TOPIC 7B Implement Knowledge-Based Authentication


NTLM authentication (NT LAN Manager authentication)

A challenge-response authentication protocol created by Microsoft for use in its products

What is the only indicator of an offline attack?

A file system audit log that records the malicious account accessing one of these files

What happens if the attacker cannot obtain a database of passwords?

A packet sniffer might be used to obtain the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. Though these protocols avoid sending the hash of the password directly, the response is derived from it in some way

Kerberos

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

Dictionary attack

A type of password attack that compares encrypted passwords against a predetermined list of possible password values

Brute force attack

A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords.

Hybrid password attack

An attack that utilizes multiple attack vectors including dictionary, rainbow table, and brute force attack methodologies when trying to crack a password.

Single sign-on (SSO)

An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

Challenge Handshake Authentication Protocol (CHAP)

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

Password spraying

Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

Three-way handshake

Challenge, Response, Verification

How can client access resources within the domain (Kerberos)?

Client requests a Service ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the TGS.

Hashcat

Command-line tool used to perform brute force and dictionary attacks against password hashes.

Key Distribution Center (KDC)

Component of Kerberos that authenticates users and issues tickets (tokens)

Service ticket

Contains information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server's secret key

Brute force attacks (longer passwords)

Distributed across multiple hardware components, like a cluster of high-end graphics cards, can be successful at cracking longer passwords

How is the TGS able to decrypt the TGT copy and the name of the application servers?

For the first, the KDC's secret key is used, while the TGS session key is used for the second

PAM (Pluggable Authentication Modules)

Framework for implementing authentication providers in Linux

Brute-force attacks (short passwords)

Heavily constrained by time and computing resources, and are the most effective at cracking short passwords

MS-CHAPv2

Implementation of CHAP created by Microsoft for use in its products.

Ticket Granting Ticket (TGT)

In Kerberos, a token issued to an authenticated account to allow access to authorized application servers

What is an optional way for the application server to respond to the client?

It can respond using the timestamp used in the authenticator, which is encrypted by using the service session key. The client decrypts the timestamp and verifies that it matches the value already sent, and concludes that the application server is trustworthy

What does the application do with the service ticket?

It decrypts the ticket to obtain the service session key using its secret key, confirming that the client has sent it in an untampered message. It then decrypts the authenticator using the service session key

In Windows, how is the SSO provided?

It is provided by the Kerberos framework

What does mutual authentication prevent?

It prevents a man-in-the-middle attack, where a malicious user could intercept communications between the client and server

Where does the client forward the service ticket that it is unable to decrypt?

It is sent to the application server along with another time-stamped authenticator, which is encrypted using the service session key

How is the output space determined?

It's determined by the number of bits used by the algorithm (128-bit MD5 or 256-bit SHA256). The larger the output space and the more characters that were used in the plaintext password, the more difficult it is to compute and test each possible hash to find a match.

Password Authentication Protocol (PAP)

Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.

Example of plaintext/unencrypted attacks

PAP or Telnet

What is one common source of credential breaches?

Passwords embedded in application code that has subsequently been uploaded to a public repository

What does the TGS service respond with?

Service session key and Service Ticket

What is a drawback of Kerberos?

The KDC represents a single point-of-failure for the network. In practice, backup KDC servers can be implemented

Offline attack

The attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (Active Directory credential store), or /etc/shadow

How do rainbow table attacks redefine the dictionary approach?

The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory.

What does the client send TGS?

The client sends a copy of its TGT and the name of the application servers it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key

What happens when a user logs in to a local interactive shell?

The password is checked against a hash stored in /etc/shadow

Verification

The server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped

Online password attack

The threat actor interacts with the authentication service directly, such as a web login form or VPN gateway. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline

In Linux, where are local user account names stored?

They are stored in /etc/passwd

How can online password attacks be mitigated?

They can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses

How can password crackers exploit weaknesses in a protocol?

They can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it

What does an online password attack show up as in audit logs?

They would show up as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations

Rainbow table

Tool for speeding up attacks against Windows passwords by precomputing possible hashes

What else is also used as a vault for backup?

USB keys. Most operating systems and browsers implement native password vaults

Password key

USB tokens for connecting to PCs and smartphones. Some can use nearfield communications (NFC) or Bluetooth as well as physical connectivity

What helps slow down rainbow table attacks?

Using a salt to add a random value to the stored plaintext helps to slow down rainbow table attacks, because the tables cannot be created in advance and must be recreated for each combination of password and salt value

Plaintext/unencrypted attack

Exploits password storage or a network authentication protocol that does not use encryption

Service session key

For use between the client and the application server. This is encrypted with the TGS session key.

Remote sign-in

If the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.

Password cracker

Password guessing software that can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases

Password vault

Software-based password manager, typically using a cloud service to allow access from any device

Windows network sign-in

The LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

Windows local sign-in

The Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

Response

The client responds with a hash calculated from the server challenge message and client password (or other shared secret)

Challenge

The server challenges the client, sending a randomly generated challenge message

Authentication provider

The software architecture and code that underpins the mechanism by which the user is authenticated before starting a shell. Called login (Linux) or logon or sign-in (Windows)

Mutual authentication

When a server is authenticated to the client
