TOPIC 7B Implement Knowledge-Based Authentication
NTLM authentication (NT LAN Manager authentication)
A challenge-response authentication protocol created by Microsoft for use in its products
What is the only indicator of an offline attack?
A file system audit log that records the malicious account accessing one of these files
What happens if the attacker cannot obtain a database of passwords?
A packet sniffer might be used to obtain the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. Though these protocols avoid sending the hash of the password directly, the response is derived from it in some way
Kerberos
A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.
Dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values
Brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords.
Hybrid password attack
An attack that utilizes multiple attack vectors including dictionary, rainbow table, and brute force attack methodologies when trying to crack a password.
Single sign-on (SSO)
An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
Challenge Handshake Authentication Protocol (CHAP)
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.
Password spraying
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Three-way handshake
Challenge, Response, Verification
How can a client access resources within the domain (Kerberos)?
The client requests a service ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the TGS.
Hashcat
Command-line tool used to perform brute force and dictionary attacks against password hashes.
Key Distribution Center (KDC)
Component of Kerberos that authenticates users and issues tickets (tokens)
Service ticket
Contains information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server's secret key
Brute force attacks (longer passwords)
When distributed across multiple hardware components, such as a cluster of high-end graphics cards, they can be successful at cracking longer passwords
How is the TGS able to decrypt the TGT copy and the name of the application servers?
The KDC's secret key is used for the first, and the TGS session key for the second
PAM (Pluggable Authentication Modules)
Framework for implementing authentication providers in Linux
Brute-force attacks (short passwords)
Heavily constrained by time and computing resources; they are most effective at cracking short passwords
MS-CHAPv2
Implementation of CHAP created by Microsoft for use in its products.
Ticket Granting Ticket (TGT)
In Kerberos, a token issued to an authenticated account to allow access to authorized application servers
What is an optional way for the application server to respond to the client?
It can respond using the timestamp from the authenticator, which is encrypted using the service session key. The client decrypts the timestamp, verifies that it matches the value already sent, and concludes that the application server is trustworthy
What does the application do with the service ticket?
It uses its secret key to decrypt the ticket and obtain the service session key, confirming that the client sent it in an untampered message. It then decrypts the authenticator using the service session key
In Windows, how is the SSO provided?
It is provided by the Kerberos framework
What does mutual authentication prevent?
It prevents a man-in-the-middle attack, where a malicious user could intercept communications between the client and server
Where does the client forward the service ticket, which it is unable to decrypt?
It is sent to the application server along with another time-stamped authenticator, which is encrypted using the service session key
How is the output space determined?
It is determined by the number of bits used by the algorithm (128-bit MD5 or 256-bit SHA256). The larger the output space and the more characters that were used in the plaintext password, the more difficult it is to compute and test each possible hash to find a match.
Password Authentication Protocol (PAP)
Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.
Example of plaintext/unencrypted attacks
PAP or Telnet
What is one common source of credential breaches?
Passwords embedded in application code that has subsequently been uploaded to a public repository
What does the TGS service respond with?
Service session key and Service Ticket
What is a drawback of Kerberos?
The KDC represents a single point of failure for the network. In practice, backup KDC servers can be implemented
Offline attack
The attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (Active Directory credential store), or /etc/shadow
How do rainbow table attacks redefine the dictionary approach?
The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory.
What does the client send TGS?
The client sends a copy of its TGT and the name of the application servers it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key
What happens when a user logs in to a local interactive shell?
The password is checked against a hash stored in /etc/shadow
Verification
The server computes its own hash using the password hash stored for the client. If it matches the response, access is granted; otherwise, the connection is dropped
Online password attack
The threat actor interacts with the authentication service directly, such as a web login form or VPN gateway. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline
In Linux, where are local user account names stored?
They are stored in /etc/passwd
How can online password attacks be mitigated?
They can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses
How can password crackers exploit weaknesses in a protocol?
They can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it
What does an online password attack show up as in audit logs?
They would show up as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations
Rainbow table
Tool for speeding up attacks against Windows passwords by precomputing possible hashes
What else is used as a vault for backup?
USB keys. Most operating systems and browsers implement native password vaults
Password key
USB tokens for connecting to PCs and smartphones. Some can use near-field communication (NFC) or Bluetooth as well as physical connectivity
What helps slow down rainbow table attacks?
Using a salt to add a random value to the stored plaintext helps to slow down rainbow table attacks, because the tables cannot be created in advance and must be recreated for each combination of password and salt value
Plaintext/unencrypted attack
Exploits password storage or a network authentication protocol that does not use encryption
Service session key
For use between the client and the application server. This is encrypted with the TGS session key.
Remote sign-in
If the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.
Password cracker
Password-guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases
Password vault
Software-based password manager, typically using a cloud service to allow access from any device
Windows network sign-in
The LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.
Windows local sign-in
The Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
Response
The client responds with a hash calculated from the server challenge message and client password (or other shared secret)
Challenge
The server challenges the client, sending a randomly generated challenge message
Authentication provider
The software architecture and code that underpins the mechanism by which the user is authenticated before starting a shell. Login (Linux) or logon or sign-in (Windows)
Mutual authentication
When a server is authenticated to the client