Next, Gerard is going to talk about some computer forensic stuff. How many people do forensics here? I do. I do, yeah. And pass-the-hash attacks. How many people have used pass the hash before? I raised that other hand. Yeah. All right. So look to your left, look to your right. Everybody has got a reason to listen to this. This is going to be pretty interesting. And bonus, this is a Linux laptop that hooked up to the projector the first time. That's big. That's big. Can't believe that. All right. Let's give Gerard a big hand.

Okay. Hi, my name is Gerard Laygui. I'm here to talk about forensic artifacts from the pass-the-hash attack. Before I start, I'd like to thank the organizers of DEF CON for allowing me to present this topic at DEF CON 23. Standard disclaimer: the views and opinions expressed in this presentation are those of the author and do not necessarily represent the official policy or position of the company that the author works for. So I have to read this in order to present.

Okay. So what's a hash? Basically, a hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size. In the case of Windows, a password is stored in either a LAN Manager hash or an NTLM hash format. Okay. So basically, you type in your password. A password is not stored on the system in plain text. What happens is it's converted through a hash function. The hash function goes through it, and that's what's saved on your system. So basically hash equals password. Where are the hashes stored? There are a bunch of places where they're stored. And here they are. Yeah, I don't have to read it for you guys. Okay. So here are some examples. So the best example that I've ever heard of, you know, of hashes and what they look like in the real world, would be like the coffee cup. You know, when I was doing my CISSP, Shon Harris talked about this. You get a coffee cup; that's your plain text password. When you drop it, that's the mathematical function that it's going through. When it hits the ground, that's your hash. So when you log into a Windows system, it's not comparing your coffee cups, it's comparing the splats on the ground. If the splats on the ground match, you're in.

Okay, so pass the hash. Pass the hash is a hacking technique that allows an attacker to authenticate to a remote service by using the underlying NTLM or LAN Manager hash of a user's password, instead of requiring the associated plain text password. Like I said before, in this case, hash equals password. If you can get your hands on that hash, you really don't need that person's password.

So one of the things that I've done in my demo environment was a bunch of logging changes. Out of the box, if you do not change the logging, you will not catch anything. Microsoft even goes as far as to tell you that. That's why I actually included the KB article that says this. So basically they tell you, hey, you know, you might want to turn this on, you might want to turn that on. Because if you don't, you're not going to catch anything. So a lot of these artifacts that I'm going to show you guys, some of them don't even appear unless you turn on this logging. And the logging that you turn on really doesn't add that much to your logs. But also, because you're going to put more stuff in your logs, you need to increase the log file size. And Microsoft also gives recommendations on that.

Okay. So, my demo domain. I was going to do a live demo, but the problem is the screen size is not going to work. But for the demo that I have, I will show a video. It's a Windows 2012 native mode domain. So for the people that are admins out there, it's native mode. That means the LM hash isn't even used. That hash is weak. So this is NTLM. The domain names on those are all internal.
So for this one over here, you're going to see the boxes that I'm going to be playing with are the Windows 7 client, the member server, which is Win2k8 R2, and the Win2k12 domain controller. There's going to be a user called Ima User. He basically has access to the client box, and he's the admin on the client box. And he's also an admin for an application on the member server. This is like a lot of people out there. A lot of corporations, a lot of businesses have users that have to administer applications on servers. So this is, you know, this is what's out there. The Ima Domain Admin, even though he has access to all the stuff in the domain, usually you'll see them on the domain controllers. And every now and then you'll see them on the member servers. That might look cool because you're saving, you know, you don't have to make a separate account. But for this attack, this is what's going to catch you: your domain admin doing work on a member server. It's at that intersection that you get caught.

Also, for people that have been at small, medium, or even large corporations, what happens is that they have what they call a golden image. On this golden image, what they do is they have the same local admin password. So for all these clients out there, hey, they have the same, we call it the SID 500. That's the, you know, if you look in Microsoft's stuff for well-known SIDs, anything that has the 500 at the end of it, that's the administrator account. So what you could probably do is, I'm going to show it to you later on when I dump the hashes. You're going to see an account that says administrator, but he doesn't have it. And there's going to be another account with my name on it that has 500 on it. So the one that has my name on it, that's the real local administrator account that's just been renamed. Same thing goes for the servers also. People do golden images.

And the reason why I mention this is because when you pass the hash, Microsoft actually fixed this last year, so you can't pass the hash using, you know, local accounts except for the 500 account. That's the reason why you need to know the 500 account.

So when we talk about the pass-the-hash sequence, what happens is usually there's a compromise that hits one of your clients. I use the Social-Engineer Toolkit, so I owe Dave a hug and a beer in a bar, just so you guys know. So what happens is, after you do a compromise, they're going to elevate privileges, right? They're going to go from the user, because usually when you do a compromise, the compromise usually takes place in the security context of the user. The attacker is then going to elevate privileges, scrape hashes, and do recon at that time, too. Okay? Once he's on the recon, he's going to either enumerate the domain or find out places where he wants to, you know, pass the hash to. Once he passes the hash, he's going to be in the security context of that user, and then he's going to pass to the next box. What you're going to do next is the same thing that you usually do, which is elevate privileges, scrape hashes, and recon. On all these boxes that you pass through, here is some optional stuff: you can leave backdoors, just in case you want to visit that box again, and you can crack hashes. Cracking hashes, yeah. It's kind of cool, cracking hashes. Once you've done all of these events, what you're prepping for is the final assault. The final thing you want to do is you want to get a domain admin hash, and you want to pass that hash to the domain controller. Once you're on the domain controller, what you're going to do is you're going to extract the Active Directory.
Once you've extracted the Active Directory, you can do some really cool attacks, such as golden tickets and skeleton key attacks. And those are what I think of as ultimate persistence attacks.

Okay, so what I'm going to do is I'm going to try to pull out my video here, and I'm hoping that it's going to show. Let's see. I'm going to try to put it full screen so maybe you guys can see it. Is it not working? Can you guys see the words that I'm typing out there? I mean on the video, or now? Or is it good? Okay, so what I'm going to try to do is I'm going to try to play it as fast as I can, because the resolution is not as good as it should be. Full screen it. Okay. No, that was full screen. Okay, that's about as full as it's going to get for me. Sorry, guys.

So basically what I've done is that I've already compromised the box. I go in through my back door. What my back door does is that it's kind of like a sticky keys thing, or it's a variation of it. So as you can tell, I'm already into the box, and I do certain keystrokes, I get a shell. And what I'm doing is I'm going to try to extract the hashes, okay? So when I try to extract the hashes, I have a script on the box that I pre-put on there, that I put on the boxes. I have these videos, by the way, so you guys can see it. It's posted to my friend's website, at the end of this, so you guys can actually see it, and I do narrate on it. Sorry about that. So what I do is I run my script, it dumps the hashes, and I'm going to notice that, hey, I don't have the domain admin hash. So what I do is I say, okay, let's put the domain admin hash on that box, and I log in as the domain admin on one of these boxes. So once I log in as the domain admin, what's going to happen is I'm going to go back to my Kali box and I'm going to scrape the hash again, and once I scrape the hash, it's there. What you should have seen is that 500 thing. Unfortunately I can't show it to you.

So basically when I run the hash scraper again, this time it's going to show up, and I'm going to grab that hash. So I really apologize that you guys can't see it, but basically it's going to show the hash over there. At that point I'm going to grab the hash, and once I grab that hash, let me stop this. There are these scripts from Core Impact, these Python scripts that you can use. And what I do is, I've got the hashes. Hopefully you guys can see these hashes a little bit clearer. So what I'm going to do is I'm going to run a tool from Core Impact, and what it's going to do is pass that hash to the domain controller. Once it does that, what's going to happen is that I'll be able to extract the Active Directory information database. The way that this particular script does it is that it goes through the volume shadow copy. And once again, we can't see nothing. I'm so sorry.

One of the things that I was going to talk about, if you listen to the video: what this account does is that the hash of it creates all the Kerberos tickets. So once somebody gets on top of your domain controller, once they have this hash, they can make golden tickets where they can impersonate any user in your network and you will never know anything about it. So basically once the attacker gets to your domain controller, it's over. It's pretty much over. You can reset, you can do some things, but then there are other attacks you can do so that you can maintain persistence in the domain once you get to the domain controller. I'm just going to skip these videos already because I can't see nothing.

At this point I'm just going to start talking about forensic evidence. So there are two types of forensic evidence out there. You've got volatile and non-volatile evidence. Volatile stuff is, when you turn off the PC, it's gone forever.
So when you go to a PC or a server that you're going to grab evidence from, at the very least these are some of the things that I usually grab. The best thing is grabbing the RAM, or hibernating the box so you get a hiberfil, that's this file. If it's a VMware image, you could actually suspend the VM and use the VMEM file for it. For non-volatile stuff, at the very least, the best is to get a disk image. That's one of the best things to grab for non-volatile stuff. For VMware, just grab the VMDK.

For the analysis tools, for volatile stuff I've used FDPro and Mandiant Memoryze to dump memory. There are a bunch of other tools out there if you look at memory dumpers. To analyze memory: Volatility. Cool. It's free. It's the right size to actually do most of the analysis for most of the stuff that you need. Volatility is great. If you need to go deeper, HBGary Responder Pro, very expensive program, but like I said, most of the work you can do, most of the IOCs you want to find, you can find with Volatility, and it's free. $10,000 or free. For creating disk images, a lot of times you can use Linux to do it. Use dd to grab the image of it; really nice. Or you can use EnCase or FTK Imager. Those things are nice also. To analyze it, I kind of like the timeline. It's great. Puts everything together for you. EnCase and FTK, those are pricey things again.

What I'm going to start doing is showing you guys what kind of pieces of evidence I talked about, like the compromise stage and all those other stages. For this one over here, the compromise stage, in the security event log, if you guys turn this on, this is what you'll see.

Anytime somebody does something, you'll see a process creation, followed by, hey, who created that process, and what's the image of it, right here: what was the name of the file that was executed. Because this one over here, this was when I used Kali, I believe, to create a Meterpreter shell. That's what it looks like. It left this artifact out there.

For the compromise, part 2, what you can do is look at the disk for something called prefetch. Every time a computer program runs, this artifact is created in the prefetch for client systems. Server systems don't use prefetch. If you've got an SSD on a client system, there will be no prefetch; there will be no artifacts. For this one over here, this is what it looks like in EnCase for me when I look at it. Here are the MACE entries over there for the timestamps, and if you look on the left side, you'll see that, hey, ping was run along with PowerShell. That might be normal for some systems, but if you're talking about your admin assistant running these programs... Another thing that you can talk about: if you don't have the prefetch, how can you prove that something ran on your system?
Shim cache. It's actually called the application compatibility cache, but they nicknamed it the shim cache. The reason why it's nicknamed the shim cache is because of what it does. When you want to execute a program, the operating system takes a look at it and tries to shim it to work with the current operating system. The shimming process is saved in memory. That's usually saved in memory, and once the system powers down gracefully, notice the word gracefully, that part of memory is purged to disk, to the registry. So what you can do is you can parse it using Volatility if it's still in memory, and if the system's been shut down already, you can use something called RegRipper. It's a bunch of Perl scripts out there. It's free; free is good. And this is what it looks like in RegRipper over here. It's pretty cool because this one over here, it was from, what was this one from? I think this was also from when I used Metasploit. On this one over here you can see that the program, it tells you that this executable, right here, with this time, was executed on the system. One of those things that gives you proof that, hey, this actually ran on your system.

So another thing that you can use with Volatility is this thing called the malfind command. It's a pretty cool part of Volatility. It goes through walking memory looking for executables, so an MZ header. For people that don't know, MZ means that it's an executable. So what we have here is a program with something injected into it. So the first part, it's already hokey to begin with, and the second part is inside this hokey program, it's executable, there's another program nested within it. So these things are pretty cool because a lot of times if you use certain programs, you'll find it in dllhost. You'll see if somebody process hollowed and they put a program in there; you'll see that MZ header.

Back doors. A lot of times what I've seen is that some people, what they do is they just don't want to do anything special. They don't want to put any malware on the system. So what do you do? Make a user on the system. One of these things is that you can make a user and just say, get into the system later. I'll make a local user. Making a domain user is hard; making a local user is easy, because you've already compromised the system. What this log entry will tell you is, hey, which user created the back door, the time and date stamp. So that's pretty cool. A lot of people, some people will do this just to get around security.

Another thing that a lot of malware tends to do is they tend to put run keys out there. What the run keys will do is, when the system starts up, it'll execute their malware to do whatever it needs to do: call home, or open another port, or something. Another thing that happens also: a lot of people like to install services on the system. So when the services are on the system, what we can do is we can use RegRipper to find out, hey, when's the last time these services were created, and this way we can find any of the back doors that get left behind as the attacker's passing their hash through. A lot of times you just can't pass the hash in one day. That's why they're called APTs. They take several months to just keep on winding and winding through your network.

Okay, so when I talk about privilege escalation, we're talking about going all the way to the local system account. So usually when you pop a box using a Java exploit, or if a user clicks on, hey, your UPS bill has arrived .exe, usually they are users, you're in the user context. So what you have to do is you sometimes have to privilege escalate to the administrator account, and from the administrator account you can privilege escalate all the way to the local system account. You'll be able to scrape hashes. You have to be, you can't be an administrator, you've got to be the system account to scrape those hashes. Because of that, oh, by the way, somebody wanted to ask me how to do it in Kali, so
I actually put this in the slide deck. So if anybody wants to, basically you'll have to pop the box first, but once you're a user you can do these steps to escalate yourself all the way up to system.

Okay, so for privilege escalation, this is what it looks like when you privilege escalate on the system. This event ID by itself is not bad. Basically when you privilege escalate, you'll get a 4611 from the consent UI, and you'll get this little detail thingy over here. By itself it's not bad. When you patch your systems, you'll see this. Now the trick is looking at it. You say, hey, I got this, but where's my patching? And that's when you start looking for those artifacts to find out, hey, why did the consent UI get popped? You know, so those are the things. So forensically there's not one thing that says, you see this thing, it's bad. It doesn't work that way. You have to look at it and check the context of it.

On this one over here is where I'm scraping the hashes using something called the Windows Credential Editor. They like to use other people's tools, but they don't understand what happens behind the scenes. So if you have advanced logging, what happens is that certain artifacts get left in the event log. On this one over here, whenever you run the Windows Credential Editor, something gets left in the system event log, an event ID 7045. And when you do that, it'll tell you, hey, a service got installed running under the context of the local system, and it'll also tell you what program it is pointing at to run. So just remember that, you know, when somebody's running like off-the-shelf malware, Windows Credential Editor, you'll see these types of artifacts getting populated into your event log. But also just remember, though, in order to see this you have to turn up the logging from the default. If you don't turn up the logging from the default, you'll never see this event ID. Ooh, okay. Okay, I will not break with tradition. So once the Windows Credential Editor, the service being installed, the service starting, and the service stopping. So what they're doing is they're scraping the hashes as the system account. And so when they do it as a system account, what happens is, like I said before, you have to scrape hashes as system.

Oh shit, yes, Mimikatz, one of my favorite tools. I'm supposed to be a white hat, but Mimikatz is a really cool tool. If anybody has ever used Mimikatz, you know you can scrape hashes with it. Like over here, when I used Mimikatz: user, oh, knows, and his hash, right, NTLM hash. Now it's time to stop talking. Okay, all right, who knows what's going on here?

So, so we understand that it is your first time speaking at DEF CON. Well, congratulations. It's very tough to get in here. So how about a round of applause for the new speaker? Now, oh, I'm sorry, really? Wow. Not getting it.

So with Mimikatz, it's a pretty cool tool. When you use Volatility, one of the cool things you can do, there's this command called the consoles command. It's just like you're sitting right behind the person and watching everything they're typing. Okay, he just went on like nothing happened. That's just amazing. He'll be coming back, I'm pretty sure. So these tools, by the way, you can find them if you just google it. You can find it. You will, however, need to turn off the malware prevention part on your Google Chrome or your Firefox. They will not let you download this thing, for some odd reason. One of the cool things about this is, like I said, though, it'll scrape, it'll go through memory, it'll scrape stuff for you. One of the additional things that I've seen Mimikatz do that is really awesome: this is a process called the WDigest process. The WDigest process, if you'll notice here, I got that user. Here's my user, here's my domain, but look, there's my password. It's not encrypted. So it's kind of, Mimikatz has the ability to scrape plain text passwords from your system. So if you ever see Mimikatz on your system, nahhh. Okay, and please notice that on the consoles command, when you run Mimikatz it goes into its own shell.
Notice that the consoles command actually shows you what's going on inside that shell. So that's one of the cool things about the consoles command.

Another thing. Remember when I said one of the optional activities you guys can do is crack hashes? Many, many years ago I used John the Ripper, which is a CPU cracker. It took one weekend to crack a nine-character password, and it was a simple one, too. It just took one whole weekend, and I was like, oh my god, that's too long. And then I discovered something called oclHashcat. oclHashcat, here are the numbers off their box: if you use an Ubuntu 14.04 box using 8 Radeons, 8 of those Radeons, each Radeon is about 500 bucks. If you think about it, for about 10 to 20 grand you can crack hashes at 183 trillion cracks per second. That's awesome. To put it into context: 8-character passwords, 9 hours with just one box. If you have a cluster of these boxes, do what they call a meet-in-the-middle attack, 8-character passwords really quick. So scale it up to what a nation state could do and how fast they could crack something, and you start to see that this is kind of bad.

On this one over here I used the consoles command again to find how I reconned the boxes. So as soon as I compromised the box, what I did is I looked at certain artifacts on the box. Just because you have somebody's hash, you need to know where can I pass this guy's hash to. Some of the things I looked at is something called the Default.rdp. It saves the last place you actually RDP'd to. Why is that important? Think about it this way: if you can RDP into a box, more than likely you are the administrator of that server. Somebody that's doing recon... Another thing I look at is I look at shares. If I see you map to a dollar-sign share, you're probably admin on that box, so that's a box that I probably want to pass my hash to. Another thing that I usually do is I enumerate the domain, and I try to find out where every single domain controller is. In this environment there's only one domain controller, so this shows up over here and it tells me it's the PDC emulator. So there are these five roles that administrators know about. It's called the FSMO roles, flexible single master operations roles. One of them is the PDC emulator. If you're going to do a skeleton key attack, the PDC emulator is the best place to do it from, because what the skeleton key attack does is basically everybody has two passwords: their own, and the password that I set. And this is the best place, because usually once you do a skeleton key attack you get all these replication issues, but if you do it from the PDC emulator, there's less chance of that.

And one of my friends, I wanted to say where he's from, he actually showed me an APT, some of the commands that the APTs used to do. This kind of data is from 2011, from the timestamp on the side, but if you look at the commands that they're doing, what the APTs are doing is that they are looking at the domain. They're enumerating the domain, they're finding out who the domain admins are. You want to find those out. You want to find out where every controller is, you want to find out every computer out there and every user out there, because if you can find all the users and all that, you can find which people, which accounts are admins and stuff like that. So these are some of the things that people do for recon. All these commands, by the way, there are more, but you can still PowerShell and get the same things. You can still PowerShell on the Windows 7 box and get all this information here that this thing was doing.

Lateral movement. So some of the things that we do... Once somebody has compromised the box and passes hashes, they look like any other user. So that's the bad thing. Once they grab your hash, they look like you. You know, who knows, you could get busted for doing something you never did. Somebody can impersonate you. Once they have your hash, they can do whatever you can do. They can read your email, for all they care. If you
look at this one over here, the event ID 4624 logon. When you log into a system, you get these logon types: type 2 is interactive, 3 is network logons. Here's one of the things that a lot of people don't know: on the domain controllers, every time you log into the domain controller, what happens is that you have to get into the scripts directory to run the logon scripts. That results in a type 3 logon on the domain controller. So it makes it really hard if you're trying to trace whether it's the person logging in or if it's a real attacker doing stuff on your domain controller. Also, another thing too is that when you log into a system, it's a type 10. A lot of people like to do RDP pivots. Once you crack hashes, RDP pivoting is the way to go, because if you think about it, your IDS is not going to catch RDP. That's normal background stuff. A lot of people, what I've seen them do is, if they can crack your credentials and pass, they don't need to pass the hash. One of the things that I'm going to talk about is, on this one over here, it'll tell you which workstation you came in from and, you know, what IP. So that's how you can backtrack their lateral movement.

Okay, there are these other logs in Microsoft land. Usually people think of logs as the security, application, and system logs. Microsoft introduced a bunch more logs, and some of these logs I have listed over here. But what they list is, when you RDP into a box, they'll tell you who the user is, and here's the important part right here: they'll tell you what IP address they came from. So that's another way you can trace when somebody is pivoting in your network. Another thing too is that, with the RDP pivots, if you've got a person that's never ever used RDP before, when they use RDP, a Default.rdp file gets created, and in there it lists the last IP that they RDP'd to. So in that case you can find out where they've been to. You can also look at something called shellbags, which, I won't get into it, but what the shellbags can do is they'll tell you, you ever notice that when you RDP to another box and you keep on RDPing? Well, the same thing happens to an attacker that's using your box. All these shellbags are created, so you can find out where they've been.

And lastly, the last thing I'm going to talk about is something called the BMC cache. A lot of people don't know about this one, but when you RDP to a box, one of the things that it does is it stores these bitmap images so that it doesn't have to send them all over again. What we can do is we can actually parse that file and look at the picture of what the attacker was looking at. So I actually grabbed one of these pictures from something that I've seen before, and you can tell over here, this is prime for an attacker. Remember the thing I said about the dollar-sign shares? And the dollar-sign shares, next thing, if I saw this picture on a box that was compromised, I'm going to look at those boxes, because they've most likely been compromised. So it shows that the attacker might have been there. Another thing too is, do you see the user directory over there? Hey, if they switched user context, we could catch them. And if you look at the bottom, that's somebody's inbox in Microsoft Outlook, so that means that the attacker was reading that guy's email.

So in closing, these are some of the artifacts you can find when you pass the hash. You know, hopefully, if there's one thing that you want to take away from this, it's turn up logging. If you leave it at the default, you'll never see if somebody's going through your network. How much time do I have left? Seven minutes. Okay. Any questions?

No, then you'd privilege escalate up. No, you can. So what you would do is find a way to get from user to admin. You might use a zero day to move up to become an admin on that box and then move all the way up to local system. So, it does help, though. I'm going to tell you right now, taking admin, making sure that all your users are not admins on their boxes, really helps a lot. Most malware out there, they're
scripted so that they take advantage of the fact that most people are lazy and are admins on their boxes. So if you take, like, for all my kids, I don't have admin. And so I don't have admin, I don't have Flash, I don't have Java on mine. Everything I do, yeah, everything I do is in a VM. When I'm done looking at the stuff I need to look at, I roll it back. Now as far as the privilege escalation goes, yeah, it really helps, but to a determined attacker, it will not stop them. But it really helps against things like people that use automated malware like Zeus and stuff like that, banking malware. They usually don't go that extra step to make sure that they can compromise you beyond user. So which is good.

Yes, over here. Here's what, LAPS? I've never used that. I've used EMET; that probably works pretty good. How good is it to use LAPS, right? How efficient of a countermeasure is it to use LAPS? LAPS is pretty good. From what you've been explaining to me, it's a group policy that scrambles the local administrator account, right? So if it scrambles the local administrator account, basically you can't pass the hash from workstation to workstation, because the 500 account, the local admin account, is scrambled. But then that means also that nobody else can use it if it's scrambled. Like, a lot of people that are in IT, for some odd reason, they kind of fixate on that 500 account and they kind of like it, and that's one of the bad things. Last question, right there. Oh, okay. I didn't know that. I haven't been an admin for a while. So okay, and that concludes my thing. I think I'm out of time. Thank you for coming to listen to me.
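As an added example, not part of the talk or the speaker's material: a small Python script that runs the three event-log checks described above over exported Windows event records. It flags a domain admin logging on to a box that is not a domain controller (the intersection where the hash becomes scrapable), a System log 7045 service install running as LocalSystem whose image lives under a user profile or temp directory (the kind of artifact Windows Credential Editor leaves), and 4624 type 3/10 logons with their source workstation and IP so the pivot chain can be rebuilt. The event records are constructed for the example; the field names follow the Windows event data names, but the hostnames, account names, IP addresses and the service name and path are assumptions.

```python
"""Pass-the-hash artifact checks over exported Windows event records.

Added example for the talk transcript; not the speaker's code. The EVENTS
list below is constructed sample data shaped like a JSON export of the
Security and System logs (one dict per event, keys named after the event
XML data names). Hostnames, accounts, IPs and the service details are
assumptions made for the demo, not real telemetry.
"""
from collections import defaultdict

# Assumed inventory for the demo domain: who is a domain admin, which
# hosts are domain controllers. In practice this comes from AD, not a list.
DOMAIN_ADMINS = {"ima_domainadmin"}
DOMAIN_CONTROLLERS = {"WIN2K12DC"}

# Image paths under these folders are user-writable; a LocalSystem service
# pointing there is worth a second look (constructed heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed sample events (not real log data).
EVENTS = [
    # Domain admin at the console of the member server: hash now in LSASS there.
    {"Computer": "WIN2K8R2MEMBER", "Channel": "Security", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "ima_domainadmin",
     "WorkstationName": "WIN2K8R2MEMBER", "IpAddress": "-"},
    # Credential-dumper style service install on the client, running as SYSTEM.
    {"Computer": "WIN7CLIENT", "Channel": "System", "EventID": 7045,
     "ServiceName": "WCESERVICE",
     "ImagePath": "C:\\Users\\imauser\\AppData\\Local\\Temp\\wceaux.dll",
     "AccountName": "LocalSystem"},
    # Ordinary service install from a product installer; should not be flagged.
    {"Computer": "WIN7CLIENT", "Channel": "System", "EventID": 7045,
     "ServiceName": "gupdate",
     "ImagePath": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe",
     "AccountName": "LocalSystem"},
    # Admin hash passed from the member server to the DC (network logon).
    {"Computer": "WIN2K12DC", "Channel": "Security", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "ima_domainadmin",
     "WorkstationName": "WIN2K8R2MEMBER", "IpAddress": "10.0.0.20"},
    # RDP pivot from the client to the member server as the app admin.
    {"Computer": "WIN2K8R2MEMBER", "Channel": "Security", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "imauser",
     "WorkstationName": "WIN7CLIENT", "IpAddress": "10.0.0.10"},
]


def admin_logons_off_dc(events, domain_admins=DOMAIN_ADMINS,
                        dcs=DOMAIN_CONTROLLERS):
    """Domain admins logging on interactively (type 2 console or type 10
    RDP) to any host that is not a domain controller."""
    return [(e["Computer"], e["TargetUserName"], e["LogonType"])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] in (2, 10)
            and e["TargetUserName"].lower() in domain_admins
            and e["Computer"] not in dcs]


def suspicious_service_installs(events):
    """7045 service installs running as LocalSystem whose binary sits in a
    user-writable location, which legitimate installers rarely do."""
    hits = []
    for e in events:
        if e["EventID"] != 7045 or e["AccountName"] != "LocalSystem":
            continue
        path = e["ImagePath"].lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            hits.append((e["Computer"], e["ServiceName"], e["ImagePath"]))
    return hits


def lateral_movement_edges(events):
    """Per account, the (source workstation, source IP, target host, logon
    type) edges from network (3) and RDP (10) logons, in log order."""
    edges = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in (3, 10):
            continue
        edges[e["TargetUserName"].lower()].append(
            (e["WorkstationName"], e["IpAddress"], e["Computer"], e["LogonType"]))
    return dict(edges)


if __name__ == "__main__":
    for host, user, ltype in admin_logons_off_dc(EVENTS):
        print(f"[admin off DC] {user} type {ltype} on {host}")
    for host, svc, path in suspicious_service_installs(EVENTS):
        print(f"[7045 as SYSTEM] {host}: {svc} -> {path}")
    for user, hops in lateral_movement_edges(EVENTS).items():
        for src, ip, dst, ltype in hops:
            print(f"[pivot] {user}: {src} ({ip}) -> {dst} type {ltype}")
```

The checks only work if the logging the speaker describes is turned up; with default audit policy the 4624 records on the member server and the 7045 detail may simply not be there, and the script will report nothing.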