Presentation Title: Pass-the-Hash Toolkit for Windows
Presentation Abstract:

The ‘Pass-the-hash’ technique, first published in 1997 by Paul Ashton, basically allows attackers to use captured NTLM hashes to authenticate to remote hosts without having to decrypt those hashes to obtain the cleartext password. All these years this technique has been performed using modified smb clients (e.g.: samba) or third-party implementations of the SMB/CIFS protocol. This means that after successfully authenticating to a remote host using the ‘pass-the-hash’ technique, functionality available to attackers/penetration testers is limited to what is implemented by these clients.

The Pass-The-hash toolkit is the first public implementation of the ‘pass-the-hash’ technique for the Windows platform. It allows attackers/penetration testers to perform the technique from a Windows machine (e.g.: by changing the current local logon session credentials or by creating a new local logon session with the desired credentials: username/domain/NTLM hashes) and then, once authenticated, use native Windows administration utilities (made by Microsoft or a third-party) to access remote services, gaining access to all the functionality provided by the native utilities without limitations.

This presentation will describe how the different tools included in the toolkit were implemented, and will explain how to use the toolkit during a penetration test.

About Hernan

Hernan has been working for Core for the last ~9 years and has wrote a full-blown antivirus software mostly used to detect and remove ‘latin-american’ viruses in ‘98. At that time the most important antivirus products did not detect viruses created in south-america or it took them too long to do it. After a couple of years, he began working for CORE at the time the company was just starting out. He participated in the research, design & development of a multi-os security suite for a bank supporting DOS, Novell, Win31, Win95, Win98, WinNT and wrote device drivers, intermediate drivers and programs to hook syscalls.

He was also involved in the creation of the CORE IMPACT product and wrote several modules for it; including modules to inject IMPACT agents on process in runtime, fake smb server to capture credentials, etc. He is currently actively working as a security consultant doing pentests, reverse-engineering, blackbox security audits, webapp pentests, source code audits, etc.