Protecting Privileged Domain Accounts during Live Response

More documents

Recommendations

Info

Offline Cracking Two methods: Brute-‐force/Dictionary attacks: real-‐ Rainbow Table attacks: pre-‐ Very effective against LM hashes (99.9%) Effective against many NT hashes up to about 8 characters Online Rainbow Tables: http://www.onlinehashcrack.com/ Pass-‐the-‐Hash Techniques which allow attackers to authenticate with the hash directly (so no need to crack the passwords) Example tools include Pass-‐the-‐Hash Toolkit & Metasploit 10
Hashes must reside on the system For local accounts, hashes stored in the SAM database For domain accounts, the domain user must have performed an interactive logon to the system (more on interactive logons in a moment) If interactive logon occurs, hashes are stored in 2 places: Stored Stored in memory while the user remains logged on Attacker must have Administrative rights to obtain the hashes 11
Page 1 and 2: Mike Pilkington SANS Forensics and
Page 3 and 4: If you live in Houston and are inte
Page 5 and 6: For effective IR, what do we need t
Page 7 and 8: There are 3 areas where our credent
Page 9: 3 types of password hashes supporte
Page 13 and 14: Windows codes: From: http://www.ul
Page 15 and 16: Next, I used the RunAs -‐ MSA
Page 17 and 18: -‐ now logs into the remote mac
Page 19 and 20: -‐ In the same second, the WMI
Page 22 and 23: Just wanted to demonstrate that I w
Page 24 and 25: Access tokens allow a privileges a
Page 26 and 27: Impersonate-‐level tokens are p
Page 28 and 29: Output from Incognito shows tokens
Page 30 and 31: Rebooted boxes, then logged back in
Page 32 and 33: NO with NET USE and WMIC YES with P
Page 34 and 35: Delegate-‐level tokens availabl
Page 36 and 37: Net authentication prior to Windows
Page 38 and 39: Provides mutual-‐authentication
Page 40 and 41: The related Relay Attack, to a 3rd
Page 42 and 43: By design, LM/NTLM (v1 & v2) uses p
Page 44 and 45: completely NTLM is still used in th
Page 47 and 48: Turns out that PsExec and NET USE w
Page 49 and 50: Use local admin account whenever po
Page 51 and 52: posting a set of written articles o
Page 53: Contact me directly: mike@securitys

Protecting Privileged Domain Accounts during Live Response

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?