Tag Archives: Mimikatz

Oh dear! Oh dear! I shall be too late! – The White Rabbit

29 October 2017

WannaCry, NotPetya, and now: Bad Rabbit. The good news is that Bad Rabbit isn’t spreading as fast as WannaCry and NotPetya. According to a DARKReading report from October 25th the outbreak appears to die down already.

The bad news is, that it happened again. Like the White Rabbit in Alice’s Adventure in Wonderland, IT departments seem to mutter only “Oh dear! Oh dear! I shall be too late!”, instead of increasing the security baseline of their company networks.

Bad Rabbit uses similar techniques as WannaCry and NotPetya for spreading in the networks:

Open SMB shares, Mimikatz alike ways to dump credentials from the affected systems, a hardcoded list of credentials, … For more technical details see this post from Malwarebytes Labs.

The methods to avoid this are well-known and easy and cheap to implement:

  • Run a user awareness campaign.
  • Reduce the number of users and administrators working with permanent administrative privileges to zero. This is a leadership task!
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows systems and networks.
  • Limit the functionality of technical users to local systems and the lowest possible privileges. Use individual passwords, eliminate default passwords.
  • Review all firewall rules. Question every required connection. Limit the use of the SMB protocol as far as possible. Eliminate the use of unsecured protocols as far as possible. Patch the systems at the endpoints of firewall rules.

The above list is not exhaustive, but if implemented, the attacker’s ability to explore the network is clearly reduced.

It appears to me, that everyone is waiting for Windows 10 to solve some of the issues. This however is the wrong approach. Windows 10 cannot be introduced with a big bang. In particular in the production, lab, and building automation domain, it will take a few years until we can shutdown Windows XP/7 completely. And during this years, our networks are at risk.

With this, there is no time to lose. The White Rabbits returns.

Have a great week.

Advertisements

Why is the industry such vulnerable against WannaCry and NotPetya style attacks? Part II.

16 July 2017

In part one of this post I discussed the impact of the aging IT infrastructure on the industry’s vulnerability against WannaCry and NotPetya style attacks. Part II deals with the OS basics.

Built-in features of the Windows operating system

Windows is the hacker’s paradise. Not because of the endless stream of vulnerabilities. I my opinion, Microsoft does a good job in managing this.

But because Windows is designed to support the efficient administration of networks with thousands of windows workstations, servers, users and applications.

The authorization subsystem (Active Directory) allows the assignment of fine grained permissions to users and groups to whatever resources, and the authorization check before access to resources in near real-time. It is highly scalable to support a single office LAN as well as a segmented global network.

Built-in utilities like Admin Shares, WMI (Windows Management Instrumentation), netsh, ipconfig, and the net command enable administrators to query and to change workstation, server and user settings across the network and to support efficient software distribution and troubleshooting. Windows Server Update Service (WSUS) supports the administrators in keeping the known vulnerabilities patched.

Everything is of course scriptable with the Windows Command Shell, Powershell and VBScript. All utilities can be leveraged up to a certain extent by every user and fully by administrators.

And of course, also by malware or cyber-criminals. Once a cyber-criminal managed to get on your network with e.g. a RAT (Remote Access Toolkit), he can walk across your network and do his malicious work with just the built-in tools. A download of utilities from a C&C (command and Control) server is not necessary. With this, the cyber-criminal is nearly invisible and he will stay nearly invisible for a long time if he makes no errors.

The Principle of least privilege is implemented in Windows at all levels of the OS stack. This is ensured by the Secure Development Lifecycle (SDL), which is the mandatory Microsoft development policy since 2004. Thus, under normal conditions, the Windows built-in security features would limit the impact of a malware.

Unfortunately, software failures cannot be avoided by the SDL because they are systemic errors – we build them during development right into the software. Once a process state triggers such a systemic error and someone finds a method to reproduce the error condition, the error becomes a vulnerability, e.g. MS017-10. This is no problem unless an exploit is published which allows a cyber-criminal to leverage the vulnerability for e.g. privilege escalation. With this, he gets full access to all the built-in tools and to all processes, including the authorization subsystem.

But even if exploiting a vulnerability leads not to a privilege escalation only some patience is needed. Just probe the network until a user is found who works with permanent administrative privileges. If such a session is hijacked, a cyber-criminal gets full access to all tools and the authorization subsystem on the computer.

With administrative privileges the attacker or malware can dump the authorization subsystem on the computer and extract either the password hashes or the clear text passwords. The example below shows an extract created by MIMIKATZ on a Windows 7 Enterprise Editon Workstation.

C:\Program Files (x86)\mimikatz\x64>mimikatz
.#####.   mimikatz 2.1.1 (x64) built on Jun 18 2017 18:46:28
.## ^ ##.  "A La Vie, A L'Amour"
## / \ ##  /* * *
## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
'#####'                                     with 21 modules * * */
....

Authentication Id : 0 ; 315690 (00000000:0004d12a)
Session           : Interactive from 1
User Name         : kjochem
Domain            : WIN-2OLSA000OLM
Logon Server      : WIN-2OLSA000OLM
Logon Time        : 16.07.2017 21:31:24
SID               : S-1-5-21-3248755352-2707638487-1840279341-1000
msv :
[00000003] Primary
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* NTLM     : dd94b116548a739e24ad775193c2d13b <--- Password hash
    ….. 
wdigest :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : #Not very12strange! <--- Clear text password
kerberos :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : (null)
ssp :
credman :

The extracted passwords can be used for direct login to further systems, the password hashes in Pass-the-Hash attacks on further nodes. In any case the chance of detection is low since the attacker behaves like a normal user.

This is the way NotPetya works and other malware worked in the past and will work in future.

Windows is highly optimized to allow cost effective operation of networks of thousands of computers. This leads automatically to misconfigurations, e.g. through domain based technical accounts with high privileges on all workstations and servers. In combination with users working with permanent administrative privileges the cyber criminal’s life is simplified.

What are mitigating measures?

The selection below makes no claim to be complete.

Migration to Windows 10.

Drop all old-style transportation and authentication protocols during this process. Migration to Windows 10 is the first choice because baseline security in Windows 10 is higher than in Windows 7. For example, the issue with the plain text passwords in the authorization subsystem is gone. But this is not helpful in industry because we must deal for at least 5 to 10 years with Windows 7 or Windows 2008 server and old-style protocols.

Short and mid-term mitigation measures.

  • Reduce the number of users working with permanent administrative rights to zero. This is a leadership task!
  • Implement priority patching of critical systems, especially for those on the perimeter to the production networks.
  • Review all firewall rules. Focus on required connections, limit the use of the SMB protocol as far as possible.
  • Review all technical users. Limit their functionality to the local systems and lowest possible privileges, if possible.
  • Roll out a security incident detection tool (SIEM) to all clients and servers. For example, dumping of processes in memory of a workstation or server is a clear indicator for a hacking attempt. Immediate action upon such events is required.
  • Implement privileged account and session management, in the best case with one-time passwords which are changed after the session ends.
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows networks. For details please see https://www.microsoft.com/en-us/download/details.aspx?id=36036.

Long-term measures.

  • Microsoft should build a production friendly Windows with limited functionality. This Windows should have a much smaller attack surface than the standard multi-purpose Windows systems of today.
  • The dependency on the SMB protocol for exchange of data between the office and the production networks should be reduced, in the best case to zero.

Have a great week!

netsh – The Cyber Attacker’s Tool of Choice

3 February 2016

For IT pros the Windows built-in command netsh is one of the tools of choice for troubleshooting network issues.

For a cyber attacker netsh is the tool of choice once he managed to get access to the company network. ‘netsh trace’ may be used to record every key stroke a user sends e.g. to the login dialog of web application or a banking application in plain text.

Using netsh trace is disturbingly easy:

[1] Start the recording session for programs connecting to internet services

netsh trace start scenario=InternetClient capture=yes tracefile=NetTrace-ICP.etl level=4

[2] Wait for the user to connect to a service …

[3] Stop the recording session

netsh trace stop

[4] Convert the trace file into readable format

netsh trace convert input=NetTrace-ICP.etl output=NetTrace-ICP.etl.xml dump=XML

[5] Open the file with notepad and search for the user name donot.like@get.phished:

<EventData>
<Data Name="RequestHandle">0xCC000C</Data>
<Data Name="Length">502</Data>
<Data Name="Headers">loginfmt=donot.like%40get.phished&amp;passwd=-Plain-Text-Here-&amp;login=donot.like%40get.phished&amp;……</Data>
</EventData>

Thus netsh trace can replace key loggers or tools like Mimikatz or Lazagne. Since the attacker must not reload utilities from the C&C server the likelihood of detection decreases.

Fortunately the attacker must run netsh trace in administrative context, but since many users always work in admin context this is not a real hurdle.

Apart from cyber attacks users should be concerned about privacy issues. If a support technician starts netsh in a remote troubleshooting session the likelihood is high that he may see your password or PIN. To prevent trouble users should always change their passwords after netsh was used to solve network issues.

Take care!

IT security projects fail because people are not affected personally

 4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are used to run services on workstations as well.

From a security point of view this is a nightmare. Once an attacker got the login data of one of the service accounts, he can move across the network and collect credentials. The game is over when he gets access to a workstation where a user signs in with domain administrator credentials.

Executing the service as a local defined account with individual passwords would be a good choice to tackle this problem but, from an operations point of view this is the nightmare because the administrative effort will go straight through the roof.

This clash of interests is a really big challenge for the change manager. ADKAR is a often used model to guide activities during a change processes. But how could a change manager create Awareness in this case? Just telling the system operators to do things differently will not help. You must touch people’s minds with good stories and pictures.

Seeing is believing’ is my recipe: Find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

Mimikatz Output

MIMIKATZ Output

The MIMIKATZ output contains the passwords for the service accounts and, if applicable, for the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as eye-opener in the next awareness session.

In my experience this  creates the necessary emotional involvement which is required for the next steps in the change process.

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.