Pass-the-Hash Technique | Pass-the-Hash on Windows Today | New Windows Mitigations

- Slides: 33
Pass-the-Hash Technique

Diagram: normal logon. Sue's Laptop holds Sue's user session (User: Sue, Password: a1b2c3); the File Server holds Sue's user session (User: Sue, Password hash: C9DF4E…).
1. Sue enters username and password
2. PC creates Sue's user session
3. PC proves knowledge of Sue's hash to the server
4. Server creates a session for Sue

Diagram: lateral movement with stolen hashes. Fred's user session (User: Fred, Password hash: A3D7…) runs malware. Sue's Laptop then holds Sue's user session (User: Sue, Password hash: C9DF…) beside a malware user session running as Fred (User: Fred, Password hash: A3D7…). The File Server ends up with a malware user session holding both User: Fred, Hash: A3D7 and User: Sue, Hash: C9DF.
1. Fred runs malware
2. Malware infects Sue's laptop as Fred
3. Malware infects File Server as Sue
Pass-the-Hash on Windows Today

"… I wouldn't say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network. . ."

"The virus erased data on three-quarters of Aramco's corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag."

PsExec EULA: "You are not permitted to use PsExec for illegal activity."
Diagram: the "credential footprint" of a domain logon. Sue's Laptop (User: Sue, Password: a1b2c3) keeps, inside the Local Security Authority (LSASS): NTLM (NTOWF: C9DF4E56A2D1…), Digest (the password a1b2c3 itself), and Kerberos (Ticket-Granting Ticket plus Service Tickets). The domain controller PTHDemo-DC (192.168.1.1) holds User: Sue, Hash: C9DF4E….

Diagram: after a second user logs on to Sue's Laptop, LSASS holds two NTOWFs (A3D723B95DA… and C9DF4E56A2D1…), the Digest password a1b2c3, the Kerberos Ticket-Granting Ticket and Service Ticket, and the Credential Store.
New Windows Mitigations: Local Account

Diagram: the Security Accounts Manager on Fred's Laptop and the Security Accounts Manager on Sue's Laptop both contain User: Admin, Hash: A2DF… (the same local administrator hash on every machine).
New Windows Mitigations: Domain Account

Diagram: Sue's Laptop (Password: a1b2c3), Local Security Authority (LSASS): NTLM (NTOWF: C9DF4E56A2D1…), Digest, Kerberos (Ticket-Granting Ticket, Service Ticket), Credential Store.
New Windows Mitigations: Restricted Remote Administration

Diagram: Sue's Helpdesk PC runs the Remote Desktop Client (User: Sue, Pass: a1b2c3) to Fred's Laptop. On Fred's Laptop, LSASS now holds NTLM (NTOWF: C9…), Digest (Pass: a1b2c3), Kerberos Tickets and the Credential Store, and Mimikatz is running there.
New Windows Mitigations: Authentication Policies and Silos

Diagram: Lobby kiosk (User: Sue), IT admin terminal (User: Sue) and Fred (User: Sue) all authenticating to the Domain Controller.

Diagram: PTHDemo Domain.
Users: Sue (Silo: Sue), Fred …
Computers: Sue-PC (Silo: Sue), Fred-PC …
"Sue Lockdown" Authentication Policy: Ticket lifetime: 4 hours; Conditions: Users use Silo PCs
"Sue Lockdown" Authentication Silo: Policy: "Sue Lockdown"; Members: Sue; Sue-PC
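The "Sue Lockdown" policy and silo from the diagram, written out with the ActiveDirectory PowerShell module as an added example (not from the slides): the policy, silo, member names and 4-hour lifetime come from the diagram, while the SDDL condition is my rendering of "Users use Silo PCs" and the prerequisites in the comments are assumptions about the lab domain.

```powershell
# Added example, not the presenter's code. Assumes a PTHDemo domain at Windows
# Server 2012 R2 functional level with the "KDC support for claims, compound
# authentication and Kerberos armoring" and matching Kerberos client policies
# enabled, and an account that can create authentication policy objects.
Import-Module ActiveDirectory

$siloName   = 'Sue Lockdown'
$policyName = 'Sue Lockdown'

# "Conditions: Users use Silo PCs": Sue may only obtain a TGT from a device that
# is itself a member of the silo. This is the claim-based SDDL form used for
# UserAllowedToAuthenticateFrom; the silo name must match exactly.
$fromSiloOnly = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# "Ticket lifetime: 4 hours" becomes a user TGT lifetime of 240 minutes.
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloOnly `
    -Enforce `
    -Description 'Limit Sue to silo PCs with a 4-hour TGT'

# The silo binds the policy to its members, users and computers alike.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce

# "Members: Sue; Sue-PC": each principal must first be granted access to the
# silo and then assigned to it; the policy only applies once both are done.
$members = @((Get-ADUser -Identity 'Sue'), (Get-ADComputer -Identity 'Sue-PC'))
foreach ($member in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $member
    Set-ADAccountAuthenticationPolicySilo -Identity $member -AuthenticationPolicySilo $siloName
}

# Check: the silo lists both members and Sue's account carries the assigned
# silo attribute (msDS-AssignedAuthNPolicySilo).
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object Name, Enforce, Members
Get-ADUser -Identity 'Sue' -Properties 'msDS-AssignedAuthNPolicySilo' |
    Select-Object SamAccountName, 'msDS-AssignedAuthNPolicySilo'
```

With the silo enforced, a logon as Sue from the lobby kiosk or from Fred-PC in the earlier diagram is refused by the KDC, and any TGT she does obtain on Sue-PC expires after four hours.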