Microsoft Technology Summit 2012
Transcript
Adventures in Underland: What Passwords Do When No One Is Watching
Paula Januszkiewicz
MVP: Enterprise Security, MCT
CQURE: CEO, Penetration Tester | [email protected]
IDesign: Security Architect | http://cqure.pl

Agenda

Tools!
- Our tools: http://cqure.pl (Tools) or http://stderr.pl/tools
- Check out the following links:
  http://www.gentilkiwi.com/ - Benjamin Delpy
  http://www.ntdsxtract.com/ - Csaba Barta

The Longest Password 'Ever'
- How often do you share your password with others?
- 90 percent of user-generated passwords at risk of being compromised in 2013 [2013 Deloitte Technology Report]
- 75 percent of people use the same password for a social portal and for e-mail [2010 BitDefender Study]
- ...6 million passwords stolen
- ...hackers may have stolen the passwords of 250,000 users
- ...hacker group has apparently dumped 453,492 usernames and passwords obtained in plaintext
- ...personal data for more than 50 million users was stolen

Conclusions
- We use passwords because the solution requires them
- Because we need to confirm that we are who we are
- But we do not know how this data is stored

Demo: Introduction
- File to be a little bit zilla

Agenda

CPAU: Information
- http://www.joeware.net/freetools/
- ID, password and command line are kept in a file so that normal users can run the command

Demo: CPAU
- Work it, work it baby!

CPAU: Getting the Password
- Whatever cryptography is used, the application has to be allowed to use the password:
  it is sent over the network, stored in log files, etc.
- It is loaded into memory
- In between sit operating system mechanisms that can be listened to
- Security motto: know how your app works!

Demo: CPAU
- ... get the password now!

CPAU: Waiting for the reaction

Application Dirty Games: Remotely
- Kernel debugging over the network is available since Windows 8
- You allow somebody to dig into the kernel of your OS
- Each chunk of your data is exposed
- bcdedit /debug on: invisible to the user!
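The "invisible" debug flag above is invisible to the logged-on user, not to the boot configuration store. As an added example (not part of the original deck or of the CQURE tools), the PowerShell below reads the state that `bcdedit /debug on` leaves in the current boot entry and the transport configured with `bcdedit /dbgsettings`, and flags the combination that makes the kernel remotely controllable: debugging enabled with the NET transport. The function name, the field names and the sample bcdedit output are this example's own; the sample is constructed so the block runs offline, and the live check at the bottom needs an elevated prompt.

```powershell
# Added example, not from the original deck: detect kernel debugging that was
# switched on with "bcdedit /debug on" and see which transport it uses.

function Get-KernelDebugState {
    param(
        [string[]]$EnumOutput,   # lines from: bcdedit /enum '{current}'
        [string[]]$DbgSettings   # lines from: bcdedit /dbgsettings
    )

    # bcdedit prints "debug    Yes" / "No"; the literal is localized on
    # non-English Windows, so add the local word (Polish "Tak" shown here).
    $enabled = [bool]($EnumOutput | Where-Object { $_ -match '^\s*debug\s+(Yes|Tak)\s*$' })

    # /dbgsettings prints one "name   value" pair per line
    $settings = @{}
    foreach ($line in $DbgSettings) {
        if ($line -match '^\s*(debugtype|hostip|port|key|dhcp)\s+(\S+)') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        DebugEnabled       = $enabled
        Transport          = $settings['debugtype']
        HostIp             = $settings['hostip']
        Port               = $settings['port']
        KeyConfigured      = [bool]$settings['key']
        # KDNET (network kernel debugging) exists since Windows 8; enabled + NET
        # means whoever holds the key can attach to the running kernel remotely.
        RemoteKernelAccess = ($enabled -and ($settings['debugtype'] -eq 'NET'))
    }
}

# Constructed sample output (not captured from a real host), so this runs offline:
$sampleEnum = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8
debug                   Yes
'@ -split "`r?`n"

$sampleDbg = @'
debugtype               NET
hostip                  192.0.2.10
port                    50000
key                     1.2.3.4
dhcp                    Yes
The operation completed successfully.
'@ -split "`r?`n"

Get-KernelDebugState -EnumOutput $sampleEnum -DbgSettings $sampleDbg

# Live check from an elevated prompt ({current} must be quoted in PowerShell):
# Get-KernelDebugState -EnumOutput (bcdedit /enum '{current}') -DbgSettings (bcdedit /dbgsettings)
```

On the constructed sample the result has DebugEnabled and RemoteKernelAccess both set to True. Note that the debugger key itself is printed by `bcdedit /dbgsettings`, so anyone who can run bcdedit elevated on the box can also read the secret that protects the debug session.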
Demo: Debugging over Network
- Well, well, well...

Application Pools
- Purpose: assign resources and serve as a security sandbox
- Their identity is defined in the Application Pool settings
- They process HTTP and non-HTTP resources
- The identity's credentials are stored in encrypted form in applicationHost.config

Demo: Application Pools
- Getting the password from the IIS configuration

Demo: Application Pools
- Encrypt the configuration file

Agenda

Chasing the obvious: NTDS.DIT, SAM
- These stores hold password hashes, not passwords: to read the clear-text password you need to struggle!

Demo: Offline NTDS.DIT
- Sharing is caring!

Memory Dumps: For 'troubleshooting'
- Whatever sensitive data was used, it is in memory
- Used to detect suspicious behavior of processes
- Saved in %windir%
- Published carelessly on public forums

Demo: Memory dumps
- Sharing is caring!

Services
- Always need some identity to run the executable!
- The credentials must be stored locally, especially when domain credentials are used
- They can be accessed once we impersonate Local System
- If you cannot use gMSA or MSA, at least adopt a naming convention (svc_ prefix) for service accounts

Demo: Services
- Getting the password from LSA Secrets

Scheduled Tasks
- As with services, the password can be revealed
- Saved in the user's Credential Manager
- The user's password can be used to get access to the task's password
- After the password is changed, the task still runs

Demo: Scheduled Tasks
- Getting the password from LSA Secrets

Data Protection API
- Password, data blob, entropy
- Protects against outsiders with offline access
- Effectively protects user data
- You need to be able to get access to some of your passwords from the past

Demo: DPAPI
- Positive scenario first!

Demo: DPAPI
- Negative scenario last!

Agenda

Passwords: Summary

Thank You!
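For the Services and Scheduled Tasks slides above, an added example (not part of the original deck or of the CQURE tools) that lists what on a host runs under a stored password, which is exactly the set of secrets the two LSA Secrets demos recover. Built-in identities (LocalSystem, the LOCAL/NETWORK SERVICE accounts and NT SERVICE\ virtual accounts) and MSA/gMSA accounts (names ending in `$`) keep no password on the box, so they are left out, which also gives a quick check of the "use gMSA/MSA" advice. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module and an elevated PowerShell session; the function names are this example's own.

```powershell
# Added example, not from the original deck: enumerate services and scheduled
# tasks that Windows must start with a password it stored locally.

function Test-ManagedAccount {
    param([string]$Account)
    # Built-in identities never have a stored password; MSA/gMSA and computer
    # accounts end with '$' and are rotated by the domain, not stored here.
    return ($Account -match '\$$') -or
           ($Account -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') -or
           ($Account -match '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$')
}

function Get-StoredCredentialConsumers {
    $results = @()

    # Services: StartName is the logon account. Any account that is neither
    # built-in nor managed means the Service Control Manager keeps the password
    # in an LSA secret (the _SC_<ServiceName> secret) so it can start the service.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if ($_.StartName -and -not (Test-ManagedAccount $_.StartName)) {
            $results += [pscustomobject]@{
                Type    = 'Service'
                Name    = $_.Name
                Account = $_.StartName
                Detail  = $_.PathName
            }
        }
    }

    # Scheduled tasks: a principal with LogonType Password or
    # InteractiveOrPassword means the Task Scheduler stored the account's
    # password; S4U, Group, ServiceAccount and Interactive principals did not.
    Get-ScheduledTask | ForEach-Object {
        $principal = $_.Principal
        if ("$($principal.LogonType)" -in 'Password', 'InteractiveOrPassword') {
            $results += [pscustomobject]@{
                Type    = 'Task'
                Name    = "$($_.TaskPath)$($_.TaskName)"
                Account = $principal.UserId
                Detail  = "LogonType=$($principal.LogonType)"
            }
        }
    }

    return $results
}

Get-StoredCredentialConsumers | Sort-Object Type, Account | Format-Table -AutoSize
```

Every row is an account whose clear-text password a Local System attacker on this host can read back; domain accounts in that list are the ones worth moving to gMSA first. Tasks keep running after the user changes the password because the Task Scheduler keeps its own copy, which is the "it still runs" point on the slide: the copy is stale but still valid until the account's new password replaces it in the task.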
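The DPAPI slides name the three ingredients, password, data blob and entropy, and demo a positive and a negative scenario. As an added example (not part of the original deck), the PowerShell below exercises both with the .NET ProtectedData API, which is the managed wrapper around DPAPI's CryptProtectData/CryptUnprotectData: a blob protected in the CurrentUser scope opens only for the same user (through a master key derived from that user's logon password) and, when optional entropy is supplied, only for a caller that knows the entropy. The function names, the demo secret and the entropy value are this example's own.

```powershell
# Added example, not from the original deck: DPAPI positive and negative scenario.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Plaintext, [byte[]]$Entropy)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    # CurrentUser scope: bound to this user's DPAPI master keys
    return [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Text.Encoding]::UTF8.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Wrong entropy, a different user, or a master key that can no longer
        # be decrypted: DPAPI refuses rather than returning garbage.
        return $null
    }
}

# Constructed demo values (not real credentials)
$entropy = [Text.Encoding]::UTF8.GetBytes('cqure-demo-entropy')
$blob    = Protect-Secret -Plaintext 'P@ssw0rd-from-the-past' -Entropy $entropy

# Positive scenario: same user, same entropy -> the plaintext comes back
$positive = Unprotect-Secret -Blob $blob -Entropy $entropy
"Positive: $positive"

# Negative scenario 1: same user, wrong entropy -> $null
$negative = Unprotect-Secret -Blob $blob -Entropy ([Text.Encoding]::UTF8.GetBytes('guess'))
"Negative (wrong entropy): $(if ($null -eq $negative) { 'refused' } else { $negative })"

# Negative scenario 2: another user. Hand the blob over and try to open it in
# that user's session; Unprotect-Secret returns $null there as well.
[IO.File]::WriteAllBytes("$env:TEMP\dpapi-demo.bin", $blob)
# In the other session:  Unprotect-Secret -Blob ([IO.File]::ReadAllBytes("$env:TEMP\dpapi-demo.bin")) -Entropy $entropy
```

The "passwords from the past" point on the slide is about the master key: it is encrypted with a key derived from the user's logon password, and a user-initiated password change re-keys it while keeping the history of old passwords, so older blobs stay readable. An administrative password reset skips that step, and blobs protected before the reset then fail exactly like the negative scenario above unless the domain's DPAPI backup key is available.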
Resources
- http://channel9.msdn.com/Events/TechEd
- www.microsoft.com/learning
- http://microsoft.com/technet
- http://microsoft.com/msdn

Fill in the survey and win prizes!
- The MTS organizers read every survey. Filling one in takes just 5 minutes of your time!
- Through the surveys you have a real influence on the conference and on the content and speakers of the next MTS.
- You have a chance to win, among other prizes, a pass to MTS 2014 (24 available) and other awards.
- Where and how? The surveys are available online on the conference website (mtskonferencja.pl). They can be filled in from today until 5 November 2013.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. The information provided is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE STATUTORY WARRANTY AGAINST PHYSICAL AND LEGAL DEFECTS, AS TO THE INFORMATION CONTAINED IN THIS PRESENTATION.