<p><strong>The WiKID Blog | WiKID Systems</strong> (<a href="http://www.wikidsystems.com/blog/">http://www.wikidsystems.com/blog/</a>): musings on two-factor authentication, information security and some other stuff.</p>
<p><strong>Defeating pass-the-hash attacks with two-factor authentication</strong> (2017-06-29, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/">permalink</a>)</p>
<p>Implementing two-factor authentication for remote access is a great way to keep attackers out of your network, because users' credentials are floating all around the internet. But attackers can still get into your network through malware and other tools. In the past, we described how <a href="http://www.wikidsystems.com/blog/defense-at-every-stage/" title="Defense in depth with two-factor auth">two-factor authentication can be used at each stage of an attack</a> to make detection easier and execution much harder:</p>
<ul>
<li>Implementing two-factor authentication for remote access will make intrusion much more difficult.</li>
<li>Implementing two-factor authentication for privileged accounts will make escalation much more difficult.</li>
<li>Implementing two-factor authentication at your outbound proxy will make exfiltration much more difficult.</li>
</ul>
<p>The PCI Council is now requiring <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/" title="2FA for non-console admin access">two-factor authentication for non-console administrative access</a>. To see how easy the pass-the-hash attack is and to show how WiKID can mitigate it, we present the tale of two domain administrators. One uses a static password, the other uses the WiKID Native Active Directory 2FA protocol.</p>
<p>In our lab we set up two boxes: a Windows domain server running Server 2012 and a PC running Windows 10. On the Windows 10 box, download two tools: <a href="https://github.com/gentilkiwi/mimikatz" title="Mimikatz">Mimikatz</a> and <a href="https://technet.microsoft.com/en-us/sysinternals/pstools.aspx" title="PSTools">PsTools</a>. We will use Mimikatz to grab the hash and PsExec to pass it to the AD server and get a console on it.</p>
<p>Note that you will need to turn off Windows Defender as it will remove and quarantine Mimikatz. Right click on the appropriate mimikatz.exe and choose Run as Administrator. You need to be a local admin for the tool to work. </p>
<p><img alt="run mimikatz as admin" height="239" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/run_as_admin.png/run_as_admin-593x239.png" width="593"/></p>
<p>Next, check that you have the appropriate privileges by running:</p>
<pre>privilege::debug</pre>
<p>We do:</p>
<p><img alt="privlege::debug command" height="231" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/privilege_debug.png/privilege_debug-664x231.png" width="664"/></p>
<p>Let's have our two domain admins log in to the box to do a bit of work. The first domain admin logs in with their static AD password because, really, what's the point? The network is small and the users are pretty smart. Then our much more sophisticated domain admin logs in with a one-time passcode from their WiKID server, which has been set up to <a href="http://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/" title="two-factor authentication for windows/AD logins">provide 2FA for AD logins</a>, because he really likes to sleep well at night and knows that attackers are clever and have many motivations. That these two admins are working on the same computer and network in very different ways is just an example of really bad script development.</p>
<p><img alt="2FA for windows logins" height="258" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/good-admin-login.png/good-admin-login-584x258.png" width="584"/></p>
<p>Note a few things:</p>
<ul>
<li>The AD protocol supports complex one-time passwords that meet AD complexity requirements.</li>
<li>The password lifetime can be configured in the domain settings too. This setting is key as it is an attack window.</li>
<li>The PC client is pictured here; in real life you would likely use a smartphone software token.</li>
</ul>
<p>Next, we use this mimikatz command to grab the hashes of these two admins:</p>
<pre>sekurlsa::logonpasswords</pre>
<p>This is what we get:</p>
<p><img alt="getting pass-the-hash credentials" height="407" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/sysadmin_ntml.png/sysadmin_ntml-671x407.png" width="671"/></p>
<p>And:</p>
<p><img alt="more creds for pass-the-hash" height="394" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/nowen_admin.png/nowen_admin-619x394.png" width="619"/></p>
<p>Note the NTLM hashes - that's what we will use. </p>
<p>Now, we will use Mimikatz's pass-the-hash command to escalate our privilege to domain admin. First, we try the admin that used the static password.</p>
<pre>sekurlsa::pth /user:sysadmin /domain:wikidsystems.com /ntlm:0a53c1165654e555ed5992963d097495</pre>
<p>This command gives us a DOS prompt that shows our user hasn't changed:</p>
<p><img alt="user prompt with hash" height="187" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/user_prompt.png/user_prompt-499x187.png" width="499"/></p>
<p>But in fact the new prompt now runs with the administrator's credentials. We can use PsExec to prove this:</p>
<pre>psexec.exe \\192.168.56.129 cmd.exe</pre>
<p><img alt="Hash passed successfully" height="456" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/hash_passed.png/hash_passed-567x456.png" width="567"/></p>
<p><strong>You can see that we are now sysadmin on the domain server. The attack was successful! </strong></p>
<p>Now, let's try the same with the domain admin that used the WiKID password to login.</p>
<pre>sekurlsa::pth /user:nowen_admin /domain:wikidsystems.com /ntlm:f2ef29069c481dfaec8ce0590b4fa46d</pre>
<p>We get our DOS prompt with our username once again:</p>
<p><img alt="user prompt in dos" height="187" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/user_prompt.png/user_prompt-499x187.png" width="499"/></p>
<p>Now, let's see if the hash will work. We run the same command:</p>
<pre>psexec.exe \\192.168.56.129 cmd.exe</pre>
<p><img alt="Pass-the-hash thwarted!" height="354" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/pass_the_hash_thwarted.png/pass_the_hash_thwarted-577x354.png" width="577"/></p>
<p><strong>It fails!</strong> Of course it does. The password is changed after the expiration of the "one-time password" and the hash is no longer valid. Note that it's not really a one-time password. The WiKID server writes a random password to AD and sends it to the token as well. Once the password expires, the <strong>WiKID server overwrites the password in AD</strong> with another random complex string that no one knows. Thus, there is a window where an attacker can still use the hash: the lifetime of the password, which can be configured in the WiKID domain to whatever you want. It also means that you can set up an alert in your SIEM for both unsuccessful pass-the-hash attempts (à la "honey tokens") and multiple successful logins within the password expiration window.</p>
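<p>The two SIEM alerts suggested above, written out as rules over Windows Security log events. This is an added example and not code from the post or from WiKID; the log lines, workstation addresses, the five-minute password lifetime and the set of protected accounts are all constructed for the demo, and the first rule refines "multiple successful logins" to logons from more than one source host inside a single password lifetime, since one OTP used against several servers from the same workstation is normal admin behaviour.</p>

```python
# Added example (not from the WiKID post): two SIEM-style checks over Windows
# Security log events, following the alerting idea in the post. The log lines,
# addresses and thresholds below are constructed; the password lifetime is an
# assumed WiKID domain setting, not a value from the post.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, flattened from Security log events. EventID 4624 is a
# successful logon and 4625 a failed one; LogonType 3 is a network logon,
# which is what a PsExec session against the domain controller produces.
SAMPLE_LOG = """\
2017-06-29T10:00:05 EventID=4624 TargetUserName=nowen_admin IpAddress=192.168.56.101 LogonType=3 AuthenticationPackageName=NTLM
2017-06-29T10:00:40 EventID=4624 TargetUserName=nowen_admin IpAddress=192.168.56.120 LogonType=3 AuthenticationPackageName=NTLM
2017-06-29T10:07:00 EventID=4625 TargetUserName=nowen_admin IpAddress=192.168.56.120 LogonType=3 AuthenticationPackageName=NTLM
2017-06-29T10:30:00 EventID=4624 TargetUserName=sysadmin IpAddress=192.168.56.120 LogonType=3 AuthenticationPackageName=NTLM
"""

PASSWORD_LIFETIME = timedelta(minutes=5)  # assumed WiKID domain setting
TWOFA_ADMINS = {"nowen_admin"}            # accounts whose AD password WiKID rotates


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event["LogonType"])
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def logons_from_multiple_hosts(events, accounts, lifetime):
    """Rule 1: a protected admin's AD password is only valid for `lifetime`,
    so successful network logons for that account from more than one source
    host inside a single lifetime deserve a look. Returns one tuple
    (user, window start, sorted hosts) per flagged account."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["EventID"] == 4624 and e["LogonType"] == 3 and e["TargetUserName"] in accounts:
            by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window_end = first["time"] + lifetime
            hosts = {first["IpAddress"]}
            for later in evs[i + 1:]:
                if later["time"] > window_end:
                    break
                hosts.add(later["IpAddress"])
            if len(hosts) > 1:
                alerts.append((user, first["time"].isoformat(), sorted(hosts)))
                break  # one alert per account per run is enough here
    return alerts


def failed_ntlm_logons(events, accounts):
    """Rule 2: once WiKID has overwritten the password, a replayed hash fails,
    so the rotated accounts behave like honey tokens: any failed NTLM logon
    for them is worth an alert. Returns (user, time, source host) tuples."""
    return [
        (e["TargetUserName"], e["time"].isoformat(), e["IpAddress"])
        for e in events
        if e["EventID"] == 4625
        and e["AuthenticationPackageName"] == "NTLM"
        and e["TargetUserName"] in accounts
    ]


def run_rules(text=SAMPLE_LOG):
    """Run both rules over a log text and return their hits by rule name."""
    events = parse_log(text)
    return {
        "multi_host_logons": logons_from_multiple_hosts(events, TWOFA_ADMINS, PASSWORD_LIFETIME),
        "failed_ntlm_logons": failed_ntlm_logons(events, TWOFA_ADMINS),
    }


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(name, hits)
```

<p>On the constructed sample the first rule flags nowen_admin, whose password was used from two workstations forty seconds apart, and the second rule flags the NTLM failure seven minutes later, after the WiKID server has rotated the password. The window in rule 1 should match the lifetime configured in the WiKID domain, since that lifetime is exactly the period during which a captured hash still works.</p>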
<p>The WiKID server is free for up to 5 users. So, even if you don't use two-factor authentication for remote access, a company with 5 or fewer domain admins could use this for free. That's a lot of companies.</p>
<p><strong>It always comes to this: why making the right security designs up front matters</strong> (2017-04-26, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/it-always-comes-to-this-why-making-the-right-security-designs-up-front-matters/">permalink</a>)</p>
<p>When we started WiKID, we knew we had to be as secure as or more secure than the leading players at the time (RSA and Vasco, mostly, way back then). We decided that using asymmetric keys generated on users' devices was the best way to overcome objections to software-based tokens. After all, R, S and A had developed public key encryption to overcome the weaknesses of shared secret encryption.</p>
<p>Fast-forward, and the dominant form of consumer-oriented two-factor authentication is "two-step" authentication using a shared secret-based protocol (even after hackers successfully stole the shared secrets of a major 2FA vendor) or, worse, SMS. Of course, we know the saying that marketing trumps technology. This seemed like a typical case of that. No one much cared about the increased security offered by asymmetric encryption.</p>
<p>But security is a slightly different beast because: 1. Attackers are always getting better. 2. Regulations and compliance can force a market to change despite marketing. The PCI-DSS Council may be in the process of doing that with their most <a href="http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/">recent guidance on multi-factor authentication</a>, stating that multi-step authentication leaks account information and should not be used. NIST has said that using SMS as an authentication mechanism is deprecated.</p>
<p>In a way, this will be easier for many systems administrators. Most VPNs and remote access services support OTP-based 2FA via RADIUS by default (which also allows authorization against AD/LDAP, another recommended practice), and they do not support a multi-step authentication process. There is no way, for example, to do two-step authentication on a <a href="http://www.wikidsystems.com/support/how-to/keyword/cisco/" title="Cisco 2FA tutorials">Cisco</a> ASA. But two-factor authentication is easy and can be added to <a href="http://www.wikidsystems.com/support/how-to/keyword/cisco/">ASA admin accounts</a> as well, a great idea and soon to be required under PCI's non-console admin access requirements.</p>
<p><strong>How to add WiKID two-factor authentication to an Aruba Networks Via VPN solution</strong> (2016-07-07, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/how-to-add-wikid-two-factor-authentication-to-an-aruba-networks-via-vpn-solution/">permalink</a>)</p>
<p>Check out this great video on how to add WiKID two-factor authentication to an HPE/Aruba Networks Via VPN: <a href="https://www.youtube.com/watch?v=hcHXwND301U&feature=youtu.be" title="WiKID 2FA and Aruba VIA VPN">https://www.youtube.com/watch?v=hcHXwND301U&feature=youtu.be</a></p>
<p>Martin was able to use our <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/">free evaluation of the WiKID server</a> to get everything up and tested before purchasing.</p>