Cleartext and PtH still alive by @stealthsploit

1. Cleartext & PtH Still Live…

2. $ whoami /all
• Will Hunt
• Associate Director @ NotSoSecure
• 9+ years in InfoSec
• Blackhat USA trainer
• Pentester, formerly digital forensics, trainer of both
• @Stealthsploit / stealthsploit.com

3. Clear Text Creds
• Windows historically stored cleartext creds in RAM
• Win 8.1 / 2012 R2+ disabled lsass.exe clear text storage
by default
• Backported (2871997) to 7/8/2008 R2/2012 as a reg key
• Backported and set to 1 (clear text enabled) by default
• Let’s change that!
• reg add
HKLMSYSTEMCurrentControlSetControlSecurityProviders
WDigest /v UseLogonCredential /t REG_DWORD /d 1

4. Clear Text Conclusion
• Win 7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2
• Adding requires lock, removing requires signout
• Meterpreter mimikatz and kiwi work
• mimikatz often only detects kerberos, not wdigest
• Win 10 (inc Enterprise without Cred Guard)
• Signout required for add or delete
• Only meterpreter kiwi works – wdigest
• Win 2016 (without Cred Guard)
• Adding requires lock, removing requires reboot
• Only meterpreter kiwi works – wdigest

5. PtH

6. Hashes in Memory
• Hashes are stored in RAM
– Registry
– At logon in lsass.exe
– RDP (disconnect instead of log off)
• 8.1 / 2012 R2+ Restricted Admin Mode
– RunAs
– Services running under user accounts
• Not network logons (e.g. file share)
– Challenge / response  hash never gets there

7. Pass The Hash
• Authenticate via SMB using hash
• 8.1 / 2012 R2+ (2871997)
• Prevents network/remote interactive logons using local
accounts (excluding RID 500)
• Protected Users Group – No hashes left in RAM as users can’t
authenticate with NTLM (AES kerb auth only). Reduced TGT
lifespan
• Restricted Admin Mode – did this help elsewhere? ;-)
• 10 Ent / 2016 implemented Credential Guard

8. 2871997 Counter Attack
• “Prevents network/remote interactive logons using local
accouts (excluding RID 500)”
• Other local admins still may be able to write to registry!
• Thanks MS, I’ll just change that (again)…
• reg add
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
CurrentVersionPoliciesSystem /v
LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

9. RID 500 Caveat
• “Admin Approval Mode”
• https://technet.microsoft.com/en-
us/library/dd835564(v=ws.10).aspx#BKMK_BuiltInAdmin
• Sysadmin’s “get out of jail free” for RID 500
• HKLMSOFTWAREMicrosoftWindowsCurrentVersi
onPoliciesSystemFilterAdministratorToken
• Key often set via GPO – domain users can enum
systems that do/don’t have the key set
• RID 500 still often present in enterprises even
though disabled by default!

10. RID 500 Caveat
• So… can anyone spot a trend emerging?
• reg add
HKLMSOFTWAREMicrosoftWindowsCurrentVersi
onPoliciesSystem /v FilterAdministratorToken /t
REG_DWORD /d 1
• Disabled by default – if enabled (and set to 1) RID
500 gets UAC protection
At least this one’s for the blue team!

11. Remember Restricted Admin?
• 8.1 / 2012 R2 improvements mitigated some vectors…
• Also introduced new ones!
• “Restricted Admin mode provides a method of
interactively logging on to a remote host server without
transmitting your credentials to the server.”*
• Enabled for admins only (hint is in the name)
• No creds are left on remote box so network auth must be
used (Kerberos / NTLM)
*https://technet.microsoft.com/en-us/library/security/2871997.aspx

12. Registry or Group Policy
• reg add
HKEY_LOCAL_MACHINESystemCurrentControlSetControl
Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
• reg add
HKEY_LOCAL_MACHINESystemCurrentControlSetControl
Lsa /v DisableRestrictedAdminOutboundCreds /t
REG_DWORD /d 0

13. Registry or Group Policy
• Both not present by default (need to be created)
• DisableRestrictedAdmin
• Simple enables or disables Restricted Admin mode
• 0 = doesn’t exist (default) = enabled
• 1 = disabled
• DisableRestrictedAdminOutboundCreds
• Whether user is able to authenticate to remote resources
(from RDP RA session) using local machine account
• 0 = doesn’t exist (default) = enabled
• 1 = disabled

14. RDP PtH
• Otherwise…

15. RDP PtH
• 2871997 was backported  RDP PtH on Win7+ *
• freerdp-x11
• xfreerdp /u:will /d:mydomain /pth:<nthash>
/v:<remoteIP>
• Kali 1.1.0 / freerdp-x11
• freerdp-x11 updated and functionality removed
• Tricky to compile old client on Kali rolling
* https://blogs.technet.microsoft.com/kfalde/2015/01/10/restricted-admin-mode-for-
rdp-in-windows-7-2008-r2/

16. PtH Conclusion
• Remote UAC Protection now enabled
• 2871997 (Protected Users / Restricted Admin)
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurr
entVersionPoliciesSystem /v LocalAccountTokenFilterPolicy
/t REG_DWORD /d 1
• Backported to earlier versions
• Win 8.1 / 2012 R2+
• PtH still works
• mimikatz can also pth
• sekurlsa::pth /user:stealthsploit /domain:mydomain.local
/ntlm:7dfa0531d73101ca080c7379a9bff1c7 /run:cmd.exe
• RDP PtH
• If backported works on Win 7+

17. Protected Users?
• What about the protected users?
• No hashes left in RAM, AES kerberos auth only, all good?
• Nope!
• Classic ticket steal
• DA is a protected user
• Remotely logs into
compromised server
• Attacker has temporary
access to TGT
• Reduced TGT lifespan
now 4 hours
• Attacker dumps NTDS.dit
with TGT
• Attacker establishes domain
persistence

18. tl;dr
• #Tryharder Microsoft
• Clear text still accessible (if not already by default)
• PtH still possible (if not already by default)
• RDP PtH is possible
• Typical variables in play
• Admin access
• Write access to registry

19. Thank you ☺
Questions?