Password-Stealing Tool Targets Windows; Evades Antivirus

Mandiant’s M-Threat 2015 report details how a publicly available “pentesting” tool, Mimikatz, can be used to steal password hashes and dump plaintext passwords extracted from memory, helping attackers move laterally within your network.

Mimikatz is a Windows security audit tool developed by security researcher Benjamin Delpy (@gentilkiwi). He presented Abusing Microsoft Kerberos: Sorry You Guys Don’t Get It at BlackHat 2014 with Skip Duckwall (@passingthehash), outlining how Microsoft Active Directory and Kerberos can be compromised with the use of Mimikatz.

In Mandiant’s report, they found that in nearly every case they investigated, the victim organizations’ antivirus software failed to stop Mimikatz, as attackers would modify and recompile the source code to prevent detection (Mimikatz is available on GitHub). As ADSecurity.org stated, they “consider Mimikatz to be the ‘Swiss Army knife’ of Windows credentials – that one tool that can do everything.”

Stolen password hash attacks, or pass the hash, have been around for quite a while - a white paper from the SANS Institute acknowledges that “although pass the hash attacks have been around for a little over thirteen years, the knowledge of its existence is still poor.” By stealing password hashes, an attacker can easily gain access to Windows systems protected by only a password, or single-factor authentication.

Windows performs a one-way hash algorithm on the user’s password, scrambling the password so it can’t be reverted to its original form, as Active Directory Security wrote about last July. After a user logs in, their credentials are stored in the Local Security Authority Subsystem Service (LSASS) process in memory. This is used for single sign-on (SSO) services, allowing a user to access different resources and systems without being prompted again to complete authentication.

Windows encrypts most credentials stored in memory, but this type of encryption is reversible - Mimikatz can dump credentials from LSASS, as well as Kerberos passwords and other plaintext passwords. Linux and Unix systems store Kerberos credentials in a cache file, which Mimikatz can also extract.

A blog on Aorato.com goes into much greater detail about how attackers can effectively change a victim’s password to anything they want by leveraging backwards-compatibility functions built into the encryption algorithms of Active Directory’s SSO authentication protocols, NTLM and Kerberos. That means, using Mimikatz, an attacker can obtain a valid Kerberos ticket. Below, an image from Delpy's blog:

[Image: Golden Ticket Mimikatz]

As Mandiant’s report noted:

...the Mimikatz “golden ticket” allows an intruder that has compromised a domain controller to generate a Kerberos ticket-granting ticket for any user. This golden ticket can be generated offline, remain valid for an indefinite lifespan, and be used to impersonate any account—even after a password reset. An attacker with a golden ticket could re-compromise a remediated environment and instantly regain domain administrator privileges.
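The property in Mandiant’s description that defenders can act on is the lifetime: a forged ticket is minted offline, so its validity period is whatever the forger chose rather than what the domain controller’s policy would have issued. The following is an added example, not code from this post, Mandiant or Mimikatz; it scans constructed ticket records and flags any whose lifetime exceeds an assumed domain policy (the Windows default maximum TGT lifetime of 10 hours), which catches both the extreme case above and more modest oversized tickets.

```python
from datetime import datetime, timedelta

# Constructed sample TGT records (user, realm, issue and expiry times),
# modelled loosely on what a domain controller's ticket events expose.
# Illustrative values only, not real data.
SAMPLE_TICKETS = [
    {"user": "alice", "realm": "CORP.EXAMPLE",
     "issued": "2015-03-02T08:00:00", "expires": "2015-03-02T18:00:00"},
    {"user": "svc-backup", "realm": "CORP.EXAMPLE",
     "issued": "2015-03-02T09:15:00", "expires": "2015-03-02T19:15:00"},
    {"user": "Administrator", "realm": "CORP.EXAMPLE",
     "issued": "2015-03-02T10:30:00", "expires": "2025-02-28T10:30:00"},
    {"user": "bob", "realm": "CORP.EXAMPLE",
     "issued": "2015-03-02T11:00:00", "expires": "2015-03-03T11:00:00"},
]

# Assumed domain policy: Windows' default "Maximum lifetime for user ticket"
# is 10 hours. Read the real value from your domain's Kerberos policy.
MAX_TGT_LIFETIME = timedelta(hours=10)


def ticket_lifetime(ticket):
    """Lifetime of one ticket record as a timedelta."""
    issued = datetime.fromisoformat(ticket["issued"])
    expires = datetime.fromisoformat(ticket["expires"])
    return expires - issued


def find_oversized_tickets(tickets, max_lifetime=MAX_TGT_LIFETIME,
                           slack=timedelta(minutes=5)):
    """Return tickets that outlive domain policy (plus a small skew allowance).

    A KDC never issues a TGT longer than policy allows, so any ticket that
    does is worth investigating, whatever account name it carries.
    """
    flagged = []
    for ticket in tickets:
        lifetime = ticket_lifetime(ticket)
        if lifetime > max_lifetime + slack:
            hours = round(lifetime.total_seconds() / 3600, 1)
            flagged.append({**ticket, "lifetime_hours": hours})
    return flagged


if __name__ == "__main__":
    for hit in find_oversized_tickets(SAMPLE_TICKETS):
        print(f"{hit['user']}@{hit['realm']}: TGT lifetime "
              f"{hit['lifetime_hours']}h exceeds policy")
```

A ticket that passes this check can still be forged; lifetime is one indicator, and the check is only as good as the policy value and the record source it is fed.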

Active Directory Security also reported in January that the Skeleton Key malware is now integrated with Mimikatz, allowing an attacker to inject a skeleton key into LSASS on the domain controller. The Skeleton Key malware allows an attacker to log into any remote access service using a password of their choice, targeting systems protected only by single-factor authentication. Learn more about the malware in Single-Factor Authentication: Vulnerable to New Malware & The Same Old Threats.

To protect against pass the hash attacks, Microsoft recommended two methods that aren’t viable or practical, from Aorato.com’s perspective:

  • Implement smart card authentication (smart cards are expensive and difficult to deploy throughout an enterprise)
  • Remove the weaker encryption algorithm from the systems (this requires removing its use throughout the enterprise, which can prevent users from accessing older systems)

Smart card authentication is a form of two-factor authentication, relying on something that you have. However, it’s true that smart cards can be expensive and difficult to deploy to thousands of end users in a large enterprise.

A more viable alternative could be a two-factor authentication method that doesn’t require an extra device - many solutions allow users to log in securely with their smartphones by using a mobile application like Duo Mobile.

With a cloud-based two-factor solution, enterprise-level authentication need not be expensive or difficult to deploy throughout a large organization. It can also be an effective way to protect against credential-stealing attacks like Mimikatz and Skeleton Key malware.

Learn more about different solutions in our Two-Factor Authentication Evaluation Guide.