Take care of your passwords

Passwords Everywhere
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |
[email protected] | www.sevecek.com |
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Take care of your passwords
 People use the same passwords for different services
• AD network, mobile phone, credit card PIN, Facebook, e-shops, free-mail, …
 People type their passwords on unknown computers
 Passwords travel over the network unencrypted
 Somebody else is the administrator of your computer
 Computers often store passwords in full form
 Hardware keyloggers
 Easy soldier
Different service = different password?
 Do you think the databases of Facebook, Google+, Gmail, Microsoft, Alza, Seznam, … are encrypted?
• nonsense
 What do you think the (often outsourced) administrators of those services do when bored?
• browse your e-mail, or your Facebook?
 What do you think is the first thing a virus does after infection?
• list all user accounts
• touch everything in your network with your current password
User Account Control (UAC)
 Limits the effect of Administrators group membership on the local machine only
 Does nothing over the network
 Matters only for an ordinary user (BFU) on a single machine
 Does not protect administrative accounts: a local admin elevates at will, and the built-in Administrator account is not filtered at all by default
Windows authentication seems secure
 Kerberos, Kerberos, Kerberos, sometimes NTLM
 Encrypted network transport
• AES, mutual authentication, rekeying, etc.
Passwords are in memory
 [Diagram: the plaintext password typed at the Ctrl-Alt-Del logon prompt ends up in the client's LSASS and in every application that authenticates with it: IS client, Internet Explorer, Outlook, Lync]
Passwords are in LSASS memory
 [Diagram: the plaintext password stays in the local LSASS; Kerberos and NTLM carry only tickets and challenge-responses to the server, so the server-side LSASS never sees the password itself]
Who can steal passwords from LSASS
 Local Administrators
• the Debug privilege (SeDebugPrivilege) is all that is needed to open LSASS memory, and Administrators hold it by default
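The check a practitioner wants after that slide is "who on this box can actually open LSASS". The script below is an added example, not part of the original talk: it parses the SeDebugPrivilege assignment out of a secedit export, lists the local Administrators (who can grant themselves the privilege anyway), and reads the RunAsPPL value that turns on LSA protection. It assumes an elevated PowerShell; Get-LocalGroupMember needs Windows 10 / Server 2016 or later and RunAsPPL exists from Windows 8.1 / Server 2012 R2.

```powershell
# Added example (not from the slides): who can open LSASS on this host?
# Run from an elevated PowerShell.

# 1) SeDebugPrivilege holders: export the User Rights section of the local policy and parse it.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=\s*(.+)$' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # The value looks like "*S-1-5-32-544,*S-1-5-21-...-1105": strip the '*' and resolve each SID.
    $holders = $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # an unresolvable SID (deleted account) is still a finding
    }
}
"SeDebugPrivilege: $($holders -join ', ')"     # default is BUILTIN\Administrators only

# 2) Local Administrators: every member can take the privilege anyway, so this
#    list is the real answer to "who can read LSASS".
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3) LSA protection: with RunAsPPL set, LSASS runs as a protected process and
#    SeDebugPrivilege alone no longer opens it from user mode (a kernel driver is needed).
$ppl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"LSA protection (RunAsPPL): " + $(if ($ppl -ge 1) { "enabled ($ppl)" } else { 'not enabled' })
```

Anything besides BUILTIN\Administrators in the first line, or an unexpected member in the second, is a finding; turning RunAsPPL on raises the bar but does not change who is an administrator.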
Basic authentication
 HTTP Basic authentication
• used very often, even on intranets
• mostly ordinary user (BFU) accounts
 LDAP simple bind
• used very often by third-party NAS, VPN, VoIP, gateways, routers, VMware consoles, etc.
• often administrative accounts
 RDP
• used extremely often
• extremely often with administrative accounts
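Before disabling these protocols you need to know who is still using them. The following is an added example, not code from the talk: part 1 runs on a domain controller (as a domain admin) and raises the NTDS "16 LDAP Interface Events" diagnostic level so that the DC logs event 2889 for every simple bind over a cleartext connection (and every unsigned SASL bind), then summarises the offenders; part 2 runs on an IIS server with the WebAdministration module and lists sites with Basic authentication enabled. The order of the three event parameters (client address, identity, binding type) follows the event's message template; nothing is disabled by the script.

```powershell
# Added example (not from the slides): find the clear-text logon paths the slide lists.
# Part 1 on a domain controller (domain admin), part 2 on an IIS server.

# 1) LDAP simple binds. At level 2 the DC logs event 2889 (Directory Service log) for each
#    simple bind over cleartext or SASL bind without signing; event 2887 is a daily summary.
$ntdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2   # leave on for a day or two

$binds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event parameters, in order: client IP:port, identity used for the bind, binding type
        [pscustomobject]@{
            Client  = $_.Properties[0].Value -replace ':\d+$', ''          # drop the ephemeral port
            Account = $_.Properties[1].Value
            Bind    = $(if ("$($_.Properties[2].Value)" -eq '1') { 'simple (cleartext)' } else { 'SASL unsigned' })
        }
    }
$binds | Group-Object Client, Account, Bind | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client / Account / Bind'; e = { $_.Name } } | Format-Table -AutoSize

# 2) HTTP Basic in IIS: the password rides base64-encoded in every request, so it is
#    plaintext to anyone on the path unless the site is reachable over HTTPS only.
Import-Module WebAdministration
Get-ChildItem IIS:\Sites | ForEach-Object {
    $site  = $_.Name
    $basic = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
                 -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
    $http  = @($_.Bindings.Collection | Where-Object { $_.protocol -eq 'http' }).Count
    [pscustomobject]@{ Site = $site; BasicAuth = [bool]$basic.Value; HttpBindings = $http }
} | Where-Object { $_.BasicAuth } | Format-Table -AutoSize
```

Once the LDAP clients have been moved to LDAPS or signed SASL binds, the GPO "Domain controller: LDAP server signing requirements" set to "Require signing" makes the DC reject the remaining cleartext simple binds; for IIS the same Set-WebConfigurationProperty call with -Value $false turns Basic off per site.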
Passwords are in LSASS memory
 [Diagram: with VPN, MSTSC (RDP) and other plain-text logons the password itself travels to the server, so it is held in the server's LSASS as well as in the local one]
Passwords are stored in full (recoverable) form
 IIS application pools
 Services
 Scheduled tasks
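The three places on the slide can be inventoried from one elevated prompt. This is an added example, not the author's tooling: it lists services running as a real user account (their password sits in the LSA secrets, readable by any local administrator), scheduled tasks registered with a stored password, and IIS application pools with a SpecificUser identity (password kept in applicationHost.config under a machine-local key). It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and the WebAdministration module for the IIS part.

```powershell
# Added example (not from the slides): where does this host keep a password in recoverable form?
# Run elevated.
$builtin  = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$findings = @()

# Services: a real user account as StartName means the password is in the LSA secrets (_SC_<name>).
$findings += @(Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtin -notcontains $_.StartName) -and   # built-in identities have no stored password
        ($_.StartName -notlike 'NT SERVICE\*')      # virtual service accounts have none either
    } |
    ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName } })

# Scheduled tasks: LogonType Password / InteractiveOrPassword means a password was stored at
# registration time; S4U and ServiceAccount tasks run without one.
$findings += @(Get-ScheduledTask |
    Where-Object { $_.Principal.LogonType -in 'Password', 'InteractiveOrPassword' } |
    ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId } })

# IIS application pools: identityType SpecificUser stores the password in applicationHost.config,
# encrypted with a key any local administrator on the box can use.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $findings += @(Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'AppPool'; Name = $_.Name; Account = $_.processModel.userName } })
}

# Accounts ending in '$' are (group) managed service accounts whose password AD rotates;
# everything else is a password that a local admin on this machine can read back.
$findings | Where-Object { $_.Account -notlike '*$' } | Sort-Object Kind, Name | Format-Table -AutoSize
```

Every row is an account whose password is exposed to whoever administers that host, which is exactly why those accounts must not be domain admins and must not share a password with anything else.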
After an attack, change your password!
 Really?
 An attacker who has been administrator can leave a password filter DLL on the DC or on the local SAM database, and it receives every new password in plaintext
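So the first thing to verify after an incident is what LSA loads at boot. The script below is an added example, not from the talk: it reads the "Notification Packages" (password filters, which see every password change in plaintext) and "Security Packages" (authentication packages, which see every logon) values under the Lsa key and reports the signature status and SHA-256 of each DLL. On Windows 7 / 2008 R2 Get-AuthenticodeSignature does not consult catalog signatures, so Microsoft's own DLLs may show NotSigned there; compare the hashes with a known-clean host instead.

```powershell
# Added example (not from the slides): inspect the DLLs LSA loads at boot.
# Run elevated on every DC, and on any member where an administrator account was exposed.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$report = foreach ($valueName in 'Notification Packages', 'Security Packages') {
    foreach ($pkg in @($lsa.$valueName)) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }   # the value may be empty or hold ""
        $dll    = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $pkg)
        $exists = Test-Path -LiteralPath $dll
        $sig = $null; $hash = ''
        if ($exists) {
            $sig  = Get-AuthenticodeSignature -FilePath $dll
            $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Value   = $valueName
            Package = $pkg
            Exists  = $exists
            Status  = $(if ($sig) { $sig.Status } else { 'missing' })
            Signer  = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            SHA256  = $hash
        }
    }
}
$report | Format-Table -AutoSize
```

On a default installation "Notification Packages" holds scecli (the standard Microsoft package); an extra entry, an unsigned DLL, or a hash that differs from a clean build of the same OS is what you are looking for, and a filter found there means every password changed since it was planted is compromised.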
Good password
 Long: at least 12 characters
 All four character types (a-z, A-Z, 0-9, #$%^…)
• 80% of passwords are alphanumeric only
 Never reuse the same password for critical services
• and it does not need changing very often
Password lockout?
 Do not exaggerate
• 6-character complex password
• lockout after 75 failed attempts
• lockout duration 1 minute
• = about 3,300 years to guess online on average
Cracking from local/AD hashes (non-cache)
 MD4 hashes (the NT hash is the unsalted MD4 of the UTF-16LE password)
• brute-force, 8 characters complex
 1 CPU = 25 years
 10 GPUs = 15 days
• rainbow table, 8 characters complex
 = minutes
 = 120 GB
 Every additional character makes it about 80x harder
 A 12-character complex password is unbreakable
• at least for non-NSA mortals
Cracking from a network trace or the password cache
 No use for rainbow tables
• the MD4 hash is salted there: NTLM responses with the server challenge, cached domain credentials (MSCache2) with the user name via PBKDF2
 Only brute-force is possible
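The two slides above use one model: keyspace = alphabet^length, on average half of it is searched, and the guess rate is either the lockout policy (online) or the cracking hardware (offline). The following is an added example, not the author's calculation: it reproduces the slide's 3,300 years from the lockout figures, backs the CPU and GPU rates out of the "8 characters, 25 years / 15 days" numbers, and applies them to other lengths. The 80-symbol alphabet is the slide's figure, and the year is 365 days.

```powershell
# Added example (not from the slides): the cracking-time model behind the lockout and
# brute-force estimates, as reusable functions.
function Get-ExpectedCrackTime {
    param(
        [Parameter(Mandatory)] [int]    $Length,
        [Parameter(Mandatory)] [double] $GuessesPerSecond,
        [double] $AlphabetSize = 80         # slide's figure for a "complex" password
    )
    $keyspace = [math]::Pow($AlphabetSize, $Length)
    $seconds  = ($keyspace / 2) / $GuessesPerSecond      # on average half the keyspace is tried
    [pscustomobject]@{
        Length = $Length
        Rate   = ('{0:N0} guesses/s' -f $GuessesPerSecond)
        Years  = [math]::Round($seconds / 31536000, 1)
    }
}

# Online guessing is throttled by the lockout policy: Threshold attempts, then nothing
# until the lockout window expires.
function Get-LockoutGuessRate {
    param([int] $LockoutThreshold, [double] $LockoutDurationMinutes)
    $LockoutThreshold / ($LockoutDurationMinutes * 60)
}

# Back the offline rate out of a known "length -> time to crack" figure so it can be
# reused for other lengths (same alphabet, same half-keyspace assumption).
function Get-RateFromCrackTime {
    param([int] $Length, [double] $Seconds, [double] $AlphabetSize = 80)
    ([math]::Pow($AlphabetSize, $Length) / 2) / $Seconds
}
$cpuRate = Get-RateFromCrackTime -Length 8 -Seconds (25 * 31536000)   # 1 CPU, 25 years
$gpuRate = Get-RateFromCrackTime -Length 8 -Seconds (15 * 86400)      # 10 GPUs, 15 days

# Slide: 6 characters, 75 attempts per 1-minute lockout -> about 3,300 years
Get-ExpectedCrackTime -Length 6 -GuessesPerSecond (Get-LockoutGuessRate -LockoutThreshold 75 -LockoutDurationMinutes 1)

# Offline against the NT hash: the same 6 characters fall in minutes, 12 characters do not
foreach ($len in 6, 8, 10, 12) {
    Get-ExpectedCrackTime -Length $len -GuessesPerSecond $gpuRate
}
# Alphanumeric-only passwords (the 80% case from the slide) shrink the alphabet to 62
Get-ExpectedCrackTime -Length 8 -GuessesPerSecond $gpuRate -AlphabetSize 62
```

To plug in your own domain's numbers, feed LockoutThreshold and LockoutDuration.TotalMinutes from Get-ADDefaultDomainPasswordPolicy into Get-LockoutGuessRate; the point of the slide is that with a 12-character policy the lockout threshold can stay lenient without making online guessing feasible, while the threshold does nothing at all against offline cracking of a stolen hash.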
What to remember
 Never type a password on an unknown computer
 Connecting to a remote machine with RDP sends your password there (unless you use Restricted Admin mode, mstsc /restrictedAdmin, or Remote Credential Guard, which keep it on your side)
 Disable all HTTP Basic and LDAP simple bind authentication
 Use smart cards instead
Where to read more
http://www.sevecek.com/Lists/Categories/Category.aspx?CategoryId=17&Name=(Anti)hacking
http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145
GOODBYE
see you at courses at the GOPAS, a.s. computer school
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC175 - Administering Security