Security Assessment of Microsoft DirectAccess

A thesis for the completion of Master of Science in Communication and Media Engineering CME By Ali Hardudi Supervised by Prof. Dr. rer. nat. habil. Dirk Westhoff M. Sc. Enno Rey

ERNW GmbH. Agenda ¬ Introduction . Objective . A Quick Look into DirectAccess ¬ DirectAccess Lab ¬ Assessment . Scenarios and Attacker . IPv6 Attacks . TLS and IPSEC Default Configuration ¬ Conclusion

#2 ERNW GmbH. 14.03.2016 Security Assessment of Microsoft DirectAccess

Introduction

14.03.2016 Security Assessment of Microsoft DirectAccess #3 ERNW GmbH. Thesis Objective

¬ Thesis objective . Study the DirectAccess . Performing a security evaluation

14.03.2016 Security Assessment of Microsoft DirectAccess #4 ERNW GmbH. DirectAccess Features

 Pure IPv6  No user interaction  Remote management and administration  Bidirectional access  Enhanced security features  Working over IPv4 Internet infrastructure

14.03.2016 Security Assessment of Microsoft DirectAccess #5 ERNW GmbH. DirectAccess Limitations

 Not all Windows OS’s are supported  The following options are not always possible:  End to End encryption  Force tunneling  Performance degradation when IP-HTTPS tunneling is used  Complex technology

14.03.2016 Security Assessment of Microsoft DirectAccess #6 ERNW GmbH.

Technologies and Protocols

IKE, HTTPS, DNS64, ISAKMP, Kerberos, ¬ Active Directory Domain Controller (AD DC). PKI, NTLM, DHCPV6 ¬ IPSEC ¬ Public Key Infrastructure (PKI) ¬ HTTPS server as Network Location Service (NLS) TCP, UDP ¬ Name Resolution Policy Table (NRPT) ¬ IPv6 tunneling technologies ¬ NAT64/DNS64 IPv6, IPv6 Tunneling, ICMPv6 ¬ Others (e.g. Forefront Unified Access Gateway IPsec (ESP, AH), NAT64 (UAG), Network Access Protection (NAP))

Figure 1 DirectAccess stack of main protocols

14.03.2016 Security Assessment of Microsoft DirectAccess #7 ERNW GmbH. TLS handshake

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #8 ERNW GmbH. HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #9 ERNW GmbH. HTTPS service

DirectAccess C lie n t Complete ND protocol DirectAccess S e rv e r

IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #10 ERNW GmbH. IP-HTTPS in te rfa c e

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #11 ERNW GmbH. N T L M v 2

HTTPS service

DirectAccess C lie n t Authenticating and Building the DirectAccess IPSEC infrastructure tunnel S e rv e r

IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #12 ERNW GmbH. HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IPSEC Infrastructure tunnel IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #13 ERNW GmbH. HTTPS service

DirectAccess C lie n t DNS conversation DirectAccess S e rv e r

IPSEC Infrastructure tunnel IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #14 ERNW GmbH. AD DC

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IPSEC Infrastructure tunnel IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #15 ERNW GmbH. AD DC

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IPSEC Infrastructure tunnel IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #16 ERNW GmbH. AD DC

K e rb e ro s

HTTPS service

DirectAccess C lie n t DirectAccess Authenticating and Building the S e rv e r IPSEC intranet tunnel IPSEC Infrastructure tunnel IP-HTTPS tunnel

Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #17 ERNW GmbH. AD DC

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #18 ERNW GmbH. AD DC

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r DNS conversation IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #19 ERNW GmbH. AD DC

HTTPS service

DirectAccess C lie n t DirectAccess S e rv e r

IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS R e s o u rc e s 14.03.2016 Security Assessment of Microsoft DirectAccess #20 ERNW GmbH. Lab Deployment

14.03.2016 Security Assessment of Microsoft DirectAccess #21 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #23 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #24 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #25 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 IP-HTTPS (Internal resources) Interface Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #26 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #27 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #28 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client)

Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM)

Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #29 ERNW GmbH. DirectAccess configuration

 Full access model  DirectAccess server is an edge topology  The DirectAccess computers are assigned to a security group  The IPv6 tunneling is IP-HTTPS  All the certificates are issued by the corpnet Certificate Authority (CA)  IPSEC Encapsulated Security Payload (ESP) Figure 4 Screenshot for the configuration panel protocol tunnel mode of DirectAccess  Windows 8.1 uses Null cipher suites for IP- HTTPS

14.03.2016 Security Assessment of Microsoft DirectAccess #30 ERNW GmbH. Figure 5 DirectAccess lab topology

14.03.2016 Security Assessment of Microsoft DirectAccess #31 ERNW GmbH. Assessment

14.03.2016 Security Assessment of Microsoft DirectAccess #32 ERNW GmbH. Scenarios and Attacker

¬ Two different scenarios were assessed: . IP-HTTPS default configuration . Authenticated IP-HTTPS

¬ Attacker knowledge and capabilities: . URL/IP of the DirectAccess server . Compromised or a trusted certificate . Position of attacker is remotely settled or within the local subnet of the client

14.03.2016 Security Assessment of Microsoft DirectAccess #33 ERNW GmbH. Attacker can establish this tunnel without Attacker can utilize some authentication types of ICMPv 6 p a c k e ts

A D D C

IC M P v 6 A tta c k e r R e s o u rc e s Unauthenticated IP -HTTPS tunnel In tra n e t

In te rn e t

HTTPS service

DirectAccess Certificate K e rb e ro s HTTPS service N T L M v 2 S e rv e r A u th o rity NLS DirectAccess c lie n t

IPSEC intranet tunnel IC M P v 6 travels outside the IPSEC tunnels IPSEC infrastructure tunnel Figure 6 IP-HTTPS default configuration scenario 14.03.2016 Security Assessment of Microsoft DirectAccess #34 ERNW GmbH. IP-HTTPS using Python

¬ The IP-HTTPS tunnel was established ¬ The internal servers were reachable using ICMPv6 echo request

Figure 7 Using Ubuntu and Python IP-HTTPS interface to connect to the DirectAccess server

14.03.2016 Security Assessment of Microsoft DirectAccess #35 ERNW GmbH. IP-HTTPS using Python

¬ The IP-HTTPS tunnel was established ¬ The internal servers were reachable using ICMPv6 echo request

Figure 8 Python IP-HTTPS was configured with IPv6 addresses

14.03.2016 Security Assessment of Microsoft DirectAccess #36 ERNW GmbH. Performed Attacks

L Attack Attacker position

 The unauthenticated IP-HTTPS: 1 Scan alive hosts using Ping scan Local or remote

¬ Packets with multicast 2 Scan for alive DA clients using Duplicate Address Local or remote destination addresses are not 3 Send packets with spoofed IPv6 addresses Local or remote forwarded 4 Denial of Service against IP-HTTPS tunnel Local or remote ¬ Packets with unicast addresses 5 Neighbor Cache exhaustion Local or remote are not forwarded 6 MITM using a trusted certificate Local or remote ¬ Server replies on behalf of 7 MITM by relaying IPSEC packets via attacker’s Local clients, if a client wants to computer configure an address that is Table 1 Attacks that were performed on the unauthenticated IP-HTTPS tunnel already configured

14.03.2016 Security Assessment of Microsoft DirectAccess #37 ERNW GmbH. spoofing attack

Figure 9 A packet with a spoofed source address 14.03.2016 Security Assessment of Microsoft DirectAccess #38 ERNW GmbH. spoofing attack

Figure10 DirectAccess server replied to the spoofed address 14.03.2016 Security Assessment of Microsoft DirectAccess #39 ERNW GmbH. spoofing attack

Figure10 DirectAccess server replied to the spoofed address 14.03.2016 Security Assessment of Microsoft DirectAccess #40 ERNW GmbH. Neighbor Cache Exhaustion

¬ Windows server 2012 uses RFC 7048 “Neighbor Unreachability Detection Is Too Impatient” ¬ Unreachable state is maintained for a cache entry (CE)

Figure11 DirectAccess server neighbor cache 14.03.2016 Security Assessment of Microsoft DirectAccess #41 ERNW GmbH. Scan Connected DirectAccess Clients

Figure12 Clients IPv6 enumeration using Duplicate Address Detection

14.03.2016 Security Assessment of Microsoft DirectAccess #42 ERNW GmbH. Scan Connected DirectAccess Clients

Figure13 DirectAccess server replied on behalf of the existing DirectAccess client

14.03.2016 Security Assessment of Microsoft DirectAccess #43 ERNW GmbH. Attacker establishes the IP-HTTPS tunnel using a Attacker can utilize some s to le n / trusted certificate types of ICMPv 6 p a c k e ts

A D D C

IC M P v 6 A tta c k e r R e s o u rc e s Authenticated IP -HTTPS tunnel In tra n e t

In te rn e t

HTTPS service

DirectAccess Certificate K e rb e ro s HTTPS service N T L M v 2 S e rv e r A u th o rity NLS DirectAccess c lie n t

IPSEC intranet tunnel ICMPV 6 packets from the attacker can reach DirectAccess client / s IPSEC infrastructure tunnel Figure 14 Authenticated IP-HTTPS scenario

14.03.2016 Security Assessment of Microsoft DirectAccess #44 ERNW GmbH. Authenticated IP-HTTPS

¬ Almost all types of packets are accepted by the DirectAccess ¬ Null cipher suites can not be used any more

DA client certificate was extracted using mimikatz Figure 15 Configuring IP-HTTPS server component to use authentication

14.03.2016 Security Assessment of Microsoft DirectAccess #45 ERNW GmbH. Authenticated IP-HTTPS

¬ Almost all types of packets are accepted by the DirectAccess ¬ Null cipher suites can not be used any more

DA client certificate was extracted using mimikatz

Figure 16 Using certificate mapping to finish configuring authentication on IP-HTTPS tunnel

14.03.2016 Security Assessment of Microsoft DirectAccess #46 ERNW GmbH. Authenticated IP-HTTPS

¬ Almost all types of packets are accepted by the DirectAccess ¬ Null cipher suites can not be used any more

DA client certificate was

extracted using mimikatz Figure 17 Packets where received by Python IP-HTTPS interface on Ubuntu

14.03.2016 Security Assessment of Microsoft DirectAccess #47 ERNW GmbH. Performed Attacks

L Attack Attacker position

1 Scan for alive DirectAccess clients using Ping scan Local or remote ¬ All the authenticated IP-HTTPS 2 Scan DirectAccess clients for open ports Local or remote connections are trusted DoS against DirectAccess clients by sending fake Router ¬ The only packets that are not forwarded 3 Local or remote those which have unspecified IPv6 source Advertisement (RA) with randomized prefixes

address “::” 4 Hijacking IPSEC packets that are sent to the client and Local or remote cause a DoS

DoS DirectAccess client, by sending unsolicited 5 Neighbor Solicitation (NS) with the IPv6 of the Local or remote DirectAccess server as a source address Table 2 Attacks that were performed on the authenticated IP-HTTPS tunnel

14.03.2016 Security Assessment of Microsoft DirectAccess #48 ERNW GmbH. DoS with Fake RA

Figure 18 Part of the addresses that were configured after receiving a fake RA with randomized prefixes 14.03.2016 Security Assessment of Microsoft DirectAccess #49 ERNW GmbH. N tim e s S p o o fe d N A

A u th e n tic a te d IP -H T T P S tu n n e l

IPSECNA IPSECNS HTTPS service K e rb e ro s N T L M v 2

DirectAccess DirectAccess c lie n t S e rv e r

Figure 19 Hijacking the IPSEC downstream traffic 14.03.2016 Security Assessment of Microsoft DirectAccess #50 ERNW GmbH. MITM The IP-HTTPS Traffic

Figure 20 The attacking machine received IPSEC packets after a DirectAccess client was switched off

14.03.2016 Security Assessment of Microsoft DirectAccess #51 ERNW GmbH. MITM The IP-HTTPS Traffic

Figure 21 Sending spoofed NA’s to the DirectAccess server and hijacking the connection from server to the client

14.03.2016 Security Assessment of Microsoft DirectAccess #52 ERNW GmbH. MITM The IP-HTTPS Traffic

¬ Spoof the server RA ¬ Set the Router Preference flag with high priority ¬ Set all Route Information (RFC 4191) options with high priority ¬ Use the same advertised Prefix Information

Figure 22 Router Advertisement (RA) sent by DirectAccess server

14.03.2016 Security Assessment of Microsoft DirectAccess #53 ERNW GmbH. IPSECNS

Fake RA

LAN ACCESS Point

HTTPS service K e rb e ro s N T L M v 2 IP-HTTPS tunnel DirectAccess DirectAccess c lie n t In te rn e t S e rv e r

Figure 23 MITM on the local subnet

14.03.2016 Security Assessment of Microsoft DirectAccess #54 ERNW GmbH. Source: https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html

14.03.2016 Security Assessment of Microsoft DirectAccess #55 ERNW GmbH. Conclusion ¬ DirectAccess is a relatively new technology that offers the corpnet users a flexible, an always-on and an automatic access to the internal resources. ¬ The security assessment process showed that IP-HTTPS is a very critical component, which could be utilized by attackers to perform many IPv6 attacks on both DirectAccess client and server. ¬ The Thesis also pointed out the necessity of reviewing the configuration of both TLS and IPSEC protocol. ¬ The infrastructure tunnel and the 6to4 tunneling represent very attractive sources of attacks.

14.03.2016 Security Assessment of Microsoft DirectAccess #56 ERNW GmbH. © 2016 Ali Hardudi. All rights reserved.

14.03.2016 Security Assessment of Microsoft DirectAccess #57 ERNW GmbH.