
Windows Authentication

Windows Local Authentication

Local Authentication Basics

When you log in to Windows locally, the operating system uses the password you enter as a credential and checks it against the password stored on the system. But where does the operating system keep that password?

Path: %SystemRoot%\system32\config\sam

When we log in, the system automatically reads the "password" from the SAM file and compares it with the "password" we entered. If the two match, authentication succeeds.


The SAM file holds the credential information of every local user on the computer; it can be thought of as a database.

NTLM (NT LAN Manager) Hash

The NTLM hash is the core component of both the Net-NTLM authentication protocol and the local authentication process. It is 32 hexadecimal characters long (digits and letters).

Windows itself does not store the user's plaintext password. It runs the plaintext password through a one-way hash algorithm and stores the result in the SAM database.

When the user logs in, the plaintext password they enter is hashed into an NTLM hash in the same way and compared with the NTLM hash in the SAM database. The predecessor of the NTLM hash, the LM hash, is basically obsolete today, but it still exists.

How the NTLM hash is produced


admin = 209c6174da490caeb422f3fa5a7ae634

admin → hex (ASCII encoding) = 61646d696e

61646d696e → UTF-16LE (little-endian Unicode: a 0x00 byte after each character) = 610064006d0069006e00

610064006d0069006e00 → MD4 = 209c6174da490caeb422f3fa5a7ae634

Local authentication flow

Windows Logon Process (winlogon.exe) is the Windows NT user logon program; it manages user logon and logoff.

LSASS (Local Security Authority Subsystem Service) is the security mechanism of Microsoft Windows, responsible for local security and logon policy.


LM Hash

Convert all lowercase letters to uppercase:

123ABC // fewer than 7 characters

Convert the password to hexadecimal and pad it with 0x00 bytes to 14 bytes:

3132334142430000000000000000

Split the 14 bytes into two 7-byte blocks:

31323341424300 00000000000000

Convert each block to a bit stream; if it is shorter than 56 bits, pad with 0 on the left:

31323341424300 → (binary, 56 bits)

00110001001100100011001101000001010000100100001100000000

Divide the 56 bits into 8 groups of 7 bits and append a 0 bit to the end of each group, giving 8 bytes:

0011000 0 | 1001100 0 | 1000110 0 | 0110100 0 | 0001010 0 | 0001001 0 | 0000110 0 | 0000000 0

Since the second block is all zeros, its result needs no calculation: it is all zeros.

Convert each 8-byte group back to hexadecimal and use it as a DES key to encrypt the fixed string KGS!@#$% (0x4B47532140232425). Each of the two blocks yields 8 bytes of ciphertext, written in hexadecimal:

30988C6814120C00 → DES with key 30988C6814120C00 over KGS!@#$% = 48-D7-EB-91-2F-5E-69-7C

Because our password is no longer than 7 bytes, the second half is the fixed value:

AA-D3-B4-35-B5-14-04-EE

Concatenate the two DES outputs. This is the LM hash:

48-D7-EB-91-2F-5E-69-7C-AA-D3-B4-35-B5-14-04-EE
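As an added example, not from the original post, here are the preprocessing steps above (upper-casing, padding, splitting, and expanding each 7-byte half into an 8-byte DES key) in Python, followed by two checks a defender can apply to a dumped LM hash using the fixed second-half value shown above. The DES encryption of KGS!@#$% itself is deliberately not implemented, so the block runs on the standard library alone; all function names are my own.

```python
# The DES output for an all-zero 7-byte half (an empty half), as shown in the post.
LM_EMPTY_HALF = "aad3b435b51404ee"


def lm_halves(password: str) -> tuple:
    """Upper-case, truncate to 14 bytes, NUL-pad, split into two 7-byte halves.

    Real LM uses the OEM code page; ASCII is enough to show the structure.
    """
    padded = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Turn 56 bits into eight 7-bit groups, each followed by a 0 bit: the 8-byte DES key."""
    if len(half) != 7:
        raise ValueError("an LM half must be exactly 7 bytes")
    bits = "".join(f"{b:08b}" for b in half)          # 56-bit stream, each byte zero-padded
    return bytes(int(bits[i:i + 7] + "0", 2) for i in range(0, 56, 7))


def lm_des_keys(password: str) -> tuple:
    """Both DES keys as hex; each would then encrypt the constant KGS!@#$%."""
    left, right = lm_halves(password)
    return des_key_from_half(left).hex(), des_key_from_half(right).hex()


def lm_hash_findings(lm_hex: str) -> list:
    """Audit checks on a dumped LM hash (32 hex chars, dashes allowed)."""
    lm_hex = lm_hex.replace("-", "").lower()
    if len(lm_hex) != 32:
        raise ValueError("an LM hash is 32 hex characters")
    if lm_hex == LM_EMPTY_HALF * 2:
        return ["LM storage disabled or empty password (both halves empty)"]
    if lm_hex.endswith(LM_EMPTY_HALF):
        return ["password is at most 7 characters (second half empty)"]
    return ["LM hash present: password is 8-14 characters and still stored in the obsolete LM form"]


if __name__ == "__main__":
    print(lm_halves("123abc"))
    print(lm_des_keys("123abc"))
    print(lm_hash_findings("48-D7-EB-91-2F-5E-69-7C-AA-D3-B4-35-B5-14-04-EE"))
```

The two halves are hashed independently with no salt, which is why the second half leaks the password length class and why each half can be attacked on its own; on a modern domain the NoLMHash policy should leave every account with the all-empty value the first check recognises.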

Windows Network Authentication

During intranet penetration testing, the workgroup environment is often encountered. A workgroup is a logical network grouping: the machines in it cannot establish a full trust relationship with one another and can only authenticate point-to-point. It is a relatively primitive authentication model with no trusted authority.

Suppose hosts A and B belong to the same workgroup. If A wants to access information on host B, it must send B an account credential that exists on B; once authenticated, it can access B's resources.

The case we encounter most often is SMB file sharing. The default port of SMB is 445.

Early versions of the SMB protocol transmitted plaintext passwords over the network. Later the LAN Manager Challenge/Response mechanism (LM for short) appeared; it was so simple that it was easily cracked. Today there are NTLMv2 and Kerberos as well.

Challenge/Response

Step 1: Negotiation

In this step, the client confirms the protocol version with the server, i.e. whether v1 or v2 is used, among other parameters.


Step 2: Challenge. The full process:

The client sends a request containing the user information (username) to the server.

The server accepts the request and generates a 16-byte random number called the Challenge. It encrypts the Challenge with the NTLM hash corresponding to the login username, producing Challenge1, and at the same time sends the Challenge to the client. // Net-NTLM Hash = NTLM Hash(Challenge)

After the client receives the Challenge, it encrypts the Challenge with the NTLM hash of the account it wants to log in as, producing a Response, and sends the Response to the server.

Step 3: Verification

After the server receives the client's Response, it compares Challenge1 with the Response. If they are equal, authentication succeeds.


Another way to describe it:

After the Server receives the username sent by the Client, it checks whether a user named share_user exists in its local account list.

If not, it returns authentication failure;

If so, it generates a Challenge, looks up the NTLM hash of share_user locally, encrypts the Challenge with that NTLM hash to produce a Net-NTLM hash, keeps it in memory, and sends the Challenge to the Client.

After receiving the Challenge, the Client converts the share_user password it holds into an NTLM hash and encrypts the Challenge with that NTLM hash. The result is called the Response and takes the form of a Net-NTLM hash; finally the Client sends the Response to the Server.

The Server receives the Response from the Client and compares it with the Net-NTLM hash it computed earlier. If they are equal, authentication succeeds.

Note:

The Challenge is a 16-byte random number generated by the server and is different for every authentication.

The Response takes the form of a Net-NTLM hash: the result of encrypting the Challenge returned by the server with the hash of the password supplied by the client.

NTLM v2

The most significant differences between NTLMv1 and NTLMv2 are the Challenge and the encryption algorithm; what they have in common is that the raw material for the encryption is always the NTLM hash.

In detail, the differences are:

Challenge: NTLMv1 uses an 8-byte Challenge, NTLMv2 a 16-byte Challenge.

Net-NTLM hash: the main encryption algorithm of NTLMv1 is DES; the main algorithm of NTLMv2 is HMAC-MD5.

//Responder, smbexec

Pass The Hash

During intranet penetration testing, we often need to capture the administrator's password and NTLM hash. Collecting this information helps expand our results, especially in a domain environment.

What is Pass the Hash?

Pass the Hash is a technique that completes authentication without needing the account's plaintext password.

What problem does Pass the Hash solve?

It solves the situation where, during a penetration test, we cannot obtain a plaintext password and cannot crack the NTLM hash, but still want to expand our results.

Prerequisites

The host performing the authentication must be able to reach the server.

The username of the account being authenticated is needed.

The NTLM hash of that user is needed.

How it works

To complete an NTLM authentication, the first step is to send the username to the server being authenticated to, and then wait for the Challenge the server returns.

Pass the Hash simply encrypts the server's Challenge with the NTLM hash corresponding to the username to generate the Response and complete the authentication.

Pass the Hash completes an NTLM authentication without entering a password, so it is not a vulnerability but a technique.
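To make the challenge/response exchange and the Pass the Hash point concrete, here is an added example, not code from the original post, that implements the NTLMv2 variant (HMAC-MD5, as stated in the NTLM v2 section) with both the client and the server side in one script. The client function takes the NT hash rather than the password, which is exactly why the hash alone is enough. The NT hash is the one the post derives for "admin"; the user, domain, target-info and timestamp values are constructed for the example, and every function name is my own.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the original post). The NT hash is the one
# derived earlier for the password "admin"; user, domain and target info are made up.
ADMIN_NT_HASH = bytes.fromhex("209c6174da490caeb422f3fa5a7ae634")
USER, DOMAIN = "admin", "WORKGROUP"
# One AV_PAIR (NbDomainName = "WORKGROUP") followed by the MsvAvEOL terminator.
TARGET_INFO = b"\x02\x00\x12\x00" + "WORKGROUP".encode("utf-16-le") + b"\x00\x00\x00\x00"
TIMESTAMP = 0x01D58AB000000000          # constructed FILETIME value


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over upper-cased user + domain (UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side of step 2: build the NTLMv2 blob and the 16-byte proof over it.

    Nothing here needs the password: the NT hash is the only secret used.
    """
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_hash(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server side of step 3: recompute the proof from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_hash(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(client_nt_hash: bytes, stored_nt_hash: bytes = ADMIN_NT_HASH) -> bool:
    """One complete challenge/response round trip, both parties in memory."""
    server_challenge = os.urandom(8)      # step 2: fresh for every authentication
    client_challenge = os.urandom(8)      # NTLMv2 adds a client-side nonce as well
    response = client_response(client_nt_hash, USER, DOMAIN,
                               server_challenge, client_challenge, TIMESTAMP, TARGET_INFO)
    return server_verify(stored_nt_hash, USER, DOMAIN, server_challenge, response)


if __name__ == "__main__":
    print("correct hash ->", run_exchange(ADMIN_NT_HASH))
    print("wrong hash   ->", run_exchange(bytes(16)))
```

Two properties worth noticing on the server side: the same stored NT hash that verifies a password-holding client also verifies a client that only ever held the hash, so the server cannot distinguish the two; and a response is bound to one server challenge, so a captured response cannot simply be replayed against a new challenge. The first property is why hash theft must be treated as password theft; the second is why NTLM relay, not replay, is the concern in transit.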

Pass The Hash Tools:

Smbmap

CrackMapExec

Smbexec

Metasploit

Pass the Hash with CrackMapExec:

root@kali:~/cache# cme smb 192.168.3.5 -u administrator -H dab7de8feeb5ecac65faf9fdc6cac3a9 -x whoami
SMB         192.168.3.5     445    LIYINGZHEA30B    [*] Windows 7 Ultimate 7601 Service Pack 1 x64 (name:LIYINGZHEA30B) (domain:PAYLOADS) (signing:False) (SMBv1:True)
SMB         192.168.3.5     445    LIYINGZHEA30B    [+] PAYLOADS\administrator dab7de8feeb5ecac65faf9fdc6cac3a9 (Pwn3d!)
SMB         192.168.3.5     445    LIYINGZHEA30B    [+] Executed command

Kerberos Domain Authentication

The concept of Active Directory

Windows provides organized management of assets, services and network objects for enterprise administration, which fits the management model of an enterprise well. The Active Directory service is what carries these management mechanisms; to build a domain, you must install the Active Directory service.

Active Directory delimits a domain's boundary by its domain name; anything outside the domain is outside its management scope. In other words, each domain corresponds to one domain name, and domains can also trust each other.

Active Directory stores information about network objects and lets administrators and users find and use that information easily. It uses a structured data store as the basis for organizing directory information logically and hierarchically.

Network objects include: users, user groups, computers, domains, organizational units and security policies.

The concept of Active Directory

Server and client computer management: manages server and client computer accounts; all servers and client computers join the domain and receive group policy.

User services: manages domain user accounts, user information, the enterprise address book (integrated with the email system), user groups, user authentication, user authorization, etc., and applies group policies accordingly.

Resource management: manages network resources such as printers and file shares.

Desktop configuration: administrators can centrally configure desktop policies, such as domain usage restrictions, interface feature restrictions, application execution restrictions, network connection restrictions, security configuration restrictions, etc.

Application support: supports application systems such as finance, HR, email, enterprise information portal, office automation, patch management, antivirus, etc.

Within a domain, network objects can access each other, but in practice some departments need to be restricted; for example, the sales department must not be able to access the technical department's servers.

This is where the Kerberos authentication protocol is needed to verify permissions between network objects.

Domain authentication system: Kerberos

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using a key system. Its authentication does not rely on the host operating system's own authentication, does not require trust based on host addresses, does not require the physical security of every host on the network, and assumes that packets on the network can be read, modified and inserted at will. Under these conditions Kerberos, as a trusted third-party authentication service, provides authentication using conventional cryptography (for example, shared keys).

Roles involved in domain authentication

Kerberos' logo is a three-headed dog; the heads represent the following roles:

Client

Server

KDC (Key Distribution Center) = DC (Domain Controller)

Roles involved in domain authentication

AD (Account Database): stores the whitelist of all clients. Only clients present on the whitelist can successfully request a TGT.

Authentication Service (AS): issues TGTs to clients.

Ticket Granting Service (TGS): issues a ticket for a particular service to the client.

Physically, both AD and KDC reside on the domain controller (DC).

Rough domain authentication flow

The client sends a request to the Kerberos service, hoping to obtain permission to access the server. On receiving it, Kerberos first has to judge whether the client is trustworthy, i.e. check the whitelist and blacklist. This is the job of the AS, which distinguishes clients using the whitelist and blacklist stored in AD. On success, the AS returns a TGT to the client.

With the TGT in hand, the client again sends a request to Kerberos, hoping to obtain permission to access the server. Kerberos receives this message and, from the TGT in the client's message, determines that the client has this permission and gives the client a ticket for accessing the server.

With the ticket, the client can finally access the server. The ticket is valid only for this server; for other servers the client must apply to the TGS again.

Step 1: Session Key and Ticket Granting Ticket

Step 2: Session Key and Ticket Granting Ticket

Step 3: Server Session Key and Ticket

Silver Tickets

Features of silver tickets:

No interaction with the KDC is required

Requires the NTLM hash of the target service

Composition of the Ticket in the third step of authentication:

Ticket = ServerHash(Server Session Key + Client info + End Time), i.e. the ticket contents are encrypted with the target server's hash

Once we hold the Server Hash, we can forge a Ticket that the KDC never issued.

PS: before the Ticket is sent, the server does not know what the Server Session Key is; therefore all of the ticket's credibility derives from the Server Hash.

Forging a silver ticket

First, the Server Hash must be exported:

C:\files\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > log.txt

Forge the ticket:

mimikatz "kerberos::golden /domain:<domain name> /sid:<domain SID> /target:<target server hostname> /service:<service type> /rc4:<NTLM hash> /user:<username> /ptt" exit

Other:

kerberos::list # list tickets

kerberos::purge # clear tickets

Because a silver ticket requires the target server's hash, it cannot be generated for every server in the domain, and such tickets cannot be requested through a TGT either. Therefore you can only forge tickets for specific services on that server. The forgeable service types are listed below:

Service                                      Service name
WMI                                          HOST, RPCSS
PowerShell Remoting                          HOST, HTTP
WinRM                                        HOST, HTTP
Scheduled Tasks                              HOST
LDAP, DCSync                                 LDAP
Windows File Share (CIFS)                    CIFS
Windows Remote Server Administration Tools   RPCSS, LDAP, CIFS

Silver Ticket defenses

Try to ensure that server credentials are not stolen.

Enable PAC (Privileged Attribute Certificate) validation. With PAC validation, the server sends the ticket to the Kerberos service (KDC), which verifies whether the ticket is valid.

How to enable:

Set ValidateKdcPacSignature under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to 1

Golden Tickets

Features of golden tickets:

Requires communication with the DC

Requires the hash of the krbtgt user

PS: the krbtgt hash here is the KDC Hash mentioned earlier.

Golden Tickets - MSF kiwi

Use the kiwi module in meterpreter: load kiwi

Golden Tickets - forging

Forge the ticket:

mimikatz "kerberos::golden /domain:<domain name> /sid:<domain SID> /rc4:<krbtgt NTLM hash> /user:<arbitrary username> /ptt" exit

Summary of tickets

Golden tickets: from the attack-surface perspective, once the krbtgt user's hash is obtained, an attacker can persist covertly in the domain without the logs tracing it back, but obtaining it requires DC privileges. With a golden ticket the entire domain can be controlled for a long time.

From the defense perspective, the krbtgt password needs to be changed regularly so that existing tickets become invalid.
