Pass-The-Hash: Gaining Root Access to Your Network

Pass-The-Hash: Gaining Root Access to Your Network
June 24, 2014
Tim Slaybaugh, Cyber Incident Analyst, Northrop Grumman Information Systems

What is Pass-The-Hash?
“Attackers using PtH completely compromise just about every network they hit. Pretty much every APT attack team uses them.” – Roger Grimes, InfoWorld
FIRST OBJECTIVE – ELEVATE PRIVILEGES, GAIN FULL ACCESS

What is Pass-The-Hash?
First published in 1997 by Paul Ashton.
Allows the use of LM and NTLM hashes to authenticate to a remote host.
Passwords do not need to be cracked.
Hashes can be harvested from the physical disk or from memory.
NTLM hashes are used by THOUSANDS of applications and services, including SharePoint, .NET, Microsoft Exchange and nearly all printers.

How does Pass-The-Hash work?
Requires admin privileges, therefore an exploit has to be run first to gain that access.
Injects into the Local Security Authority Subsystem Service (LSASS) process to access hashes in memory.
Grabs locally stored hashes from the SAM registry hive.
Smartcard credentials and Kerberos tickets can be harvested also!
NOT DETECTABLE by IDS systems, since activity after a Pass-The-Hash exploit looks like normal logins with admin credentials.

SMART CARD credentials are susceptible to Pass-The-Hash because the credentials are cached in the same way as for password authentication. The initial attack relies on STANDARD ATTACK VECTORS that gain elevated privileges on the box, such as a spearphish email, a drive-by, etc. ELEVATED PRIVILEGES can come from a Local Admin account, from privileges elevated out of the victim's own account, etc. By using the hash of KRBTGT, an attacker can create a GOLDEN KERBEROS TICKET that allows authentication even after the admin changes their password!

Pass-The-Hash and Smartcards
Smart card credentials are cached in the same manner as passwords.
Systems that allow either smartcard or password logon store smartcard credentials for a very long time.
Systems that require smartcard-only logon periodically change the hash. In Active Directory this requires the SmartcardLogonRequired option to be toggled.

Pass-The-Hash Tools: PWDump
Latest version is PWDump 7.1. Author: Andres Tarasco Acuna.
Dumps the local SAM hive.
Uses the syskey key from the SYSTEM hive to dump LM and NTLM hashes.
Statically links the OpenSSL library, libeay32.dll; PWDump 6 links lsremora.dll.

There are earlier versions of PWDump with other authors. I often see the name of PWDump changed to something inconspicuous, but libeay32.dll remains unchanged. PWDump is a very common tool and easy to use; I’ve seen it used multiple times in the past few months. PWDump6 requires two dependent files, pwserv.exe and lsremora.dll, and for 64-bit systems there are pwserv64.exe and lsremora64.dll.

PWDump
PWDump runs from the command line and dumps LM and NTLM hashes from the local SAM hive. This is an example of output from PWDump. In this case only NTLM hashes were available in the SAM hive; the output for the LM hashes has been replaced with ‘NO PASSWORD***********’.

PWDump
PWDump with its dependency, libeay32.dll, in $LogFile. Windows metadata files like $LogFile will show PWDump together with its dependency file, libeay32.dll. It is important to note that libeay32.dll is an open source library used by many administrative and incident response tools, such as the memory capture tools Dump-It (Moonsols) and FTK Imager (AccessData). Libeay32.dll is also used by Symantec’s Ghost imager. Finding this file on the workstation of a normal user who does not have admin or incident response duties may be suspicious.

PWDump
PWDump in an AV signature database. After seven iterations of PWDump, the password grabbing tool has become well known to antivirus vendors. Yet it continues to be deployed because of its ease of use. Intruders will often rename, pack or modify the code to avoid AV detection. This is an example of an AV signature database with references to PWDump.

PWDump
Keywords used to identify PWDump activity:
Error reading hive root key
Andres Tarasco Acuna
savedump.dat
Error opening sam hive
raw password extractor
A few keywords used to identify variants of PWDump on an image.

Pass-The-Hash Tools: Mimikatz
Author: Benjamin Delpy.
Support for both x86 and 64-bit systems.
Requires sekurLSA.dll to run.
Extracts hashes and cleartext passwords.
In the latest version of Mimikatz, the library ‘sekurLSA.dll’ is embedded in the file.

Mimikatz
Unlike most PtH tools, Mimikatz will run from the root of Windows. You can identify the location on the system from which the executable ran by the path in the Prefetch trace file. If the tool has not cleaned up after itself, it may still be resident in that path. The location is important to note if the file has been renamed.

Mimikatz
Mimikatz hooks the System Service Descriptor Table (SSDT), similar to rootkit activity. Memory captures are great for identifying PtH activity. Hooked SSDTs are easy to identify in memory with memory forensic tools such as Volatility, seen above. Here the fourth service table (0x82985b6c) contains multiple hooked functions pointing to an unknown driver (in this case mimidrv.sys, the driver for Mimikatz).

Mimikatz
Looking at mimikatz.exe using the Volatility plugin ‘handles’: it hooks lsass.exe and runs from across the network via PSEXECSVC. Using the ‘handles’ plugin you can identify the source of an unknown executable and gain insight into its capability. PID 2616 is the PtH tool, mimikatz.exe.

Mimikatz
‘Handles’ will also identify the hook into the Local Security Authority Subsystem Service (lsass.exe). Vice versa, looking at lsass.exe with the handles plugin you can find the injection from mimikatz.exe. PID 488 is lsass.exe.

Mimikatz
Mimikatz.exe and conhost.exe start up at the same time, indicating that mimikatz is likely being controlled through an interactive console. More observations on Mimikatz running in memory.

Mimikatz
Console activity can be recovered from memory. Using the Volatility plugin ‘consoles’ it is possible to identify recent interactive consoles. How much survives is always contingent upon the VOLUME OF ACTIVITY the system is exposed to, how fast the INCIDENT RESPONSE is, and the SIZE of the memory capture.

Mimikatz
Mimikatz is logged in the Windows power configuration file, ‘energy-ntkl.etl’. WINDOWS VISTA AND WINDOWS 7 introduced a host of new metadata files and logs to the Windows operating environment, NEVER INTENDED FOR FORENSIC EVIDENCE. With the introduction of the power configuration log ‘energy-ntkl.etl’ in Windows 7, any application that calls the functions PowerCreateRequest or SetThreadExecutionState is logged. Mimikatz calls PowerCreateRequest when polling data from a victim system over the network, to prevent the system from going into sleep mode while connected. (Capture shown: from memory.)

Mimikatz
Keywords used to identify Mimikatz activity:
Benjamin DELPY
gentilkiwi
sekurlsa
kiwissp.log
Pass-the-Ticket
Often Pass-The-Hash tools are RENAMED TO HIDE FROM SYSTEM ADMINISTRATORS. However, they will often IMPORT THE SAME NAMED MODULES and output consistently named logs. In this OBJECTS.DATA log you can see the Mimikatz driver, mimikatz.sys, and its dependent library, mimilib.dll, listed.

Pass-The-Hash Tools: gsecdump
Johannes Gumbel, Truesec. Freeware.
Latest version is 2.0b5.
Extracts hashes from the SAM, Active Directory and active logon sessions.
Works with both x86 and 64-bit systems.

Gsecdump
Keywords used to identify gsecdump activity:
Johannes Gumbel
Truesec
dump_usedhashes
crap! / Crap!
gsecdump
The author is fairly animated in the documentation inside the tool. All of the Pass-The-Hash tools we talk about have been designed for penetration testing and contain significant documentation that can be used to locate artifacts.

Pass-The-Hash Tools: PSHToolkit
Author: Hernan Ochoa, Core Labs. Latest version: 1.4.
The toolkit contains three tools: iam.exe, whosthere.exe and genhash.exe.
Iam.exe is used to change/modify NTLM credentials in memory.
Whosthere.exe is used to list logon sessions that are using NTLM credentials.
Genhash.exe is used to test iam.exe.
PSHToolkit is a complete suite of PtH and hash dumping tools. Similar to the PtH tools discussed previously, iam.exe also uses its own library, IAMDLL.DLL.

PSH Toolkit
Iam.exe requires a dependent library, iamdll.dll. Noting the reference to VirtualProtect in the data above, this file appears to be capable of process injection. Analysis of a memory capture can give further details on the activity associated with a process injection. VIRTUALPROTECT changes the protection of an address range in memory; for process injection to occur, one would have to change the protection to _READ_WRITE_EXECUTE. LSASRV.DLL is the legitimate Windows library called by Winlogon.exe to interact with the NTLM authentication package (msv1_0.dll). Strings extracted from iamdll.dll indicate that it is capable of changing NTLM credentials.

PSH Toolkit
Indicators of the PSH Toolkit can be found in several Windows metadata files, like the $LogFile seen above. Since many intruders remove their tools after use, Windows metadata files such as $LogFile, $UsnJrnl and OBJECTS.DATA become valuable resources when tracking down prior activity.

PSH Toolkit
Keywords used to identify PSH Toolkit activity:
Hernan Ochoa
ChangeCreds
GenHash
iamdll.dll
pth.dll
Some of these strings are unique to specific tools within the set; however, the presence of one of the tools will usually indicate that the complete kit was resident. Hernan Ochoa is also the author of the Windows Credential Editor, through Amplia Security.

Pass-The-Hash Tools: Windows Credential Editor
Author: Hernan Ochoa, Amplia Security. Latest release is 1.42 beta.
Support for both x86 and 64-bit systems.
Extracts NTLM credentials from memory as well as Kerberos tickets and cleartext passwords.
WCE.EXE can acquire credentials by process injection or by simply reading LSASS memory. By creating a forged ‘golden’ Kerberos ticket, an intruder can authenticate even after the admin changes their password.

Windows Credential Editor
Windows Time Stamp Library called by WCE.exe. Embedded in WCE.EXE is a dependent library, wceaux.dll; when WCE.EXE executes, this file is dropped on the system. Often the intruder may change the name of WCE.EXE, but the name of the dependency will remain unchanged. RecentFileCache.bcf is part of the Windows Application Experience and Compatibility feature.

Windows Credential Editor
Wceaux.dll is dropped in the user’s AppData\Local\Temp directory. This was found in memory by running the Volatility plugin ‘filescan’. FILESCAN scans memory looking for _FILE_OBJECT structures; it will find files even if they are hidden by a rootkit.

Windows Credential Editor
BootCKCL.etl, located at %System32%\WDI\LogFiles, generates a boot trace each time a profile logs on. WCE.EXE shows up in it if it is set for persistence. Another new log file introduced with Windows 7 is BootCKCL.etl (BootCircularKernelContextLogger), part of the Windows Diagnostic Infrastructure (WDI). The –r switch configures WCE.EXE either to run indefinitely or to run when a new logon occurs. This configuration is reported by the Windows boot trace file, BootCKCL.etl. This file is hidden and requires Administrator permissions to access.

Windows Credential Editor
Windows Credential Editor set for persistence with the –r switch. With this configuration, dumped credentials are written to memory every five seconds, making them easy to extract from a forensic memory image.

Windows Credential Editor
WCE injects into the lsass.exe process every five seconds to dump user credentials. WCE.exe, shown here as PID 4016, is injected into the lsass.exe process. Multiple identical transactions, especially into the lsass.exe process, are a clear sign of an attempt to dump credentials from the local system. This is output from the Volatility plugin HANDLES.

Windows Credential Editor
When WCE.EXE dumps hashes and Kerberos tickets, it creates output files by default in the directory from which it ran. While these files can be renamed and/or deleted by the intruder, evidence of their existence is easy to find through deleted $MFT entries, layout.ini files, etc. WCE.EXE generates output files for password hashes (credentials.txt) and Kerberos tickets (wce_krbtkts), and will also dump Kerberos tickets in UNIX format to wce_ccache.

Windows Credential Editor
Keywords used to identify WCE.EXE activity:
Hernan Ochoa
\\.\pipe\WCEServicePipe
Dump Kerberos tickets to file
Getlsasrvaddr.exe
Evidence can sometimes be as easy to find as looking for the author’s name. Here is a list of keywords that may be helpful in identifying WCE.EXE on your system or network. GETLSASRVADDR.EXE is a tool included with Windows Credential Editor that identifies the addresses in memory for WCE.EXE to read logon sessions from, with no DLL injection required. GETLSASRVADDR.EXE requires an outbound HTTP connection to get symsrv.dll from Microsoft.

APIs Associated with Pass-The-Hash
SamLookupDomainInSamServer
NlpGetPrimaryCredential
LsaEnumerateLogonSessions
SamrOpenDomain
SamrOpenUser
SamIGetPrivateData
SamrQueryInformationUser
SamIConnect
SamRidToSid
One of the most effective ways of identifying a Pass-The-Hash tool that has been renamed is to examine the APIs that the tool uses. This is a list of uncommon or undocumented Windows APIs that are often used by Pass-The-Hash toolkits. IMPORTANT: while many of these may be common in Windows library files (.dll), references to these statically loaded functions in an executable (.exe) would be suspicious.
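The keyword lists on the preceding slides (PWDump, Mimikatz, gsecdump, PSH Toolkit, WCE) and the API list above all come down to one triage step: sweep a file, a carved executable or a memory capture for those strings and report which tool family they point at. The sweep below is an added example written for this page, not a tool from the presentation or from any of the projects it describes. It searches for each keyword both as ASCII and as UTF-16LE (Windows binaries carry many wide strings), case-insensitively, so a renamed executable still attributes to its family. The two sample blobs are constructed; the keyword lists are exactly the ones on the slides.

```python
"""Keyword sweep for pass-the-hash tool artifacts (added example, not from the
presentation). Keyword lists are taken from the slides; sample blobs are
constructed."""
import re
import sys

# Keywords as given on the slides, grouped by tool family. "Hernan Ochoa" is
# listed for both PSH Toolkit and WCE because he authored both.
TOOL_KEYWORDS = {
    "pwdump": [
        "Error reading hive root key", "Andres Tarasco Acuna", "savedump.dat",
        "Error opening sam hive", "raw password extractor",
    ],
    "mimikatz": [
        "Benjamin DELPY", "gentilkiwi", "sekurlsa", "kiwissp.log",
        "Pass-the-Ticket", "mimidrv.sys", "mimilib.dll",
    ],
    "gsecdump": ["Johannes Gumbel", "Truesec", "dump_usedhashes", "gsecdump"],
    "pshtoolkit": ["Hernan Ochoa", "ChangeCreds", "GenHash", "iamdll.dll", "pth.dll"],
    "wce": [
        "Hernan Ochoa", r"\\.\pipe\WCEServicePipe", "Dump Kerberos tickets to file",
        "Getlsasrvaddr.exe", "wceaux.dll",
    ],
}

# Uncommon/undocumented APIs from the slide. Reported separately: they are
# expected inside Windows DLLs, suspicious as static imports of a loose .exe.
PTH_APIS = [
    "SamLookupDomainInSamServer", "NlpGetPrimaryCredential",
    "LsaEnumerateLogonSessions", "SamrOpenDomain", "SamrOpenUser",
    "SamIGetPrivateData", "SamrQueryInformationUser", "SamIConnect", "SamRidToSid",
]


def _pattern(keyword: str) -> re.Pattern:
    """Case-insensitive pattern matching the keyword as ASCII or as UTF-16LE."""
    ascii_form = re.escape(keyword.encode("ascii"))
    wide_form = re.escape(keyword.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)


_COMPILED = {fam: [(kw, _pattern(kw)) for kw in kws] for fam, kws in TOOL_KEYWORDS.items()}
_API_COMPILED = [(api, _pattern(api)) for api in PTH_APIS]


def scan_blob(data: bytes) -> dict:
    """Return {family: [matched keywords]} for each family with at least one hit,
    plus an "apis" entry listing any PtH-associated API names present."""
    hits = {}
    for family, pats in _COMPILED.items():
        found = [kw for kw, pat in pats if pat.search(data)]
        if found:
            hits[family] = found
    apis = [name for name, pat in _API_COMPILED if pat.search(data)]
    if apis:
        hits["apis"] = apis
    return hits


def scan_file(path: str) -> dict:
    """Sweep a whole file (carved binary, $LogFile, memory image) at once."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed sample: fragments as they might appear in a renamed executable
# (a wide string, author strings and two static import names).
SAMPLE_RENAMED_EXE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"svchost_upd.exe\x00"
    + "sekurlsa".encode("utf-16-le") + b"\x00\x00"
    + b"Benjamin DELPY\x00gentilkiwi\x00"
    + b"LsaEnumerateLogonSessions\x00SamIConnect\x00"
)
# Constructed sample with no indicators at all.
SAMPLE_CLEAN = b"MZ\x90\x00Microsoft (R) Windows (R) Operating System\x00notepad.exe\x00"

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = {p: scan_file(p) for p in targets} if targets else {
        "sample_renamed_exe": scan_blob(SAMPLE_RENAMED_EXE),
        "sample_clean": scan_blob(SAMPLE_CLEAN),
    }
    for name, hits in results.items():
        print(f"{name}: {hits or 'no PtH indicators'}")
```

Run it with one or more file paths to sweep real artifacts; with no arguments it scans the two constructed blobs. A hit on libeay32.dll alone is deliberately not in the lists, because the slides note it is shared with legitimate IR and imaging tools; the author-name and module-name strings are far more specific.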

They have my hash. Where do they go from here?
Scenarios for Pass-The-Hash:
Dump all hashes on the local system looking for admin privileges.
Remote Admin support.
Local Admin.
Help Desk support.
Patches and updates.
Database logons.
Assume they were successful. Determine what hashes were grabbed.
****NOTE – Please take a forensic image of the system before doing incident response!!

Credentials from RPC connections can remain cached on the system for a very long time. In environments where a standard BASE IMAGE is used, the local admin account is the same across the enterprise; this makes LATERAL MOVEMENT very easy! Recent HELP DESK logons may be cached, and these accounts usually have super-user privileges. In some instances the intruder has “CREATED” A PROBLEM for the purpose of generating a help desk login. AUTOMATED OR BUILT-IN ACCOUNTS that download patches or push updates often have the same password and access across the entire domain. Database servers (SQL, etc.) cache multiple logon credentials from users across the network, some of which may have elevated privileges. TRUST RELATIONSHIPS can be exploited by anyone who has permissions on another domain.

Was Pass-The-Hash used on your system?
Grep \:[0-9,A-F,a-f]{32,32}\:[0-9,A-F,a-f]{32,32}
Grep \:[0-9,A-W,a-f,\*,\x00]{32,32}\:[0-9,A-F,a-f]{32,32}
We’ve reviewed several ways to identify hash dumping activity on a system by looking for the tools. Another is to look for the hashes themselves. A grep string like the ones above will locate LM and NTLM hashes. The LM HASH, which is still used for backward compatibility, can be turned off by an Administrator; in that case the hash may be replaced with ******NO PASSWORD******, which the second expression allows for. There are different ways and different platforms on which to write a grep expression; this is just the general idea.

Was Pass-The-Hash used on your system?
Sometimes memory may be the only location where you will find dumped hashes. Grep for hashes in memory also!
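The two grep expressions on the previous slide are easy to reproduce in a script that can be pointed at a disk image, a memory capture or a loose file. The code below is an added example for this page, not from the presentation. It implements both sweeps: a strict one that recovers whole pwdump-style user:RID:LM:NT::: records (including the padded NO PASSWORD placeholder that the second grep allows for) and a loose one that matches any :LM:NT: pair, which is what tends to survive in memory. It also flags two conditions worth reporting straight away: a real LM hash being stored (the legacy hash the mitigation slides say to turn off) and the well-known hash of a blank password. The sample dump is constructed; the two blank-password constants are the standard LM and NT hashes of an empty string.

```python
"""Find dumped LM/NTLM hashes in a file or memory image (added example, not
from the presentation). The sample dump below is constructed."""
import re
import sys

HEX32 = rb"[0-9A-Fa-f]{32}"
# pwdump writes a padded "NO PASSWORD****..." placeholder in the LM field when
# LM hashes are disabled; the slide's second grep allows for it with A-W and *.
LM_FIELD = rb"(?:" + HEX32 + rb"|NO PASSWORD\*{1,32})"
# Full pwdump-style record: user:rid:LM:NT:::
PWDUMP_RE = re.compile(
    rb"(?P<user>[^:\r\n\x00]{1,64}):(?P<rid>\d{1,10}):(?P<lm>" + LM_FIELD
    + rb"):(?P<nt>" + HEX32 + rb"):::"
)
# Equivalent of the slide's first grep: two 32-hex fields between colons.
HASH_PAIR_RE = re.compile(rb":(" + HEX32 + rb"):(" + HEX32 + rb"):")

# Well-known hashes of an empty password (LM and NT).
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"


def find_pwdump_records(data: bytes) -> list:
    """Return whole user:rid:LM:NT::: records with their offsets and two flags:
    lm_present (a real, crackable LM hash is stored) and nt_empty (blank password)."""
    records = []
    for m in PWDUMP_RE.finditer(data):
        lm = m["lm"].decode("ascii").upper()
        nt = m["nt"].decode("ascii").upper()
        records.append({
            "offset": m.start(),
            "user": m["user"].decode("ascii", "replace"),
            "rid": int(m["rid"]),
            "lm": lm,
            "nt": nt,
            "lm_present": lm != EMPTY_LM and not lm.startswith("NO PASSWORD"),
            "nt_empty": nt == EMPTY_NT,
        })
    return records


def find_hash_pairs(data: bytes) -> list:
    """Looser sweep (no username needed) for ':LM:NT:' pairs, for memory
    captures where only fragments of dump output survive."""
    return [(m.start(), m[1].decode("ascii").upper(), m[2].decode("ascii").upper())
            for m in HASH_PAIR_RE.finditer(data)]


# Constructed sample: three pwdump-style lines plus one record buried after
# binary garbage, as it might appear in a carved page of memory.
SAMPLE_DUMP = (
    b"Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::\r\n"
    b"Guest:501:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::\r\n"
    b"svc_backup:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::\r\n"
    b"\x00\x00\xffgarbage\x00jsmith:1104:0123456789abcdef0123456789abcdef:FEDCBA9876543210FEDCBA9876543210:::"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for r in find_pwdump_records(blob):
        print(f"{r['offset']:#010x} {r['user']} (RID {r['rid']}) "
              f"LM stored={r['lm_present']} blank NT={r['nt_empty']}")
    print(f"{len(find_hash_pairs(blob))} LM:NT hash pairs found")
```

On a multi-gigabyte memory image, map the file with mmap rather than read() so the regex runs over it without loading it all at once; the two pattern functions accept any bytes-like object.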

Was Pass-The-Hash used on your network? What would network traffic look like?
SMB connections over ports 139/445 to a writeable share (e.g. C$, ADMIN$).
The client then accesses the svcctl named pipe through SMB.
Malware files are transferred, usually an EXE and a DLL.
Connection to the Windows Service Control Manager (SCM) remote protocol; the SCM runs under services.exe.

The following SVCCTL functions are used: OpenSCManager, CreateService, StartService and QueryService (which checks to see when a service starts). The client writes files (EXE, DLL) to the system via the named pipe, executes them, then uses standard SMB functions to delete the files, and finishes by calling OpenService and StopService to close the pipe. A successful connection through SVCCTL gives the user the ability to start, stop, create and delete services on the target machine. If a service does not specify a required set of privileges, the SCM assumes by default that the service requires all of the privileges associated with its account; this assures backward compatibility. However, if a service group contains a mixture of services with defined privileges and ones without, the entire group runs with the privileges associated with the account.
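The sequence just described (payload written to an admin share, CreateService and StartService over SVCCTL, then the payload deleted) is a recognisable shape in network or SMB-level logs, and it is distinguishable from an administrator merely opening the SCM to query a service. The detector below is an added example for this page, not from the presentation. It parses a constructed, simplified connection log (timestamp, source, destination, protocol, operation, argument), groups events per source/destination pair, and reports only pairs that created and started a service, recording whether an EXE/DLL was dropped on an admin share beforehand and whether it was cleaned up afterwards. The log format and the addresses are assumptions made for the example; a real deployment would feed it from an SMB/DCE-RPC dissector export.

```python
"""Detect the SMB + SVCCTL remote-service push sequence in a connection log
(added example, not from the presentation). Log format and sample are
constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed line format: "<ts> <src> -> <dst> <SMB2|SVCCTL> <op> [arg]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>SMB2|SVCCTL) "
    r"(?P<op>\S+)(?: (?P<arg>.*))?$"
)
PAYLOAD_EXT = (".exe", ".dll")
ADMIN_SHARES = ("ADMIN$", "C$")


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    op: str
    arg: str


def parse_log(lines):
    """Parse log lines into Events (malformed lines are skipped), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["src"], m["dst"], m["proto"], m["op"], m["arg"] or ""))
    return sorted(events, key=lambda e: e.ts)


def _is_payload_on_admin_share(arg: str) -> bool:
    return arg.upper().startswith(ADMIN_SHARES) and arg.lower().endswith(PAYLOAD_EXT)


def detect_remote_service_exec(lines):
    """One finding per (src, dst) pair that created AND started a service over
    SVCCTL. Score: 2 for create+start, +1 if an EXE/DLL was written to an admin
    share before the create, +1 if a payload was deleted after the start."""
    sessions = defaultdict(list)
    for ev in parse_log(lines):
        sessions[(ev.src, ev.dst)].append(ev)

    findings = []
    for (src, dst), evs in sessions.items():
        svcctl = [e for e in evs if e.proto == "SVCCTL"]
        create = next((e for e in svcctl if e.op == "CreateService"), None)
        start = next((e for e in svcctl if e.op == "StartService"), None)
        if not (create and start):
            continue  # an admin only querying services never creates one
        dropped = [e.arg for e in evs if e.proto == "SMB2" and e.op == "Write"
                   and _is_payload_on_admin_share(e.arg) and e.ts <= create.ts]
        deleted = [e.arg for e in evs if e.proto == "SMB2" and e.op == "Delete"
                   and _is_payload_on_admin_share(e.arg) and e.ts >= start.ts]
        findings.append({
            "src": src, "dst": dst, "service": create.arg,
            "dropped": dropped,
            "cleaned_up": bool(dropped) and sorted(deleted) == sorted(dropped),
            "score": 2 + bool(dropped) + bool(deleted),
        })
    return findings


# Constructed sample: one push sequence from 10.0.0.5 and one benign SCM
# query from 10.0.0.7 against the same target.
SAMPLE_LOG = """\
2014-06-24T10:01:02 10.0.0.5 -> 10.0.0.20 SMB2 TreeConnect ADMIN$
2014-06-24T10:01:03 10.0.0.5 -> 10.0.0.20 SMB2 Write ADMIN$\\updsvc.exe
2014-06-24T10:01:03 10.0.0.5 -> 10.0.0.20 SMB2 Write ADMIN$\\updsvc.dll
2014-06-24T10:01:04 10.0.0.5 -> 10.0.0.20 SVCCTL OpenSCManager
2014-06-24T10:01:04 10.0.0.5 -> 10.0.0.20 SVCCTL CreateService updsvc
2014-06-24T10:01:05 10.0.0.5 -> 10.0.0.20 SVCCTL StartService updsvc
2014-06-24T10:01:05 10.0.0.5 -> 10.0.0.20 SVCCTL QueryService updsvc
2014-06-24T10:01:20 10.0.0.5 -> 10.0.0.20 SMB2 Delete ADMIN$\\updsvc.exe
2014-06-24T10:01:20 10.0.0.5 -> 10.0.0.20 SMB2 Delete ADMIN$\\updsvc.dll
2014-06-24T10:01:21 10.0.0.5 -> 10.0.0.20 SVCCTL OpenService updsvc
2014-06-24T10:01:21 10.0.0.5 -> 10.0.0.20 SVCCTL StopService updsvc
2014-06-24T10:05:00 10.0.0.7 -> 10.0.0.20 SVCCTL OpenSCManager
2014-06-24T10:05:01 10.0.0.7 -> 10.0.0.20 SVCCTL OpenService Spooler
2014-06-24T10:05:01 10.0.0.7 -> 10.0.0.20 SVCCTL QueryService Spooler
""".splitlines()

if __name__ == "__main__":
    for f in detect_remote_service_exec(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: service {f['service']!r}, score {f['score']}/4, "
              f"dropped {f['dropped']}, cleaned up: {f['cleaned_up']}")
```

The score lets a SIEM rule treat a bare create+start (legitimate software deployment also does that) differently from the full drop, run and wipe pattern; correlating the finding with the System event log entries for the same service name, as the later slides suggest, closes the loop on the host side.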

Network Activity
Call stack of a server-side RPC call. This data was recovered from pagefile.sys; the RPC connection was initiated from a remote, external system.

Named Pipes as Attack Vectors
Security = Impersonation, Dynamic False – the user has full privileges. pipe\svcctl – access to all running processes. Another capture from pagefile.sys: a remote connection from mimikatz.exe via a named pipe. SVCCTL gives full access to all running processes: START, STOP, CREATE, DELETE.

Named Pipes as Attack Vectors
The lsarpc interface is used to communicate with the Local Security Authority. This capture, taken from pagefile.sys, shows a connection to the Local Security Authority. By default, this connection allows ANONYMOUS ACCESS.

Named Pipes as Attack Vectors
Output from the Volatility plugin ‘handles’ gives a clear indication of mimikatz being executed across the network via a PSEXESVC named pipe. PID 2396 is mimikatz.exe.

Named Pipes as Attack Vectors
Require SMB security signatures: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature = "0"
With WINDOWS SERVER 2008 R2 and later, Microsoft attempts to harden servers against exploit attempts via named pipes by requiring SMB security signatures by default. In the registry, the SYSTEM key for the LanManServer under RequireSecuritySignature is set to “1”. Finding the key set to “0” would be considered suspicious.

Proprietary services and Named Pipes
Windows Credential Editor connects using a named pipe for its own proprietary service. You can catch this in memory or in pagefile.sys.

Event Logs
SMB connections to the Service Control Manager (SCM) are often recorded in the SYSTEM EVENT LOG. Connections can often be correlated through local system event logs.

Event Logs
Access to the share with System-level privileges; access to all services running on the system. This access pattern can be identical for many network exploits, but it is NEARLY ALWAYS used by Pass-The-Hash toolkits. WINDOWS 8.1 – On Windows 8.1, lsass.exe runs as a PROTECTED SERVICE. A determined intruder can change this setting in the registry; however, it requires a reboot of the system, and this reboot and change will show up in the System event log.

Pass-The-Hash and Windows 8.1
Domain accounts do not store plaintext passwords in memory.
Restricted Admin RDP uses only network authentication – no credentials are left on the remote box.
Protected users using Kerberos authentication cannot be delegated.
Authentication silos introduced.

With Windows 8.1 Microsoft attempts to mitigate many of the vulnerabilities associated with Pass-The-Hash. But how successful are they? Domain account hashes would STILL BE IN MEMORY if used on the system. Restricted Admin RDP is similar to using a product such as Tivoli or PuTTY. Kerberos authentication cannot be delegated; however, the tickets will still be in memory, albeit with a shorter life expectancy than password hashes. Authentication silos are Microsoft’s way of containing high-privilege credentials to only those systems that are pertinent to the selected account.

Pass-The-Hash and Windows 8.1
LSASS runs as a protected process.
LM hashes are not stored in memory.
New SIDs for the “Local Account”.

LSASS running as a protected process may make it incompatible with some LEGACY applications. Also, this can be changed in the REGISTRY, but that requires a RESTART of the system, which would show up in the EVENT LOGS. The new SID is for “Local Account and member of the Administrators Group”, which can be configured to DENY NETWORK LOGONS.

Mitigation
Use the Kerberos authentication package.
Enforce a password policy with a 14-character minimum.
Remove or limit access to Windows shares.
Disable the remote registry service.
Limit the possibility of DLL injection by removing users and groups from the ‘Debug Programs’ policy setting (SeDebugPrivilege).

Kerberos tickets have a significantly shorter life expectancy than NTLM hashes. Fourteen-character or longer passwords are NOT STORED LOCALLY as LM hashes in the SAM hive. Some shares, like IPC$, cannot be removed.

Mitigation
Use NTLMv2 over NTLM if you cannot use Kerberos.
Use console tools like Tivoli for remote administration.
Use two-factor authentication.
Protected Users group: NTLM is not used (Kerberos or a third-party SSP is required), Kerberos tickets have a shorter life span, and Windows Digest is not cached.

Windows Vista set “Send NTLMv2 responses only” as the default, but this was rescinded in Windows 7 because of issues with BACKWARD COMPATIBILITY. Remote administration tools like Tivoli or PuTTY DO NOT CACHE credentials locally and enforce account logoffs; so does Restricted Admin RDP in Windows 8.1. Use the Protected Users group for high-value accounts (Server 2012): Kerberos tickets are shortened from ten hours down to FOUR HOURS. Windows Digest credentials are stored reversibly encrypted.

References
Delpy, B. (2012). Blog de Gentil Kiwi / Mimikatz. Retrieved from URL.
Ewaida, B. (2010). Pass-the-hash attacks: Tools and Mitigation. SANS Institute.
Gumbel, J. (2010). Gsecdump v2.0b5. Retrieved from URL.
Hummel, C. (2009). Why Crack When You Can Pass The Hash? SANS Institute.
Microsoft Corp. (2014). Microsoft Developer Network, msdn.microsoft.com.
National Security Agency/Central Security Service (2013). Reducing the Effectiveness of Pass-The-Hash.
Ochoa, H. (2011). Windows Credential Editor. Amplia Security. Retrieved from URL.
Sanders, C. (2010). Dissecting the Pass The Hash attack. Retrieved from URL.
Tarasco Acuna, A. (2010). Password Dumper pwdump7 (v7.1). Retrieved from URL.
Vipzen (2014). Sorry, Microsoft: Pass The Hash on Windows 8.1 still works. Retrieved from URL.

Thank You! Timothy.slaybaugh@ngc.com