Acquire current user hashes without admin privileges

Presented at DEF CON 22 (2014), Aug. 8, 2014, 4 p.m. (60 minutes)

If an attacker has only user-level access to an infected machine inside a corporate internal network, he or she has quite a limited number of ways to get the password of that user. Known techniques require additional network access or a great amount of luck. Having no access to the internal network and no admin privileges is a common case during spear phishing attacks and social engineering activities. This talk will cover a brand new technique to grab credentials from a pwned machine even without admin privileges. The technique is possible due to a design flaw in the Windows SSPI implementation. A proof of concept tool will also be presented.


Presenters:

  • Anton Sapozhnikov - KPMG
    Anton Sapozhnikov has more than 7 years of experience in penetration testing and has worked with many companies from the Fortune Global 500 list. In his spare time Anton participates in CTFs with More Smoked Leet Chicken, a team that is an awardee and winner of Codegate, HITB, DEFCON, etc. Anton currently works for KPMG's Information Risk Management practice performing penetration testing, risk assessment, framework alignment, and policy development engagements. Twitter: @snowytoxa
