Introduction:
When it comes to credential compromise, a primary target is the account password hashes stored by Windows. These credentials exist in various formats, the best known being LM (deprecated) and NT hashes. They are stored in different locations: the SAM registry hive for local accounts, and LSASS memory for domain accounts while an interactive session is active.
Attack Methods:
Several standard attacks exist for accessing these credentials; all of them require administrator privileges on the host:
Memory Extraction: Reading the hashes directly out of the running LSASS process.
LSASS Process Dump: Dumping the LSASS process to a file so the credentials can be extracted offline.
SAM Hive Extraction: Extracting local account hashes from the SAM hive, either from the loaded registry in memory or from the hive file on disk.
Cracking Password Hashes:
Once these hashes are obtained, attackers can attempt to crack them offline with tools like John the Ripper, or with precomputed rainbow tables; NT hashes are unsalted, which is what makes both approaches practical. Alternatively, attackers can use the hashes for authentication directly, as explained under "Pass-the-Hash Attacks" below.
Cleartext Passwords:
Researchers have also found various cleartext credentials held in memory, including those cached by SSO providers such as TsPkg and WDigest, as well as LiveSSP credentials derived from Windows "Live" cloud accounts. Tools like Mimikatz and Windows Credential Editor (WCE) can extract and decrypt these passwords.
Pass-the-Hash Attacks:
Pass-the-hash allows an attacker to authenticate with a stolen account hash without knowing the actual password, which is particularly valuable once a highly privileged hash has been acquired. It works against NTLM authentication because the NTLM challenge-response protocol only ever needs the hash, never the password, to compute the response. Despite the prevalence of Kerberos, NTLM is still widely enabled in Windows enterprises. Tools like Metasploit PsExec, WCE, and SMBshell facilitate pass-the-hash attacks, enabling actions such as mapping file shares and remote execution over SMB and via tools like WMI.
Defense:
1. Stop Remote Interactive Sessions with Highly Privileged Accounts:
Avoid console logons, RDP sessions, and runas commands with highly privileged accounts, because each of these leaves the account's credentials in LSASS on the host.
It is critical to prevent attackers from gaining local administrative rights in the first place, since every technique above depends on them.
2. Proper Termination of RDP Sessions:
An RDP session that is disconnected rather than logged off keeps its credentials resident on the system, so the hash remains exposed long after the user has moved on.
Use Group Policy to set a time limit for disconnected sessions, so that stale RDP sessions are terminated automatically and their credentials are cleared.
3. Security Enhancements in Windows 8.1+ and Windows 10:
Microsoft has introduced several improvements, starting with Windows 8.1+, which no longer keeps WDigest and TsPkg credentials in memory by default.
Pass-the-hash mitigations include Restricted Administrator accounts, the Domain Protected User security group, and Protected Processes.
Windows 10 adds Credential Guard and Remote Credential Guard, which prevent hash exposure during interactive logons by isolating the secrets from the normal LSASS process.
4. Monitoring and Auditing Registry Changes:
Monitor the Windows registry for unexpected changes, especially to critical values like the WDigest "UseLogonCredential" setting, which re-enables cleartext credential caching when set to 1.
Audit these settings regularly to confirm that the hardened configuration remains intact.
5. Local Administrator Account Security:
Microsoft's Local Administrator Password Solution (LAPS) centralizes the management and rotation of local administrator account passwords.
Unique passwords for local administrator accounts are essential: a shared local administrator hash lets an attacker reuse one compromised host's credentials for lateral movement across every other host.
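As an added example (not part of the original article), the following PowerShell audit checks the three host settings discussed in points 2, 3 and 4 above: the WDigest UseLogonCredential value, the Group Policy disconnected-session limit (which writes MaxDisconnectionTime under the Terminal Services policy key), and whether Credential Guard is running. The registry paths and the Win32_DeviceGuard class are standard Windows locations; the function name is an assumption of this example.

```powershell
# Added example: read-only audit of credential-hardening state.
# Run in an elevated PowerShell session on the host being checked.
function Get-CredentialHardeningState {
    $wdigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $rdpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # 1. WDigest: UseLogonCredential = 1 re-enables cleartext caching in LSASS.
    #    On Windows 8.1 / 2012 R2 and later the value is absent by default,
    #    which means "disabled"; anything other than 0 or absent is a finding.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential
    $wdigestState = if ($null -eq $useLogonCred -or $useLogonCred -eq 0) {
        'OK (cleartext caching disabled)'
    } else {
        "FINDING: UseLogonCredential=$useLogonCred (cleartext caching enabled)"
    }

    # 2. RDP: "Set time limit for disconnected sessions" stores milliseconds in
    #    MaxDisconnectionTime. Absent or 0 means disconnected sessions linger.
    $maxDisc = (Get-ItemProperty -Path $rdpPolicyKey -Name MaxDisconnectionTime `
                   -ErrorAction SilentlyContinue).MaxDisconnectionTime
    $rdpState = if ($maxDisc -gt 0) {
        "OK (disconnected sessions end after $([int]($maxDisc / 60000)) min)"
    } else {
        'FINDING: no time limit for disconnected RDP sessions'
    }

    # 3. Credential Guard: Win32_DeviceGuard lists running security services;
    #    the value 1 in SecurityServicesRunning denotes Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgState = if ($dg -and $dg.SecurityServicesRunning -contains 1) {
        'OK (Credential Guard running)'
    } else {
        'FINDING: Credential Guard not running'
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        WDigestUseLogonCredential = $wdigestState
        RdpDisconnectedLimit      = $rdpState
        CredentialGuard           = $cgState
    }
}

Get-CredentialHardeningState | Format-List
```

Any line reported as FINDING is a setting to correct via Group Policy and then re-audit; scheduling this script across hosts gives the recurring audit the previous section calls for.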
Akash Patel