Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: paula@cqure.us | http://cqure.us
@paulacqure
@CQUREAcademy
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
AES256-CBC (data encryption)
AES256-CCM (BitLocker)
AES256-GCM (DPAPI blobs)
AES128-ECB (BitLocker)
AES256-XTS (BitLocker)
RC4
MD4, MD5, SHA*
DES, 3DES
RSA 1024, RSA 2048 (used more often)
Secret agreement: Diffie-Hellman
DPAPI-NG:
Key derivation: SP800_108_CTR_HMAC (SHA512),
KDF_SP80056A_CONCAT (client)
The above means:
To read the clear text password you need to struggle!
SAM
1. bootkey: classes from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+arrays’ permutations)
2. F: HKLM\SAM\SAM\Domains\Account [F – value]
string aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0";
string anum = "0123456789012345678901234567890123456789\0";
3. rchbootkey: MD5(string created after arithmetic functions with F, aqwerty, anum, bootkey)
4. hbootkey: RC4(key, data) -> RC4(rchbootkey, F)
5. MD5(…,hbootkey,…) -> RC4(…) -> DES(…, F) to get the hash (MD4)
Store configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate Local System
Their accounts should be monitored
If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention)
Conclusion: Think twice before using an Administrative account, use gMSA
1. bootkey: classes from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+arrays’ permutations)
int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };
2. PolEKList: HKLM\SECURITY\Policy\PolEKList [default value]
3. lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList)
4. NL$KM secret: HKLM\SECURITY\Policy\Secrets\NL$KM
5. nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret)
Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects from outsiders when being in offline access
Effectively protects users’ data
Stores the password history
You need to be able to get access to some of your passwords from the past
Conclusion: OS greatly helps us to protect secrets
DPAPI (classic)
A. MasterKey
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key,…), other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
B. CREDHIST
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key,…), other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
C. DPAPI blob
Algorithms are written in the blob itself.
DPAPI-NG
A. RootKey
Algorithms
Key derivation function: SP800_108_CTR_HMAC (SHA512)
Secret agreement: Diffie-Hellman
B. DPAPI blob
Key derivation: KDF_SP80056A_CONCAT
After getting the key, there is a need for decryption:
Key wrap algorithm: RFC3394 (KEK -> CEK)
Decryption: AES-256-GCM (CEK, Blob)
In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider.
We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider
CNG stores shared private keys in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
Worker Processes (w3wp.exe)
Their identity is defined in Application Pool settings
Are managed by Windows Process Activation Service that knows how to read secrets
Passwords for AppPool identity can be ’decrypted’ even offline
They are stored in the encrypted form in applicationHost.config
Conclusion: IIS relies on Machine Keys (Local System) for its security
TDE how to:
1. Create a master key
2. Create or obtain a certificate protected by the master key
3. Create a database encryption key and protect it by the certificate
4. Set the database to use encryption
Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files, known as encrypting data at rest.
However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data.
There is actually not much of a difference with XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of iterations. It uses SHA1 with the same salt as before (username).
MSDCC2
1. bootkey: classes from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+arrays’ permutations)
int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };
2. PolEKList: HKLM\SECURITY\Policy\PolEKList [default value]
3. lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList)
4. NL$KM secret: HKLM\SECURITY\Policy\Secrets\NL$KM
5. nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret)
6. Cache_Entry{id} -> HKLM\SECURITY\Cache\NL${id}
7. cache_entry_decrypted -> AES_DECRYPT(nlkm_decrypted, Cache_Entry{id})
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
Microsoft’s implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)
• Replicate Directory Changes All
• WARNING: “…You will need two credentials, the synchronization account credential that has Replicate Directory Changes/All on the Domain as well as Configuration container…” – OUCH!
Scenario: offline changed user password or local masterkey can’t be decrypted
DPAPI-PROTECTED BLOB: 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 ......
CLIENT: Local LSASS process (local masterkey can’t be decrypted), CryptUnprotectData(), DPAPI
RPC Call: BackupKey(masterkey), Decrypted masterkey
AD SERVER: LSASS process, G$BCKUPKEY_PREFERRED, G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855
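The hex bytes on this slide (01 00 00 00 d0 8c 9d df ...) are the start of a DPAPI blob: version 1 followed by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. The sketch below is an added example, not code from the talk or from the CQURE tools: it finds that header in arbitrary data and reads the algorithm identifiers that, as the earlier slide says, "are written in the blob itself", which is useful for inventorying where DPAPI-protected secrets are stored. The field layout after the header follows public DPAPI research rather than the slides, and the function names and the sample blob are constructed for illustration.

```python
import struct
import uuid

# Header from the slide: 01 00 00 00 | d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le

# Windows ALG_ID values that commonly appear in DPAPI blobs.
ALG_NAMES = {0x6603: "3DES", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256",
             0x8004: "SHA1", 0x800C: "SHA-256", 0x800D: "SHA-384", 0x800E: "SHA-512"}


class Reader:
    """Bounds-checked little-endian reader over a bytes object."""
    def __init__(self, buf, pos=0):
        self.buf, self.pos = buf, pos

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated DPAPI blob")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u32(self):
        return struct.unpack("<I", self.take(4))[0]

    def sized(self):
        """Read a 4-byte length followed by that many bytes."""
        return self.take(self.u32())


def parse_dpapi_blob(buf, pos=0):
    """Parse blob metadata at buf[pos:]; layout assumed from public DPAPI research."""
    r = Reader(buf, pos)
    if r.take(len(MAGIC)) != MAGIC:
        raise ValueError("not a DPAPI blob")
    info = {"offset": pos, "masterkey_version": r.u32()}
    info["masterkey_guid"] = str(uuid.UUID(bytes_le=r.take(16)))
    info["flags"] = r.u32()
    info["description"] = r.sized().decode("utf-16-le", "replace").rstrip("\x00")
    alg = r.u32()
    info["cipher"] = ALG_NAMES.get(alg, hex(alg))
    info["cipher_bits"] = r.u32()
    info["salt_len"] = len(r.sized())
    r.sized()                      # optional HMAC key, usually empty
    alg = r.u32()
    info["hash"] = ALG_NAMES.get(alg, hex(alg))
    info["hash_bits"] = r.u32()
    r.sized()                      # second HMAC key
    info["ciphertext_len"] = len(r.sized())
    info["signature_len"] = len(r.sized())
    info["total_len"] = r.pos - pos
    return info


def find_dpapi_blobs(data):
    """Return metadata for every well-formed DPAPI blob found in data."""
    hits, pos = [], data.find(MAGIC)
    while pos != -1:
        try:
            hits.append(parse_dpapi_blob(data, pos))
        except ValueError:
            pass                   # header bytes seen, but the structure is truncated
        pos = data.find(MAGIC, pos + 1)
    return hits


def build_sample():
    """Constructed blob with dummy contents; it protects nothing."""
    def sized(b):
        return struct.pack("<I", len(b)) + b
    mk = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
    return (MAGIC + struct.pack("<I", 1) + mk.bytes_le + struct.pack("<I", 0)
            + sized("demo\0".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + sized(b"\x11" * 32) + sized(b"")
            + struct.pack("<II", 0x800E, 512) + sized(b"\x22" * 32)
            + sized(b"\x33" * 48) + sized(b"\x44" * 64))


# Constructed input: one complete blob inside other data, then a truncated header.
SAMPLE = b"<config>" + build_sample() + b"</config>" + MAGIC + b"\x01"

if __name__ == "__main__":
    for hit in find_dpapi_blobs(SAMPLE):
        print(hit)
```

The master key GUID reported for each blob names the master key file that protects it, so the same scan shows which user or machine profile a stored secret depends on.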
LSASS.EXE MEMORY: LSASRV.DLL, G$BCKUPKEY_PREFERRED, G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855
GoldenKey.pfx
LSASRV.DLL, LSASS.EXE, etc.: PATTERNS (for different versions of modules)
AD secret? HOW?!
CQLsassSecretsDumper
GoldenKey.pfx
DomainKey contains some GUID and 256-byte len secret – RSA??
Dude, look in the AD...
The master password for KeePass files encrypted & stored as cipherText (80 bytes)
DPAPI-NG
A. RootKey
Algorithms
Key derivation function: SP800_108_CTR_HMAC (SHA512)
Secret agreement: Diffie-Hellman
B. DPAPI blob
Key derivation: KDF_SP80056A_CONCAT
After getting the key, there is a need for decryption:
Key wrap algorithm: RFC3394 (KEK -> CEK)
Decryption: AES-256-GCM (CEK, Blob)
SID-PROTECTED BLOB
CLIENT: Local LSASS process, NCryptUnprotectSecret(), CNGDPAPI
RPC Call: GetKey(SID, L0, L1, L2 params)
AD SERVER: LSASS process
ACTIVE DIRECTORY: RootKey, RootKeyData?, Group key
Looks familiar? It should! It’s DPAPI blob!
Protection descriptor: LOCAL=user
• KEK (Key Encryption Key) stored as DPAPI blob
• Forced by protection descriptor LOCAL=user
• Key Wrap (RFC3394) contains encrypted CEK (Content Encryption Key)
• Data encrypted by CEK
Tool Description
CQMasterKeyAD DPAPIBlobCreator
CQDPAPIKeePassDBDecryptor DPAPINGDecrypter
CQDPAPIEncDec CQAspNetCoreDecryptData.
CQDPAPIExportPFXFromAD CQAspNetCoreMasterKeyCreate
CQRDCManDecrypter CQAspNetCoreEncryptData
CQDPAPINGPFXDecrypter
CQDPAPINGDNCoreMasterKeyDecrypter *CQImpersonateWithSeTcb
• DPAPI SYSTEM is as safe as your offline access and privileged accounts
• DPAPI USER is as safe as your user’s password and domain admin’s intentions
• Use password manager but rely on your own separate password
• Almost anything system related can be accessed offline – it is ‘just’ a matter of finding the way



Editor's Notes

  • #7: I uploaded to the ftp, to /MGRZEG/Ignite2017/NTDS.dit, another tool for pre-demo verification. Description: https://docs.google.com/document/d/1pXFXI09PcmpYUIfH5aSvpQEbjrH2yMA4dMcH6748mQM/edit?usp=sharing   The tool is a 32-bit build with the vcredist package for VS 2015 bundled (for libesedb).   m.
  • #9: How passwords are stored
  • #14: System user How it is encrypted 10214 27 min / 48 min to the end
  • #15: Comparing Machine-Level and User-Level RSA Key Containers User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity. User-level RSA key containers can be useful if you want to ensure that the RSA key information is removed when the Windows user profile is removed. However, because you must be logged in with the specific user account that will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections, they are inconvenient to use. Machine-level RSA key containers are available to all users that can log in to a computer, by default, and are the most useful as you can use them to encrypt or decrypt protected configuration sections while logged in with an administrator account. A machine-level RSA key container can be used to protect information for a single application, all the applications on a server, or a group of applications on a server that run under the same user identity. Although machine-level RSA key containers are available to all users, they can be secured with NTFS Access Control Lists (ACLs) so that only required users can access them. Note It is recommended that you only secure sensitive information using protected configuration on file systems formatted using NTFS, so that you can restrict access to encryption key information using ACLs. As there is little benefit from using user-level RSA key containers, it is recommended that you use machine-level RSA key containers when protecting configuration sections using the RsaProtectedConfigurationProvider provider. 
When you create an RSA key container to protect configuration information for one or more applications, it is recommended that you restrict the access to the machine-level RSA key container using the Aspnet_regiis.exe tool, with the -pa option to add access to the key for a particular identity and the -pr option to remove access to the key. For more information on how to set or determine the identity of an ASP.NET application, see ASP.NET Impersonation. For more information on granting read access to an RSA key container, see Importing and Exporting Protected Configuration RSA Key Containers.
  • #16: https://blogs.iis.net/iisteam/cng-data-encryption
  • #17: One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.
  • #19: https://commons.wikimedia.org/wiki/File%3AAtlanta_skyline.jpg
  • #26: As soon as we dug out the serial number of the key in the domain master keys and found the object responsible for it in AD, it was certain that the secret would have to be extracted from LSASS. I tried it then in some odd way and it did not work, so we turned to Benjamin for help, which ended in a sizeable piece of new code in mimikatz. I did not come back to it later, but it was enough simply to dig out the LSA secret using LsaRetrievePrivateData, which I had already done earlier in another tool, for digging out LSASS secrets online, but here I did not really know what and how. Now, however, somewhat wiser, I tried once more and this time it worked 'on the first kick'. I take the GUID of the right key from the secret CN=BCKUPKEY_PREFERRED Secret, that is, the global secret G$BCKUPKEY_PREFERRED, and then I simply extract the secret itself using the Lsa* family of functions.   So nothing fancy, but it is a different approach from the one in mimikatz and I do not know of any other tool that does this :)
  • #37: AES256-CCM – the first 16 bytes are the checksum
  • #38: User2 uses the ASP.NET Core DataProtection with DPAPI-NG SID descriptor to create the master key for User1 and then User1 uses the newly created key to protect some sensitive data. After that User2 tries to access that data in three ways: - using his own SID and the same decryption tool as the User1 (fail) - using SE_TCB privilege on local machine and decryption tool (fail) - using SE_TCB privilege on AD controller and decryption tool (success) - using dpapi-ng decryption tool with dpapi-ng rootkey (success)
  • #40: Licence: Common