From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorised credentials help you navigate laterally under the radar.
According to Verizon’s 2020 Data Breach Investigations Report, using stolen credentials is the second most common activity conducted by attackers during a breach. Here we’ll look at the practice of ‘credential dumping’.
What is credential dumping?
Credential dumping is a technique whereby an attacker scours a compromised computer for credentials in order to carry out further attacks. The fact that this is an unfamiliar attack method only underscores the importance of understanding it better.
There are a variety of places within operating systems where credentials are stored. If an attacker can gain access to those parts of the system, they can attempt to copy and “dump” the credentials.
Credential dumping is possible because software and operating systems store passwords in memory, databases or files. The operating system will initially request a password, but then use the cached password for successive logins, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains low-level access to a computer. Credentials can then be harvested with various credential dumping tools. Although there are several tools an attacker can wield to steal credentials, Mimikatz, first released in 2007 by Benjamin Delpy, is the most popular. Its original purpose was to highlight a flaw in the Windows LSASS process, which stores credentials to streamline access to system resources. The flaw in question was eventually fixed, yet Mimikatz has evolved into a dual-use tool, used by both security professionals and malicious actors.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords that have been stolen through phishing or keylogging, or have been stolen and successfully decrypted.
However, not all credentials can easily be decrypted. There is a group of attack techniques centred on using these credentials as is. For instance, consider that many user names and passwords are encrypted (aka “hashed”) on the authenticating server. When you log in, the server generally decrypts the stored password and compares the two. Another way to compare is to encrypt the password that arrives, then compare it to the encrypted password on file. Either way, if there is a match, access is granted.
If an attacker manages to steal user credentials but cannot decrypt them, they can attempt to pass them to the authentication server as they are. If the server simply compares the two hashed passwords and they match, access is granted. This technique is often called “passing the hash”.
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in. As a variation of the overall theme, this attack is called “pass the ticket”.
There are plenty of variations out there. An attacker can “overpass the hash”, by which they pass a hash to NT LAN Manager (NTLM) authentication in the hope that it will hand back a Kerberos ticket, which they can then use to log in to network resources. There are also techniques that can grant them “golden” and “silver” Kerberos tickets which, as the names suggest, offer elevated privileges and access throughout a network administered by Kerberos.
What to do
Fortunately, there are many ways to defend against credential dumping:
Monitor access to LSASS services and SAM databases.
Watch for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look for unexpected and unassigned connections from IP addresses to known domain controllers.
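As an added example that is not from the original article, the Python below applies the first two of these checks to a handful of constructed, Sysmon-style log entries: process-access events against lsass.exe that request memory-read rights from a process outside an allowlist, and process-creation command lines that reference lsass. The pipe-delimited log format, the allowlist of expected source processes and the sample entries are all assumptions to be tuned for a real environment.

```python
from dataclasses import dataclass

# Assumed allowlist of processes that legitimately open lsass.exe on a typical
# host; it must be tuned per environment (this is an assumption, not a standard).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory


@dataclass
class Finding:
    event_id: int
    reason: str
    source: str


def parse_kv(line: str) -> dict:
    """Parse 'Key=Value' pairs separated by '|' (constructed log format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def check_event(line: str):
    """Return a Finding for one log entry, or None if it looks benign."""
    ev = parse_kv(line)
    eid = int(ev["EventID"])
    if eid == 10 and ev["TargetImage"].lower().endswith(r"\lsass.exe"):  # ProcessAccess
        src = ev["SourceImage"].lower()
        access = int(ev["GrantedAccess"], 16)
        if src not in LSASS_ALLOWED_SOURCES and access & PROCESS_VM_READ:
            return Finding(eid, "memory-read handle to lsass.exe from unexpected process", ev["SourceImage"])
    if eid == 1:  # ProcessCreate: inspect the command line
        cmd = ev.get("CommandLine", "").lower()
        if "lsass" in cmd and ev["Image"].lower() not in LSASS_ALLOWED_SOURCES:
            return Finding(eid, "command line references lsass", ev["Image"])
    return None


def scan(lines):
    return [f for f in (check_event(l) for l in lines) if f]


# Constructed sample entries (not real telemetry).
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\alice\AppData\Local\Temp\updater.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine="notepad.exe" report.txt',
    r"EventID=1|Image=C:\Tools\dump.exe|CommandLine=dump.exe --process lsass.exe --out C:\Temp\x.dmp",
    r"EventID=10|SourceImage=C:\Windows\System32\wininit.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```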
Cisco offers a broad solution set for monitoring and protecting your environment against credential dumping attacks. Products such as Cisco Secure Endpoint, Cisco Duo, and Cisco Identity Services Engine can help to keep your environment secure.
This article originally appeared as a ‘Threat of the Month’ article at: blogs.cisco.com/security/stealing-passwords-with-credential-dumping