On a pretty consistent basis, SmartCard and Multi-factor Authentication (MFA) technologies are brought up when discussing Pass-the-Hash/Pass-the-Ticket with customers. Many customers believe they do not need to worry about such attacks because they have non-repudiation.
However, what smartcards were set out to solve predates Pass-the-Hash/Ticket being a real thing! At that time, the threat was really brute-force attacks: weak or common passwords meant less time to compromise the plaintext password. Rainbow tables also became a thing, so the entropy of the NTLM hash itself became important.
Then Pass-the-Hash became a thing, which Mimikatz and Windows Credential Editor (WCE) made popular. Here, the adversary doesn't even care about the entropy of the NTLM hash anymore; they simply harvest it and replay it. But without a smartcard, how is that possible? Well, SmartCard Required for Interactive Logon (SCRIL) has two very important words in it: "Interactive Logon". Interactive logons are only two of the logon types that can occur:
What does this mean? I can steal the NTLM hash and move laterally with that credential via the other logon types! Don't try to restrict SCRIL-enabled users to only these two logon types either; this will break things like allowing them to manage devices and be productive employees by automating some of their own tasks. Better yet, let's focus on the problem.
What better way to do that than a quick video?
So now what do we do with this, knowing the actual risk?
Well, the first step is knowledge. Next, let's see how we can roll those NTLM hashes. We provide two solutions below. And of course, we fully recommend that our customers, and anyone focused on targeted attacks, leverage Advanced Threat Analytics!
Here, a script is provided that discovers your Smartcard Required for Interactive Logon (SCRIL) users and turns the SCRIL bit off and then on again. That toggle is the moment the NTLM hash is randomized: the domain controller assigns the account a new random password, which replaces the stored hash.
Domain Functional Level (DFL) 2016 includes a new feature that gets past some of the limitations of the PowerShell script. It is fully supported by Microsoft, and we recommend that anyone using Smartcard Required for Interactive Logon (SCRIL) turn this bit on!
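The following is an added example of such a script, written for this page; it is not the script from the original post. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to modify the target accounts. SCRIL users are located with an LDAP bitwise filter on the SMARTCARD_REQUIRED bit (0x40000) of userAccountControl, and each account's flag is cleared and re-set through Set-ADUser, which is what makes the domain controller assign a new random password (and therefore a new NTLM hash). The function names Get-ScrilUser and Invoke-ScrilHashRoll are this example's own.

```powershell
# Added example, not the script from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the caller has rights to modify the target user accounts.
Import-Module ActiveDirectory

# UserAccountControl flag SMARTCARD_REQUIRED (0x40000). The LDAP matching rule
# 1.2.840.113556.1.4.803 performs a bitwise AND, so this filter returns only
# accounts that currently have the bit set.
$ScrilBit    = 0x40000
$ScrilFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$ScrilBit)"

function Get-ScrilUser {
    # Discover every user with "Smart card is required for interactive logon" enabled.
    Get-ADUser -LDAPFilter $ScrilFilter -Properties pwdLastSet, SmartcardLogonRequired
}

function Invoke-ScrilHashRoll {
    # Clear and re-set the SCRIL flag for one user, rolling the NTLM hash.
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Clear and re-set SCRIL (rolls NTLM hash)')) {
            # Turning the flag off and back on makes the DC assign a new random password,
            # which replaces the stored NTLM hash. The account stays smartcard-only afterwards.
            Set-ADUser -Identity $User -SmartcardLogonRequired $false
            Set-ADUser -Identity $User -SmartcardLogonRequired $true

            # Read pwdLastSet back to confirm the secret actually changed.
            $after = Get-ADUser -Identity $User -Properties pwdLastSet
            [PSCustomObject]@{
                SamAccountName = $User.SamAccountName
                PwdLastSet     = [DateTime]::FromFileTimeUtc($after.pwdLastSet)
            }
        }
    }
}

# Usage: preview the affected accounts first, then roll for real.
Get-ScrilUser | Invoke-ScrilHashRoll -WhatIf
Get-ScrilUser | Invoke-ScrilHashRoll
```

Run the -WhatIf pass first and compare its account list against the SCRIL population you expect; the pwdLastSet value returned after each roll should move to the current time, which is the simplest confirmation that the hash was actually replaced.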
For more on this:
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection
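As an added example (not from the original post or from the linked article), the script below checks whether the domain is at the 2016 functional level, reads and enables the domain-wide rolling setting, and audits which SCRIL accounts still carry a hash older than the domain's maximum password age. The attribute name msDS-ExpirePasswordsOnSmartCardOnlyAccounts is taken from the Microsoft credential-protection documentation linked above, not from this post; the function names and the assumption that a current RSAT ActiveDirectory module (one that knows the Windows2016Domain mode) is installed are this example's own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# (2016 or newer) and rights to modify the domain naming context.
# Attribute name taken from the linked Microsoft documentation.
Import-Module ActiveDirectory

$AttrName  = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
$ScrilFilter = '(userAccountControl:1.2.840.113556.1.4.803:=262144)'  # SMARTCARD_REQUIRED (0x40000)

function Test-ScrilRollingSupported {
    # The domain-level switch only exists at Windows Server 2016 DFL or higher.
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
    return ([int](Get-ADDomain).DomainMode -ge [int]$required)
}

function Get-ScrilRollingState {
    # Read the current value of the domain-level switch ($false when never set).
    $dn  = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $dn -Properties $AttrName
    return [bool]$obj.$AttrName
}

function Enable-ScrilRolling {
    # Turn the switch on; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-ScrilRollingSupported)) {
        throw 'Domain functional level must be Windows Server 2016 or higher.'
    }
    $dn = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, "Set $AttrName = TRUE")) {
        Set-ADObject -Identity $dn -Replace @{ $AttrName = $true }
    }
}

function Get-StaleScrilUser {
    # Audit: SCRIL accounts whose pwdLastSet is older than the domain maximum password age.
    # These are the hashes that have outlived the password policy without ever changing.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    if ($maxAge -eq [TimeSpan]::Zero) {
        # Edge case: "passwords never expire" means no age-based rolling will ever trigger.
        Write-Warning 'MaxPasswordAge is 0 (never expires); age-based hash rolling will not apply.'
        return
    }
    $cutoff = (Get-Date).ToUniversalTime() - $maxAge
    Get-ADUser -LDAPFilter $ScrilFilter -Properties pwdLastSet |
        Where-Object { [DateTime]::FromFileTimeUtc($_.pwdLastSet) -lt $cutoff } |
        Select-Object SamAccountName,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } }
}

# Usage
Write-Host "DFL supports rolling:     $(Test-ScrilRollingSupported)"
Write-Host "Rolling currently enabled: $(Get-ScrilRollingState)"
Enable-ScrilRolling -WhatIf
Get-StaleScrilUser
```

Get-StaleScrilUser is useful before and after enabling the switch: beforehand it shows how long SCRIL hashes have been sitting unchanged in your domain, and afterwards its output should shrink as accounts are rolled. The MaxPasswordAge check matters because an age-based mechanism has nothing to act on when the policy says passwords never expire.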
Welp, that is the quick and dirty on this topic. Please do check out Advanced Threat Analytics to discover this and other attacks in your environment by focusing on Identity. Leave questions in the comments!