Pass the Hash II: Briefing at Black Hat

by Cory Friend, Systems Engineer, Atmos Energy
At a briefing similar to the one I covered yesterday, Skip Duckwall & Chris Campbell presented “Pass the Hash II: Admin’s Revenge.” There was some overlap in information, but I want to focus on a couple potential land mines that they uncovered.
  • Using Microsoft’s Group Policy Preferences (GPP) to set local admin passwords
  • Use of Smartcards
As we know, hash “Pass the Hash” attacks capture account logon credentials on one machine and then use them to authenticate to another machine. One of the features of GPP—which certainly screams “vulnerability”– is the ability to set the local admin’s password across your enterprise. In my previous post we discussed the dangers of having the same local admin password on multiple machines, and using GPP to set passwords only takes these vulnerabilities to a whole new level. The password that GPP distributes is stored on the domain controller and encrypted using a 32 bit AES key that is widely known. This encrypted string is retrievable from the DC using a normal user domain account and then is easily decrypted with the known  key. Chris and Skip have released a PowerShell script  that simplifies this whole process revealing the clear text password.
Smartcards, on the other hand, would seemingly prevent Pass the Hash since they involve multifactor authentication, right? No. In actuality, they make the problem worse. When you use smartcards, there is still a usable password associated with the account but that password never expires, which means that once you obtain the hash you have persistence forever.  Many perimeter services like OWA don’t require a smartcard and will accept not only the account’s password that never changes but will also accept the password’s hash.
Microsoft, for their part, have recommend the importance of restricting and protecting privileged domain accounts to limit the ability of administrators to inadvertently expose privileged credentials to higher risk computers and Pass the Hash-seeking cyber attackers.
I’d also recommend reading the whitepaper titled “Hello My name is: Microsoft and I have a credential problem” to gain a deeper understanding of these threats while learning how to detect them and deploy strategies to mitigate the risk.
Tuesday, August 6, 2013