Date post: | 08-Feb-2017 |
Category: |
Software |
Upload: | beyondtrust |
View: | 116 times |
Download: | 2 times |
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching
Paula JanuszkiewiczCQURE: Director of Consulting,; Security ExpertCQURE Academy: TrainerMVP: Enterprise Securitywww.cqureacademy.com
@CQUREAcademy
CONSULTING
Hacking Live Workshop 2017
Used to group one or more Web Applications
Purpose: Assign resources, serve as a security sandbox
Use Worker Processes (w3wp.exe)
Their identity is defined in Application Pool settings
Process requests to the applications
Passwords for AppPool identity can be ’decrypted’ even offline
They are stored in the encrypted form in applicationHost.config
Conclusion: IIS relies it’s security on Machine Keys (Local System)
Demo: Application Pools
Demo: IISWasKey
Class names for keys from HKLM\SYSTEM\CCS\Control\Lsa
HKLM\SECURITY\Cache
HKLM\SECURITY\Policy\Secrets
HKLM\SECURITY\Policy\Secrets
Store configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate to Local System
Their accounts should be monitored
If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention)
Conclusion: Think twice before using an Administrative account, use gMSA
Demo: Services
The above means:
To read the clear text password you need to struggle!
Demo: SAM/NTDS.dit
Are ‘cached credentials’ safe?
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
Microsoft’s implementation: MSDCC2=
PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)
Legend
Before the attacks facilitated by pass-the-hash, we can only
rejoice the "salting" by the username.
There are a number pre-computed tables for users as
Administrator facilitating attacks on these hashes.
There is actually not much of a difference with XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of
iterations SHA1 with the same salt as before (username).
The number of iterations in PBKDF2, it is
configurable through the registry:
HKEY_LOCAL_MACHINE\SECURITY\Cache
DWORD (32) NL$IterationCount
If the number is less than 10240, it is a multiplier
by 1024 (20 therefore gives 20480 iterations)
If the number is greater than 10240, it is the
number of iterations (rounded to 1024)
Demo: Cached Credentials
Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects from outsiders when being in offline access
Effectively protects users data
Stores the password history
You need to be able to get access to some of your passwords from the past
Conclusion: OS greatly helps us to protect secrets
Demo: Classic DPAPI
Demo: DPAPI Taken Further
Demo: RDG Passwords
1.
2.
3.
Location Plaintext passwords
(Reversibly
encrypted)
NT Hash LM Hash TGT Windows logon
cached password
verifiers
Security Accounts Manager (SAM)
database
- Yes Maybe1 - -
Local Security Authority
Subsystem (LSASS) process
memory
Yes Yes Yes Yes -
Active Directory Database - Yes Maybe1 - -
The Credential Manager
(CredMan) store
Maybe2 - - - -
LSA Secrets in the registry Service Accounts,
Scheduled Tasks, etc.
Computer
Account
- - -
HKLM\Security - - - - Yes
Windows 10 with VSM enabled - Yes / No3 Yes/ No3 No4 -
DPAPI-NG
PowerBroker Password Safe
v6.2
Martin Cannard – Product Manager
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
► Block & Alert when SSH commands are entered during privileged sessions
Privileged Password Management
People Services A2A
Privileged
Session
Management
SSH Key
Management
Native desktop tool (MSTSC/PuTTY etc.) connects
to Password Safe which proxies connection through
to requested resource
Protected ResourcesUser authenticates to Password Safe and requests
session to protected resource
RDP/SSH session is proxied through the Password
Safe applianceHTTPS RDP / SSH
RDP / SSH
Password
SafeProxyProxy
Privileged Session Management
Differentiator:
Adaptive Workflow Control
Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator:
Included API Cache
(no extra cost)
API for Passwords / Sessions / Onboarding
SessionRelease
PasswordRelease
Password SafeAppliance
API
APICache
PasswordRelease
Host/Account Provisioning
Local Area Connection
Locahost Connection
PasswordRelease
PasswordRelease
APICache
PasswordRelease
Locahost Connection
Differentiator:
Controlling Application Access
Automatic Login to ESXi example
Browser
RDP Client
ESXRDP (4489) RDP (3389)
User selects vSphere application
and credentials
vSphere RemoteApp
CredentialCheckout
Credential Management
UserStore
Session Recording / Logging
HTTPS
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
Browser
RDP Client
SSH (22) SSH (22)
User selects SSH application and
credentials
SSH Application
CredentialCheckout
Session Recording / Logging
HTTPS
Differentiator:
Reporting & Analytics
Actionable Reporting
Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the
who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10
vendors reviewed
− “BeyondTrust excels with its privileged session
management capabilities.”
− “BeyondTrust […] provides the machine learning and
predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all
five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-
stop approach to PAM… one of only a small band of
PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research,
Frost & Sullivan and Forrester
DEMO
Poll
Q&A
Thank you for attending!