Tag Archives: Pass-the-Hash

Oh dear! Oh dear! I shall be too late! – The White Rabbit

29 October 2017

WannaCry, NotPetya, and now Bad Rabbit. The good news is that Bad Rabbit isn’t spreading as fast as WannaCry and NotPetya. According to a DARKReading report from October 25th, the outbreak already appears to be dying down.

The bad news is that it happened again. Like the White Rabbit in Alice’s Adventures in Wonderland, IT departments seem to mutter only “Oh dear! Oh dear! I shall be too late!” instead of raising the security baseline of their company networks.

Bad Rabbit uses techniques similar to those of WannaCry and NotPetya to spread through networks: open SMB shares, Mimikatz-like dumping of credentials from the affected systems, a hardcoded list of credentials, … For more technical details see this post from Malwarebytes Labs.

The methods to avoid this are well-known and easy and cheap to implement:

  • Run a user awareness campaign.
  • Reduce the number of users and administrators working with permanent administrative privileges to zero. This is a leadership task!
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows systems and networks.
  • Limit the functionality of technical users to local systems and the lowest possible privileges. Use individual passwords, eliminate default passwords.
  • Review all firewall rules. Question every required connection. Limit the use of the SMB protocol as far as possible. Eliminate the use of unsecured protocols as far as possible. Patch the systems at the endpoints of firewall rules.

The above list is not exhaustive, but once implemented, it clearly reduces the attacker’s ability to move through the network.
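The second item on the list, eliminating permanent administrative privileges, starts with knowing who actually holds them. The following script is an added example and not part of the original post: it inventories the local Administrators group on one or more hosts through the ADSI WinNT provider, which needs no RSAT module and works against Windows 7 / Server 2008 R2 as well as newer versions. It assumes Windows PowerShell 3.0 or later, admin rights on the queried hosts, and the hypothetical allow-list of principals given as the `$Allowed` parameter.

```powershell
# Added example, not from the original post: inventory who holds permanent
# membership in the local Administrators group on one or more Windows hosts.
# Uses the ADSI WinNT provider, so it needs no RSAT module and works against
# Windows 7 / Server 2008 R2 as well as newer versions. Assumes Windows
# PowerShell 3.0 or later and admin rights on the queried hosts.

function Get-LocalAdminMembers {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        # Principals that are expected in the group and are therefore not flagged
        # (assumed allow-list; adjust to your own baseline).
        [string[]]$Allowed = @('Administrator', 'Domain Admins')
    )
    foreach ($computer in $ComputerName) {
        $short = ($computer -split '\.')[0]          # WinNT paths carry the NetBIOS name
        try {
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.Invoke('Members'))
        } catch {
            Write-Warning "$computer : cannot read local Administrators ($($_.Exception.Message))"
            continue
        }
        foreach ($m in $members) {
            # Members are COM objects; read their properties via reflection.
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://<DOMAIN or HOST>/<name>; the first element tells
            # us whether the principal is defined domain-wide or only on this host.
            $source = (($path -replace '^WinNT://', '') -split '/')[0]
            $isDomainWide = ($source -ne $short) -and ($source -notmatch '^(BUILTIN|NT AUTHORITY)$')
            [pscustomobject]@{
                Computer   = $computer
                Member     = "$source\$name"
                Type       = $class                     # User or Group
                DomainWide = $isDomainWide
                Flagged    = $isDomainWide -and ($Allowed -notcontains $name)
            }
        }
    }
}

# Every row with Flagged = True is a domain account with standing admin rights
# on that host. The same account showing up on many hosts is exactly the
# credential that gets reused for lateral movement once a single host is
# compromised, so those rows are the first candidates for removal.
Get-LocalAdminMembers -ComputerName $env:COMPUTERNAME |
    Where-Object { $_.Flagged } |
    Format-Table -AutoSize
```

Run it with a list of workstation names instead of `$env:COMPUTERNAME` to get the network-wide picture; groups are reported with `Type = Group`, so nested domain groups are visible even though their members are not expanded.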

It appears to me that everyone is waiting for Windows 10 to solve some of the issues. This, however, is the wrong approach. Windows 10 cannot be introduced with a big bang. In particular in the production, lab, and building automation domains, it will take a few years until we can shut down Windows XP/7 completely. And during these years, our networks are at risk.

With this, there is no time to lose. The White Rabbit returns.

Have a great week.


IT security projects fail because people are not affected personally

4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are also used to run services on workstations.

From a security point of view this is a nightmare. Once an attacker has obtained the credentials of one of these service accounts, he can move across the network and collect further credentials. The game is over when he gains access to a workstation where a user signs in with domain administrator credentials.

Running each service under a locally defined account with an individual password would be a good way to tackle this problem, but from an operations point of view this is the nightmare, because the administrative effort goes straight through the roof.

This clash of interests is a really big challenge for the change manager. ADKAR is an often-used model to guide activities during a change process. But how could a change manager create Awareness in this case? Just telling the system operators to do things differently will not help. You must reach people’s minds with good stories and pictures.

‘Seeing is believing’ is my recipe: find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

[Figure: Mimikatz output]

The MIMIKATZ output contains the passwords of the service accounts and, if applicable, of the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as an eye-opener in the next awareness session.

In my experience this creates the emotional involvement that is required for the next steps in the change process.
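Before any demonstration, the operator side of this discussion needs an inventory: which hosts run which services under a named account. The script below is an added example and not part of the original post; it lists every service whose logon account is a real user rather than a built-in or virtual account, which is how a defender locates the “globally defined service account” workstations the post talks about. It assumes Windows PowerShell 3.0 or later and WMI/CIM access to the queried hosts; the account classification (`VirtualAccount`, `ManagedServiceAccount`, `LocalUser`, `DomainUser`) is this example’s own heuristic based on the format of the `StartName` field.

```powershell
# Added example, not from the original post: find services that run under a
# named user account (domain or local) instead of a built-in or virtual account.
# Assumes Windows PowerShell 3.0+ and WMI/CIM access to the queried hosts; the
# classification below is this example's own heuristic on the StartName format.

function Get-ServiceLogonAccounts {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Built-in accounts whose secrets cannot be replayed as a user password.
    $builtin = @(
        'LocalSystem', 'NT AUTHORITY\LocalSystem', 'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\LocalService', 'NT AUTHORITY\Local Service',
        'NT AUTHORITY\NetworkService', 'NT AUTHORITY\Network Service'
    )
    foreach ($computer in $ComputerName) {
        $short = ($computer -split '\.')[0]
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer : cannot query services ($($_.Exception.Message))"
            continue
        }
        foreach ($svc in $services) {
            $account = $svc.StartName
            if (-not $account) { continue }                 # driver entries have no logon account
            if ($builtin -contains $account) { continue }   # case-insensitive match
            if     ($account -match '^NT SERVICE\\') { $kind = 'VirtualAccount' }        # NT SERVICE\name
            elseif ($account -match '\$$')           { $kind = 'ManagedServiceAccount' } # DOMAIN\gmsa$
            elseif ($account -match "^(\.|$([regex]::Escape($short)))\\") { $kind = 'LocalUser' }  # .\name, HOST\name
            elseif ($account -match '\\|@')          { $kind = 'DomainUser' }            # DOMAIN\name, name@domain
            else                                     { $kind = 'Unknown' }
            [pscustomobject]@{
                Computer = $computer
                Service  = $svc.Name
                State    = $svc.State
                Account  = $account
                Kind     = $kind
            }
        }
    }
}

# DomainUser rows on workstations are the ones worth the awareness session:
# each is a password that anyone with local admin rights on that host can lift
# from LSASS and reuse on every other host where the same account is configured.
Get-ServiceLogonAccounts |
    Where-Object { $_.Kind -eq 'DomainUser' } |
    Sort-Object Account, Computer |
    Format-Table -AutoSize
```

Sorting by account makes the reuse visible at a glance: one domain account with twenty rows is the slide for the awareness session, and it is also the first candidate for conversion to a local account or a managed service account.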

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.

Windows 2008 R2 Server is a bad choice as successor for Windows 2003 Server

26 March 2015

Windows 8.1 / Server 2012 R2 represent a quantum leap for users and companies in terms of security. Important new security features like

  • Restricted Admin mode for remote desktop connections,
  • LSA Protection,
  • Protected users group and
  • the removal of clear text credentials from the lsass process

make an attacker’s life harder. Compared to Windows 8.1 / Server 2012 R2, the previous Windows versions are inherently insecure.

Therefore it’s truly confusing when IT groups advise users to migrate from Windows 2003 Server to Windows 2008 Server for operational reasons. In the past weeks I often heard terrifying statements like ‘If you prefer to be the guinea pig, go for version 2012’. From a security point of view this is a catastrophe.

With update KB2871997 Microsoft backported some of the new security features to Windows 7/8/Server 2008 R2. For a very good overview, see Sean Metcalf’s report published on Active Directory Security.

Unfortunately the most important features, Restricted Admin Server mode and LSA Protection, were not backported. Protection for Windows 7 is better with the update, but Windows 2008 Server is still relatively easy to attack.

With that, the recommendation is to migrate to Windows 2012 R2 Server, provided that the application vendor supports this version.

I strongly recommend enforcing Restricted Admin Server mode to protect administrator credentials.
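Whether a given host actually has these protections switched on is a registry question, and it is worth checking before trusting the version number. The script below is an added example and not part of the original post: it reports the state of LSA Protection, Restricted Admin mode (the server-side switch and the client-side policy that enforces it), WDigest plaintext caching and the presence of KB2871997 on the local host. The registry locations are Microsoft’s documented ones for these settings; which value counts as “Expected” is this example’s own assumption, and the OS-specific meaning of a missing value is stated in the `Note` column rather than guessed.

```powershell
# Added example, not from the original post: report the state of the
# credential-protection settings discussed above on the local host.
# Registry locations are the documented ones; the Expected column is this
# example's assumption, and a missing value is reported, not interpreted.

function Get-CredentialProtectionStatus {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $creddel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    # Returns the value, or $null when the key or value does not exist.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $kb = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    $checks = @(
        @{ Setting  = 'LSA Protection (Lsa\RunAsPPL)'
           Value    = Read-Value $lsa 'RunAsPPL'; Expected = 1
           Note     = 'Windows 8.1 / Server 2012 R2 and later only' },
        @{ Setting  = 'Restricted Admin accepted on server (Lsa\DisableRestrictedAdmin)'
           Value    = Read-Value $lsa 'DisableRestrictedAdmin'; Expected = 0
           Note     = '0 enables the mode on systems that support it' },
        @{ Setting  = 'Restricted Admin enforced on client (CredentialsDelegation\RestrictedRemoteAdministration)'
           Value    = Read-Value $creddel 'RestrictedRemoteAdministration'; Expected = 1
           Note     = 'set by GPO "Restrict delegation of credentials to remote servers"' },
        @{ Setting  = 'WDigest plaintext caching (WDigest\UseLogonCredential)'
           Value    = Read-Value $wdigest 'UseLogonCredential'; Expected = 0
           Note     = 'missing value means ON for Windows 7 / 2008 R2 with KB2871997, OFF on 8.1 / 2012 R2' },
        @{ Setting  = 'KB2871997 installed'
           Value    = $kb; Expected = $true
           Note     = 'relevant for Windows 7 / 8 / Server 2008 R2 / 2012 only' }
    )

    foreach ($c in $checks) {
        $value = $c.Value
        [pscustomobject]@{
            OS        = $os
            Setting   = $c.Setting
            Value     = $(if ($null -eq $value) { 'not set' } else { $value })
            Expected  = $c.Expected
            # A missing value is never counted as compliant: set it explicitly
            # so the state does not depend on the OS default.
            Compliant = ($null -ne $value) -and ($value -eq $c.Expected)
            Note      = $c.Note
        }
    }
}

Get-CredentialProtectionStatus | Format-Table -AutoSize -Wrap
```

On a Windows 2008 R2 server the first row can never become compliant, which is the point of the post: the server-side protections are not available there, so the fix is the migration, not a registry change. The script runs locally; wrap the function in `Invoke-Command -ComputerName` to collect the same table from a list of hosts.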

Have a good day.

Reducing the Effectiveness of Pass-the-Hash – A NSA/CSS Report

15 January 2015

Reducing the Effectiveness of Pass-the-Hash [5], a report compiled by the Network Components and Application Division of the NSA/CSS, is highly recommended reading for all Windows network administrators and designers.

The design guidelines given in chapter 3 lay the foundations for secure operation of Windows networks. Strictly implemented, they hamper the propagation of attacks through the network.

I have no doubt that the impact of the Sony attack would have been far smaller if these guidelines had been implemented.

Enjoy reading, and, have a good day.