Although we’ve seen presentations on Pass the Hash attacks for years, now is a good time to actually make good on that New Year’s resolution to start hardening your Active Directory environment against these and other related attacks.
Roughly six months ago, Patrick Jungles, a Security Program Manager working with Microsoft’s Trustworthy Computing group in Redmond, presented a session at the BlueHat Security Briefings event on Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation:
Although this is a slightly older session on the topic, I thought I’d bring it to your attention, since the accompanying whitepaper contains information that wasn’t just used for this presentation, but also for two presentations at TechEd North America and TechEd Europe.
The Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation session at TechEd North America was presented by Aaron Margosis and Mark Simos:
The session at TechEd Europe 2013 in Madrid last month was the wildly popular Live Demonstration: Hacker Tools You Should Know and Worry About, presented by Marcus Murray and Hasain Alshakarti:
Now, both these sessions have their roots in a whitepaper, published by Microsoft in December 2012, on mitigating Pass the Hash (PtH) attacks and other credential theft techniques, like keystroke loggers, stored passwords, brute force attacks, man-in-the-middle attacks and attacks against the Local Security Authority Subsystem (LSASS).
In this 80-page document, written by Patrick Jungles, Mark Simos, Roger Grimes, Aaron Margosis and Laura Robinson, the authors explain what the Pass the Hash (PtH) attack actually is:
A Pass-the-Hash (PtH) attack uses a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers over the network. A PtH attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plaintext password. The password hash value, which is a one-way mathematical representation of a password, can be used directly as an authenticator to access services on behalf of the user through single sign-on (SSO) authentication.
After watching the videos you might want Microsoft to close this gap, but Microsoft is very clear on this point:
Credential theft and reuse is not a problem that can be addressed with a simple software update.
This leaves us with a job, and a serious one: the whitepaper lists the following tasks to mitigate Pass the Hash (PtH) attacks:
- Restrict and protect high privileged domain accounts
- Separate administrative accounts from user accounts for administrative personnel
- Create specific administrative workstation hosts for administrators
- Restrict server and workstation logon access
- Disable the account delegation right for privileged accounts
- Restrict and protect local accounts with administrative privileges
- Enforce local account restrictions for remote access
- Deny network logon to all local accounts
- Create unique passwords for privileged local accounts
- Restrict inbound traffic using the Windows Firewall
Other actions you can take to prevent these types of attacks, also mentioned in the whitepaper, are:
- Remove standard users from the local administrators group
- Limit the number and use of privileged domain accounts
- Configure outbound proxies to deny Internet access to privileged accounts
- Ensure administrative accounts do not have email accounts
- Use remote management tools that do not place reusable credentials on a remote computer’s memory
- Avoid logons to less secure computers that are potentially compromised
- Update applications and operating systems
- Secure and manage domain controllers
- Remove LM hashes
- Disable the NTLM protocol
- Use Smart cards and multifactor authentication
- Use Jump servers
- Reboot workstations and servers
Call to Action
The above actions are considered security best practices. I encourage you to implement these best practices where applicable to your environment, especially since the tools used to perform Pass the Hash (PtH) attacks are freely available to everyone.
Test the impact of your mitigating factors in a test environment, before you implement these into your production environment. If you have no test environment… Think again.
Related videos on Channel 9
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation (BlueHat Security Briefings, Patrick Jungles)
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation (TechEd North America, Aaron Margosis and Mark Simos)
Live Demonstration: Hacker Tools You Should Know and Worry About
(TechEd Europe, Hasain Alshakarti and Marcus Murray)
Channel9 Speaker Profile: Patrick Jungles
Channel9 Speaker Profile: Hasain Alshakarti
Channel9 Speaker Profile: Marcus Murray
Wikipedia on Pass the Hash
Intercepting pass-the-hash attacks
Stop pass-the-hash attacks before they begin
Dissecting the Pass the Hash Attack
Tools used in the TechEd session by Marcus Murray and Hasain Alshakarti
TechEd: Pass the Hash: Preventing Lateral Movement (ATC-B210)
Password Cracking ‘Pass The Hash’ style
New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash
Pass The Hash
Hardening your Windows Client
Mitigating "Pass the Hash"…