Home > HowTo, Security > Pass-the-hash from memory

Pass-the-hash from memory

October 15th, 2012 Leave a comment Go to comments

This is the most impressive and scariest hack I ever seen.
The tool called WCE, Windows Credential Editor can get any password
from a Windows box, from memory! So even if you login in the server 3months ago,
the hack would still work. This is no common pass-the-hash attack,


The tool allows users to:
– Perform Pass-the-Hash on Windows
– ‘Steal’ NTLM credentials from memory (with and without code injection)
– ‘Steal’ Kerberos Tickets from Windows machines
– Use the ‘stolen’ kerberos Tickets on other Windows or Unix machines to gain access to systems and services
– Dump cleartext passwords stored by Windows authentication packages


Using this tool wce, to become Domain Administrator the attacker would need,to become a local administrator privileges to run WCE and be able to steal NTLM credentials from memory. This is a post-exploitation tool.
You also need local administrator privileges to perform Pass-The-Hash (change your current NTLM credentials, or launch a new program in a new Windows logon session with the NTLM credentials specified).


Defending against pass-the-hash atttacks
The reason pass-the-hash attacks are so feared is that once the password hashes have been obtained, the attackers can move around the compromised environment with ease. Hashes can be used to access any protected resource within the same forest. Worse, if a domain admin has logged on to a computer, a local attacker with Administrator credentials can harvest the domain admin authentication hashes right out of memory.

I think it is the latter attack, the ability for an attacker to elevate themselves to domain administrator — just because a domain admin had logged on to a box — that scares defenders the most. Essentially, the trustworthiness of your domain admin credentials are now an exponential factor of every computer they have ever been used on.

How to fix it? The best way is to not have any domain admins. Even if attackers compromise elevated accounts, their access is less than elevated domain admin. And if they add themselves to the domain admins group, an alert will be generated quickly because your monitoring software will know that should be an empty group. Here are other actions you can take:

Never log on to a normal end-user workstation as a domain administrator. Limit your domain administrator logons to domain controllers or special file servers. By never logging onto regular workstations, you significantly reduce risk.
– If you have to log on using domain admin (or other elevated credentials), always do so from a trusted computer. These are known as “jump” boxes. These jump boxes can be unique per user, virtual machined, and flashed cleaned after every use. The idea is to always log on to boxes that you know are clean.
– Do as many administration tasks and fixes as possible using remote console tools, which are less likely to leave password credentials in memory on the remote computers. Most pass-the-hash attacks take interactive log-ons (unfortunately Remote Desktop and Terminal Services are interactive log-ons), so the less of them you do, the better.
– If you have to interactively log on to a computer, after you are through, reboot the computer (if possible). Rebooting removes the credential temporarily stored in memory.
– Frequently update elevated account passwords. I have many clients who change passwords after every use, often with the help of third-party software. That way, if an attacker grabs the credentials out of memory, so what? They aren’t any good anymore.

The No. 1 way to prevent pass-the-hash attacks is to keep the bad guy from getting domain admin or local admin in the first place.


Another way attackers use, is to the the NTLM hash from the Wire (using Wireshark) and use it latter on
with tools such as runash refrence

Another Really cool tool I found was smbexec

  1. No comments yet.
  1. No trackbacks yet.