Posted by: root, 8 years, 2 months ago
In researching pass-the-hash attacks, we discovered that when Microsoft implemented "Restricted Admin" mode they inadvertently enabled pass-the-hash attacks via RDP 8.1. A tool for this attack is now included in Kali Linux and probably in other toolkits.
This attack shows the weakness in the design of the system. The hash exists to make the system usable; it is a design feature. Since Microsoft can't remove the password from their software, they have a number of fixes, patches and configuration options that try to secure it.
Isn't it better to get rid of, or at least minimize, the lifetime of the password? WiKID does this with our native AD 2FA solution. The hash is only good for the life of the passcode.
If an attacker tries to pass the hash while the admin is logged in, the admin will actually see the request for the RDP session! If the attacker waits, the hash will no longer be valid.
In the past it seemed as if the market was saying that pass-the-hash was a big problem, but smart cards were not worth the effort and expense. Now you can have essentially the same functionality using your smartphone and WiKID for $24 per admin per year.
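The post mentions that Microsoft ships configuration options to contain this. As an added example (not from the WiKID post and not WiKID's code), the following PowerShell audits and optionally hardens the Restricted Admin RDP setting on a Windows host. It assumes an elevated PowerShell session and uses the documented `DisableRestrictedAdmin` DWORD under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`; the function names are my own.

```powershell
# Added example: audit the Restricted Admin RDP setting on a Windows host.
# Assumes an elevated PowerShell session. The registry value is the documented
# Windows one:
#   HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin (DWORD)
#     0 = Restricted Admin mode enabled (an RDP logon can succeed with only the NT hash)
#     1 = Restricted Admin mode disabled
# When the value is absent, the effective default depends on the OS version and
# installed updates, so the script reports it as needing review rather than guessing.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    [CmdletBinding()]
    param([string]$Path = $lsaPath)

    # Get-ItemProperty exposes each registry value as a property of the result.
    $key   = Get-ItemProperty -Path $Path -ErrorAction Stop
    $value = $key.PSObject.Properties['DisableRestrictedAdmin']

    if ($null -eq $value) {
        return [pscustomobject]@{
            Setting = 'DisableRestrictedAdmin'
            Value   = $null
            State   = 'NotSet'
            Risk    = 'Review: default depends on OS build and patch level'
        }
    }

    $state = switch ($value.Value) {
        0       { 'Enabled' }
        1       { 'Disabled' }
        default { 'Unexpected' }
    }
    $risk = if ($state -eq 'Enabled') {
        'Restricted Admin RDP is on; a stolen NT hash alone can open an RDP session'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Setting = 'DisableRestrictedAdmin'
        Value   = $value.Value
        State   = $state
        Risk    = $risk
    }
}

# Hardening step: explicitly disable Restricted Admin mode. Supports -WhatIf so
# the change can be previewed before it is written.
function Disable-RestrictedAdminMode {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $lsaPath)

    if ($PSCmdlet.ShouldProcess($Path, 'Set DisableRestrictedAdmin = 1')) {
        New-ItemProperty -Path $Path -Name 'DisableRestrictedAdmin' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-RestrictedAdminState -Path $Path
}

# Report the current state; run Disable-RestrictedAdminMode -WhatIf to preview
# the hardening change, then without -WhatIf to apply it.
Get-RestrictedAdminState | Format-List
```

Disabling the mode closes the RDP entry point but leaves the underlying problem the post describes: the NT hash of a static password stays valid for as long as the password does. A short-lived passcode bounds that lifetime regardless of which protocol the hash is replayed over.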