Adventures in Underland: What Passwords Do When No One Is Watching
Paula Januszkiewicz
MVP: Enterprise Security, MCT
CQURE: CEO, Penetration Tester
IDesign: Security Architect
paula@cqure.pl
http://cqure.pl
Agenda
Tools!
- Our tools: http://cqure.pl (Tools) or http://stderr.pl/tools
- Check out the following links:
  - http://www.gentilkiwi.com/ - Benjamin Delpy
  - http://www.ntdsxtract.com/ - Csaba Barta
The Longest Password Ever
How often do you share your password with others?
- 90 percent of user-generated passwords at risk of being compromised in 2013 (Deloitte Technology Report, 2013)
- 75 percent of people use the same password for a social portal and email (BitDefender Study, 2010)
- "6 million passwords stolen"
- "hackers may have stolen passwords of 250,000 users"
- "hacker group has apparently dumped 453,492 usernames and passwords obtained in plaintext"
- "personal data for more than 50 million users was stolen"
Conclusions
- Because the solution requires it
- Because we need to confirm that we are who we are
- But we do not know how this data is stored
Demo: Introduction File to be a little bit zilla
Agenda
CPAU: Information
- http://www.joeware.net/freetools/
- ID, password and command line in a file, so it can be used by normal users
Demo: CPAU Work it, work it baby!
CPAU: Getting the Password
- Whatever cryptography is used, let's allow the application to use the password
- Sent through the network, stored in log files, etc.
- Loaded into memory
- In between: operating system mechanisms that can be listened to
- Security motto: Know how your app works!
Demo: CPAU get the password now!
CPAU: Waiting for the reaction (Application)
Dirty Games: Remotely
- Through the network since Windows 8
- You allow somebody to dig into the kernel of your OS
- Each chunk of your data is exposed
- bcdedit /debug ON: invisible!
Demo: Debugging over Network
Well, well, well
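The debug flag is "invisible" only to users who never look at the boot configuration. As an added defensive example (not code from the talk), the following PowerShell reads bcdedit output and reports every boot entry with the kernel debugger enabled, plus the configured transport, so an unexpected network debugger can be spotted and turned off. The column layout of bcdedit output is assumed from its usual form; run from an elevated prompt.

```powershell
# Added example (not from the talk): report boot entries with kernel debugging
# enabled and the configured debug transport. bcdedit is a built-in Windows
# tool; the 'identifier' / 'debug' / 'debugtype' column names are assumed
# from its typical output.
function Get-KernelDebugStatus {
    $entries = @()
    $current = $null
    foreach ($line in (bcdedit /enum)) {
        if ($line -match '^identifier\s+(\S+)') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^debug\s+(Yes|No)\s*$') {
            # Entries without a 'debug' line have the debugger disabled
            $entries += [pscustomobject]@{
                Identifier   = $current
                DebugEnabled = ($Matches[1] -eq 'Yes')
            }
        }
    }
    $settings  = (bcdedit /dbgsettings) -join "`n"
    $transport = if ($settings -match 'debugtype\s+(\S+)') { $Matches[1] } else { 'not set' }
    [pscustomobject]@{ Entries = $entries; Transport = $transport }
}

$status = Get-KernelDebugStatus
$status.Entries | Where-Object DebugEnabled | Format-Table -AutoSize
"Debug transport: $($status.Transport)"
# If debugging is enabled on a production box without a reason:
#   bcdedit /debug off    (takes effect after reboot)
```

A transport of NET together with DebugEnabled on the {current} entry is exactly the situation the demo exploits: whoever can reach the configured host IP and port, and holds the key, reads kernel memory. The check is cheap enough to run from configuration management or a logon script.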
Application Pools
- Purpose: assign resources, serve as a security sandbox
- Their identity is defined in the Application Pool settings
- Process HTTP and non-HTTP resources
- Their credentials are stored in encrypted form in applicationHost.config
Demo: Application Pools Getting password from IIS configuration
Demo: Application Pools Encrypt the configuration file
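Because the pool password in applicationHost.config is encrypted with a machine-held key, the encryption stops a copied file from revealing it but not a local administrator. The practical control is therefore to not store a password at all. As an added example (not code from the talk), this PowerShell lists which pools run as a specific user and so keep a password in the configuration store; it assumes the WebAdministration module that ships with the IIS management tools.

```powershell
# Added example (not from the talk): find IIS application pools whose identity
# is a specific user account, i.e. whose password is kept (encrypted) in
# applicationHost.config. Assumes the WebAdministration module is installed.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Name           = $_.Name
            IdentityType   = $pm.identityType      # ApplicationPoolIdentity, NetworkService, SpecificUser, ...
            UserName       = $pm.userName
            # Only SpecificUser pools need a password in the config store
            StoresPassword = ($pm.identityType -eq 'SpecificUser')
        }
    }
}

# Pools that should be reviewed: move to ApplicationPoolIdentity or a gMSA
Get-AppPoolIdentityReport | Where-Object StoresPassword | Format-Table -AutoSize
```

A pool flagged here can be switched with Set-ItemProperty on its processModel.identityType; a group managed service account gives the same domain identity without a password that IIS has to store.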
Agenda
Chasing the obvious: NTDS.DIT, SAM
- The above means: to read the clear text password you need to struggle!
Demo: Offline NTDS.DIT Sharing is caring!
Memory Dumps
- For troubleshooting
- Whatever sensitive data was used, it is in memory
- Used to detect suspicious behavior of processes
- Saved in %windir%
- Published carelessly on public forums
Demo: Memory dumps Sharing is caring!
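A memory dump is a copy of whatever was in RAM, credentials included, so knowing how a machine is configured to write dumps and where they already sit is the first step before anyone attaches one to a forum post. As an added example (not code from the talk), this PowerShell reads the documented CrashControl registry values and looks in the default dump locations.

```powershell
# Added example (not from the talk): show the crash dump configuration and list
# dump files in their default locations so they can be protected, not shared.
# Value meanings follow the documented CrashControl registry key.
function Get-CrashDumpConfig {
    $cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $kinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
    $expand = { param($v) if ($v) { [Environment]::ExpandEnvironmentVariables($v) } }
    [pscustomobject]@{
        DumpType    = $kinds[[int]$cc.CrashDumpEnabled]
        DumpFile    = & $expand $cc.DumpFile      # usually %SystemRoot%\MEMORY.DMP
        MinidumpDir = & $expand $cc.MinidumpDir   # usually %SystemRoot%\Minidump
    }
}

function Find-DumpFiles {
    # Default locations for kernel, mini and user-mode (WER) dumps
    $paths = @("$env:windir\MEMORY.DMP",
               "$env:windir\Minidump\*.dmp",
               "$env:LOCALAPPDATA\CrashDumps\*.dmp")
    Get-ChildItem -Path $paths -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-CrashDumpConfig
Find-DumpFiles | Format-Table -AutoSize
```

A Complete dump type on a server that handles logons is the worst case for this talk: the file contains everything LSASS held at the moment of the crash. Treat the listed files like the credentials they contain, and hand them only to a vendor channel that expects them.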
Services
- Always need some identity to run the executable!
- Must be stored locally, especially when domain credentials are used
- Can be accessed when we impersonate Local System
- If you cannot use gMSA/MSA, use a subscription for svc_ accounts (naming convention)
Demo: Services Getting password from LSA Secrets
Scheduled Tasks
- As in the case of services, the password can be revealed
- Saved in the user's Credential Manager
- The user's password can be used to get access to the task's password
- After changing the password it still runs
Demo: Scheduled Tasks Getting password from LSA Secrets
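Both slides above describe the same root cause: the service or task needs a password that Windows must keep somewhere retrievable. As an added example that serves both the Services and the Scheduled Tasks sections (not code from the talk), this PowerShell inventories every service running under a non-built-in account and every task registered with a stored password, and flags whether each already uses a managed account (no stored password) or follows the svc_ naming convention the slides recommend. The svc_ pattern is an assumption about local naming.

```powershell
# Added example (not from the talk): inventory services and scheduled tasks that
# force Windows to keep a password locally (LSA Secrets or Credential Manager).
# ManagedAccount = (g)MSA (name ends with '$', no stored password).
# FollowsNaming  = matches the assumed 'svc_' naming convention.
function Get-StoredCredentialServices {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -ne 'LocalSystem' -and
            $_.StartName -notlike 'NT AUTHORITY\*' -and
            $_.StartName -notlike 'NT SERVICE\*'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Kind           = 'Service'
                Name           = $_.Name
                Account        = $_.StartName
                ManagedAccount = $_.StartName.EndsWith('$')
                FollowsNaming  = ($_.StartName -match 'svc_')
            }
        }
}

function Get-StoredCredentialTasks {
    # LogonType 'Password' means the task scheduler stored the account password
    Get-ScheduledTask |
        Where-Object { $_.Principal.LogonType -eq 'Password' } |
        ForEach-Object {
            $user = [string]$_.Principal.UserId
            [pscustomobject]@{
                Kind           = 'Task'
                Name           = $_.TaskName
                Account        = $user
                ManagedAccount = $user.EndsWith('$')
                FollowsNaming  = ($user -match 'svc_')
            }
        }
}

@(Get-StoredCredentialServices) + @(Get-StoredCredentialTasks) |
    Sort-Object Kind, Name | Format-Table -AutoSize
```

Rows with ManagedAccount false are the ones whose password an attacker with Local System (or, for tasks, the user's own password) can recover; the naming column only tells you whether the account is at least tracked under the svc_ convention so that its rights and rotation can be reviewed.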
Data Protection API
- Password, data blob, entropy
- Protects from outsiders who have offline access
- Effectively protects users' data
- You need to be able to get access to some of your passwords from the past
Demo: DPAPI Positive scenario first!
Demo: DPAPI Negative scenario last!
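The positive and negative scenarios can be reproduced in a few lines against the public DPAPI wrapper in .NET. As an added example (not code from the talk), this PowerShell protects a constructed secret with optional entropy, unprotects it with the same entropy (positive), then tries with different entropy (negative) and shows the failure instead of the data.

```powershell
# Added example (not from the talk): DPAPI protect / unprotect with entropy.
# Positive scenario: same user, same entropy  -> plaintext comes back.
# Negative scenario: wrong entropy (or another user / machine) -> failure.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret([string]$Plain, [string]$Entropy) {
    $data = [Text.Encoding]::UTF8.GetBytes($Plain)
    $ent  = [Text.Encoding]::UTF8.GetBytes($Entropy)
    # Entropy is mixed into the key derivation; it is not a password of its own
    [System.Security.Cryptography.ProtectedData]::Protect($data, $ent, $scope)
}

function Unprotect-Secret([byte[]]$Blob, [string]$Entropy) {
    $ent = [Text.Encoding]::UTF8.GetBytes($Entropy)
    try {
        $data = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $ent, $scope)
        [Text.Encoding]::UTF8.GetString($data)
    } catch [System.Security.Cryptography.CryptographicException] {
        "FAILED: $($_.Exception.Message)"
    }
}

# Constructed sample values, not real secrets
$blob = Protect-Secret -Plain 'constructed sample secret' -Entropy 'app-specific-entropy'
Unprotect-Secret -Blob $blob -Entropy 'app-specific-entropy'   # positive scenario
Unprotect-Secret -Blob $blob -Entropy 'wrong-entropy'          # negative scenario
```

The negative case is also what an outsider with the blob but without the user's master key sees, which is the "offline access" protection the slide refers to. The last bullet is the flip side: the master keys derived from old passwords are kept so that older blobs still open, which is why the user's password history matters to DPAPI and why the entropy value must be stored as carefully as the blob.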
Agenda
Passwords: Summary
Thank You!
- Our tools: http://cqure.pl (Tools) or http://stderr.pl/tools
- Check out the following links:
  - http://www.gentilkiwi.com/ - Benjamin Delpy
  - http://www.ntdsxtract.com/ - Csaba Barta
Resources
- http://channel9.msdn.com/events/teched
- www.microsoft.com/learning
- http://microsoft.com/technet
- http://microsoft.com/msdn
Fill in the survey and win prizes!
The MTS organizers read every survey. Thanks to them you have a real influence on the conference, its content and the speakers of the next MTS. Just 5 minutes of your time are enough to fill in the survey! You have a chance to win, among other prizes, an entry pass to MTS 2014 (24x). Where and how? The surveys are available online on the conference website (mtskonferencja.pl). They can be filled in from today until 5 November 2013.
2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be trademarks or registered trademarks of Microsoft in the United States and other countries. The information provided is for informational purposes only. MICROSOFT MAKES NO WARRANTIES (EXPRESS OR IMPLIED), INCLUDING THE STATUTORY WARRANTY FOR PHYSICAL AND LEGAL DEFECTS, AS TO THE INFORMATION CONTAINED IN THIS PRESENTATION.