Getting Credentials from a locked Windows PC in 12 Seconds Joe - - PowerPoint PPT Presentation

Getting Credentials from a locked Windows PC in 12 Seconds

Joe Granneman, MBA, CISSP – Principal Consultant

About illumination.io

• Rockford based Cybersecurity Services

– Penetration Testing – HIPAA, PCI, and GLBA Compliance Testing – Social Engineering Testing – Incident Response – Disaster Recovery Planning – Security Architecture Design – Strategic Information Security Planning – Information Security Program Development

About the Speaker

Your Mission

Your Tools

You Only Need 12 Seconds

So how does this work?

Windows Authentication is a Mess of Old Technology

NTLMv1 NTLMv2

What is a LAN Turtle?

The Secret Sauce

LAN Turtle in Action

What did we get?

• Proxy-Auth-NTLMv2-172.16.84.113.txt
• Bob::LAPTOP-

GK7EEVOS:1122334455667788:1A6B63055DA390F158E33C470F318 E76:0101000000000000AFD31FB3F133D2014423BC942F310F9C00 0000000200060053004D0042000100160053004D0042002D00540 04F004F004C004B00490054000400120073006D0062002E006C00 6F00630061006C0003002800730065007200760065007200320030 00300033002E0073006D0062002E006C006F00630061006C00050 0120073006D0062002E006C006F00630061006C00080030003000 0000000000000000000000200000ADA2DDBB95B9C6DDDF83211E AC531214D6B257A2FBB5AA90AD99C06E26F168F10A00100000000 00000000000000000000000000009001A0048005400540050002F 00700072006F00780079007300720076000000000000000000

Encryption Methods Matter

• NetNTLMv1 : 27362.0 MH/s
• NetNTLMv2 : 2115.9 MH/s
• NTLM : 64790.0 MH/s
• LANMAN : Instant

GPU Cracking Engaged

How to Defend?

How to Defend?

Disable NETBIOS over TCP/IP in DHCP Manager

How to Defend?

Disable NetBIOS over TCP/IP in NIC Settings

Don’t Forget the Basics

• Strong passwords still work

– 12 characters is the new minimum

• Utilize dual factor auth where possible
• Physical security is still king

Getting Credentials from a locked Windows PC in 12 Seconds

Joe Granneman, MBA, CISSP – Principal Consultant