Microsoft TechDays 2015 and passing the hash

This year I went to Microsoft Tech Days in the Netherlands, hold at the World Forum in The Hague. I secured my ticket early and many thanks to Indivirtual that covered the cost and let me have a couple of days off to attend it. The event was awesome and here are some of the things that I experienced and learned.

For the first day I went up early in the morning to be able to catch a session before the keynote, early birds are early. Getting there involved a tram, a train and another tram. At the Hague Central Station I felt someone tapping me on the shoulder, did I forget to check in/out or? It turned out to be my colleague Sujen that had been on the same train. We headed off towards the World Forum.

We got there just on time and after a quick registration and receiving the mandatory SWAG he joined me for the session I had in mind: Pass the hash and Credential Theft – causes and practical mitigation. A presentation by Aaron Margosis, a Windows nerd, about techniques to hack networks. Cool!

It was an interesting presentation with the mandatory joke about the Dutch and passing the hashish.

The attack vector that passing the hash addresses is that Windows uses hashes of password to authenticate with other computers. What I found interesting was that the hash is stored locally and it is possible to extract it by using various tools. The tool used in the presentation was mimikatz and psexec.

Since these computers authenticate you by the hash you pass it is the root of this vulnerability.

From the presentation I also understood that this is not easy to resolve in the operating system. When used in a server cluster it seem that it relies on being able to pass the hash and while not solved now, by for instance using a password salt as an audience member suggested, it may be in the future.

If you have had more than one Windows computer in a network where you had the same Administrator user on both with the same password. Did you ever think about that you didn’t have to re-enter the password as often as if you had different passwords? Since the hash would be the same on both computers, passing it over to another would successfully authenticate as the local user on the other computer.

When an attacker gains access to a domain attached computer they will be able to authenticate as all users, domain as local, that has logged on to that computer by passing the stored hash of the password I am not quite sure how long the hash is stored but I saw some very old password, in clear text, when testing out mimikatz.

At the moment there is no universal solution for this but a couple of recommended practices to mitigate it. Well, some may say not to use Windows which is correct. 🙂

How to really avoid this today?

Do not login with domain administrator on any computer, basically only login with it on a dedicated computer to avoid mixing with users of other security tiers.

Do not use same password for same local user on computer in the network. As example, if your company uses the same image to setup all computers and do not change the local passwords it may be a possible attack vector.

There is a tool to help mitigate this. Local Administrator Password Solution (LAPS)

I am a developer so I will leave it up to any Tech Pro to figure out how to use it.

Overall, a very interesting presentation to see even for me as a developer and hobby hacker.

Next, the keynote.