Manuel Urueña
In the case of online attacks, it is not possible to simply copy the SAM
file to another location. The SAM file cannot be moved or copied while
Windows is running, since the Windows kernel obtains and keeps an
exclusive filesystem lock on the SAM file, and will not release that lock
until the operating system has shut down or a "Blue Screen of Death"
exception has been thrown. However, the in-memory copy of the
contents of the SAM can be dumped using various techniques
(including pwdump), making the password hashes available for offline
brute-force attack.
Syskey is a utility that encrypts the hashed password information in a SAM database in a Windows
system using a 128-bit RC4 encryption key that, by default, is stored in the Windows registry. Syskey can
optionally be configured to require the user to enter the key at boot time as a startup password or load it
on removable storage media (e.g., USB flash drive).
http://unaaldia.hispasec.com/2008/04/mitos-y-leyendas-las-contrasenas-en.html
https://en.wikipedia.org/wiki/Syskey | https://en.wikipedia.org/wiki/Security_Account_Manager
LAN Manager (LM)
https://en.wikipedia.org/wiki/LAN_Manager
Password of ≤ 14 characters?
► NO! Two 7-character passwords, in uppercase
► Fixed-length 14-byte password
► Two DES operations are performed, each keyed with 7 bytes
NT LAN Manager (NTLM hash)
https://en.wikipedia.org/wiki/NT_LAN_Manager
“In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that
provides authentication, integrity, and confidentiality to users. NTLM is the successor to the
authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.
The NTLM protocol suite is implemented in a Security Support Provider, which combines the
LAN Manager authentication protocol, NTLMv1 (MD4), NTLMv2 (HMAC-MD5) and NTLM2
Session (MS-CHAPv2) protocols in a single package. Whether these protocols are used or can
be used on a system is governed by Group Policy settings, for which different versions of
Windows have different default settings. NTLM passwords are considered weak because they
can be brute-forced very easily with modern hardware”.
“NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection
oriented environment (connectionless is similar), and a fourth additional message if integrity is desired: 1. First, the client
establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities, 2. Next, the
server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client and 3. Finally, the
client responds to the challenge with an AUTHENTICATE_MESSAGE”.
“The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain
controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the
server, you can authenticate without knowing the actual password. The two are the LM Hash (a DES-based function applied to
the first 14 chars of the password converted to the traditional 8 bit PC charset for the language), and the NT Hash (MD4 of the
little endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each.”
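The LM construction described on the LAN Manager slide and the NT hash definition quoted above, worked in code. This is an added example, not code from the slides or from any of the tools they list: MD4 is implemented from RFC 1320 so that only the Python standard library is needed, and DES is not implemented, so the LM side stops at the step that turns each 7-byte half into a DES key. The plaintext `KGS!@#$%` and the half value `aad3b435b51404ee` (what an all-zero 7-byte key produces) are the documented LM constants; the function names, the `cp437` code page default and the sample passwords are assumptions made for the example.

```python
import struct

# Added example (not from the slides): NT hash (MD4 over UTF-16LE) and the LM
# pre-processing that makes LM weak. MD4 follows RFC 1320 so the block runs
# offline; DES itself is omitted, so LM is shown up to the DES key step.

MASK32 = 0xFFFFFFFF

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320: padding, three rounds, little-endian words."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (  # (mixing function, additive constant, word order, shift amounts)
        (f, 0, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                v = (a + fn(b, c, d) + x[w] + k) & MASK32
                a, b, c, d = d, _lrot(v, shifts[i % 4]), b, c  # rotate register roles
        h = [(hv + v) & MASK32 for hv, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the little-endian UTF-16 password. No salt, no iteration."""
    return md4(password.encode("utf-16-le"))

LM_MAGIC = b"KGS!@#$%"                              # constant each LM half DES-encrypts
EMPTY_LM_HALF = bytes.fromhex("aad3b435b51404ee")  # DES_k(LM_MAGIC) for an all-zero 7-byte key

def lm_halves(password: str, oem_codepage: str = "cp437") -> tuple:
    """Uppercase, encode in the OEM code page, cut/pad to 14 bytes, split into 7 + 7."""
    raw = password.upper().encode(oem_codepage, errors="replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def des_key_from_7_bytes(half: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes, setting each byte's low bit to odd parity."""
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        key.append((seven << 1) | parity)
    return bytes(key)

def lm_hash_findings(lm_hex: str) -> list:
    """Audit check over a dumped LM hash: does either half carry the known empty-half value?"""
    h = bytes.fromhex(lm_hex)
    if len(h) != 16:
        raise ValueError("LM hash must be 16 bytes")
    findings = []
    if h[:8] == EMPTY_LM_HALF and h[8:] == EMPTY_LM_HALF:
        findings.append("LM hash is empty: blank password or LM storage disabled")
    elif h[8:] == EMPTY_LM_HALF:
        findings.append("second half empty: password is 7 characters or fewer")
    return findings
```

The weakness the slides point at is visible in the code: `lm_halves` never gives a DES key more than 7 uppercase bytes, so the two halves are independent of each other, and any password of 7 characters or fewer leaves the second half equal to the fixed empty-half value, which `lm_hash_findings` flags when reviewing a hash dump. The NT hash is one unsalted MD4 over the whole password, which is why identical passwords on different accounts produce identical hashes.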
Authentication with Kerberos (token-based SSO)
http://web.mit.edu/kerberos/www/
Kerberos: authentication with symmetric encryption and a KDC
http://www.lsv.ens-cachan.fr/spore/nssk.html
http://www.isi.edu/gost/publications/kerberos-neuman-tso.html
Kerberos authentication phases
1. Obtaining credentials from the KDC:
• User authentication → Ticket Granting Ticket (TGT)
2. Authentication request to the KDC for a service:
• <TGT, Service> → Ticket Granting Service (TGS)
3. Presenting the ticket to the final server:
• TGS → Service
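The three phases listed above, as an added example that is not part of the slides or of any Kerberos implementation. `seal`/`unseal` is a stand-in for a Kerberos encryption type, built from SHA-256 and HMAC in the Python standard library; the principal names, key sizes, ticket lifetimes and the 300-second authenticator window are constructed for the demo, and real user keys are derived from passwords rather than generated at random as here.

```python
import hashlib, hmac, json, os, time

# Added example (not from the slides): a toy Kerberos flow covering the three
# phases. seal/unseal is a stand-in authenticated encryption, not a real
# Kerberos etype; names, lifetimes and key sizes are constructed for the demo.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || HMAC tag: only a holder of `key` can read or forge it."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key (user keys derive from passwords in real Kerberos)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, user: str, now: int) -> bytes:
        # Phase 1: the reply is sealed under the user's key, the TGT under the krbtgt key.
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": now + 600})
        return seal(self.keys[user], {"sk": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        # Phase 2: the KDC trusts the TGT only because it verifies under the krbtgt key.
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if t["exp"] < now or auth["user"] != t["user"] or abs(auth["ts"] - now) > 300:
            raise ValueError("TGT expired or authenticator mismatch")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "svc": service, "sk": ssk, "exp": now + 600})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "ticket": ticket.hex()})

def client_login(kdc: KDC, user: str, user_key: bytes, now: int):
    rep = unseal(user_key, kdc.as_exchange(user, now))
    return bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])

def client_service_ticket(kdc: KDC, user: str, sk: bytes, tgt: bytes, service: str, now: int):
    rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now))
    return bytes.fromhex(rep["sk"]), bytes.fromhex(rep["ticket"])

def service_accept(service_key: bytes, service: str, ticket: bytes, authenticator: bytes, now: int) -> str:
    # Phase 3: the service validates with its own key, offline; it never sees the user's key.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if t["svc"] != service or t["exp"] < now or a["user"] != t["user"] or abs(a["ts"] - now) > 300:
        raise ValueError("ticket not valid for this service, user or time")
    return t["user"]

def _realm() -> dict:
    # Constructed realm: one user, one service, plus the krbtgt key.
    return {"krbtgt": os.urandom(32), "alice": os.urandom(32), "cifs/fileserver": os.urandom(32)}

def run_demo() -> str:
    """Full three-phase flow; returns the principal name the service authenticated."""
    keys, now, svc = _realm(), int(time.time()), "cifs/fileserver"
    kdc = KDC(keys)
    sk, tgt = client_login(kdc, "alice", keys["alice"], now)                 # phase 1
    ssk, ticket = client_service_ticket(kdc, "alice", sk, tgt, svc, now)     # phase 2
    return service_accept(keys[svc], svc, ticket, seal(ssk, {"user": "alice", "ts": now}), now)  # phase 3

def forged_ticket_rejected() -> bool:
    """A ticket sealed under anything but the service's real key fails the integrity check."""
    keys, now, svc = _realm(), int(time.time()), "cifs/fileserver"
    fake_sk = os.urandom(32)
    forged = seal(os.urandom(32), {"user": "alice", "svc": svc, "sk": fake_sk.hex(), "exp": now + 600})
    try:
        service_accept(keys[svc], svc, forged, seal(fake_sk, {"user": "alice", "ts": now}), now)
    except ValueError:
        return True
    return False
```

Two properties of the protocol show up directly: the client only ever holds session keys and opaque tickets (it cannot read the TGT or the service ticket, because they are sealed under the krbtgt and service keys), and the final server checks the ticket with its own key without contacting the KDC. `forged_ticket_rejected` shows the flip side, which is what the Kerberos attack slides below are about: a ticket is trusted exactly as far as the key it was sealed under, so the security of the whole realm rests on keeping the krbtgt and service account keys secret.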
Demo: Kerberos system
http://cswilliams.ncat.edu/IA_visualization_labs/security_visual_tools/kerberos/kerberos_demo.html
https://en.wikipedia.org/wiki/Integrated_Windows_Authentication
https://uit.stanford.edu/service/ess/pc/docs/kerberos
Attacks against passwords
https://www.youtube.com/watch?v=4vIu8ld68fc
https://www.wired.com/2014/08/gyroscope-listening-hack/
Brute-force attacks
http://www.neoteo.com/colossus-un-coloso-secreto-contra-enigma-16078
https://en.wikipedia.org/wiki/EFF_DES_cracker (1998)
Computing with GPUs/GPGPUs (1)
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Computing with GPUs/GPGPUs (2)
► Free GPU tools:
OclHashcat - http://www.hashcat.net
Ighashgpu - http://www.golubev.com/hashgpu.htm
BarsWF - http://3.14.by/en/md5
Whitepixel - http://whitepixe.zorinaq.com
hashkill - http://www.gat3way.eu/hashkill/index.php
Rainbow Tables (1)
https://en.wikipedia.org/wiki/Rainbow_table
Rainbow Tables (2)
► Generation:
- Rtgen: http://Project-rainbowcrack.com
- Cain&Abel (winrtgen): http://www.oxid.it
- Precomp (ophcrack): http://ophcrack.sourceforge.net
► Online:
- http://passcracking.com
- http://md5pass.info/add.php
► Pre-generated tables:
- Free Rainbow Tables: http://www.freerainbowtables.com
- Shmoo group: http://rainbowtables.shmoo.com
- Ophcrack: http://ophcrack.sourceforge.net
“Quality” passwords
http://www.passwordmeter.com
Being forced to reveal the password
Attacks on passwords (LM/NTLM) (1)
► Online attacks – based on DLL injection or on reading the memory of the
LSASS (Local Security Authority Subsystem) process:
Tools: Fgdump, pwdump, bkhive, samdump2, Mimikatz, Windows Credential
Editor (WCE)…
http://www.tarasco.org/security/pwdump_7/
http://ampliasecurity.com
https://www.slideshare.net/rootedcon/hernan-ochoa-wce-internals-rootedcon-2011
Tools:
• Hiren’s Boot CD (Windows gate 1.1)
• Kon-Boot (bypasses the authentication process)
https://hipertextual.com/archivo/2014/05/acceder-a-windows-sin-saber-contrasena/
Attacks on passwords (LM/NTLM) (2)
• Attack without cracking – Pass the hash
https://dfir-blog.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/
https://blog.varonis.com/windows-10-authentication-the-end-of-pass-the-hash/
http://www.securitybydefault.com/2011/11/obtencion-del-fichero-sam-y-system-sin.html
Attacks on passwords (Kerberos) (1)
https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more
Overpass-the-hash
The user's authentication hash is passed in order
to then obtain a TGT
Attacks on passwords (Kerberos) (2)
https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more
Pass-the-ticket
Attacks on passwords (Kerberos) (3)
https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more
Attacks on passwords (Kerberos) (4)
https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
www.unir.net