RDP Credential Caching - PTH / PTT

  • Last Post 13 March 2017
decrosby posted this 31 January 2017

Hi,

There is a LOT of documentation out there detailing credential exposures, particularly those detailing the caching in LSASS of password artifacts. I have a specific question wrt RDP and how credentials are exposed during logon and logoff.

Q. When I mstsc /v to a remote server (same or using a set of different credentials) is there any caching of the password locally or remotely? My reading tells me that there will be no source caching (for different credentials) but there will be caching on the target server for the duration of the session and potentially some time after if I don't log off cleanly. This applies to using a username / password and token-based authentication too, as this is just getting a hash.

Expert opinions welcome / helpful!

Bharathian posted this 31 January 2017

Hi,

 

I think it caches locally. Microsoft has brought a new feature for securing credentials over remote desktop for Server 2016:

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard


decrosby posted this 31 January 2017

Hi,

 

If this MSFT documentation is authoritative

http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20TechniquesEnglish.pdf

then it would suggest that there is credential caching at both ends. I understand that my initial logon to my source will have some caching and, in reading this, the remote end will have a cache of the credentials I use to connect with (these could be different but that’s irrelevant) too. The link you provide suggests that Remote Credential Guard fixes that remote caching but infers that maybe it gets cached locally on the source – “Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection”.

Woods and trees!


Dima Razbornov posted this 31 January 2017

On both sides, this is quite right. PTH / PTT can be avoided only with Windows 2016.

Bharathian posted this 01 February 2017

Hi,

 

I have not looked into the details yet. It could be both ends as well. On the client side, there is a Credential Guard feature that can be enabled in Windows 10. In this case we can be more secure on either side.

kebabfest posted this 01 February 2017

This is interesting in conjunction with the Kerberos timeout thread. I use multiple RDP sessions currently on a system which doesn't have a GPO to kill idle sessions.
Even if I change my password, the old idle sessions will automatically go straight in.


ken posted this 02 February 2017

When you reconnect your idle session, you put your new password into the dialogue box, right?

 

The session would be reconnected based on your SID, I would imagine, which hasn’t changed.

rwf4 posted this 02 February 2017

We had this explicitly demonstrated by our PFE when we did a SLAM engagement with MS last year.

 

It is cached locally and there are indeed reusable credentials in the local (and remote) LSA session in a default config of lower OS levels unless you are using WIN10/S2016 and Credential Guard.

Mitigations are available in KB2871997 / 2871997 etc. for lower OSs.

I started with https://blogs.technet.microsoft.com/srd/2014/06/05/an-overview-of-kb2871997/ and followed where it led :-)

One thing I found interesting at the time was that even if a remote login failed because of user rights, the credentials could be harvested if the host was compromised.

| Connection method | Logon type | Reusable credentials on destination | Comments |
|---|---|---|---|
| Log on at console | Interactive | √ | Includes hardware remote access / lights-out cards and network KVMs. |
| RUNAS | Interactive | √ | |
| RUNAS /NETWORK | NewCredentials | √ | Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
| Remote Desktop (success) | RemoteInteractive | √ | If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
| Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised. |
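The "Reusable credentials on destination" column above, turned into detection logic that can be run over Security log records, as an added example that is not part of the thread, the Microsoft whitepaper, or any Microsoft tool. It assumes the standard field names of events 4624/4625 (LogonType, TargetLogonId, TargetUserName, TargetDomainName, RestrictedAdminMode, Status), 4634/4647 (TargetLogonId) and 4779; the event records it processes are constructed for the example, not real log data. The Restricted Admin check reflects the KB2871997 behaviour rwf4 refers to; Remote Credential Guard leaves no field in 4624 that this code could key on, so it is not modelled.

```python
"""Classify 4624/4625 logon records by whether the logon type leaves reusable
credentials in LSASS on the destination, and replay 4624/4634/4647 records to
find sessions whose credentials are still resident (including disconnected RDP
sessions that were never logged off). Added example; constructed sample data."""

from dataclasses import dataclass

# LogonType values as they appear in Security events 4624/4625.
LOGON_TYPE_NAMES = {
    2: "Interactive",         # log on at console, RUNAS
    3: "Network",             # SMB, WinRM, LDAP: authenticator only
    4: "Batch",               # scheduled task with stored password
    5: "Service",             # service with stored password
    7: "Unlock",              # re-proves password to an existing session
    8: "NetworkCleartext",    # e.g. IIS basic auth
    9: "NewCredentials",      # RUNAS /NETONLY
    10: "RemoteInteractive",  # Remote Desktop
    11: "CachedInteractive",  # console logon with cached domain creds
}

# Logon types whose successful logon leaves a password hash / Kerberos TGT in
# LSASS on the destination until the LSA logon session ends. 2, 9 and 10 are
# the rows quoted in the thread; 4, 5, 8 and 11 are the remaining "yes" rows of
# the same whitepaper table. Type 3 leaves nothing reusable behind.
LEAVES_REUSABLE_CREDS = {2, 4, 5, 8, 9, 10, 11}


@dataclass(frozen=True)
class Exposure:
    logon_id: str
    user: str
    logon_type: int
    reusable_on_destination: bool
    reason: str


def classify(event: dict) -> Exposure:
    """Verdict for one 4624 (success) or 4625 (failure) record."""
    lt = int(event["LogonType"])
    name = LOGON_TYPE_NAMES.get(lt, f"type {lt}")
    user = f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}"
    logon_id = event.get("TargetLogonId", "")
    if event["EventID"] == 4625:
        # "Remote Desktop (failure)" row: credentials are held only briefly,
        # unless the destination is already compromised and scraping LSASS.
        return Exposure(logon_id, user, lt, False,
                        f"{name} logon failed ({event.get('Status', '?')}): "
                        "credentials held only transiently")
    if lt == 10 and event.get("RestrictedAdminMode", "No") == "Yes":
        # Restricted Admin RDP (KB2871997, 2012 R2+): the user is authenticated
        # but no password or TGT is placed on the destination.
        return Exposure(logon_id, user, lt, False,
                        "RemoteInteractive in Restricted Admin mode: "
                        "nothing reusable on destination")
    if lt in LEAVES_REUSABLE_CREDS:
        return Exposure(logon_id, user, lt, True,
                        f"{name} logon: hash/TGT resident in LSASS until logoff")
    return Exposure(logon_id, user, lt, False,
                    f"{name} logon: authenticator only, nothing reusable left")


def sessions_still_holding_creds(events: list[dict]) -> dict[str, Exposure]:
    """Replay records in order. A 4624 that leaves reusable credentials opens a
    session keyed by TargetLogonId; only a 4634/4647 for that LogonId closes
    it. An RDP disconnect (4779) is deliberately NOT a logoff: the LSA logon
    session, and with it the credentials, stays resident on the destination."""
    open_sessions: dict[str, Exposure] = {}
    for ev in events:
        if ev["EventID"] == 4624:
            verdict = classify(ev)
            if verdict.reusable_on_destination:
                open_sessions[verdict.logon_id] = verdict
        elif ev["EventID"] in (4634, 4647):
            open_sessions.pop(ev.get("TargetLogonId", ""), None)
    return open_sessions


# Constructed sample records (not real log data). With NLA a real RDP logon is
# preceded by a type 3 logon for the same user; only the type 10 record matters
# for what stays resident on the destination.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "admin1", "TargetLogonId": "0x3e7a1",
     "RestrictedAdminMode": "No"},                                 # plain RDP
    {"EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "admin2", "TargetLogonId": "0x3e7b2",
     "RestrictedAdminMode": "Yes"},                                # mstsc /restrictedAdmin
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7c3"},  # SMB access
    {"EventID": 4624, "LogonType": 9, "TargetDomainName": "CORP",
     "TargetUserName": "admin1", "TargetLogonId": "0x3e7d4"},      # RUNAS /NETONLY
    {"EventID": 4625, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "helpdesk1", "Status": "0xC000015B"},       # logon type denied
    {"EventID": 4779, "AccountDomain": "CORP", "AccountName": "admin1"},  # RDP disconnect
    {"EventID": 4634, "LogonType": 9, "TargetDomainName": "CORP",
     "TargetUserName": "admin1", "TargetLogonId": "0x3e7d4"},      # RUNAS process exits
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["EventID"] in (4624, 4625):
            v = classify(ev)
            print(f"{v.user:16} {LOGON_TYPE_NAMES.get(v.logon_type, v.logon_type):18} "
                  f"reusable={v.reusable_on_destination!s:5} {v.reason}")
    left = sessions_still_holding_creds(SAMPLE_EVENTS)
    print("sessions still holding reusable creds:", {k: v.user for k, v in left.items()})
```

On the sample data the only session still holding reusable credentials at the end is admin1's RDP session (LogonId 0x3e7a1): it was disconnected, not logged off, which is the situation kebabfest describes. The Restricted Admin logon and the network logon never put anything reusable on the destination, and the RUNAS /NETONLY session was closed by its 4634.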


darren posted this 02 February 2017

Bob-

Are you using Protected Users? I’m curious if it causes any compatibility issues?

Darren

rwf4 posted this 03 February 2017

Hi Darren-

 

We are about to test. I am also curious and haven’t seen a lot of evidence either way.

Tier 0 segmentation and PAWs were higher priorities. What few privileged accounts remain are very constrained and use JIT/JEA, so we’ve come a long way.

--bob

decrosby posted this 13 March 2017

Hi,

 

Did the group prove through testing exactly where creds remained / were exposed?

Thanks.

Damian.