Dr. Microsoft, How I learned to stop worrying and love NTLM.

Presented at ToorCamp 2014, July 11, 2014, 1 p.m. (50 minutes)

In 2012 Microsoft published an 82-page paper, "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques", that includes policies and procedures for protecting against and mitigating Pass-the-Hash attacks. These procedures place the responsibility on system administrators and users. They also say little about the underlying issue of the flawed authentication.

Adopting policies and procedures is a good way to mitigate these attacks; however, we believe the focus should be on moving forward and making NTLM obsolete in the enterprise environment. NTLM authentication has been the cornerstone of Windows authentication for over a decade, with NTLMv2 and client/server challenges being the pinnacle of development. A strong and complex password can make cracking harder, but it's not foolproof.

Despite that, the existence of relay and Pass-the-Hash techniques and tools undermines nearly all of the mechanisms of NTLMv2. We will demonstrate some of the vectors that we have found to be the most useful in the course of everyday security testing. Once domain access is obtained, it's only a matter of time before it's game over.


Presenters:

  • David Bryan (aka VideoMan)
    David M N Bryan has over 10 years of experience in the computer security industry. As an active participant, he volunteers at DEFCON to support the NOC, and at many other security conferences. In his spare time he runs the local DEFCON group, DC612, and helps run Thotcon as a board member and OPER. David's day job mostly consists of breaking the computer security around networks and operating systems at Trustwave's SpiderLabs.
  • Barrett Weisshaar
    Barrett Weisshaar is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs East network penetration test practice – the advanced security team focused on penetration testing, incident response, and application security. He has been in the information technology field for nearly a decade and has specialized in information security for over 8 years. In this time, Barrett has given numerous presentations on multiple facets of security, from smart metering technologies to password strength and recovery techniques. Prior to joining Trustwave, Barrett worked as a security consultant for Deloitte & Touche, focusing on retail security, penetration testing, and security architecture. Barrett holds a Bachelor's from the University of Notre Dame and an M.S. in Information Security from Carnegie Mellon University.
