
Page 1: Authentication - ENSIMAG › images › 2 › 2e › SecurIMAG... · 4.1.3. Kerberos: authentication & service access 27 4MMSR - Network Security - 2010-2011 User / computer Identity

• Description: whether you are in favor of it or against it, the Windows NT OS leaves no IT engineer or researcher indifferent.
• This week we will focus on the authentication mechanisms in a Microsoft environment: SSPI, Kerberos, NTLM.
• Lecturer: Fabien Duchene

Windows security for n00bs | part 2 Authentication
SecurIMAG
2011-05-12

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP Ensimag

Page 2

Summary

SecurIMAG - Windows security for n00bs | part 1 - Fabien Duchene - 2011-05-12

• 3. Authentication (Fabien)
• 4. Network (Fabien)

Page 3

Authentication

• Winlogon
• SSPI
• AuthZ API
• Identity stores:
  o Active Directory LDAP
  o Security Account Manager
• Authentication protocols:
  o Theory: NSPK
  o Kerberos
  o LM
  o NTLM
• Password Policy

Page 4

Identity stores

• Security Account Manager
• Active Directory

Page 5

Security Account Manager

• HKLM\SAM
• LOCAL database containing Security Principals:
  o Users
  o Groups
• LSASS.exe (Windows XP, Vista & 7)
  o On Windows XP - DLL: SAMSRV.DLL

Page 6

Security Account Manager - visualization

• Graphically: lusrmgr.msc

Page 7

Security Account Manager - visualization

• Command line:

C:\Users\alejandr0>net localgroup

Aliases for \\PC-LIG-ALEJ

---------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*HomeUsers
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.

Page 8

Active Directory

• LDAP
• Stores objects

Page 9

ADDS – joining a domain

Page 10

WinLogon

• Names & architecture:
  • XP: MSGINA
  • Vista, 7: Credential Providers
• Features:
  • SAS: Secure Attention Sequence (ctrl+alt+del)
  • User profile load
    • NTUSER.DAT -> HKEY_CURRENT_USER
  • Screensaver
  • Window station & Desktop protection (RDP)

Page 11

3.4.1.3. Authentication – Windows XP

• SSPI: lets applications establish a secure channel

[Figure: Windows XP authentication architecture. Components shown: LSA, Winlogon, GINA, authentication package, Application, SSPI (Security Support Provider Interface) with the Negotiate SSP, Kerberos SSP, NTLM SSP, Schannel SSP and Digest SSP. Related APIs on Windows XP: authentication API: SSPI; smart card API: PC/SC; biometrics API: BioAPI.]

Page 12

Authentication – Windows NT 6+

Source: Technical overview of the Microsoft PKI ADCS 2008 R2

Page 13

Sources: Technical overview of the Microsoft PKI ADCS 2008 R2; Windows NT security, Cunsheng Ding, HKUST, Hong Kong, CHINA

Page 14

Impersonation & delegation

• Impersonation
• Delegation

Page 15

LM

• LM hash = 16 bytes

Page 16

NTLM

• Identity store: ADDS, SAM
• Challenge-response
• No delegation (credential forwarding)
• Client-only authentication

Page 17

Get the LM / NTLM hash

• Tools such as pwdump

C:\Windows\system32>pwdump7
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
adm-alejandr0:1001:NO PASSWORD*********************:7F761738135F8792D63143CE3A3ED65F:::
HomeGroupUser$:1002:NO PASSWORD*********************:C203A517500BAEFA571A0FA78767EF63:::
alejandr0:1003:NO PASSWORD*********************:E011DD6FDA2C0954E210726960862FDC:::

Page 18

SeDebug privilege default permissions

Page 19

How does that crap work?

• Requirements:
  • Ability to elevate (i.e. a member of the local SAM group Administrators)
  • LSASS (user process; identity: SYSTEM)
• Method:
  • Elevate
  • Get the SE_DEBUG privilege in your token
  • Inject
  • Access the live SAM_SECURITY registry hive

Page 20

NTLMv2

Page 21

AuthZ API

Page 22

NSPK

Page 23

NSPK - attack

• Replay attack

Denning, Dorothy E.; Sacco, Giovanni Maria (1981). "Timestamps in key distribution protocols". Communications of the ACM.

Page 24

4.1.3. Kerberos

4MMSR - Network Security - 2010-2011

• Authentication and authorization protocol developed by MIT (Project ATHENA), ~ Single-Sign-On
• Current version: v5, RFC 4120
• Assumption: the network may be untrusted
• Relies on the existence of a trusted third party, the KDC ("Key Distribution Center")
• Cryptography:
  • mainly symmetric
  • possibly asymmetric (e.g. smart card authentication)
• Variants:
  • MIT Kerberos
  • Microsoft Kerberos, Windows NT (>= 2000)
  • Heimdal Kerberos, Sweden

Kerberos & Herakles (Cerberus & Hercules)

Page 25

4.1.3. Kerberos: authentication & service access

Actors: User / computer; Key Distribution Center (KDC) = Identity provider, Authentication Server (AS) + Ticket Granting Service (TGS); GC; Service Server (eg: issuing CA).

1. User -> AS: "I am Mossen. I need a Ticket to Get Tickets" (TGT)
2. AS -> User: "Here is a TGT you will only be able to decrypt if you know the shared secret (user/comp. pwd)"
3. User -> TGS: "I want to access the 'Issuing CA' service. Here is a proof I decrypted the TGT"
4. TGS -> User: "Here is a Service Ticket containing your information for accessing the Issuing CA service" (UserSID, GroupMembershipsSIDs)
5. User -> Service Server: Service Ticket
6. Service communication

Source: Introduction to the Microsoft PKI ADCS 2008 R2 (2011), Fabien Duchene, Sogeti-ESEC

Page 26

4.1.3. Kerberos: client authentication (1, 2)

• Client_ID: Security Principal Name (username, computername…)
• [msg]key: encryption of msg with the key key
• K_client: hash of the client's password (user/comp.)
• K_client-TGS: session key generated by the AS

Exchange between the User / computer and the Identity provider, Authentication Server (KDC):
1: Client_ID
2.1: [Client-TGS_Session_key]K_client
2.2: "Ticket-to-Get-Ticket" = [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS

User / computer knows: K_client
KDC knows: K_client, K_TGS, K_cli-TGS

Page 27

4.1.3. Kerberos: service access (5, 6)

• Client-to-Server ticket: [client_ID, client_FQDN, TCS_validity_period, K_client-svc]K_req_svc
• K_client-SS: session key between the client and the SS

Exchange between the User / computer and the Service Server (eg: issuing CA):
5.1: "Client-to-Server ticket"
5.2: "Authenticator-2" = [Client_ID, timestamp]K_client-SS
6: [timestamp_in_5.2 + 1]K_client-SS : "OK, I can serve you"
7: client-side check: is timestamp = timestamp_5.2 + 1? If so, I can trust that service

User / computer knows: K_client, K_client-SS

Page 28

4.1.3. Kerberos – Cross-domain access

• A trust relationship is established by means of a key shared between the domains; thanks to it, referral tickets (cross-domain TGTs) are sent

[Figure: two domains, corp.ensimag.fr and domaine..phelma.fr. The "TRUSTING domain" contains the resources / Service Server (eg: issuing CA); the "TRUSTED domain" contains the identities. Steps 1-6 go through the AS and the TGS before reaching the Service Server; the cross-domain TGT is protected with the shared inter-domain key K_AS(ensimag)-TGS(phelma).]

Page 29

4.1.3. Kerberos: Smart Card authentication

• Client_ID: Security Principal Name (username, computername…)
• [msg]key: encryption of msg with the key key
• K_client_pub, K_client_priv: asymmetric key pair
• K_client-TGS: session key generated by the AS

Exchange between the User / computer and the Identity provider, Authentication Server (KDC):
1: [Client_ID]K_client_PRIV
2.1: [Client-TGS_Session_key]K_client_PUB
2.2: "Ticket-to-Get-Ticket" = [client_ID, client_FQDN, TGT_validity_period, K_client-TGS]K_TGS

User / computer knows: K_client_PUB, K_client_PRIV
KDC knows: K_client_PUB, K_TGS, K_cli-TGS

Page 30

4.1.3. Kerberos and Windows: API and calls

Page 31

Kerberos dependencies

• OS: Windows ≥ 2000
• TCP/IP
• DNS – DC authority localization
• Active Directory – authority
• NTP: clock synchronization
• SPN (Service Principal Names): resource localization

Page 32

4.1.3. Kerberos: optimisations

• Optimisations
  • Tickets and session keys are cached on the client
  • A mechanism makes it possible to obtain tickets without having to re-enter the password:
    o a short-lived Ticket-Granting-Ticket (TGT)
    o the KDC issues tickets upon presentation of the TGT
• Default parameters
  • TGT validity = 10 h
  • TGS validity = 10 h
  • 5 minutes MAX difference between client, AS, TGS, SS: NTP synchronisation

Page 33

Kerberos threats

• Threats
  • single point of failure: if there is only one KDC
  • impersonation: if at least one KDC is compromised, any user could be impersonated

Page 34

Page 36

Kerberos Attacks

• KDC spoofing: old PAM_KRB5 implementation (no authorization)

Page 37

Weak cipher

• Cipher: DES (weak) initially used. Negotiation not authenticated
  • Get a ticket
  • Brute-force it (assuming the cipher is known)
• Counter-measure:
  • Windows 7: DES disabled for Kerberos authentication

Page 38

Replay attack: sniff and resend 5. KRB_AP_REP

o KRB_AP_REP: validity duration (generally 5 minutes), source IP
o The Service Server stores a cache of requests. Multiple identical KRB_AP_REP are ignored

Page 39

Ticket cache attack ("file" on the client system)

• Attack assumptions:
  • Debug privilege (by default, only members of the local SAM Administrators group are allowed)
  • LSASS.exe is a process (user; SYSTEM)
• Attack goals:
  • Get cached hashes
• Method:

Page 40

Get that hash - method

• Elevate
• Get the SE_DEBUG privilege in your token
• Inject

Page 41

Q

Page 42

Pass the ticket

• Pass the Ticket: ability to authenticate on the client. Only the Microsoft implementation is vulnerable, and it is not yet corrected.

Attacking and fixing the Microsoft Windows Kerberos login service, Tommaso Malgherini and Riccardo Focardi, Università Ca' Foscari, Venezia

Page 43

Kerberos – basic hardening

• Hash computation:
  • Stronger cipher (AES-128, AES-256 instead of DES)

Page 44

Kerberos - Hardening - lifetime

• Ticket lifetime:

Page 45

NTLM vs Kerberos: scalability

[Figure: NTLM: the Client talks to the Server, and the Server contacts the NTLM Authority for each authentication (n server<->authority exchanges for n clients). Kerberos: the Client talks to the AD Authority (AS, TGS) and then to the Server; the Server does not contact the authority in real time.]

Kerberos
• Fewer client-server exchanges
• No real-time server<->authority exchanges (only during the SPN registration)
• Scalability