
Protecting against pass the hash attacks

For some odd reason (okay I was listening to the pauldotcom podcast), I was inspired to look into protecting against pass the hash and compile a quick list of things.

I already implement some group policies to disable the use of LM and NTLMv1 hashes and reduce the hashes stored locally:

Computer config\windows\security\local policies\security options\
-Interactive logon: Number of previous logons to cache: 1 logon
-Network Security: Do not store LAN manager hash value on next password change: enabled
-Network Security: LAN manager authentication level: Send NTLMv2 response only: Refuse LM & NTLM

There’s a lot written on this topic already, but it’s very complex and requires defense in depth. So here’s a quick list of related stuff.

Here are two writeups that look good:

Breakdown:
Local administrative access (via popping an exploit for instance) = access to hashes
Network traffic access (MITM, via ARP spoofing for instance) = access to hashes.

  • Whole disk encryption: auditing whether the system disk is encrypted.
  • Other defenses that stop exploits from popping. If an exploit pops during a local administrative session, then any hashes in use (those available to lsass.exe) are accessible to any administrator (anyone with the se_??? right).
    • patching (there are always exploitable bugs)
    • IPS/IDS (perimeter and host)
    • EMET sandboxing
  • restricting powerful accounts (including local administrator accounts) [this means have two sets of administrative accounts (or more). For instance, never log on to a workstation with a domain administrator account; but have (deployed) an additional set of accounts for workstation administrators.]
  • Use of OTP for powerful accounts [I need to verify this will always regenerate the hash]
  • Powerful function sandboxing. [seriously, use an IP KVM straight to the boxen, a VM or a dedicated box for your domain admin functions]
  • NAC [stops bad people from accessing LANs]
  • 802.1x & NAP [stops bad people from accessing LANs]
  • ARP spoofing protections [stops bad people from MITM]

User rights “considered elevated access” by MSFT:

  • Create token object (SeCreateTokenPrivilege)
  • Act as part of the operating system (SeTcbPrivilege)
  • Take ownership (SeTakeOwnershipPrivilege)
  • Back up files and directories (SeBackupPrivilege)
  • Restore files and directories (SeRestorePrivilege)
  • Debug programs (SeDebugPrivilege)
  • Impersonate client after authentication (SeImpersonate)
  • Modify object label (SeRelabelPrivilege)
  • Load and unload device drivers (SeLoadDriverPrivilege)
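As an added example (not part of the original post), here is a PowerShell audit script that checks whether the three group policy settings listed at the top of the post have actually taken effect on a machine, by reading the registry values those policies write, and lists which accounts hold the Debug programs right from the elevated-access list above. The registry paths, value names and the meaning of LmCompatibilityLevel 5 are the documented backing store for those policies; the temp file name is an assumption.

```powershell
# Added example: audit the pass-the-hash hardening settings from the post.
# Run in an elevated PowerShell on the machine being checked.

# Expected values for the three policies. A missing value means the policy
# has never applied to this host, which is itself a finding.
$Checks = @(
    @{ Name  = 'Interactive logon: Number of previous logons to cache'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'
       Ok    = { param($v) [int]$v -le 1 } }          # post sets 1; 0 is stricter
    @{ Name  = 'Network security: Do not store LAN Manager hash value on next password change'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'
       Ok    = { param($v) $v -eq 1 } }
    @{ Name  = 'Network security: LAN Manager authentication level'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'
       Ok    = { param($v) $v -eq 5 } }              # 5 = NTLMv2 only, refuse LM & NTLM
)

function Test-PthHardening {
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = $current
            Compliant = ($null -ne $current) -and (& $c.Ok $current)
        }
    }
}

function Get-DebugPrivilegeHolders {
    # secedit exports the local user-rights assignments; SeDebugPrivilege is one
    # of the rights the post lists as "elevated access". Holders come back as
    # SIDs (prefixed with *) or account names. File name is an assumption.
    $cfg = Join-Path $env:TEMP 'pth-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

Test-PthHardening | Format-Table -AutoSize
"Accounts holding SeDebugPrivilege: $((Get-DebugPrivilegeHolders) -join ', ')"
```

Anything reported as non-compliant means the GPO is not reaching that host; anything beyond Administrators holding SeDebugPrivilege is an account that can read hashes out of lsass.exe.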

A lot of the above will eventually be covered within the scope of the Securing your network project.
