relay: This attack is from 2001 and still works (!)

• Relaying the hash back to the same system is prevented by MS08-068

• But we can relay it to a different system (which has SMB signing off, which is the default for client systems – backward compatibility ☺)

• This attack only works with local administrative users / domain admins (NTLM relay would work with any user, but the method by which we get code execution works just with admins)

• We can cross-protocol relay the hash from HTTP NTLM to LDAPS NTLM on the domain controller (LDAP Signing is per default off): send a domain admin an e-mail with a link; if he opens it, we NTLM relay to LDAPS to add a new domain admin…

Page 109

NTLM Relay Attack

Create a list of possible targets (SMB Signing off):

Target all systems (except DC – Domain Controller):

Page 110

NTLM Relay Attack

Use responder to force victims to connect to us and receive shells / hashes (ntlmrelayx.py output):

Use the hash for pass-the-hash, or we can also directly tell ntlmrelayx.py to execute a command via the -c argument.

Page 111

NTLMv1 vs. NTLMv2

• NTLMv1 (DES-based)

• Vulnerable to rainbow table attacks

• No mutual authentication

• No relay attack protection

• ~34.454.000K passwords/second (single CPU)

• NTLMv2 (MD4-based)

• Not vulnerable to rainbow table attacks (client also creates a random challenge)

• Introduces mutual authentication

• Relay attack protection (only with EPA – Extended Protection for Authentication, partially with SMB and LDAP Signing)

• ~4.585K passwords/second (single CPU)

Page 112

Kerberos

Source: https://dfirblog.wordpress.com/2015/12/13/protecting-windows-networks-kerberos-attacks/

Page 113

How Kerberos works

• Kerberos works with symmetric encryption

• Previous picture is not 100% correct (it’s simplified)

• Message 2 which contains the TGT is encrypted with the “krbtgt” user account hash (a special domain user).

• (Message 2 also contains a session key which is encrypted with Jon’s secret message.)

• If the TGT were encrypted with Jon’s password, Jon could just modify the TGT… (this would break the complete security concept)

• The AS (Authentication Service) knows that Jon is really Jon because message 1 contains a timestamp encrypted by Jon with his hash.

• The ticket from message 4 is encrypted with the hash of the target service: Jon can’t modify it, but the service can read and handle it.

Page 114

Kerberos Attacks

• Many different attacks, here I just list the most useful ones

• Kerberoasting

• Request a ticket for a service; the ticket is encrypted with the password of the service account, so we can start offline bruteforcing the ticket to obtain the service password!

• Using the service password we can create arbitrary service tickets (e.g. with more privileges). This is called a „silver ticket“ attack.

• Golden ticket

• If we already compromised a domain, we can dump the krbtgt hash; using it we can create our own TGT tickets (domain persistence!)

• Pass the ticket

• Similar to pass-the-hash attacks, we can use mimikatz to steal tickets and inject them on another computer

• E.g.: use the ticket to change the password of a user account without knowing the clear text password (we can also PTH here)

• Avoid port scanning: setspn -Q */*

Page 115

Kerberoasting

• Step 1: Check the accounts which have an SPN (Service Principal Name) set (where you can request a ticket)

Page 116

Kerberoasting

• Step 2: Request a ticket for the SPN (with weak RC4 type)

Page 117

Kerberoasting

• Step 3: Use mimikatz to dump the ticket

Page 118

Kerberoasting

• Step 4: Start offline bruteforcing

Page 119

Golden ticket

• As soon as we have a domain admin account, we can “add a faked” domain controller (our own system) and synchronize the password hashes with the real domain controller….

• We ask for the krbtgt user hash

Page 120

Golden ticket

• We can use the hash to create arbitrary tickets! (e.g. also for non-existing user accounts which should be domain admin)

• We can use the ticket anytime for DCSync to get again hashes for new users
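The key separation described on the "How Kerberos works" slide (message 1 proves key possession, the TGT is opaque to the user because it is sealed under the krbtgt key, message 4 is sealed under the service key) and the consequence drawn on the golden ticket slides (whoever holds the krbtgt key can mint TGTs the KDC accepts until that key is changed) can be shown in one small model. This is an added example, not code from the lecture; the sealing scheme (HMAC-SHA256 keystream plus tag) is a constructed stand-in for the Kerberos encryption types, and every principal, key and group name is constructed.

```python
"""Toy Kerberos: which key protects which message, and why krbtgt rotation matters.

Added example, not from the lecture.  seal()/unseal() are a constructed
encrypt-then-MAC stand-in for the real etypes; all keys and names are constructed.
"""
import hashlib
import hmac
import json
import os
import struct

NOW = 1516190400  # constructed "current time" in seconds; real Kerberos uses the clock


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Only a holder of `key` can read or modify the result (nonce || ct || tag)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of the domain."""

    def __init__(self, keys: dict, groups: dict):
        self.keys = keys      # principal -> long-term key (its "hash"), including "krbtgt"
        self.groups = groups  # principal -> group memberships written into tickets

    def as_exchange(self, user: str, msg1: bytes):
        # message 1: a timestamp sealed under the user's key proves possession of that key
        ts = struct.unpack("<Q", unseal(self.keys[user], msg1))[0]
        if abs(ts - NOW) > 300:
            raise PermissionError("pre-authentication timestamp outside allowed skew")
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], json.dumps(
            {"user": user, "groups": self.groups[user], "sk": session.hex()}).encode())
        # message 2: TGT under the krbtgt key (opaque to the user), session key under the user's key
        return tgt, seal(self.keys[user], session)

    def tgs_exchange(self, tgt: bytes, service: str):
        # message 3: only the krbtgt key opens the TGT, so its identity and groups are trusted
        info = json.loads(unseal(self.keys["krbtgt"], tgt))
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], json.dumps(
            {"user": info["user"], "groups": info["groups"], "sk": svc_session.hex()}).encode())
        # message 4: service ticket under the service key, its session key under the TGT session key
        return ticket, seal(bytes.fromhex(info["sk"]), svc_session)


def service_view(service_key: bytes, ticket: bytes) -> dict:
    """Message 5: the service opens the ticket with its own key and trusts what is inside."""
    return json.loads(unseal(service_key, ticket))


def build_lab():
    keys = {"jon": os.urandom(32), "krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}
    return KDC(keys, {"jon": ["Domain Users"]}), keys


def honest_flow() -> list:
    kdc, keys = build_lab()
    tgt, _ = kdc.as_exchange("jon", seal(keys["jon"], struct.pack("<Q", NOW)))
    ticket, _ = kdc.tgs_exchange(tgt, "cifs/fs01")
    return service_view(keys["cifs/fs01"], ticket)["groups"]


def tampered_tgt_rejected() -> bool:
    """Jon flips a byte inside his TGT; the TGS must notice because he lacks the krbtgt key."""
    kdc, keys = build_lab()
    tgt, _ = kdc.as_exchange("jon", seal(keys["jon"], struct.pack("<Q", NOW)))
    forged = tgt[:20] + bytes([tgt[20] ^ 0xFF]) + tgt[21:]
    try:
        kdc.tgs_exchange(forged, "cifs/fs01")
        return False
    except ValueError:
        return True


def krbtgt_rotation_invalidates_tgts() -> tuple:
    """A TGT sealed with the krbtgt key (issued or minted) is honoured until that key
    changes; returns (accepted_before_rotation, accepted_after_rotation)."""
    kdc, keys = build_lab()
    tgt = seal(keys["krbtgt"], json.dumps(
        {"user": "nobody", "groups": ["Domain Admins"], "sk": os.urandom(32).hex()}).encode())
    before = service_view(keys["cifs/fs01"], kdc.tgs_exchange(tgt, "cifs/fs01")[0])["groups"]
    kdc.keys["krbtgt"] = os.urandom(32)  # krbtgt password reset (done twice in a real domain)
    try:
        kdc.tgs_exchange(tgt, "cifs/fs01")
        after = True
    except ValueError:
        after = False
    return before == ["Domain Admins"], after
```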

Page 121

Some useful commands in Windows domain

• Get user account information (e.g. last pw set):

net user /domain *userName*

• Get domain account names

net group /domain "Domain Admins"

net group /domain "Enterprise Admins"

• Get password policy

net accounts /domain

• Get firewall rules

netsh firewall show config

Page 122

Some useful commands in Windows domain

• Installed AntiVirus solution (in PowerShell)

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

• Installed patches:

wmic qfe get Caption,Description,HotFixID,InstalledOn

• Get Domain controller IP:

[System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain()

• Extract cleartext wlan passwords:

netsh wlan export profile folder=. key=clear

Page 123

Domain recon

• Phineas Fisher: „The best tool these days for understanding windows networks is PowerView”

• Bloodhound: Based on PowerView, visualize the network!

• https://github.com/BloodHoundAD/BloodHound/wiki/

• A modified version of PowerView queries the information

• Queries users, computers, relationships, sessions and displays them in a graph

Page 124

BloodHound / SharpHound

• Display concept:

Source: https://github.com/BloodHoundAD/BloodHound/wiki/

Page 125

BloodHound / SharpHound

Path from compromised user account to domain admin

Source: https://wald0.com/?p=112

Page 126

Application Whitelisting

Page 127

Application Whitelisting

• Idea

• Servers - few applications (webserver, database server, anti virus product, ...)

• Applications change very rarely

• Prevent the execution of other applications

• This prevents the execution of „unwanted applications“ (viruses, malware, applications from hackers, and so on)

Page 128

Application Whitelisting

• Main field of application

• Systems in critical infrastructures (e.g. SCADA environments)

• Important company systems / servers

• Workstations with high security requirements (administrative workstations)

• Kiosk systems

• ....

Page 129

Application Whitelisting

• Solutions:

• Microsoft AppLocker

• McAfee Application Control (Solidcore)

• Bit9 Parity Suite

• CoreTrace Bouncer

• Lumension Application Control

• SignaCert Enterprise Trust Services

Page 130

Bypassing Application Whitelisting

• Problem: We cannot execute our own application

• Solution: Abuse installed / whitelisted applications: find a whitelisted application which can be used to execute code

• It should be whitelisted on all systems:

• Windows specific executables

• Executables installed by common 3rd party tools (e.g. Office)

Page 131

PowerShell

• Pentesters best friend – PowerShell

• Available since Microsoft Windows Vista

• Whitelisted per default

• Can be used to invoke shellcode (even if PowerShell scripts are disabled)!

Page 132

PowerShell examples

Page 133

PowerShell

• Example with some obfuscation (powershell -ver 2):

• Windows ignores ^

• Environment variables can be „removed“ with :~0,-Length

• Argument 2 can also be written as 0000000002.0000

The above payload starts PowerShell in version 2 (where security features like logging or AMSI are not available)

Page 134

PowerShell

• The first symbol was not „?“ (this would not work), it was U+2015

Page 135

PowerShell examples

• Which PowerShell script do we start?

• Have a look at PowerSploit!

• „PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.“

• https://github.com/mattifestation/PowerSploit

• Examples: DllInjection, PE-File Injection, Invoke Shellcode, Keylogging, Portscan, Mimikatz, …

Page 136

AMSI

• Antimalware Scan Interface AMSI

• Security feature in Windows 10

• Interface for AntiVirus products to scan scripts

• PowerShell, VBScript, JScript

• All invoked code is passed to the AV

• PowerShell without powershell.exe is useless

• Diskless execution is useless

• Code obfuscation is not so effective

• In general a good idea, but many AVs don‘t support it…

• AVs currently supporting it: Microsoft Defender, AVG, ESET

Page 137

AMSI

• Many public bypasses, e.g. the bypass from Matt Graeber:

• Access the (private) variable „amsiInitFailed“ of the AmsiUtils class via reflection and change it to true…

• A similar technique also works to disable logging (however, we can also disable logging by injecting into the service and suspending all threads…)

Page 138

AMSI

Page 139

Basic Code Execution

• Simple ideas:

• User in front of a system (Kiosk systems, Social Engineering, ...)

• Malicious USB stick (rubber ducky)

Page 140

Basic Code Execution

• What if we don‘t have such a possibility?

• Attack scenario

• Send victim a file

• Victim opens/starts the file

• Victim is infected

• Typically this is not possible

• .exe, .dll, .bat, .com, and many many many more are checked and blocked!

• However, we have to find some others...

Page 141

Basic Code Execution

• Abuse of unchecked file types – HTA (HTML Application, executed by mshta.exe)

Page 142

Basic Code Execution

• Abuse of unchecked file types – JS (or .JSE, encoded JScript), executed by the Windows Script Host (wscript.exe / cscript.exe)

Page 143

Basic Code Execution

• Another attack possibility are file shortcuts (.lnk files)!

• Just create a shortcut to the required application (e.g. PowerShell)

• Pass the arguments inside the shortcut

• With Microsoft Explorer's shortcut dialog we are limited to MAX_PATH (260 characters)

• Use the Microsoft API (IShellLink, or its WScript.Shell COM wrapper) to create the shortcut; the API has no such limit
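The same shortcut trick, written out as an added example that is not part of the original slides: the Shell COM API (WScript.Shell, a wrapper around IShellLink) stores an Arguments string far longer than the 260 characters Explorer's dialog accepts, and the same object reads the fields back, which is exactly what a triage script needs when .lnk files arrive by mail. The file location under %TEMP%, the harmless Write-Host payload, the use of -EncodedCommand and the list of script hosts in the scanner are assumptions made for the demo.

```powershell
# Added example (not from the slides). Creates a .lnk with an over-long
# Arguments field through the Shell COM API, then scans a folder for shortcuts
# worth a second look. Payload, paths and host list are demo assumptions.
$shell   = New-Object -ComObject WScript.Shell
$lnkPath = Join-Path $env:TEMP 'invoice.lnk'            # assumed demo location

# Harmless command, padded so the argument string is clearly longer than
# MAX_PATH (260). Explorer's property dialog would refuse this; the API does not.
$command = 'Write-Host "shortcut demo"' + (' ' * 400)
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))

$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments  = "-NoProfile -EncodedCommand $encoded"
$lnk.Save()

# Read the fields back the same way; this is also how a triage script sees them.
$saved = $shell.CreateShortcut($lnkPath)
"Target          : $($saved.TargetPath)"
"Arguments length: $($saved.Arguments.Length) characters (MAX_PATH = 260)"

function Get-SuspiciousShortcut {
    <# Lists .lnk files whose target is a script/command host or whose
       arguments are longer than Explorer could have entered. #>
    param([Parameter(Mandatory)][string]$Folder)

    # Hosts commonly abused via shortcuts (assumption, extend for your environment).
    $hosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe',
             'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe'
    $sh = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $Folder -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s   = $sh.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($s.TargetPath).ToLowerInvariant()
            if ($hosts -contains $exe -or $s.Arguments.Length -gt 260) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $s.TargetPath
                    ArgLength = $s.Arguments.Length
                    Preview   = $s.Arguments.Substring(0, [Math]::Min(60, $s.Arguments.Length))
                }
            }
        }
}

Get-SuspiciousShortcut -Folder $env:TEMP | Format-Table -AutoSize
```

The scanner flags the shortcut it just created on two counts: the target is a script host and the argument string is longer than a human could have typed into the Explorer dialog, which is a cheap heuristic for API-generated shortcuts.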

Page 144

Basic Code Execution

Page 145

Basic Code Execution

Page 146

Basic Code Execution

• Abuse of unchecked file types – .chm (compiled HTML Help, opened by hh.exe)

Page 147

Full Code Execution

• Malicious Java applet

Page 148

Bypassing AppLocker

• Attack vector: Microsoft Office

• Macros, embedded OLE objects, DDE, EPS/RTF exploits, Responder image / openDoc, …

• Basically the same as with Java applets:

• We can start applications → launch PowerShell

• We can inject shellcode → full code execution

• Useful tool: shellcode2vbscript

• Written by Didier Stevens

• http://blog.didierstevens.com/2009/05/06/shellcode-2-vbscript/

• Modify the script to work with 64-bit Office (VBA7):

• Long → LongPtr for all pointer-sized parameters and return values

• Put PtrSafe in front of each Declare Function definition

Page 149

Bypassing AppLocker

• OLE attack: a double click on the embedded object starts the embedded script.

Source: "The Current Threat Landscape, Modern Defenses & Effective Detection", Sean Metcalf

Page 150

Bypassing AppLocker

Source: https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/

Page 151

CVE-2018-0802

• OLE (Packager objects) is nowadays also used to drop the malware to disk (e.g. into %TEMP%) before a memory corruption exploit starts it automatically.

• Example: CVE-2018-0802

• https://github.com/rxwx/CVE-2018-0802/blob/master/packager_exec_CVE-2018-0802.py

• Blog posts with details:

• https://research.checkpoint.com/another-office-equation-rce-vulnerability/

• https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/

Page 152

Bypassing AppLocker

• Equation Editor (EQNEDT32.EXE) was compiled in 2000 and is a standalone application that Word starts as a separate process.

• The memory corruption protections of Word are not active for it (it basically has no memory corruption protections enabled…)

• Vanilla stack-based buffer overflow, used in real-world attacks

Source: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/

Page 153

Bypassing AppLocker

• Another problem with AppLocker is its default rules:

Page 154

Bypassing AppLocker

• Problem: the default rule whitelists everything in C:\Windows\*

• Standard users can write to several locations below that directory

• E.g.: C:\Windows\Tasks\ is writeable!
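Finding those locations is the first thing to check on a system that uses the default rules. The following is an added example, not code from the slides: it walks %WINDIR%, reads every directory's ACL and reports the ones where an "any user" principal may create files. Principals are compared by well-known SID rather than by name so the check also works on non-English installations; the set of SIDs and access bits is an assumption you may want to widen (for example to Domain Users). C:\Windows\Tasks from the slide above should be among the hits.

```powershell
# Added example (not from the slides). Enumerates directories below %WINDIR%
# in which "any user" principals may create files. With the default AppLocker
# rule "allow %WINDIR%\*", each hit is a place where a standard user can stage
# an executable that the rule then allows. Run as a normal user; directories
# the user cannot read are skipped silently.
function Get-UserWritableWindowsDirs {
    param([string]$Root = $env:SystemRoot)

    # Well-known SIDs meaning "every standard user" (assumption, extend as needed):
    # Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
    $lowPrivSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4'

    # Access bits that let a caller drop a new file into the directory:
    # FILE_ADD_FILE (CreateFiles = 0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
    $createMask = 0x2 -bor 0x40000000 -bor 0x10000000

    Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Inherit-only ACEs do not apply to this directory itself.
                if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # orphaned or untranslatable identity
                if ($lowPrivSids -notcontains $sid) { continue }
                if (([int]$ace.FileSystemRights -band $createMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                    break   # one matching ACE per directory is enough
                }
            }
        }
}

Get-UserWritableWindowsDirs | Format-Table -AutoSize
```

Every path in the output is a candidate for an AppLocker exception rule (or, better, a reason to replace the broad path rule with publisher rules), and the list is also what an attacker would compute before picking a drop location.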

Page 155

Bypassing AppLocker

Question:

What if additional exception rules are configured which remove the writeable locations from the whitelist?

Page 156

Bypassing AppLocker

• Problem: Alternate Data Streams (ADS) can bypass such exception rules…

Page 157

Bypassing AppLocker

• Alternate Data Streams can store data, executables and libraries

• Internally Windows uses them e.g. to mark files that were downloaded from the internet (the Zone.Identifier stream, the "Mark of the Web")

Page 158

Bypassing AppLocker

• dir /r can be used to display them:

• Or Sysinternals streams.exe

Page 159

Bypassing AppLocker

• But you can hide streams from such listings …

• Use "..." as the name (or a reserved device name such as COM1, or attach the stream to the drive root C:\)

• Also try to delete such a file… ☺

Page 160

Bypassing AppLocker

• You can also execute applications from ADS:

Page 161

Bypassing AppLocker

• Or execute libraries…

• We can use this to bypass the AppLocker rule:

• DLLs in C:\Windows\* must be executable (default rule)

• A stream attached to the writeable directory itself (C:\Windows\Tasks:<name>) appears to be in a different folder, so an exception for C:\Windows\Tasks\* does not match it…
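The path form is the whole point, so here it is made concrete as an added example that is not part of the original slides: a named stream is attached to a directory, its path is shown against a narrow "contents of this directory" wildcard and a broad parent wildcard, and a small helper lists streams the way dir /r or streams.exe would. The demo uses a directory under %TEMP% instead of C:\Windows\Tasks so it runs anywhere without touching the system, and the -like comparison is only a model of path-rule matching, not AppLocker's own engine; the stream name demo.bin is an assumption.

```powershell
# Added example (not from the slides). Shows the path form of an alternate
# data stream attached to a *directory*, why a path exception for that
# directory's contents does not cover it, and how to enumerate streams.
# Temp directory, stream name and the -like rule model are demo assumptions.
$dir = Join-Path $env:TEMP 'adsdemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Attach a named stream to the directory itself (not to a file inside it).
Set-Content -LiteralPath $dir -Stream 'demo.bin' -Value 'placeholder bytes, not a real DLL'

# The stream's path is "<dir>:demo.bin". Braces stop PowerShell from parsing
# "$dir:demo" as a drive-qualified variable name.
$streamPath = "${dir}:demo.bin"

'{0,-60} {1}' -f "Exception  `"$dir\*`" matches the stream path:",      ($streamPath -like "$dir\*")
'{0,-60} {1}' -f "Allow rule `"$env:TEMP\*`" matches the stream path:", ($streamPath -like "$env:TEMP\*")
# Expected: the narrow exception does not match (False), the broad allow rule does (True).

function Get-AlternateStreams {
    <# Lists every named stream on the given paths and on everything below
       them, skipping the unnamed default stream (::$DATA). #>
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $items = @(Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
    }
}

Get-AlternateStreams -Path $dir | Format-Table -AutoSize
```

Feeding the writable directories found under %WINDIR% into Get-AlternateStreams is a quick audit for staged payloads; an exception rule that is meant to cover a writable directory should therefore be written to match the directory path itself, not only the files below it.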

Page 162

Bypassing AppLocker

• Meterpreter library:

• Start it via Microsoft's "control.exe" (which is whitelisted; control.exe loads Control Panel applets, which are plain DLLs)

Page 163

Some more NTFS tricks

• On Windows, non-admin users can't create symbolic links (this requires SeCreateSymbolicLinkPrivilege, which only administrators hold by default), however, they can create folder links (directory junctions)

• Please note: that's not the same as .lnk files

• Check AVGater: let your antivirus detect your file in folder x → it is moved into quarantine. Remove x and create the directory junction x pointing to system32. Click restore in the antivirus quarantine → the antivirus copies the file to system32 with its own privileges (SYSTEM) → privilege escalation

• https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

Page 164

Bypassing AppLocker

• And there are also lots of pre-installed applications which will take your code and run it inside their own process…

• Bypasses application whitelisting because the code is executed inside the whitelisted application

• Also bypasses reputation-based endpoint protection systems

• The current list (at the time of this lecture) contains 44 different techniques….

• https://github.com/api0cradle/UltimateAppLockerByPassList

Page 165

Bypassing AppLocker

• Dropping mimikatz.exe on a victim can trigger all kinds of alerts (AV, IDS, IPS, endpoint protection systems, …), so let the Microsoft-signed msbuild.exe dump the LSASS process for us…
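Whether the binaries from the last two slides would actually run under your policy is something AppLocker can tell you itself. The following is an added example, not code from the slides: it takes the effective policy (local policy merged with Group Policy), asks Test-AppLockerPolicy how each candidate would be decided for "Everyone", i.e. for an unprivileged logon, and counts the ones still allowed. The AppLocker module is only present on Enterprise/Education SKUs, and the candidate paths are assumptions; MSBuild's exact path depends on the installed .NET Framework, so missing files are skipped.

```powershell
# Added example (not from the slides). Asks AppLocker whether the signed
# Microsoft binaries named on these slides, plus a few well-known relatives,
# would be allowed for a standard user under the *effective* policy.
# Candidate paths are assumptions; requires the AppLocker module.
Import-Module AppLocker -ErrorAction Stop

$candidates = @(
    "$env:SystemRoot\System32\control.exe"      # loads .cpl files, i.e. DLLs
    "$env:SystemRoot\System32\mshta.exe"        # .hta
    "$env:SystemRoot\System32\wscript.exe"      # .js / .jse / .vbs
    "$env:SystemRoot\System32\cscript.exe"
    "$env:SystemRoot\System32\rundll32.exe"
    "$env:SystemRoot\System32\regsvr32.exe"
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

# Evaluate every candidate as "Everyone", i.e. as an unprivileged logon.
$decisions = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $candidates -User Everyone

$decisions | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Anything still "Allowed" is a candidate for an explicit deny rule, or a
# reason to replace the broad default "%WINDIR%\*" rule with publisher rules.
$allowed = @($decisions | Where-Object PolicyDecision -eq 'Allowed')
"{0} of {1} living-off-the-land binaries would run for a standard user." -f $allowed.Count, @($candidates).Count
```

MatchingRule shows which rule produced each decision; if it is the default "(Default Rule) All files located in the Windows folder" for msbuild.exe, the policy has the exact gap the slide describes.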

Page 166

Device Guard

• Microsoft Device Guard

• Similar concept to AppLocker, but based on hardware features and stronger (code integrity is enforced by the kernel and can be protected by the hypervisor)

• Based on the "virtualization based security" (VBS) feature

• Requirements: Windows 10 Enterprise, minimum UEFI version 2.3.1, x64 architecture

• Also puts PowerShell into Constrained Language mode

• Aim: run only signed code
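What Constrained Language mode actually takes away is easiest to see by probing it. The function below is an added example, not code from the slides: it reports the language mode of the current session and tries four operations, of which only the plain cmdlet pipeline survives in ConstrainedLanguage; in-process compilation with Add-Type, calls into arbitrary .NET types and COM instantiation are blocked, which is why Add-Type and reflection-based loaders stop working under Device Guard. The chosen probes are assumptions; any other blocked operation could be added the same way.

```powershell
# Added example (not from the slides). Reports the PowerShell language mode
# of the current session and probes operations that Constrained Language mode
# removes. Cmdlets keep working; compiling code, calling non-core .NET types
# and creating COM objects do not.
function Get-LanguageModeReport {
    $mode   = $ExecutionContext.SessionState.LanguageMode
    $probes = [ordered]@{
        'Cmdlet pipeline (Get-Process)'     = { Get-Process -Id $PID | Out-Null }
        'Add-Type (compile C# in-process)'  = { Add-Type -TypeDefinition 'public class ClmProbe {}' -ErrorAction Stop }
        '.NET static call (System.IO.Path)' = { [System.IO.Path]::GetTempPath() | Out-Null }
        'COM object (WScript.Shell)'        = { New-Object -ComObject WScript.Shell -ErrorAction Stop | Out-Null }
    }
    foreach ($name in $probes.Keys) {
        try   { & $probes[$name]; $result = 'allowed' }
        catch { $result = 'blocked (' + $_.FullyQualifiedErrorId + ')' }
        [pscustomobject]@{ LanguageMode = $mode; Probe = $name; Result = $result }
    }
}

Get-LanguageModeReport | Format-Table -AutoSize
```

On a Device Guard host with user-mode code integrity enforced the first column reads ConstrainedLanguage and only the cmdlet probe is allowed. To reproduce that on an unmanaged test machine, type `$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'` at the prompt before pasting the function: script blocks keep the language mode they were created in, and the switch is one-way for that session.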

Page 167

Conclusion

Page 168

Conclusion

• Windows 10 has a pretty good level of security

• Memory corruption exploitation became a lot harder over the last years (at least if all protections are enabled and the attacker does not have script execution)

• Windows security is not as bad as its reputation

• However, there are still many design flaws because of backward compatibility!

Page 169

WE ARE HIRING

Source: http://www.globalresearch.ca/wp-content/uploads/2015/06/unclesam-we-want-you.jpg

• SEC Consult is hiring!

• Lots of interesting projects in an

international leading security company

• Experienced team with a passion to hack

systems ☺

• Contact: [email protected]

• Just talk to me directly after the talk!

Page 170

Contact


Germany

SEC Consult Unternehmensberatung Deutschland GmbH

Ullsteinstraße 118, Tower B / 8th floor

12109 Berlin

Tel +49 30 30807283

Email [email protected]

LITHUANIA

UAB Critical Security, a SEC Consult company

Sauletekio al. 15-311

10224 Vilnius

Tel +370 5 2195535

Email [email protected]

RUSSIA

CJCS Security Monitor

5th Donskoy proyezd, 15, Bldg. 6

119334 Moscow

Tel +7 495 662 1414

Email [email protected]

SINGAPORE

SEC Consult Singapore PTE. LTD

4 Battery Road

#25-01 Bank of China Building

Singapore 049908

Email [email protected]

CANADA

i-SEC Consult Inc.

100 René-Lévesque West, Suite 2500

Montréal (Quebec) H3B 5C9

Email [email protected]

AUSTRIA

SEC Consult Unternehmensberatung GmbH

Komarigasse 14/1

2700 Wiener Neustadt

Tel +43 1 890 30 43 0

Email [email protected]

THAILAND

SEC Consult (Thailand) Co.,Ltd.

29/1 Piyaplace Langsuan Building 16th Floor, 16B

Soi Langsuan, Ploen Chit Road

Lumpini, Patumwan | Bangkok 10330

Email [email protected]

www.sec-consult.com

Switzerland

SEC Consult (Schweiz) AG

Turbinenstrasse 28

8005 Zürich

Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15

Email [email protected]

AUSTRIA

SEC Consult Unternehmensberatung GmbH

Mooslackengasse 17

1190 Wien

Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15

Email [email protected]