Acquire current user hashes without admin privileges, presented at DEF CON 2014

by Anton Sapozhnikov

Summary: If an attacker has only user-level access to an infected machine inside a corporate internal network, he or she has quite a limited number of ways to get the password of that user. Already known techniques require additional network access or a great amount of luck. Having no access to the internal network and no admin privileges is a common case during spear phishing attacks and social engineering activities. This talk will cover a brand new technique to grab credentials from a pwned machine even without admin privileges. The technique is possible due to a design flaw in the Windows SSPI implementation. A proof of concept tool will also be presented.