Agenda: Pass-the-Hash Technique; Pass-the-Hash on Windows Today; New Windows Mitigations

[Diagram: Sue’s Laptop and File Server, each holding Sue’s User Session. Labels: User: Sue, Password: a1b2c3; User: Sue, Password hash: C9DF4E…]

1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue

[Diagram: Fred’s Laptop, Sue’s Laptop and File Server. Labels: Fred’s User Session (User: Fred, Password hash: A3D7…); Sue’s User Session (User: Sue, Password hash: C9DF…); Malware User Session (User: Fred, Hash: A3D7; User: Sue, Hash: C9DF)]

1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue

“… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ...”

The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

PsExec EULA: You are not permitted to use PsExec for illegal activity.
[Diagram: “Credential footprint”. Sue’s Laptop (User: Sue, Password: a1b2c3) and PTHDemo-DC (User: Sue, Hash: C9DF4E…; 192.168.1.1; label “PTHDemo-DC published”). Local Security Authority (LSASS) on Sue’s Laptop holds: NTLM (NTOWF: C9DF4E56A2D1…); Digest (Password: a1b2c3); Kerberos (Ticket-Granting Ticket, Service Tickets)]

[Diagram: Sue’s Laptop. Local Security Authority (LSASS) holds: NTLM (NTOWF: A3D723B95DA…, C9DF4E56A2D1…); Digest (Password: a1b2c3); Kerberos (Ticket-Granting Ticket, Service Tickets); Credential Store]

New Windows Mitigations: Local Account

[Diagram: Fred’s Laptop and Sue’s Laptop. Each Security Accounts Manager holds User: Admin, Hash: A2DF…]

New Windows Mitigations: Local Account; Domain Account

[Diagram: Sue’s Laptop. Local Security Authority (LSASS) holds: NTLM (NTOWF: C9DF4E56A2D1…); Digest (Password: a1b2c3); Kerberos (Ticket-Granting Ticket, Service Tickets); Credential Store]

New Windows Mitigations: Local Account; Domain Account; Restricted Remote Administration

[Diagram: Sue’s Helpdesk PC and Fred’s Laptop. Remote Desktop Client (User: Sue, Pass: a1b2c3). LSASS holds: NTLM (NTOWF: C9…); Digest (Pass: a1b2c3); Kerberos (Ticket); Credential Store. Label: Mimikatz]

New Windows Mitigations: Local Account; Domain Account; Restricted Remote Administration; Authentication Policies and Silos

[Diagram: Lobby kiosk; Fred; IT admin terminal; Sue; User: Sue; Domain Controller]

PTHDemo Domain
Users: … Fred; Sue (Silo: Sue)
Computers: … Fred-PC; Sue-PC (Silo: Sue)

“Sue Lockdown” Authentication Policy
Ticket lifetime: 4 hours
Conditions: Users use Silo PCs

“Sue Lockdown” Authentication Silo
Policy: “Sue Lockdown”
Members: Sue; Sue-PC