Monday, November 03, 2008

HITB2008 - Malaysia - Pass-The-Hash Toolkit for Windows Presentation

Hey, so I'm back from Malaysia!.
Great place, very interesting, I need to go back as soon as possible :).

Thanks to Dhillon for the opportunity to present in the conference and going to Malaysia, and the entire HITB Crew for your help during the conference. Special Thanks go to Fabian, a HITB Volunteer, that waited for me at the airport at 6:20am to send me on my way to the Hotel. Thanks Fabian! :).

Materials for the conference are available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/

My presentation, "Pass-the-hash toolkit for Windows - Implementation & Use" is available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/D1T1%20-%20Hernan%20Ochoa%20-%20Pass-The-Hash%20Toolkit%20for%20Windows.pdf

The presentation is a good starting point to understand how the tools were implemented, and will also give you an insight on how to use the tools and why.

The presentation does not describe exactly the demo I did where I reproduced (as a single example of this situtation) a 'vulnerability' where NTLM credentials remained in memory after users log off, which is also one of the best arguments in favor of using the whosthere/whosthere-tool during a pentest, but it shouldn't matter anyway because I just reproduced the 'bug' to show the audience I was not lying about this issue :), so being able to reproduce it (the case I showed at least) should not be relevant; the only relevant thing is: you should use whosthere/whosthere-alt during pentests to gather admin credentials of past logons that are in memory :).

3 comments:

CG said...

Hernan,
looks like it was a good talk. hope they release the videos soon

Justin Searle said...

Seconded. Great talk presentation.

BTW, thought I'd pass on a little trick to increase your chances of gaining domain admin credentials. Once you crack the local admin account of a workstation, or another user with local admin rights, use psexec.exe to run whosethere.exe across the entire network. We've done this across IP spaces as large as 200,000 IPs, and it works like a charm. And to speed things up, use nmap to generate a list of windows machines by doing a port sweep for SMB ports, then feed that into psexec.exe.

- justin @ InGuardians

Rich Rumble said...

PSH, Gsecdump/msvtl are very scary the more I use them... What if anything can be done to mitigate? Do you move to a kerberos authentication scheme? Gaining admin on M$ systems isn't much of a challenge most times, so dumping the hash's and making use of PSH is also just as trivial. Can M$ fix it without breaking compatibility? I doubt it ;) Do we have to rely on AV solutions or perhaps DEP (Data Execution Prevention) could help? Just curious, right now I love using your tools, my clients don't like it, and they don't like me telling them there is *NOTHING* that can be done about it...