Class 42: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction

[Date: 2023/07/26]

In this Class 42: Learning Journal, I am going to talk about the main ideas/concepts covered in the Pass the Hash with Mimikatz lecture.

After that, I am going to make a reflection based on the question referred to at the end of this page.

Today I Learned

Linux Passwords

Security professionals should always know how popular operating systems store user credentials.

The /etc/passwd file contains information necessary for user login.

Running cat /etc/passwd reveals, for each account:

  • Username
  • Password
  • User ID (UID)
  • Group ID (GID)
  • User information (comment field)
  • Home directory
  • Command/shell

Windows Passwords

Windows Users

Windows user privileges

  • Typically, user accounts can be added to the Administrators group to receive those privileges. Remember RBAC (Role Based Access Control)?
  • Windows maintains a hidden Administrator account that is the final authority and has even higher privileges than an administrator-class user

Windows Authentication

Windows authenticates its users via the Local Security Authority (LSA), which performs a negotiation process during authentication.

  • Out of the box, LSA will use NTLM (New Technology LAN Manager)
  • If the DC (Domain Controller) is properly configured, LSA prefers to use Kerberos when available

NTLM

NT (New Technology) LAN Manager (NTLM) uses a challenge-response protocol to avoid sending user passwords in plaintext.

  • Released with Windows NT 4.0
  • NTLM credential: Domain name; User name; One-way hash of the user's password

SAM

The Security Account Manager (SAM) is a database file in Windows that stores user passwords as NTLM Hashes.

  • SAM registry entry located in registry hive HKEY_LOCAL_MACHINE
  • SAM file located in C:\Windows\System32\config

SAM file targeted by hash dumping tools

  • Old logic: Who cares if my password hashes get stolen?
  • New logic: Rainbow tables

Ophcrack

Ophcrack is a Windows password cracking tool that can dump hashes from the encrypted SAM and attempt to crack the dumped hashes using rainbow tables.

Kerberos

Windows prefers to use Kerberos, when it is available, for authentication.

Originally developed by MIT in the late 80s, Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network.

  • Uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities

Components of the Kerberos workflow:

  • Client
  • Server
  • Authentication Server (AS)
  • Key Distribution Center (KDC)
  • Ticket Granting Server (TGS)

Secret keys used by Kerberos workflow:

  • Client/user
  • TGS secret key
  • Server secret key

Lateral Movement

TA0008: Lateral Movement is a post-exploitation tactic used to maneuver deeper into a network in search of sensitive data or high-value assets.

  • In T1550: Use Alternative Authentication Material, adversaries use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment

Pass the Hash

Mimikatz is a post-exploitation tool used to perform lateral movement on Windows systems.

A pass the hash attack is a lateral movement technique where the password hash from one computer is used to authenticate into another.

Mimikatz exploits a vulnerability in the WDigest feature

  • Mimikatz goes into Windows' debugging mode and abuses a loophole in WDigest to authenticate to another computer

WDigest Vulnerability

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

  • If the UseLogonCredential value is set to 0, WDigest will not store credentials in memory
  • If the Use XXXXXXXX
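
As an added defensive check (my own example, not part of the lecture or this wiki), the PowerShell below audits the UseLogonCredential value at the registry path above and, when it is set to 1, sets it back to 0; the function names are my own, and the path is assumed to be the one quoted in the notes.

```powershell
# Added example, not from the lecture: audit the WDigest UseLogonCredential
# value and harden it. Uses the registry path quoted in the notes above.
$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WDigestName = 'UseLogonCredential'

function Get-WDigestCredentialCaching {
    # Reads the value and reports whether WDigest may keep credentials in LSASS memory.
    $item = Get-ItemProperty -Path $WDigestKey -Name $WDigestName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value   = $null
        $verdict = 'OK: value absent (Windows 8.1/2012 R2 and later do not cache by default); set 0 explicitly'
    } elseif ([int]$item.$WDigestName -eq 1) {
        $value   = 1
        $verdict = 'WEAK: WDigest keeps plaintext credentials in memory'
    } else {
        $value   = [int]$item.$WDigestName
        $verdict = 'OK: caching explicitly disabled'
    }
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        UseLogonCredential = $value
        CachesCredentials  = ($value -eq 1)
        Verdict            = $verdict
    }
}

function Set-WDigestCredentialCaching {
    # Writes UseLogonCredential = 0 (DWORD). Requires an elevated shell.
    # Credentials already held for existing sessions stay in memory until
    # those sessions end; the setting governs logons made after the change.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name $WDigestName -PropertyType DWord -Value 0 -Force | Out-Null
    Get-WDigestCredentialCaching
}

# Audit first; harden only if the audit flags the weak setting.
$status = Get-WDigestCredentialCaching
$status | Format-List
if ($status.CachesCredentials) { Set-WDigestCredentialCaching | Format-List }
```

Run the audit across a fleet before remediating, since a value of 1 is itself a finding worth investigating: nothing sets it by default on current Windows.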

Mimikatz

C:\Tools\mimikatz\x64\mimikatz.exe runs Mimikatz

sekurlsa::logonPasswords

Mimikatz does not require a successful crack, but can pass the hash to another computer instead.

What else can Mimikatz do?

  • Pass-the-Hash
  • Over-Pass the Hash (Pass the Key)
  • Kerberos Golden Ticket
  • Kerberos Silver Ticket
  • Pass-the-Cache