1. Pass-the-Hash

2. Jump Start Agenda Module 1: Today’s Threat Landscape
Module 2: Key Principles of Security
Module 3: Understanding your enemy!
Module 4: Phases of Hackers
Lunch Break
Module 5: What motivates hackers?
Module 6: Pass the Hash
Module 7: Windows Security Capabilities and Tools

3. Module Insights
Explore the major thread coming with pass-the-hash and the mitigation options available.

4. Wonderful Internet Services
Pass the Hash
Every time you connect to the internet, you have instant and direct IP connectivity to…
Online Services
Internet cafes in
vacation spots
Activities
Ideological Movements
Nation States
Organized Crime
Wonderful Internet Services

5. Pass-the-Hash Definition
“Hash” = cached credential
Usually not “cleartext”
Identically powerful to “cleartext” by most systems
Can be stored in memory or persisted on disk
Most operating systems cache credentials for SSO
Username/
Hash
Username/
Hash
Username/
Password

6. Pass-the-Hash Technique
Attacker gains local admin access to initial system
Uses collected hashes to move laterally through the network
Additional hashes are collected as they go
New hashes give access to additional systems
Network/domain privileged account compromised  Game Over
User A/
Hash A
User B/
Hash B
User A/
Hash A
User B/
Hash B

7. Attack Scenario Attack activities Description Lateral movement
TechReady 16
7/18/2019
Attack Scenario
Attack activities
Description
Lateral movement
In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization
Privilege escalation
In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Typical Pass The Hash Attack
Power:
Domain
Controllers
Bad guy targets workstations
User running as local admin compromised, Bad guy harvests credentials.
Bad guy uses credentials for lateral traversal
Data:
Servers and
Applications
Bad guy acquires domain admin credentials and associated privileges – privilege escalation
Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.
Access:
Users and
Workstations

9. Windows Credential Editor NTLM Pass-the-Hash

10. Crack the Hash

11. Why can’t Microsoft release an update to fix it?
These accounts have complete control over the computer’s memory, disks, and processor resources.
Pass the Hash and other credential theft attacks exploit the access that an attacker gains by compromising an account in the local administrators group.

12. Current Guidance
Microsoft published Pass- the-Hash guidance in December 2012.
Highlighted best practices and dispelled urban legends.

13. Key Takeaways

14. Connect with the speakers!
@ErdalOzkaya
@MiladPFE

15. TechNet Virtual Labs
Deep technical content and free product evaluations
Hands-on deep technical labs
Free, online, technical courses
At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available – all at no cost.
Try Windows Server 2012 for up to 180 days. Download the Windows 8 Enterprise 90-day evaluation. Or try Windows Azure at no-cost for up to 90 days.
Microsoft Hands On Labs offer virtual environments that will take you through guided, technically deep product learning experience.
Learn at your own pace in labs that you can complete in 90 minutes or less. There is no complex setup or installation is required to use TechNet Virtual Labs.
Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career.
Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Windows Azure, Office 365, virtualization, Windows Phone, and more.
Download Microsoft software trials today.
Find Hand On Labs.
Take a free online course.
Technet.microsoft.com/evalcenter
Technet.microsoft.com/virtuallabs
microsoftvirtualacademy.com