Pass-the-Hash: How Attackers Spread and How to Stop Them
Mark Russinovich, Technical Fellow, Microsoft Azure
Nathan Ide, Principal Dev Lead, Microsoft Windows
Pass-the-Hash == Single-Sign On
Pass-the-hash is the use of a saved credential or authenticator
It exists solely to support single-sign on (SSO)
If you want SSO, you are exposed to PTH
In other words: if you want SSO, pass-the-hash cannot be “fixed”
This is not a “Windows problem”
There are two types of pass-the-hash:
Credential reuse: using the saved credential on the system on which it was saved
Credential theft: taking the saved credential to another system and using it from there
Agenda
Pass-the-Hash Technique
Pass-the-Hash on Windows Today
New Windows Mitigations:
  Local Account
  Domain Account
  Restricted Remote Administration
  Authentication Policies and Silos
Single-Sign On, Explained
[Diagram: Sue’s Laptop (User: Sue, Password: a1b2c3) holds Sue’s User Session with her password hash (C9DF4E…); the File Server holds a second session for Sue; steps 1 to 4 are numbered on the arrows]
1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue
Pass-the-Hash Technique
[Diagram: Fred’s Laptop (Fred’s User Session, User: Fred, Password hash: A3D7…) → Sue’s Laptop (Sue’s User Session, User: Sue, Hash: C9DF…, plus a Malware User Session running as Fred) → File Server (Malware User Session running as Sue); steps 1 to 3 are numbered on the arrows]
1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue
Windows Pass-the-Hash in the News
The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.
“… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ...”
Windows Pass-the-Hash in Mark’s Inbox
PsExec EULA: You are not permitted to use PsExec for illegal activity.
Windows Single-Sign On Architecture
[Diagram: Sue’s Laptop (User: Sue, Hash: C9DF4E…) and PTHDemo-DC. Inside the Local Security Authority (LSASS) on the laptop: the NTLM package holding the NTOWF (C9DF4E56A2D1…), the Digest package holding the cleartext password (a1b2c3), and the Kerberos package holding the Ticket-Granting Ticket and several Service Tickets; further labels on the slide: Password: a1b2c3, User: Sue, 192.168.1.1, Service Ticket. The set of material held in LSASS is labelled the “Credential footprint”.]
Windows Pass-the-Hash “Discovery”
Microsoft Guidance
Microsoft published Pass-the-Hash guidance in December 2012.
Highlighted best practices and dispelled urban legends
Pass-the-Hash Tools on Windows
[Diagram: Sue’s Laptop; inside LSASS the NTLM package (NTOWF: C9DF4E56A2D1…), the Digest package (Password: a1b2c3), the Kerberos package (Ticket-Granting Ticket, Service Tickets) and the Credential Store; a second NTOWF (A3D723B95DA…) is shown being placed alongside Sue’s]
Demo: Pass-the-Hash with Windows Credential Editor
Problem: Local Account Traversal
[Diagram: Fred’s Laptop and Sue’s Laptop each hold, in their Security Accounts Manager, the same local account (User: Admin, Hash: A2DF…), so the one hash is valid on both machines]
Local Account Mitigations
Two new well-known groups:
“Local account”
“Local account and member of Administrators group”
Useful for restricting access
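As an added example (not from the presentation), a PowerShell audit that reports whether a machine's effective local policy denies network and Remote Desktop logon to the two new well-known groups, which is the restriction they exist to make possible. It assumes an elevated prompt and uses the documented SIDs S-1-5-113 (“Local account”) and S-1-5-114 (“Local account and member of Administrators group”).

```powershell
# Added audit example: does this machine deny network / RDP logon to the local-account groups?
# If "Denied" is False for S-1-5-114 on SeDenyNetworkLogonRight, a shared local admin hash
# taken from one machine is still usable over the network against this one (local account traversal).
$WellKnown = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}
$RightsToCheck = @(
    'SeDenyNetworkLogonRight',           # "Deny access to this computer from the network"
    'SeDenyRemoteInteractiveLogonRight'  # "Deny log on through Remote Desktop Services"
)

# secedit writes the effective User Rights Assignment to a Unicode .inf file.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Lines in [Privilege Rights] look like:  SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113
# Each principal is exported as *SID; strip the leading '*' so we can compare plain SIDs.
$assigned = @{}
foreach ($line in Get-Content $cfg -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# One row per (right, group): Denied = $true means the well-known group is in the deny list.
# A right that is not set at all is absent from the export, so $assigned[$right] is $null
# and -contains correctly yields $false.
foreach ($right in $RightsToCheck) {
    foreach ($sid in $WellKnown.Keys) {
        [pscustomobject]@{
            Right  = $right
            Group  = $WellKnown[$sid]
            Sid    = $sid
            Denied = ($assigned[$right] -contains $sid)
        }
    }
}
```

Run it on a sample of workstations; any row with Denied = False for S-1-5-114 is a machine on which the slide's traversal still works.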
Demo: Local Account Mitigations
Problem: Domain Credential Harvesting
[Diagram: Sue’s Laptop; inside LSASS the NTLM package (NTOWF: C9DF4E56A2D1…), the Digest package (Password: a1b2c3), the Kerberos package (Ticket-Granting Ticket, Service Tickets) and the Credential Store, each holding domain credential material that can be harvested from the process]
Domain Account Mitigations
Reduced credential footprint
Aggressive session expiry
New “Protected Users” RID
Hardened LSASS process
Demo: Domain Account Mitigations
Problem: Remote Administration
[Diagram: Sue connects from Sue’s Helpdesk PC with the Remote Desktop Client (User: Sue, Pass: a1b2c3) to Fred’s Laptop; LSASS on Fred’s Laptop now holds Sue’s NTLM NTOWF (C9…), her Digest password (a1b2c3) and her Kerberos tickets in its Credential Store, where Mimikatz is shown reading them]
Restricted Administration Mode
Restricted Administration Mode allows remote administrators to connect without delegation
Attaches machine credentials to session
Demo: Restricted Remote Administration
Problem: Privileged User Credential Replay
[Diagram: an IT admin terminal, a Lobby kiosk and the Domain Controller, each showing a logon as User: Sue; Fred and Sue are both shown at the kiosk, so Sue’s privileged credential can be replayed from a low-trust machine]
Authentication Policies and Silos
Enable isolation of users or resources
Keeps user in their silo
Prevents outside access to silo
2012R2 domains support Authentication Policies and Silos
Policies allow custom ticket lifetime and issuance conditions
Can restrict users and service accounts
[Diagram: PTHDemo Domain. Users: Sue, Fred. Computers: Fred-PC, Sue-PC. “Sue Lockdown” Authentication Silo (Policy: “Sue Lockdown”; Members: Sue, Sue-PC; Sue and Sue-PC are tagged Silo: Sue …). “Sue Lockdown” Authentication Policy (Ticket lifetime: 4 hours; Conditions: Users use Silo PCs).]
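The “Sue Lockdown” silo and policy from the diagram, built with the ActiveDirectory module cmdlets as an added example (not the presenters' demo code). It assumes a Windows Server 2012 R2 domain with Kerberos armoring enabled (the device condition is evaluated from an armored ticket request), that the user Sue and the computer Sue-PC already exist, and that the SDDL condition string follows Microsoft's documented form for AllowedToAuthenticateFrom conditions.

```powershell
# Added example: create the "Sue Lockdown" authentication policy and silo described on the slide.
# Assumptions: 2012 R2 domain functional level, Kerberos armoring (FAST) on, user "Sue" and
# computer "Sue-PC" exist. Run from an elevated prompt as a domain administrator.
Import-Module ActiveDirectory

$SiloName   = 'Sue Lockdown'
$PolicyName = 'Sue Lockdown'

# Condition "Users use Silo PCs": an access-check SDDL that passes only when the device the
# TGT request comes from is itself assigned to this silo. The device claim is resolved by the DC.
$FromSiloOnly = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "{0}"))' -f $SiloName

# Policy: TGT lifetime 4 hours (240 minutes) plus the device condition above. -Enforce makes
# the DC reject requests instead of only auditing them.
$policy = New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromSiloOnly `
    -Enforce -PassThru

# Silo: the user policy applies to Sue; the same policy is set as the computer policy so that
# Sue-PC's own ticket requests are also bound to the silo.
$silo = New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $policy `
    -ComputerAuthenticationPolicy $policy `
    -Enforce -PassThru

# Membership is two-sided: the silo must grant the principal access, and the principal must
# be assigned to the silo. Fred and Fred-PC are left outside, as on the slide.
Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account (Get-ADUser 'Sue')
Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account (Get-ADComputer 'Sue-PC')
Set-ADUser     -Identity 'Sue'    -AuthenticationPolicySilo $silo
Set-ADComputer -Identity 'Sue-PC' -AuthenticationPolicySilo $silo

# Verify what the DC will enforce: silo members and the policy's lifetime and condition.
Get-ADAuthenticationPolicySilo -Identity $silo -Properties Members |
    Select-Object Name, Enforce, Members
Get-ADAuthenticationPolicy -Identity $policy |
    Select-Object Name, Enforce, UserTGTLifetimeMins, UserAllowedToAuthenticateFrom
```

After this, a logon as Sue from the lobby kiosk in the earlier slide fails at the DC because the kiosk carries no “Sue Lockdown” silo claim, and any TGT Sue does obtain from Sue-PC expires after 4 hours.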
Demo: Authentication Policies and Silos
Mitigations on Windows 7 and Windows 8.1
The following features will be available on Windows 7 and Windows 8.1:
Local account well-known groups
Reduced credential footprint
RDP client /restrictedadmin
Protected Users
Conclusion
Comprehensive network security must address Pass-the-Hash
New Windows mitigations are available:
Local account protections
Domain account protections
Protected domain accounts
Authentication policies and Silos
© 2014 Microsoft Corporation. All rights reserved.