Microsoft TechDays 2015 and passing the hash

This year I went to Microsoft Tech Days in the Netherlands, held at the World Forum in The Hague. I secured my ticket early, and many thanks to Indivirtual, which covered the cost and let me have a couple of days off to attend it. The event was awesome and here are some of the things that I experienced and learned.

On the first day I got up early in the morning to be able to catch a session before the keynote; early birds are early. Getting there involved a tram, a train and another tram. At the Hague Central Station I felt someone tapping me on the shoulder, did I forget to check in/out or? It turned out to be my colleague Sujen, who had been on the same train. We headed off towards the World Forum.

We got there just in time and, after a quick registration and receiving the mandatory SWAG, he joined me for the session I had in mind: Pass the hash and Credential Theft – causes and practical mitigation. A presentation by Aaron Margosis, a Windows nerd, about techniques to hack networks. Cool!

It was an interesting presentation with the mandatory joke about the Dutch and passing the hashish.

The attack vector that passing the hash addresses is that Windows uses hashes of passwords to authenticate with other computers. What I found interesting was that the hash is stored locally and it is possible to extract it by using various tools. The tools used in the presentation were mimikatz and psexec.

Because these computers authenticate you by the hash you pass, that is the root of this vulnerability.

From the presentation I also understood that this is not easy to resolve in the operating system. When used in a server cluster, it seems that it relies on being able to pass the hash, and while this is not solved now (for instance by using a password salt, as an audience member suggested), it may be in the future.

If you have had more than one Windows computer in a network where you had the same Administrator user on both with the same password, did you ever think about the fact that you didn't have to re-enter the password as often as if you had different passwords? Since the hash would be the same on both computers, passing it over to the other would successfully authenticate as the local user on that computer.
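The reasoning above can be made concrete with a simplified model, added here as an illustration and not taken from the presentation or from Windows itself: SHA-256 and HMAC stand in for the real hash and challenge-response functions, and every function name and password is constructed for the example. It shows that the stored hash alone is enough to answer a challenge, and that a per-machine salt or a distinct password per machine stops a hash from one machine being accepted by another.

```python
import hashlib
import hmac
import os

# Simplified model, NOT the real NTLM algorithms: SHA-256 and HMAC-SHA-256
# stand in for the Windows hash and challenge-response functions.

def unsalted_verifier(password: str) -> bytes:
    """What each machine stores: a plain hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def salted_verifier(password: str, salt: bytes) -> bytes:
    """Hypothetical variant: every machine mixes in its own random salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def respond(verifier: bytes, challenge: bytes) -> bytes:
    """Client side: the reply is computed from the hash, never the password."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()

def server_accepts(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the reply from the stored hash and compare."""
    return hmac.compare_digest(respond(stored, challenge), response)

def lateral_reuse_works(verifier_a: bytes, verifier_b: bytes) -> bool:
    """Is a reply built from machine A's stored hash accepted by machine B?"""
    challenge = os.urandom(16)  # fresh challenge issued by machine B
    return server_accepts(verifier_b, challenge, respond(verifier_a, challenge))

def demo() -> dict:
    password = "Constructed-Sample-Passw0rd"  # constructed sample value
    # Same local Administrator password on two machines, no salt.
    a_plain, b_plain = unsalted_verifier(password), unsalted_verifier(password)
    # Same password again, but each machine has its own random salt.
    a_salted = salted_verifier(password, os.urandom(16))
    b_salted = salted_verifier(password, os.urandom(16))
    # A different local password on machine B.
    b_unique = unsalted_verifier("Another-Constructed-Passw0rd")
    return {
        "identical_hashes": a_plain == b_plain,
        "unsalted_reuse": lateral_reuse_works(a_plain, b_plain),
        "salted_reuse": lateral_reuse_works(a_salted, b_salted),
        "unique_password_reuse": lateral_reuse_works(a_plain, b_unique),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```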

When an attacker gains access to a domain-attached computer, they will be able to authenticate as all users, domain as well as local, who have logged on to that computer, by passing the stored hash of the password. I am not quite sure how long the hash is stored, but I saw some very old passwords, in clear text, when testing out mimikatz.

At the moment there is no universal solution for this, but there are a couple of recommended practices to mitigate it. Well, some may say not to use Windows, which is correct. 🙂

How to really avoid this today?

Do not log in with a domain administrator account on any computer; basically, only log in with it on a dedicated computer to avoid mixing with users of other security tiers.

Do not use the same password for the same local user on the computers in the network. As an example, if your company uses the same image to set up all computers and does not change the local passwords, it may be a possible attack vector.

There is a tool to help mitigate this: Local Administrator Password Solution (LAPS).

I am a developer so I will leave it up to any Tech Pro to figure out how to use it.

Overall, a very interesting presentation to see even for me as a developer and hobby hacker.

Next, the keynote.

Al Gore and Internet

Many joke about how Al Gore claimed to have created the Internet. I always defend Al Gore and his role in making the Internet possible. In his role as senator he was part of financing the research that later became the Internet.

Even one of the fathers of the Internet, Vint Cerf, gives Al Gore some credit.

The Vice President [Al Gore] deserves credit for his early recognition of the value of high speed computing and communication and for his long-term and consistent articulation of the potential value of the Internet to American citizens and industry and, indeed, to the rest of the world.

Learn more about the Internet

What many do not know about the Internet is that it is a really amazing system of connected networks. Information is transferred around this network by using a bunch of tables telling us where the information we need is and then sending our requests and responses around it.

Sometimes it stops working and I found this blog interesting in analyzing a failure, why it failed and how it was fixed.

Why Google Went Offline Today and a Bit about How the Internet Works