Passwords Everywhere
GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |[email protected] | www.sevecek.com |
Take care of your passwords
People use the same passwords for different services• AD network, mobile phone, credit card PIN, facebook, e-
shops, free-mail, … People type their passwords on unknown computers Passwords travel over network unencrypted Somebody else is your computer administrator Computers store passwords often in full form
Hardware keyloggers
Easy soldier
Different service = different password?
Do you thing the databases of facebook, google+, gmail, microsoft, alza, seznam, … are encrypted?• nonsense
What do you thing the Indians do when bored?• are they surfing your email, or facebook?
What do you thing is the first thing a virus is going to do after infection?• list all user accounts• touch anything in your network with your current password
User Account Control (UAC)
Locally limits Administrators group membership Does nothing over network
It matters only for a BFU on a single machine It does not affect administrative accounts
Windows authentication seems secure
Kerberos, Kerberos, Kerberos, sometimes NTLM Encrypted network transport
• AES, mutual authentication, rekeying, etc.
Passwords are in memory
Internet Explorer
Outlook LyncCtrl-Alt-Del
LSASS
ISClient
plaintext password
Server
Passwords are in LSASS memory
Internet Explorer
OutlookLync
Local LSASS
ServerLSASS
Kerberos
NTLMIS
Client
plaintext password
Who can steal passwords from LSASS
Local Administrators• Debug privilege is just the only necessary to break into
LSASS memory
Basic authentication
HTTP Basic authentication• used veeeeery often even on intranets• mostly BFU accounts
LDAP Simple bind• used veeeeery often by third-party NAS, VPN, VoIP,
gateways, routers, VMWare console, etc.• often administrative accounts
RDP• used extreeeeemely often• extreeeeemely often administrative accounts
Server
Passwords are in LSASS memory
Internet Explorer
OutlookLync
ServerLSASS
plain-textIS
Client
MSTSC
plaintext password
VPN
Passwords are stored in full form
IIS application pools Services Scheduled tasks
After attack, change your password!
Really? Password filter on DC or on local SAM database
Good password
Long at least 12 characters All four types of characters (a-z, A-Z, 0-9, #$%^…)
• 80% passwords are alfa-numeric Never reuse the same password for critical services
• not too much change necessary
Password locking?
Do not exagerate• 6 characters complex password• 75 trials per one lock• for 1 minute• = 3 300 years
Cracking from local/AD hashes (non-cache)
MD4 hashes• brute-force 8 characters complex
1 CPU = 25 years 10 GPUs = 15 days
• rainbow-table 8 characters complex = minutes = 120 GB
Every character makes it 80x more difficult 12 characters complex password is unbreakable
• at least for non-NSA mortals
Cracking from network trace and password cache No use for rainbow-table
• MD4 salted Only brute-force possible
What to remember
Never type a password on an unknown computer Accessing remote machines with RDP sends there
your password Disable all HTTP Basic and LDAP Simple bind
authentications Use smart cards instead
Where to read more
http://www.sevecek.com/Lists/Categories/Category.aspx?CategoryId=17&Name=(Anti)hacking
http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145
NASHLEDANOU
GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
na kurzech v počítačové škole GOPAS, a.s.
GOC171 - Active Directory TroubleshootingGOC172 - Kerberos TroubleshootingGOC173 - Enterprise PKI DeploymentGOC175 - Administering Security