Tick toc says the clock

Free stuff doesn’t come all that often. The wonderful window to a free OS is about to close. Tomorrow is the last day – miss it and you will have to shell out for it. Sources say it will cost a reasonable 130 bucks, but why throw out money? Get Windows 10 from your updates or from the official sites and enjoy an amazing new OS for free!

Pass the Hash: Windows security

Hey y’all

Password security is nothing new. We have been told about complex passwords for a long time (in IT anything over 10 years is a long time 🙂 ). I have been hearing a lot lately about a type of attack on networks called “Pass the Hash”. In a basic sense this whole attack is simply taking a hash of a password (the encrypted, not “cracked”, form of the password) and using that to authenticate into your oh-so-pretty-and-secure network. Devious, yes. Preventable, for sure.

I will be talking about this in at least 2 posts. First off we will cover what a hash is, what a rainbow table is, and all the other terminology you will need to understand around this. Then we talk about how to prevent it, and I will give you some homework (aka my sources) if you want more information.

This is the guiding principle here: “All passwords are hackable given enough time. Your goal is to make that time as long as possible.”

Account hashes are one-way transformations (unless you are using reversible encryption). This means that once the password has been encrypted using whatever encrypting mechanism you prefer, it is not possible to reverse the process. Never use clear text passwords or clear text transmission methods.

Rainbow tables are precomputed tables built from many possible combinations of words that might be used as a password. They serve to speed up the process, since the hashes are already computed before the attack starts. Using “dictionary” words is a big asset to hackers – so always make sure you don’t use actual words in a password.
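To make the two terms above concrete, here is an added example (my own toy code, not from any tool mentioned in this post). It builds a miniature rainbow table over a constructed 4-lowercase-letter password space, recovers a password from its unsalted hash, and then shows that the same table is useless against a salted hash, which is the defender's side of the “make that time as long as possible” principle. SHA-256 and the tiny search space are assumptions for the demo, not what Windows uses.

```python
import hashlib
import string
from typing import Optional

# Constructed toy password space (4 lowercase letters) so chains build in well under a second.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
CHAIN_LEN = 50
SPACE = len(ALPHABET) ** PW_LEN

def h(password: str, salt: bytes = b"") -> bytes:
    """One-way hash. Unsalted by default, which is what makes precomputation possible."""
    return hashlib.sha256(salt + password.encode()).digest()

def reduce(digest: bytes, step: int) -> str:
    """Map a digest back to a candidate password. Mixing in the column index 'step'
    is the rainbow-table twist: chains that collide in one column do not merge."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def build_table(start_words) -> dict:
    """Precompute once: walk hash/reduce chains and keep only endpoint -> start."""
    table = {}
    for start in start_words:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce(h(pw), step)
        table[pw] = start
    return table

def lookup(table: dict, target: bytes) -> Optional[str]:
    """Try every column the target could sit in; on an endpoint hit, replay the
    chain from its start to find the password whose hash equals the target."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce(h(pw), step)
        if pw in table:
            cand = table[pw]
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce(h(cand), step)  # false alarm from a chain merge: keep going
    return None
```

The table stores only chain endpoints, which is the whole memory-versus-time trade the post's “speed up the process” refers to; a per-account salt changes every hash the table would have to contain, so the precomputation has to be redone per account.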

So here is what happens

  1. User creates a password
  2. That gets stored in your security application (Active Directory, ...) as a hash (AD takes the password and encrypts it).
  3. The user logs on.
  4. One of the main suppositions in these attacks is that the attacker can see your network traffic. Either they plugged into a wire or they have sniffing software. They see the hash get sent and capture it. They could have a Linux Live sitting on a CD or USB key and boot a machine using that OS. Also, they could have console access and run tools like FGDUMP. They can also resort to specialized attacks like “Cain & Abel”, which is a type of ARP cache poisoning/spoofing (see my sources post for more details). There is another called “John the Ripper” (great name BTW).
  5. Now they don’t actually have the password but they do have the hash and that is all they really need since this is what is used to authenticate.
  6. At this point they try to escalate the privileges of the account (maybe this was an admin account running in non-admin mode) and commence their nefarious work.

Voila – that is the essence of the attack. Very simple, no? That is why it is so popular. In the next installment I will give you my sources and 6 simple things you can do on your own network to prevent (or at least minimize) these exploits.