Deploying a directory service helps an enterprise network achieve centralized management, single sign-on, unified account and permission control, and integrated authentication for third-party services; among directory services, Microsoft Active Directory (AD) is the most widely used. However, weighing the convenience of centralization against its security is currently the greatest challenge facing enterprise IT management. Although Microsoft's Domain Controller Service, combined with the AD authentication mechanism (AD DS), provides a convenient and secure architecture for system access control, its Local Security Authority Subsystem Service (LSASS) process stores login credentials in memory, such as account names and LM/NTLM password hash values. By injecting malicious code into LSASS and stealing the stored password hashes from its memory, an attacker can, without any plaintext password, perform an impersonation attack directly via Pass-the-Hash (PtH) to gain control of services on the local or a remote computer. PtH mainly exploits weaknesses in the hashing and authentication protocols: any operating system that accepts LM/NTLM authentication can be attacked with PtH, because LM/NTLM passes the password hash directly in its challenge-response authentication. The PtH attack was first proposed by Paul Ashton on Bugtraq in 1997, yet even today FireEye's 2016 M-TRENDS report shows that PtH remains one of the common techniques for privilege escalation and lateral movement in attack kill chains; understanding PtH attack techniques, tools and procedures, and the corresponding defensive strategies, is therefore still an important research topic. This thesis builds an enterprise cyber PtH threat simulation environment (Enterprise Cyber PtH Threat Labs) and uses hands-on labs to comprehensively examine the Windows LM/NTLM authentication behaviour that PtH exploits, the principles of PtH vulnerability exploitation, PtH attack design and implementation in the simulated environment, and, going further, the analysis of audit logs to identify distinguishing characteristics of normal authentication behaviour versus anomalous PtH attack behaviour. The results show that, beyond the identifiable PtH characteristics obtained from the log analysis of the lab cases, the enterprise cyber threat simulation environment and practical case analysis proposed in this thesis also help security practitioners learn the attacker's mindset from practical cases, thereby improving their ability to defend against attacks and effectively reducing the security threats to enterprise networks.
Directory service integration helps organizations effectively and centrally manage a growing number of users, roles and devices, provides a seamless user experience with single sign-on for all directory-aware applications, and supports enforcement of security policy. However, the convenience of centralized management also tends to make it less secure, and balancing the two sides remains extremely difficult. Microsoft Active Directory (AD) is one of the most widely used services on enterprise networks, and AD Domain Services (AD DS) provides a secure and flexible architecture for access control to systems and services. The Local Security Authority Subsystem Service (LSASS) process, however, stores credentials (e.g. account name and LM/NT hash) associated with its logon sessions in memory whenever a user performs an interactive logon; an attacker can steal these cached credentials via LSASS injection and reuse the stolen password hash to authenticate to a remote server or service with a Pass-the-Hash (PtH) attack. The PtH technique was originally published on Bugtraq in 1997, and FireEye's M-TRENDS 2016 reports that it is still a commonly used method for privilege escalation and lateral movement today, because defending against PtH attacks is complex and multi-faceted and remains a challenge, even though a great many publications have discussed PtH attacks and defenses extensively. In this thesis, we therefore discuss the TTPs (Tactics, Techniques, and Procedures) of PtH attacks and analyze their characteristics using audit logs, exercising real-world-like PtH hands-on labs in the enterprise cyber threat virtual labs we developed. The experimental results show that we found distinguishing characteristics between normal LM/NTLM authentications and anomalous PtH attacks that have not been mentioned in the literature.
In addition, this thesis provides many hands-on labs with step-by-step practice guides around PtH attacks that can be used to build next-generation cyber threat detection systems and comprehensively strengthen the capability to combat advanced persistent threats.