SlideShare uma empresa Scribd logo

Wce12 uba ampliasecurity_eng

F
fangjiafu
Tecnologia
1 de 56
Baixar para ler offline
Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more… Date: 01-07-2011 Author: Hernan Ochoa <hernan@ampliasecurity.com>
Windows Authentication h1 = LMHash(“pwd1”) SAM Database h2 = NTHash(“pwd1”) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Network • The cleartext password is not sent • The NTLM protocol is used
NTLM Authentication lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. R’ = f(SAM[lmhash/nthash], C) … … … R’ == R => Access Granted R’ <> R => Access Denied
pre-Pass-the-Hash Attacks • After compromising a Windows box… – ‘ Dump’ the SAM • pwdump3/3e/4/5/6/7,fgdump,etc – Administrator:500:0102030405060708090A0B0C0D0E0F10:1020 30405060708090A0B0C0D0E0F10 – Crack/Brute-Force hashes to obtain cleartext password • Takes time.. (e.g.: pentest time is limited) • No guarantee the password will be obtained • Rainbow tables were not widely used – Less computing power, storage, etc – Still, not the answer to everything
Pass-The-Hash Technique Published by Paul Ashton in 1997 http://www.securityfocus.com/bid/233/discuss
Pass-the-hash Technique lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. • Cleartext password is not needed for NTLM auth … … … • Only lmhash/nthash are needed • No need to crack/brute-force R’ = f(SAM[lmhash/nthash], C) • Just use the hashes directly R’ == R => Access Granted R’ <> R => Access Denied
Pass-the-hash: ‘exploitation’ • Modified Smbclient (SAMBA) – smbclient //192.168.1.120/c$ -U Administrator -p 4ECC0E7568976B7EAAD3B435B51404EE:551E3B3 215FFD87F5E037B3E3523D5F6 • Samba-TNG • Many 3rd-party SMB+NTLM stacks – Python, Ruby, Java, etc
3rd-party SMB+NTLM stacks: Limitations • Limited and partial functionality • Always running behind Windows – New functionality has to be implemented, some by reverse engineering • Complex, requires time and effort • Cannot use native Windows applications – They ask for username and cleartext password, not hashes…
Enter, Windows Credentials Editor...
What is WCE? • Tool to manipulate Windows logon sessions – Add, list, delete, modify – Obtain credentials associated with logon sessions – Pass-the-hash (NTLM) – Pass-the-ticket (Kerberos)
Pre-WCE/Pass-the-hash attacks • Without WCE.. – Crack/Brute-force hashes to obtain cleartext password – Crack/Brute-force ´encrypted´ hashes (C,R->NTLM) to obtain cleartext password – Use 3rd-party SMB+NTLM stacks, w/limited and partial functionality – More difficult/not possible to do pass-the-hash while pivoting among Windows boxes
Post-WCE/Pass-the-hash attacks • With WCE… – Do Pass-the-hash directly with the hashes • No need to attempt to crack/brute-force hashes • Will be able to use them even if you cannot crack them – 3rd-party SMB+NTLM stacks problems eliminated – Easier to do Pass-the-hash while pivoting among Windows boxes
Demo #1 WCE: Pass-the-hash
WCE: ‘Steal’ Credentials from memory • New ´attack´ implemented by WCE – It is not Pass-the-hash, it´s another technique.. – Sometimes the two are confused, but they are not the same.. • Allows you to obtain usernames and NTLM hashes stored in memory
WCE: ‘Steal’ Credentials from memory • Why are they in memory? • NTLM auth package • SSO cgarcia pwd1 Network
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console • Remote logon sessions via RDP • RunAs • Windows Services running under specific user accounts • Windows APIs used by applications • Etc.
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console cgarcia pwd1
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Remote logon sessions via RDP Network
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • RunAs
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows Services
WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows APIs used by applications Example:
WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash.. – By default, nowadays, Windows does not store the LM hash in the SAM • It is weak; “easy” to crack
WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash from memory – Windows generates and stores the hashes in memory, including the LM hash • Interactive sessions • Others previously mentioned – Possible to crack it and obtain cleartext password to use in places where NTLM is not the auth method
WCE: ‘Steal’ Credentials from memory Example: The LM Hash is not in the SAM Pwdump output The LM Hash is in memory WCE output
WCE: ‘Steal’ Credentials from memory When are they NOT stored in memory? • Network Logons – The hashes never reach the remote server Init Connection Responds C = challenge random Sends cgarcia, R
WCE: ‘Steal’ Credentials from memory Post-explotation attack scenario Attacker compromises remote Windows box • Run WCE to obtain credentials stored in memory • Use those hashes to do Pass-The-Hash with WCE
Demo #2 WCE: ‘Steal’ credentials from memory
WCE: ‘Steal’ Credentials from memory Especially interesting in Windows Domain Environments Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Backups Server Domain User
WCE: ‘Steal’ Credentials from memory WITHOUT WCE.. Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. SAM ajuarez B90DF.. CCDF.. User Hash LM Hash NT … … … Administ FDDE.. CCDH1.. rador Guest AABCD.. FFD4F.. Domain User Backups Server Attacker • Attacker owns remote Windows box • Only has access to local SAM.. • No Domain Users there, not very useful…
WCE: ‘Steal’ Credentials from memory WITH WCE.. Domain Domain:Admi Controller (DC) Domain nistrator:CDB User Hash LM Hash NT User 70D9EDA812 SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. DBF:C9DF712 … … … D09D7DF1C Domain User Backups Server Attacker • Attacker owns Backups server • Obtains credentials from memory.. • Probably will find Domain Users there.. • Can possibly compromise the whole domain!
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker
WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller(DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker • WCE ‘steals’ the Domain Administrator Credentials!
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • When you RDP to a remote box, you leave the NTLM hashes of your password in the remote server´s memory • NTLM hashes are equivalent to the cleartext password (pass-the-hash+wce) • So, we could say you are leaving there your password…
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Even when using pass-through authentication • Credentials (user+domain+hashes) are stored in Domain Controller • But when you use RDP, they are also left in the memory of the remote Windows box you are RDPing to! • Be careful where you are RDPing to…
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Attacker on the remote Windows box can obtain credentials from memory • Local Administrator • Regular Domain User w/local admin privs • Attacker that owns less secured box, regular users are more vulnerable • Etc.
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) DBF:C9DF712 Domain User Hash LM Hash NT D09D7DF1C Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off • ´Disconnect´ leaves NTLM hashes in memory • The Logon session is not terminated • ´Log Off´ terminates the logon session • Hashes are erased from memory • Always ´Log Off´! • Users tend to just ´Disconnect´… • Including Administrators..
WCE: ‘Steal’ Credentials from memory Zombie Logon Sessions
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User • Administrator logs off, Backups Server disconnects, finished what he/she was Attacker doing.. Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain BUG! User Windows does not erase from memory NTLM Backups Server hashes! Attacker Day 1
WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 31.. ~ A month later..
WCE: Pass-the-Ticket (Kerberos) • New attack implemented by WCE v1.2 – First and only tool that implements this AFAIK • Post-exploitation • Equivalent to Pass-The-Hash for NTLM • You can ‘steal’ Kerberos TGT/tickets & use them in other Windows and *Unix boxes
WCE: Pass-the-Ticket (Kerberos) • ´Stolen´ tickets can be used to access remote services – Example: SMB shares • The TGT (Ticket Granting Ticket) can be used to create new tickets – Gain access to more services / computers
Conclusions • WCE brings new post-exploitation techniques – Pass-the-Hash (NTLM) – Steal NTLM from memory – Pass-the-ticket (Kerberos) • Useful for pentests • You need to know them to defend yourself – Not just to attack..
More information • “WCE Internals” Presentation – RootedCon 2011; Madrid, España – More technical details about implementation http://www.ampliasecurity.com/research/WCE_ Internals_RootedCon2011_ampliasecurity.pdf
Questions? Thank you! hernan@ampliasecurity.com @hernano @ampliasecurity www.ampliasecurity.com

Recomendados

BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat Security Conference
 
Porting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitecturePorting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitectureThe Linux Foundation
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM India Smarter Computing
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Kuniyasu Suzaki
 
A Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersA Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersLuke Tillman
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2Nikos
 

Recomendados

BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat Security Conference
 
Porting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitecturePorting Xen Paravirtualization to MIPS Architecture
Porting Xen Paravirtualization to MIPS ArchitectureThe Linux Foundation
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM Ported Tools for z/OS: OpenSSH User's Guide
IBM Ported Tools for z/OS: OpenSSH User's GuideIBM India Smarter Computing
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Kuniyasu Suzaki
 
A Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersA Deep Dive into Apache Cassandra for .NET Developers
A Deep Dive into Apache Cassandra for .NET DevelopersLuke Tillman
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2Nikos
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011fangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Etude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueEtude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueValdes Nzalli
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Valdes Nzalli
 
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?Valdes Nzalli
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseValdes Nzalli
 
Internet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISMInternet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISMValdes Nzalli
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminskyDan Kaminsky
 
2011 10-19
2011 10-192011 10-19
2011 10-19Yaoyao Wang
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocketLev Walkin
 
NTLM
NTLMNTLM
NTLMGuang Ying Yuan
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitationegypt
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java DevelopersRichard McDougall
 

Mais conteúdo relacionado

Destaque

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011fangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Etude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueEtude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueValdes Nzalli
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Valdes Nzalli
 
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?Valdes Nzalli
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseValdes Nzalli
 
Internet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISMInternet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISMValdes Nzalli
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 

Destaque (12)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Etude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueEtude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en Afrique
 
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
Cam cybersec fgi_reseaux_sociaux_et_securite_version_1.1
 
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
Pénétration de l'Internet en Afrique : Qu'en est-il des équipements ?
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
 
Internet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISMInternet et Vie Privée Analyse des comportements en Afrique après PRISM
Internet et Vie Privée Analyse des comportements en Afrique après PRISM
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 

Semelhante a Wce12 uba ampliasecurity_eng

Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminskyDan Kaminsky
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocketLev Walkin
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitationegypt
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java DevelopersRichard McDougall
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a servicePino deCandia
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.pptNoName261177
 
イマドキなNetwork/IO
イマドキなNetwork/IOイマドキなNetwork/IO
イマドキなNetwork/IOTakuya ASADA
 
Cassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWSCassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWSAdrian Cockcroft
 
Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCPThe Linux Foundation
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profitimpdefined
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 

Semelhante a Wce12 uba ampliasecurity_eng (20)

Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
2011 10-19
2011 10-192011 10-19
2011 10-19
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
2016-tcpkali-websocket
2016-tcpkali-websocket2016-tcpkali-websocket
2016-tcpkali-websocket
 
NTLM
NTLMNTLM
NTLM
 
Post Metasploitation
Post MetasploitationPost Metasploitation
Post Metasploitation
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.ppt
 
イマドキなNetwork/IO
イマドキなNetwork/IOイマドキなNetwork/IO
イマドキなNetwork/IO
 
Xen and Apache cloudstack
Xen and Apache cloudstack Xen and Apache cloudstack
Xen and Apache cloudstack
 
Cassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWSCassandra Performance and Scalability on AWS
Cassandra Performance and Scalability on AWS
 
Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP Windsor: Domain 0 Disaggregation for XenServer and XCP
Windsor: Domain 0 Disaggregation for XenServer and XCP
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profit
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 

Mais de fangjiafu

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 
Network security
Network securityNetwork security
Network securityfangjiafu
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing securityfangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosfangjiafu
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readmefangjiafu
 

Mais de fangjiafu (20)

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 
Network security
Network securityNetwork security
Network security
 
Ids
IdsIds
Ids
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readme
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Último (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Wce12 uba ampliasecurity_eng

  • 1. Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more… Date: 01-07-2011 Author: Hernan Ochoa <hernan@ampliasecurity.com>
  • 2. Windows Authentication h1 = LMHash(“pwd1”) SAM Database h2 = NTHash(“pwd1”) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Network • The cleartext password is not sent • The NTLM protocol is used
  • 3. NTLM Authentication lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. R’ = f(SAM[lmhash/nthash], C) … … … R’ == R => Access Granted R’ <> R => Access Denied
  • 4. pre-Pass-the-Hash Attacks • After compromising a Windows box… – ‘ Dump’ the SAM • pwdump3/3e/4/5/6/7,fgdump,etc – Administrator:500:0102030405060708090A0B0C0D0E0F10:1020 30405060708090A0B0C0D0E0F10 – Crack/Brute-Force hashes to obtain cleartext password • Takes time.. (e.g.: pentest time is limited) • No guarantee the password will be obtained • Rainbow tables were not widely used – Less computing power, storage, etc – Still, not the answer to everything
  • 5. Pass-The-Hash Technique Published by Paul Ashton in 1997 http://www.securityfocus.com/bid/233/discuss
  • 6. Pass-the-hash Technique lmhash = LMHash(“pwd1”) nthash = NTHash(“pwd1”) Init connection Responds C = challenge random Sends cgarcia, R SAM Database R = f(lmhash/nthash, C) User Hash LM Hash NT cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. • Cleartext password is not needed for NTLM auth … … … • Only lmhash/nthash are needed • No need to crack/brute-force R’ = f(SAM[lmhash/nthash], C) • Just use the hashes directly R’ == R => Access Granted R’ <> R => Access Denied
  • 7. Pass-the-hash: ‘exploitation’ • Modified Smbclient (SAMBA) – smbclient //192.168.1.120/c$ -U Administrator -p 4ECC0E7568976B7EAAD3B435B51404EE:551E3B3 215FFD87F5E037B3E3523D5F6 • Samba-TNG • Many 3rd-party SMB+NTLM stacks – Python, Ruby, Java, etc
  • 8. 3rd-party SMB+NTLM stacks: Limitations • Limited and partial functionality • Always running behind Windows – New functionality has to be implemented, some by reverse engineering • Complex, requires time and effort • Cannot use native Windows applications – They ask for username and cleartext password, not hashes…
  • 10. What is WCE? • Tool to manipulate Windows logon sessions – Add, list, delete, modify – Obtain credentials associated with logon sessions – Pass-the-hash (NTLM) – Pass-the-ticket (Kerberos)
  • 11. Pre-WCE/Pass-the-hash attacks • Without WCE.. – Crack/Brute-force hashes to obtain cleartext password – Crack/Brute-force ´encrypted´ hashes (C,R->NTLM) to obtain cleartext password – Use 3rd-party SMB+NTLM stacks, w/limited and partial functionality – More difficult/not possible to do pass-the-hash while pivoting among Windows boxes
  • 12. Post-WCE/Pass-the-hash attacks • With WCE… – Do Pass-the-hash directly with the hashes • No need to attempt to crack/brute-force hashes • Will be able to use them even if you cannot crack them – 3rd-party SMB+NTLM stacks problems eliminated – Easier to do Pass-the-hash while pivoting among Windows boxes
  • 14. WCE: ‘Steal’ Credentials from memory • New ´attack´ implemented by WCE – It is not Pass-the-hash, it´s another technique.. – Sometimes the two are confused, but they are not the same.. • Allows you to obtain usernames and NTLM hashes stored in memory
  • 15. WCE: ‘Steal’ Credentials from memory • Why are they in memory? • NTLM auth package • SSO cgarcia pwd1 Network
  • 16. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console • Remote logon sessions via RDP • RunAs • Windows Services running under specific user accounts • Windows APIs used by applications • Etc.
  • 17. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Interactive logon sessions at the console cgarcia pwd1
  • 18. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Remote logon sessions via RDP Network
  • 19. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • RunAs
  • 20. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows Services
  • 21. WCE: ‘Steal’ Credentials from memory When are they stored in memory? • Windows APIs used by applications Example:
  • 22. WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash.. – By default, nowadays, Windows does not store the LM hash in the SAM • It is weak; “easy” to crack
  • 23. WCE: ‘Steal’ Credentials from memory • WCE can obtain the LM Hash from memory – Windows generates and stores the hashes in memory, including the LM hash • Interactive sessions • Others previously mentioned – Possible to crack it and obtain cleartext password to use in places where NTLM is not the auth method
  • 24. WCE: ‘Steal’ Credentials from memory Example: The LM Hash is not in the SAM Pwdump output The LM Hash is in memory WCE output
  • 25. WCE: ‘Steal’ Credentials from memory When are they NOT stored in memory? • Network Logons – The hashes never reach the remote server Init Connection Responds C = challenge random Sends cgarcia, R
  • 26. WCE: ‘Steal’ Credentials from memory Post-explotation attack scenario Attacker compromises remote Windows box • Run WCE to obtain credentials stored in memory • Use those hashes to do Pass-The-Hash with WCE
  • 27. Demo #2 WCE: ‘Steal’ credentials from memory
  • 28. WCE: ‘Steal’ Credentials from memory Especially interesting in Windows Domain Environments Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Backups Server Domain User
  • 29. WCE: ‘Steal’ Credentials from memory WITHOUT WCE.. Domain Controller (DC) Domain User Hash LM Hash NT User SAM cgarcia A6BCD.. B0FD1.. SAM ajuarez B90DF.. CCDF.. User Hash LM Hash NT … … … Administ FDDE.. CCDH1.. rador Guest AABCD.. FFD4F.. Domain User Backups Server Attacker • Attacker owns remote Windows box • Only has access to local SAM.. • No Domain Users there, not very useful…
  • 30. WCE: ‘Steal’ Credentials from memory WITH WCE.. Domain Domain:Admi Controller (DC) Domain nistrator:CDB User Hash LM Hash NT User 70D9EDA812 SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. DBF:C9DF712 … … … D09D7DF1C Domain User Backups Server Attacker • Attacker owns Backups server • Obtains credentials from memory.. • Probably will find Domain Users there.. • Can possibly compromise the whole domain!
  • 31. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker
  • 32. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker
  • 33. WCE: ‘Steal’ Credentials from memory Typical Scenario Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller(DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker • WCE ‘steals’ the Domain Administrator Credentials!
  • 34. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • When you RDP to a remote box, you leave the NTLM hashes of your password in the remote server´s memory • NTLM hashes are equivalent to the cleartext password (pass-the-hash+wce) • So, we could say you are leaving there your password…
  • 35. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Even when using pass-through authentication • Credentials (user+domain+hashes) are stored in Domain Controller • But when you use RDP, they are also left in the memory of the remote Windows box you are RDPing to! • Be careful where you are RDPing to…
  • 36. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials • Attacker on the remote Windows box can obtain credentials from memory • Local Administrator • Regular Domain User w/local admin privs • Attacker that owns less secured box, regular users are more vulnerable • Etc.
  • 37. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 38. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 39. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) DBF:C9DF712 Domain User Hash LM Hash NT D09D7DF1C Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain User Workstation Attacker
  • 40. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
  • 41. WCE: ‘Steal’ Credentials from memory RDP ´exposes´ credentials: Example Domain Controller (DC) Domain User Hash LM Hash NT Administrator SAM cgarcia A6BCD.. B0FD1.. ajuarez B90DF.. CCDF.. … … … Domain User Domain:Admi Domain User nistrator:CDB Workstation 70D9EDA812 Attacker DBF:C9DF712 D09D7DF1C
  • 42. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 43. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 44. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off
  • 45. WCE: ‘Steal’ Credentials from memory RDP: Disconnect != Log Off • ´Disconnect´ leaves NTLM hashes in memory • The Logon session is not terminated • ´Log Off´ terminates the logon session • Hashes are erased from memory • Always ´Log Off´! • Users tend to just ´Disconnect´… • Including Administrators..
  • 46. WCE: ‘Steal’ Credentials from memory Zombie Logon Sessions
  • 47. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain Controller (DC) Domain Administrator Domain User Backups Server Attacker Day 1
  • 48. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 1
  • 49. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User • Administrator logs off, Backups Server disconnects, finished what he/she was Attacker doing.. Day 1
  • 50. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain BUG! User Windows does not erase from memory NTLM Backups Server hashes! Attacker Day 1
  • 51. WCE: ‘Steal’ Credentials from memory Bug: Zombie Logon Sessions! Domain:Admi nistrator:CDB Domain 70D9EDA812 Controller (DC) Domain DBF:C9DF712 Administrator D09D7DF1C Domain User Backups Server Attacker Day 31.. ~ A month later..
  • 52. WCE: Pass-the-Ticket (Kerberos) • New attack implemented by WCE v1.2 – First and only tool that implements this AFAIK • Post-exploitation • Equivalent to Pass-The-Hash for NTLM • You can ‘steal’ Kerberos TGT/tickets & use them in other Windows and *Unix boxes
  • 53. WCE: Pass-the-Ticket (Kerberos) • ´Stolen´ tickets can be used to access remote services – Example: SMB shares • The TGT (Ticket Granting Ticket) can be used to create new tickets – Gain access to more services / computers
  • 54. Conclusions • WCE brings new post-exploitation techniques – Pass-the-Hash (NTLM) – Steal NTLM from memory – Pass-the-ticket (Kerberos) • Useful for pentests • You need to know them to defend yourself – Not just to attack..
  • 55. More information • “WCE Internals” Presentation – RootedCon 2011; Madrid, España – More technical details about implementation http://www.ampliasecurity.com/research/WCE_ Internals_RootedCon2011_ampliasecurity.pdf
  • 56. Questions? Thank you! hernan@ampliasecurity.com @hernano @ampliasecurity www.ampliasecurity.com