How to understand Windows authentication and grasping password

2025-03-26 update. From: SLTechnology News&Howtos, Servers section.


Shulou (Shulou.com), 06/01 report.

This article explains how Windows authentication works and how passwords and hashes are captured and reused, in the hope of giving readers who want to understand the subject a simpler path into it.

1. What are the main authentication methods of Windows?

Windows has two main authentication protocols: NTLM authentication and Kerberos authentication. In addition, the Windows Access Token records a user's SID, group SIDs, logon session and privileges, and is what the system consults when it decides whether an access is allowed.

NTLM authentication comes in two forms: local authentication and network authentication. For a local logon the user's password hashes are stored in the file %SystemRoot%\system32\config\sam. When the user enters a password for local authentication, everything happens on the local machine: the system converts the entered password into an NTLM hash and compares it with the NTLM hash stored in the SAM. Network authentication is based on a challenge/response mechanism; its flow is discussed in detail below.

Kerberos authentication is used in a domain environment. It is a ticket-based method whose whole flow involves three parties: the client, the server and the KDC (Key Distribution Center). In a Windows domain the DC (domain controller) acts as the KDC.

An Access Token is an object that describes the security context of a process or thread. The information it contains is the identity and privilege information of the user account the process or thread runs as. When a user logs on, the system generates an Access Token, and every process running as that user carries a copy of it. This is why a process created by user A is, by default, not accessible to user B: the token attached to the process decides what it may touch and who may touch it.

2. What is the authentication process of NTLM?

First, local authentication, which is really the question of how the NTLM hash is generated.

When the user logs out, restarts or locks the screen, the operating system has winlogon display the logon interface, that is, the password input box. When winlogon.exe receives the input, it hands the password to the LSASS process, which keeps the plaintext in memory, hashes it into an NTLM hash and compares that against the SAM database to authenticate. Winlogon.exe, the Windows Logon Process, is the Windows NT component that manages user logon and logoff.

LSASS (Local Security Authority Subsystem Service) is part of the Windows security mechanism; it enforces the local security and logon policies.

For example, when the user enters the password admin, the operating system encodes it as UTF-16LE (two bytes per character, the "Unicode" form) and runs MD4 over those bytes. The hexadecimal form of the MD4 digest is the NTLM hash. Written out step by step (the ASCII hex line is only there to show the bytes; it is not a separate transformation):

admin -> ASCII bytes (hex) = 61646d696e
admin -> UTF-16LE = 610064006d0069006e00
MD4(610064006d0069006e00) = 209c6174da490caeb422f3fa5a7ae634

Note that there is no salt: every account with the password admin has exactly this hash, which is what makes the hash lookup tables in section 3 possible.

After understanding the process of local authentication, let's talk about the specific process of network authentication.

NTLM network authentication consists of three messages: Negotiate, Challenge and Authenticate (NTLM Type 1, 2 and 3).

Negotiate: used to agree on the protocol version, flags and encryption level supported by the two sides.

Challenge: after receiving the client's negotiate message, the server reads it, selects the options it supports (target information, encryption level, security services), generates a random challenge and returns it to the client in the challenge message. This message is the heart of the challenge/response mechanism.

Authenticate: the client returns its answer to the challenge, and this message is what actually gets verified.

The detailed process is as follows:

In the first step, the user enters the password, and LSASS keeps the NTLM hash of that password in memory on the client.

In the second step, the client sends the user name in plaintext to the server.

In the third step, the server generates a random challenge (8 bytes in NTLMv1 and NTLMv2) and sends it to the client.

In the fourth step, on receiving the challenge, the client encrypts it with the NTLM hash stored in the first step and sends the result, the response, to the server.

In the fifth step, on receiving the response, the server forwards an authentication request for the client to the DC over the Netlogon secure channel. The request contains three things: the client user name, the challenge as encrypted with the client's NTLM hash, and the original challenge.

In the sixth step, the DC looks up the NTLM hash for that user name in its account database (ntds.dit), encrypts the original challenge with that hash and compares the result with the response it was sent. If they match, authentication succeeds; otherwise it fails.

The above is NTLMv1 authentication. The most significant differences between NTLMv2 and v1 are the challenge material and the algorithm; what they have in common is that the key is the NTLM hash. In NTLMv1 the client answers only the 8-byte server challenge, using DES (the 16-byte hash is padded to 21 bytes and split into three DES keys). In NTLMv2 the client also contributes an 8-byte client challenge and a timestamp inside a blob, so the material being answered is 16 bytes of challenge plus that blob, and the algorithm is HMAC-MD5 keyed with a hash derived from the NTLM hash, the upper-cased user name and the domain.
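The six-step exchange above, worked through for NTLMv2, as an added example that is not part of the original article: the client side computes the response from the challenge, and the DC side recomputes it from the stored hash. The challenge, client challenge, user name and domain are constructed values; the NT hash is the article's hash of the password admin. Note that the client function never sees a password, only the hash, which is exactly what Pass the Hash in section 3 relies on.

```python
import hashlib
import hmac
import os
import struct
import time

ADMIN_NT_HASH = bytes.fromhex("209c6174da490caeb422f3fa5a7ae634")   # NT hash of "admin" (from the article)


def filetime_now() -> int:
    """Windows FILETIME (100 ns ticks since 1601-01-01) as carried in the NTLMv2 blob."""
    return int((time.time() + 11644473600) * 10_000_000)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The client blob: version 0x0101, 6 reserved bytes, FILETIME, client challenge, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """Client side (step 4): NTProofStr || blob. Needs the hash only, never the password."""
    temp = build_temp(timestamp, client_challenge, target_info)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """DC side (step 6): recompute the proof from the hash in ntds.dit and compare."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(client_hash: bytes, stored_hash: bytes, user: str = "admin", domain: str = "TEST") -> bool:
    """Drive steps 3 to 6 with constructed values and return the DC's verdict."""
    server_challenge = os.urandom(8)       # step 3 (constructed, not from a real server)
    client_challenge = os.urandom(8)
    target_info = b""                      # real servers send AV_PAIRs (NetBIOS/DNS names, timestamp)
    response = ntlmv2_response(client_hash, user, domain, server_challenge,
                               client_challenge, filetime_now(), target_info)
    return verify_ntlmv2(stored_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("hash matches DC copy:", run_exchange(ADMIN_NT_HASH, ADMIN_NT_HASH))
    print("wrong hash:", run_exchange(bytes(16), ADMIN_NT_HASH))
```

Because the server challenge is fresh each time, a captured response cannot simply be replayed against a new challenge; it can, however, be cracked offline or relayed while the exchange is in progress, which is why the hash itself is the prize.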

3. What are the main ways to use an NTLM hash?

Once we have obtained an NTLM hash by dumping hashes, I usually first check whether it can be cracked directly by an online lookup service. Commonly used sites:

Https://www.objectif-securite.ch/en/ophcrack.php/

Http://www.cmd5.com/

Https://www.somd5.com/

If it cannot be cracked, try Pass The Hash.

Pass The Hash means using the NTLM hash that belongs to the user name to encrypt the challenge sent by the server and produce the response, completing the authentication. Since Pass The Hash completes a normal NTLM authentication without ever entering the password, it is not a vulnerability; it is a technique that the protocol design permits.

Commonly used PtH tools: mimikatz, wmiexec/psexec from impacket, the Metasploit module exploit/windows/smb/psexec_psh, and the PowerShell Invoke- family of scripts.

Of course, PtH has its limits. Hosts hardened with KB2871997 (and Windows 8.1/2012 R2, which ship those changes by default) tighten how a stolen hash can be used, for example by no longer caching plaintext in WDigest and by adding the Protected Users group and local-account SIDs that can be used to deny remote logons. When NTLM with a hash is blocked, we have another option: Pass The Key. On 8.1/2012 R2 natively, and on Win 7/2008 R2/8/2012 with KB2871997 installed, the account's Kerberos AES keys can be used in place of the NTLM hash. When mimikatz dumps the hash it dumps these keys too, and the pth command in mimikatz accepts them directly, so pth in mimikatz is really ptk as well.

Command:

mimikatz "privilege::debug" "sekurlsa::pth /user:a /domain:test.local /aes256:f74b379b5b422819db694aaf78f49177ed21c98ddad6b0e246a7e17df6d19d5c"

Beyond these there are many other techniques: passing the hash to RDP when Restricted Admin Mode is enabled (supported from Windows 8.1 and Server 2012 R2), re-enabling WDigest so that plaintext passwords are cached again and then grabbing them from winlogon/LSASS, and so on.

4. What are the main points to know about Kerberos authentication?

First, explain some nouns:

Basic concepts:

KDC: Key Distribution Center, responsible for managing, validating and issuing tickets. The KDC is not a single service; it consists of the AS and the TGS.

AS: Authentication Service, the service that issues a TGT to the client.

TGS: Ticket Granting Service, the service that issues a service ticket to the client.

TGT: Ticket Granting Ticket, the "admission ticket" with which service tickets can be obtained; it is a temporary credential with a lifetime.

Ticket: a ticket, the credential with which objects in the network access one another.

AD: Account Database, which holds the list of all known clients. Only a client that exists in this list can successfully request a TGT.

DC: Domain Controller.

KRBTGT: every domain has a krbtgt account, the service account of the KDC; its key is used to encrypt and sign TGTs.

Kerberos provides centralized authentication in which three parties take part: the client, the server and the KDC. In a Windows domain the DC plays the role of the KDC. Kerberos is ticket-based: a Ticket carries the user's identity, plus some additional information, securely between the authentication server and the service the user requests, and it is meant to guarantee that whoever presents the Ticket is the user named in it. Once a Ticket is issued, the client can reuse it for the same server as many times as it likes during its lifetime. That reuse is also why ticket theft is a problem.

Let's walk through the general Kerberos workflow. If a client in a domain wants to access a server resource in the same domain, it must first obtain a Ticket that the server recognises. In other words, the client buys a ticket in advance and the server checks it at the door. But this ticket cannot be bought directly: the client first needs a ticket-granting ticket (TGT), and both the TGT and the server ticket are sold by the KDC. (The author refers here to a well-known diagram of the Kerberos flow; the image is not reproduced.)

5. What are the main ways to abuse Kerberos in domain penetration?

Having covered the authentication flow, we should talk about the two kinds of forged tickets that come up most often: silver tickets and golden tickets.

A silver ticket needs no interaction with the KDC; it requires only the NTLM hash of the target service account. So once we have a server's hash, we can forge a service ticket that the KDC never issued.

Take advantage of:

kerberos::golden /domain: /sid: /target: /service: /rc4: /user: /ptt

Because a silver ticket requires the hash of the target server, there is no way to produce tickets for every server in the domain, nor can a silver ticket be used to request further tickets the way a TGT can. It is therefore only good for specific services on specific servers. For example, a ticket for the cifs service gives file-share access to that Windows host, whereas a ticket for another service such as LDAP cannot reach the server's file system.

A golden ticket, by contrast, is a forged TGT: using it means talking to the DC's TGS, and forging it requires the hash of the krbtgt account, which in practice means the domain controller has already been compromised.

Take advantage of:

lsadump::dcsync /domain:<domain name> /user:krbtgt

kerberos::golden /domain: /sid: /rc4: /user: /ptt

With the krbtgt hash in hand you can forge a golden ticket, and with it obtain a service ticket for any Kerberos service and log on to any host in the domain. Mimikatz can also export the tickets cached in LSASS on the current host with sekurlsa::tickets /export, or you can dump NTDS.dit from the DC and take every hash in the domain.
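The ticket flow of section 4 and the two forgeries described above, as an added example in Python that is not code from the article or from mimikatz. It is a toy model: real Kerberos encrypts each ticket under the long-term key of the party that must read it (krbtgt for a TGT, the service account for a service ticket); here a ticket is its JSON body plus an HMAC-SHA256 tag under that key, which is enough to show the property the article relies on, namely that whoever holds a key can mint tickets that the key's owner trusts. Principal names, keys and the pre-authentication check are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def seal(key: bytes, body: dict) -> dict:
    """Stand-in for 'encrypt with this key': body plus HMAC tag under the key."""
    raw = json.dumps(body, sort_keys=True)
    return {"body": raw, "tag": hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: dict):
    """Returns the body if the tag verifies under the key, else None."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(ticket["body"]) if hmac.compare_digest(tag, ticket["tag"]) else None


class KDC:
    """AS + TGS on top of the account database (ntds.dit on a Windows DC)."""

    def __init__(self, keys: dict):
        self.keys = keys                         # principal name -> long-term key

    def as_exchange(self, user: str, proof: bytes):
        """AS-REQ/AS-REP. The pre-auth proof stands in for an encrypted timestamp."""
        if user not in self.keys or not hmac.compare_digest(proof, self.keys[user]):
            return None                          # not in the account list: no TGT
        return seal(self.keys["krbtgt"], {"user": user, "session": secrets.token_hex(16)})

    def tgs_exchange(self, tgt: dict, service: str):
        """TGS-REQ/TGS-REP: the TGS trusts any TGT that verifies under the krbtgt key."""
        inner = unseal(self.keys["krbtgt"], tgt)
        if inner is None or service not in self.keys:
            return None
        return seal(self.keys[service], {"user": inner["user"], "service": service})


def service_accepts(service_key: bytes, ticket: dict, service: str) -> bool:
    """AP-REQ: the server checks the ticket with its own key and never asks the KDC."""
    inner = unseal(service_key, ticket)
    return inner is not None and inner["service"] == service


def forge_silver(service_key: bytes, service: str, user: str) -> dict:
    """Silver ticket: the service account's key is all that is needed; no KDC traffic."""
    return seal(service_key, {"user": user, "service": service})


def forge_golden(krbtgt_key: bytes, user: str) -> dict:
    """Golden ticket: a TGT under the krbtgt key for whatever user the attacker names."""
    return seal(krbtgt_key, {"user": user, "session": "attacker-chosen"})


def demo() -> dict:
    keys = {k: secrets.token_bytes(16) for k in ("krbtgt", "alice", "cifs/fs01", "ldap/dc01")}
    kdc = KDC(keys)
    tgt = kdc.as_exchange("alice", keys["alice"])
    st = kdc.tgs_exchange(tgt, "cifs/fs01")
    silver = forge_silver(keys["cifs/fs01"], "cifs/fs01", "Administrator")
    golden = forge_golden(keys["krbtgt"], "ghost")           # "ghost" has no account at all
    return {
        "legit_flow": service_accepts(keys["cifs/fs01"], st, "cifs/fs01"),
        "unknown_user_gets_tgt": kdc.as_exchange("ghost", b"x") is not None,
        "silver_on_cifs": service_accepts(keys["cifs/fs01"], silver, "cifs/fs01"),
        "silver_on_ldap": service_accepts(keys["ldap/dc01"], silver, "ldap/dc01"),
        "golden_gets_any_service": kdc.tgs_exchange(golden, "ldap/dc01") is not None,
        "golden_with_wrong_key": kdc.tgs_exchange(forge_golden(b"guess", "ghost"), "ldap/dc01") is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

The last two results are the whole point of the krbtgt hash: the TGS cannot tell an attacker-minted TGT from its own, so a golden ticket yields service tickets even for a user that does not exist, while a guess at the key yields nothing. The silver ticket is accepted by the cifs service and rejected by ldap, matching the scope limitation described above.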

Next, the ways of taking the domain controller.

Without doubt the most commonly used is MS14-068. The main tools are goldenPac.py from impacket, or kekeo and PyKEK. There are many write-ups online, so it is not described in detail here.

6. Main points about the Windows Access Token

There are two kinds of Windows Access Token. A delegation token (in the Win32 API, a primary token) is created for interactive logon sessions such as a local console logon or a Remote Desktop logon; an impersonation token is created for non-interactive logons, for example when net use is used to access a shared folder.

When a process is created, the LSA (Local Security Authority) assigns it a token based on the privileges of the logon session. If a token is specified in the CreateProcess call, that token is used; otherwise the process gets a copy of its parent's token. When the user logs off, the system downgrades the delegation token to an impersonation token, and that token is not cleared until the machine reboots.

Tokens are usually stolen with incognito.exe or the incognito module in Metasploit (which was ported from the Windows tool) to obtain the privileges carried by a token: for example, first obtain administrator rights, then steal and impersonate a token that carries SYSTEM.

In addition, I recommend 3gstudent's article on abusing the nine Windows token privileges. My feeling is that, in the later stages of intranet penetration, to really understand and exploit the relevant weaknesses you need to be familiar with the Win32 API; otherwise you stay on the surface and cannot go deeper.

The author's own mind map summarising Windows authentication is attached here (image not reproduced).

That concludes this overview of how Windows authentication works and how passwords are captured. I hope it is of some help; if you still have questions, keep an eye on the industry information channel for more.
