Defeating Pass-the-Hash: Separation of Powers

Black Hat USA 2015

Presented by: Seth Moore, Baris Saydag
Date: Wednesday August 05, 2015
Time: 11:30 - 12:20
Location: Mandalay Bay EF

The harvest and reuse of symmetric credentials has become a linchpin of system breaches. Under the guise of Pass-the-Hash, attackers are adept at reusing not only passwords, but derivatives such as hashes and keys. Windows 10 brings strong isolation of these artifacts, defeating Pass-the-Hash attacks originating from clients.

Legacy protocols such as Kerberos and NTLM are broadly deployed and will be vulnerable to attack for many years to come. Business needs dictate that Pass-the-Hash mitigations must work within the limitations of these protocols. In such an environment, how can Pass-the-Hash be stopped?The answer is a new level of OS isolation, based on virtualization technology. Hashes, keys, and other secrets are sequestered within physical memory not even the kernel may read. If an attacker cannot read the secrets, the attacker cannot reuse them.In this talk, we give an overview of the isolation technology. In addition, we answer questions such as: How does Windows 10 guarantee isolation of secrets? How does this go beyond simple client security? Can this even be achieved without major protocol revisions?

Seth Moore

Seth Moore is a software developer at Microsoft Corporation, where he works on the Windows authentication protocols. Though he has 13 years of developer experience, Seth is a relative newcomer to the security space, spending only the last two years working on protocols. Seth's focus within protocols has been primarily focused on defending against pass the hash attacks, with an eye on guarding known-vulnerable, legacy protocols such as NTLM and Kerberos.

Baris Saydag

After finishing his master's degree in computer science, Baris Saydag joined Turkish Airlines as a network planning engineer. Although devising reliable and secure networks that must scale internationally was a lot of fun, in 2004, he followed his lifetime dream and joined Microsoft. After a few interesting testing projects, Baris found his way to the security field in 2006 and has been contributing to Windows security ever since. During that time, he developed a C-language based fuzzing compiler, helped responding to numerous MSRC cases by finding variants and ensuring a thorough job has been done, trained new hire MS employees, suggested and led development of several security features in Windows.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats