Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.
1 Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password

2 Common Methods to Steal Passwords
- Reading registry hives: LM and NT password hashes for local accounts are stored in the Security Accounts Manager (SAM) hive, encrypted with a key derived from the SYSTEM hive.
- Injecting into LSASS: inject code into the running LSASS process so that it can call the functions that read the in-memory credential structures.
- Reading LSASS's memory: recovering credentials from a memory dump of LSASS is supported by mimikatz.
- Decoding NTDS.DIT: LM and NT hashes for Active Directory domain accounts are stored in the Active Directory database file, NTDS.DIT, on domain controllers.
All of these recover hashes or cached secrets after the fact. A credential provider, by contrast, sits in the logon path and sees the password in clear text as the user types it.

3 Windows 7 Authentication Architecture

4 Logon Authentication
Interactive logon
- Local logon: requires that the user has an account in the SAM on the local computer.
- Domain logon: requires that the user has an account in the domain's Active Directory.
Network logon

5 Interactive Local Logon

6 Interactive Domain Logon

7 Windows Interactive Logon Architecture

8 Windows Interactive Logon Components

Component                                        | Description
-------------------------------------------------|------------------------------------------------------------
Winlogon                                         | Provides the interactive logon infrastructure.
Logon UI                                         | Renders the interactive logon UI (LogonUI.exe hosts the credential providers).
Credential providers (password and smart card)   | Describe the credential fields and serialize the entered credentials.
LSA                                              | Processes the logon credentials.
Authentication packages                          | NTLM and Kerberos; communicate with the server-side authentication packages to authenticate the user.

9 Windows Credential Providers
LogonUI enumerates every credential provider registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. Each subkey is a CLSID; the CLSID resolves through HKCR\CLSID\{...}\InprocServer32 to a DLL that LogonUI.exe (running as SYSTEM) loads into its own process. Writing to that key requires administrator rights, so registering a provider is a post-compromise persistence step, not an initial-access one.
The DLL must implement the following two COM interfaces:
1. ICredentialProvider, which enumerates the credential tiles the provider offers to LogonUI.
2. ICredentialProviderCredential, one per tile, which owns the fields (user name, password) the user fills in.
ICredentialProviderCredential::GetSerialization is where the provider packages the entered credential for Winlogon to hand to LSA (the built-in password provider serializes a KERB_INTERACTIVE_UNLOCK_LOGON structure, which carries the password in clear text). Any provider loaded at that point has the cleartext password before LSA ever sees it; that is the "secret" of the title.
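As an added example (not code from the presentation), the following PowerShell script walks the same registry key LogonUI enumerates, resolves every CLSID to its DLL through the COM registry, and checks the Authenticode signature, which is the manual version of what Autoruns' Winlogon tab shows. It assumes an elevated PowerShell session on the Windows host being audited; the "Suspicious" heuristic (anything not validly signed by Microsoft) is an assumption of this example, and legitimate third-party providers such as VPN or biometric clients will trip it too.

```powershell
# Added example: enumerate credential providers the way LogonUI does and
# resolve each one to the DLL that will be loaded into LogonUI.exe (SYSTEM).
$cpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-CredentialProviderAudit {
    Get-ChildItem -Path $cpRoot | ForEach-Object {
        $key      = $_
        $clsid    = $key.PSChildName                 # the {GUID} subkey name
        $props    = Get-ItemProperty -Path $key.PSPath
        $name     = $props.'(default)'               # friendly name, e.g. PasswordProvider
        $disabled = [bool]$props.Disabled            # the Disabled DWORD described on slide 11, if present

        # COM activation: LogonUI loads the InprocServer32 registered for this CLSID.
        $inproc = Join-Path $clsidRoot "$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw)
                # A bare file name resolves against System32 for the 64-bit LogonUI.
                if (-not [IO.Path]::IsPathRooted($dll)) {
                    $dll = Join-Path "$env:SystemRoot\System32" $dll
                }
            }
        }

        $sig = $null
        if ($dll -and (Test-Path $dll)) { $sig = Get-AuthenticodeSignature -FilePath $dll }

        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Disabled   = $disabled
            Dll        = $dll
            SigStatus  = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic (assumption of this example): anything not validly signed
            # by Microsoft deserves a closer look.
            Suspicious = -not ($sig -and $sig.Status -eq 'Valid' -and
                               $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }
    }
}

$audit = Get-CredentialProviderAudit
$audit | Format-Table CLSID, Name, Disabled, SigStatus, Dll -AutoSize
$audit | Where-Object Suspicious | Format-List
```

A provider whose DLL lives outside System32, is unsigned, or whose InprocServer32 points at a path that no longer exists is the thing to chase; a missing file is itself interesting, because a later drop of a DLL at that path would be loaded at the next logon without any further registry change.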

10 Live Demo

11 Disable Credential Provider
Method 1: Group Policy. Open the Local Group Policy Editor, navigate to Computer Configuration -> Administrative Templates -> System -> Logon, and open the policy "Exclude credential providers". Set it to Enabled and enter the comma-separated list of CLSIDs to exclude from authentication, then click OK to save the change.
Method 2: Registry. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. Under the CLSID subkey of the provider, create a new DWORD (32-bit) value named Disabled and set its data to 1. The provider is disabled for the next logon session, that is, after a log off, switch user, or reboot.
Sysinternals Autoruns lists the registered credential providers (Winlogon tab), which is the quickest way to spot one that should not be there.
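Both methods above are registry writes, so they can be scripted. The following PowerShell is an added example (not from the presentation) that implements Method 2 directly and Method 1 by writing the registry value the "Exclude credential providers" policy sets; the policy value name ExcludedCredentialProviders under HKLM\SOFTWARE\Policies\Microsoft\Windows\System is taken from the System.admx template and should be checked against the template on your build. $Clsid is a placeholder to be filled from an audit of the key; the script runs in an elevated session.

```powershell
# Added example: disable a credential provider by CLSID, two ways.
$cpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # backing key of the Logon policies (assumption: per System.admx)

# Method 2 from the slide: Disabled = 1 under the provider's own CLSID subkey.
function Disable-CredentialProvider {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $cpRoot $Clsid
    if (-not (Test-Path $key)) { throw "No credential provider is registered as $Clsid" }
    New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
    # Takes effect at the next logon session (log off, switch user, reboot).
}

# Method 1 from the slide: append the CLSID to the comma-separated policy list.
function Add-ExcludedCredentialProvider {
    param([Parameter(Mandatory)][string]$Clsid)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $policyKey -Name ExcludedCredentialProviders `
                -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    $list = @()
    if ($current) {
        $list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($list -notcontains $Clsid) { $list += $Clsid }
    Set-ItemProperty -Path $policyKey -Name ExcludedCredentialProviders `
                     -Value ($list -join ',') -Type String
}

# Placeholder CLSID; substitute the one reported for the provider you want gone.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Disable-CredentialProvider    -Clsid $Clsid
Add-ExcludedCredentialProvider -Clsid $Clsid
```

Two caveats a practitioner will want: do not exclude the built-in password provider unless another usable provider remains, or nobody can log on; and both settings require local administrator rights, which is exactly what an attacker who registered a rogue provider already has, so treat them as hardening for known providers and rely on monitoring of the registration key (Autoruns, or `autorunsc -a w` on a schedule) to catch new ones.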

12 References
https://msdn.microsoft.com/en-us/magazine/cc163489.aspx
https://technet.microsoft.com/en-us/library/dn169016(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc780095(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn169029(v=ws.10).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/bb648647(v=vs.85).aspx
https://technet.microsoft.com/en-us/library/ff404303(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn169014(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx
https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers?forum=w8itprosecurity
