Monday, March 24, 2014

Using an SSP/AP LSASS Proxy to Mitigate Pass-the-Hash Pre-Windows 8.1

mit·i·gate
verb
  1. make less severe, serious, or painful.
     "he wanted to mitigate misery in the world"
     synonyms: alleviate, reduce, diminish, lessen, weaken, lighten, attenuate, take the edge off, allay, ease, assuage, palliate, relieve, tone down


Intro

A colleague (Matt Weeks/scriptjunkie) guest-posted an article on the passing-the-hash blog (@passingthehash) about March being Pass-the-Hash awareness month, updating us on where things stand today with this family of issues. I thought this would be a good subject for an opening post. This post mostly concerns pre-Windows 8.1 systems that use Smart Cards and Kerberos as their primary form of authentication. It may apply to other configurations as well.

This post covers the very basics of what I did to create a custom Security Support Provider/Authentication Package (SSP/AP) that acts as a proxy, in order to help mitigate the problem of LSASS storing NTLM credentials in its memory space. This technique should probably only be used when your primary mode of authentication is something other than NTLM, such as Kerberos, because it will prevent LSASS from properly caching NTLM credentials on the client for later use. While this does not solve the problem and is by no means a perfect solution (that probably has to come from Microsoft), it will at least offer some protection against some of the low-hanging-fruit attacks.