Pass-the-Hash: How Attackers Spread and How to Stop Them
SESSION ID: HTA-W03
#RSAC

Mark Russinovich, Technical Fellow, Microsoft Corporation
Nathan Ide, Principal Development Lead, Microsoft Corporation

Agenda
- Pass-the-Hash Technique
- Pass-the-Hash on Windows Today
- New Windows Mitigations:
  - Local Account
  - Domain Account
  - Restricted Remote Administration
  - Authentication Policies and Silos

Single-Sign On, Explained
[Diagram: Sue's Laptop (Sue's user session: User: Sue, Password hash: C9DF4E…) authenticating to File Server (Sue's user session: User: Sue, Password hash: C9DF4E…)]
1. Sue enters username and password (a1b2c3)
2. PC creates Sue's user session and keeps her password hash (C9DF4E…) so she is not prompted again
3. PC proves knowledge of Sue's hash to the File Server (an NTLM challenge-response: the hash, not the password, is the secret)
4. File Server creates a session for Sue

Pass-the-Hash Technique
[Diagram: Fred's Laptop (Fred's user session and a malware user session, both User: Fred, Hash: A3D7…) reaching Sue's Laptop (Sue's user session, User: Sue, Hash: C9DF…, plus a malware session running as Fred) and from there the File Server (Sue's user session, User: Sue, Hash: C9DF…)]
1. Fred runs malware; it runs in a session that carries Fred's hash (A3D7…)
2. Malware infects Sue's laptop as Fred: Fred's hash is all it needs to authenticate, and once there it harvests Sue's hash (C9DF…) from her logged-on session
3. Malware infects the File Server as Sue, using Sue's hash
At no point in the chain does the malware need a password.

Windows Pass-the-Hash in the News
Two news excerpts quoted on the slide:
"The virus erased data on three-quarters of Aramco's corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag."
"… I wouldn't say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ..."

Windows Pass-the-Hash in Mark's Inbox
[Screenshot slide]

Windows Single-Sign On Architecture
[Diagram: on Sue's Laptop the Local Security Authority (LSASS) holds, for Sue's logon (User: Sue, Password: a1b2c3):]
- NTLM: the NTOWF (NT one-way function of the password), C9DF4E56A2D1…
- Digest: the plaintext password itself, a1b2c3, kept because Digest authentication needs it
- Kerberos: a Ticket-Granting Ticket issued by PTHDemo-DC (192.168.1.1) and the service tickets obtained with it
Together these are Sue's "credential footprint" on the machine: whatever can be read out of LSASS is enough to act as Sue.

Windows Pass-the-Hash "Discovery"
[Screenshot slide]

Microsoft Guidance
- Microsoft published Pass-the-Hash guidance in December 2012
- Highlighted best practices and dispelled urban legends

Pass-the-Hash Tools on Windows
[Diagram: the LSASS credential store on Sue's Laptop, now holding two NTOWFs (A3D723B95DA… and C9DF4E56A2D1…), the Digest password a1b2c3, and the Kerberos TGT and service tickets: a tool run by one logged-on administrator reads the credentials of every other user logged on to the machine.]

Demo: Pass-the-Hash with Windows Credential Editor

Problem: Local Account Traversal
[Diagram: Fred's Laptop and Sue's Laptop each hold, in their Security Accounts Manager, User: Admin, Hash: A2DF…]
- The built-in local Admin account has the same password, and therefore the same hash (A2DF…), on every machine built from the same image
- One machine's SAM yields a hash that logs on to all the others over the network

Local Account Mitigations
Two new well-known groups:
- "Local account" (S-1-5-113)
- "Local account and member of Administrators group" (S-1-5-114)
Useful for restricting access: deny these groups the network and Remote Desktop logon rights and a harvested local-account hash no longer works from another machine.

Demo: Local Account Mitigations

Problem: Domain Credential Harvesting
[Diagram: the LSASS credential store on Sue's Laptop again: NTLM NTOWF C9DF4E56A2D1…, Digest password a1b2c3, Kerberos TGT and service tickets.]
- Every domain logon leaves this footprint on the machine for as long as the session lives

Domain Account Mitigations
- Reduced credential footprint
- Aggressive session expiry
- New "Protected Users" RID
- Hardened LSASS process

Demo: Domain Account Mitigations

Problem: Remote Administration
[Diagram: Sue's Helpdesk PC (Remote Desktop Client, User: Sue, Pass: a1b2c3) connects to Fred's Laptop, whose LSASS then holds Sue's NTLM NTOWF (C9…), her Digest password (a1b2c3) and a Kerberos ticket; Mimikatz on Fred's Laptop reads the credential store.]
- A normal Remote Desktop connection delegates Sue's full credentials to the machine she is helping; an attacker already on Fred's laptop harvests the helpdesk credential

Restricted Administration Mode
- Allows remote administrators to connect without delegation
- Attaches machine credentials to the session

Demo: Restricted Remote Administration

Problem: Privileged User Credential Replay
[Diagram: a lobby kiosk (Fred) and an IT admin terminal (Sue) both present "User: Sue" to the Domain Controller.]
- Once Sue's credential is stolen, the domain controller accepts it from any machine, a lobby kiosk included

Authentication Policies and Silos
[Diagram: PTHDemo domain. Users: Fred; Sue (Silo: Sue). Computers: Fred-PC; Sue-PC (Silo: Sue).]
"Sue Lockdown" Authentication Policy
- Ticket lifetime: 4 hours
- Conditions: users use silo PCs
"Sue Lockdown" Authentication Silo
- Policy: "Sue Lockdown"
- Members: Sue; Sue-PC
- Enable isolation of users or resources
- Keeps a user in their silo and prevents outside access to the silo
- 2012 R2 domains support Authentication Policies and Silos
- Policies allow custom ticket lifetime and issuance conditions
- Can restrict users and service accounts

Demo: Authentication Policies and Silos

Mitigations on Windows 7 and Windows 8
The following features will be available on Windows 7 and Windows 8:
- Local account well-known groups
- Reduced credential footprint
- RDP client /restrictedadmin
- Protected Users

Conclusion
- Comprehensive network security must address Pass-the-Hash
- New Windows mitigations are available:
  - Local account protections
  - Domain account protections
  - Protected domain accounts
  - Authentication policies and Silos
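Worked configuration for the Local Account Mitigations section above. This is an added example, not code from the deck or from Microsoft: it denies the two new well-known groups the network and Remote Desktop logon rights on a stand-alone Windows 8.1 / Server 2012 R2 (or KB2871997-patched Windows 7/8) machine using secedit. The working directory, file names and the choice to include S-1-5-113 as well as S-1-5-114 are assumptions; domain-joined machines would get the same two user rights from Group Policy instead.

```powershell
# Added example (not from the deck): deny network and Remote Desktop logon to the
# well-known local-account groups with secedit. Run from an elevated shell.

$SidLocalAccount      = 'S-1-5-113'  # "Local account"
$SidLocalAccountAdmin = 'S-1-5-114'  # "Local account and member of Administrators group"

# Both deny rights get both SIDs here. Including S-1-5-113 also stops non-admin
# local accounts from mapping shares; drop it if you depend on such accounts.
$Deny = @{
    SeDenyNetworkLogonRight           = @($SidLocalAccount, $SidLocalAccountAdmin)
    SeDenyRemoteInteractiveLogonRight = @($SidLocalAccount, $SidLocalAccountAdmin)
}

$work = Join-Path $env:TEMP 'local-account-hardening'   # assumed scratch location
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# 1. Export the current user-rights assignments. secedit writes a UTF-16 .inf whose
#    [Privilege Rights] section has lines such as "SeDenyNetworkLogonRight = *S-1-5-32-546".
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $cfg)

# 2. Merge our SIDs into each deny right, keeping what is already assigned:
#    secedit /configure replaces a right's whole list, so a bare overwrite would
#    silently drop existing entries such as Guests.
foreach ($right in $Deny.Keys) {
    $wanted = $Deny[$right] | ForEach-Object { "*$_" }
    $i = 0
    while ($i -lt $lines.Count -and $lines[$i] -notmatch "^\s*$right\s*=") { $i++ }
    if ($i -lt $lines.Count) {
        $current = (($lines[$i] -split '=', 2)[1] -split ',') |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $merged  = @($current) + @($wanted | Where-Object { $current -notcontains $_ })
        $lines[$i] = "$right = " + ($merged -join ',')
    } else {
        # Right not assigned at all yet: add it directly under the section header.
        $hdr = 0
        while ($hdr -lt $lines.Count -and $lines[$hdr] -notmatch '^\[Privilege Rights\]') { $hdr++ }
        if ($hdr -ge $lines.Count) { $lines.Add('[Privilege Rights]'); $hdr = $lines.Count - 1 }
        $lines.Insert($hdr + 1, "$right = " + ($wanted -join ','))
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 3. Apply only the user-rights area so nothing else in local policy is touched.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# 4. Verify. Re-export and show the two deny lines; both should now list the SIDs.
secedit /export /cfg "$cfg.check" /areas USER_RIGHTS | Out-Null
Get-Content "$cfg.check" | Where-Object { $_ -match '^SeDeny(Network|RemoteInteractive)LogonRight' }

# An elevated local-admin shell carries S-1-5-114 in its token, which is what the
# deny rights key on; this shows which of the two groups the current token holds.
whoami /groups | Select-String 'S-1-5-11[34]'
```

To see the mitigation from the attacker's side, try "net use \\<this-host>\c$ /user:<this-host>\Administrator" from another machine with the correct password: it should now fail with error 1385 (the user has not been granted the requested logon type), and so does any pass-the-hash attempt using that account's hash.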
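For the Domain Account Mitigations section above, here is the administrative side of two of the four bullets: the "Protected Users" group and the hardened LSASS process. This is an added example, not the deck's or Microsoft's code. It assumes the ActiveDirectory PowerShell module, a domain whose PDC emulator runs Windows Server 2012 R2 (so the Protected Users group with RID 525 exists), that the "hardened LSASS process" on the slide is the LSA protection (RunAsPPL) setting introduced in Windows 8.1 / Server 2012 R2, and the account name "Sue" from the slides.

```powershell
# Added example (not from the deck): put an admin account in Protected Users and
# turn on LSA protection on the machines it logs on to. Run the group part as a
# domain admin; run the registry part elevated on each workstation (reboot needed).
Import-Module ActiveDirectory

$account = 'Sue'   # account from the slides

# Protected Users members can authenticate only with Kerberos (no NTLM, Digest or
# CredSSP), get no DES/RC4 keys, cannot be delegated, and get a 4-hour TGT, which
# is the "aggressive session expiry" bullet. The same restrictions break service
# and computer accounts, so the membership check below warns about them.
Add-ADGroupMember -Identity 'Protected Users' -Members $account

$members  = Get-ADGroupMember -Identity 'Protected Users' -Recursive
$notUsers = $members | Where-Object { $_.objectClass -ne 'user' }
if ($notUsers) {
    Write-Warning ('Non-user principals in Protected Users: ' + ($notUsers.SamAccountName -join ', '))
}
$pu = Get-ADGroup -Identity 'Protected Users'
if ($pu.SID.Value -notmatch '-525$') {
    Write-Warning 'Protected Users SID does not end in RID 525; verify the group'
}
$members | Select-Object SamAccountName, objectClass

# ---- on each workstation ----------------------------------------------------
# RunAsPPL = 1 starts LSASS as a protected process: code that is not itself a
# signed protected process, even when running as SYSTEM, can no longer open
# LSASS to read the credential store the slides show.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord

# After the reboot Wininit logs System event 12 when LSASS starts protected.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Roll Protected Users out to a pilot group of administrators first: anything that still authenticates those accounts with NTLM, or relies on delegating them, stops working the moment they are added.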
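For the Restricted Administration Mode section above, the two halves of the feature: the RDP host has to permit it and the client has to ask for it. This is an added example, not code from the deck; it assumes the helpdesk scenario from the slides with Fred's laptop named Fred-PC, a file server share name of my own, and that the host part runs elevated on Fred-PC.

```powershell
# Added example (not from the deck): enable Restricted Admin on the RDP host,
# connect with it from the client, and verify no user credential was delegated.

# ---- host (Fred-PC, assumed name) ------------------------------------------
# DisableRestrictedAdmin = 0 turns the mode on; until the value exists the host
# refuses /restrictedadmin connections. With it on, the host never receives
# Sue's password or hash; the session's network identity is Fred-PC's own
# computer account, which is the "attaches machine credentials" bullet.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

function Test-RestrictedAdminEnabled {
    $v = Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRestrictedAdmin -eq 0)
}
Test-RestrictedAdminEnabled

# ---- client (Sue's helpdesk PC) --------------------------------------------
# Without /restrictedadmin the RDP client delegates Sue's full credential to the
# host, which is exactly what the "Problem: Remote Administration" slide shows.
mstsc.exe /restrictedadmin /v:Fred-PC

# ---- checks, run inside the Restricted Admin session on Fred-PC -----------
# 1. No credential reached LSASS, so there is no Kerberos TGT cached for Sue.
klist
# 2. Network access from the session is done as the computer account. A share
#    that grants only Sue (assumed name below) is therefore refused; that is the
#    expected cost of the mode, not a failure of it.
Test-Path '\\FileServer\SueOnly$'
```

Because the host accepts a logon that carries no password, an attacker who holds only a user's NT hash can also connect with /restrictedadmin to such a host; enable the mode on the machines administrators jump to rather than fleet-wide.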
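For the Authentication Policies and Silos section above, the "Sue Lockdown" policy and silo from the slides built with the ActiveDirectory module. This is an added example, not the deck's code. It needs a domain at the Windows Server 2012 R2 functional level, domain controllers with "KDC support for claims, compound authentication and Kerberos armoring" and clients with the matching Kerberos client claims support enabled through Group Policy, and a domain-admin shell. The names Sue, Sue-PC and "Sue Lockdown" come from the deck; the audit-then-enforce sequence and the LDAP attribute names used for the checks are my choices.

```powershell
# Added example (not from the deck): create the "Sue Lockdown" authentication
# policy and silo, assign Sue and Sue-PC to it, check, then enforce.
Import-Module ActiveDirectory

$siloName   = 'Sue Lockdown'
$policyName = 'Sue Lockdown'
$user       = Get-ADUser     -Identity 'Sue'
$computer   = Get-ADComputer -Identity 'Sue-PC'

# Condition "users use silo PCs": the KDC issues Sue a TGT only when the device
# making the request carries the silo claim, i.e. is itself a member of the silo.
# This is the documented SDDL form for UserAllowedToAuthenticateFrom.
$fromSiloOnly = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Policy: 4-hour TGT (240 minutes) plus the device condition. Created without
# -Enforce so it runs in audit mode first and nothing is denied yet.
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloOnly

# Silo: binds user and computer accounts to the policy. An account must be both
# granted access to the silo and assigned to it, or the policy never applies.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName

foreach ($acct in @($user, $computer)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $siloName
}

# Check the assignments before enforcing.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties * |
    Select-Object Name, Enforce, UserAuthenticationPolicy, ComputerAuthenticationPolicy
Get-ADUser     -Identity $user     -Properties 'msDS-AssignedAuthNPolicySilo' | Select-Object Name, 'msDS-AssignedAuthNPolicySilo'
Get-ADComputer -Identity $computer -Properties 'msDS-AssignedAuthNPolicySilo' | Select-Object Name, 'msDS-AssignedAuthNPolicySilo'

# Once Sue has worked from Sue-PC for a while with no audit failures, enforce.
Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

With enforcement on, a logon as Sue from the lobby kiosk in the slide fails at the KDC, and the domain controller records Security event 4820 (TGT denied because the device does not meet the access control restrictions); on Sue-PC, "klist" shows her TGT expiring four hours after issue instead of the default ten.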