Mimikatz and Active Directory Kerberos Attacks
Nice Overview of Mimikatz and the many ways it can be used to steal, mimic, create, and bypass credential management in Windows.
Password-Stealing Tool Targets Windows; Evades Antivirus
To protect against pass the hash attacks, Microsoft recommended two methods that aren’t viable or practical, from Aorato.com’s perspective:
- Implement smart card authentication (smart cards are expensive and difficult to deploy throughout an enterprise)
- Remove the weaker encryption algorithm from the systems (this requires removing its use throughout the enterprise, which can prevent users from accessing older systems)
Malware Lateral Movement: A Primer
What can you do to detect and contain the threat actors creeping around in the dark space of your network?
First, you need to be able to shine a light into that dark space and get visibility into what you are missing. Below are some recommendations that will help you do just that:
- Gathering Threat Intelligence about the tools, tactics and procedures of the malicious actors and their campaigns
- Have a threat analytics platform to identify and consolidate the information that will give your analyst the ability to do more proactive hunting for these types of techniques
- Proactively perform forensics and sweeping of endpoints for indicators of compromise
- Harden the devices that are on your network by removing any non-required applications or services and preforming proactive application and system configuration management and logging
- Implement tighter controls and proactive monitoring of credentials and applications, utilizing whitelisting and multifactor authentication methods.
- Perform data exfiltration identification and monitoring by utilizing full packet analysis and monitoring tools.
Defending Against Pass-The-Ticket Attacks
Pass-the-Ticket Countermeasures
In general, Pass-the-Ticket exploits can’t be blocked by standard cyber security defenses because compromised tickets aren’t invalidated when local or domain passwords are changed. And while multifactor authentication is typically a sound verification practice, Pass-the-Ticket exploits bypass it altogether.
Instead, protecting against Pass-the-Ticket requires a different approach on the part of IT. Here are three steps in a Pass-the-Ticket defense process:
- Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains, allowing hackers to impersonate users or processes to gain lateral movement on a network. To counter this attack, you need to reduce the attack surface of your network. That involves enforcing frequent, automated credentials updates and secure escalation to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex and unique credentials that are frequently changed. And then audit access to the credentials.
- Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can use to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of cyber attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.
- Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. This can be accomplished through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets.The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. Privileged access management vendor Lieberman Software calls this process a Security DoubleTap™. It clears the system memory of hashes and passwords on compromised machines to curtail further access.
Lieberman Software’s Security Double-Tap™ Defeats Golden Ticket Cyber Attacks
While PTH is a more widely known threat, the related PTT attack is just as dangerous. PTT attacks target Kerberos, the default authentication protocol in Windows domains. These attacks exploit Kerberos by hacking the server that stores a secret key protecting authentication. Once the attacker obtains this secret key, he gains unrestricted access throughout the IT environment – essentially a “Golden Ticket”. The attacks are launched using tools freely available online, such as WCE and Mimikatz.
Removing Pass-the-Ticket Access from Compromised Machines
ERPM now provides an automated double password reset specifically designed to combat the Golden Ticket attack. The two password resets – a Security Double-Tap - force rapid replication of the changed credentials throughout the domain, to block the use of compromised accounts. In conjunction with this process, ERPM can also force an automatic chained reboot of target system to clear memory of hashes and passwords, and prevent memory scraping.
Practical Attacks Against Multifactor
"Multifactor authentication will keep the bad guys out" is the hue and cry of hardeners everywhere, so what is the pen-tester to do? This talk will present a variety of practical attacks against multifactor authentication, ranging from basic configuration oversights to attack strategies that might work forever even if they configure it right. Multiple technologies will be presented. Many people trust their MFA implicitly, as if it's a magic talisman of keeping hackers out, but there is much a pen-tester can do (and thus, much the other kind of hacker can do), and it's important to discuss and illustrate the risks. This talk should be useful for you if you're a pen-tester, but also if you are a defender trying to get the most out of your MFA.
Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1
The Windows patch that corrects the wdigest issue of storing passwords in clear text, and how to bypass it.
Microsoft’s Local Administrator Password Solution (LAPS)
Microsoft networks remain amongst the most vulnerable and exploited due to the way in which Active Directory is typically deployed: A base image is created with a standard local administrator password, which is duplicated on all workstations in the environment. When an attacker compromises any workstation, the local administrator password hash can be obtained and used to access every other workstation using the classic Active Directory exploit Pass-the-Hash (PtH). This methodology is described in detail in FireEye/Mandiant M-Trends 2015 case studies.
On May 1 Microsoft released a new tool, Local Administrator Password Solution (Security Advisory 3062591), which provides a solution to the Pass-the-Hash exploit. Local Administrator Password Solution (LAPS) changes each local administrator password to a unique value, preventing reuse. LAPS also provides complementary end-user software to manage local administrative accounts from a centralized server.
Why You Want Two-factor Authentication
Most importantly, 2FA is a tool to ameliorate the security pandemic that is the password. Password re-use, weak password complexity, and insecure credential storage are the harbingers of doom for corporate networks. If you’ve never had the pleasure of using Mimikatz then give it a whirl and enjoy the sinking feeling in your stomach as you realize how your passwords are rarely adequately secured. Even if you use a password manager with long, unique passwords for everything that you log into, you stand to benefit by requiring 2FA as well.
