An impressive Windows security hack…
Oct 19th, 2009 by Ryan Meyer
I just came across a fascinating method of privilege escalation that uses the Windows pass-the-hash toolkit to modify the credentials of your current logon session.
- Physical access to a workstation is required, but only for about 20 minutes. A traveling laptop with VPN would even be sufficient, though write access to the file system from a bootable CD or USB drive is required.
- Also required is a local administrator account with the same pre-defined password on all workstations throughout the domain. In my experience, this is a standard practice for Windows administrators.
- Finally, a domain administrator has to be actively logged on to a server (non-DC) or a workstation.
From there it’s simple: NO social engineering, NO password stealer, NO password cracker, NO malicious code, NO exploiting zero-day or already patched vulnerabilities.
This is really an impressive hack and should encourage administrators to rethink some of their behaviors. Many security-conscious admins will have encrypted hard drives, limit boot devices, etc… but few have likely fully addressed the security implications of using a global password for the local administrator account. (I’ve already written and deployed a script to change the password to a hash computed by combining the computer name with a password.)
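As an added example of the per-machine scheme the last paragraph describes (this is not the author's deployed script; the master secret, host names and password alphabet are constructed for the demo), the following Python derives a distinct, reproducible local administrator password for each computer name:

```python
import hashlib
import hmac
import string

# Constructed placeholder master secret for the demo; a real deployment would
# generate a long random secret once and keep it off the workstations.
MASTER_SECRET = b"constructed-demo-secret-not-for-production"

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
PASSWORD_LENGTH = 20


def meets_complexity(password: str) -> bool:
    """Windows-style rule of thumb: at least three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def derive_local_admin_password(computer_name: str, master_secret: bytes = MASTER_SECRET) -> str:
    """Deterministic per-machine password: HMAC-SHA256(master_secret, computer name).

    The computer name is normalised (trimmed, upper-cased) so "ws01" and "WS01"
    give the same password. A counter byte is mixed in and bumped only in the
    rare case a candidate fails the complexity rule, so every host still gets
    a unique password that an admin can recompute without storing it anywhere.
    """
    name = computer_name.strip().upper().encode("utf-8")
    for counter in range(256):
        digest = hmac.new(master_secret, name + bytes([counter]), hashlib.sha256).digest()
        # Treat the 256-bit digest as a big integer and peel off base-len(ALPHABET)
        # digits; 75**20 is far below 2**256, so the modulo bias is negligible.
        value = int.from_bytes(digest, "big")
        chars = []
        for _ in range(PASSWORD_LENGTH):
            value, idx = divmod(value, len(ALPHABET))
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if meets_complexity(candidate):
            return candidate
    raise RuntimeError("could not derive a policy-compliant password")


if __name__ == "__main__":
    # Two constructed workstation names from the same domain get different passwords.
    for host in ("WS-FINANCE-01", "WS-FINANCE-02"):
        print(host, derive_local_admin_password(host))
```

The master secret becomes the single point of compromise: anyone who obtains both it and the scheme can recompute every host's password, so this removes the shared-hash problem described above only as long as that secret stays off the workstations.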