
Passwords Everywhere Ing. Ondřej Ševeček | GOPAS a.s. |



Presentation on theme: "Passwords Everywhere Ing. Ondřej Ševeček | GOPAS a.s. |"— Presentation transcript:

1 GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Passwords Everywhere Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker

2 Take care of your passwords
People use the same passwords for different services: AD network, mobile phone, credit card PIN, facebook, e-shops, fre , …
People type their passwords on unknown computers
Passwords travel over the network unencrypted
Somebody else is your computer administrator
Computers often store passwords in full form

3 Hardware keyloggers Easy soldier

4 Different service = different password?
Do you think the databases of facebook, google+, gmail, microsoft, alza, seznam, … are encrypted? Nonsense.
What do you think the Indians do when bored? Are they surfing your , or facebook?
What do you think is the first thing a virus is going to do after infection?
list all user accounts
touch anything in your network with your current password

5 User Account Control (UAC)
Locally limits Administrators group membership
Does nothing over the network
It matters only for a BFU on a single machine
It does not affect administrative accounts

6 Windows authentication seems secure
Kerberos, Kerberos, Kerberos, sometimes NTLM
Encrypted network transport
AES, mutual authentication, rekeying, etc.

7 Passwords are in memory
(diagram: the plaintext password entered at Ctrl-Alt-Del is held in LSASS on the IS client and used by Internet Explorer, Outlook and Lync)

8 Passwords are in LSASS memory
(diagram: the plaintext password sits in the local LSASS of the IS client; Internet Explorer, Outlook and Lync authenticate to the Kerberos server and to the server's LSASS via Kerberos or NTLM)

9 Who can steal passwords from LSASS
Local Administrators
The Debug privilege is the only one necessary to break into LSASS memory

10 Basic authentication
HTTP Basic authentication: used veeeeery often even on intranets, mostly BFU accounts
LDAP Simple bind: used veeeeery often by third-party NAS, VPN, VoIP, gateways, routers, VMWare console, etc., often administrative accounts
RDP: used extreeeeemely often, extreeeeemely often administrative accounts

11 Passwords are in LSASS memory
(diagram: the plaintext password from the IS client's LSASS travels in plain text to the server's LSASS when using VPN, MSTSC (RDP), Internet Explorer, Outlook or Lync)

12 Passwords are stored in full form
IIS application pools
Services
Scheduled tasks

13 After attack, change your password!
Really?
Password filter on DC or on local SAM database
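Slides 12 and 13 belong together: before a password change after an attack can be called complete, you need to know every place on the box that keeps the old password in full form. The following PowerShell inventory is an added example, not part of the presentation; it lists services running under an explicit account, scheduled tasks whose principal has a stored password, and IIS application pools with a specific user, so those are the credentials to rotate (the account-name filter for built-in identities is an assumption you may need to widen).

```powershell
# Inventory of places that store a full-form password on a Windows host (slide 12):
# service logon accounts, scheduled tasks with a stored password, IIS app pool identities.
# Added example, not from the presentation. Run in an elevated PowerShell on the host you audit.

function Get-StoredCredentialUsage {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Services running as an explicit account. Built-in identities (LocalSystem,
    #    NT AUTHORITY\..., NT SERVICE\...) and gMSA accounts (name ends with '$') keep
    #    no reusable password in LSA secrets, so they are filtered out (assumed filter).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' -and
            $_.StartName -notmatch '\$$'
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName }
        }

    # 2. Scheduled tasks whose principal logs on with a stored password.
    #    S4U and ServiceAccount principals store none, so only these two logon types count.
    Get-ScheduledTask |
        Where-Object { $_.Principal.LogonType -in 'Password', 'InteractiveOrPassword' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind    = 'ScheduledTask'
                Name    = "$($_.TaskPath)$($_.TaskName)"
                Account = $_.Principal.UserId
            }
        }

    # 3. IIS application pools configured with a specific user (only where IIS is installed).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Kind = 'IISAppPool'; Name = $_.Name; Account = $_.processModel.userName }
            }
    }

    $findings
}

# Group by account so you can see which password is reused across how many places.
Get-StoredCredentialUsage | Sort-Object Account, Kind | Format-Table -AutoSize
```

Every account that appears in the output needs its password changed, and the stored copy updated, in each listed location; changing it only in AD or the local SAM leaves the old value behind in the service, task or pool configuration.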

14 Good password
Long: at least 12 characters
All four types of characters (a-z, A-Z, 0-9, #$%^…)
80% of passwords are alphanumeric
Never reuse the same password for critical services
not too much change necessary

15 Password locking? Do not exaggerate
6 characters complex password
75 trials per one lock for 1 minute = years

16 Cracking from local/AD hashes (non-cache)
MD4 hashes
brute-force: 8 characters complex, 1 CPU = 25 years, 10 GPUs = 15 days
rainbow-table: 8 characters complex = minutes = 120 GB
Every character makes it 80x more difficult
12 characters complex password is unbreakable, at least for non-NSA mortals

17 Cracking from network trace and password cache
No use for rainbow-table: MD4 salted
Only brute-force possible

18 What to remember
Never type a password on an unknown computer
Accessing remote machines with RDP sends your password there
Disable all HTTP Basic and LDAP Simple bind authentications
Use smart cards instead

19 Where to read more

20 GOPAS
See you at the courses of the GOPAS, a.s. computer school:
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC175 - Administering Security

