Cleartext and PtH still alive

Cleartext and PtH still alive by @stealthsploit

Published in: Technology

  1. Cleartext & PtH Still Live…

  2. $ whoami /all
     • Will Hunt
     • Associate Director @ NotSoSecure
     • 9+ years in InfoSec
     • Blackhat USA trainer
     • Pentester, formerly digital forensics, trainer of both
     • @Stealthsploit / stealthsploit.com

  3. Clear Text Creds
     • Windows historically stored cleartext creds in RAM
     • Win 8.1 / 2012 R2+ disabled lsass.exe clear text storage by default
     • Backported (2871997) to 7/8/2008 R2/2012 as a reg key
     • Backported and set to 1 (clear text enabled) by default
     • Let’s change that!
     • reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

  4. Clear Text Conclusion
     • Win 7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2
       – Adding requires lock, removing requires signout
       – Meterpreter mimikatz and kiwi work
       – mimikatz often only detects kerberos, not wdigest
     • Win 10 (inc Enterprise without Cred Guard)
       – Signout required for add or delete
       – Only meterpreter kiwi works – wdigest
     • Win 2016 (without Cred Guard)
       – Adding requires lock, removing requires reboot
       – Only meterpreter kiwi works – wdigest
  5. PtH

  6. Hashes in Memory
     • Hashes are stored in RAM
       – Registry
       – At logon in lsass.exe
       – RDP (disconnect instead of log off)
     • 8.1 / 2012 R2+ Restricted Admin Mode
       – RunAs
       – Services running under user accounts
     • Not network logons (e.g. file share)
       – Challenge / response → hash never gets there

  7. Pass The Hash
     • Authenticate via SMB using hash
     • 8.1 / 2012 R2+ (2871997)
     • Prevents network/remote interactive logons using local accounts (excluding RID 500)
     • Protected Users Group – No hashes left in RAM as users can’t authenticate with NTLM (AES kerb auth only). Reduced TGT lifespan
     • Restricted Admin Mode – did this help elsewhere? ;-)
     • 10 Ent / 2016 implemented Credential Guard
  8. 2871997 Counter Attack
     • “Prevents network/remote interactive logons using local accounts (excluding RID 500)”
     • Other local admins still may be able to write to registry!
     • Thanks MS, I’ll just change that (again)…
     • reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

  9. RID 500 Caveat
     • “Admin Approval Mode”
     • https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx#BKMK_BuiltInAdmin
     • Sysadmin’s “get out of jail free” for RID 500
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
     • Key often set via GPO – domain users can enum systems that do/don’t have the key set
     • RID 500 still often present in enterprises even though disabled by default!

  10. RID 500 Caveat
     • So… can anyone spot a trend emerging?
     • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 1
     • Disabled by default – if enabled (and set to 1) RID 500 gets UAC protection
     • At least this one’s for the blue team!
  11. Remember Restricted Admin?
     • 8.1 / 2012 R2 improvements mitigated some vectors…
     • Also introduced new ones!
     • “Restricted Admin mode provides a method of interactively logging on to a remote host server without transmitting your credentials to the server.”*
     • Enabled for admins only (hint is in the name)
     • No creds are left on remote box so network auth must be used (Kerberos / NTLM)
     * https://technet.microsoft.com/en-us/library/security/2871997.aspx

  12. Registry or Group Policy
     • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
     • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 0

  13. Registry or Group Policy
     • Both not present by default (need to be created)
     • DisableRestrictedAdmin
       – Simply enables or disables Restricted Admin mode
       – 0 = doesn’t exist (default) = enabled
       – 1 = disabled
     • DisableRestrictedAdminOutboundCreds
       – Whether user is able to authenticate to remote resources (from RDP RA session) using local machine account
       – 0 = doesn’t exist (default) = enabled
       – 1 = disabled
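Slides 3, 8, 10, 12 and 13 each turn on a single registry value. The audit script below is an added example, not part of the deck, that reads those five values on the local host and flags the ones sitting in the state the slides exploit. The "absent" semantics are taken from the slides; the script is hypothetical and assumes PowerShell 3+ in an elevated prompt.

```powershell
# Hypothetical audit script, not from the slides. Requires PowerShell 3+ and an elevated prompt.
# "Absent" semantics follow the deck: Restricted Admin values absent = enabled,
# FilterAdministratorToken absent = RID 500 exempt from UAC, LocalAccountTokenFilterPolicy
# absent = remote UAC token filtering active, and WDigest UseLogonCredential absent =
# cleartext off on 8.1/2012 R2+ but on for 7/8/2008 R2/2012 hosts with KB2871997.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Pre-8.1 / 2012 R2 kernels report a version below 6.3
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
$legacyOs  = $osVersion -lt [Version]'6.3'

$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# Safe = the state the deck does NOT complain about; Why = the deck's concern otherwise
$checks = @(
    @{ Path = $wdigest;  Name = 'UseLogonCredential'
       Safe = { param($v) ($v -eq 0) -or ($null -eq $v -and -not $legacyOs) }
       Why  = 'cleartext creds retained in lsass.exe' },
    @{ Path = $policies; Name = 'LocalAccountTokenFilterPolicy'
       Safe = { param($v) $v -ne 1 }
       Why  = 'remote UAC filtering off: PtH with any local admin works' },
    @{ Path = $policies; Name = 'FilterAdministratorToken'
       Safe = { param($v) $v -eq 1 }
       Why  = 'RID 500 exempt from UAC (Admin Approval Mode)' },
    @{ Path = $lsa;      Name = 'DisableRestrictedAdmin'
       Safe = { param($v) $v -eq 1 }
       Why  = 'Restricted Admin RDP enabled: RDP PtH possible' },
    @{ Path = $lsa;      Name = 'DisableRestrictedAdminOutboundCreds'
       Safe = { param($v) $v -eq 1 }
       Why  = 'RA sessions may reach other hosts with the machine account' }
)

foreach ($c in $checks) {
    $v     = Get-RegDword -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $v) { 'absent' } else { "$v" }
    $ok    = & $c.Safe $v
    $state = if ($ok) { 'OK     ' } else { 'REVIEW ' }
    $note  = if ($ok) { '' } else { $c.Why }
    '{0}{1,-36} {2,-7} {3}' -f $state, $c.Name, $shown, $note
}
```

Values pushed by GPO show up here exactly like locally created ones, so a REVIEW line on a domain-joined host usually points at the policy rather than the box.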
  14. RDP PtH
     • Otherwise…

  15. RDP PtH
     • 2871997 was backported → RDP PtH on Win7+ *
     • freerdp-x11
     • xfreerdp /u:will /d:mydomain /pth:<nthash> /v:<remoteIP>
     • Kali 1.1.0 / freerdp-x11
     • freerdp-x11 updated and functionality removed
     • Tricky to compile old client on Kali rolling
     * https://blogs.technet.microsoft.com/kfalde/2015/01/10/restricted-admin-mode-for-rdp-in-windows-7-2008-r2/

  16. PtH Conclusion
     • Remote UAC Protection now enabled
     • 2871997 (Protected Users / Restricted Admin)
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
     • Backported to earlier versions
     • Win 8.1 / 2012 R2+
     • PtH still works
     • mimikatz can also pth
     • sekurlsa::pth /user:stealthsploit /domain:mydomain.local /ntlm:7dfa0531d73101ca080c7379a9bff1c7 /run:cmd.exe
     • RDP PtH
     • If backported works on Win 7+
  17. Protected Users?
     • What about the protected users?
     • No hashes left in RAM, AES kerberos auth only, all good?
     • Nope!
     • Classic ticket steal
       – DA is a protected user
       – Remotely logs into compromised server
       – Attacker has temporary access to TGT
       – Reduced TGT lifespan now 4 hours
       – Attacker dumps NTDS.dit with TGT
       – Attacker establishes domain persistence

  18. tl;dr
     • #Tryharder Microsoft
     • Clear text still accessible (if not already by default)
     • PtH still possible (if not already by default)
     • RDP PtH is possible
     • Typical variables in play
       – Admin access
       – Write access to registry

  19. Thank you ☺ Questions?