WDigest Clear-Text Passwords: Stealing More Than a Hash

What happens when a malicious user has access to more than just an NTLM hash? What is WDigest? Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with…

RID Hijacking: When Guests Become Admins

Securing Windows workstations and servers should be a priority for any organization; preventing a machine from getting compromised and being used to move laterally within an environment is a major concern. What happens when a machine is already compromised? A persistence method called ‘RID Hijacking’ is a way for an attacker to persist within your environment by granting the Guest account, or another local account, local administrator privileges by ‘hijacking’ the RID (relative identifier) of the Administrator account. Creating persistence…
