Demo - Hack Password Hash (Pass-the-hash) - BSides Amman 2019

Captions
Attackers love passwords, and we as security professionals hate them for their weaknesses, and end users either write them down, share them, or use weak passwords that can be easily guessed. But attackers are not after your password anymore; they can do the same damage by only knowing your password hash. The bad news is that Windows keeps all password hashes in a protected area in memory. If attackers can hack into that protected area, they can access password hashes for every account using that Windows machine, not only your password. You think this is bad? Wait till you learn that attackers can use these hashes to connect to remote resources also, using the pass-the-hash technique, and this is how attackers move inside your network, usually undetected. Now, do you want to see all this in action? I'm sure you do. So in this demo I'm going to show you how to hack into this protected area in memory and get access to all these hashes we talked about. To make this demo more interesting, we're going to steal the hash of the local administrator account and pass that hash to a nearby Windows machine and gain access to sensitive information. This is known as the pass-the-hash technique.

So let's start our demo. Let me start by opening a command prompt and verify what account I'm using and whether it is a local admin on the machine or not. You can see that I'm running under an account that is a member of the local Administrators group. Now let me quickly clear the screen and browse to my tools folder, and I want to find the tool called mimikatz, which is the number one forbidden tool by Microsoft, and there is a good reason for that: this tool dumps passwords from memory as well as hashes. Now let me run the tool and clear my screen, and I will start by attaching it to a debugger by typing privilege::debug. You can see I get an error, but don't worry, this is intentional. The reason is I need to run the command prompt with elevated rights, so let me quickly open a command prompt with Run as administrator, browse to my tools folder and run mimikatz again. Now I will try to type the same command, privilege::debug, and you can see the command ran successfully. Now this is possible because by default the local Administrators group has the debug privilege, which we can quickly verify by opening the Local Group Policy console, browsing to Windows Settings, Security Settings, User Rights Assignment, and then searching for Debug programs. Here you can see that Administrators have the right by default, and you can see that assigning this right can be a security risk.

Now let me go back to mimikatz, and now I will enable logging so that any output generated by this tool will be logged in a text file, as you can see here. Now here is where the magic starts. I will type sekurlsa (LSA stands for Local Security Authority), so sekurlsa and then logonpasswords full, to dump the hashes stored in memory for every account who logged onto this machine. Now all that you see here on the screen is a memory dump of all passwords in memory. Here is my user, Ammar, and you can see different types of hashes for my password stored in memory and available to me using this tool. And this is what allows Windows to enable single sign-on in the first place, so that I don't need to type my password each time I access network resources; that's why Windows stores password hashes in memory. The most interesting part is the NTLM hash of my password. Now let us try to find another password hash stored in memory just for fun, and as you can see there are a lot of them. Here is an account called l3admin, which is level 3 admin; it seems one of the level 3 engineers logged on to this machine, perhaps to solve a problem, and we can see the NTLM hash for this account available for us. Let me try to open the log file and search in the log file just for clarity and try to find other password hashes, specifically the password hash for the local admin on this machine, which is called the master account. We can see the domain is demo1, which is the name of the machine, and this means this is a local user, and here is the NTLM hash of the master account, which is the default local administrator on that machine. I will copy that hash and open a new Notepad and paste the hash there for our next step.

Later in this demo we will use this hash to connect to another machine called demo3. Using my account, which is Ammar, I don't have access to connect to the demo3 machine, which is a nearby machine; in fact, let me prove it to you very quickly. I am using PsExec to connect to demo3, and you can see I don't have admin rights on that machine. But if I am lucky enough, the local admin password of my machine and the demo3 machine is the same password, and since I have the hash of the local admin password in my Notepad, I can use mimikatz to have a functional command prompt using the context of the local admin just by passing the hash. You can see the full command I use in mimikatz: I type sekurlsa, then the username as master, the domain name as localhost since this is a local account, and the NTLM hash I got earlier in my Notepad. Now you can see I got a new functioning command prompt window. Let me put both windows next to each other: the left side window is running under my account, Ammar, and the right side window is running under the built-in admin account. Now the confusing part is when we type whoami on both windows; I would expect the result to be master in the right side window, which is the local admin account, but don't worry, this is just how things work with these tools. To prove it, you remember my account could not connect to the demo3 machine, as seen here again. Now on the right side window you can see I'm using PsExec again to connect to the demo3 machine, and the tool is taking time to establish a remote session on demo3 using the master account password, and since my machine and the demo3 machine both have a local admin account called master with the same password, this command should work. And by passing the hash I now have a functional command prompt on a remote machine. If I type hostname on both terminals, you can see on the left side the hostname is demo1 and on the right side the hostname is demo3. I can even browse the file system on the remote computer, locate a secret folder and access the credit card information data. Mission accomplished.

What you can learn from the demo is that the debug privilege is a very risky privilege; you should use Group Policy to prevent anyone, including administrators, from having such a right unless you have specific needs. Also, your users should not be admins on their machines; they should be running under a normal account and perhaps use another, separate admin account. As we saw in the demo, we used the hash of the local admin account to connect to a remote machine because the local admin password is the same across all machines. You should always make sure to have different local admin passwords across your machines, and to do that you can use the solution from Microsoft called Local Administrator Password Solution, or LAPS. Also, as a best practice, you should have your admins working with two machines: one machine to access email and browse the web, and a separate machine to perform highly privileged tasks. This way, if malware was delivered through the web or email, it cannot do much damage because your admins are using a separate machine for admin tasks. Now, one of the two machines can be a virtual machine, and there is a great solution from Microsoft to implement that; it is called the privileged admin workstation, that I encourage you to look at. Finally, you can disable the local admin and the guest accounts on all machines, just in case. Here are some good references for you to learn more about some tools and technologies we talked about so far.
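As an added example, not code from the talk or its author, here is a PowerShell audit script that checks one Windows machine against the defensive recommendations the speaker closes with: who holds the Debug programs right (SeDebugPrivilege) that mimikatz needed, who sits in the local Administrators group, whether the built-in Administrator and Guest accounts are disabled, and whether a LAPS policy is applied so the local admin password is not shared across machines. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11 or Server 2016+ with the Microsoft.PowerShell.LocalAccounts module, and that the LAPS policy registry locations it reads are the documented ones for legacy LAPS (AdmPwd) and Windows LAPS; the temp file name is an arbitrary choice.

```powershell
# Added example (not from the talk): audit the mitigations the demo ends with.
# Assumes an elevated PowerShell session on a supported Windows version with the
# Microsoft.PowerShell.LocalAccounts module (Get-LocalUser / Get-LocalGroupMember).

function Get-DebugPrivilegeHolders {
    # secedit exports the effective local security policy. Its [Privilege Rights]
    # section lists holders of SeDebugPrivilege as '*'-prefixed SIDs;
    # S-1-5-32-544 is BUILTIN\Administrators, the default the demo relies on.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'     # arbitrary scratch file name
    secedit /export /cfg $inf | Out-Null
    try {
        $match = Select-String -Path $inf -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
        if (-not $match) { return @() }               # assigned to no one: the hardened state
        $raw = ($match.Line -split '=', 2)[1]
        foreach ($entry in ($raw -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            try {
                # Translate the SID into a readable account name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $id }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Get-LocalAdminMembers {
    # Everyday user accounts should not appear here; the demo's first step was
    # confirming the logged-on user was a member of this group.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-BuiltinAccountState {
    # RID 500 is the built-in Administrator whatever its display name, RID 501 is
    # Guest; the talk's last recommendation is to disable both.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-50[01]$' } |
        Select-Object Name, Enabled,
            @{ Name = 'Rid'; Expression = { $_.SID.Value.Split('-')[-1] } }
}

function Test-LapsPolicy {
    # Either policy key being present and enabled means local admin passwords are
    # being randomised per machine, which breaks the "same password everywhere"
    # assumption the pass-the-hash step in the demo depended on.
    $legacy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $modern = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    [pscustomobject]@{
        LegacyLapsEnabled = (Get-ItemProperty -Path $legacy -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1
        WindowsLapsPolicy = Test-Path $modern
    }
}

Write-Host '== Holders of the Debug programs right (SeDebugPrivilege) =='
Get-DebugPrivilegeHolders
Write-Host "`n== Members of the local Administrators group =="
Get-LocalAdminMembers | Format-Table -AutoSize
Write-Host "`n== Built-in Administrator (RID 500) and Guest (RID 501) =="
Get-BuiltinAccountState | Format-Table -AutoSize
Write-Host "`n== LAPS policy present =="
Test-LapsPolicy
```

The hardened result is an empty holder list for the first check, only dedicated admin accounts in the second, `Enabled = False` for both built-in accounts in the third, and at least one `True` in the fourth. Removing Administrators from the Debug programs right does not stop a fully elevated attacker from granting it back, so it belongs alongside the other controls rather than standing alone.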
Info
Channel: Ammar Hasayen
Views: 6,965
Keywords: Cybersecurity, Security, Conference, Webinar, BSides, Security Bsides, BSidesAmman, BSides Amman, Hacker, Hacking, Hack, Defense In Depth, Windows
Id: WzylaI-VR2s
Length: 10min 5sec (605 seconds)
Published: Sun Jul 07 2019