What happens when a malicious user has access to more than just an NTLM hash?
What is WDigest?
Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with a key derived from the password. The encrypted response is compared to a stored response on the authenticating server to determine if the user has the correct password. Microsoft provides a much more in-depth explanation of WDigest, how it works, and some of its uses here.
Why Does it Matter?
Windows security auditing should be a priority for everyone; understanding how your endpoints are configured, and what doors they may be opening for malicious users, is essential to protecting any environment. This is where WDigest comes into play: the concern with WDigest is that it stores passwords in clear text, in memory. If a malicious user has access to an endpoint and is able to run a tool like Mimikatz, not only would they get the hashes currently stored in memory, but they would also be able to get the clear-text password for those accounts. This is obviously a concern because now, not only are they able to leverage an attack like pass-the-hash, but they also have the username and password available to try to log on to things like Exchange, internal web sites, etc.
Here is an example of what an attacker would see when dumping credentials from memory with a tool like Mimikatz: the user “TestA” used Remote Desktop to log onto this machine, and because the WDigest setting is configured in an insecure manner, they see not only an NTLM hash for the account but the clear-text password “Password123” as well.
What Can Be Done?
Fortunately, Microsoft released a security update (KB2871997) that allows you to configure a registry setting that prevents clear-text passwords from being stored in memory. Before doing that, however, one thing you may want to do is look into the event logs on your domain controllers and servers. Event ID 4624 on servers and Event ID 4776 on domain controllers will highlight users logging in with ‘Authentication Package: WDigest’. Once you’re sure that you’re able to make this change without impacting your environment, you’ll want to look at the server you’re trying to secure. For Windows 7, 8, Server 2008 R2 and Server 2012, you must install the aforementioned security update and then set the following registry value to 0: UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
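The event log check described above, as an added PowerShell example that is not part of the original post: it pulls Event ID 4624 entries whose Authentication Package is WDigest from a server's Security log and groups them by account. The function name Get-WDigestLogon and its parameters are my own; it assumes you run it elevated and, for a remote host, that the Security log is readable over the network.

```powershell
# Added example (not from the original post): list successful logons (Event ID 4624)
# whose Authentication Package is WDigest, so you can see which accounts and hosts
# still rely on it before changing UseLogonCredential.
function Get-WDigestLogon {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )
    # XPath filter evaluated by the event log service itself, so only matching
    # events are returned instead of every 4624 on a busy server.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='WDigest']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Usage: summarise which accounts still authenticate with WDigest on this host.
# Pass -ComputerName 'dc01' to query a domain controller's Security log instead.
Get-WDigestLogon | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Get-WinEvent reports an error (suppressed here) rather than an empty result when nothing matches, so an empty table means no WDigest logons were found within the last $MaxEvents matching events, not that the query failed silently; drop -ErrorAction SilentlyContinue while troubleshooting.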
The easiest way to do this would be through group policy, but a quick script would work:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
Once you’ve pushed the security update, and the registry key update to all of your servers, you can ensure you’ve done it successfully by querying the registry to see that it exists and is not set to 1.
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
By default, later versions of Windows (8.1+ and 2012 R2+) do not require the security update, or the setting of this value to 0, as the default is 0 when not present. However, you would want to ensure that there haven’t been any manual modifications of this value that set it back to 1. Once you’ve changed the value of this setting, an attacker dumping credentials out of memory wouldn’t get the clear-text credential and would see this:
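The whole procedure above (check the OS version, confirm KB2871997 on older versions, read UseLogonCredential, treat an absent value as 0 on Windows 8.1 / Server 2012 R2 and later, and set it to 0 where needed) as one added PowerShell audit script. This is an added example, not the post's or STEALTHbits' own code; the function Test-WDigestExposure and its -Remediate switch are my own names, and it assumes PowerShell 3 or later on the targets and WinRM enabled for remote hosts.

```powershell
# Added example (not from the original post): audit, and optionally fix, the
# UseLogonCredential value on a list of hosts. Assumes WinRM (Invoke-Command) is
# enabled for remote hosts and that you are running as an administrator.
function Test-WDigestExposure {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Remediate
    )

    # Runs on each target. Logic follows the post: on Windows 8.1 / Server 2012 R2
    # (NT 6.3) and later an absent value means 0 (protected); on older versions the
    # value only takes effect once KB2871997 is installed, and absent means 1 (exposed).
    $probe = {
        param([bool]$Fix)
        $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        $os     = Get-CimInstance -ClassName Win32_OperatingSystem
        $modern = [version]$os.Version -ge [version]'6.3'
        $value  = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
        $hasKB  = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

        $state = if ($value -eq 1) { 'Exposed: UseLogonCredential is 1' }
                 elseif ($value -eq 0) { 'Protected: UseLogonCredential is 0' }
                 elseif ($modern) { 'Protected: value absent, default is 0' }
                 elseif (-not $hasKB) { 'Exposed: KB2871997 not installed' }
                 else { 'Exposed: value absent, default is 1 on this OS' }

        $action = 'None'
        if ($Fix -and $state -like 'Exposed*') {
            if (-not $modern -and -not $hasKB) {
                $action = 'Install KB2871997 first, then set the value'
            } else {
                # -Force overwrites an existing value and creates it if absent.
                New-ItemProperty -Path $key -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
                $action = 'Set UseLogonCredential to 0'
            }
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            OSVersion = $os.Version
            KB2871997 = $hasKB
            Value     = if ($null -eq $value) { '<absent>' } else { $value }
            State     = $state
            Action    = $action
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') {
            & $probe $Remediate.IsPresent
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $Remediate.IsPresent |
                Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
        }
    }
}

# Usage: report only; add -Remediate to set exposed hosts to 0.
# Test-WDigestExposure -ComputerName 'srv01','srv02' | Format-Table -AutoSize
Test-WDigestExposure | Format-Table -AutoSize
```

Run it without -Remediate first and review the State column against the event log results, since the value change only affects credentials for logons that happen after it; clear-text passwords already held by LSASS for existing sessions are not purged by the registry write, so plan on a logoff or reboot before treating a previously exposed host as clean.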
Here’s a chart to help you determine if you need to take action on your endpoints:
WDigest in Review
A configuration related to WDigest could hinder the security of your environment, specifically on the endpoint, by allowing an attacker to steal clear-text credentials from memory. There are measures you can take to remediate this and ensure that your endpoints and credentials are more secure. Microsoft’s security update (KB2871997) addresses the issue on older versions of Windows, whereas newer versions should be secure by default. Checking the registry on all of your Windows endpoints for this WDigest setting should be a priority, as the loss of credentials could lead to the loss of sensitive information. One way to do this would be through quick command-line queries against all of your hosts, but a faster way would be to automate this type of auditing against your endpoints and have the data presented to you in an easy-to-consume report.
StealthAUDIT for Windows offers this functionality and more in an easy to use, scalable solution that will assist in auditing your entire infrastructure.
Kevin Joyce is a Senior Technical Product Manager at STEALTHbits Technologies. He is responsible for building and delivering on the roadmap of STEALTHbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.