Passwords Everywhere GOPAS: info@gopas,cz | | Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory...

Date post: 31-Dec-2015

Passwords Everywhere

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. |

MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |

[email protected] | www.sevecek.com |

Take care of your passwords

People use the same passwords for different services
• AD network, mobile phone, credit card PIN, facebook, e-shops, free-mail, …

People type their passwords on unknown computers

Passwords travel over the network unencrypted

Somebody else is your computer administrator

Computers often store passwords in full form

Hardware keyloggers

Easy soldier

Different service = different password?

Do you think the databases of facebook, google+, gmail, microsoft, alza, seznam, … are encrypted?
• nonsense

What do you think the Indians do when bored?
• are they surfing your email, or facebook?

What do you think is the first thing a virus is going to do after infection?
• list all user accounts
• touch anything in your network with your current password

User Account Control (UAC)

Locally limits Administrators group membership

Does nothing over the network

It matters only for a BFU on a single machine

It does not affect administrative accounts

Windows authentication seems secure

Kerberos, Kerberos, Kerberos, sometimes NTLM

Encrypted network transport
• AES, mutual authentication, rekeying, etc.

Passwords are in memory

[Diagram labels: Client: Internet Explorer, Outlook, Lync, Ctrl-Alt-Del, LSASS, plaintext password; IS; Server]

Passwords are in LSASS memory

[Diagram labels: Client: Internet Explorer, Outlook, Lync, Local LSASS, plaintext password; Kerberos, NTLM; Server LSASS; IS]

Who can steal passwords from LSASS

Local Administrators
• Debug privilege is the only one necessary to break into LSASS memory

Basic authentication

HTTP Basic authentication
• used veeeeery often even on intranets
• mostly BFU accounts

LDAP Simple bind
• used veeeeery often by third-party NAS, VPN, VoIP, gateways, routers, VMWare console, etc.
• often administrative accounts

RDP
• used extreeeeemely often
• extreeeeemely often administrative accounts

Passwords are in LSASS memory

[Diagram labels: Client: Internet Explorer, Outlook, Lync, MSTSC, VPN, plaintext password; plain-text; IS; Server LSASS]

Passwords are stored in full form

IIS application pools

Services

Scheduled tasks

After attack, change your password!

Really?

Password filter on DC or on local SAM database

Good password

Long: at least 12 characters

All four types of characters (a-z, A-Z, 0-9, #$%^…)
• 80% of passwords are alphanumeric

Never reuse the same password for critical services
• not too much change necessary

Password locking?

Do not exaggerate
• 6 characters complex password
• 75 trials per one lock
• for 1 minute
• = 3 300 years

Cracking from local/AD hashes (non-cache)

MD4 hashes
• brute-force 8 characters complex: 1 CPU = 25 years, 10 GPUs = 15 days
• rainbow-table 8 characters complex = minutes = 120 GB

Every character makes it 80x more difficult

12 characters complex password is unbreakable
• at least for non-NSA mortals
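The arithmetic behind the lockout figure ("6 characters, 75 trials per 1-minute lock = 3 300 years") and the brute-force figures above, as an added example that is not part of the original deck: it assumes the deck's rule of thumb of roughly 80 symbols per "complex" character (so each extra character multiplies the work by 80) and that on average half the keyspace is searched before the guess succeeds; the hash rates are derived from the deck's own "8 characters = 25 years / 15 days" claims rather than measured.

```python
"""Password-guessing effort under the deck's rules of thumb (added example, not
from the original slides): a "complex" password draws from ~80 symbols, so every
extra character multiplies the work by 80, and on average an attacker finds the
password after searching half of the keyspace."""

ALPHABET_SIZE = 80                 # deck's rule of thumb for complex passwords
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of the given length."""
    return alphabet ** length


def expected_guesses(length, alphabet=ALPHABET_SIZE):
    """Average number of guesses before the correct password turns up."""
    return keyspace(length, alphabet) // 2


def online_years(length, trials_per_lock, lock_minutes, alphabet=ALPHABET_SIZE):
    """Years of online guessing when a lockout policy allows trials_per_lock
    failures and then blocks the account for lock_minutes (the deck's
    6 characters / 75 trials / 1 minute case gives about 3 300 years)."""
    guesses_per_second = trials_per_lock / (lock_minutes * 60)
    return expected_guesses(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def offline_years(length, hashes_per_second, alphabet=ALPHABET_SIZE):
    """Years to brute-force a captured unsalted hash at a given hash rate."""
    return expected_guesses(length, alphabet) / hashes_per_second / SECONDS_PER_YEAR


def implied_hash_rate(length, years, alphabet=ALPHABET_SIZE):
    """Hash rate (per second) implied by a claim such as '8 characters = 25 years'."""
    return expected_guesses(length, alphabet) / (years * SECONDS_PER_YEAR)


def difficulty_factor(extra_chars, alphabet=ALPHABET_SIZE):
    """How much harder each additional character makes brute force (80x each)."""
    return alphabet ** extra_chars


if __name__ == "__main__":
    print(f"online, 6 chars, 75 tries per 1-minute lock: {online_years(6, 75, 1):,.0f} years")
    cpu_rate = implied_hash_rate(8, 25)            # deck: 1 CPU = 25 years
    gpu_rate = implied_hash_rate(8, 15 / 365)      # deck: 10 GPUs = 15 days
    print(f"implied rates: 1 CPU ~ {cpu_rate:,.0f}/s, 10 GPUs ~ {gpu_rate:,.0f}/s")
    print(f"12 chars on 10 GPUs: {offline_years(12, gpu_rate):,.0f} years")
```

Plugging your own lockout policy or a measured hash rate into `online_years` and `offline_years` shows how quickly the numbers move once length or the lock window changes.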

Cracking from network trace and password cache

No use for rainbow-table
• MD4 salted

Only brute-force possible

What to remember

Never type a password on an unknown computer

Accessing remote machines with RDP sends your password there

Disable all HTTP Basic and LDAP Simple bind authentications

Use smart cards instead

GOODBYE

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

at the courses of the GOPAS, a.s. computer school

GOC171 - Active Directory Troubleshooting

GOC172 - Kerberos Troubleshooting

GOC173 - Enterprise PKI Deployment

GOC175 - Administering Security
