Dr. Microsoft, How I learned to stop worrying and love NTLM. Presented at ToorCamp 2014

by Barrett Weisshaar and David "videoman" Bryan

Summary: In 2012 Microsoft published an 82-page paper, "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques", that lays out policies and procedures for protecting against and mitigating Pass-the-Hash attacks. These procedures place the responsibility on system administrators and users, and they say little about the underlying issue: the flawed authentication protocol itself.
Adopting policies and procedures is a good way to mitigate these attacks; however, we believe the focus should be on moving forward and making NTLM obsolete in the enterprise environment. NTLM authentication has been the cornerstone of Windows authentication for over a decade, with NTLMv2 and its client/server challenges as the pinnacle of its development. A strong, complex password makes cracking harder, but it is not foolproof.
Even so, the existence of relay and Pass-the-Hash techniques and tools undermines nearly all of the protections NTLMv2 adds. We will demonstrate some of the vectors that we have found most useful in the course of everyday security testing. Once domain access is obtained, it is only a matter of time before it is game over.