Pass-the-Hash.

Presentation transcript:

Pass-the-Hash

Jump Start Agenda
Module 1: Today’s Threat Landscape
Module 2: Key Principles of Security
Module 3: Understanding your enemy!
Module 4: Phases of Hackers
Lunch Break
Module 5: What motivates hackers?
Module 6: Pass the Hash
Module 7: Windows Security Capabilities and Tools

Module Insights
Explore the major threat coming with pass-the-hash and the mitigation options available.

Pass the Hash
Every time you connect to the internet, you have instant and direct IP connectivity to…
Wonderful Internet Services
Online Services
Internet cafes in vacation spots
Activities
Ideological Movements
Nation States
Organized Crime

Pass-the-Hash Definition
“Hash” = cached credential
Usually not “cleartext”
Identically powerful to “cleartext” by most systems
Can be stored in memory or persisted on disk
Most operating systems cache credentials for SSO
Diagram labels: Username/Hash, Username/Hash, Username/Password

Pass-the-Hash Technique
Attacker gains local admin access to initial system
Uses collected hashes to move laterally through the network
Additional hashes are collected as they go
New hashes give access to additional systems
Network/domain privileged account compromised → Game Over
Diagram labels: User A/Hash A, User B/Hash B, User A/Hash A, User B/Hash B

Attack Scenario
Attack activities and their descriptions:
Lateral movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
TechReady 16 7/18/2019
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Typical Pass The Hash Attack
Tiers shown on the slide:
Power: Domain Controllers
Data: Servers and Applications
Access: Users and Workstations
Attack steps:
Bad guy targets workstations.
User running as local admin compromised, bad guy harvests credentials.
Bad guy uses credentials for lateral traversal.
Bad guy acquires domain admin credentials and associated privileges – privilege escalation.
Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.
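The chain described on the "Pass-the-Hash Technique" and "Typical Pass The Hash Attack" slides, turned into a defender-side exposure check; this is an added example, not part of the original presentation. The host names, account names and the inventory format are constructed assumptions, with tiers named after the slide's Access/Data/Power model.

```python
from collections import deque

# Constructed inventory (not from the slides). "admins" = accounts with admin
# rights on the host; "cached" = accounts whose credentials are stored there.
# Tiers: access = workstations, data = servers, power = domain controllers.
TIER_RANK = {"access": 0, "data": 1, "power": 2}
HOSTS = {
    "WS01": {"tier": "access", "admins": {"localadmin", "helpdesk"}, "cached": {"alice", "helpdesk", "localadmin"}},
    "WS02": {"tier": "access", "admins": {"localadmin", "helpdesk"}, "cached": {"bob", "localadmin"}},
    "WS03": {"tier": "access", "admins": {"ws03admin"}, "cached": {"dave", "ws03admin"}},
    "SRV01": {"tier": "data", "admins": {"helpdesk", "svc_backup"}, "cached": {"svc_backup", "da_carol"}},
    "DC01": {"tier": "power", "admins": {"da_carol"}, "cached": {"da_carol"}},
}

def blast_radius(hosts, start):
    """Hosts exposed if `start` is compromised with local admin rights.
    Returns {host: (account_reused, host_it_was_cached_on)}."""
    reached = {start: (None, None)}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for account in sorted(hosts[current]["cached"]):
            for name in sorted(hosts):
                if name not in reached and account in hosts[name]["admins"]:
                    reached[name] = (account, current)
                    queue.append(name)
    return reached

def tier_violations(hosts):
    """Accounts that administer a higher tier but are cached on a lower one."""
    found = set()
    for low, low_info in hosts.items():
        for high, high_info in hosts.items():
            if TIER_RANK[high_info["tier"]] > TIER_RANK[low_info["tier"]]:
                for account in low_info["cached"] & high_info["admins"]:
                    found.add((account, low, high))
    return sorted(found)

if __name__ == "__main__":
    for host, (account, source) in blast_radius(HOSTS, "WS01").items():
        print(host, "initial compromise" if account is None
              else f"exposed via {account} cached on {source}")
    for account, low, high in tier_violations(HOSTS):
        print(f"fix: {account} administers {high} but is cached on {low}")
```

Each tuple from `tier_violations` is a remediation item: removing those two exposures in the sample inventory shrinks the radius from WS01 to the two workstations that share admin accounts.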

Windows Credential Editor NTLM Pass-the-Hash

Crack the Hash

Why can’t Microsoft release an update to fix it?
Pass the Hash and other credential theft attacks exploit the access that an attacker gains by compromising an account in the local administrators group. These accounts have complete control over the computer’s memory, disks, and processor resources.

Current Guidance
Microsoft published Pass-the-Hash guidance in December 2012. It highlighted best practices and dispelled urban legends.

Key Takeaways

Connect with the speakers! @ErdalOzkaya @MiladPFE http://erdalozkaya.com/ https://www.facebook.com/milad.aslaner

TechNet Virtual Labs
Deep technical content and free product evaluations: At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available – all at no cost. Try Windows Server 2012 for up to 180 days. Download the Windows 8 Enterprise 90-day evaluation. Or try Windows Azure at no cost for up to 90 days. Download Microsoft software trials today. Technet.microsoft.com/evalcenter
Hands-on deep technical labs: Microsoft Hands On Labs offer virtual environments that will take you through a guided, technically deep product learning experience. Learn at your own pace in labs that you can complete in 90 minutes or less. No complex setup or installation is required to use TechNet Virtual Labs. Find Hands On Labs. Technet.microsoft.com/virtuallabs
Free, online, technical courses: Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career. Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Windows Azure, Office 365, virtualization, Windows Phone, and more. Take a free online course. microsoftvirtualacademy.com