The use of Pass-the-Hash (PtH) attacks against Windows environments has been well documented over the years. A small primer of references discussing these attacks, selected from amongst the many good resources available, follows:

- The official Microsoft documentation detailing how "The client computes a cryptographic hash of the password and discards the actual password." before attempting NTLM authentication. Useful for understanding why PtH for NTLM authentication is possible in Windows environments.
- Hernan Ochoa's slides discussing the original Pass-the-Hash Toolkit. These describe a working means to execute PtH attacks from Windows machines that had been developed in 2000.
- The pth-suite Linux tools are of specific interest (when they were originally released, these were coded for Backtrack Linux. Most of these tools have found a new home in Kali Linux, with one notable exception - which contributed to the writing of this blog post).
- "Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy" - a discussion of PtH for local user accounts, and the additional restrictions imposed on this form of PtH since Windows Vista.
- Exploiting PtH using the PsExec module in Metasploit.
- The Github documentation for the PtH module in Mimikatz.

One of the specific applications of this attack that has always interested me is the ability to PtH to websites that make use of NTLM authentication. Due to the ubiquity of enterprise Windows Active Directory environments, a large number of internal corporate web applications make use of this authentication scheme to allow seamless SSO to corporate resources from company workstations. Being able to execute Pass-the-Hash attacks against these websites is therefore a useful technique for effective post-exploitation on Windows environments. The full impact of this is apparent when a full domain compromise occurs - i.e. after a complete domain hashdump for a given domain has been obtained, which contains the NT hashes associated with all employee user accounts. Pass-the-Hash, in this scenario, effectively allows the impersonation of any corporate employee, without needing to crack any password hashes, or keylog any passwords from their workstations. This means that even for the most security conscious users, who might have used a 20+ character - generally uncrackable - passphrase, there would be no protection against an attacker using their compromised password hash to impersonate them on a target corporate web application. For a long time, performing Google searches on this topic and trawling through the results offered me no additional insight into how to use current (circa 2015-2018) tooling to execute such an attack. So, the question becomes: how would one practically carry out such an attack against an NTLM authenticated website? When considering the estimable set of Pass-the-Hash tools available in Kali Linux - pth-suite - there was a strange gap. While most of the original pth-suite tools made their way into Kali Linux in 2015, the notable exception - which I alluded to earlier - was pth-firefox, which, as the name suggests, patched the NTLM authentication code in Firefox to allow Pass-the-Hash.
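To make concrete the point quoted from the Microsoft documentation above, and why a long passphrase offers no extra protection once its NT hash has leaked, the following added example (not from the original post or from any of the tools it references) implements NTOWFv1 and the NTLMv2 proof computation described in MS-NLMP section 3.3.2 in Python. The passphrase, user, domain, server challenge and client blob are constructed sample values, and MD4 is implemented inline because hashlib often lacks it under OpenSSL 3.

```python
import hashlib
import hmac
import struct

M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: (((v & M) << s) | ((v & M) >> (32 - s))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: message words in order
            a, b, c, d = d, rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            a, b, c, d = d, rol(a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. Length and complexity do not survive this step."""
    return md4(password.encode("utf-16le"))

def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP 3.3.2: NTProofStr is HMAC-MD5 keyed from the NT hash; the password is never an input here."""
    response_key = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof_str = hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof_str + blob

def demo() -> bool:
    """Constructed exchange: a 24-character passphrase and its dumped hex hash yield the same proof."""
    passphrase = "Correct-Horse-Battery-42"  # constructed sample, not a real credential
    dumped_hash = nt_hash(passphrase).hex()  # the form an NT hash takes in a domain hashdump
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed 8-byte challenge
    # Constructed NTLMv2 blob: version, reserved, timestamp, 8-byte client nonce, reserved, MsvAvEOL, reserved
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + bytes(range(8)) + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
    with_password = ntlmv2_response(nt_hash(passphrase), "alice", "CORP", server_challenge, blob)
    with_hash_only = ntlmv2_response(bytes.fromhex(dumped_hash), "alice", "CORP", server_challenge, blob)
    return with_password == with_hash_only
```

Calling demo() returns True because the proof is keyed solely by the 16-byte hash, which is why a leaked NT hash has to be treated as a password-equivalent credential regardless of password length.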