May Microsoft patch KB2871997 and KB2928120 vulnerability exploitation Analysis

On October 13, May, Microsoft released a monthly Security update, containing two knowledge base articles: KB2871997 and KB2928120 Knowledgeased (whereas KB2871997 is not even Security Bulletin ). These two updates cannot be ignored for both the Penetration Tester and the defender. KB2871997 for the famous PTH (pass the hash attack method ). Let's take a look at this analysis by security researcher Craig.

KB2871997

This update, known as the "PTH killer", will make the local account no longer available for remote access to the system, whether it is network logon or interactive login, this includes using the javasxec tool or even IPC to remotely browse C $. On the surface, this effectively reduces the threat in some attack scenarios. For example, after a machine is attacked, dump all the hash data, find the hash data of the local administrator, and attack other machines in the network with the same password, the entire network is usually controlled.

However, it was found in Craig's test that all of the above situations are correct, but the default Administrator (SID 500) Account is the only exception. Please note that the administrator has been renamed, its SID is still 500. As long as it is SID 500, the previous attack method is still valid.

Therefore, the administrator of the Defender should disable the default local admin account, create a new regular local user account, and add it to the Administrator group. If the Administrator does this, the local hash that the hacker dumps will no longer be valid in network replay, whether it is hash or the actual credentials. In Windows 7, the Administrator account is disabled by default, but Craig finds that this Administrator account is often enabled in some enterprise environments, but a new name is changed, that is, SID 500 is still used, this patch will not help you.

Craig tested WMI and javasxec_command in MSF and powershell, with the same results-all local account access was deny, except SID 500. The hash of Domain hashes and SID 500 can still pass the hash.

As you can see, you can still execute the dig xec command in a member of the testing domain environment, using an account of SID or 500, although it is already named renamedAdmin,

As shown in, for renamedAdmin, the pass the hash attack is still effective, but rdptest is ineffective.

You can see that rdptest is in the local administrator group, but it is not SID 500 anymore.

=

Mimikatz

What I have to say about KB2871997 is mimikatz, which has already captured the Administrator's RDP connection to the system. Then, you can use mimikatz to get the Administrator's plaintext password. Before KB2871997 patch, even if the Administrator correctly exits the RDP connection and does not close the connection window, he can still use mimikatz to obtain the plaintext password at any time. After the KB2871997 patch, as long as you are normal log off your RDP connection, the credentials in the memory will be cleared. However, if you close the connection window, the mimikatz attack is still effective. Craig's test showed that the system would not immediately clear the credentials in the memory, but the credentials would not be available in about 30 seconds.

 

In response to Craig's statement, Xiao Bian found that after Craig's test for a few days, mimimikatz released an updated version mimikatz 2.0 alphahttps: // protocol, and the updated version indicates that it can cope with KB2871997. "Pass-The-eKeys now also working on Windows 7/8 if KB2871997 installed" is life quite promising!

KB2928120

In addition, GPP comes from the official saying that "passwords can be stored in certain group policy preferences. This function will be deleted because the password stored in this method is not secure.

The following group of policy preferences no longer allow saving the user name and password:

1. Drive ing 2, local user and group 3, scheduled Task 4, Service 5, data source

This affects the behavior of any existing Group Policy object (GPO) that depends on the passwords in these preferences. It also prevents the use of this function to create new group policy preferences.

For drive ing, local users and groups, and services, you may be able to achieve similar goals through other more secure features in Windows.

For "scheduled tasks" and "Data Sources", you cannot achieve the goal achieved through the insecure group policy preference password function.

Craig test found that if the patch is completed, and then go to the admin account created previously, double-click it to send a warning message.

Click continue and you will see that the password is still there, but it cannot be changed. The password is grayed out.

When you create another account, you cannot set a password.

References:

Http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html