Exposing the Secrets of Windows Credential Provider

Transcript of Exposing the Secrets of Windows Credential Provider

Page 1: Exposing the Secrets of Windows Credential Provider

Exposing the Secrets of Windows Credential Provider

Presented By: Subrat Sarkar

Give me your password

Page 2: Exposing the Secrets of Windows Credential Provider

Common Methods to Steal Passwords

• Reading registry hives - LM and NT password hashes for local accounts are stored in the Security Accounts Manager (SAM) database file.
• Injecting into LSASS - inject code into the existing LSASS process, so the code is able to call the necessary functions to read its memory structures.
• Reading LSASS's memory - recovering credentials from a memory dump file is supported in mimikatz.
• Decoding NTDS.DIT - LM and NT hashes for Active Directory domain accounts are stored in the Active Directory database file, NTDS.DIT.

Page 3: Exposing the Secrets of Windows Credential Provider

Windows 7 Authentication Architecture

Page 4: Exposing the Secrets of Windows Credential Provider

Logon Authentication

• Interactive Logon
  • Local Logon: A local logon requires that the user have a user account in the SAM on the local computer.
  • Domain Logon: A domain logon requires that the user have a user account in the domain's Active Directory.
• Network Logon

Page 5: Exposing the Secrets of Windows Credential Provider

Interactive Local Logon

Page 6: Exposing the Secrets of Windows Credential Provider

Interactive Domain Logon

Page 7: Exposing the Secrets of Windows Credential Provider

Windows Interactive Logon Architecture

Page 8: Exposing the Secrets of Windows Credential Provider

Windows Interactive Logon Components

Component                                      | Description
-----------------------------------------------|-------------------------------------------------------------------------------------------
Winlogon                                       | Provides the interactive logon infrastructure.
Logon UI                                       | Provides interactive UI rendering.
Credential providers (password and smart card) | Describe credential information and serialize credentials.
LSA                                            | Processes logon credentials.
Authentication packages                        | Include NTLM and Kerberos. Communicate with server authentication packages to authenticate users.

Page 9: Exposing the Secrets of Windows Credential Provider

Windows Credential Providers

LogonUI enumerates all of the credential providers registered under HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.

The provider DLL must implement the following two COM interfaces:
1. ICredentialProviderCredential
2. ICredentialProvider

ICredentialProviderCredential::GetSerialization - the method LogonUI calls on the selected credential to obtain the serialized credential (user name and password) that is handed to LSA for authentication. Any registered provider that reaches this point therefore handles the plaintext password the user typed.

Page 10: Exposing the Secrets of Windows Credential Provider

Live Demo

Page 11: Exposing the Secrets of Windows Credential Provider

Disable Credential Provider

• Method 1: Using Group Policy.
  • Open the Local Group Policy Editor and navigate to Computer Configuration -> Administrative Templates -> System -> Logon, then find the policy Exclude credential providers on the right side.
  • Right-click Exclude credential providers, click Edit, click Enabled and enter the comma-separated CLSIDs of the credential providers to exclude during authentication.
  • Click OK to save the changes.
• Method 2: Using the Registry.
  • Open Registry Editor, then navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
  • Right-click the CLSID of the provider, select New -> DWORD (32-bit) Value, name the value Disabled, then set the value data to 1.
  • The provider is disabled in the next session, i.e. the one created by log off, switch user, or reboot.
• Sysinternals Autoruns (lists the registered credential providers, so an unexpected one can be spotted).
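The registry enumeration on page 9 and the "Disabled" DWORD method on this page can be combined into a small audit script. The following PowerShell is an added example written for this transcript, not code from the presentation or from Microsoft: it walks the Credential Providers key, resolves each CLSID to its DLL through HKCR\CLSID\{clsid}\InprocServer32, checks the DLL's Authenticode signer, and flags enabled providers whose DLL is not Microsoft-signed. The function names Get-CredentialProviderAudit and Disable-CredentialProvider are hypothetical; the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the presentation): audit the credential providers
# registered on this machine and, optionally, disable one by CLSID using the
# same "Disabled" DWORD the slides describe. Run from an elevated PowerShell.

$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderAudit {
    # Enumerate every registered provider CLSID, resolve its implementing DLL
    # via HKCR\CLSID\{clsid}\InprocServer32, and report whether it is disabled
    # and who signed the DLL.
    Get-ChildItem -Path $cpKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $inproc) {
            # The key's default value is the DLL path, often using %SystemRoot%
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }
        $signer = $null
        if ($dll -and (Test-Path $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.Status -eq 'Valid') {
                $sig.SignerCertificate.Subject
            } else {
                "UNSIGNED/$($sig.Status)"
            }
        }
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $props.'(default)'       # provider name stored as the key's default value
            Dll      = $dll
            Disabled = ($props.Disabled -eq 1)  # the DWORD described on this slide
            Signer   = $signer
        }
    }
}

function Disable-CredentialProvider {
    param([Parameter(Mandatory)][string]$Clsid)
    # Set Disabled=1 under the provider's CLSID key; takes effect at the next
    # logon session (log off, switch user, or reboot), as the slide notes.
    $path = Join-Path $cpKey $Clsid
    if (-not (Test-Path $path)) { throw "No credential provider registered with CLSID $Clsid" }
    New-ItemProperty -Path $path -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report enabled providers whose DLL is missing, unsigned, or not signed by
# Microsoft: the first thing to look at when checking for a rogue provider.
Get-CredentialProviderAudit |
    Where-Object { -not $_.Disabled -and $_.Signer -notlike '*Microsoft*' } |
    Format-Table -AutoSize
```

A provider that shows up with an unexpected DLL path or a non-Microsoft (or invalid) signature can then be switched off with Disable-CredentialProvider -Clsid '{...}' using the CLSID from the report, which writes the same Disabled value the manual steps above create.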
