Core Security
BA-Con (Buenos Aires Conference)

Title: "Pass-the-hash toolkit for Windows"

Presenter: H. Ochoa

Date: Sept. 30/Oct. 1

Abstract:
The “pass-the-hash” technique, first published in 1997 by Paul Ashton, allows attackers to use captured NTLM hashes to authenticate to remote hosts without having to crack those hashes to recover the cleartext password. Until now, this technique has been performed using modified SMB clients (e.g., Samba) or third-party implementations of the SMB/CIFS protocol. This means that after successfully authenticating to a remote host using the pass-the-hash technique, the functionality available to attackers/penetration testers is limited to what these clients implement.

The pass-the-hash toolkit is the first public implementation of this technique for the Windows platform. It allows attackers/penetration testers to perform the technique from a Windows machine (e.g., by changing the current local logon session credentials or by creating a new local logon session with the desired credentials: username/domain/NTLM hashes) and then, once authenticated, use native Windows administration utilities (made by Microsoft or a third party) to access remote services, gaining access to all the functionality provided by the native utilities, without limitations.

This presentation will describe how the different tools included in the toolkit were implemented, and will explain how to use the toolkit during a penetration test.
