security assessment of microsoft directaccess · 14.03.2016 security assessment of microsoft...
TRANSCRIPT
![Page 1: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/1.jpg)
ERNW GmbH.
Security Assessment of Microsoft DirectAccess
By
Ali Hardudi
Supervised by
Prof. Dr. rer. nat. habil. Dirk Westhoff M. Sc. Enno Rey
A thesis for the completion of Master of Science in Communication and Media Engineering CME
![Page 2: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/2.jpg)
ERNW GmbH.
Agenda ¬ Introduction
Objective
A Quick Look into DirectAccess
¬ DirectAccess Lab
¬ Assessment
Scenarios and Attacker
IPv6 Attacks
TLS and IPSEC Default Configuration
¬ Conclusion
14.03.2016 Security Assessment of Microsoft DirectAccess #2
![Page 3: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/3.jpg)
ERNW GmbH.
Introduction
14.03.2016 Security Assessment of Microsoft DirectAccess #3
![Page 4: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/4.jpg)
ERNW GmbH.
Thesis Objective
14.03.2016 Security Assessment of Microsoft DirectAccess #4
¬ Thesis objective Study the DirectAccess
Performing a security evaluation
![Page 5: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/5.jpg)
ERNW GmbH.
Pure IPv6 No user interaction Remote management and administration Bidirectional access Enhanced security features Working over IPv4 Internet infrastructure
14.03.2016 Security Assessment of Microsoft DirectAccess #5
DirectAccess Features
![Page 6: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/6.jpg)
ERNW GmbH.
Not all Windows OS’s are supported
The following options are not always possible: End to End encryption
Force tunneling
Performance degradation when IP-HTTPS tunneling is used
Complex technology
14.03.2016 Security Assessment of Microsoft DirectAccess #6
DirectAccess Limitations
![Page 7: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/7.jpg)
ERNW GmbH.
¬ Active Directory Domain Controller (AD DC).
¬ IPSEC
¬ Public Key Infrastructure (PKI)
¬ HTTPS server as Network Location Service (NLS)
¬ Name Resolution Policy Table (NRPT)
¬ IPv6 tunneling technologies
¬ NAT64/DNS64
¬ Others (e.g. Forefront Unified Access Gateway (UAG), Network Access Protection (NAP))
14.03.2016 Security Assessment of Microsoft DirectAccess #7
IKE, HTTPS, DNS64, ISAKMP, Kerberos, PKI, NTLM, DHCPV6
TCP, UDP
IPv6, IPv6 Tunneling, ICMPv6
IPsec (ESP, AH), NAT64
Figure 1 DirectAccess stack of main protocols
Technologies and Protocols
![Page 8: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/8.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #8
D ir e c t A c c e s s C lie n t
T L S h a n d s h a k e
D ir e c t A c c e s s S e r v e r
H T T P S s e r v ic e
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 9: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/9.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #9
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 10: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/10.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #10
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
C o m p le t e N D p r o t o c o l
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 11: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/11.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #11
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IP -H T T P S in t e r fa c e
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 12: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/12.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #12
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
N T L M v 2
A u t h e n t ic a t in g a n d B u ild in g t h e IP S E C in f r a s t r u c t u r e t u n n e l
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 13: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/13.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #13
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 14: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/14.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #14
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
D N S c o n v e r s a t io n
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 15: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/15.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #15
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 16: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/16.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #16
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 17: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/17.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #17
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
A u t h e n t ic a t in g a n d B u ild in g t h eIP S E C in t r a n e t t u n n e l
K e r b e r o s
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 18: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/18.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #18
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
IPSEC Intranet tunnel
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 19: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/19.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #19
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
IPSEC Intranet tunnel
D N S c o n v e r s a t io n
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 20: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/20.jpg)
ERNW GmbH. Security Assessment of Microsoft DirectAccess #20
D ir e c t A c c e s s C lie n t D ir e c t A c c e s s
S e r v e r
H T T P S s e r v ic e
IP -H T T P S t u n n e l
IPSEC Infrastructure tunnel
AD DC
R e s o u r c e s
IPSEC Intranet tunnel
14.03.2016
Figure 2 DirectAccess connection steps using IP-HTTPS
![Page 21: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/21.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #21
Lab Deployment
![Page 22: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/22.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #22
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 23: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/23.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #23
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 24: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/24.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #24
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 25: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/25.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #25
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 26: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/26.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #26
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
IP-HTTPS Interface
Figure 3 DirectAccess lab components
![Page 27: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/27.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #27
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 28: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/28.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #28
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 29: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/29.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #29
Ubuntu 14.04.3 TLS (Attacking computer)
Windows server 2012 R2 (Internet Service Provider (ISP))
Windows server 2012 R2 (AD DC)
Windows server 2012 R2 (DirectAccess server)
Windows 8.1 Enterprise (DirectAccess client)
Windows server 2012 R2 (Internal resources)
Windows server 2012 R2 (Certificate Authority)
Cisco Catalyst 2950 series
Windows server 2012 R2 (Host VM)
Figure 3 DirectAccess lab components
![Page 30: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/30.jpg)
ERNW GmbH.
Full access model
DirectAccess server is an edge topology
The DirectAccess computers are assigned to a security group
The IPv6 tunneling is IP-HTTPS
All the certificates are issued by the corpnet Certificate Authority (CA)
IPSEC Encapsulated Security Payload (ESP) protocol tunnel mode
Windows 8.1 uses Null cipher suites for IP-HTTPS
14.03.2016 Security Assessment of Microsoft DirectAccess #30
DirectAccess configuration
Figure 4 Screenshot for the configuration panel of DirectAccess
![Page 31: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/31.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #31
Figure 5 DirectAccess lab topology
![Page 32: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/32.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #32
Assessment
![Page 33: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/33.jpg)
ERNW GmbH.
Scenarios and Attacker
¬ Two different scenarios were assessed:
IP-HTTPS default configuration
Authenticated IP-HTTPS
¬ Attacker knowledge and capabilities:
URL/IP of the DirectAccess server
Compromised or a trusted certificate
Position of attacker is remotely settled or within the local subnet of the client
14.03.2016 Security Assessment of Microsoft DirectAccess #33
![Page 34: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/34.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #34
D ir e c t A c c e s s S e r v e r
A D D C
N L SH T T P S s e r v ic e
H T T P S s e r v ic e
In t r a n e tU n a u t h e n t ic a t e d IP -H T T P S t u n n e l
D ir e c t A c c e s s c lie n t
IC M P v 6
A t t a c k e r
A t t a c k e r c a n e s t a b lis h t h is t u n n e l w it h o u t a u t h e n t ic a t io n
A t t a c k e r c a n u t i l iz e s o m e t y p e s o f IC M P v 6 p a c k e t s
R e s o u r c e s
IP S E C in f r a s t r u c t u r e t u n n e l
IP S E C in t r a n e t t u n n e l
IC M P v 6 t r a v e ls o u t s id e t h e IP S E C t u n n e ls
C e r t if ic a t e A u t h o r it yN T L M v 2
K e r b e r o s
In t e r n e t
Figure 6 IP-HTTPS default configuration scenario
![Page 35: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/35.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #35
¬ The IP-HTTPS tunnel was established
¬ The internal servers were reachable using ICMPv6 echo request
IP-HTTPS using Python
Figure 7 Using Ubuntu and Python IP-HTTPS interface to connect to the DirectAccess server
![Page 36: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/36.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #36
¬ The IP-HTTPS tunnel was established
¬ The internal servers were reachable using ICMPv6 echo request
IP-HTTPS using Python
Figure 8 Python IP-HTTPS was configured with IPv6 addresses
![Page 37: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/37.jpg)
ERNW GmbH.
Performed Attacks
14.03.2016 Security Assessment of Microsoft DirectAccess #37
The unauthenticated IP-HTTPS:
¬ Packets with multicast destination addresses are not forwarded
¬ Packets with unicast addresses are not forwarded
¬ Server replies on behalf of clients, if a client wants to configure an address that is already configured
L Attack Attacker position
1 Scan alive hosts using Ping scan
Local or remote
2 Scan for alive DA clients using Duplicate Address Local or remote
3 Send packets with spoofed IPv6 addresses Local or remote
4 Denial of Service against IP-HTTPS tunnel
Local or remote
5 Neighbor Cache exhaustion Local or remote
6 MITM using a trusted certificate Local or remote
7 MITM by relaying IPSEC packets via attacker’s computer
Local
Table 1 Attacks that were performed on the unauthenticated IP-HTTPS tunnel
![Page 38: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/38.jpg)
ERNW GmbH.
spoofing attack
14.03.2016 Security Assessment of Microsoft DirectAccess #38
Figure 9 A packet with a spoofed source address
![Page 39: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/39.jpg)
ERNW GmbH.
spoofing attack
14.03.2016 Security Assessment of Microsoft DirectAccess #39
Figure10 DirectAccess server replied to the spoofed address
![Page 40: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/40.jpg)
ERNW GmbH.
spoofing attack
14.03.2016 Security Assessment of Microsoft DirectAccess #40
Figure10 DirectAccess server replied to the spoofed address
![Page 41: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/41.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #41
¬ Windows server 2012 uses RFC 7048 “Neighbor Unreachability Detection Is Too Impatient”
¬ Unreachable state is maintained for a cache entry (CE)
Neighbor Cache Exhaustion
Figure11 DirectAccess server neighbor cache
![Page 42: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/42.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #42
Scan Connected DirectAccess Clients
Figure12 Clients IPv6 enumeration using Duplicate Address Detection
![Page 43: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/43.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #43
Scan Connected DirectAccess Clients
Figure13 DirectAccess server replied on behalf of the existing DirectAccess client
![Page 44: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/44.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #44
D ir e c t A c c e s s S e r v e r
A D D C
N L SH T T P S s e r v ic e
H T T P S s e r v ic e
In t r a n e t
In t e r n e t
A u t h e n t ic a t e d IP -H T T P S t u n n e l
IC M P v 6
A t t a c k e r
A t t a c k e r e s t a b lis h e s t h e IP -H T T P S t u n n e l u s in g a
s t o le n / t r u s t e d c e r t if ic a t eA t t a c k e r c a n u t i l iz e s o m e t y p e s o f IC M P v 6 p a c k e t s
R e s o u r c e s
IP S E C in f r a s t r u c t u r e t u n n e l
IP S E C in t r a n e t t u n n e l
IC M P V 6 p a c k e t s f r o m t h e a t t a c k e r c a n r e a c h D ir e c t A c c e s s c l ie n t / s
C e r t if ic a t e A u t h o r it y
D ir e c t A c c e s s c lie n t
N T L M v 2K e r b e r o s
Figure 14 Authenticated IP-HTTPS scenario
![Page 45: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/45.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #45
¬ Almost all types of packets are accepted by the DirectAccess
¬ Null cipher suites can not be used any more
DA client certificate was extracted using mimikatz
Authenticated IP-HTTPS
Figure 15 Configuring IP-HTTPS server component to use authentication
![Page 46: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/46.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #46
¬ Almost all types of packets are accepted by the DirectAccess
¬ Null cipher suites can not be used any more
DA client certificate was extracted using mimikatz
Authenticated IP-HTTPS
Figure 16 Using certificate mapping to finish configuring authentication on IP-HTTPS tunnel
![Page 47: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/47.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #47
¬ Almost all types of packets are accepted by the DirectAccess
¬ Null cipher suites can not be used any more
DA client certificate was extracted using mimikatz
Authenticated IP-HTTPS
Figure 17 Packets where received by Python IP-HTTPS interface on Ubuntu
![Page 48: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/48.jpg)
ERNW GmbH.
Performed Attacks
14.03.2016 Security Assessment of Microsoft DirectAccess #48
¬ All the authenticated IP-HTTPS connections are trusted
¬ The only packets that are not forwarded those which have unspecified IPv6 source address “::”
L Attack Attacker position
1 Scan for alive DirectAccess clients using Ping scan Local or remote
2 Scan DirectAccess clients for open ports
Local or remote
3 DoS against DirectAccess clients by sending fake Router
Advertisement (RA) with randomized prefixes
Local or remote
4 Hijacking IPSEC packets that are sent to the client and cause a DoS
Local or remote
5
DoS DirectAccess client, by sending unsolicited Neighbor Solicitation (NS) with the IPv6 of the
DirectAccess server as a source address
Local or remote
Table 2 Attacks that were performed on the authenticated IP-HTTPS tunnel
![Page 49: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/49.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #49
DoS with Fake RA
Figure 18 Part of the addresses that were configured after receiving a fake RA with randomized prefixes
![Page 50: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/50.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #50
A u t h e n t ic a t e d IP -H T T P S tu n n e l
D ir e c t A c c e s s S e r v e r
H T T P S s e r v ic e
D ir e c t A c c e s s c lie n t
N T L M v 2K e r b e r o s
A u t h e n t ic a t e d IP -H T T P S tu n n e l
IPSEC NS NA IPSEC
N t im e s S p o o fe d N A
Figure 19 Hijacking the IPSEC downstream traffic
![Page 51: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/51.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #51
MITM The IP-HTTPS Traffic
Figure 20 The attacking machine received IPSEC packets after a DirectAccess client was switched off
![Page 52: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/52.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #52
MITM The IP-HTTPS Traffic
Figure 21 Sending spoofed NA’s to the DirectAccess server and hijacking the connection from server to the client
![Page 53: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/53.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #53
¬ Spoof the server RA
¬ Set the Router Preference flag with high priority
¬ Set all Route Information (RFC 4191) options with high priority
¬ Use the same advertised Prefix Information
MITM The IP-HTTPS Traffic
Figure 22 Router Advertisement (RA) sent by DirectAccess server
![Page 54: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/54.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #54
L A N
D ir e c t A c c e s s S e r v e r
H T T P S s e r v ic e
In t e r n e t
A C C E S S P o in t
IP -H T T P S t u n n e l
IP -H T T P S t u n n e l
Fake RA
Figure 23 MITM on the local subnet
NS IPSEC
D ir e c t A c c e s s c lie n t
N T L M v 2K e r b e r o s
![Page 55: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/55.jpg)
ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess #55
Source: https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html
![Page 56: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/56.jpg)
ERNW GmbH.
Conclusion ¬ DirectAccess is a relatively new technology that offers the corpnet users a
flexible, an always-on and an automatic access to the internal resources.
¬ The security assessment process showed that IP-HTTPS is a very critical component, which could be utilized by attackers to perform many IPv6 attacks on both DirectAccess client and server.
¬ The Thesis also pointed out the necessity of reviewing the configuration of both TLS and IPSEC protocol.
¬ The infrastructure tunnel and the 6to4 tunneling represent very attractive sources of attacks.
14.03.2016 Security Assessment of Microsoft DirectAccess #56
![Page 57: Security Assessment of Microsoft DirectAccess · 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012](https://reader030.vdocuments.us/reader030/viewer/2022040112/5e6e8d537f31a114b9263909/html5/thumbnails/57.jpg)
ERNW GmbH. #57
© 2016 Ali Hardudi. All rights reserved.
Security Assessment of Microsoft DirectAccess 14.03.2016