Just before the release of Windows Server 2016, several other tech journalists and I were invited to Redmond for a reviewers’ workshop. Microsoft tends to provide these types of workshops to tech journalists before major product releases, as a way of helping us to quickly learn about the product’s features and architecture. Although the bulk of the content at these reviewers’ workshops is technical in nature, there is usually a somewhat subtle marketing message attached to the presentation. This time around, Microsoft’s messaging could not have been clearer. To paraphrase, the message was that the world is an increasingly dangerous place, so Microsoft has put security at the forefront of the Windows Server 2016 design process.
I have to admit that I was truly impressed by some of the security features that Microsoft has introduced in its latest operating system. One such feature is Credential Guard. As its name would suggest, Credential Guard is a mechanism that is designed to prevent the theft of credentials. Doing so goes a long way toward preventing pass the hash and other types of privilege escalation attacks.
Before I start talking about how Credential Guard works, I want to spend a bit of time talking about pass the hash attacks. My hope is that by knowing how pass the hash attacks work, you will be better equipped to appreciate what Microsoft has done with Credential Guard.
The first thing that you need to know about pass the hash attacks is that there are a number of variations. Because I would like to begin discussing Credential Guard at some point, I’m not going to turn this into an exhaustive discussion of pass the hash attacks. I am instead going to focus on one of the more popular forms.
Pass the hash attacks are based on two basic principles. The first principle is that for a hacker, there is value in gaining access to a user account, regardless of how restricted that user account might be. The reason for this is that even the most basic user account can help a hacker to gain a foothold within a network.
The second principle that is key to understanding pass the hash attacks is that a hacker doesn’t necessarily need a user’s password in order to compromise a system. Sometimes, having a password hash works just as well as having the actual password. This is important, because the Windows operating system doesn’t actually store users’ passwords; it stores password hashes. If Windows stored the actual passwords, then it would be relatively easy for a hacker to break in and steal them. Instead, Windows takes the user’s password and passes it through a mathematical function to create a hash. The hash function is one-way: it cannot be reversed in order to derive the password from the hash. There is an interesting article on TechNet that explains in detail how the hashing process works and how passwords (or rather, password hashes) are stored in Windows (https://technet.microsoft.com/en-us/library/hh994558(v=ws.10).aspx).
So now that you know how password hashes are used within the Windows operating system, the phrase “pass the hash” is probably beginning to make a bit more sense. But just for fun, let’s pretend that I am a hacker and that pass the hash is my preferred attack method, and that I want to use this technique to gain full administrative access to someone’s network. Let’s also pretend that all of the network users are using strong passwords.
As a hacker, the first thing that I need is a point of entry into the network. However, the pass the hash technique can’t help me with this. Pass the hash can only be used once network access has been obtained.
That being the case, I, as a hacker, would most likely try to use social engineering to gain access to the network. I might call users on the phone and pretend to be from technical support. A naïve user might disclose their password, and information about the corporate VPN. Another option might be to somehow trick a user into running a Trojan that captures the user’s password and some basic information about the network. Regardless of which method is used, the first step in the process has to be to get a user’s password, and to locate a portal through which the network can be remotely accessed.
So let’s pretend that I tricked a user into installing a Trojan that gives me remote access to their PC, and that the Trojan is equipped with a keystroke logger, so I have managed to capture the user’s password. Now I can log in as the user. Just to make things interesting, however, let’s assume that the user does not have access to anything interesting.
Even though this particular user doesn’t have any kind of useful network access, it doesn’t really matter. The important thing is that I, as a hacker, have logged in to the user’s desktop PC and now have access to the contents of that device. Because of the way that Windows works, the user’s password hash is stored on the device. In addition, password hashes for any other user who has logged into the PC recently are also stored on the PC’s hard disk. I can capture these hashes and use them to log into the network to see where they get me.
The odds are pretty good that none of the password hashes that are stored on the device will provide access to anything useful. Even so, I may be able to use the user’s password to log into other PCs. This would give me the opportunity to examine the password hashes that are stored on those PCs. If I capture the hashes from enough PCs, then sooner or later I will probably find a PC that an administrator has logged into recently. Once I have an administrative password hash, then I can gain administrative control over the network.
My goal in this article is not to teach you how to hack a Windows network. In fact, I have purposely left out some of the finer points of a pass the hash hack, so as to avoid providing detailed instructions to would-be hackers. The point, however, is that pass the hash is a popular hacking method, and Microsoft’s new Credential Guard feature can help to prevent this type of hack. I will show you how Credential Guard works in the next article.