Pay Attention and Be Prepared: Yet Another Remote Windows Hashing Attack

Opportunities for remote password hash-stealing methods continue to plague Microsoft products and you need to appropriately defend against them.

Since at least 2018, I’ve been presenting and writing about how easy it is for a remote attacker to steal Windows password hashes across the Internet and then start “cracking” them offline into their plaintext equivalents. One example is the article I wrote for CSO Online in January 2019: https://www.csoonline.com/article/566783/i-can-get-and-crack-your-password-hashes-from-email.html.

You can see a recorded demo of the involved attack here (https://blog.knowbe4.com/kevin-mitnick-demos-password-hack-no-link-click-or-attachments-necessary) by the late, great Kevin Mitnick. He was KnowBe4’s Chief Hacking Officer and, quite simply, an infamous hacking extraordinaire until his untimely passing from cancer in July of last year. Kevin was the first person to show me this type of attack. I was startled by how easy it was to perform. It changed how I saw password hash attacks and my recommended password policies.

The Password Hash Problem

If an attacker can obtain your password’s cryptographic hash, they can reuse it in “pass-the-hash” (PtH) attacks or “crack” (i.e., guess at) it to obtain its plaintext equivalent. This can be a problem in any OS and authentication system, but it is far more popular with attackers, and far more prevalent, on Microsoft Windows, Microsoft products/services, and Active Directory.

Traditionally, obtaining someone’s password hash was not easy. The attacker had to first gain access to the user’s device and obtain an elevated security context (i.e., Administrator, root, Domain Administrator, LocalSystem, etc.) to begin to have a chance at obtaining the hashes. Then the hacker had to use that elevated access and a hacking tool, like pwdump, to extract (i.e., “dump”) the hashes to a plaintext file that was then fed into a password hash cracking tool, like hashcat (https://hashcat.net/hashcat/) or John the Ripper (https://www.openwall.com/john/).

Once a hacker has a password hash, they can guess at it as fast as their hardware and software combination (sometimes called a password cracking “rig”) will allow. Today, password hash cracking is often done at speeds exceeding many trillions of guesses per second (TH/s). Many publicly known password hash cracking solutions can make tens of trillions of guesses a second. It is known/believed that many organizations have the capability to do more than 100 trillion guesses per second, although it has not been publicly confirmed. Password hash cracking experts estimate that anyone can buy 100 TH/s of password hash cracking capability using cloud computers, at a cost within the budget of many, many adversaries.

How long do you think your password would stand up to someone guessing at its hash-equivalent trillions of times a second?

And you really don’t need super-fast hash-cracking rigs to guess at passwords. I have friends on professional penetration testing teams, with far less capability (less than 1 TH/s), who routinely crack human-generated passwords up to 18 characters long, every day, for a living.

The Traditional Caveat

But any attack that begins with, “First, you obtain admin access…” isn’t really that much of an exciting exploit. If you’ve got admin access you can do nearly anything, and extracting password hashes is just one of the victim’s many worries. For over two decades, when someone tried to make me worry about password hash cracking (or pass-the-hash) attacks, I replied with something akin to “Meh.”

But Turns Out You Often Don’t Need Admin to Steal Windows Password Hashes

Then Kevin Mitnick showed me how anyone could send an email to someone and get their computer to send back the victim’s Windows credential password hash without them doing a thing. This blew my mind!

These types of attacks often work because of a Microsoft authentication method known as “Windows Integrated Authentication” or “WIA”. Depending on the source, it is also known as Integrated Windows Authentication (or IWA). Microsoft enabled IWA in Microsoft Windows, browsers, other Microsoft applications (like Microsoft Outlook), and services (like NetBIOS).

Basically, when Windows (or an app/service supporting WIA) connects to a WIA-supporting server/service that requires authentication, Windows, if allowed, will respond with the user’s logon name and an LM/NTLM challenge-response logon handshake. It’s all done in the background, so the user doesn’t see the logon request or response. The app/service, on the user’s behalf, just does what it needs to do, and the authentication process is hidden. It makes Windows and network-based Windows apps/services easier to use. Without it, the user might be asked, again and again, to re-enter their Windows logon when accessing drive shares and Windows services/servers/applications. Believe me, it would be a pain.

WIA is supported on most major browsers and other operating systems, so they can silently connect to Microsoft networks, servers, and services if needed. So, it’s not just a “Windows thing”.

Here's more detail on IWA: https://en.wikipedia.org/wiki/Integrated_Windows_Authentication.

Hackers quickly learned they could “trick” Windows and other IWA-enabled apps and services into revealing the user’s password hash back when Microsoft first publicly released IWA in Windows 2000. For hackers, this was a godsend. No longer did they need to get on the device (locally or remotely), get elevated access, and then manually extract the password hashes using a special hacker tool. Now, they could just politely ask Windows for the hashes remotely and Windows would give them to the hacker a second or two later. No admin needed. No hacking tools to be detected by antivirus software.

By the days of Internet Explorer 6.0 in 2001 (it could have been earlier), Microsoft added a default feature which would make Microsoft Windows, Internet Explorer, and other apps automatically decline to use IWA if the server/service requesting it was not on the user’s local network. This was a good risk fix, as it still allowed Windows to work fairly seamlessly on the local network but didn’t allow remote hacker abuse.

I had known of this protective feature well before Kevin showed me his demo of how to exploit IWA using a rogue link embedded in an email back in 2018. I was blown away that Kevin’s hack (which used a hacker trick involving file:///) would work even when Windows was configured not to share the IWA off the local network. All Kevin had to do was send a regular-looking (or even blank-looking) email, which the user didn’t even have to open. Kevin’s trick worked in “Preview mode” without any further user intervention. It worked with Microsoft Outlook and with whatever Microsoft O365 was called back then. It worked with other email clients too, but the user would have to be tricked into clicking on a rogue link first.

It was one of many times I was forced to say mea culpa to one of Kevin’s many hacks when I had first previously declared they would not work.

Microsoft had released a security patch in 2017 to close this particular known vulnerability, but because it could break wanted, legitimate functionality and required more than just applying the patch, Microsoft didn’t require it. Instead, it was optional, which meant almost no one applied it. So, even many years later, anyone could exploit the file:/// bug. It became something I talked about and demo’d for years. It rarely failed to scare people who learned about it.

It turns out there are all sorts of ways to “trick” Windows (or another app) into divulging Windows logon password hashes. Some involve Windows or another Microsoft application. Others involve a third-party program. I, myself, had discovered on my own how to remotely steal Windows password hashes using a rogue link embedded in an Adobe PDF document.

By default, Adobe Acrobat will warn users before opening any embedded links. But I found out that Kevin’s file:/// trick worked to bypass that warning and would simply connect to the remote website and reveal the user’s Windows password hash. I could send a PDF document that the victim opened, which revealed their Windows logon hash to me. I was only able to use it in demonstrations for a month before someone else discovered it, reported it to Adobe, and it was patched (https://sensorstechforum.com/adobe-cve-2019-7089-second-patch/).
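As an added illustration that is not part of the original article, the PowerShell function below scans an already-extracted message body for the file:/// and \\host\share references described above, so a mail gateway or an analyst can flag them before they reach a preview pane; the function names and the sample message are my own construction.

```powershell
# Added example, not from the article. Scans an already-extracted e-mail body
# (HTML, RTF or plain text) for the two reference forms that make a Windows
# client start an SMB/IWA handshake on its own: file:/// URLs and \\host\share
# UNC paths. Each hit is reported with the host it points at and a rough scope,
# so that references leaving the local network can be flagged at the gateway.

function Get-ReferenceScope {
    param([string]$Hostname)
    if ($Hostname -match '^\d{1,3}(\.\d{1,3}){3}$') {
        $o = $Hostname.Split('.') | ForEach-Object { [int]$_ }
        $private = ($o[0] -eq 10) -or ($o[0] -eq 127) -or
                   ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
                   ($o[0] -eq 192 -and $o[1] -eq 168) -or
                   ($o[0] -eq 169 -and $o[1] -eq 254)
        if ($private) { return 'private-ip' } else { return 'external-ip' }
    }
    # A single-label name resolves only through the local domain, NetBIOS or
    # LLMNR; a dotted name may well be an Internet host.
    if ($Hostname -notmatch '\.') { return 'local-name' } else { return 'external-name' }
}

function Find-ForcedAuthReference {
    param([Parameter(Mandatory)][string]$Body)
    $patterns = @(
        # file://host/..., file:///\\host\..., file:////host/... (any case)
        '(?i)file:/{2,}\\*(?<host>[^/\\\s"''<>]+)[/\\]',
        # \\host\share not preceded by a drive letter, slash or another backslash
        '(?<![\w\\/])\\\\(?<host>[^\\\s"''<>]+)\\[^\\\s"''<>]+'
    )
    foreach ($p in $patterns) {
        foreach ($m in [regex]::Matches($Body, $p)) {
            $h = $m.Groups['host'].Value
            # Skip local drives (file:///C:/...) and \\?\ or \\.\ device paths
            if ($h -match '^[A-Za-z]:$' -or ($h -in '?', '.')) { continue }
            [pscustomobject]@{ Reference = $m.Value; Host = $h; Scope = Get-ReferenceScope $h }
        }
    }
}

# Constructed sample body; 203.0.113.10 is a documentation (TEST-NET-3) address
$sample = @'
<p>Please see the updated invoice.</p>
<a href="file:///\\203.0.113.10\invoices\Q3.pdf">Invoice Q3</a>
<p>The policy copy is on \\fileserver\public\policy.docx</p>
'@
Find-ForcedAuthReference -Body $sample | Format-Table -AutoSize
```

On the sample body this reports the 203.0.113.10 reference as external-ip and the fileserver reference as local-name; URL-encoded or entity-encoded variants need decoding before the scan.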

I was a bit heartbroken to have one of the few zero days I had discovered taken away before I could report it. I was experimenting with it, trying to fully document how it could be used and triggered before I reported it, but someone else got the glory. But I was also very glad that it had been found, reported, and fixed, even if my name wasn’t on the fix.

So, up to 2019, I only knew of two ways to steal password hashes remotely across the Internet. There are a bunch of other related ways to steal Windows password hashes if the attacker can get on the same network as the victim (often involving SMB), but those attacks don’t interest me any more than the ones that require that the attacker first get admin access. Those are more ho-hum, boring attacks.

But I started to look for and document any time there was a new vulnerability announced that allowed a remote attacker across the Internet to steal someone’s password hash. Turns out that there’s at least one or two announced most years. Here are some of the more notable instances over the last few years:

2020

Zoom-related vulnerability, announced on 4/2/20: https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/

News report of a real-world attack on 4/22/2020: https://blogs.manageengine.com/it-security/2020/04/22/breaking-down-the-san-francisco-airport-hack.html

2021

Similar attack method, that requires local network access first: https://therecord.media/new-petitpotam-attack-forces-windows-hosts-to-share-their-password-hashes/.

Another real-world example from April 2021: https://blog.lumen.com/newly-discovered-watering-hole-attack-targets-ukrainian-canadian-organizations/.

2023

One in May 2023 was announced (https://securityaffairs.com/146061/security/zero-click-flaw-windows.html).

In September 2023, Microsoft announced another one, this time involving Microsoft Word: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761.

In November 2023, another researcher found a similar exploit involving Microsoft Access (https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks/). This one worked with MS-Access files and even the RTF file format.

In frustration, and in the name of education, I wrote this similar article: https://www.dhirubhai.net/pulse/all-ways-your-nt-hash-can-stolen-roger-grimes-izmle/. It discusses the same subject, plus added discussion of the just-as-critical Kerberoasting attacks (https://www.bordergate.co.uk/what-you-need-to-know-about-kerberoasting/).

But the pain did not stop in 2023.

2024

And now in 2024, we have our latest remote Windows hash stealing instances:

Released on 3/18/24: https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html

Released on 4/9/24: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20670

All this is to say that attackers routinely and consistently figure out ways to steal your Windows password hashes remotely over the Internet. You must assume your password hashes can be remotely extracted and cracked, and defend against those types of attacks.

Defenses

Here are many of the ways you can use to defend yourself against remote password hash theft attacks:

Education

Educate both admins and users about these types of attacks. Hopefully, it will make the next recommendations you need to implement more easily accepted with fewer arguments…maybe.

Use and Require Strong Passwords

This means truly randomly generated passwords that are 12 characters or longer. Most of the time, you should be using a password manager to do this. It allows you to create and use strong passwords that are unique for every website and service. If you create your own passwords (and they are not truly randomly generated), then they need to be at least 20 characters long and not use the standard, tired, average password “complexity” composition where the first character is capitalized and all complexity and numbers are placed at the end. If you do that, you’re just begging to be successfully cracked.

Note: This does not work against pass-the-hash attacks where they simply reuse your hash to gain access, although those types of attacks usually require access on the device or local network to work.

Block Involved Ports With a Firewall

Most remote password hash thefts involve services that should not be used off the local network (e.g., NetBIOS, EFSRPC, Network Discovery, etc.). Enable both local (host-based) and network-based firewalls to prevent these types of “local services” from communicating over the Internet. Relying on the network firewall alone isn’t enough, as today’s user is often mobile and off the corporate network where network-based firewalls do the lion’s share of the blocking.

Note: The ports I would block to and from the Internet include NetBIOS: UDP 137 & 138, TCP 139 & 445; LLMNR: UDP & TCP 5535; LDAP: UDP/TCP 389 & 636; SQL: TCP 1433; TCP 21; SMTP: TCP 25 & 587; POP: TCP 110 & 995; IMAP: TCP 143 & 99.
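The host-firewall rules for the NetBIOS and SMB ports from the list above, as an added example in PowerShell that is not the article’s own; it assumes Windows 10/11 with the built-in NetSecurity cmdlets and an elevated session, and the rule names are arbitrary.

```powershell
# Added example, not from the article. Assumes Windows 10/11 with the built-in
# NetSecurity module and an elevated PowerShell session. Creates block rules for
# the NetBIOS/SMB ports from the list above (UDP 137/138, TCP 139/445) in both
# directions, scoped to the firewall's predefined "Internet" address set so that
# file sharing on the local subnet and intranet ranges keeps working.

$ports = @(
    @{ Label = 'NetBIOS-NS-DGM';  Protocol = 'UDP'; Port = @('137', '138') },
    @{ Label = 'NetBIOS-SSN-SMB'; Protocol = 'TCP'; Port = @('139', '445') }
)

foreach ($p in $ports) {
    foreach ($dir in 'Outbound', 'Inbound') {
        $name = "Block-$($p.Label)-$dir-Internet"
        if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) { continue }
        $rule = @{
            Name          = $name
            DisplayName   = $name
            Direction     = $dir
            Action        = 'Block'
            Profile       = 'Any'
            Protocol      = $p.Protocol
            RemoteAddress = 'Internet'
            Enabled       = 'True'
        }
        # Outbound: the far end listens on the service port (RemotePort);
        # inbound: our own service port is the target (LocalPort).
        if ($dir -eq 'Outbound') { $rule.RemotePort = $p.Port } else { $rule.LocalPort = $p.Port }
        # Block rules take precedence over the default "File and Printer Sharing" allow rules.
        New-NetFirewallRule @rule | Out-Null
    }
}

# Check: list the rules just created together with the ports they filter
Get-NetFirewallRule -DisplayName 'Block-NetBIOS-*' | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $f.Protocol
                       RemotePort = $f.RemotePort; LocalPort = $f.LocalPort }
} | Format-Table -AutoSize
```

These rules cover the SMB path only; a client with the WebClient service running can retry the same UNC path over WebDAV (TCP 80/443), so disable WebClient on workstations that do not need it.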

Keep Up On Patches

Every time a remote password hash theft trick is revealed, the vendor patches it. But remember, the patch may not be automatically pushed to you. You may have to search for and apply it.

Use Phishing-Resistant MFA

Use PHISHING-RESISTANT MFA. It’s harder to steal your password hash when you don’t have a password. Actually, on Windows systems and networks, even if you use MFA, there will be a “password” hash associated with your account and used behind the scenes after you log on. But that hash will be derived from a truly random, long password and will probably be uncrackable (but still available for pass-the-hash attacks).

If you don’t know what I mean by PHISHING-RESISTANT MFA, read these related articles I’ve written:

Don’t Use Easily Phishable MFA and That’s Most MFA!

https://www.dhirubhai.net/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes

My List of Good, Strong MFA

https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes

Why Is the Majority of Our MFA So Phishable? and US Government Says to Use Phish-Resistant MFA

https://www.dhirubhai.net/pulse/why-majority-our-mfa-so-phishable-roger-grimes and https://blog.knowbe4.com/u.s.-government-says-to-use-phishing-resistant-mfa

To summarize, extracting Microsoft Windows logon hashes doesn’t always require local, admin, access and special hacking tools. Sometimes all it takes is an email. Defend accordingly.

Duane Thompson

Senior Customer Success Leader specializing in customer enablement, client advisory, and revenue generation.

7 months

Wow..

J.R. Cunningham

Chief Security Officer at Nuspire | Cyber Thought Leader | Active Practitioner

7 months

“MFA is on our roadmap.” If I had a dime for every company I’ve worked with that said this, I’d have a private island by now. And those companies usually call after bad stuff happens. Patch the stuff and multi-factor. This is a great data-driven example of why to do so.

George Pate

Texas Agriculture | Cyber Security | Business Development | Data Center Operations

7 months

Woahh! This is a good read!
