🏺 Credentials

This article is about credentials, the keys to the realm.

🗝️ Clear Text Creds

Clear text creds are usually stored in memory. This memory usually belongs to some processes. For example, lsass, tspkg, wdigest`.

🏺 TsPkg and Wdigest

❗️ TsPkg and WDigest can be decrypted to retrieve plaintext passwords.

TsPkg (Terminal Services Package): TsPkg is a security package used in Microsoft Windows operating systems. It is part of the authentication process for Remote Desktop Services (formerly known as Terminal Services). TsPkg is responsible for negotiating and exchanging credentials between the client and the server during the remote desktop session initiation.

Wdigest: Wdigest is a Windows security package that handles storing and retrieving user credentials (such as usernames and passwords) for Windows authentication. It was primarily used in older versions of Windows, including Windows 7 and earlier. Wdigest stored user passwords in a less secure format than newer authentication protocols. As a result, it became a target for potential security vulnerabilities, leading to its deprecation in later versions of Windows. WDigest.dll was introduced in the Windows XP operating system The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges, as documented in RFCs 2617 and 2831.”

To prevent WDigest credentials from being stored in memory, a Group Policy setting can be applied to the UseLogonCredential registry entry under the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

1. If the UseLogonCredential value is set to 0, WDigest will not store credentials in memory.
2. If the UseLogonCredential value is set to 1, WDigest will store credentials in memory.

🗝️ Tokens

With tokens, one can pretend to be someone else. This is how SSO works. These tokens have some attributes assigned to them. Some attributes, like SeImpersonate, let one process access the context or tokens of another process.

Each logon and process in the system has a token. This token determines what privileges this fellow has. This token consists of:

• User SID
• Group SID
• Integrity level (mandatory label). Vista+/WinServer 2008+. This label determines the process’s privileges based on the assigned accesses and groups.
• Logon session SID
• Token type (primary or impersonation)
• Impersonation level
• User privileges list
• Other

Checks:

• What is your mandatory label❓
  • Compare this label to the object’s label.
• Take User and Group SIDs of the process and ACL of the object in question.

📚 docs

SeDebugPrivilege - allows one process to access the memory space of another process (for example, RAM dumpers need that privilege). SeDelegateSessionUserImpersonatePrivilege - pretend to be others on the same system. Often used legitimately when a service acts from the user’s behalf.

🗝️ LM and NT Hashes

LM (⛔️ deprecated)

LM hashes were used a long time ago and were very weak. They used DES and the following algorithm to secure a password.

# Step 0. The length is at most 14 characters long
password = password[0:14] 

# Step 1. Convert all characters to uppercase
password = upper(password) 
pwd_len = len(all_caps)

hash = list(all_caps)

# Step 2. pad with 0s if the length is less than 14
for i in range(14-pwd_len): hash.append('0') 

# Step 3. Split the password into two strings, each consisting of seven characters, and encrypt both parts individually.
first_part = encrypt_des(hash[0:7]) 
second_part = encrypt_des(hash[7:len(all_caps)])

# Step 4. Return a concatenated string.
return first_part + second_part

The root cause of the vulnerability in the LM hash is the practice of padding the password with a known value (0s) and encrypting the two parts separately. This vulnerability becomes evident when the password length is equal to or less than 7 characters. In such cases, the second part of the string will always be the same value: AAD3B435B51404EE. As a result, passwords with a length of 7 characters or less are easier to crack due to this predictable pattern. One would need a rainbow table to do that.

NTLM

DES + MD4 until SP3

NTLMv2

MD5 [username][sids][LM][NTLM]

❗️LM hash is not generated if the password length is less than 15. ❗️Passwords are not salted.

❗️It is advisable not to utilize CredSSP on machines running an operating system older than Windows 8 when using batch scripts, as CredSSP caches credentials on remote systems. Additionally, CredSSP sends credentials over the network, making it vulnerable to Man-in-the-Middle (MiM) attacks.

Each process, file or any other object has a set of requirements. For some process to get access, it needs to fulfil these requirements. At the same time, these processes have passports or tickets 🎫 which they can use to get something or somewhere. Requirements are called security descriptors; these “passports” are called access tokens. More information about both can be found here and here.

Access tokens can have the following information (not limited):

• (SID) for the user’s account or/and a group and their privileges
• ID for current logon session - logon SID
• Owner SID
• The source of the access token
• Primary or impersonalisation token?
• Integrity level

Security Descriptors also have a set of fields in it:

• Integrity level
• SID of the owner or group
• DACL (list of users allowed and what they can do)
• SACL (list of access attempts that will generate alerts ⚠️)

🗝️ Tickets

Kerberos tickets are valid for 10 hours and stored in RAM. For more info on Kerberos and its abuse, see the article in attacks -> protocols section.

🛠️ Mimikatz, 🛠️ WCE, 🛠️ kerberoast

📕 RTFM

mimikatz > privilege::debug
mimikatz > kerberos::ptt [ticket]
mimikatz > exit
klist # see the cache

⚔️ Attacks

❗️Hashes are only present in RAM if the user is logged in interactively and is still logged in.

1. Get the creds 🛠️ fgdump, c AceHash, 🛠️ PWDumpX, 🛠️ creddump,🛠️ WCE
   1. Get from LSASS 🛠️ Mimikatz or WCE (Windows Credential Editor).
   2. Dump LSASS for the offline attack.
   3. Get from SAM hive in RAM or on disk 🛠️ gsecdump ❓ gsecdump.exe -a > file.txt
   4. Get from the cache with 🛠️ creddump. One can get hashes, cached creds and LSA secrets from the hive.
      1. 📕 pwdump.py SYSTEM SAM true -> local NT hashes.
      2. 📕 cachedump.py SYSTEM SECURITY true -> Cached hashes.
   5. Get LSA secrets from
2. Crack the hash with the tools like 🛠️ hashcat or 🛠️ John-the-Ripper. LM hashes are very weak (see LM hash section). Both 🛠️ John the ripper and 🛠️ hashcat can crack hashes extracted from the cache, but the password needs to be very, very easy or in the wordlist. Otherwise - inefficient.
3. Pass-the-hash. Use the hash in its original form. 🛠️ Metasploit PsExec, 🛠️ WCE, 🛠️ SMBshell. Limited to NTLM challenge-response protocol. Typically, use the SMB protocol to map file shares and perform PsExec-style remote execution or WMI. 📕 sekurlsa::pth /user:someuser /domain:domaincontrollername /ntlm:hashstolen /run:".\psexec.exe -accepteula \\IP cmd.exe".
4. Escalate.
   1. Attribute change. With admin or SYSTEM privileges, one can add SeImpersonate attribute to a token to steal the tokens of another process and use them to access resources they could not access otherwise 🛠️ Incognito, 🛠️ Metasploit, 🛠️ PowerShell, 🛠️ Mimikatz
   2. RID Hijacking. The system identifies users by their RIDs (the last portion of SID), not by username. What happens if we have manually changed the RID of the guest user? If we set it to 500, the system would treat him as the default admin with all the corresponding rights.
5. Reset Password. There is also a technique that allows resetting local account passwords by clearing lmpw_len (LM password hash length) and ntpw_len (NTLM password hash length) at 0x2c and 0x30, respectively [8].

📕 RTFM

# Changing TOKENS' attributes
mimikatz > privlege::debug # attacker being authenticated as a local admin adds debug attribute to his token
token::whoami
token::elevate /domainadmin # mimikatz tool looks for the domain admin token in memory and retrieves it.

🔔 Detection and 🔎 Investigation

🏺 Artefacts

Event logs

🐾 Detection Patterns

1. New accounts created (Windows 4720)
2. Anomalous logins (workstation to workstation, sensitive networks) - 4624, 4776
3. After-hours logins
4. Unusual locations
5. Ex-employees
6. Privileged account usage (Windows 4672)
7. Watch out for registry key 🔑HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential set 1.

By login type

1. Console login, RunAs, PsExec alternate creds - look for logon type 2.
2. Network use, PowerShell remoting (Invoke-Command and Enter-PSSession), PsExec alternate creds, PsExec w/o explicit creds and Remote registry - type 3.
3. Remote Desktop - 10.
4. Remote Scheduled tasks - 4 (password saved as LSA secret).
5. Run as Service - 5 (password saved as LSA secret).

📚 Further reading: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model

🛡️ Defense

PowerShell remoting is, so far, the most secure option. It enables Remote Credential Guard by default.

1. UAC (MAC + least privilege).
2. A small number of apps should require admin privileges.
3. Managed Service accounts (good defence against Kerberos attacks): long complex passwords, frequent password changes. -> Group Managed Service Accounts (flexible and admin-friendly).
4. Windows 8+
   1. Doesn’t cache credentials (even when using CredSSP), TsPkg, Wdigest.
   2. New security groups were added. This restricted local admins from the network or remote interactive logons to domain-joint systems.
   3. Some processes are marked as protected, and protected processes can’t run unsigned code. LSASS process is one of the most important ones. This protection is off by default + one can sign the cred-dumping malware (like 🛠️ Mimikatz).
   4. Remote Desktop with /restrictedAdmin switch -> creds are not pushed to the remote system.
   5. Domain Protected Users, security group. They can’t use NTLM, CredSSP or Digest authentication mechanisms (protection against some of the 🛠️ Mimikatz techniques and pass-the-hash tools). Creds are not cached, nor are they delegated. Kerberos ticket 🎫 lives for 4 hours tops. RC4 encryption is off (too weak).
   6. Group Managed Service accounts (gMSA). With GMSA, one can use the same account for several services and can be used on multiple computers within the same domain. MSA and gMSA automate password management for services (managed by AD), eliminate the need to hardcode the credentials, adhere to the least privilege principle, and isolate service accounts.
5. Windows 10+
   1. Remote Credential Guard. Protects all the accounts, not only admin.
   2. Credential Guard. Uses machine virtualisation to isolate creds.
   3. Device Guard. Can lock a system to prevent the use of untrusted code.
6. User PowerShell
7. Don’t interact logon to remote machines with an admin account (console, RDP and runas).
8. Terminate RDP sessions properly. The disconnect is NOT closed. You can set a timeout to terminate disconnected sessions. This can be set via Group Policy.
9. Assign Account is Sensitive and Cannot be Delegated attribute to prevent token delegation.
10. Limit the number of cached logon accounts in SOFTWARE\Microsoft\Windows NT\Current Version\WInlogon, cachedlogonscount value. Be careful, though, services need cached creds.
11. Complex passwords.
12. Add valuable users to the domain-protected users’ security group, not cache creds.

Built-in:

1. can’t remotely write to C$ and Admin$ shares
2. can’t use some remote management tools like schtasks, at, wmic (if it’s disabled).

Custom:

1. Unique, strong passwords
2. No network logins for these accounts
3. 2FA?

Important Security Patches

1. KB2871997 - no clear text in LSASS, two security groups are created.
2. KB2928120 - The security update modifies the Group Policy Management Editor window of the Group Policy Management Console (GPMC) by removing the ability to configure and distribute passwords using the following Group Policy Preferences extensions.

📚 Further reading: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importance-of-kb2871997-and-kb2928120-for-credential/ba-p/258478

References