From zero to SYSTEM on full disk encrypted Windows system
Nabeel Ahmed & Tom Gilis
ABOUT US
๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium
๏ More “boring” stuff like compliance, …
๏ @tgilis
๏ Co-organizer of BruCON
Inspiration
November 2015
Ian Haken
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature bypass
MS15-122
๏ The fix validates the trust relationship with the DC before the local credential cache is updated
๏ Affects Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …)
BitLocker
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB Key
BitLocker TPM (TPM-only protector)
๏ BitLocker key is sealed by the TPM and released automatically at boot
๏ No user interaction when decrypting the drive
๏ Windows login screen is the first and only line of defense
Trust relationship?
๏ Computer account password is used for trust
๏ Randomly generated every 30 days
๏ 2 computer account passwords are stored (current and previous)
๏ Stored in HKLM\SECURITY\Policy\Secrets\$machine.ACC
Bypassing the patch
Difference
[Screenshot comparison: legitimate DC vs rogue DC]
Ticket missing
SPN
“SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names.” – MSDN
SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port like SERVICE/HOST:PORT.
Demo time
Kerberos Password change
[Diagram, two slides: cached password ?????????? / EXP_PASS (expired), then NEW_PASS after the forced change]
Conclusion
๏ The MS15-122 fix checks whether a service ticket (T) has been received, BUT only validates it AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ “Suggested workaround”: disable local password caching
๏ Patched on all supported Windows versions
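The SPN format above and the ordering bug behind MS16-014, as an added example that is not code from the talk, from bluebox or from Windows itself: a small Python model in which the rogue DC can do everything the client sees except issue a service ticket for the workstation's own SPN, because it never had the computer account password. The two logon routines differ only in when the trust check runs relative to the forced password change. The names (WS01, corp.local) and the HMAC "ticket" are assumptions of the illustration; real Kerberos tickets are encrypted structures, not HMACs.

```python
"""Added example, not code from the talk or from bluebox: a simplified
model of the cached-logon flow patched by MS15-122 and MS16-014.

A rogue DC controls everything the client sees except one thing: it does
not know the computer account password, so it cannot issue a service
ticket for the workstation's own SPN (the "ticket missing" observation).
A correct client asks for that ticket and checks it BEFORE it touches the
local credential cache. The vulnerable ordering performs the forced
password change (and the cache update) first and only then checks the
ticket, which is the ordering bug behind MS16-014.

Assumptions: names (WS01, corp.local) and the toy ticket (an HMAC under
the machine key); real Kerberos tickets are not HMACs.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed values for the illustration.
MACHINE_KEY = hashlib.sha256(b"constructed machine account password").digest()
WORKSTATION_SPN = "HOST/WS01.corp.local"


def parse_spn(spn: str) -> Tuple[str, str, Optional[int]]:
    """Split SERVICE/HOST or SERVICE/HOST:PORT into (service, host, port)."""
    service, sep, host_port = spn.partition("/")
    if not sep or not service or not host_port:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = host_port.partition(":")
    if not host or (port and not port.isdigit()):
        raise ValueError(f"malformed SPN: {spn!r}")
    return service, host.lower(), int(port) if port else None


def ticket_for(key: bytes, spn: str) -> bytes:
    """Toy service ticket: binds the normalised SPN to the machine key."""
    service, host, port = parse_spn(spn)
    name = f"{service}/{host}" + (f":{port}" if port else "")
    return hmac.new(key, name.encode(), hashlib.sha256).digest()


@dataclass
class DomainController:
    machine_key: Optional[bytes]   # None for a rogue DC: it never had the machine password
    password_expired: bool         # the rogue DC reports the user's password as expired

    def service_ticket(self, spn: str) -> Optional[bytes]:
        return None if self.machine_key is None else ticket_for(self.machine_key, spn)


@dataclass
class Workstation:
    machine_key: bytes
    spn: str
    cached_password: str
    log: List[str] = field(default_factory=list)

    def dc_is_trusted(self, dc: DomainController) -> bool:
        """Mutual authentication: the ticket must verify under our own key."""
        ticket = dc.service_ticket(self.spn)
        return ticket is not None and hmac.compare_digest(ticket, ticket_for(self.machine_key, self.spn))

    def logon_vulnerable(self, dc: DomainController, new_password: str) -> bool:
        """Forced password change (and cache update) first, ticket check afterwards."""
        if dc.password_expired:
            self.cached_password = new_password      # a rogue DC poisons the cache here
            self.log.append("cache updated")
        trusted = self.dc_is_trusted(dc)
        self.log.append(f"trust check: {trusted}")
        return trusted

    def logon_fixed(self, dc: DomainController, new_password: str) -> bool:
        """Trust first: an untrusted DC never reaches the cache."""
        if not self.dc_is_trusted(dc):
            self.log.append("untrusted DC, cache untouched")
            return False
        if dc.password_expired:
            self.cached_password = new_password
            self.log.append("cache updated")
        return True


def run_scenario(rogue: bool, fixed: bool) -> Tuple[bool, str]:
    """Return (DC trusted?, password left in the cache) for one combination."""
    ws = Workstation(MACHINE_KEY, WORKSTATION_SPN, cached_password="original-secret")
    dc = DomainController(None if rogue else MACHINE_KEY, password_expired=True)
    ok = ws.logon_fixed(dc, "NEW_PASS") if fixed else ws.logon_vulnerable(dc, "NEW_PASS")
    return ok, ws.cached_password


if __name__ == "__main__":
    for rogue in (False, True):
        for fixed in (False, True):
            print(f"rogue={rogue!s:5} fixed={fixed!s:5} ->", run_scenario(rogue, fixed))
```

Run it and the rogue/vulnerable combination ends with `NEW_PASS` in the cache even though the trust check fails, which is the poisoned cache the attacker then logs on with; the fixed ordering leaves the cache untouched. The only secret that separates a real DC from a rogue one in this model is the machine account password, which is why the slides keep coming back to it.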
Bluebox
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox
WHAT’S NEXT?
๏ Extract any personal data
o Documents, emails, passwords…
๏ Requires admin privileges to:
o Retrieve BitLocker Recovery Key (or disable it)
o Install Malware
o Extract data from other users
o …
Trust relationship?
๏ Trust relationship is not always validated
๏ Working Active Directory set-up
๏ Any other Windows functionality missing trust validation?
PRIVILEGE ESCALATION
Will Group Policies work?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements
Group Policies
                     User Configuration               Computer Configuration
Applied              During login (or on refresh)     Before login (or on refresh)
Runs with            User or SYSTEM privileges        SYSTEM privileges
Authenticates with   User account password            Machine account password
EXAMPLE – CMD AS SYSTEM
1. Create a new Group Policy and assign it to the user account
2. Add the following configuration to the policy:
• Download a file (e.g. NetCat.exe)
• Run NetCat as SYSTEM (via a scheduled task)
• Connect to the listening service as the user
[Screenshot: scheduled task GPO]
It works!?
Why does it work?
๏ Client can successfully authenticate against the DC using the user’s credentials
๏ All encrypted traffic remains intact (SMB, LDAP, RPC)
๏ Windows assumes that the user credentials are sufficient to acknowledge the trust relationship
๏ Reported to Microsoft, who acknowledged the vulnerability but ...
Is it new?
๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting in two patches (MS15-011 and MS15-014)
๏ Jennings’ conclusion: “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”
WINDOWS 10?
[Screenshots, two slides]
WIN 7 vs Win 10
[Screenshots comparing the behaviour on Windows 7 and Windows 10, two slides]
User SID
S-1-5-21-124525095-708259637-1543119021-20937
  Domain Security Identifier: S-1-5-21-124525095-708259637-1543119021 (uses the Machine SID when a new domain is created)
  Relative ID: 20937 (incremental)
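The SID layout above, as an added Python example that is not from the talk or from mimikatz: a parser for the string and binary SID forms that splits a domain account SID into domain SID and RID, plus the comparison a client would make between the SID it has cached and the one a DC presents. The SID value is the one from the slide; every other SID is constructed for the test.

```python
"""Added example, not from the talk or from mimikatz: parsing Windows SIDs
so the domain SID / RID split from the slide can be checked in code.

String form: S-<revision>-<identifier authority>-<subauthority>-...
Binary form (tokens, ACLs, NTDS.DIT): revision (1 byte), subauthority
count (1 byte), identifier authority (6 bytes, big-endian), then each
subauthority as a 4-byte little-endian integer.
For a domain account the last subauthority is the RID; everything before
it is the domain SID, which a rogue domain must reproduce for its account
to match what the workstation already has cached.
"""
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
            raise ValueError(f"out-of-range SID: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        if len(raw) < 8:
            raise ValueError("SID too short")
        revision, count = raw[0], raw[1]
        if len(raw) != 8 + 4 * count:
            raise ValueError("SID length does not match subauthority count")
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack("<%dI" % count, raw[8:])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        return (bytes([self.revision, len(self.subauthorities)])
                + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(self.subauthorities), *self.subauthorities))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities)])

    @property
    def is_domain_account(self) -> bool:
        """S-1-5-21-X-Y-Z-RID: NT authority (5), 'domain' subauthority 21, three ids, RID."""
        return self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21

    @property
    def domain_sid(self) -> "Sid":
        if not self.is_domain_account:
            raise ValueError(f"{self} is not a domain account SID")
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        if not self.is_domain_account:
            raise ValueError(f"{self} is not a domain account SID")
        return self.subauthorities[-1]


def same_domain(cached_sid: str, presented_sid: str) -> bool:
    """Does the account a DC presents live in the domain whose SID is already cached?"""
    return Sid.from_string(cached_sid).domain_sid == Sid.from_string(presented_sid).domain_sid


if __name__ == "__main__":
    s = Sid.from_string("S-1-5-21-124525095-708259637-1543119021-20937")   # SID from the slide
    print("domain SID:", s.domain_sid, "RID:", s.rid)
    print("binary:", s.to_bytes().hex(), "round-trip ok:", Sid.from_bytes(s.to_bytes()) == s)
```

A rogue domain created on a fresh machine gets a fresh machine-derived domain SID, so `same_domain()` fails against the cached SID even when the RID is reproduced; making it pass is exactly the "Setting the SID" problem the following slides deal with.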
Setting the SID
๏ Possibilities:
o Setting the Machine SID before the AD is created:
  o Windows SysPrep – generates a new “random” SID
  o Commercial tools exist
o Off-line edit of the NTDS.DIT file
o SAMBA NT4 PDC to AD-DC
Lengthy, complex and prone to errors
mimikatz to the rescue
Demo time
Conclusion
๏ The fix first validates trust with the computer account
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …
Recovering original password
Flow: Force hibernation → Bypass login screen → Elevate privileges → Extract HIBERFIL.SYS → Reset local password cache
๏ Convert hiberfil.sys to .dmp
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below
Timeline
[Timeline figure, two slides]
Takeaways
๏ Trust relationships are not always validated
๏ Don’t take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilkiwi
๏ Third time’s a charm?
o November 2015 (MS15-122)
o February 2016 (MS16-014)
o … July 2016 (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis
