Pass-the-Hash: How Attackers Spread and How to Stop Them




Pass-the-Hash: How Attackers Spread and How to Stop Them
SESSION ID: HTA-W03
Mark Russinovich, Technical Fellow, Microsoft Corporation
Nathan Ide, Principal Development Lead, Microsoft Corporation

Pass-the-Hash: Agenda
- Pass-the-Hash Technique
- Pass-the-Hash on Windows Today
- New Windows Mitigations:
  - Local Account
  - Domain Account
  - Restricted Remote Administration
  - Authentication Policies and Silos

Single-Sign On, Explained
Diagram: Sue's Laptop (Sue's user session: User: Sue, Password hash: C9DF4E) and File Server (Sue's user session: User: Sue, Password hash: C9DF4E); Sue types User: Sue, Password: a1b2c3.
1. Sue enters username and password
2. PC creates Sue's user session
3. PC proves knowledge of Sue's hash to Server
4. Server creates a session for Sue

Pass-the-Hash Technique
Diagram: Fred's Laptop (Fred's user session: User: Fred, Password hash: A3D7; Malware user session: User: Fred, Hash: A3D7), Sue's Laptop (Sue's user session: User: Sue, Password hash: C9DF; Malware user session: User: Fred, Hash: A3D7 and User: Sue, Hash: C9DF), File Server (User: Sue, Hash: C9DF).
1. Fred runs malware
2. Malware infects Sue's laptop as Fred
3. Malware infects File Server as Sue


Windows Pass-the-Hash in the News
"I wouldn't say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network..."
"The virus erased data on three-quarters of Aramco's corporate PCs documents, spreadsheets, e-mails, files replacing all of it with an image of a burning American flag."

Windows Pass-the-Hash in Mark's Inbox

Windows Single-Sign On Architecture
Diagram: Sue's Laptop (User: Sue, Password: a1b2c3) authenticates to PTHDemo-DC (192.168.1.1), which issues a Kerberos Ticket-Granting Ticket and Service Tickets. The Local Security Authority (LSASS) on the laptop holds the credential footprint:
- NTLM: NTOWF C9DF4E56A2D1
- Digest: Password a1b2c3
- Kerberos: Ticket-Granting Ticket, Service Tickets

Windows Pass-the-Hash Discovery

Microsoft Guidance
- Microsoft published Pass-the-Hash guidance in December 2012
- Highlighted best practices and dispelled urban legends

Pass-the-Hash Tools on Windows
Diagram: Sue's Laptop, Local Security Authority (LSASS) credential store:
- NTLM: NTOWF C9DF4E56A2D1, A3D723B95DA
- Digest: Password a1b2c3
- Kerberos: Ticket-Granting Ticket, Service Tickets

Demo: Pass-the-Hash with Windows Credential Editor


Problem: Local Account Traversal
Diagram: Fred's Laptop, Security Accounts Manager: User: Admin, Hash: A2DF. Sue's Laptop, Security Accounts Manager: User: Admin, Hash: A2DF. Both machines hold the same local Admin hash, so one stolen hash authenticates to every machine that shares it.

Local Account Mitigations
- Two new well-known groups:
  - Local account
  - Local account and member of Administrators group
- Useful for restricting access
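One way to use the new well-known groups to block local-account traversal, as an added example that is not part of the presentation: deny network and Remote Desktop logon to "Local account and member of Administrators group" (well-known SID S-1-5-114) through a secedit security template, then verify. It assumes an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2, or a Windows 7 / 8 host that has received the update adding these SIDs; file names under $env:TEMP are arbitrary.

```powershell
# Added example, not from the presentation. S-1-5-113 = "Local account",
# S-1-5-114 = "Local account and member of Administrators group".
# S-1-5-114 is the narrower choice: it stops a shared local Admin hash from
# being replayed over the network without breaking non-admin local accounts.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@

$inf = Join-Path $env:TEMP 'deny-local-admin-lateral.inf'
$db  = Join-Path $env:TEMP 'deny-local-admin-lateral.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Caveat: a template replaces each listed right wholesale. If other principals
# are already denied these rights on this host, list them on the same line, or
# deliver the setting through Group Policy (User Rights Assignment) instead.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# Verify: export the effective user rights and show the two deny rights.
$export = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS /quiet
Get-Content $export | Select-String 'SeDeny(Network|RemoteInteractive)LogonRight'

# Check which well-known group the current session carries: a local
# (non-domain) logon shows S-1-5-113, and an elevated session of a local
# Administrators member also shows S-1-5-114.
whoami /groups /fo list | Select-String 'S-1-5-11[34]'
```

After applying, a local Administrators member can still log on at the console but is refused by SMB, WMI and RDP from other machines, which is the traversal path the slide shows.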

Demo: Local Account Mitigations


Problem: Domain Credential Harvesting
Diagram: Sue's Laptop, Local Security Authority (LSASS) credential store:
- NTLM: NTOWF C9DF4E56A2D1
- Digest: Password a1b2c3
- Kerberos: Ticket-Granting Ticket, Service Tickets

Domain Account Mitigations
- Reduced credential footprint
- Aggressive session expiry
- New Protected Users RID
- Hardened LSASS process

Demo: Domain Account Mitigations


Problem: Remote Administration
Diagram: Sue's Helpdesk PC runs a Remote Desktop Client as User: Sue, Pass: a1b2c3, connecting to Fred's Laptop. Fred's Laptop LSASS credential store then holds NTLM NTOWF: C9..., Digest Pass: a1b2c3 and a Kerberos Ticket for Sue; Mimikatz reads them from the credential store.

Restricted Administration Mode
- Restricted Administration Mode allows remote administrators to connect without delegation
- Attaches machine credentials to session

Demo: Restricted Remote Administration


Problem: Privileged User Credential Replay
Diagram: Fred at a lobby kiosk, an IT admin terminal (User: Sue), and the Domain Controller (Sue).

Authentication Policies and Silos
- Enable isolation of users or resources
  - Keeps user in their silo
  - Prevents outside access to silo
- 2012R2 domains support Authentication Policies and Silos
- Policies allow custom ticket lifetime and issuance conditions
- Can restrict users and service accounts
Diagram: PTHDemo Domain, Users (Fred; Sue, Silo: Sue) and Computers (Fred-PC; Sue-PC, Silo: Sue).
- Sue Lockdown Authentication Policy: Ticket lifetime: 4 hours; Conditions: Users use Silo PCs
- Sue Lockdown Authentication Silo: Policy: Sue Lockdown; Members: Sue; Sue-PC
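The "Sue Lockdown" policy and silo from the slide, built with the ActiveDirectory PowerShell module, as an added example that is not the presenters' own demo script. It assumes a domain at the 2012 R2 functional level with KDC support for claims and Kerberos armoring enabled, and that the user Sue and the computer Sue-PC already exist; the policy and silo names are the ones on the slide.

```powershell
# Added example, not from the presentation.
Import-Module ActiveDirectory

$siloName   = 'Sue Lockdown'
$policyName = 'Sue Lockdown'

# Condition "Users use Silo PCs": the KDC issues Sue a TGT only when the
# request comes from a device that is itself a member of the same silo. The
# SDDL references the silo by name through the AuthenticationSilo claim.
$fromSiloPCs = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'

# Ticket lifetime 4 hours, as on the slide. Start with -Enforce $false so the
# policy only audits; switch to $true after reviewing the audit events.
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloPCs `
    -Enforce $false

# The silo binds the policy to its user, computer and service members.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce $false

# Membership is two-sided: the silo must grant access to the account, and the
# account must be assigned to the silo (Members: Sue; Sue-PC).
foreach ($acct in @('Sue', 'Sue-PC$')) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
}
Set-ADUser     -Identity 'Sue'    -AuthenticationPolicySilo $siloName
Set-ADComputer -Identity 'Sue-PC' -AuthenticationPolicySilo $siloName

# Verify the silo, its policy binding and its members.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object Name, Enforce, UserAuthenticationPolicy, Members
```

With the policy enforced, Sue's hash or ticket replayed from the lobby kiosk or any non-silo host is refused a TGT, because the request does not come from a Sue Lockdown member device.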

Demo: Authentication Policies and Silos

Mitigations on Windows 7 and Windows 8
The following features will be available on Windows 7 and Windows 8:
- Local account well-known groups
- Reduced credential footprint
- RDP client /restrictedadmin
- Protected Users

Conclusion
- Comprehensive network security must address Pass-the-Hash
- New Windows mitigations are available:
  - Local account protections
  - Domain account protections
  - Protected domain accounts
  - Authentication policies and Silos