SlideShare a Scribd company logo

rsa_usa_2019_paula_januszkiewicz

Z
ZuzannaKornecka

This document discusses credential security and storing identity. It defines credentials and describes where passwords and hashes are stored on Windows systems, such as the SAM database, LSA secrets, and cached credentials. It warns that credentials relying on keys stored in the registry are only as secure as offline access. The document demonstrates how to extract credentials from these locations and services like IIS. It recommends using a domain controller, gMSA, or MSA to avoid using administrative accounts when possible for more secure credential storage.

Technology
1 of 30
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#RSAC SESSION ID: Paula Januszkiewicz Understand Credential Security: Important Things You Need to Know About Storing Your Identity IDY-W03 CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us
#RSAC
#RSAC
#RSAC Definition of credentials
#RSAC Bootkey: Class names for keys from HKLMSYSTEMCCSControlLsa SAM/NTDS.dit (MD4 Hashes) C:windowssystem32config C:windowssystem32NTDS MSDCC2 (Cached Logon Data) HKLMSECURITYCache LSA Secrets (Service Accounts) HKLMSECURITYPolicySecrets $MACHINE.ACC (SYSTEM’s Clear Text Password) DPAPI_SYSTEM (Master Keys) HKLMSECURITYPolicySecrets
#RSAC Are ‘cached credentials’ safe?
#RSAC Encrypted Cached Credentials DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Encrypted Cached Credentials: Legend
#RSAC Cached Logons: It used to be like this… The encryption algorithm is RC4. The hash is used to verify authentication is calculated as follows: DCC1 = MD4(MD4(Unicode(password)) . LowerUnicode(username)) is DCC1 = MD4(hashNTLM . LowerUnicode(username)) Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
#RSAC Cached Logons: Now it is like this! The encryption algorithm is AES128. The hash is used to verify authentication is calculated as follows: MSDCC2 = PBKDF2(HMAC-SHA1, Iterations, DCC1, LowerUnicode(username)) with DCC 1 calculated in the same way as for 2003 / XP. There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
#RSAC Cached Logons: Iterations The number of iterations in PBKDF2, it is configurable through the registry: HKEY_LOCAL_MACHINESECURITYCache DWORD (32) NL$IterationCount If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations) If the number is greater than 10240, it is the number of iterations (rounded to 1024)
#RSAC Demo: Cached Credentials
#RSAC Classic Data Protection API Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsustoprotectsecrets
#RSAC + getting access to user’s secrets in the domain Demo: Classic DPAPI
#RSAC + Keepass Demo: DPAPI Taken Further
#RSAC When centralization should be done with a bit more awareness Demo: RDG Passwords
#RSAC IIS Structure HTTP.SYS
#RSAC Application Pools Used to group one or more Web Applications Purpose: Assign resources, serve as a security sandbox Use Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Process requests to the applications Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s securityon Machine Keys(Local System)
#RSAC Getting password from IIS configuration Demo: Application Pools
#RSAC + extracting the data from the registry IISWasKey
#RSAC Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrativeaccount, use gMSA
#RSAC Getting password from LSA Secrets Demo: Services
#RSAC Chasing the obvious: NTDS.DIT, SAM Theabovemeans:Toreadthecleartextpasswordyouneedtostruggle!
#RSAC Hash spree - offline Demo: SAM/NTDS.dit
#RSAC
#RSAC Two AMAZING discoveries! Smart card logon is possible without a smart card Private keys can be extracted from the PFX files without having a password
#RSAC Securing Yourself for a Rainy Day Kerberos Pre-Auth
#RSAC SID-Protected PFX Files… Unprotected DPAPI-NG
#RSAC Credentials Security Takeways Cryptography that relies on keys stored in the registry is as safe as your offline access. We all know that they should log on to the Domain Controllers only. Who are they? Can we trust them? …when extracted. In practice they are as safe as your approach.
Thank you!
#RSAC SESSION ID: Paula Januszkiewicz Understand Credential Security: Important Things You Need to Know About Storing Your Identity IDY-W03 CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us

More Related Content

PPTX
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
Paula Januszkiewicz
 
PDF
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
PDF
CQURE_BHAsia19_Paula_Januszkiewicz_slides
ZuzannaKornecka
 
PDF
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Paula Januszkiewicz
 
PDF
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 
PPTX
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
Paula Januszkiewicz
 
PPTX
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
PDF
rsa-usa-2019-keynote-paula-januszkiewicz
Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
Paula Januszkiewicz
 
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
ZuzannaKornecka
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Paula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
rsa-usa-2019-keynote-paula-januszkiewicz
Paula Januszkiewicz
 

What's hot (20)

PDF
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Paula Januszkiewicz
 
PDF
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
Paula Januszkiewicz
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
PDF
Hiding secrets in Vault
Neven Rakonić
 
PPTX
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
PDF
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 
PDF
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
PDF
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 
PPTX
Vault - Secret and Key Management
Anthony Ikeda
 
PDF
Password (in)security
Enrico Zimuel
 
PDF
Vault 101
Hazzim Anaya
 
PDF
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
PPTX
Lets Encrypt!
Joerg Henning
 
PPTX
Passwords#14 - mimikatz
Benjamin Delpy
 
PDF
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
PDF
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
PPTX
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
PDF
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
PDF
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
PPTX
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Paula Januszkiewicz
 
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
Paula Januszkiewicz
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Hiding secrets in Vault
Neven Rakonić
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 
Vault - Secret and Key Management
Anthony Ikeda
 
Password (in)security
Enrico Zimuel
 
Vault 101
Hazzim Anaya
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
Lets Encrypt!
Joerg Henning
 
Passwords#14 - mimikatz
Benjamin Delpy
 
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Ad

Similar to rsa_usa_2019_paula_januszkiewicz (20)

PDF
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
BeyondTrust
 
PPT
RSA Secur id for windows
arpit06055
 
PDF
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
PPT
Windows Security in Operating System
Meghaj Mallick
 
PDF
Windows Security Internals: A Deep Dive into Windows Authentication, Authoriz...
modhaofentibo
 
PDF
Windows Security Internals 1 / converted Edition James Forshaw
soskoxtamkego
 
PDF
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PPT
Bh Win 03 Rileybollefer
Timothy Bollefer
 
PPS
Microsoft (Data Protection Solutions)
Vinayak Hegde
 
PPTX
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Ted Wentzel
 
PPTX
Introduccion a la seguridad Windows 7
EAE
 
PPTX
mimikatz @ rmll
Benjamin Delpy
 
PPT
Dominique
Shmulik Avidan
 
PPT
Windows network security
Information Technology
 
PPTX
Operating system security
Ramesh Ogania
 
PDF
The Infosec Revival
scriptjunkie
 
PPTX
Extracting Credentials From Windows
NetSPI
 
PDF
Dakotacon 2017
Blue Teamer
 
PPTX
Securing Windows with Group Policy
Josh Rickard
 
PPTX
[PU&D] - Securing IT Against Modern Threats with Microsoft Cloud Security Tools
Tomasz Poszytek
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
BeyondTrust
 
RSA Secur id for windows
arpit06055
 
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Windows Security in Operating System
Meghaj Mallick
 
Windows Security Internals: A Deep Dive into Windows Authentication, Authoriz...
modhaofentibo
 
Windows Security Internals 1 / converted Edition James Forshaw
soskoxtamkego
 
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Bh Win 03 Rileybollefer
Timothy Bollefer
 
Microsoft (Data Protection Solutions)
Vinayak Hegde
 
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Ted Wentzel
 
Introduccion a la seguridad Windows 7
EAE
 
mimikatz @ rmll
Benjamin Delpy
 
Dominique
Shmulik Avidan
 
Windows network security
Information Technology
 
Operating system security
Ramesh Ogania
 
The Infosec Revival
scriptjunkie
 
Extracting Credentials From Windows
NetSPI
 
Dakotacon 2017
Blue Teamer
 
Securing Windows with Group Policy
Josh Rickard
 
[PU&D] - Securing IT Against Modern Threats with Microsoft Cloud Security Tools
Tomasz Poszytek
 
Ad

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Teaching material agriculture food technology
LiaRayya
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

rsa_usa_2019_paula_januszkiewicz

  • 1. #RSAC SESSION ID: Paula Januszkiewicz Understand Credential Security: Important Things You Need to Know About Storing Your Identity IDY-W03 CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us
  • 5. #RSAC Bootkey: Class names for keys from HKLMSYSTEMCCSControlLsa SAM/NTDS.dit (MD4 Hashes) C:windowssystem32config C:windowssystem32NTDS MSDCC2 (Cached Logon Data) HKLMSECURITYCache LSA Secrets (Service Accounts) HKLMSECURITYPolicySecrets $MACHINE.ACC (SYSTEM’s Clear Text Password) DPAPI_SYSTEM (Master Keys) HKLMSECURITYPolicySecrets
  • 7. #RSAC Encrypted Cached Credentials DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Encrypted Cached Credentials: Legend
  • 8. #RSAC Cached Logons: It used to be like this… The encryption algorithm is RC4. The hash is used to verify authentication is calculated as follows: DCC1 = MD4(MD4(Unicode(password)) . LowerUnicode(username)) is DCC1 = MD4(hashNTLM . LowerUnicode(username)) Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
  • 9. #RSAC Cached Logons: Now it is like this! The encryption algorithm is AES128. The hash is used to verify authentication is calculated as follows: MSDCC2 = PBKDF2(HMAC-SHA1, Iterations, DCC1, LowerUnicode(username)) with DCC 1 calculated in the same way as for 2003 / XP. There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
  • 10. #RSAC Cached Logons: Iterations The number of iterations in PBKDF2, it is configurable through the registry: HKEY_LOCAL_MACHINESECURITYCache DWORD (32) NL$IterationCount If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations) If the number is greater than 10240, it is the number of iterations (rounded to 1024)
  • 12. #RSAC Classic Data Protection API Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsustoprotectsecrets
  • 13. #RSAC + getting access to user’s secrets in the domain Demo: Classic DPAPI
  • 15. #RSAC When centralization should be done with a bit more awareness Demo: RDG Passwords
  • 17. #RSAC Application Pools Used to group one or more Web Applications Purpose: Assign resources, serve as a security sandbox Use Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Process requests to the applications Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s securityon Machine Keys(Local System)
  • 18. #RSAC Getting password from IIS configuration Demo: Application Pools
  • 19. #RSAC + extracting the data from the registry IISWasKey
  • 20. #RSAC Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrativeaccount, use gMSA
  • 21. #RSAC Getting password from LSA Secrets Demo: Services
  • 22. #RSAC Chasing the obvious: NTDS.DIT, SAM Theabovemeans:Toreadthecleartextpasswordyouneedtostruggle!
  • 23. #RSAC Hash spree - offline Demo: SAM/NTDS.dit
  • 24. #RSAC
  • 25. #RSAC Two AMAZING discoveries! Smart card logon is possible without a smart card Private keys can be extracted from the PFX files without having a password
  • 26. #RSAC Securing Yourself for a Rainy Day Kerberos Pre-Auth
  • 27. #RSAC SID-Protected PFX Files… Unprotected DPAPI-NG
  • 28. #RSAC Credentials Security Takeways Cryptography that relies on keys stored in the registry is as safe as your offline access. We all know that they should log on to the Domain Controllers only. Who are they? Can we trust them? …when extracted. In practice they are as safe as your approach.
  • 30. #RSAC SESSION ID: Paula Januszkiewicz Understand Credential Security: Important Things You Need to Know About Storing Your Identity IDY-W03 CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us