Pass-the-Hash Attacks - DSInternals · 1997 –Pass-the-Hash demonstrated using a modified Samba...

Preview:

Click to see full reader

Citation preview

Michael Grafnetter

www.dsinternals.com

Pass-the-Hash Attacks

Agenda

PtH Attack Anatomy

Mitigation

– Proactive

– Reactive

Windows 10 + Windows Server 2016

PtH History and Future

1988 – Microsoft releases Lan Manager

1997 – Pass-the-Hash demonstrated using a modified Samba

2007 – Benjamin Delpy releases Mimikatz

2008 – Pass-the-Ticket attack demonstrated

2012 – Microsoft releases Pass-the-Hash guidance

2013 – Windows contains built-in defenses against PtH

2015 – Michael Grafnetter releases the DSInternals tools ;-)

2016 – More defense mechanisms coming to Windows

PtH Attack Anatomy

Theft Use Compromise

Lateral and Vertical Movement

Metasploit Framework

Metasploit Framework

Mimikatz

DEMO

Pass-the-Hash + RDP

LSASS NTLM Hashes

Passing the Hash

PtH Attack Premises

Single

Sign-On

Symmetric

Cryptography

Pass-the-Hash

Attack Surface

Stealing the Hash

Credentials Lifecycle / Attack Vectors

Credentials Lifecycle / Attack Vectors

Hashes in SAM/AD

Authentication Method Hash Function Salted

LM DES NO

NTLM, NTLMv2 MD4 NO

Kerberos (RC4) MD4 NO

Kerberos (AES) PBKDF2 (4096*HMAC_SHA1) YES

Digest MD5 YES

Active Directory Database - Offline Files

– C:\Windows\NTDS\ntds.dit

– C:\Windows\System32\config\SYSTEM

Acquire

– Locally: ntdsutil IFM

– Remotely: WMI (Win32_Process), psexec

– Offline: VHDs, VMDKs, Backups

Extract

– Windows: DSInternals PowerShell Module

– Linux: NTDSXtract

DEMO

Extracting hashes from ntds.dit

GUI Tools

KRBTGT Account

Proactive Measures

Encryption

RODC

Backup protection

Regular password changes

Active Directory Database - Online

MS-DRSR/RPC

Go to www.dsinternals.com for demo ;-)

Proactive Measures

Avoid using administrative accounts

Do not run untrusted SW

Do not delegate the right to replicate directory changes

Use an application firewall / IDS ???

SAM Database

Offline

– Files

• C:\Windows\System32\config\SAM

• C:\Windows\System32\config\SYSTEM

– Tools

• Windows Password Recovery

Online

– Mimikatz

Online SAM Dump

Proactive Measures

Bitlocker

Randomize local Administrator passwords

Restrict administrative access

LSA Protected Process

GP Local Admin Pwd Management Solution

Restrict Local Admins - KB2871997

Credentials Lifecycle / Attack Vectors

Windows Integrated Authentication

LSASS NTLM Hashes

LSASS Kerberos Keys

LSASS Kerberos Tickets

Memory Dump

Memory Dump

SSP Cached Creds (SSO)

Proactive Measures

Enable Additional LSA Protection?

Restrict administrative access

Applocker/SRP whitelisting

Protected Users group

Restricted Admin RDP

Authentication Policies and Silos

Disable Automatic Restart Sign-On

Do not submit minidumps

Enabling LSA Protected Process

Disabling LSA Protected Process

Protected LSA

Protected LSA

Bypassing the LSA protection

Bypassing the LSA protection

Debug Privilege

RestrictedAdmin RDP - KB2871997

Credential Delegation – Security vs. Comfort

Disable Wdigest SSO – KB2871997

Protected Users Group

Automatic Restart Sign-On

Blacklisting?

Credentials Lifecycle / Attack Vectors

ARP Poisoning + NTLM Downgrade

Using the Hash/Key/Ticket

Passing the Hash

PTH Firefox

RDP NTLM Authentication

Kerberos Golden and Silver Tickets

Proactive Measures Disable NTLM Authentication

Disable Kerberos RC4-HMAC

Shorten Kerberos ticket lifetime

Implement Smartcard Authentication

Strengthening Kerberos Security

Kerberos Ticket Lifetime

SmartCard Authentication

PtH Mitigation Strategies

Planning for compromise

Identify all high-value assets

Protect against known and unknown threats

Detect PtH and related attacks

Respond to suspicious activity

Recover from a breach

NIST Framework for Improving

Critical Infrastructure Cybersecurity

NIST Framework for Improving

Critical Infrastructure Cybersecurity

High-Value Accounts

Admins

– Domain Adminis

– Enterprise Admin

– Schema Adminis

– BUILTIN\Administrators

– BUILTIN\Hyper-V Adminstrators

Service Accounts

– SCCM, SCOM, DPM, Software Installation,…

BMC Accounts

Tier Model

Tier Model - Administrative logon restrictions

Authentication Policies and Silos

PtH Detection

Attack Graph

Events

Authentication

– Success

– Failure

Replication Traffic

Group Membership Changes

Audit Process Creation

Audit Process Creation

Audit Process Creation

Reactive Measures

Change account passwords (including services!)

Reset computer account passwords

Disable+Enable smartcard-enforced accounts

Reset KRBTGT account

Implement countermeasures

Windows 10 + Windows Server 2016

Hypervisor Code Integrity protected by VSM

Device Guard

Privileged Access Management for AD

Microsoft Passport (FIDO) + Windows Hello

Endanced AD FS / DRA GUI

Next Steps

Learn more about PtH Attacks

Have fun with the tools

Secure your network

Michael Grafnetter

www.dsinternals.com

Pass-the-Hash Attacks

Recommended

Evolving Hash Functions using Genetic Algorithmsajiips.com.au/papers/V4.1/V4N1.4 - Evolving Hash Functions using... · hash function called "PKP Hash" by Peter.K.Pearson [5] that
Documents
Hash Functions and Hash Tables - CSE, IIT Bombay
Documents
Pass-The-Hash Toolkit for Windows Implementation & use · – Lots of impl. with the same approach since then: » Samba-TNG provides built-in functionality for ‘passing-the-hash’
Documents
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is
Documents
Red vs. Blue Conf... · Active Directory Domain Controller database . * Dump Kerberos tickets for all users. * for current user. Credential Injection Password hash (pass-the-hash)
Documents
Some Cryptanalytic Results on Zipper Hash and Concatenated ... · Zipper hash is a two pass scheme, which makes it un t for practical consideration. But, from the theoretical point
Documents
Mitigating Pass-the-Hash (PtH) Attacks and Other ... · PDF fileMitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques Mitigating the risk of lateral movement
Documents
Cryptographic Hash Functions CS432. Overview Hash Functions Hash Algorithms: MD5 (Message Digest). MD5 (Message Digest). SHA1: (Secure Hash Algorithm)
Documents
Recommendation for applications using approved … WORDS: digital signatures, hash algorithm, hash function, hash-based key derivation algorithms, hash value, HMAC, message digest,
Documents
Chapter 3 Public Key Cryptography · 30 One way datadata hash value hash value. 31 Collision resistant datadata hash function hash value hash value datadata. 32 Message Authentication
Documents
Hash-Based Indexingadrem.uantwerpen.be/sites/default/files/db2-hash-indexes.pdfHash-Based Indexing Hash-Based Indexing Static Hashing Hash Functions Extendible Hashing Search Insertion
Documents
Tweakable Hash Functions in Stateless Hash-Based Signature
Documents
DSInternals PowerShell Module
Documents
Olympics, hash lyrics, forthcoming events, hash humour etc
Documents
Pass-the-Hash: How Attackers Spread and How to Stop … · Pass-the-Hash: How Attackers Spread and How to Stop Them . HTA-W03 . Mark Russinovich . Technical Fellow . Microsoft Corporation
Documents
Microsoft - Mitigating Pass-The-Hash (PtH) Attacks and Other Credential Theft Techniques_English
Documents
Viewfinity and Pass the Hash - download.101com.comdownload.101com.com/pub/mcp/Files/Viewfinity_-_Pass_the_Hash.pdf · Viewfinity and pass-the-hash Viewfinity provides the only solution
Documents
Cryptographic Hash functions Hash Functions RIPEMD-160 and
Documents
How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods
Software
Pass-the-Hash II: The Wrath of Hardware - RSA … ID: #RSAC Nathan Ide. Pass-the-Hash II: The Wrath of Hardware. HTA-R03. Principal Software Engineering Lead. Microsoft, Windows security
Documents