We study Adversarial Tactics, Techniques & Common Knowledge (ATT @ CK). Enterprise Tactics. Part 6

    Retrieving credentials (Credential Access)

    Links to all parts:
    Part 1. Obtaining initial access (Initial Access)
    Part 2. Execution (Execution)
    Part 3. Consolidation (Persistence)
    Part 4. Privilege Escalation
    Part 5. Defense Evasion
    Part 6. Obtaining credentials (Credential Access)
    Part 7. Discovery (Discovery)
    Part 8. Lateral Movement

    Having obtained the credentials, the attacker gains access or even control over the system, domain or service (technological) accounts. The adversary is likely to attempt to acquire legitimate credentials of user and administrative accounts in order to identify himself in the system and obtain all the permissions of the captured account, thereby making it harder for the defense party to detect malicious activity. The enemy can also, if possible, create accounts for the purpose of their subsequent use in the attacked environment.

    The author is not responsible for the possible consequences of the application of the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free recount of MITER ATT & CK content .

    Account Manipulation (Account Manipulation)

    System: Windows
    Permissions: Administrator
    Description: Manipulating user accounts is aimed at maintaining a certain level of access rights in the attacked environment. Manipulations involve changing permissions, account settings and how to authenticate it, adding or changing access groups. The actions of an attacker can be aimed at undermining security policies, such as password expiration, in order to prolong the life of compromised accounts. To create or manage accounts, the adversary must already have sufficient permissions in the system or domain.

    Protection recommendations:Use multi-factor authentication. Protect domain controllers by restricting access to these systems. Eliminate the use of domain administrator accounts in unprivileged systems and for day-to-day operations that may contribute to their compromise.

    Bash history

    System: Linux, macOS
    Permissions: User
    Description: Bash keeps track of commands executed by the user using the History utility. When the user logs out, the history is saved to the file ~ / .bash_history . As a rule, this file contains the last 500 user commands. Often, in the command parameters the user specifies the username and password, which will also be saved in ~ / .bash_history when the user logs off. Attackers can view the ~ / .bash_history files of various system users in the hope of getting their credentials.

    Security Tips: There are several ways to prevent the command history from being written to a file.~ / .bash_history :
    set + o history - disable recording;
    set -o history - resume recording;
    unset HISTFILE — add to bash_rc file;
    ln -s / dev / null ~ / .bash_history — write command history to / dev / null .

    Brute force or exhaustive search (Brute Force)

    System: Windows, Linux, macOS
    Permissions: User
    Description:An adversary can use password recovery tools when credentials are unknown or when he fails to get a password hash. Opponents can use systematic selection techniques, calculating the appropriate cache or using rainbow tables. Hacking is usually done outside the attacked system. Without knowing the password, attackers may try to log in using an empty password value or a value from the list of possible passwords. Depending on the password policy, such actions can lead to numerous authentication errors and account lockout, so the adversary can use so-called password dispersal (password sraying), the essence of which is to search for the most popular or probable passwords with different accounts. This reduces the chance of blocking,

    Security Tips : Apply account blocking policies after a certain number of failed login attempts. Consider using multifactor authentication. Follow the recommendations to prevent unauthorized access to existing accounts (see protection recommendations for the “ Valid accounts ” equipment ) .

    Credential Dumping

    System: Windows, Linux, macOS
    Permissions: Administrator, System, root
    Description: Dumping credentials ( eng. Dumping - "waste disposal" ) - the process of obtaining logins and passwords, usually in the form of a hash or text password from the operating system or software The credential dumping tools can be used by both attackers and security testers.

    SAM (Account Manager)
    SAM is a database of local host accounts. Typically, SAM stores accounts that are shown by the " net user " command.". To read SAM you need system level access. There are many tools for extracting SAM data from memory:
    pwdumpx.exe ;
    gsecdump ;
    Mimikatz ;
    secretdump.py .

    You can extract the SAM file from the registry using the REG utility: Next Creddump7 will help extract hashes from SAM database Note: Rid 500 is an embedded local administrator account Rid 501 is a guest account. User accounts start with Rid 1000+ . Cached credentials (DCC2)
    reg save HKLM\sam sam;
    reg save HKLM\system system.

    Domain Cached Credentials v2 (DCC2) is a credential cache used in Windows Vista and later to authenticate a user when a domain controller is unavailable. The number of cached accounts can be individually for each system. This hash is not subject to pass-the-hash attacks . To retrieve a SAM file from memory, use the following. tools:
    pwdumpx.exe ;
    gsecdump ;
    Mimikatz ;
    Alternatively, Reg or Creddump7 can also be used. Credential caching in Windows Vista is performed using PBKDF2 (the standard for generating a key from a password).

    Local Security Authority (LSA) Secrets
    LSA Secrets are cached credential repositories in which the system stores credentials, including user passwords, service accounts, InternetExpolorer passwords, SQL and other private data, such as encryption keys for cached domain passwords. With System level permissions, you can access LSA Secrets stored in the registry:
    HKEY_LOCAL_MACHINE \ SECURITY \ Policy \ Secrets .
    When services start in the context of a local or domain account, their passwords are stored in the registry. If automatic login is enabled, private account information is also stored in the registry. By analogy with the previous dumping methods, all the same tools are used to attack LSA Secret:
    pwdumpx.exe ;
    gsecdump ;
    Mimikatz ;
    The SAM file can be extracted from the registry using the REG utility, and credentials using the Creddump7. Passwords extracted from LSA Secret are encoded in UTF-16, i.e. plain text. In Windows 10, additional security measures LSA Secret are applied.

    NTDS from Domain Controller
    For authentication and authorization, AD stores information about domain members — devices and users. The AD database is stored by default on a domain controller in the % SystemRoot% \ NTDS \ Ntds.dit file .
    The following methods and tools are used to extract hashes from the AD database:
    • Volume Shadow Copy (shadow copy of the volume);
    • ntdsutil.exe;
    • secretdump.py;
    • Invoke-NinjaCopy

    Group Policy Preference (GPP) Files
    GPP or Group Policy Preferences are XML files that describe various parameters of domain policies, such as mounting a network drive in the context of a specific account or presetting local accounts in domain systems. Such files may contain credentials. Group policies are stored in the SYSVOL domain controller, so any user can read GPP files and try to decrypt the passwords contained in them using the following. tools:
    • Metasploit (post / windows / gather / credentials / gpp);
    • Get-GPPPassword;
    • gpprefdecrypt.py.

    To identify all the XML-files on SYSVOL share, you can use the command:
    dir /s *.xml.

    Service Principal Names (SPNs)
    see the Kerberoasting

    Plaintext Credentials technique
    After the user is logged in, a lot of credentials are generated, which are stored in the Local Authority Subsystem Service (LSASS) process. These credentials can be collected by the administrator or System.

    SSPI (Security Support Provider Interface) provides a common interface for several Security Support Providers (SSPs). SSP are software modules (DLLs) containing one or more authentication and cryptography schemes that are loaded into the LSASS process at system startup.

    Some SSPs can be used to obtain credentials:
    • Msv: interactive login to the system, login as a batch job (batch logon), for example, launch tasks of the Task Scheduler service, login to the system as a service through the MSV authentication package;
    • Wdigest: Digest Authentication Protocol is designed for network authentication using the HTTP and SASL (Simple Authentication Security Layer);
    • Kerberos: provides domain authentication in Windows 2000 and later versions;
    • CredSSP: SSO (Single Sign-On - single sign-on allows users to authenticate once and access resources without entering credentials) and Network Level Authentication (used for authentication in Remote Desktop Services).

    Tools for obtaining credentials:
    Windows credential Editor;
    • Mimikatz.

    A dump of the LSASS process can be saved for later analysis in another system.
    The following command is executed on the target host:
    procdump -ma lsass.exe lsass_dump

    Next, Mimikatz: is started on another system . DCSync
    securlsa::Minidump lsassdump.dmp

    DCSync is a form of dumping credentials from a domain controller. By abusing the domain controller API, instead of using malicious code that can be identified, an attacker can imitate the replication process from a remote domain controller. Members of Administrators, Domain Admins, Enterprise Admins, or computer accounts can run DCSync to retrieve password information from AD, which can include domain account hashes such as the Key Distribution Center Service Account (KRBTGT) used in Windows 2000 for the Key Distribution Center service. and Administrator. Then hashes can be used to create a Golden Ticket and to conduct an Pass the Ticket attack or change the password within account manipulation (Account Manipulation). DXSync functionality is included in the lsadump module, part of Mimikatz. Lsadump also supports NetSync for replication over the legacy protocol.

    File System Proc

    Proc is a special file system in a Unix-like OS that presents information about processes and other system information in the form of a hierarchical pseudo-file structure (files exist not on a disk, but in RAM), which acts as an interface for interacting with the OS kernel space. Processes running as root can clear the memory of other running programs. If the program stores in its memory passwords in clear text or as a hash, these values ​​can be extracted from \ Proc for further use or an attempt to recover the password from the hash. Gnome Keyring, sshd and Apache use memory to store such authentication “artifacts.” The above functionality is implemented in an open source tool - MimiPenguin,

    Security Tips :
    Try to track access to LSASS and SAM by the tools allowed in the protected system. Restrict account rights in various systems and network segments in order to prevent an attacker from moving through the protected network in the event of receiving passwords and hashes. Ensure that the local administrator credentials have complex and unique passwords on all systems and network segments. Do not place user or domain administrator accounts in local administrator groups on different systems, because this is equivalent to the fact that all administrators have the same password. Follow Microsoft's recommendations for corporate network development and administration.. In Windows 8.1 and Windows Server 2012 R2, enable LSA (Protected Process Light) process security.

    Identify and block potentially dangerous and malicious software that can be used to get credential dumps.

    In Windows 10, a new mechanism is used to protect LSA Secrets - Credential Guard in Windows Defender. With its appearance, the LSA process does not store private data in memory, but interacts with a new component — an isolated process that is responsible for storing and protecting LSA Secrets. Data stored in an isolated process is protected by virtualization and is not accessible to the rest of the operating system. LSA interacts with an isolated process using remote procedure call (RPC). Credential Guard is not configured by default and has hardware and software requirements. However, it is also not an absolute protection against all forms of dumping credentials.

    Manage Replicating Directory Changes access and other permissions related to domain controller replication. Consider disabling or limiting NTLM traffic. Consider the need to monitor the processes and arguments of program launch commands that may act as indicators for dumping credentials. For example, remote access tools may contain tools such as Mimikatz or PowerShell scripts such as Invoke-Mimikatz PowerSploit.

    Monitor the replication logs of domain controllers for unscheduled replications or replication requests. Also monitor traffic containing requests for replication from third-party IP addresses.

    To get passwords and hashes from memory, the process should open the file / proc / PID / maps on the systemwhere PID is a unique process pid. AuditD monitoring tool can be used to identify hostile processes that open this file and warn about the pid, process name and other arguments of the monitored program.

    Credentials Files (Credentials in Files)

    System: Windows, Linux, macOS
    Permissions: Administrator, System, root
    Description: Attackers can search files containing passwords in local file systems and remote shared folders. These can be user-created files for storing their own credentials, shared credential storage for a group of people, configuration files containing passwords for systems or services, source code files, and binary files containing passwords.
    Using credential dumping tools, passwords can also be extracted from backups, images and snapshots of virtual machines. In addition, passwords may be contained in Group Policy settings (GPP) files stored on a domain controller.

    Protection recommendations:Use organizational measures that prohibit storing passwords in files. Ensure that developers and system administrators are aware of the risks associated with storing passwords in clear text in software configuration files. Periodically monitor the presence of files on your system that contain passwords and then delete them. Restrict the sharing of files in certain directories by granting permissions only to the necessary users. Delete GPP files that contain vulnerable group policy settings.

    Credentials in Registry

    System: Windows
    Rights: User, Administrator
    Description: Attackers can search the Windows registry for credentials and passwords that are stored there for use by programs or services, sometimes credentials are stored for automatic login. Examples of commands for searching password information: Security recommendations: Do not store credentials in the registry. Monitor the registry for credentials. When it is necessary to store credentials, the software must restrict their permissions in order to prevent the possibility of their abuse.
    reg query HKLM /f password /t REG_SZ /s
    reg query HKCU /f password /t REG_SZ /s

    Exploit for Credential Access Exploits

    System: Windows, Linux, macOS
    Permissions: User
    Description: Errors made by developers of authentication and authorization mechanisms may cause software vulnerabilities in which an attacker can gain unauthorized access to credentials. For example, bulletin MS14-068 describes a vulnerability in the Kerberos protocol, with which an attacker can fake Kerberos tickets using domain user rights. Exploiting vulnerabilities to obtain credentials can also be used to elevate privileges.

    Protection recommendations:Regularly update software using centralized management of installation updates for workstations and servers of the enterprise. Develop and implement a process to identify and analyze cyber threats within which threats relevant to your enterprise will be determined. Use sandboxes, virtualization tools and microsegmentation to make it more difficult for an attacker to advance through exploitation of vulnerabilities. In Windows, tools are available to detect activity associated with the exploitation of vulnerabilities, we are talking about Windows Defender Exploit Guard (WDEG) and the Enchanced Mitigation Experience Toolkit (EMET). Another way to prevent exploitation of vulnerabilities is through the use of Control-flow integrity (CFI). CFI is the generic name for methods aimed at limiting the possible ways of executing a program within a predefined control flow graph. However, many protection methods may not work if the malware is designed to protect against protective measures, it also depends on the architecture of the program being analyzed and its binary files.

    Forced Authentication

    System: Windows
    Permissions: User
    Description:Server Message Block (SMB) is commonly used for authentication and communication between windows systems in the context of resource sharing and network file folders. When Windows tries to connect to a remote system via SMB, it automatically tries to authenticate the user and sends the current user credentials to the remote system, so the user does not need to enter credentials to gain access to network resources, which is typical of the corporate environment. As a backup resource sharing protocol, in case of failure of the SMB infrastructure, the Web Distributed Authoring and Versioning (WebDAV) protocol can be used, which is an extension of the HTTP protocol and usually works through TCP ports 80 and 443.

    By invoking SMB forcible authentication, attackers can abuse the behavior of the system being attacked while connecting to a remote system and receive account hashes. Using a phishing technique, the enemy can send the victim a link to a controlled external resource or place a special file on the desktop or on a shared resource. When the user system accesses an unreliable resource, it will attempt to authenticate and send the current user’s hash credentials via SMB to the remote server. Having received a hash, an attacker can perform offline brute-force and get the credentials in clear text or use them for Pass-the-Hash attacks.

    Consider the most popular ways to invoke forced SMB authentication:
    • Phishing attachment containing a document with active content, which is automatically loaded when you open the document. The document may include a file [:] // request [remote address] /Normal.dotm/, which initiates SMB authentication.

    • A modified .lnk or .SCF file (Windows Explorer Command File) containing an external link \ [remote address] \ pic.png in the properties instead of the path to the file's icon. Thus, the system will try to download the file icon and open the link.

    Protection recommendations:Block outgoing SMB traffic sent outside the corporate network by filtering and blocking TCP ports 139, 445 and UDP port 137. Filter and block WebDAV traffic out of the corporate network. If access to external resources via SMB and WebDAV is necessary, then limit external connections using whitelists.


    System: Windows
    Permissions: Administrator, System
    Description: The Windows API functions are usually stored in DLL libraries. The interception technique is to redirect calls to API functions through:

    • Hook procedures are built-in procedures in the OS that execute code when calling various events, such as pressing keys or moving a mouse;

    • Modifications of the address table (IAT), in which the pointers to the API functions are stored. This will “deceive” the attacked application by forcing it to launch the malicious function;

    • Directly changing a function (splicing), during which the first 5 bytes of the function are changed, instead of which the transition to a malicious or other function defined by the attacker is inserted.

    Like injections, attackers can use hooking to execute malicious code, disguise its execution, access the memory of the attacked process, and elevate privileges. Attackers can capture API calls that include parameters that contain authentication data.
    Hooking is usually used by rootkits to hide malicious activity in the system.

    Protection recommendations:Interception of events in the OS is part of the normal operation of the system, so any restriction of this functionality may adversely affect the stability of legitimate applications, such as antivirus software. Efforts to prevent the use of interception techniques need to be focused on the earlier stages of the killchain chain. You can detect malicious hooking activity by monitoring calls to the SetWindowsHookEx and SetWinEventHook functions, using rootkit detectors, analyzing abnormal behavior of processes, such as opening network connections, reading files, and so on.

    Input Capture

    System: Windows, Linux, macOS
    Permissions: Administrator, System
    Description: Attackers can use the means of capturing user input in order to obtain the credentials of existing accounts.
    Key logging is the most common type of user input capture that includes many different ways to intercept keystrokes, but there are other methods for obtaining target information such as calling a UAC request or writing a shell for the default credential provider (Windows Credential Providers). Key logging is the most common way to steal credentials, when the use of credential dumping techniques is inefficient and the attacker is forced to remain passive for a certain period of time.

    In order to collect user credentials, an attacker can also set codes on external corporate portals, such as the VPN login page. This is possible after the portal or service has been compromised by obtaining legitimate administrative access, which in turn could be organized to provide backup access during the initial access and consolidation stages in the system.

    Security Tips : Ensure that you identify and block potentially dangerous and malicious software using AppLocker-like tools or software restriction policies. Take measures to reduce damage in the event that attackers obtain their credentials.

    Follow Microsoft’s corporate network design and management guidelines (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#anamenameaebmaesae- administrative-forest-design-approach).

    Keyloggers can modify the registry and install drivers. Commonly used API functions are SetWindowsHook, GetKeyState, GetAsyncKeyState. API function calls alone cannot be keylogging indicators, but in combination with analyzing registry changes, detecting driver installations and new disk files may indicate malicious activity. Monitor the appearance of the registry user credential providers (the Custom Provider Credential cmdlet):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.

    Input Prompt

    System: macOS
    Permissions: User
    Description: When running programs that require elevation of privileges, the operating system usually prompts the user for the appropriate credentials. Attackers can mimic this feature to request credential input using a standard request form. This form of requesting credentials can be triggered using AppleScript: An

    set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "")

    attacker will trigger a request to enter credentials by mimicking the normal behavior of the OS, for example, a fake installer or a malware removal package requires confirmation of the appropriate credentials.

    Protection recommendations:Provide user training so that they know which programs can request permission and why. Set up a mandatory check of running AppleScript scripts for signatures of a trusted developer.


    System: Windows
    Permissions: User
    Description: Each service instance has a unique identifier - Service Principal Name (SPN), which is used for authentication with Kerberos. The SPN should be associated with only one account; the service installer writes the SPN to the account properties in AD.

    The attackers who have a valid Kerberos ticket-granting ticket (TGT) can request the Kerberos ticket-granting service (TGS) one or more service tickets to interact with any SPN registered on the domain controller. Service ticket items can be encrypted with the RC4 algorithm, so Kerberos 5 TGS-REP etype 23, which contains the password hash of the account associated with the target SPN and used as a private key (see Kerberos description) is vulnerable and can be cracked through brute force. The same attack can be performed using service tickets derived from network traffic. Having cracked a received hash, an adversary can use a valid account to secure it in the system, escalate privileges, or further advance through the network.

    Security Tips : Use complex and long passwords (ideal 25+ characters) for service accounts and ensure that they change. Starting from Windows Server 2012, Group Managed Service Accounts (gMSA) technology is available, which is designed to automatically change the password of service (technological) accounts with the possibility of their simultaneous use on several servers. Alternatively, consider using third-party password vaults.

    Restrict account rights by providing the minimum required privileges, exclude membership of accounts in privileged groups such as Domain Admins.
    If possible, turn on AES Kerboros encryption or another stronger encryption algorithm, eliminating the use of RC4.

    Enable Kerberos Service Ticket Operations Auditing for logging Kerberos TGS ticket requests. Explore abnormal activity patterns, for example, Event ID 4769 events — accounts that perform multiple requests for a short period of time, especially if they requested RC4 encryption (Ticket Encryption Type: 0x17).


    System: macOS
    Privileges: root
    Description: Keychain (English "keychain") is a storage of user accounts and passwords built into macOS for a variety of services and features, such as WiFi, websites, secure notes, certificates and Kerberos. Keychain files are located in:
    ~ / Library / Keychains;
    • / Library / Keychains;
    • / Network / Linrary / Keychains /.

    The security console utility built into macOS by default provides a convenient way to manage credentials.
    To manage their credentials, users must use an additional account that provides access to their keychain. If the attacker knows the credentials from the user's keychain, he can gain access to all other credentials stored in this user's keychains. By default, the current user account is used to login to Keychains.

    Security Tips : Unlocking a user's Keychains and using passwords from it is a common process that will not go unnoticed by means of detecting malicious activity.

    Poisoning LLMNR / NBT-NS (LLMNR / NBT-NS Poisoning)

    System: Windows
    Permissions: User
    Description: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are protocols included in all versions of Windows that serve as an alternative way to identify a host. LLMNR is based on the DNS format and resolves the network names of neighboring computers without using DNS. NBT-NS identifies the system on the local network by its NetBIOS name.

    An attacker can fake a trusted source of name resolution that will respond to LLMNR (UDP5355) / NBT-NS (UDP137) traffic so that the victim communicates with the enemy-controlled system. If the requested host requires identification / authentication, the username and NTLMv2 hash of the current user of the victim host will be sent to the enemy-controlled system. Thus, an attacker using a network sniffer can collect transferred hashes and then offline try to get passwords from them using brute-force tools.
    There are several tools that can be used to attack names in local area networks: NBNSpoof, Metasploit and Responder.

    Protection recommendations:Consider possibly disabling LLMNR and NBT-NS in local host security settings or using group policy. Use local security tools that block LLMNR / NBT-NS traffic.
    Check that LLMNR disabled in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast=dword:00000000.
    If LLMNR / NBT-NS is disabled by security policy, then the traffic monitoring of ports UDP5355 and UDP137 will help detect the attack.

    Network Sniffing

    System: Windows, Linux, macOS
    Description: An attacker can use the network interface in promiscuos mode (“illegible” mode), in which the network card will accept all packets regardless of whom they are addressed to or use span ports (mirroring ports) to capture large amounts of data transmitted over wired or wireless networks.
    Data captured during sniffing may contain credentials sent via unprotected connections without the use of encryption protocols. Various attacks on network services of the LLMNR / NBT-NS type of poisoning by redirecting traffic can also be used to collect credentials on websites, proxy servers and internal systems.

    While listening to the network, the adversary can also reveal various configuration information (running services, version numbers, IP addresses, host names, VLAN ID, etc.) necessary for further network propagation and / or circumvention of security features.

    Security Tips: Ensure that the wireless traffic is properly encrypted. Whenever possible, use Kerberos, SSL and multifactor authentication. Monitor network switches for use of span ports, ARP / DNS poisoning, and unauthorized configuration changes to the router.
    Use tools to detect and block potentially dangerous software that can be used to intercept and analyze network traffic.

    Password Filter DLLs

    System: Windows
    Permissions: Administrator, System
    Description: Windows password filters are mechanisms for applying password policies for domain and local accounts. Filters are implemented in the form of DLL libraries containing methods for checking whether passwords comply with security policy requirements. Password filter DLLs are hosted on local account hosts and domain controllers for domain accounts.

    Before registering new passwords with Security Accounts Manager (SAM), the Local Security Authority (LSA) service requests a password check with each password filter registered in the system. Any potential changes will not take effect. Each filter will not confirm the success of the test.

    An attacker can register malicious password filters on the system in order to collect credentials. Filters receive passwords in clear text from LSA to perform a complexity check. Malicious filters will receive credentials in clear text with each password request.

    Security Tips: Ensure that only valid password filters are registered on your system. DLL default filters are stored in the C: \ Windows \ System32 \ and must have an entry in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\[Notification Packages].
    Newly installed password filters take effect after a system restart, appear in autorun and are loaded into lsass.exe

    Private Keys

    System: Windows, Linux, macOS
    Permissions: User
    Description: Private keys and certificates are used for authentication, encryption / decryption and digital signatures.
    An attacker can collect secret keys on compromised systems for further use when authenticating with remote connection services such as SSH or decrypting other collected files, such as email data files.

    Key and certificate files have extensions such as .key, .pgp, .gpg, .ppk, .P12, .pem, .pfx, .cer, p7b, .asc . An adversary can search for files in key directories, for example ~ / .ssh on * nix-systems or C: \ Users (username.ssh) \ on Windows.

    In the process of using private keys, they must request a password or a passphrase, so the adversary can simultaneously use input capture techniques for keylogging or try to pick up a passphrase offline.

    Security Tips: Use complex pass phrases to make it harder to break secret keys. Store keys on external cryptographic media whenever possible. Make sure that access to critical resources is open only to authorized keys and regularly check access lists.

    Make sure the permissions are correct in folders containing secret keys. Use isolated infrastructure to manage critical systems to prevent user account conflicts and permissions that can be used to navigate the network. Follow the recommendations on protection from existing account abuses by the technician.

    Monitor access to files and directories associated with cryptographic keys and certificates, and audit the authentication logs, identifying abnormal actions indicating improper use of keys or certificates for remote authentication.

    Hacking a password chain in OS X (Securityd Memory)

    System: macOS
    Privileges: root
    Description: In OS X to EL Capitan version, root users can read the passwords of logged in users from Keychain in plain text. This is due to the fact that for the convenience of users, Apple allows the system to cache credentials in order not to ask users to re-enter them every time they need.

    Passwords stored in the Keychain bundle are repeatedly encrypted using a set of keys. The keys, in turn, are encrypted with other keys stored in the same file, like a Russian nesting doll. The master key, which can open the external matryoshka and cascade-start the decryption of the next matryoshka, is something other than the password encrypted with PBKDF2, with which the user logged in. Thus, to read the first password in the user password chain, you need its login password or master key. Operations with keychain are handled by the securityd process, for which a master key is stored in its memory.

    The root name, the attacker can scan the memory in order to find the keychain key encryption keys step by step by decrypting the entire sequence of user passwords, WiFi, mail, browsers, certificates, etc.

    Interception of two-factor authentication (Two-Factor Authentication Interception)

    System: Windows, Linux, macOS
    Permissions: Administrator, System, root
    Description: The use of two-factor and multifactor authentication provides a higher level of security than a single login / password, but organizations should be aware of the methods of interception and circumvention of these security mechanisms.

    Attackers can purposefully use such authentication mechanisms as smart cards to gain access to the system, services, and network resources.
    If you use a smart card for two-factor authentication (2FA), you will need a keylogger to get the password associated with a smart card during normal use. Both with the inserted smart card and with the password for accessing the smart card, the adversary can connect to the network resource using an infected system to proxy authentication using the inserted hardware token.

    Attackers can also target a keylogger for a similar attack on other hardware tokens, such as RSA SecurID. Capturing the token entry (including the user's personal identification code) can provide the adversary with temporary access for the validity period of the received one-time password, and it is possible to allow him to calculate future values ​​of one-time passwords (knowing the algorithm and initial value for generating subsequent temporary passwords).

    Other 2FA methods can also be intercepted and used by an adversary for unauthorized authentication. Usually one-time codes are sent via out-of-band channels (sms, e-mail, etc.). If the device and / or service are not protected, they may be vulnerable to interception.

    Protection recommendations:Ensure that smart cards are removed when not in use. Protect the devices and services used to transmit and receive out-of-band codes. Detect and block potentially dangerous and malicious software that can be used to intercept credentials in 2FA.

    Also popular now: