Pass-the-Hash: How Attackers Spread and How to Stop Them
Mark Russinovich, Technical Fellow, Microsoft Azure
Nathan Ide, Principal Dev Lead, Microsoft Windows



Page 2

Pass-the-Hash == Single-Sign On

Pass-the-hash is the use of a saved credential or authenticator

It exists solely to support single-sign on (SSO)

If you want SSO, you are exposed to PTH

In other words: if you want SSO, pass-the-hash cannot be “fixed”

This is not a “Windows problem”

There are two types of pass-the-hash:

Credential reuse: using the saved credential on the system on which it was saved

Credential theft: taking the saved credential to another system and using it from there


Page 3

Agenda

Pass-the-Hash Technique

Pass-the-Hash on Windows Today

New Windows Mitigations:

Local Account

Domain Account

Restricted Remote Administration

Authentication Policies and Silos

Page 4

Single-Sign On, Explained

[Diagram: Sue’s Laptop (User: Sue, Password: a1b2c3; Sue’s User Session, User: Sue, Password hash: C9DF4E…) talking to a File Server, which ends up with its own Sue’s User Session (User: Sue, Password hash: C9DF4E…). Steps 1 to 4 are marked on the arrows.]

1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue

Page 5

Pass-the-Hash Technique

[Diagram: Fred’s Laptop holds Fred’s User Session (User: Fred, Password hash: A3D7…) and a Malware User Session with the same User: Fred, Hash: A3D7…. Sue’s Laptop holds Sue’s User Session (User: Sue, Password hash: C9DF…) and, after step 2, a Malware User Session running as User: Fred, Hash: A3D7…. The File Server ends up with a session for User: Sue, Hash: C9DF. Steps 1 to 3 are marked on the arrows.]

1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue


Page 7

Windows Pass-the-Hash in the News


The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

“… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ...”

Page 8

Windows Pass-the-Hash in Mark’s Inbox

PsExec EULA

You are not permitted to use PsExec for illegal activity.

Page 9

Windows Single-Sign On Architecture

[Diagram: Sue’s Laptop (User: Sue, Hash: C9DF4E…) and the domain controller PTHDemo-DC (192.168.1.1, labelled User: Sue, Password: a1b2c3). Inside the laptop’s Local Security Authority (LSASS), one entry per authentication package: NTLM holds NTOWF: C9DF4E56A2D1…; Digest holds Password: a1b2c3; Kerberos holds a Ticket-Granting Ticket and several Service Tickets obtained from the DC. Everything cached in LSASS is labelled the “Credential footprint”.]

Page 10

Windows Pass-the-Hash “Discovery”

Page 11

Microsoft Guidance

Microsoft published Pass-the-Hash guidance in December 2012.

Highlighted best practices and dispelled urban legends

Page 12

Pass-the-Hash Tools on Windows

[Diagram: Sue’s Laptop, Local Security Authority (LSASS) Credential Store with NTLM (NTOWF: C9DF4E56A2D1…), Digest (Password: a1b2c3) and Kerberos (Ticket-Granting Ticket, Service Tickets), alongside a second NTOWF: A3D723B95DA… placed in the store.]

Page 13

Demo

Pass-the-Hash with Windows Credential Editor


Page 15

Problem: Local Account Traversal

[Diagram: Fred’s Laptop and Sue’s Laptop each have a Security Accounts Manager holding the same local account, User: Admin, Hash: A2DF…; the hash taken from one laptop is shown being used against the other.]

Page 16

Local Account Mitigations

Two new well-known groups:

“Local account”

“Local account and member of Administrators group”

Useful for restricting access
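Added example, not from the deck: the well-known groups are only useful once they appear in a deny right, so this script denies network and Remote Desktop logon to “Local account and member of Administrators group” on one PC and then checks the effective policy. It assumes Windows 8.1 / Server 2012 R2 (or Windows 7 / 8 with the update that adds the groups), an elevated prompt, and the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group).

```powershell
# Added example (not the deck's own code). Deny network and RDP logon to the
# "Local account and member of Administrators group" well-known group so a local
# Admin hash copied from one PC cannot be used to log on to another.
# Well-known SIDs: S-1-5-113 = Local account,
#                  S-1-5-114 = Local account and member of Administrators group.
$DenySid = 'S-1-5-114'

# Security template applied with secedit. Caveat: the template REPLACES the two
# rights, so any principals already assigned to them (see the export below)
# must be merged into the same comma-separated list before applying.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *{SID}
SeDenyRemoteInteractiveLogonRight = *{SID}
'@
$Template = $Template.Replace('{SID}', $DenySid)

$Inf = Join-Path $env:TEMP 'deny-local-admin.inf'
Set-Content -Path $Inf -Value $Template -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\deny-local-admin.sdb" /cfg $Inf /areas USER_RIGHTS /quiet

function Test-DenyRightAssigned {
    # Export the effective user-rights policy and confirm both deny rights carry the SID.
    param([string]$Sid)
    $Export = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $Export /areas USER_RIGHTS /quiet | Out-Null
    $Lines = Get-Content -Path $Export
    foreach ($Right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $Line = $Lines | Where-Object { $_ -like "$Right *" }
        if (-not ($Line -and "$Line".Contains("*$Sid"))) { return $false }
    }
    return $true
}

if (Test-DenyRightAssigned -Sid $DenySid) { "Local administrators are denied network and RDP logon" }
else { Write-Warning "Deny rights for $DenySid are not in effect" }
```

On a domain the same two rights are deployed fleet-wide through Group Policy (User Rights Assignment) rather than per machine; the export check above still works on each client.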

Page 17

Demo

Local Account Mitigations


Page 19

Problem: Domain Credential Harvesting

[Diagram: Sue’s Laptop, Local Security Authority (LSASS) Credential Store with NTLM (NTOWF: C9DF4E56A2D1…), Digest (Password: a1b2c3) and Kerberos (Ticket-Granting Ticket, Service Tickets); all of these domain secrets are available to be harvested from the store.]

Page 20

Domain Account Mitigations

Reduced credential footprint

Aggressive session expiry

New “Protected Users” RID

Hardened LSASS process
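Added example, not from the deck: the “Protected Users” group is only effective for the accounts actually placed in it, so this script lists privileged users that are not yet members and adds them. It assumes the ActiveDirectory module, a domain whose PDC emulator runs Windows Server 2012 R2 (which creates the group), and the built-in group names used below; the account name Sue is the deck's.

```powershell
# Added example (not the deck's own code). Members of "Protected Users" cannot
# authenticate with NTLM, Digest or CredSSP, cannot be delegated, and get short
# Kerberos ticket lifetimes, which shrinks the credential footprint the deck
# describes. Caveat: only put human admin accounts in it, never computer or
# service accounts, and test one account first because NTLM-only services will
# stop working for its members.
Import-Module ActiveDirectory

function Get-UnprotectedAdmin {
    # Returns user accounts in the privileged groups that are not in Protected Users.
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    $ProtectedSids = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SID
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' -and $_.SID -notin $ProtectedSids } |
        Sort-Object SamAccountName -Unique
}

function Add-ToProtectedUsers {
    # Adds the given user accounts to Protected Users and reports the new state.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    Get-ADGroupMember -Identity 'Protected Users' |
        Where-Object { $_.SamAccountName -in $SamAccountName } |
        Select-Object SamAccountName, SID
}

# Audit first, then protect a single pilot account (Sue, from the deck) before the rest.
Get-UnprotectedAdmin | Select-Object SamAccountName, DistinguishedName
Add-ToProtectedUsers -SamAccountName 'Sue'
```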

Page 21

Demo

Domain Account Mitigations


Page 23

Problem: Remote Administration

[Diagram: Sue (User: Sue, Pass: a1b2c3) connects from Sue’s Helpdesk PC with the Remote Desktop Client to Fred’s Laptop. The LSASS Credential Store on Fred’s Laptop then holds Sue’s NTLM NTOWF (C9…), her Digest password (a1b2c3) and her Kerberos tickets, where Mimikatz reads them.]

Page 24

Restricted Administration Mode

Restricted Administration Mode allows remote administrators to connect without delegation

Attaches machine credentials to session
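Added example, not from the deck: Restricted Administration mode has to be allowed on the host being administered before the client switch the deck lists (mstsc /restrictedadmin) will work, so this script turns it on, checks it, and shows the client-side call. It assumes Windows 8.1 / Server 2012 R2 (or Windows 7 / 2008 R2 with the update that adds the feature), the LSA value DisableRestrictedAdmin, an elevated prompt on the target, and the host name FILESERVER01 as a placeholder.

```powershell
# Added example (not the deck's own code). Server side: allow Restricted Admin
# connections. DisableRestrictedAdmin = 0 allows the mode; 1 or absent disallows.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-RestrictedAdmin {
    # Records the previous value so the change can be reverted, then sets 0.
    $Before = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    [pscustomobject]@{ Before = $Before; After = 0 }
}

function Test-RestrictedAdmin {
    # True only when the value exists and is 0.
    $Value = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    return ($Value -eq 0)
}

Enable-RestrictedAdmin
if (Test-RestrictedAdmin) { 'Restricted Admin mode is allowed on this host' }
else { Write-Warning 'Restricted Admin mode is still disabled' }

# Client side (run on the admin's own workstation, not on the target; the
# connecting user must be an administrator on FILESERVER01):
#   mstsc.exe /restrictedAdmin /v:FILESERVER01
# The interactive session still runs as the admin, but the password and NTOWF
# are never sent to FILESERVER01, so nothing of the admin's is left in its
# LSASS credential store. Anything that session reaches over the network
# authenticates as the machine account FILESERVER01$ (the "machine credentials"
# on the slide), so shares that expect the admin's own identity will refuse it.
```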

Page 25

Demo

Restricted Remote Administration


Page 27

Problem: Privileged User Credential Replay

[Diagram: the Domain Controller; Sue’s account (User: Sue) is used from the IT admin terminal and also from a Lobby kiosk that Fred uses as well, so her privileged credential is exposed on the kiosk.]

Page 28

Authentication Policies and Silos

Enable isolation of users or resources

Keeps user in their silo

Prevents outside access to silo

2012R2 domains support Authentication Policies and Silos

Policies allow custom ticket lifetime and issuance conditions

Can restrict users and service accounts

[Diagram: PTHDemo Domain. Users: Sue, Fred. Computers: Fred-PC, Sue-PC. “Sue Lockdown” Authentication Silo: Policy “Sue Lockdown”; Members: Sue; Sue-PC (each tagged Silo: Sue …). “Sue Lockdown” Authentication Policy: Ticket lifetime: 4 hours; Conditions: Users use Silo PCs.]
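Added example, not from the deck: the “Sue Lockdown” silo on the slide built with the ActiveDirectory module cmdlets. It assumes a Windows Server 2012 R2 domain functional level, domain controllers with claims and compound identity enabled (the KDC “Support for Dynamic Access Control and Kerberos armoring” policy), clients that send compound identity, and the slide's account names Sue and Sue-PC; the SDDL condition string is the documented AllowedToAuthenticateFrom format.

```powershell
# Added example (not the deck's own code): policy + silo for Sue and Sue-PC.
Import-Module ActiveDirectory

$Name = 'Sue Lockdown'

# Condition from the slide ("Users use Silo PCs"): a user under this policy is
# issued a TGT only when the request comes from a device that is itself a
# member of the same silo. Documented SDDL form for AllowedToAuthenticateFrom.
$FromSiloPCs = 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $Name + '"))'

# Ticket lifetime from the slide: 4 hours = 240 minutes. Omit -Enforce on both
# objects to run in audit mode first and watch for failed-authentication events
# before enforcing.
New-ADAuthenticationPolicy -Name $Name `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromSiloPCs `
    -Enforce

New-ADAuthenticationPolicySilo -Name $Name `
    -UserAuthenticationPolicy $Name `
    -ComputerAuthenticationPolicy $Name `
    -ServiceAuthenticationPolicy $Name `
    -Enforce

# Members: Sue; Sue-PC. Both steps are required: the silo must grant the account
# access, and the account must be assigned to the silo. Fred and Fred-PC are
# left outside, so Sue cannot obtain a TGT from Fred-PC.
foreach ($Account in 'Sue', 'Sue-PC$') {
    Grant-ADAuthenticationPolicySiloAccess -Identity $Name -Account $Account
}
Set-ADUser     -Identity 'Sue'    -AuthenticationPolicySilo $Name
Set-ADComputer -Identity 'Sue-PC' -AuthenticationPolicySilo $Name

function Get-SiloState {
    # Returns the silo's members and whether it is enforced, for a quick check.
    param([string]$SiloName)
    $Silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members, Enforce
    [pscustomobject]@{
        Name     = $Silo.Name
        Enforced = [bool]$Silo.Enforce
        Members  = @($Silo.Members)
    }
}

Get-SiloState -SiloName $Name
```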

Page 29

Demo

Authentication Policies and Silos

Page 30

Mitigations on Windows 7 and Windows 8.1

The following features will be available on Windows 7 and Windows 8.1:

Local account well-known groups

Reduced credential footprint

RDP client /restrictedadmin

Protected Users

Page 31

Conclusion

Comprehensive network security must address Pass-the-Hash

New Windows mitigations are available:

Local account protections

Domain account protections

Protected domain accounts

Authentication policies and Silos


Page 33

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.