Pass-The-Hash: Gaining Root Access to Your Network

1 Pass-The-Hash: Gaining Root Access to Your Network
June 24, 2014
Tim Slaybaugh, Cyber Incident Analyst, Northrop Grumman Information Systems

2 What is Pass-The-Hash?
“Attackers using PtH completely compromise just about every network they hit. Pretty much every APT attack team uses them.” – Roger Grimes, InfoWorld
FIRST OBJECTIVE – ELEVATE PRIVILEGES, GAIN FULL ACCESS

3 What is Pass-The-Hash?
First published in 1997 by Paul Ashton
Allows LM and NTLM hashes to be used to authenticate to a remote host: the NTLM challenge-response is computed directly from the hash, so the password never has to be cracked
Hashes can be harvested from the physical disk (the SAM hive on a workstation, NTDS.DIT on a domain controller) or from memory (LSASS)
NTLM hashes are used by THOUSANDS of applications and services including SharePoint, .NET, Microsoft Exchange and nearly all printers.

4 How does Pass-The-Hash work?
Dumping hashes requires admin (or SYSTEM) privileges on the box, so an exploit or a stolen credential has to be used first to gain that access
Injects into the Local Security Authority Subsystem Service (LSASS) process to read hashes from memory
Grabs locally stored hashes from the SAM registry hive (decrypted with the boot key from the SYSTEM hive)
Smartcard credentials and Kerberos tickets can be harvested as well
HARD TO DETECT with signature-based IDS, since everything that follows the Pass-The-Hash looks like normal logins with admin credentials
SMARTCARD credentials are susceptible to Pass-The-Hash because an NT hash is still cached for the account, just as after a password logon
The initial attack relies on STANDARD ATTACK VECTORS that gain elevated privileges on the box, such as spearphishing, drive-by downloads, etc.
ELEVATED PRIVILEGES can come from a Local Admin account, privileges inherited from the victim, etc.
With the hash of the KRBTGT account, an attacker can forge a GOLDEN KERBEROS TICKET that keeps authenticating even after the admin changes their own password; only resetting the KRBTGT password (twice, so the old key is no longer accepted) invalidates it.

5 Pass-The-Hash and Smartcards
Smart card logon still leaves an NT hash behind: the domain controller returns the account's NT hash to the client as part of the Kerberos logon so that NTLM keeps working, and LSASS caches it exactly as it does after a password logon. That hash can be passed like any other.
Systems that allow either smartcard or password logon keep the same hash for as long as the user's password is unchanged, which can be a very long time.
Accounts that require smartcard-only logon (the SmartcardLogonRequired option in Active Directory) are given a random password when the option is set, but the resulting hash then stays constant until the option is toggled again or the password is reset; periodic rolling of that secret was not available on the Windows versions discussed here.

6 Pass-The-Hash Tools: PWDump
Latest version is PWDump 7.1
Author: Andres Tarasco Acuna
Dumps the local SAM hive
Uses the syskey (boot key) from the SYSTEM hive to decrypt and dump LM and NTLM hashes
Ships with and loads the OpenSSL library libeay32.dll
PWDump 6 loads lsremora.dll
There are earlier versions of PWDump with other authors. I often see the name of PWDump changed to something inconspicuous but libeay32.dll remains unchanged. PWDump is a very common tool and easy to use. I’ve seen it used multiple times in the past few months. PWDump6 requires two dependent files, pwserv.exe and lsremora.dll. And for 64bit systems there is pwserv64.exe and lsremora64.dll.

7 PWDump
PWDump runs from the command line and dumps LM and NTLM hashes from the local SAM hive. This is an example of output from PWDump. In this case only NTLM hashes were stored in the SAM hive; the LM hash field has been replaced with the 32-character placeholder ‘NO PASSWORD*********************’.

8 PWDump
PWDump with its dependency, libeay32.dll, in $LogFile
Windows metadata files like $LogFile will show PWDump together with its dependency file, libeay32.dll. It is important to note that libeay32.dll is the open source OpenSSL crypto library and is used by many administrative and incident response tools, such as the memory capture tools DumpIt (MoonSols) and FTK Imager (AccessData), and by Symantec's Ghost imager. Finding this file on a normal user's workstation, when that user has no admin or incident response duties, may be suspicious; on its own it is not evidence of PWDump.

9 PWDump
PWDump in AV signature database
After seven iterations of PWDump, the password grabbing tool is well known to antivirus vendors. Yet it continues to be deployed because of its ease of use. Intruders will often rename, pack or modify the code to avoid AV detection. This is an example of an AV signature database with references to PWDump.

10 PWDump
Keywords used to identify PWDump activity:
Error reading hive root key
Andres Tarasco Acuna
savedump.dat
Error opening sam hive
raw password extractor
A few keywords used to identify variants of PWDump on an image.

11 Pass-The-Hash Tools: Mimikatz
Author: Benjamin Delpy
Support for both x86 and 64bit systems
Older versions require sekurlsa.dll to run
Extracts hashes and cleartext passwords
In the latest version of Mimikatz the sekurlsa module is embedded in the executable instead of being shipped as a separate ‘sekurLSA.dll’.

12 Mimikatz
Unlike most PtH tools, Mimikatz will run from the root of Windows. You can identify the location on the system from which the executable ran by the path in the Prefetch trace file. If the tool has not cleaned up after itself it may still be resident in that path. The location is important to note if the file has been renamed.

13 Mimikatz
Mimikatz hooks the System Service Descriptor Table (SSDT), similar to rootkit activity. Memory captures are great for identifying PtH activity. Hooked SSDT entries are easy to identify in memory with memory forensic tools such as Volatility, seen above. Here the fourth service table (at 0x82985b6c) contains multiple hooked functions pointing to an unknown driver, in this case mimidrv.sys, the driver for Mimikatz.

14 Mimikatz
Looking at mimikatz.exe using the Volatility plugin ‘handles’
Hooks lsass.exe
Was run across the network via PSEXESVC
Using the Volatility plugin ‘handles’ you can identify the source of an unknown executable and gain insight into its capability. PID 2616 is the PtH tool, mimikatz.exe.

15 Mimikatz
‘handles’ will also identify the hook into the Local Security Authority Subsystem Service (lsass.exe). Vice versa, looking at lsass.exe with the handles plugin you can find the injection from mimikatz.exe. PID 488 is lsass.exe.

16 Mimikatz
mimikatz.exe and conhost.exe start at the same time, indicating that mimikatz is likely being controlled through an interactive console. More observations on Mimikatz running in memory.

17 Mimikatz
Console activity can be recovered from memory.
Using the Volatility plugin ‘consoles’ it is possible to recover recent interactive console input and output. Success is always contingent on the VOLUME OF ACTIVITY the system is exposed to, how fast the INCIDENT RESPONSE is, and the SIZE of the memory capture.

18 Mimikatz
Mimikatz is logged in the Windows power configuration trace ‘energy-ntkl.etl’. WINDOWS VISTA AND WINDOWS 7 introduced a host of new metadata files and logs to the Windows operating environment, NEVER INTENDED FOR FORENSIC EVIDENCE. With the introduction of the power configuration log ‘energy-ntkl.etl’ in Windows 7, any application that calls the functions PowerCreateRequest or SetThreadExecutionState is logged. Mimikatz calls PowerCreateRequest when polling data from a victim system over the network, to keep the system from going into sleep mode while connected. From Memory

19 Mimikatz
Keywords used to identify Mimikatz activity:
Benjamin DELPY
gentilkiwi
sekurlsa
kiwissp.log
Pass-the-Ticket
Often Pass-The-Hash tools are RENAMED TO HIDE FROM SYSTEM ADMINISTRATORS. However, they will often IMPORT THE SAME NAMED MODULES and write consistently named logs. In this OBJECTS.DATA log you can see the Mimikatz driver, mimikatz.sys, and its dependent library, mimilib.dll, listed.

20 Pass-The-Hash Tools: gsecdump
Author: Johannes Gumbel, Truesec
Freeware
Latest version is 2.0b5
Extracts hashes from SAM, Active Directory and active logon sessions
Works with both x86 and 64bit systems

21 Gsecdump
Keywords used to identify gsecdump activity:
Johannes Gumbel
Truesec
dump_usedhashes
crap!
gsecdump
Crap! The author is fairly animated in the strings embedded in the tool. All of the Pass-The-Hash tools we talk about were designed for penetration testing and contain significant documentation that can be used to locate artifacts.

22 Pass-The-Hash Tools: PSHToolkit
Author: Hernan Ochoa, Core Labs
Latest version, 1.4
Toolkit contains three tools: iam.exe, whosthere.exe and genhash.exe
iam.exe is used to change/modify the NTLM credentials of the current logon session in memory
whosthere.exe is used to list logon sessions that are using NTLM credentials
genhash.exe generates LM/NT hashes from a password and is used to test iam.exe
PSHToolkit is a complete suite of PtH and hash dumping tools. Similar to the previous PtH tools discussed, iam.exe also uses its own library, IAMDLL.DLL.

23 PSH Toolkit
iam.exe requires a dependent library, iamdll.dll
Noting the reference to VirtualProtect in the data above, this file appears to be capable of process injection. Analysis of a memory capture can give further details on activity associated with a process injection. VIRTUALPROTECT changes the protection of a region of memory. For injected code to run, the attacker has to make the target region both writable and executable, i.e. change its protection to PAGE_EXECUTE_READWRITE (or write the code first and then flip the region to executable).
LSASRV.DLL – Legitimate Windows library loaded by lsass.exe; it hosts the authentication packages, including the NTLM package (msv1_0.dll), which is why PtH tools look for it
Strings extracted from iamdll.dll indicate that it is capable of changing NTLM credentials.

24 PSH Toolkit
Indicators of the PSH Toolkit can be found in several Windows metadata files, like the $LogFile seen above. Since many intruders will remove their tools after use, Windows metadata files such as $LogFile, $UsnJrnl and OBJECTS.DATA become valuable resources when tracking down prior activity.

25 PSH Toolkit
Keywords used to identify PSH Toolkit activity:
Hernan Ochoa
ChangeCreds
GenHash
iamdll.dll
pth.dll
Some of these strings are unique to specific tools within the set; however, the presence of one of the tools will usually indicate that the complete kit was resident. Hernan Ochoa is also the author of the Windows Credential Editor through Amplia Security.

26 Pass-The-Hash Tools: Windows Credential Editor
Author: Hernan Ochoa, Amplia Security
Latest release is 1.42 beta
Support for both x86 and 64bit systems
Extracts NTLM credentials from memory as well as Kerberos tickets and cleartext passwords
WCE.EXE can acquire credentials by process injection or by simply reading LSASS memory.
A forged ‘golden’ Kerberos ticket can authenticate even after the admin changes their password.

27 Windows Credential Editor
Windows time stamp library called by WCE.exe
Embedded in WCE.EXE is a dependent library, wceaux.dll; when WCE.EXE executes this file is dropped on the system. Often the intruder will change the name of WCE.EXE, but the name of the dependency will remain unchanged. RecentFileCache.bcf, which recorded the file here, is part of the Windows Application Experience and Compatibility feature.

28 Windows Credential Editor
wceaux.dll is dropped in the user’s AppData\Local\Temp directory. This was found in memory by running the Volatility plugin ‘filescan’. FILESCAN scans memory for _FILE_OBJECT structures, so it will find files even if they are hidden by a rootkit.

29 Windows Credential Editor
BootCKCL.etl, located at %SystemRoot%\System32\WDI\LogFiles, records a kernel trace of each boot. WCE.EXE shows up in it if it has been set up for persistence. Another log file introduced with Windows 7 is BootCKCL.etl (Boot Circular Kernel Context Logger), part of the Windows Diagnostic Infrastructure (WDI). The –r switch configures WCE.EXE to run indefinitely, re-reading logon sessions and credentials every five seconds so that new logons are captured; a WCE.EXE that survives a reboot is then reported by the boot trace. This file is hidden and requires Administrator permissions to access.

30 Windows Credential Editor
Windows Credential Editor set for persistence with the –r switch. With this configuration WCE re-reads the logon sessions every five seconds, so the dumped credentials sit in its process memory continuously and are easy to extract from a forensic memory image.

31 Windows Credential Editor
WCE injects into the lsass.exe process every five seconds to dump user credentials. WCE.exe, shown here as PID 4016, has injected into lsass.exe. Multiple identical transactions, especially into lsass.exe, are a clear sign of an attempt to dump credentials from the local system. This is output from the Volatility plugin ‘handles’.

32 Windows Credential Editor
When WCE.EXE dumps hashes and Kerberos tickets it creates output files by default in the directory from which it ran. While these files can be renamed and/or deleted by the intruder, evidence of their existence is easy to find through deleted $MFT entries, layout.ini, etc. WCE.EXE generates output files for password hashes (credentials.txt) and Kerberos tickets (wce_krbtkts); it will also dump Kerberos tickets in UNIX credential-cache format to wce_ccache.

33 Windows Credential Editor
Keywords used to identify WCE.EXE activity:
Hernan Ochoa
\\.\pipe\WCEServicePipe
Dump Kerberos tickets to file
Getlsasrvaddr.exe
Evidence can sometimes be as easy as looking for the author’s name. Here is a list of keywords that may be helpful in identifying WCE.EXE on your system or network. GETLSASRVADDR.EXE is a tool included with Windows Credential Editor that identifies the addresses in lsasrv.dll that WCE.EXE needs in order to read logon sessions directly from LSASS memory, so no DLL injection is required. GETLSASRVADDR.EXE needs an outbound HTTP connection to fetch the matching debug symbols (via symsrv) from Microsoft.

34 APIs Associated with Pass-The-Hash
SamLookupDomainInSamServer
NlpGetPrimaryCredential
LsaEnumerateLogonSessions
SamrOpenDomain
SamrOpenUser
SamIGetPrivateData
SamrQueryInformationUser
SamIConnect
SamRidToSid
One of the most effective ways of identifying a Pass-The-Hash tool that has been renamed is to examine the APIs the tool uses. This is a list of uncommon or undocumented Windows APIs that are often used by Pass-The-Hash toolkits. IMPORTANT: while many of these are normal inside Windows library files (.dll), references to these functions in the import table of a third-party executable (.exe) would be suspicious.
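The keyword lists on the PWDump, Mimikatz, gsecdump, PSH Toolkit and WCE slides and the API list above all come down to the same check: search a file image or a memory region for known strings. The following Python scanner is an added example and is not a tool from the presentation; the two-indicator threshold, the handling of both ASCII and UTF-16LE strings, and the two sample blobs (constructed, not real binaries) are my choices.

```python
import re

# Indicator strings listed on the keyword slides of this deck, grouped by tool.
# Any single match is weak evidence (libeay32.dll ships with many legitimate
# tools); two or more from the same set is worth a closer look.
TOOL_KEYWORDS = {
    "pwdump": [b"Error reading hive root key", b"Andres Tarasco Acuna",
               b"savedump.dat", b"Error opening sam hive",
               b"raw password extractor", b"libeay32.dll", b"lsremora.dll"],
    "mimikatz": [b"Benjamin DELPY", b"gentilkiwi", b"sekurlsa", b"kiwissp.log",
                 b"Pass-the-Ticket", b"mimidrv.sys", b"mimilib.dll"],
    "gsecdump": [b"Johannes Gumbel", b"Truesec", b"dump_usedhashes", b"gsecdump"],
    "pshtoolkit": [b"Hernan Ochoa", b"ChangeCreds", b"GenHash", b"iamdll.dll",
                   b"pth.dll"],
    "wce": [b"Hernan Ochoa", b"\\\\.\\pipe\\WCEServicePipe",
            b"Dump Kerberos tickets to file", b"getlsasrvaddr.exe", b"wceaux.dll"],
}

# Uncommon or undocumented SAM/LSA APIs from the "APIs Associated with
# Pass-The-Hash" slide.  References to these inside an .exe are suspicious.
SUSPICIOUS_APIS = [
    b"SamLookupDomainInSamServer", b"NlpGetPrimaryCredential",
    b"LsaEnumerateLogonSessions", b"SamrOpenDomain", b"SamrOpenUser",
    b"SamIGetPrivateData", b"SamrQueryInformationUser", b"SamIConnect",
    b"SamRidToSid",
]


def _patterns(needle: bytes):
    """Regexes for the ASCII and UTF-16LE forms of needle, case-insensitive.

    Windows binaries and memory hold many strings as wide characters, so a
    plain ASCII search would miss e.g. L"gentilkiwi".
    """
    wide = needle.decode("ascii").encode("utf-16-le")
    return (re.compile(re.escape(needle), re.IGNORECASE),
            re.compile(re.escape(wide), re.IGNORECASE))


def _found(data: bytes, needle: bytes) -> bool:
    return any(p.search(data) for p in _patterns(needle))


def scan_blob(data: bytes, min_tool_hits: int = 2) -> dict:
    """Scan a file image or memory region for hash-dumping-tool indicators.

    Returns the keyword hits per tool, the suspicious API names present, the
    tools with at least min_tool_hits indicators, and an overall verdict.
    """
    tools = {}
    for tool, needles in TOOL_KEYWORDS.items():
        hits = sorted({n.decode("ascii") for n in needles if _found(data, n)})
        if hits:
            tools[tool] = hits
    apis = sorted({a.decode("ascii") for a in SUSPICIOUS_APIS if _found(data, a)})
    likely = sorted(t for t, h in tools.items() if len(h) >= min_tool_hits)
    return {
        "tools": tools,
        "apis": apis,
        "likely_tools": likely,
        # Two or more SAM/LSA internals referenced by one file is suspicious on
        # its own, even when every other string constant has been stripped.
        "suspicious": bool(likely) or len(apis) >= 2,
    }


def scan_file(path: str, min_tool_hits: int = 2) -> dict:
    with open(path, "rb") as fh:
        return scan_blob(fh.read(), min_tool_hits)


# Constructed sample data (not real binaries): a renamed PWDump-style file and
# a benign imaging tool that merely ships with OpenSSL.
SAMPLE_RENAMED_DUMPER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"libeay32.dll\x00raw password extractor\x00"
    + "Andres Tarasco Acuna".encode("utf-16-le") + b"\x00\x00"
    + b"SamIConnect\x00SamrOpenDomain\x00SamrQueryInformationUser\x00"
)
SAMPLE_BENIGN_IMAGER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"libeay32.dll\x00ssleay32.dll\x00CreateFileW\x00WriteFile\x00"
)

if __name__ == "__main__":
    for name, blob in (("renamed dumper", SAMPLE_RENAMED_DUMPER),
                       ("benign imager", SAMPLE_BENIGN_IMAGER)):
        print(name, scan_blob(blob))
```

Run it over a suspect executable with scan_file(path), or over a memory dump or pagefile.sys by passing the raw bytes to scan_blob. The benign imager trips only the libeay32.dll indicator and is not flagged, which is the point of the threshold: a single shared library name is not evidence, while a renamed dumper still carries its author string and its SAM API references.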

35 They have my hash. Where do they go from here?
Scenarios for Pass-The-Hash:
Dump all hashes on the local system looking for admin privileges
Remote Admin support
Local Admin
Help Desk support
Patches and updates
Database logons
Assume they were successful. Determine what hashes were grabbed.
****NOTE – Please take a forensic image of the system before doing incident response!!
Credentials from RPC connections can remain cached on the system for a very long time.
In environments where a standard BASE IMAGE is used, the local admin account password is often the same across the enterprise. This makes LATERAL MOVEMENT very easy!
Recent HELP DESK logons may be cached. These accounts usually have super user privileges. In some instances the intruder has “CREATED” A PROBLEM for the purpose of generating a help desk login.
AUTOMATED OR BUILTIN ACCOUNTS that download patches or push updates often have the same password and access across the entire domain.
Database servers (SQL, etc.) cache logon credentials from multiple users across the network. Some may have elevated privileges.
TRUST RELATIONSHIPS can be exploited with any account that has permissions on another domain.

36 Was Pass-The-Hash used on your system?
grep -E ':[0-9A-Fa-f]{32}:[0-9A-Fa-f]{32}'
grep -E ':(NO PASSWORD\*{21}|[0-9A-Fa-f]{32}):[0-9A-Fa-f]{32}'
We’ve reviewed several ways to identify hash dumping activity on a system by looking for the tools. Another is to look for the hashes themselves. A grep expression like the ones above will locate pwdump-style LM:NTLM hash pairs. The first form finds two 32-hex-digit fields separated by colons; the second also accepts the 32-character placeholder PWDump writes when no LM hash is present. LM HASH storage, still used for backward compatibility, can be turned off by an Administrator, in which case the LM field is replaced with the ‘NO PASSWORD’ placeholder. There are different ways and different platforms on which to write a grep expression; this is just the general idea. Two details matter in practice: a bracket expression written as [0-9,A-F,a-f] includes the comma as a literal and so also matches runs of commas, and in a memory image the same text is often stored as UTF-16 with a NUL byte after every character, so either strip the NULs first or allow a NUL between characters.

37 Was Pass-The-Hash used on your system?
Sometimes memory may be the only place where dumped hashes can be found. Grep for hashes in memory as well!
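The grep on slide 36 and the advice on slide 37 to search memory as well, worked through in Python as an added example that is not part of the original deck. The expression is the corrected one (no commas in the character class, the placeholder's space allowed), the NUL-stripping pass is my approach to UTF-16 text in memory, and the sample pwdump output and memory fragment are constructed; the only real values are the well-known hashes of the empty password and of the word "password", used so the flags can be checked.

```python
import re

# Well-known hash values for an empty password.  An LM field equal to EMPTY_LM
# means no LM hash is stored (LM storage disabled or password over 14 chars);
# an NT field equal to EMPTY_NT means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style record: user:rid:LMHASH:NTHASH:::  The LM field is either 32 hex
# digits or the 32-character placeholder "NO PASSWORD" + 21 asterisks that
# PWDump writes when no LM hash is stored.
_HEX32 = rb"[0-9A-Fa-f]{32}"
_LM_FIELD = rb"(?:" + _HEX32 + rb"|NO PASSWORD\*{21})"
HASH_PAIR = re.compile(rb":(" + _LM_FIELD + rb"):(" + _HEX32 + rb")(?![0-9A-Fa-f])")


def find_dumped_hashes(data: bytes) -> list:
    """Return the distinct LM/NT hash pairs found in a file or memory image.

    The scan runs twice: once on the raw bytes, and once with NUL bytes removed
    so that UTF-16LE console output captured in memory (one NUL after every
    character) is found as well.  Stripping NULs can glue unrelated bytes
    together, so treat hits from the second pass as leads, not proof.
    """
    found, seen = [], set()
    for view in (data, data.replace(b"\x00", b"")):
        for m in HASH_PAIR.finditer(view):
            lm_raw = m.group(1).decode("ascii")
            nt = m.group(2).decode("ascii").lower()
            lm = None if lm_raw.startswith("NO PASSWORD") else lm_raw.lower()
            if (lm, nt) in seen:
                continue
            seen.add((lm, nt))
            found.append({
                "lm": lm,
                "nt": nt,
                "blank_password": nt == EMPTY_NT,
                # An LM hash the attacker could actually pass or crack.
                "lm_usable": lm is not None and lm != EMPTY_LM,
            })
    return found


# Constructed sample data (not from a real system).  The NT hash on the last
# two lines is the well-known hash of the word "password"; the LM hash on the
# last line is the LM hash of the same word.
_NOLM = b"NO PASSWORD" + b"*" * 21   # PWDump's 32-character placeholder
SAMPLE_PWDUMP_OUTPUT = (
    b"Administrator:500:" + _NOLM + b":31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n"
    + b"Guest:501:" + _NOLM + b":" + _NOLM + b":::\r\n"
    + b"svc_backup:1001:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::\r\n"
    + b"legacy:1002:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::\r\n"
)
# The svc_backup record as it would sit in a UTF-16 console buffer in memory,
# surrounded by unrelated bytes.
SAMPLE_MEMORY_FRAGMENT = (
    b"\x00\x12\x34"
    + "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::".encode("utf-16-le")
    + b"\xff\xfe\x00"
)

if __name__ == "__main__":
    for rec in find_dumped_hashes(SAMPLE_PWDUMP_OUTPUT + SAMPLE_MEMORY_FRAGMENT):
        print(rec)
```

The Guest line is deliberately skipped: both fields are placeholders, so there is nothing an attacker could pass. The Administrator line is the finding that matters most in practice, a blank local administrator password, and the svc_backup line shows the aad3b435... value that means "no LM hash" rather than a real hash.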

38 Was Pass-The-Hash used on your network?
What would network traffic look like?
SMB connections over ports 139/445 to a writeable admin share (e.g. C$, ADMIN$)
Malware files are transferred, usually an EXE and a DLL
Client then opens the svcctl named pipe over SMB (IPC$), i.e. connects to the Windows Service Control Manager (SCM) remote protocol; the SCM runs inside services.exe
Uses the following SVCCTL functions: OpenSCManager, CreateService, StartService and QueryServiceStatus (checks whether the service has started); the EXE and DLL are written to the share with standard SMB writes, the service is executed, the files are deleted with standard SMB functions, and the session finishes with OpenService and StopService (and usually DeleteService) to tear the service down
A successful connection through SVCCTL gives the user the ability to start, stop, create and delete services on the target machine. If a service does not specify a required set of privileges, the SCM assumes by default that the service requires all of the privileges associated with its account, for backward compatibility. If a service group contains a mixture of services with defined privileges and ones without, the entire group runs with all the privileges associated with the account.
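The sequence above, turned into detection logic as an added example that is not from the original presentation. The SmbEvent schema is an assumption about what an SMB parser or the System event log would give you, the five-minute window and the stage names are my choices, and the events are constructed traffic rather than a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SmbEvent:
    """One observation on an SMB session (constructed schema, an assumption)."""
    ts: float      # seconds
    src: str       # client address
    dst: str       # server address
    kind: str      # tree_connect | pipe_open | file_write | svcctl | file_delete
    detail: str    # share name, pipe name, file path, or SVCCTL operation


WINDOW_SECONDS = 300.0
# Stages the deck describes: admin share, svcctl pipe, EXE/DLL written,
# service created or started.  Cleanup (file delete, StopService) is recorded
# but not required, because the alert should fire before cleanup happens.
REQUIRED = {"admin_share", "svcctl_pipe", "binary_dropped", "service_started"}


def _stage(ev: SmbEvent):
    d = ev.detail
    if ev.kind == "tree_connect":
        share = d.rsplit("\\", 1)[-1].upper()
        # IPC$ is needed for any named pipe and is far too common to count.
        return "admin_share" if share.endswith("$") and share != "IPC$" else None
    if ev.kind == "pipe_open" and d.lower().lstrip("\\") == "svcctl":
        return "svcctl_pipe"
    if ev.kind == "file_write" and d.lower().endswith((".exe", ".dll")):
        return "binary_dropped"
    if ev.kind == "svcctl" and d in ("CreateService", "StartService"):
        return "service_started"
    if ev.kind == "file_delete" or (ev.kind == "svcctl" and d in ("StopService", "DeleteService")):
        return "cleanup"
    return None


def detect_remote_service_execution(events, window=WINDOW_SECONDS) -> list:
    """Flag (src, dst) pairs showing the admin share -> svcctl -> binary ->
    CreateService/StartService sequence inside `window` seconds.
    Returns one alert per pair, carrying the dropped file names."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pair[(ev.src, ev.dst)].append(ev)

    alerts = []
    for (src, dst), evs in by_pair.items():
        recent = []                      # events inside the sliding window
        for ev in evs:
            recent.append(ev)
            recent = [e for e in recent if ev.ts - e.ts <= window]
            stages = {s for s in map(_stage, recent) if s}
            if REQUIRED <= stages:
                alerts.append({
                    "src": src, "dst": dst,
                    "first_ts": recent[0].ts, "trigger_ts": ev.ts,
                    "dropped": sorted(e.detail for e in recent
                                      if _stage(e) == "binary_dropped"),
                    "stages": sorted(stages),
                })
                break                    # one alert per pair is enough
    return alerts


# Constructed traffic (not a real capture): a lateral move from 10.0.0.5, a
# file copy to C$ from a help-desk host, and an SCM status query from a
# monitoring server.  Only the first should alert.
SAMPLE_EVENTS = [
    SmbEvent(100.0, "10.0.0.5", "10.0.0.20", "tree_connect", "\\\\10.0.0.20\\ADMIN$"),
    SmbEvent(100.2, "10.0.0.5", "10.0.0.20", "file_write", "ADMIN$\\svchost32.exe"),
    SmbEvent(100.3, "10.0.0.5", "10.0.0.20", "file_write", "ADMIN$\\sekur.dll"),
    SmbEvent(100.5, "10.0.0.5", "10.0.0.20", "tree_connect", "\\\\10.0.0.20\\IPC$"),
    SmbEvent(100.6, "10.0.0.5", "10.0.0.20", "pipe_open", "\\svcctl"),
    SmbEvent(100.7, "10.0.0.5", "10.0.0.20", "svcctl", "OpenSCManager"),
    SmbEvent(100.8, "10.0.0.5", "10.0.0.20", "svcctl", "CreateService"),
    SmbEvent(100.9, "10.0.0.5", "10.0.0.20", "svcctl", "StartService"),
    SmbEvent(130.0, "10.0.0.5", "10.0.0.20", "svcctl", "StopService"),
    SmbEvent(130.5, "10.0.0.5", "10.0.0.20", "file_delete", "ADMIN$\\svchost32.exe"),
    SmbEvent(200.0, "10.0.0.9", "10.0.0.20", "tree_connect", "\\\\10.0.0.20\\C$"),
    SmbEvent(201.0, "10.0.0.9", "10.0.0.20", "file_write", "C$\\Users\\jdoe\\report.xlsx"),
    SmbEvent(300.0, "10.0.0.7", "10.0.0.20", "tree_connect", "\\\\10.0.0.20\\IPC$"),
    SmbEvent(300.1, "10.0.0.7", "10.0.0.20", "pipe_open", "\\svcctl"),
    SmbEvent(300.2, "10.0.0.7", "10.0.0.20", "svcctl", "QueryServiceStatus"),
]

if __name__ == "__main__":
    for alert in detect_remote_service_execution(SAMPLE_EVENTS):
        print(alert)
```

The alert fires at CreateService, before the tool has even started or cleaned up, and names the files that were written to the admin share so the responder knows what to pull from the target. The two benign pairs show why every stage is required: a file copy to C$ alone and an SCM status query alone are everyday administration.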

39 Network Activity
Call stack of a server-side RPC call. This connection was initiated from a remote system; the data was recovered from pagefile.sys.

40 Named Pipes as Attack Vectors
Security = Impersonation Dynamic False – User has full privileges
pipe\svcctl – access to all services running
Another capture from pagefile.sys. SVCCTL gives full control over the services on the box: START, STOP, CREATE, DELETE. Remote connection from mimikatz.exe via named pipe.

41 Named Pipes as Attack Vectors
The lsarpc interface is used to communicate with the Local Security Authority. This capture taken from pagefile.sys shows a connection to the Local Security Authority. By default (unless anonymous access has been restricted), this pipe allows ANONYMOUS ACCESS.

42 Named Pipes as Attack Vectors
Output from the Volatility plugin ‘handles’ gives a clear indication of mimikatz being executed across the network via the PSEXESVC named pipe. PID 2396 is mimikatz.exe.

43 Named Pipes as Attack Vectors
Require SMB Security Signatures
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature = "0"
Requiring SMB signing makes it much harder to relay or tamper with the SMB sessions that carry named-pipe (RPC) traffic. Domain controllers have required SMB signing by default since Windows Server 2003; on member servers and workstations the default is still not to require it, so it has to be enforced through Group Policy (RequireSecuritySignature set to "1" under both LanManServer and LanmanWorkstation). Finding the key set to “0” on a system where policy should have set it to "1" is suspicious and worth investigating. Note that signing protects the transport; it does not stop an attacker who already holds a valid hash from authenticating.

44 Proprietary services and Named Pipes
Windows Credential Editor connects to its own service through a named pipe of its own. You can catch this in memory or in pagefile.sys.

45 Event Logs
SMB connections to the Service Control Manager (SCM) are often recorded in the SYSTEM EVENT LOG, because the service the intruder creates is logged there as a service installation (event ID 7045) followed by start and stop events. Network connections can then be correlated with the local system event logs.

46 Event Logs
Access to the share with System level privileges
Access to all services running on the system
This access can be identical for many network exploits but is NEARLY ALWAYS used by Pass-The-Hash toolkits.
WINDOWS 8.1 – On Windows 8.1, lsass.exe can be run as a PROTECTED PROCESS (LSA protection, enabled with the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). A determined intruder with admin rights can clear that registry value, but the change only takes effect after a reboot, and both the reboot and the change will show up in the System event log.

47 Pass-The-Hash and Windows 8.1
Domain accounts no longer have plaintext passwords kept in memory (WDigest caching is off)
Restricted Admin RDP uses only network authentication – no reusable credentials are left on the remote box
Members of the Protected Users group authenticate with Kerberos only and cannot be delegated
Authentication policy silos introduced (Windows Server 2012 R2 domains)
With Windows 8.1 Microsoft attempts to mitigate many of the weaknesses associated with Pass-The-Hash. But how successful are they? Domain account hashes will STILL BE IN MEMORY if the account is used on the system. Restricted Admin RDP is similar in effect to a console tool such as Tivoli or PuTTY. Kerberos authentication cannot be delegated, however the tickets will still be in memory, albeit with a shorter life expectancy than password hashes. Authentication silos are Microsoft’s way of confining high-privilege credentials to only those systems that are pertinent to the selected account.

48 Pass-The-Hash and Windows 8.1
LSASS can run as a protected process
LM hashes are no longer kept in memory
New well-known SIDs for “Local account” and “Local account and member of Administrators group”
LSASS running as a protected process may be incompatible with some LEGACY applications (authentication packages and drivers that are not signed for PPL), which is why it is opt-in. The setting lives in the REGISTRY (RunAsPPL) and a change requires a RESTART of the system, which shows up in the EVENT LOGS. The new SID for “Local account and member of the Administrators group” can be placed in the “Deny access to this computer from the network” policy to DENY NETWORK LOGONS with local admin accounts, which blocks the shared-local-admin lateral movement described earlier.

49 Mitigation
Use the Kerberos authentication package
Enforce a password policy of a 15 character minimum
Remove or limit access to Windows shares
Disable the remote registry service
Limit the possibility of DLL injection by removing users and groups from the ‘Debug Programs’ policy setting (SeDebugPrivilege)
Kerberos tickets have a significantly shorter life expectancy than NTLM hashes. An LM hash can only be computed for passwords of up to 14 characters, so passwords of fifteen or more characters are never STORED as LM hashes in the SAM hive (the NT hash is still stored and is still usable for Pass-The-Hash; set NoLMHash to stop LM storage for all lengths). Some shares like IPC$ cannot be removed.

50 Mitigation
Use NTLMv2 instead of NTLM if you cannot use Kerberos
Use console tools like Tivoli for remote administration
Use two factor authentication
Protected Users Group: NTLM is not used, Kerberos or a third-party SSP is required, Kerberos tickets have a shorter life span, Windows Digest is not cached
Windows Vista and later default to “Send NTLMv2 response only” (LmCompatibilityLevel 3), but the setting is often lowered for BACKWARD COMPATIBILITY with older systems and applications, so verify it rather than assume it. Remote administration tools like Tivoli or PuTTY DO NOT CACHE credentials locally and enforce account logoffs; Restricted Admin RDP in Windows 8.1 achieves the same goal by never sending reusable credentials to the remote host. Use the Protected Users group for high value accounts (Windows Server 2012 R2 domains); their Kerberos TGT lifetime is shortened from the default ten hours down to FOUR HOURS. Windows Digest credentials are reversibly encrypted, which is why caching them is dangerous.
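An added example covering the registry settings referenced on the named-pipe, Windows 8.1 and mitigation slides: an offline audit of a `reg export` (.reg) file, the kind of artifact collected during triage. This is not from the deck; the .reg parsing and the list of checks are mine, DisableRestrictedAdmin and WDigest's UseLogonCredential are included on the assumption that an administrator hardening against Pass-The-Hash would also check them, and the export is constructed.

```python
import re

# Hardening checks drawn from the mitigation and named-pipe slides.  Each entry:
# (registry key, value name, predicate on the DWORD, description).  A value
# that is absent from the export is reported as "not set", because the OS
# default then applies and it differs by Windows version and server role.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
     "RequireSecuritySignature", lambda v: v == 1, "SMB signing required (server side)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature", lambda v: v == 1, "SMB signing required (client side)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RunAsPPL", lambda v: v == 1, "LSASS runs as a protected process (Windows 8.1+)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "NoLMHash", lambda v: v == 1, "LM hashes not stored"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LmCompatibilityLevel", lambda v: v >= 3, "Send NTLMv2 response only (3) or refuse LM/NTLM (5)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "DisableRestrictedAdmin", lambda v: v == 0, "Restricted Admin RDP enabled (assumed check)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", lambda v: v == 0, "WDigest plaintext credentials not cached (assumed check)"),
]

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})\s*$')


def parse_reg_export(text: str) -> dict:
    """Parse the DWORD values of a `reg export` (.reg) file into
    {key_path_lower: {value_name_lower: int}}.  Other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit_reg_export(text: str) -> list:
    """Evaluate every check; each finding carries the actual value (None when
    the value is not present in the export) and an ok flag."""
    keys = parse_reg_export(text)
    findings = []
    for path, name, good, desc in CHECKS:
        actual = keys.get(path.lower(), {}).get(name.lower())
        findings.append({
            "path": path, "name": name, "description": desc,
            "actual": actual,
            "ok": actual is not None and good(actual),
        })
    return findings


def failing(text: str) -> list:
    """Human-readable lines for every check that did not pass."""
    return [f"{f['name']} ({f['description']}): "
            + ("not set" if f["actual"] is None else str(f["actual"]))
            for f in audit_reg_export(text) if not f["ok"]]


# Constructed export (not from a real host).  Key names appear in the mixed
# case that reg.exe writes; the parser compares case-insensitively.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RunAsPPL"=dword:00000001
"NoLMHash"=dword:00000001
"LmCompatibilityLevel"=dword:00000002
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00
"DisableRestrictedAdmin"=dword:00000000
"""

if __name__ == "__main__":
    for item in failing(SAMPLE_REG_EXPORT):
        print("FAIL:", item)
```

On the constructed export this reports three problems: server-side SMB signing is not required (the "0" the slide calls suspicious), LmCompatibilityLevel has been lowered to 2 (NTLMv1 allowed), and the WDigest value is absent, so the OS default applies. Treat "not set" as a prompt to check the Windows version rather than as a pass or a fail.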

51 References
Delpy, B. (2012). Blog de Gentil Kiwi / Mimikatz. Retrieved from URL.
Ewaida, B. (2010). Pass-the-hash attacks: Tools and Mitigation. SANS Institute.
Gumbel, J. (2010). Gsecdump v2.0b5. Retrieved from URL.
Hummel, C. (2009). Why Crack When You Can Pass The Hash? SANS Institute.
Microsoft Corp. (2014). Microsoft Developer Network, msdn.microsoft.com
National Security Agency/Central Security Service (2013). Reducing the Effectiveness of Pass-The-Hash.
Ochoa, H. (2011). Windows Credential Editor. Amplia Security. Retrieved from URL.

52 References
Sanders, C. (2010). Dissecting the Pass The Hash attack. Retrieved from URL.
Tarasco Acuna, A. (2010). Password Dumper pwdump7 (v7.1). Retrieved from URL.
Vipzen (2014). Sorry, Microsoft: Pass The Hash on Windows 8.1 still works. Retrieved from URL.

53 Thank You!
