Windows Server - Hash injection mitigation?

Asked By ITGu on 06-Oct-07 07:45 PM
It appears there is a new hash injection tool that works on 2003 and XP
systems called msvctl.exe. It was demonstrated at Microsoft TechEd 2007 in
Orlando and there's a lengthy blog about it at:

Besides the mitigation points listed in the blog, are there any other
methods to thwart such injection attacks? Of course non-administrator rights
is a great start, but I work in a big company and we have a lot of
application administrators that can just access one or two servers, and I'm
concerned they could use this technique to gain access to additional servers
on the network.


Steve Riley [MSFT] replied on 06-Oct-07 09:09 PM
This attack, more properly called a pass-the-hash attack, is not new and has
been known for some time. Any system that relies on challenge-response -- in
other words, just about every current authentication system -- operates the
same way.

We have made mention of these kinds of attacks in the past. Jesper
Johansson, my former colleague, has similarly demonstrated them.
Furthermore, unlike Marcus, Jesper explains how such an attack could happen:
attack the authentication server (domain controller) or attack a member
computer where someone is logged on. In either case, you need to become
admin of the computer before you can force the compromised machine to
release its hashes from memory, which lessens the likelihood of success. And
if you did manage to become admin, there are far more interesting attacks
that you'd want to attempt. By the way, sniffing a network connection won't
reveal hashes.

In other words, there's nothing new here, and very little that you need to
worry about.

Steve Riley

Felix Chandler replied to Steve Riley [MSFT] on 28-Mar-10 02:46 PM
1) The first issue is getting in as local admin. In my company the boot order was HD first, but this took 1 minute to bypass by removing the relevant jumper. Next, ophcrack will give you the local admin password, but it does cost some $999 if this involves non-alphanumeric values. There are other tools to replace the local admin password with your own, basically think of a password, run it through MD5 to produce a hash, then use a LiveCD to replace the relevant SAM hash by your own.

So, first step is the easy one.

2) Next, you need gsecdump. Well, any antivirus I know kills it as soon as it is seen by Windows. So what do you do? You write it on a read-only media like a CD. Still, I get an 'access denied' message from the AV. So you need to kill AV. Two ways I can think of: Erase the relevant folder via a LiveCD or boot in SafeMode and erase the relevant executables in that folder. I was unable to disable AV otherwise.

Next, you need to trick a domain admin into doing a remote access, perhaps asking for help with your printer or something. Assuming this access does take place and the domain admin does not reboot the machine, but logs off, then under Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Security Options->Interactive Logon: Number of Previous logons to cache (in case domain controller....)

you see that the system keeps the last N logons. If N=0, then only the last credentials are kept, i.e. your own, when you log on after the domain admin has logged off. So this attack is not that simple and it looks like it can be prevented with the right configuration, unless I'm missing something.

I should add that there is another tool, mimikatz ... f=8&t=3655

which also gets hashes, not sure if from disk or cache, not detected by the AV and I am not sure if this can be used to get the domain admin hashes.
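Two mitigation points recur in this thread: ITGu's concern about application administrators holding local admin on a handful of servers, and the cached-logons policy ("Interactive logon: Number of previous logons to cache", a value of 0 disables caching entirely) that Felix points to. The script below is an added example, not code from any poster, that audits both settings across a list of servers from a defender's side. It assumes PowerShell remoting (WinRM) is enabled on the targets, that the caller has admin rights there, and that the server names are placeholders; the thresholds are illustrative values you would set to match your own policy.

```powershell
# Added example (not from the original thread): audit two pass-the-hash risk
# factors on a list of servers. Assumes PowerShell remoting is enabled and the
# caller is an administrator on every target. Server names are placeholders.
param(
    [string[]]$ComputerName = @('APPSRV01', 'APPSRV02'),  # placeholder hosts
    [int]$MaxCachedLogons   = 0,   # expected policy value (0 = no cached logons)
    [int]$MaxLocalAdmins    = 3    # flag hosts where more accounts hold local admin
)

$audit = {
    param($MaxCachedLogons, $MaxLocalAdmins)

    # The "Number of previous logons to cache" policy is stored as CachedLogonsCount.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached   = [int](Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount

    # Enumerate the local Administrators group via ADSI, which also works on
    # older Windows versions that lack Get-LocalGroupMember.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = $cached
        CachedLogonsOk    = ($cached -le $MaxCachedLogons)
        LocalAdmins       = ($members -join ', ')
        LocalAdminsOk     = ($members.Count -le $MaxLocalAdmins)
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
                          -ArgumentList $MaxCachedLogons, $MaxLocalAdmins

$results |
    Select-Object Computer, CachedLogonsCount, CachedLogonsOk, LocalAdmins, LocalAdminsOk |
    Format-Table -AutoSize

# Hosts failing either check are the ones where a hash lifted from memory or
# from the cache would give an attacker the widest reach; review these first.
$results | Where-Object { -not $_.CachedLogonsOk -or -not $_.LocalAdminsOk }
```

Run it from a management host as an account with admin rights on the targets. Setting CachedLogonsCount to 0 on servers is usually safe because they rarely need to authenticate while a domain controller is unreachable; on laptops the same setting will lock users out offline, so apply it through a GPO scoped to server OUs rather than domain-wide.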