Windows Passwords Presentation ISSA-UK

  • Published on
    14-Jan-2015

DESCRIPTION

Presentation Slide deck for ISSA-UK evening - "Access Controls : Perhaps we need better"

Transcript

1. ISSA-UK October 2013

2. Your speaker - James McKinlay
  • Information Security Manager, ASDA
  • IS Security and Audit Manager, Manchester Airports Group
  • Information Security Team Leader, HML, part of Skipton Building Society
  • Easy to find on LinkedIn

3. Exec summary - take back control
  • Hash dumps and hash cracking make sensational headlines
  • With a bit of back-to-basics security thinking we can make sure it is not our companies in the news for all the wrong reasons
  • We will look at preventative and detective controls we can deploy to keep ahead of the attackers

4. In the headlines
  • The one that got my attention was LinkedIn, June 2012

5. In the forums
  • LinkedIn, June 2012 - forum.insidepro.com

6. http://www.skullsecurity.org/wiki/index.php/Passwords

7. http://www.adeptusmechanicus.com/codex/hashpass/

8. Two-part problem
  • None of this is new (I first saw this over 20 years ago)
  1) Acquire the hashes - this will leave evidence
  2) Reverse the hashes - once the data is out, the rest can be done offline (a classic DLP problem)

9. But they are encrypted, aren't they?
  • Symmetric encryption - pre-shared secret
  • Asymmetric encryption - one key to lock, a different key to unlock
  • One-way hashing algorithm - SHA1, MD5, NTLM

10. What is out there
  • Lots of hash dumps come from hacked web-facing applications - Pastebin, Paste2, InsidePro, MD5Decrypter
  • Not a lot of NTLM / Active Directory material being traded, dumped or discussed
  • Pentesters often root a DC but are not leaking (this is a good thing)

11. Who remembers the info-sec laws?
  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
  • Law #5: Weak passwords trump strong security
  • http://technet.microsoft.com/library/cc722487.aspx

12. The basics
  • It is safe to accept that if an attacker has a domain administrator username and password combination they can go anywhere, do anything and cover their tracks.
  • At this stage it is game over for the defenders and, depending on the skill level of the attacker, if you find them at all it will be down to detective controls and forensic post-incident investigation.
  • But don't panic: we can make it extremely difficult for an attacker to get to this stage and extremely easy for the defenders to know if it has happened.
  • Good preventative and detective controls combined with good incident response procedures can give you confidence that you know who does what, when and where. Why is not always so easy to understand.

13. Now what should we be doing?

14. Pentesting Windows networks
  1) Compromise an unpatched machine (preferably a member server)
  2) Priv esc to local admin
  3) Dump cached credentials
  4) Reverse the password of a server support team member of staff
  5) See if they are a domain admin - repeat until you get one
  6) Dump the Active Directory hashes for all accounts (and you can go anywhere, as anyone, and do anything)

15. Protection 101
  1) Harden your domain controller
  2) Harden your member servers
  3) Harden and AV your workstations
  4) Educate your users
  • PCI DSS, SANS CAG

16. What do we mean by harden?
  • CIS Benchmarks
  • NIST SP 800 series / DISA STIG
  • CPNI GPG guides
  • Microsoft Security (Threats and Countermeasures) (Securing Services) (Manage Auditing and Security Log)
  • Core (command-line only) builds

17. Principles 101
  • Least privilege
  • Defence in depth
  • Fail safe
  • Only as strong as the weakest link
  • Tone at the top
  • Keep it simple
  • Segregate
  • Default deny

18. Protection 202
  1) Harden DC
  2) Harden / segregate Active Directory
  3) Set up a break-glass procedure for key accounts
  4) Secure services
  5) Set up incident response procedures for compromised accounts
  6) Set up and tune SIEM
  7) Test all of the above, then perform a password audit

19. Things to eliminate
  • LM hashes in the security database
  • Services that run as domain admin (SMS, SCCM, Altiris etc.)
  • Users that do not have separate accounts for admin duties
  • Why do you need so many? Schema Admins, Enterprise Admins, Domain Admins

20. Things you don't need to do without
  • Windows Firewall
  • Windows USB storage blocking
  • Automatic Windows Updates
  • All can be mandatory; all can be controlled through Active Directory

21. Things to watch out for
  • Watch the security (and system) logs on your DC
  • Run hacking tools against your DC and look for the evidence in your logs
  • Set a real-time alert in your log monitoring solution
  • What do you mean you don't monitor the logs of critical servers in real time!!!

22. How do they get them?
  • First catch your rabbit - you need to get the security database. There are many ways; here are some:
  • fgdump - point it at a domain controller if you have admin rights
  • pwdump - older version of fgdump
  • Abel from Cain & Abel - install on a domain controller if you have admin rights
  • Meterpreter scripts - if you have rooted a DC using Metasploit
  • SAM backup files (local machines)
  • SAM files (stolen by Linux LiveCD)

23. How do they crack them?
  • Easy to use, Windows GUI, great introduction to cracking - Cain & Abel
  • Powerful command-line tools written for speed - John the Ripper / Hashcat
  • GPU specials - oclHashcat-plus, latest community version of JtR, Cryptohaze
  • Rainbow tables (Ophcrack / freerainbowtables.org / Cryptohaze)
  • Internet databases (tmto.org / md5decrypter.co.uk)
  • Crowd sourcing (forum posts at insidepro.com)
  • Don't limit research to just the Internet: darknet (Tor hidden services)

24. What is our exposure?
  • Enterprise administrator user accounts
  • Domain administrator user accounts
  • Domain administrator service accounts
  • Backup tapes / backup files
  • Virtual machine snapshots
  • Local administrator accounts on machines visited by domain administrators

25. Before conducting a PW audit
  • Establish and test the process for service account password reset
  • Establish and test the process for special account password reset
  • Set ground rules for the auditor
  • Monitor the process
  • Destroy the hashes afterwards

26. PW audit groundwork
  • Number of AD objects that require a login
  • Number of machine accounts
  • Number of disabled accounts
  • Password age data converted into days
  • Password change exceptions
  • Number of accounts with an expiry date set

27. Time is precious - thank you for yours
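The groundwork numbers from slide 26 and the privileged-group review from slide 19 can be gathered with one script, shown here as an added example that is not part of the deck; it assumes the RSAT ActiveDirectory module and a domain account that can read user, computer and group objects.

```powershell
# Added example, not from the slide deck. Collects the slide 26 "PW audit
# groundwork" figures and reviews the three tier-0 groups named on slide 19.
# Assumes the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

$props     = 'Enabled', 'PasswordLastSet', 'PasswordNeverExpires', 'AccountExpirationDate'
$users     = Get-ADUser -Filter * -Properties $props
$computers = Get-ADComputer -Filter *
$enabled   = $users | Where-Object { $_.Enabled }
$now       = Get-Date

# Slide 26 counts: enabled users are the objects that require a login;
# "password change exceptions" are accounts whose password never expires.
$groundwork = [ordered]@{
    'AD objects that require a login'  = $enabled.Count
    'Machine accounts'                 = $computers.Count
    'Disabled accounts'                = ($users   | Where-Object { -not $_.Enabled }).Count
    'Password change exceptions'       = ($enabled | Where-Object { $_.PasswordNeverExpires }).Count
    'Accounts with an expiry date set' = ($enabled | Where-Object { $_.AccountExpirationDate }).Count
}
$groundwork

# Password age converted into days and bucketed so stale passwords stand out.
# Accounts with no PasswordLastSet (must change at next logon) are skipped.
$enabled |
    Where-Object { $_.PasswordLastSet } |
    ForEach-Object { [int]($now - $_.PasswordLastSet).TotalDays } |
    Group-Object {
        $d = $_
        if ($d -le 90) { '0-90 days' } elseif ($d -le 365) { '91-365 days' } else { 'over 365 days' }
    } |
    Select-Object Name, Count

# Slide 19: who sits in Schema/Enterprise/Domain Admins, and do any of them
# look like service accounts (non-expiring password, SPN registered)?
foreach ($group in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordNeverExpires, ServicePrincipalName, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $group } },
            SamAccountName,
            PasswordNeverExpires,
            @{ n = 'HasSPN';     e = { $_.ServicePrincipalName.Count -gt 0 } },
            @{ n = 'PwdAgeDays'; e = { if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } } }
}
```

A member of a tier-0 group with both HasSPN true and PasswordNeverExpires true is the "service that runs as domain admin" slide 19 says to eliminate.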
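For slide 21 (watch the DC security log, confirm the evidence is there after a test, then alert on it), this added example, not from the deck, pulls additions to the slide 19 groups out of a domain controller's Security log; the DC name and look-back window are placeholders, and the caller needs rights to read the remote Security log.

```powershell
# Added example, not from the slide deck. Lists members added to the tier-0
# groups from slide 19 by reading a DC's Security log; use it to check that a
# test change shows up, and build the SIEM real-time rule on the same fields.
$dc       = 'dc01.example.internal'      # placeholder, not from the slides
$lookBack = (Get-Date).AddHours(-24)     # placeholder window
$watched  = 'Schema Admins', 'Enterprise Admins', 'Domain Admins'

# 4728 = member added to a security-enabled global group (Domain Admins),
# 4756 = member added to a security-enabled universal group (Enterprise/Schema Admins).
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4756; StartTime = $lookBack
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error

foreach ($e in $events) {
    # Read the EventData fields by name from the XML rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($watched -notcontains $data['TargetUserName']) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Group   = $data['TargetUserName']
        Member  = $data['MemberName']
        AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
```

If a deliberate test addition does not appear, check that "Audit Security Group Management" is enabled on the DC before tuning the alert.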