SlideShare una empresa de Scribd logo

From zero to SYSTEM on full disk encrypted windows system

Nabeel Ahmed
Nabeel Ahmed

Presentation presented on Hack In Paris 2016

Tecnología
1 de 43
Descargar para leer sin conexión
from zero to system Nabeel ahmed & tom gilis on full disk encrypted windows system
From zero to system on full disk encrypted windows system ABOUT US ๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium ๏ I love to break things =) ๏ @NabeelAhmedBE ๏ blog.nabeelahmed.com ๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium ๏More “boring” stuff like compliancy, …  ๏@tgilis ๏Co-organizer of BruCON 2
From zero to system on full disk encrypted windows system Inspiration 3
From zero to system on full disk encrypted windows system November 2015 4
From zero to system on full disk encrypted windows system Ian haken 5 ๏ A new way to defeat FDE ๏ Rogue Domain Controller ๏ Poison Credential Cache ๏ Windows Security Feature bypass
From zero to system on full disk encrypted windows system Ms15-122 ๏ Implements trust relationship before local cache is updated ๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …) 6
From zero to system on full disk encrypted windows system Bitlocker ๏ TPM (Trusted Platform Module) ๏ Pre-boot PIN ๏ USB Key 7
From zero to system on full disk encrypted windows system ๏ TPM (Trusted Platform Module) ๏ ๏ 8 Bitlocker
From zero to system on full disk encrypted windows system Bitlocker tpm 9 ๏ BitLocker key is stored in TPM ๏ No user interaction when decrypting the drive ๏ Windows login screen is the first and only line of defense
From zero to system on full disk encrypted windows system Trust relationship? ๏ Computer account password is used for trust ๏ Randomly generated every 30 days ๏ 2 computer account passwords are stored ๏ Stored in “HKLMSECURITYPolicySecrets$machine.ACC” 10
From zero to system on full disk encrypted windows system Bypassing the patch 11
From zero to system on full disk encrypted windows system Difference 12 Legitimate DC Rogue DC
From zero to system on full disk encrypted windows system Ticket missing 13
From zero to system on full disk encrypted windows system SPN 14 SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names. – MSDN SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port like SERVICE/HOST:PORT.
From zero to system on full disk encrypted windows system Demo time 15
From zero to system on full disk encrypted windows system Kerberos Password change 16 ?????????? EXP_PASS
From zero to system on full disk encrypted windows system Kerberos Password change 17 ?????????? EXP_PASS NEW_PASS
From zero to system on full disk encrypted windows system 18 Conclusion ๏ Checks if a service ticket (T) has been received BUT only validates AFTER the password change ๏ MS16-014 / CVE-2016-0049 ๏ “Suggested workaround” disable local password caching ๏ Patched on all supported Windows versions
From zero to system on full disk encrypted windows system Bluebox 19 ๏ Automated exploitation of MS15-122 and MS16-014 ๏ Less than 1 minute ๏ Written in Python  ๏ Portable (Raspberry Pi) ๏ Kudos to Ian Haken (@ianhaken) ๏ https://github.com/JackOfMostTrades/bluebox
From zero to system on full disk encrypted windows system WHAT’s NEXT ? 20 ๏ Extract any personal data o Documents, emails, passwords.. ๏ Requires admin privileges to : o Retrieve BitLocker Recovery Key (or disable it) o Install Malware o Extract data from other users o …
From zero to system on full disk encrypted windows system Trust relationship? ๏ Trust relationship is not always validated ๏ Working Active Directory set-up ๏ Any other Windows functionality missing trust validation? 22
From zero to system on full disk encrypted windows system PRIVILEGE ESCALATION 23 Will Group Policies work ? ๏ Works on all supported Windows versions ๏ No need for additional (vulnerable) software ๏ No specific configuration requirements
From zero to system on full disk encrypted windows system Group Policies 24 User Configuration Computer Configuration During login (or on refresh) Before login (or on refresh) User or SYSTEM Privileges SYSTEM Privileges User account password Machine account password
From zero to system on full disk encrypted windows system Group Policies 25 User Configuration Computer Configuration During login (or on refresh) Before login (or on refresh) User or SYSTEM Privileges SYSTEM Privileges User account password Machine account password
From zero to system on full disk encrypted windows system Group policies 26
From zero to system on full disk encrypted windows system EXAMPLE – CMD AS SYSTEM 27 1. New Group Policy and assign it to the user account 2. Add the following configuration to the policy : • Download file (e.g. NetCat.exe) • Run NetCat as SYSTEM • Connect to service as User Screenshot Scheduled task GPO
From zero to system on full disk encrypted windows system It works!? 28
From zero to system on full disk encrypted windows system Why does it work? 29 ๏ Client can successfully authenticate against the DC using his credentials ๏ All encrypted traffic remains intact (SMB,LDAP,RPC) ๏ Assumes that the user credentials are sufficient to acknowledge trust relationship. ๏ Reported to Microsoft, who acknowledged the vulnerability but ...
From zero to system on full disk encrypted windows system IS it NEW ? 30 ๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015 ๏ MITM attack against legitimate GPO communication, resulting two patches (MS15-011 and MS15-014) ๏ Jennings’ conclusion : “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”
From zero to system on full disk encrypted windows system WINDOWS 10 ? 31
From zero to system on full disk encrypted windows system WINDOWS 10 ? 32
From zero to system on full disk encrypted windows system WIN 7 vs Win 10 33
From zero to system on full disk encrypted windows system WIN 7 vs Win 10 34
From zero to system on full disk encrypted windows system Relative ID User SID 35 S-1-5-21-124525095-708259637-1543119021-20937 Domain Security Identifier Incremental Uses Machine SID when new domain is created
From zero to system on full disk encrypted windows system Setting the SID 36 ๏ Possibilities : o Setting the Machine SID before the AD is created: o Windows SysPrep – Generates new “random” SID o Commercial tools exist o Off-line edit the NTDS.DIT File o SAMBA NT4 PDC to AD-DC Lengthy, complex and prone to errors
From zero to system on full disk encrypted windows system mimikatz to the rescue 37
From zero to system on full disk encrypted windows system Demo time 38
From zero to system on full disk encrypted windows system 39 Conclusion ๏ First validates trust with computer account ๏ MS16-072 / CVE-2016-3223 ๏ Took approx. 8 months to patch and then …
From zero to system on full disk encrypted windows system 40
From zero to system on full disk encrypted windows system Recovering original password 41 ๏ (convert .sys to .dmp) ๏ WinDbg ๏ Mimikatz (extract plaintext credentials) ๏ Only Windows 7 and below Force Hibernation Bypass login screen Elevate privileges Extract HIBERFIL.SYS Reset Local Password Cache
From zero to system on full disk encrypted windows system timeline 42
From zero to system on full disk encrypted windows system timeline 43
From zero to system on full disk encrypted windows system Take aways 44 ๏ Trust relationships not always validated ๏ Don’t take physical security for granted ๏ Backwards compatibility makes patching very difficult ๏ Bypassing authentication and escalating privileges without a single line of code ๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki ๏ Third time’s a charm? o November 2015 (MS15-122) o February 2016 (MS16-014) o … July 2016  (MS16-???) @nabeelahmedbe blog.ahmednabeel.com @tgilis

Recomendados

Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege EscalationSunny Neo
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 

Recomendados

Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege EscalationSunny Neo
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
1000 to 0
1000 to 01000 to 0
1000 to 0Sunny Neo
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Attacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionAttacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionIan Haken
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 

Más contenido relacionado

La actualidad más candente

Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 

La actualidad más candente (20)

Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 

Destacado

Attacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionAttacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionIan Haken
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Data protection in windows
Data protection in windowsData protection in windows
Data protection in windowsVijay Kumar
 
Deploying Microsoft BitLocker
Deploying Microsoft BitLockerDeploying Microsoft BitLocker
Deploying Microsoft BitLockerutahmisfit
 
List of Software tools for encryption
List of Software tools for encryptionList of Software tools for encryption
List of Software tools for encryptionCliford John Reandino
 
Smau Milano 2016 - Paola Presutto, Microsoft
Smau Milano 2016 - Paola Presutto, MicrosoftSmau Milano 2016 - Paola Presutto, Microsoft
Smau Milano 2016 - Paola Presutto, MicrosoftSMAU
 
Managing bitlocker with mbam
Managing bitlocker with mbamManaging bitlocker with mbam
Managing bitlocker with mbamOlav Tvedt
 
Protéger vos données avec le chiffrement dans Azure et Office 365
Protéger vos données avec le chiffrement dans Azure et Office 365Protéger vos données avec le chiffrement dans Azure et Office 365
Protéger vos données avec le chiffrement dans Azure et Office 365Microsoft Technet France
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101SecurityMetrics
 
Latihan9 comp-forensic-bab6
Latihan9 comp-forensic-bab6Latihan9 comp-forensic-bab6
Latihan9 comp-forensic-bab6sabtolinux
 
A Look Into Cyber Security
A Look Into Cyber SecurityA Look Into Cyber Security
A Look Into Cyber SecurityGTreasury
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Search Engines Presentation
Search Engines PresentationSearch Engines Presentation
Search Engines PresentationJSCHO9
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...Anton Chuvakin
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 

Destacado (20)

Attacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionAttacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk Encryption
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalation
 
Data protection in windows
Data protection in windowsData protection in windows
Data protection in windows
 
Deploying Microsoft BitLocker
Deploying Microsoft BitLockerDeploying Microsoft BitLocker
Deploying Microsoft BitLocker
 
List of Software tools for encryption
List of Software tools for encryptionList of Software tools for encryption
List of Software tools for encryption
 
Smau Milano 2016 - Paola Presutto, Microsoft
Smau Milano 2016 - Paola Presutto, MicrosoftSmau Milano 2016 - Paola Presutto, Microsoft
Smau Milano 2016 - Paola Presutto, Microsoft
 
Managing bitlocker with mbam
Managing bitlocker with mbamManaging bitlocker with mbam
Managing bitlocker with mbam
 
Protéger vos données avec le chiffrement dans Azure et Office 365
Protéger vos données avec le chiffrement dans Azure et Office 365Protéger vos données avec le chiffrement dans Azure et Office 365
Protéger vos données avec le chiffrement dans Azure et Office 365
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Latihan9 comp-forensic-bab6
Latihan9 comp-forensic-bab6Latihan9 comp-forensic-bab6
Latihan9 comp-forensic-bab6
 
A Look Into Cyber Security
A Look Into Cyber SecurityA Look Into Cyber Security
A Look Into Cyber Security
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Search Engines Presentation
Search Engines PresentationSearch Engines Presentation
Search Engines Presentation
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Security best practices
Security best practices Security best practices
Security best practices
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 

Similar a From zero to SYSTEM on full disk encrypted windows system

System Client Details
System Client DetailsSystem Client Details
System Client DetailsSyAM Software
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningAcend Corporate Learning
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Smart Printing Technical Presentation
Smart Printing Technical PresentationSmart Printing Technical Presentation
Smart Printing Technical PresentationJohnTileyITQ
 
ITE v5.0 - Chapter 5
ITE v5.0 - Chapter 5ITE v5.0 - Chapter 5
ITE v5.0 - Chapter 5Irsandi Hasan
 
A Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsA Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsJohn Rhoton
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Vinayak Hegde
 
Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunitiesATMOSPHERE .
 
Desktop and server securityse
Desktop and server securityseDesktop and server securityse
Desktop and server securityseAppin Ara
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellConcentrated Technology
 

Similar a From zero to SYSTEM on full disk encrypted windows system (20)

System Client Details
System Client DetailsSystem Client Details
System Client Details
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
 
T hin client configuration
T hin client configurationT hin client configuration
T hin client configuration
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
 
Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate Learning
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Users guide
Users guideUsers guide
Users guide
 
Smart Printing Technical Presentation
Smart Printing Technical PresentationSmart Printing Technical Presentation
Smart Printing Technical Presentation
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
ITE v5.0 - Chapter 5
ITE v5.0 - Chapter 5ITE v5.0 - Chapter 5
ITE v5.0 - Chapter 5
 
Ite v5.0 chapter5
Ite v5.0 chapter5Ite v5.0 chapter5
Ite v5.0 chapter5
 
A Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsA Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection Solutions
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)
 
Windows 8.1 a closer look
Windows 8.1 a closer lookWindows 8.1 a closer look
Windows 8.1 a closer look
 
Intro xp linux
Intro xp linuxIntro xp linux
Intro xp linux
 
Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunities
 
Desktop and server securityse
Desktop and server securityseDesktop and server securityse
Desktop and server securityse
 
Desktop and Server Security
Desktop and Server SecurityDesktop and Server Security
Desktop and Server Security
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
 

Último

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Último (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

From zero to SYSTEM on full disk encrypted windows system

  • 1. from zero to system Nabeel ahmed & tom gilis on full disk encrypted windows system
  • 2. From zero to system on full disk encrypted windows system ABOUT US ๏ Nabeel Ahmed, Security Researcher and Penetration Tester, Dimension Data Belgium ๏ I love to break things =) ๏ @NabeelAhmedBE ๏ blog.nabeelahmed.com ๏ Tom Gilis, Security Consultant (and Team Leader) at Dimension Data Belgium ๏More “boring” stuff like compliancy, …  ๏@tgilis ๏Co-organizer of BruCON 2
  • 3. From zero to system on full disk encrypted windows system Inspiration 3
  • 4. From zero to system on full disk encrypted windows system November 2015 4
  • 5. From zero to system on full disk encrypted windows system Ian haken 5 ๏ A new way to defeat FDE ๏ Rogue Domain Controller ๏ Poison Credential Cache ๏ Windows Security Feature bypass
  • 6. From zero to system on full disk encrypted windows system Ms15-122 ๏ Implements trust relationship before local cache is updated ๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to 2012 (Windows XP, Windows Server 2003, …) 6
  • 7. From zero to system on full disk encrypted windows system Bitlocker ๏ TPM (Trusted Platform Module) ๏ Pre-boot PIN ๏ USB Key 7
  • 8. From zero to system on full disk encrypted windows system ๏ TPM (Trusted Platform Module) ๏ ๏ 8 Bitlocker
  • 9. From zero to system on full disk encrypted windows system Bitlocker tpm 9 ๏ BitLocker key is stored in TPM ๏ No user interaction when decrypting the drive ๏ Windows login screen is the first and only line of defense
  • 10. From zero to system on full disk encrypted windows system Trust relationship? ๏ Computer account password is used for trust ๏ Randomly generated every 30 days ๏ 2 computer account passwords are stored ๏ Stored in “HKLMSECURITYPolicySecrets$machine.ACC” 10
  • 11. From zero to system on full disk encrypted windows system Bypassing the patch 11
  • 12. From zero to system on full disk encrypted windows system Difference 12 Legitimate DC Rogue DC
  • 13. From zero to system on full disk encrypted windows system Ticket missing 13
  • 14. From zero to system on full disk encrypted windows system SPN 14 SPNs are used to support mutual authentication between a client application and a service. A service principal name is associated with an account and an account can have many service principal names. – MSDN SPNs are usually formatted as SERVICE/HOST, but sometimes they also include a port like SERVICE/HOST:PORT.
  • 15. From zero to system on full disk encrypted windows system Demo time 15
  • 16. From zero to system on full disk encrypted windows system Kerberos Password change 16 ?????????? EXP_PASS
  • 17. From zero to system on full disk encrypted windows system Kerberos Password change 17 ?????????? EXP_PASS NEW_PASS
  • 18. From zero to system on full disk encrypted windows system 18 Conclusion ๏ Checks if a service ticket (T) has been received BUT only validates AFTER the password change ๏ MS16-014 / CVE-2016-0049 ๏ “Suggested workaround” disable local password caching ๏ Patched on all supported Windows versions
  • 19. From zero to system on full disk encrypted windows system Bluebox 19 ๏ Automated exploitation of MS15-122 and MS16-014 ๏ Less than 1 minute ๏ Written in Python  ๏ Portable (Raspberry Pi) ๏ Kudos to Ian Haken (@ianhaken) ๏ https://github.com/JackOfMostTrades/bluebox
  • 20. From zero to system on full disk encrypted windows system WHAT’s NEXT ? 20 ๏ Extract any personal data o Documents, emails, passwords.. ๏ Requires admin privileges to : o Retrieve BitLocker Recovery Key (or disable it) o Install Malware o Extract data from other users o …
  • 21. From zero to system on full disk encrypted windows system Trust relationship? ๏ Trust relationship is not always validated ๏ Working Active Directory set-up ๏ Any other Windows functionality missing trust validation? 22
  • 22. From zero to system on full disk encrypted windows system PRIVILEGE ESCALATION 23 Will Group Policies work ? ๏ Works on all supported Windows versions ๏ No need for additional (vulnerable) software ๏ No specific configuration requirements
  • 23. From zero to system on full disk encrypted windows system Group Policies 24 User Configuration Computer Configuration During login (or on refresh) Before login (or on refresh) User or SYSTEM Privileges SYSTEM Privileges User account password Machine account password
  • 24. From zero to system on full disk encrypted windows system Group Policies 25 User Configuration Computer Configuration During login (or on refresh) Before login (or on refresh) User or SYSTEM Privileges SYSTEM Privileges User account password Machine account password
  • 25. From zero to system on full disk encrypted windows system Group policies 26
  • 26. From zero to system on full disk encrypted windows system EXAMPLE – CMD AS SYSTEM 27 1. New Group Policy and assign it to the user account 2. Add the following configuration to the policy : • Download file (e.g. NetCat.exe) • Run NetCat as SYSTEM • Connect to service as User Screenshot Scheduled task GPO
  • 27. From zero to system on full disk encrypted windows system It works!? 28
  • 28. From zero to system on full disk encrypted windows system Why does it work? 29 ๏ Client can successfully authenticate against the DC using his credentials ๏ All encrypted traffic remains intact (SMB,LDAP,RPC) ๏ Assumes that the user credentials are sufficient to acknowledge trust relationship. ๏ Reported to Microsoft, who acknowledged the vulnerability but ...
  • 29. From zero to system on full disk encrypted windows system IS it NEW ? 30 ๏ Luke Jennings (MWR Labs) demonstrated how you can gain SYSTEM access through MITM in March 2015 ๏ MITM attack against legitimate GPO communication, resulting two patches (MS15-011 and MS15-014) ๏ Jennings’ conclusion : “Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.”
  • 30. From zero to system on full disk encrypted windows system WINDOWS 10 ? 31
  • 31. From zero to system on full disk encrypted windows system WINDOWS 10 ? 32
  • 32. From zero to system on full disk encrypted windows system WIN 7 vs Win 10 33
  • 33. From zero to system on full disk encrypted windows system WIN 7 vs Win 10 34
  • 34. From zero to system on full disk encrypted windows system Relative ID User SID 35 S-1-5-21-124525095-708259637-1543119021-20937 Domain Security Identifier Incremental Uses Machine SID when new domain is created
  • 35. From zero to system on full disk encrypted windows system Setting the SID 36 ๏ Possibilities : o Setting the Machine SID before the AD is created: o Windows SysPrep – Generates new “random” SID o Commercial tools exist o Off-line edit the NTDS.DIT File o SAMBA NT4 PDC to AD-DC Lengthy, complex and prone to errors
  • 36. From zero to system on full disk encrypted windows system mimikatz to the rescue 37
  • 37. From zero to system on full disk encrypted windows system Demo time 38
  • 38. From zero to system on full disk encrypted windows system 39 Conclusion ๏ First validates trust with computer account ๏ MS16-072 / CVE-2016-3223 ๏ Took approx. 8 months to patch and then …
  • 39. From zero to system on full disk encrypted windows system 40
  • 40. From zero to system on full disk encrypted windows system Recovering original password 41 ๏ (convert .sys to .dmp) ๏ WinDbg ๏ Mimikatz (extract plaintext credentials) ๏ Only Windows 7 and below Force Hibernation Bypass login screen Elevate privileges Extract HIBERFIL.SYS Reset Local Password Cache
  • 41. From zero to system on full disk encrypted windows system timeline 42
  • 42. From zero to system on full disk encrypted windows system timeline 43
  • 43. From zero to system on full disk encrypted windows system Take aways 44 ๏ Trust relationships not always validated ๏ Don’t take physical security for granted ๏ Backwards compatibility makes patching very difficult ๏ Bypassing authentication and escalating privileges without a single line of code ๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki ๏ Third time’s a charm? o November 2015 (MS15-122) o February 2016 (MS16-014) o … July 2016  (MS16-???) @nabeelahmedbe blog.ahmednabeel.com @tgilis