The weakest link

Windows provides the best platform for security solutions. So I said.

Now, let’s imagine the perfectly secure enterprise. Everyone is using smart cards to log on to the systems – user passwords aren’t used at all. AD, Kerberos and SSL where applicable. What can go wrong?

A lot, because backward compatibility is a big issue. For example, you are a smartcard-only Windows user. You don’t use a password, but you still have one: when an account is marked as requiring a smart card for interactive logon, Windows sets a long random password behind it, and the NT hash of that password still lives in Active Directory and in the LSASS of every machine you log on to. If you got hold of that hash and tried to brute force it, you would be likely to come across a collision before getting the true password (pure speculation on my side), but that hardly matters, because the hash itself is the credential that NTLM works with. And NTLM (v2 or otherwise) still exists in this ecosystem: it is what gets negotiated whenever Kerberos is not available, and it is commonly used in remote administration and service account scenarios.

Marcus Murray, a security MVP, and his colleagues at Sweden’s Truesec demonstrated a spectacular technique for using NTLM hashes instead of logon credentials in an NTLM-based environment (which is every Windows environment, for now). Here’s a video of the attack. Marcus is blogging about the attack, in English, as I type this.

So the opportunity is there. All that is required is owning (as in: 0wn1ng, i.e. having local SYSTEM-equivalent rights on) a workstation in an enterprise, and getting a privileged domain user, or a domain service account, to log on to that workstation. From then on I can act as those accounts, with all their privileges, across the entire domain.

There are ways to mitigate the risk. You can make it really hard to compromise a workstation; full disk encryption is a very good first step, although it protects the hashes and cached secrets on a powered-off or stolen machine, not on a running one that an attacker already controls. You can limit the scenarios in which privileged accounts log on remotely to workstations, using both technology and process.

But the right approach would be phasing out NTLM. Mark Russinovich of Sysinternals fame, now a Microsoft Technical Fellow, told me they are working on that but couldn’t provide details. Just as we can disable LM and NTLMv1 today (the LmCompatibilityLevel setting, “LAN Manager authentication level” in Group Policy), we should be able to do the same with NTLMv2. I guess it’s possible to write a rootkit that does just that, but we want it coming from Microsoft; something to do in Windows “7”. Generally, it’s a good idea to include backward compatibility as a feature, but software vendors should provide an option to turn off legacy protocols. As long as we are in control, can do testing and can plan the migration, that would be the right balance.

3 thoughts on “The weakest link”

  1. Hello,

    This technique is old. There has been public information about using the hash since 1998, both in the form of PoCs and whitepapers.

    Take care,


  2. Yes, I have found a few mentions of Linux/Samba tools when searching for “pass the hash”.

    I wonder why Microsoft decided to do nothing. Perhaps they see the need to become local system equivalent as the root issue – but the ways to collect NTLM hashes aren’t limited to that. Some additional threat modeling needs to be done.

  3. Yes, Paul Ashton posted something to mailing lists around 1998. I have been speaking about the concept since 1999 at different conferences.
    But the generally available Linux/Samba tools are newer than the PoCs I meant.

    The original public concept for Windows tools was released by Hernan Ochoa in the year 2000. The tool he did was a Windows tool.
    Earlier than this, Dominique Brezinski and Eric Schultze did local SAM database writing directly; Foundstone spent some time demoing Core’s Windows tool in 2000-2001, mainly at USA conferences. I also heard the concept was demoed with a Windows tool at a conference held in Finland around December 2003, and a year after as well. So nothing new in that sense either – seems that what goes around, goes around.

    Passing the hash works because that is how the protocol was designed. Vectors for how to do it... that is another story.

    Take care,

