Exposing the Secrets of Windows Credential Provider
Presented By: Subrat Sarkar
Give me your password
Common Methods to Steal Password
• Reading registry hives - LM and NT password hashes for local accounts are stored in the Security Accounts Manager (SAM) database file.
• Injecting into LSASS - inject code into the existing LSASS process, so the code is able to call the necessary functions to read its memory structures.
• Reading LSASS's memory - recovering credentials from a memory dump file is supported in mimikatz.
• Decoding NTDS.DIT - LM and NT hashes for Active Directory domain accounts are stored in the Active Directory database file, NTDS.DIT.
Windows 7 Authentication Architecture
Logon Authentication
• Interactive Logon
  • Local Logon: A local logon requires that the user have a user account in the SAM on the local computer.
  • Domain Logon: A domain logon requires that the user have a user account in the domain's Active Directory.
• Network Logon
Interactive Local Logon
Interactive Domain Logon
Windows Interactive Logon Architecture
Windows Interactive Logon Component
Component                                        Description
Winlogon                                         Provides the interactive logon infrastructure.
Logon UI                                         Provides interactive UI rendering.
Credential providers (password and smart card)   Describe credential information and serialize credentials.
LSA                                              Processes logon credentials.
Authentication packages                          Include NTLM and Kerberos; communicate with server authentication packages to authenticate users.
Windows Credential Providers
LogonUI enumerates all of the credential providers registered under HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
The provider DLL should implement the following two COM interfaces:
1. ICredentialProviderCredential
2. ICredentialProvider
Credential serialization: ICredentialProviderCredential::GetSerialization
Live Demo
Disable Credential Provider
• Method 1: Using Group Policy.
  • Open the local Group Policy editor, navigate to Computer Configuration -> Administrative Templates -> System -> Logon, and find the policy "Exclude credential providers" on the right side.
  • Right-click Exclude credential providers, click Edit, click Enabled, and enter the comma-separated CLSIDs of the credential providers to exclude during authentication.
  • Click OK to save the changes.
• Method 2: Using the Registry.
  • Open Registry Editor, then navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
  • Right-click the CLSID of the provider, select New -> DWORD (32-bit) Value, name the value Disabled, then set the value data to 1.
  • The provider will be disabled in the next session created during log off, switch user, or reboot.
• Sysinternals Autoruns
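An added audit script (not from the slides) that ties the enumeration and disable steps above together: it walks the registry key LogonUI enumerates, resolves each CLSID to the DLL that would be loaded into the logon session, and flags providers that are unsigned or live outside System32. It assumes an elevated Windows PowerShell session, the built-in Get-AuthenticodeSignature cmdlet, and the Disabled DWORD convention described on the slides.

```powershell
# Added audit example, not the presenter's code. Assumes elevated rights to read
# HKLM and HKCR, and that a provider with Disabled=1 is skipped by LogonUI.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderAudit {
    foreach ($key in Get-ChildItem -Path $ProviderKey) {
        $clsid    = $key.PSChildName                 # e.g. {GUID} subkey name
        $props    = Get-ItemProperty -Path $key.PSPath
        $disabled = ($props.Disabled -eq 1)          # registry override from Method 2

        # The DLL LogonUI loads for this provider is the InprocServer32 default value.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables($raw)
        }

        # Check the Authenticode signature of the on-disk binary.
        $sigStatus = 'NoDll'
        $signer    = $null
        if ($dll -and (Test-Path -Path $dll)) {
            $sig       = Get-AuthenticodeSignature -FilePath $dll
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # An enabled provider that is unsigned or outside System32 deserves a look.
        $inSystem32 = $dll -and $dll.StartsWith("$env:SystemRoot\System32", 'OrdinalIgnoreCase')
        $suspicious = (-not $disabled) -and (($sigStatus -ne 'Valid') -or (-not $inSystem32))

        [PSCustomObject]@{
            CLSID      = $clsid
            Name       = $props.'(default)'
            Dll        = $dll
            Disabled   = $disabled
            Signature  = $sigStatus
            Signer     = $signer
            Suspicious = $suspicious
        }
    }
}

Get-CredentialProviderAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Suspicious rows are the ones to compare against the Autoruns output and, if unwanted, disable with the Disabled DWORD from Method 2.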