
A Study of Windows Pass-the-Ticket Credential Attacks through Hands-on Lab Cases in an Enterprise Cyber Threat Simulation Environment

Hands-on Enterprise Cyber Threat Labs Study on Windows Pass-the-Ticket Attacks

Advisor: 許振銘

Abstract (Chinese)

Most organizations have adopted a Directory Service for centralized management of their networks. Yet the very convenience and centrality of centralized management make this architecture the attacker's primary intrusion target, because whoever gains ownership of the directory service gains complete control of the target organization's network. Among directory services, Microsoft Active Directory (AD) is the most widely used. Although Microsoft's Active Directory Domain Services (AD DS) provide the Kerberos authentication mechanism, which is more secure than NTLM (NT LAN Manager), flaws in its architecture mean that Kerberos weaknesses are today exploited for privilege escalation (Escalate Privileges), lateral movement (Lateral Movement) and taking ownership of the enterprise network, as FireEye's M-Trends 2015 threat report points out. When a user wants to access a particular domain service, the user must first use the account password hash (NTLM hash value) to obtain a Ticket-Granting-Ticket (TGT) from the Authentication Service of the Key Distribution Center (KDC), then present the TGT to the KDC's Ticket Granting Service (TGS) to obtain a service ticket (TGS), and finally use that service ticket to gain access to the domain service. However, the Windows Kerberos implementation caches the TGT and TGS in files on the user's local machine or in the process memory of the Local Security Authority Subsystem Service (LSASS), and they are valid for 10 hours by default. An attacker can therefore steal the TGT, TGS and other credential material from the cache files on that user's machine or from memory via LSASS injection, and by passing the ticket or service ticket (Pass-the-Ticket, PtT) obtain the domain services that user is authorized to use. Worse, from a compromised AD DS server the attacker can extract from the KDC the krbtgt account and password, which hold the highest ticket-management authority, forge a ticket with the highest domain privileges (called a Golden Ticket), and thereby take complete control of the target domain. To this day, PtT and Golden Ticket attacks remain among the common techniques for privilege escalation (Escalate Privileges) and lateral movement (Lateral Movement) in the Kill Chain, so PtT attack methods, tools and procedures, and the corresponding defensive strategies, remain a highly challenging research topic. This thesis builds a PtT enterprise cyber threat simulation environment (Enterprise Cyber PtT Threat Labs) and uses experimental cases (Hands-on Labs) to examine comprehensively the behaviour of the Windows Kerberos authentication mechanism that PtT exploits, the principles behind PtT exploitation, the design of PtT attacks and their implementation in the simulated environment, and the analysis of audit logs to find identifiable characteristics that distinguish normal authentication from PtT attack behaviour. The results show that, beyond the identifiable PtT characteristics obtained from the log analysis of the lab cases, the simulation environment and case analyses proposed in this thesis help security practitioners learn the attacker's mindset from practical cases, thereby strengthening their ability to defend against attacks and reducing the security threats to enterprise networks.

Abstract (English)

Most organizations today have integrated a Directory Service to make centralized management of their information systems effective and convenient. However, the convenience of centralized management also brings a decrease in security. Obtaining administrative access to an organization's directory service allows an adversary to completely compromise the organization's network, so it is one of the first things determined adversaries do, because a directory service contains the authentication credentials for the organization's resources. The Kerberos authentication protocol is the modern, preferred authentication mechanism used by default in domain-based Windows networks; it provides mutual authentication and authorization for clients and servers. In Kerberos, a user authenticates to the Authentication Server (AS) of the Key Distribution Center (KDC) with the NTLM hash of its password and is granted a Ticket-Granting-Ticket (TGT), which it then presents to the Ticket Granting Server (TGS) of the KDC to request a service ticket (Ticket-Granting-Service, TGS) for access to a particular network resource. Although Kerberos is considered a more secure authentication protocol than NTLM, the Pass-the-Ticket (PtT) technique is still used by Advanced Persistent Threat (APT) actors to misuse flaws in the Kerberos protocol in Windows networks, as FireEye's M-TRENDS 2015 report notes. An adversary can steal a cached TGT or TGS and use it to gain privileged access to a target domain network directly, without the user's password, and can even become a domain administrator on the domain controller by exploiting a Golden Ticket created from the password of the KDC's krbtgt account. In this thesis, we therefore discuss the TTPs (Tactics, Techniques, and Procedures) of PtT and Golden Ticket attacks and analyse their characteristics in audit logs, using real-world-like PtT hands-on labs exercised in our enterprise cyber PtT threat virtual labs.
The experimental results show that we found some distinguishing characteristics between normal Kerberos authentication and the abnormal authentication of PtT and Golden Ticket attacks which have not been mentioned in the literature. Additionally, this thesis provides many hands-on labs with step-by-step practice guides for PtT attacks, which can be used to build next-generation cyber threat detection systems and comprehensively strengthen capabilities for combating advanced persistent threats.
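As an added example (not code from the thesis), the check below applies the Kerberos flow described in the abstract to constructed Windows audit events: a service-ticket request (event 4769) that is not preceded by a TGT request (event 4768) from the same account and source host, or whose TGT is older than the 10-hour default lifetime, is flagged as a PtT or Golden Ticket indicator. The record format, the correlation rule and the sample log lines are assumptions for illustration, not the thesis's findings.

```python
"""Toy Pass-the-Ticket indicator check over Windows Kerberos audit events.
Added example, not from the thesis. In the flow the abstract describes, a
client first obtains a TGT from the KDC's Authentication Service (Windows
audit event 4768) and only then requests service tickets (event 4769). A TGT
replayed from another host, or a forged Golden Ticket, skips the AS step, so
the domain controller sees 4769 with no matching 4768. Record format and
log lines are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default TGT lifetime cited in the abstract

@dataclass
class Event:
    time: datetime
    event_id: int      # 4768 = TGT requested, 4769 = service ticket requested
    account: str
    client_ip: str

def parse(line: str) -> Event:
    """Parse one constructed record: '<ISO time>|<event id>|<account>|<client ip>'."""
    t, eid, acct, ip = line.strip().split("|")
    return Event(datetime.fromisoformat(t), int(eid), acct, ip)

def find_ptt_suspects(events) -> list:
    """(account, client_ip) pairs whose service-ticket request had no TGT request
    from the same account and source within TGT_LIFETIME. Caveat: a TGT issued
    before the log window starts looks the same, so cover a full lifetime."""
    last_tgt = {}  # (account, client_ip) -> time of the most recent 4768
    suspects = set()
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.account, ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
        elif ev.event_id == 4769:
            issued = last_tgt.get(key)
            if issued is None or ev.time - issued > TGT_LIFETIME:
                suspects.add(key)
    return sorted(suspects)

SAMPLE_LOG = [  # constructed events, not real telemetry
    "2016-05-01T08:00:00|4768|alice|10.0.0.5",           # alice gets a TGT on her own host
    "2016-05-01T08:05:00|4769|alice|10.0.0.5",           # normal: service ticket, same host
    "2016-05-01T09:10:00|4769|alice|10.0.0.77",          # alice's TGT replayed elsewhere
    "2016-05-01T09:30:00|4769|administrator|10.0.0.77",  # no 4768 at all: Golden Ticket pattern
    "2016-05-01T19:30:00|4769|alice|10.0.0.5",           # same host, but the 08:00 TGT has expired
]

def demo() -> list:
    return find_ptt_suspects(parse(line) for line in SAMPLE_LOG)
```

Running `demo()` returns the three suspect pairs; in a real deployment the same rule would be fed from the domain controllers' Security logs, where only the DCs see the 4768/4769 sequence.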

References

[1] Microsoft TechNet (2012). NTLM Authentication. Retrieved from https://technet.microsoft.com/en-us/library/jj865680(v=ws.10).aspx
[2] Mark Walla (2000). Kerberos Explained. Retrieved from https://msdn.microsoft.com/en-us/library/bb742516.aspx
[3] FireEye (2015). M-Trends 2015: A View From the Front Lines (Threat Report). Retrieved from https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[4] Giora Engel (2014). Deconstructing The Cyber Kill Chain. Dark Reading. Retrieved from http://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542
[5] Microsoft TechNet (2016, April 13). A brief look at the impact of Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attacks on enterprises (part 2). TechNet Taiwan. Retrieved from https://blogs.technet.microsoft.com/technet_taiwan/2016/04/13/pass-the-hash-pth-ptt-pass-the-ticket/
