From zero to SYSTEM on full disk encrypted windows system

Page 1: From zero to SYSTEM on full disk encrypted windows system

From zero to SYSTEM on full disk encrypted Windows system

Nabeel Ahmed & Tom Gilis

Page 2: From zero to SYSTEM on full disk encrypted windows system

From zero to SYSTEM on full disk encrypted windows system

ABOUT US

๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium

๏ I love to break things =)

๏ @NabeelAhmedBE

๏ blog.nabeelahmed.com

๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium

๏ More “boring” stuff like compliancy, …

๏ @tgilis

๏ Co-organizer of BruCON

Page 3: From zero to SYSTEM on full disk encrypted windows system

Inspiration

Page 4: From zero to SYSTEM on full disk encrypted windows system

November 2015

Page 5: From zero to SYSTEM on full disk encrypted windows system

Ian Haken

๏ A new way to defeat FDE

๏ Rogue Domain Controller

๏ Poison Credential Cache

๏ Windows Security Feature bypass

Page 6: From zero to SYSTEM on full disk encrypted windows system

MS15-122

๏ Validates the trust relationship before the local credential cache is updated

๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …)

Page 7: From zero to SYSTEM on full disk encrypted windows system

BitLocker

๏ TPM (Trusted Platform Module)

๏ Pre-boot PIN

๏ USB Key

Page 8: From zero to SYSTEM on full disk encrypted windows system

BitLocker

๏ TPM (Trusted Platform Module)

Page 9: From zero to SYSTEM on full disk encrypted windows system

BitLocker TPM

๏ BitLocker key is stored in TPM

๏ No user interaction when decrypting the drive

๏ Windows login screen is the first and only line of defense

Page 10: From zero to SYSTEM on full disk encrypted windows system

Trust relationship?

๏ Computer account password is used for trust

๏ Randomly generated every 30 days

๏ 2 computer account passwords are stored

๏ Stored in “HKLM\SECURITY\Policy\Secrets\$machine.ACC”

Page 11: From zero to SYSTEM on full disk encrypted windows system

Bypassing the patch

Page 12: From zero to SYSTEM on full disk encrypted windows system

Difference

[Diagram: the exchange with a Legitimate DC shown next to the exchange with a Rogue DC]

Page 13: From zero to SYSTEM on full disk encrypted windows system

Ticket missing

Page 14: From zero to SYSTEM on full disk encrypted windows system

SPN

SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names.

– MSDN

SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port like SERVICE/HOST:PORT.
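The SPN format described above, parsed and checked in an added example. This code is not from the deck or from the Bluebox tool it mentions: the host names, the SPN list and the expected-SPN audit are constructed for illustration. It splits an SPN into service class, host, optional port and optional third part (the documented SERVICE/HOST, SERVICE/HOST:PORT and SERVICE/HOST:PORT/SERVICENAME forms), and reports which of the HOST/ SPNs a domain-joined computer account normally carries (FQDN and NetBIOS forms) are missing from a given list, the kind of check a defender runs when auditing computer accounts.

```python
"""Parse Kerberos service principal names and audit a computer account's HOST SPNs.

Added example (not from the deck or from Bluebox). Handles the documented
forms SERVICE/HOST, SERVICE/HOST:PORT and SERVICE/HOST:PORT/SERVICENAME.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class SPN:
    service: str             # service class (HOST, CIFS, LDAP, ...), normalised to upper case
    host: str                # host name, normalised to lower case (SPN matching is case-insensitive)
    port: Optional[int]      # port from SERVICE/HOST:PORT, else None
    instance: Optional[str]  # third part of a three-part SPN, else None


def parse_spn(text: str) -> SPN:
    """Split an SPN string into its parts; raises ValueError on malformed input."""
    parts = text.strip().split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {text!r}")
    service, host_part = parts[0], parts[1]
    instance = parts[2] if len(parts) == 3 else None
    port = None
    if ":" in host_part:
        # the port follows the last colon of the host part
        host_part, port_text = host_part.rsplit(":", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in SPN: {text!r}")
        port = int(port_text)
    return SPN(service.upper(), host_part.lower(), port, instance)


def is_valid_spn(text: str) -> bool:
    """True if the string parses as an SPN."""
    try:
        parse_spn(text)
        return True
    except ValueError:
        return False


def expected_host_spns(fqdn: str) -> Set[str]:
    """HOST SPNs a domain-joined computer account carries by default: FQDN and NetBIOS forms."""
    fqdn = fqdn.lower()
    return {f"HOST/{fqdn}", f"HOST/{fqdn.split('.')[0]}"}


def missing_host_spns(registered: List[str], fqdn: str) -> Set[str]:
    """Expected HOST SPNs absent from the account's servicePrincipalName values."""
    plain = {f"{s.service}/{s.host}" for s in map(parse_spn, registered)
             if s.port is None and s.instance is None}
    return expected_host_spns(fqdn) - plain


# Constructed sample: SPNs as they might be read from a workstation's computer account.
SAMPLE_SPNS = [
    "HOST/ws01.corp.example",
    "HOST/WS01",
    "RestrictedKrbHost/ws01.corp.example",
    "TERMSRV/ws01.corp.example",
    "MSSQLSvc/ws01.corp.example:1433",
]

if __name__ == "__main__":
    for spn in SAMPLE_SPNS:
        print(parse_spn(spn))
    print("missing:", missing_host_spns(SAMPLE_SPNS, "ws01.corp.example") or "none")
```

Service class and host are normalised before comparison because Active Directory treats SPNs case-insensitively; the port and the optional third part are kept separate so that `MSSQLSvc/host:1433` is not mistaken for a HOST SPN.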

Page 15: From zero to SYSTEM on full disk encrypted windows system

Demo time

Page 16: From zero to SYSTEM on full disk encrypted windows system

Kerberos Password change

[Diagram: Kerberos password change exchange, labelled EXP_PASS]

Page 17: From zero to SYSTEM on full disk encrypted windows system

Kerberos Password change

[Diagram: Kerberos password change exchange, labelled EXP_PASS and NEW_PASS]

Page 18: From zero to SYSTEM on full disk encrypted windows system

Conclusion

๏ Checks if a service ticket (T) has been received, BUT only validates AFTER the password change

๏ MS16-014 / CVE-2016-0049

๏ “Suggested workaround”: disable local password caching

๏ Patched on all supported Windows versions
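The two host settings this deck leans on, the 30-day machine account password rotation from the “Trust relationship?” slide and the “suggested workaround” of disabling local password caching above, can be audited from a registry export. The following is an added example, not code from the deck or from Bluebox. The key paths and value names are the documented Winlogon (`CachedLogonsCount`, a REG_SZ whose Windows default is 10; 0 disables caching) and Netlogon Parameters (`DisablePasswordChange`, `MaximumPasswordAge`, default 30 days) values; the `.reg` text is a constructed sample, and treating anything other than 0 cached logons or anything slower than 30 days as a finding is this example's own policy.

```python
"""Audit a Windows registry export (.reg text) for credential caching and machine password rotation.

Added example, not from the slide deck. Flags:
  * Winlogon CachedLogonsCount != 0   (domain credential caching enabled)
  * Netlogon DisablePasswordChange = 1 or MaximumPasswordAge > 30
    (machine account password no longer rotated every 30 days)
"""
import re
from typing import Dict, List

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed sample export (not from a real host): caching left at the default of 10
# and machine password rotation switched off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"DefaultDomainName"="CORP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"MaximumPasswordAge"=dword:0000001e
'''

_KEY = re.compile(r"^\[(.+)\]$")
# "Name"="string"   or   "Name"=dword:hhhhhhhh
_VAL = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} for the REG_SZ and REG_DWORD entries of an export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name, string_value, dword_hex = m.groups()
            current[name] = string_value if string_value is not None else int(dword_hex, 16)
    return keys


def audit(text: str) -> List[str]:
    """Findings for the two settings discussed in the deck, as readable strings."""
    keys = parse_reg(text)
    findings = []
    cached = keys.get(WINLOGON, {}).get("CachedLogonsCount", "10")  # Windows default is 10
    if str(cached) != "0":
        findings.append(f"CachedLogonsCount={cached}: domain logon caching enabled")
    netlogon = keys.get(NETLOGON, {})
    if netlogon.get("DisablePasswordChange", 0) == 1:
        findings.append("DisablePasswordChange=1: machine account password rotation disabled")
    if netlogon.get("MaximumPasswordAge", 30) > 30:
        findings.append(f"MaximumPasswordAge={netlogon['MaximumPasswordAge']}: rotation slower than 30 days")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG) or ["no findings"]:
        print(finding)
```

On a real host the input would come from `reg export` of the two keys; the parser deliberately reads only REG_SZ and REG_DWORD lines, which is all these settings use.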

Page 19: From zero to SYSTEM on full disk encrypted windows system

Bluebox

๏ Automated exploitation of MS15-122 and MS16-014

๏ Less than 1 minute

๏ Written in Python

๏ Portable (Raspberry Pi)

๏ Kudos to Ian Haken (@ianhaken)

๏ https://github.com/JackOfMostTrades/bluebox

Page 20: From zero to SYSTEM on full disk encrypted windows system

WHAT’s NEXT ?

๏ Extract any personal data

  o Documents, emails, passwords…

๏ Requires admin privileges to:

  o Retrieve BitLocker Recovery Key (or disable it)

  o Install Malware

  o Extract data from other users

  o …

Page 21: From zero to SYSTEM on full disk encrypted windows system

Trust relationship?

๏ Trust relationship is not always validated

๏ Working Active Directory set-up

๏ Any other Windows functionality missing trust validation?

Page 22: From zero to SYSTEM on full disk encrypted windows system

PRIVILEGE ESCALATION

Will Group Policies work?

๏ Works on all supported Windows versions

๏ No need for additional (vulnerable) software

๏ No specific configuration requirements

Page 23: From zero to SYSTEM on full disk encrypted windows system

Group Policies

User Configuration              | Computer Configuration
--------------------------------|--------------------------------
During login (or on refresh)    | Before login (or on refresh)
User or SYSTEM privileges       | SYSTEM privileges
User account password           | Machine account password

Page 25: From zero to SYSTEM on full disk encrypted windows system

Group policies

Page 26: From zero to SYSTEM on full disk encrypted windows system

EXAMPLE – CMD AS SYSTEM

1. New Group Policy and assign it to the user account

2. Add the following configuration to the policy:

   • Download file (e.g. NetCat.exe)

   • Run NetCat as SYSTEM

   • Connect to service as User

[Screenshot: scheduled task GPO]

Page 27: From zero to SYSTEM on full disk encrypted windows system

It works!?

Page 28: From zero to SYSTEM on full disk encrypted windows system

Why does it work?

๏ Client can successfully authenticate against the DC using its credentials

๏ All encrypted traffic remains intact (SMB, LDAP, RPC)

๏ Assumes that the user credentials are sufficient to acknowledge the trust relationship

๏ Reported to Microsoft, who acknowledged the vulnerability but ...

Page 29: From zero to SYSTEM on full disk encrypted windows system

IS it NEW ?

๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015

๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)

๏ Jennings’ conclusion: “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”

Page 30: From zero to SYSTEM on full disk encrypted windows system

WINDOWS 10 ?

Page 32: From zero to SYSTEM on full disk encrypted windows system

WIN 7 vs Win 10

Page 34: From zero to SYSTEM on full disk encrypted windows system

User SID

S-1-5-21-124525095-708259637-1543119021-20937

[Annotated on the slide: the leading part S-1-5-21-124525095-708259637-1543119021 is the Domain Security Identifier (uses the Machine SID when a new domain is created); the trailing 20937 is the Relative ID (incremental)]
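The SID layout annotated above, as an added example that is not from the deck: a small parser that separates the domain security identifier from the relative ID, using the SID shown on the slide as its sample input. The expected domain SID and the mismatching SID used in the check are constructed values. Splitting the SID this way shows why the domain identifier is the part that has to agree between a domain controller and the clients it serves, and it is the comparison a defender makes when verifying that a SID seen in a token or an event log really carries the expected domain identifier.

```python
"""Split a Windows SID into its domain security identifier and relative ID (RID).

Added example, not from the slide deck. The sample SID is the one shown on
the slide; the expected-domain check values are constructed.
"""
import re
from typing import NamedTuple, Optional

# S-<revision>-<identifier authority>-<sub-authority>...
_SID = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


class SID(NamedTuple):
    revision: int
    authority: int
    subauthorities: tuple  # all sub-authorities; for account SIDs the last one is the RID


def parse_sid(text: str) -> SID:
    """Parse the textual S-R-A-S1-S2-... form; raises ValueError on anything else."""
    m = _SID.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return SID(int(m.group(1)), int(m.group(2)), subs)


def is_account_sid(sid: SID) -> bool:
    """Domain (and local machine) account SIDs have the shape S-1-5-21-<3 x 32-bit>-<RID>."""
    return (sid.revision == 1 and sid.authority == 5
            and len(sid.subauthorities) == 5 and sid.subauthorities[0] == 21)


def domain_of(text: str) -> Optional[str]:
    """Domain security identifier: the SID with its RID removed; None for non-account SIDs."""
    sid = parse_sid(text)
    if not is_account_sid(sid):
        return None
    return "S-%d-%d-%s" % (sid.revision, sid.authority,
                           "-".join(map(str, sid.subauthorities[:-1])))


def rid_of(text: str) -> int:
    """Relative ID: the last sub-authority (values below 1000 are reserved for well-known principals)."""
    return parse_sid(text).subauthorities[-1]


def belongs_to_domain(user_sid: str, expected_domain_sid: str) -> bool:
    """True if the account SID carries exactly the expected domain identifier."""
    return domain_of(user_sid) == expected_domain_sid.strip()


SLIDE_SID = "S-1-5-21-124525095-708259637-1543119021-20937"  # the SID shown on the slide

if __name__ == "__main__":
    print("domain:", domain_of(SLIDE_SID))
    print("RID:   ", rid_of(SLIDE_SID))
    # constructed: same RID, different domain identifier
    print("same domain?", belongs_to_domain("S-1-5-21-1-2-3-20937", domain_of(SLIDE_SID)))
```

Well-known SIDs such as S-1-5-18 (LOCAL SYSTEM) have no domain part, so `domain_of` returns None for them instead of producing a meaningless prefix.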

Page 35: From zero to SYSTEM on full disk encrypted windows system

Setting the SID

๏ Possibilities:

  o Setting the Machine SID before the AD is created:

    o Windows SysPrep – Generates new “random” SID

    o Commercial tools exist

  o Off-line edit the NTDS.DIT File

  o SAMBA NT4 PDC to AD-DC

Lengthy, complex and prone to errors

Page 36: From zero to SYSTEM on full disk encrypted windows system

mimikatz to the rescue

Page 37: From zero to SYSTEM on full disk encrypted windows system

Demo time

Page 38: From zero to SYSTEM on full disk encrypted windows system

Conclusion

๏ First validates trust with computer account

๏ MS16-072 / CVE-2016-3223

๏ Took approx. 8 months to patch and then …

Page 39: From zero to SYSTEM on full disk encrypted windows system

Page 40: From zero to SYSTEM on full disk encrypted windows system

Recovering original password

๏ (convert .sys to .dmp)

๏ WinDbg

๏ Mimikatz (extract plaintext credentials)

๏ Only Windows 7 and below

[Flowchart with the stages: Force Hibernation; Bypass login screen; Elevate privileges; Extract HIBERFIL.SYS; Reset Local Password Cache]

Page 41: From zero to SYSTEM on full disk encrypted windows system

timeline

Page 43: From zero to SYSTEM on full disk encrypted windows system

Takeaways

๏ Trust relationships not always validated

๏ Don’t take physical security for granted

๏ Backwards compatibility makes patching very difficult

๏ Bypassing authentication and escalating privileges without a single line of code

๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki

๏ Third time’s a charm?

  o November 2015 (MS15-122)

  o February 2016 (MS16-014)

  o … July 2016 (MS16-???)

@nabeelahmedbe
blog.ahmednabeel.com
@tgilis