Pass-the-Hash: How Attackers Spread and How to Stop Them
Mark Russinovich, Technical Fellow, Microsoft Azure
Nathan Ide, Principal Dev Lead, Microsoft Windows

Pass-the-Hash == Single-Sign On
Pass-the-hash is the use of a saved credential or authenticator
It exists solely to support single-sign on (SSO)
If you want SSO, you are exposed to PTH
In other words: if you want SSO, pass-the-hash cannot be “fixed”
This is not a “Windows problem”
There are two types of pass-the-hash:
Credential reuse: using the saved credential on the system on which it was saved
Credential theft: taking the saved credential to another system and using it from there

Agenda: Pass-the-Hash
Pass-the-Hash Technique
Pass-the-Hash on Windows Today
New Windows Mitigations:
Local Account
Domain Account
Restricted Remote Administration
Authentication Policies and Silos

Single-Sign On, Explained
Diagram: Sue’s Laptop (User: Sue, Password: a1b2c3) holds Sue’s User Session (User: Sue, Password hash: C9DF4E…); the File Server also holds Sue’s User Session (User: Sue, Password hash: C9DF4E…). Numbered steps:
1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue

Pass-the-Hash Technique
Diagram: Fred’s Laptop (User: Fred, Hash: A3D7…) holds Fred’s User Session (User: Fred, Password hash: A3D7…) and a Malware User Session (User: Fred, Hash: A3D7). Sue’s Laptop holds Sue’s User Session (User: Sue, Password hash: C9DF…) and a Malware User Session that now carries both User: Fred, Hash: A3D7 and User: Sue, Hash: C9DF. The File Server session is User: Sue, Hash: C9DF. Numbered steps:
1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue

Agenda: Pass-the-Hash

Windows Pass-the-Hash in the News
“The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.”
“… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ...”

Windows Pass-the-Hash in Mark’s Inbox
PsExec EULA: “You are not permitted to use PsExec for illegal activity.”

Windows Single-Sign On Architecture
Diagram: Sue’s Laptop (User: Sue, Hash: C9DF4E…) in the PTHDemo domain, with PTHDemo-DC as its domain controller. The Local Security Authority (LSASS) hosts three authentication packages and their saved secrets: NTLM (NTOWF: C9DF4E56A2D1…), Digest (Password: a1b2c3) and Kerberos (Ticket-Granting Ticket plus one Service Ticket per server). The diagram also labels User: Sue, Password: a1b2c3, 192.168.1.1 and a Service Ticket. Everything LSASS keeps for Sue is labelled her “credential footprint”.

Windows Pass-the-Hash “Discovery”

Microsoft Guidance
Microsoft published Pass-the-Hash guidance in December 2012.
Highlighted best practices and dispelled urban legends

Pass-the-Hash Tools on Windows
Diagram: Sue’s Laptop, Local Security Authority (LSASS) and its Credential Store: NTLM (NTOWF: C9DF4E56A2D1…), Digest (Password: a1b2c3), Kerberos (Ticket-Granting Ticket and Service Tickets). A second NTOWF, A3D723B95DA…, has been placed in the store alongside Sue’s.

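As an added defender-side example (not part of the deck), the following PowerShell flags the logon session that injecting a second NTOWF into LSASS, as pictured above, leaves in the Security log. The LogonType 9 / seclogo / Negotiate heuristic and the sample events are assumptions of this example, not something the deck states.

```powershell
# Added example (not from the deck): look for the session that credential-injection
# tooling creates when it places another NTOWF into LSASS. Windows logs it as
# Security event 4624 with LogonType 9 (NewCredentials), logon process "seclogo"
# and authentication package "Negotiate". Assumed heuristic: "runas /netonly"
# produces the same pattern, so hits are leads to investigate, not proof.
function Get-NewCredentialsLogons {
    param([Parameter(ValueFromPipeline)] $Event)   # objects carrying the 4624 fields used below
    process {
        if ($Event.LogonType -eq 9 -and
            $Event.LogonProcessName -eq 'seclogo' -and
            $Event.AuthenticationPackageName -eq 'Negotiate') {
            [pscustomobject]@{
                Time     = $Event.TimeCreated
                Computer = $Event.Computer
                # The new session is a clone of the caller's token, so the event names the
                # caller (Fred), not the injected identity; correlate with logons on other hosts.
                Subject  = $Event.SubjectUserName
                Session  = $Event.TargetUserName
            }
        }
    }
}

# Flatten live 4624 events into the shape above (field names are the event's own EventData names).
function Read-Logon4624 {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated; Computer = $_.MachineName
                LogonType = [int]$d.LogonType; LogonProcessName = $d.LogonProcessName
                AuthenticationPackageName = $d.AuthenticationPackageName
                SubjectUserName = $d.SubjectUserName; TargetUserName = $d.TargetUserName
            }
        }
}

# Constructed sample events (not real log data): a normal network logon, then an injected-credential session.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2014-05-13 09:00'; Computer = 'Sue-PC';  LogonType = 3; LogonProcessName = 'NtLmSsp'
                       AuthenticationPackageName = 'NTLM';      SubjectUserName = '-';    TargetUserName = 'Sue' }
    [pscustomobject]@{ TimeCreated = '2014-05-13 09:05'; Computer = 'Fred-PC'; LogonType = 9; LogonProcessName = 'seclogo'
                       AuthenticationPackageName = 'Negotiate'; SubjectUserName = 'Fred'; TargetUserName = 'Fred' }
)
$sample | Get-NewCredentialsLogons | Format-Table -AutoSize   # reports only the Fred-PC event
# Read-Logon4624 | Get-NewCredentialsLogons                     # the same check over the live log
```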
Demo: Pass-the-Hash with Windows Credential Editor

Agenda: Pass-the-Hash

Problem: Local Account Traversal
Diagram: Fred’s Laptop and Sue’s Laptop each have a Security Accounts Manager containing the same local account, User: Admin, Hash: A2DF….

Local Account Mitigations
Two new well-known groups:
“Local account”
“Local account and member of Administrators group”
Useful for restricting access

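One way to check that the new groups are actually being used to restrict access, as an added example that is not part of the deck: it assumes the SIDs Microsoft published for the two groups (S-1-5-113 and S-1-5-114) and reads the effective user-rights assignment with secedit.

```powershell
# Added example (not from the deck): audit whether this machine's user-rights
# assignment denies remote use of local administrator accounts through the new
# well-known group. Assumed SIDs (Microsoft's published values):
#   S-1-5-113  "Local account"
#   S-1-5-114  "Local account and member of Administrators group"
# Run in an elevated PowerShell session; secedit needs administrator rights.
$LocalAdminsSid = 'S-1-5-114'

# The two logon paths that local-account traversal (SMB/RPC, RDP) depends on.
$RightsToCheck = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

function Test-LocalAdminRemoteDeny {
    param([string]$Sid = $LocalAdminsSid)

    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # Export the effective local policy; user rights are listed under [Privilege Rights].
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

    # secedit writes UTF-16; lines look like:  SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113
    $lines = Get-Content $cfg -Encoding Unicode
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $result = @{}
    foreach ($right in $RightsToCheck) {
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $sids = if ($line) {
            (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
        } else { @() }
        $result[$right] = ($sids -contains $Sid)   # absent line means the right is not configured
    }
    return $result
}

$status = Test-LocalAdminRemoteDeny
foreach ($r in $RightsToCheck) {
    $state = if ($status[$r]) { "denied for $LocalAdminsSid (good)" }
             else { 'NOT denied: a stolen local admin hash still works over this path' }
    Write-Host ("{0,-36} {1}" -f $r, $state)
}
```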
Demo: Local Account Mitigations

Agenda: Pass-the-Hash

Problem: Domain Credential Harvesting
Diagram: Sue’s Laptop, Local Security Authority (LSASS) and its Credential Store: NTLM (NTOWF: C9DF4E56A2D1…), Digest (Password: a1b2c3), Kerberos (Ticket-Granting Ticket and Service Tickets).

Domain Account Mitigations
Reduced credential footprint
Aggressive session expiry
New “Protected Users” RID
Hardened LSASS process

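An added example (not from the deck) of putting the Protected Users mitigation to work: it lists privileged domain accounts that have not yet been placed in the group. It assumes the ActiveDirectory RSAT module, default group names, and a domain whose PDC emulator has created the Protected Users group.

```powershell
# Added example (not from the deck): report privileged accounts that are not yet
# in "Protected Users". Requires the ActiveDirectory module and a domain in which
# the group exists (created by a Windows Server 2012 R2 PDC emulator).
Import-Module ActiveDirectory

# Groups whose members a credential harvester most wants (assumed list; add your own tier-0 groups).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-UnprotectedPrivilegedUsers {
    param([string[]]$Groups = $PrivilegedGroups)

    # Compare by SID so renamed or nested accounts are still matched.
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SID.Value }

    $privileged = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }

    $privileged |
        Sort-Object -Property { $_.SID.Value } -Unique |
        Where-Object { $protected -notcontains $_.SID.Value } |
        Select-Object SamAccountName, DistinguishedName
}

# Members of Protected Users cannot authenticate with NTLM, Digest or CredSSP,
# cannot be delegated, and get a 4-hour TGT: the "reduced credential footprint"
# and "aggressive session expiry" bullets above, applied per account.
Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
```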
Demo: Domain Account Mitigations

Agenda: Pass-the-Hash

Problem: Remote Administration
Diagram: Sue’s Helpdesk PC runs a Remote Desktop Client with User: Sue, Pass: a1b2c3 connected to Fred’s Laptop. Fred’s Laptop’s LSASS Credential Store now holds NTLM (NTOWF: C9…), Digest (Pass: a1b2c3) and Kerberos Tickets for Sue, and Mimikatz is shown reading that Credential Store.

Restricted Administration Mode
Restricted Administration Mode allows remote administrators to connect without delegation
Attaches machine credentials to session

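An added example (not from the deck) of the helpdesk workflow this mode enables: confirm the target will honour Restricted Administration, then connect with the RDP client’s /restrictedadmin switch. It assumes the documented LSA value DisableRestrictedAdmin (0 = mode allowed, 1 = blocked), remote-registry access to the target, and the hostname Fred-PC from the deck’s diagrams.

```powershell
# Added example (not from the deck): before opening an RDP session to a machine
# that may already be compromised, check that it honours Restricted Administration
# mode, then connect with /restrictedadmin so neither the helpdesk password nor
# its NTOWF is ever sent to that host. Assumes the documented LSA value
# DisableRestrictedAdmin (0 = allowed, 1 = blocked) and remote-registry rights.
function Test-RestrictedAdminEnabled {
    param([Parameter(Mandatory)][string]$ComputerName)

    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa   = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $lsa.GetValue('DisableRestrictedAdmin', $null)
    } finally { $reg.Close() }

    if ($null -eq $value) {
        # No explicit setting: the platform default applies and differs by OS and
        # patch level, so report it as unknown rather than guessing.
        return 'Unknown'
    }
    if ($value -eq 0) { return 'Enabled' } else { return 'Disabled' }
}

function Connect-RestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)

    $state = Test-RestrictedAdminEnabled -ComputerName $ComputerName
    if ($state -ne 'Enabled') {
        Write-Warning "$ComputerName reports Restricted Admin = $state; an ordinary RDP logon would leave your credential on that host."
        return
    }
    # /restrictedadmin: the target's LSASS never receives the user's password or
    # NTOWF; outbound connections from the session use the target's machine
    # account, which is the "attaches machine credentials" behaviour above.
    Start-Process mstsc.exe -ArgumentList "/v:$ComputerName", '/restrictedadmin'
}

Connect-RestrictedAdmin -ComputerName 'Fred-PC'   # hostname taken from the deck's diagrams
```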
Demo: Restricted Remote Administration

Agenda: Pass-the-Hash

Problem: Privileged User Credential Replay
Diagram: User: Sue appears on the IT admin terminal, the Domain Controller and the Lobby kiosk; the two users shown are Fred and Sue.

Authentication Policies and Silos
Enable isolation of users or resources
Keeps user in their silo
Prevents outside access to silo
2012R2 domains support Authentication Policies and Silos
Policies allow custom ticket lifetime and issuance conditions
Can restrict users and service accounts
Diagram: PTHDemo Domain. “Sue Lockdown” Authentication Silo (Members: Sue; Sue-PC) with Policy: “Sue Lockdown”. “Sue Lockdown” Authentication Policy: Ticket lifetime: 4 hours; Conditions: Users use Silo PCs. Users: Sue (Silo: Sue), Fred. Computers: Fred-PC, Sue-PC (Silo: Sue).

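The “Sue Lockdown” silo and policy from the diagram, built with the ActiveDirectory module, as an added example that is not part of the deck. It assumes a 2012 R2 domain in which the DCs and Sue-PC have the Group Policy settings for claims, compound authentication and Kerberos armoring enabled, and that the SDDL condition and cmdlet parameters are the documented ones.

```powershell
# Added example (not from the deck): create the "Sue Lockdown" silo and policy.
# Assumes a Windows Server 2012 R2 domain where DCs and the silo PCs have the
# "support for claims, compound authentication and Kerberos armoring" policies
# enabled, which silos rely on. Run as a domain administrator.
Import-Module ActiveDirectory

$SiloName   = 'Sue Lockdown'
$TgtMinutes = 240        # "Ticket lifetime: 4 hours" from the diagram

# Condition "Users use Silo PCs": a user TGT is issued only when the requesting
# device is itself a member of this silo (documented SDDL form, assumed here).
$OnlyFromSiloDevices = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'

function New-SueLockdownSilo {
    param(
        [string[]]$Users     = @('Sue'),
        [string[]]$Computers = @('Sue-PC')
    )
    # Policy: short ticket lifetime plus an issuance condition on the device.
    New-ADAuthenticationPolicy -Name $SiloName -Enforce `
        -UserTGTLifetimeMins $TgtMinutes `
        -UserAllowedToAuthenticateFrom $OnlyFromSiloDevices

    # Silo: applies the policy to the users, computers and service accounts placed in it.
    New-ADAuthenticationPolicySilo -Name $SiloName -Enforce `
        -UserAuthenticationPolicy $SiloName `
        -ComputerAuthenticationPolicy $SiloName `
        -ServiceAuthenticationPolicy $SiloName

    # Membership is two-sided: the silo must admit the account, and the account
    # must be assigned to the silo. Fred and Fred-PC stay outside, so Sue's
    # credential is never issued a TGT from Fred's laptop.
    foreach ($u in $Users) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $u
        Set-ADUser -Identity $u -AuthenticationPolicySilo $SiloName
    }
    foreach ($c in $Computers) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account (Get-ADComputer -Identity $c)
        Set-ADComputer -Identity $c -AuthenticationPolicySilo $SiloName
    }
}

New-SueLockdownSilo
# Verify: Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members
```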
Demo: Authentication Policies and Silos

Mitigations on Windows 7 and Windows 8.1
The following features will be available on Windows 7 and Windows 8.1:
Local account well-known groups
Reduced credential footprint
RDP client /restrictedadmin
Protected Users

Conclusion
Comprehensive network security must address Pass-the-Hash
New Windows mitigations are available:
Local account protections
Domain account protections
Protected domain accounts
Authentication policies and Silos

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.