Hacking Book | Free Online Hacking Learning


Microsoft's May update

Posted by patinella at 2020-02-24

In May, Microsoft released its monthly security update on May 13, which includes the knowledge base articles KB2871997 and KB2928120 (KB2871997 is not even a security bulletin). Neither update should be ignored, whether you are a penetration tester on the attacking side or an administrator on the defending side. KB2871997 addresses the well-known PTH (pass-the-hash) attack, and KB2928120 addresses GPP (Group Policy Preferences). Please refer to FreeBuf's earlier coverage. Let's take a look at Craig's analysis.


This update, dubbed the "PTH killer", means that local accounts can no longer be used to access a system remotely, whether by network logon or interactive logon. That includes the psexec tools and even browsing C$ remotely over IPC. On the surface this effectively reduces the threat in some attack scenarios, for example: after one machine is compromised, dump all of its hashes, find the local administrator's hash, and use it against other machines in the network that share the same password. Entire networks are often taken over this way.

However, in Craig's testing, all of the above held true with one exception: the default Administrator account (SID 500). Note that even if the Administrator account has been renamed, its SID still ends in 500, and as long as that is the case the previous attack methods still work.

Therefore, as a defending administrator, you should disable the default local Administrator account, create a regular local user account instead, and add it to the Administrators group. If administrators do this, the local hashes a hacker dumps will no longer be usable for replay across the network, whether as hashes or as the actual credentials. The Administrator account is disabled by default in Windows 7, but Craig found that in some enterprise environments it is re-enabled, just under a new name, so it is still SID 500 and this patch will not help you.
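The following PowerShell carries out that recommendation. It is an added example, not Craig's code or anything from the original article: it first checks that the two updates are installed, locates the built-in Administrator by its SID (which ends in -500 whatever the account is currently called), creates a differently named local admin so the machine stays manageable, and only then disables the RID-500 account. It assumes an elevated Windows PowerShell 5.1+ session with the Microsoft.PowerShell.LocalAccounts module; the replacement account name is a placeholder.

```powershell
# Added example (not from the original article). Run elevated on the host
# being hardened. Requires the LocalAccounts module (Windows PowerShell 5.1+).

$ReplacementAdmin = 'svc-localadmin'   # assumed placeholder name; choose your own

# 1. Confirm the two updates discussed in the article are present.
foreach ($kb in 'KB2871997', 'KB2928120') {
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) { Write-Host "$kb installed on $($fix.InstalledOn)" }
    else      { Write-Warning "$kb not found on this host" }
}

# 2. Locate the RID-500 account by SID, not by name, since it may be renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
Write-Host "Built-in Administrator is currently named '$($builtin.Name)' (Enabled: $($builtin.Enabled))"

# 3. Create the replacement admin first so the host is never left without one.
if (-not (Get-LocalUser -Name $ReplacementAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $ReplacementAdmin" -AsSecureString
    New-LocalUser -Name $ReplacementAdmin -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $ReplacementAdmin
}

# 4. Only now disable the RID-500 account.
if ($builtin.Enabled) {
    Disable-LocalUser -SID $builtin.SID
    Write-Host "Disabled '$($builtin.Name)' ($($builtin.SID.Value))"
}

# 5. Verify: list the local user members of Administrators with SID and state.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object {
        $u = Get-LocalUser -SID $_.SID
        [pscustomobject]@{
            Name     = $u.Name
            SID      = $u.SID.Value
            Enabled  = $u.Enabled
            IsRid500 = ($u.SID.Value -match '-500$')
        }
    } | Format-Table -AutoSize
```

The final table is the check that matters: after the script runs, the only row with IsRid500 set to True should show Enabled as False, and the replacement account should be the enabled local administrator.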

Craig tested with WMI, the psexec_command module in MSF, and PowerShell, with the same result: all local account access was denied, except for SID 500. Domain account hashes and the SID 500 hash can still be used for pass-the-hash.

As the figure below shows, in the test domain environment you can still run psexec against a domain member using the SID 500 account, even though it has been renamed to renamedadmin.

As shown in the figure below, pass-the-hash still works for renamedadmin, but not for rdptest.

As the figure below shows, rdptest is in the local Administrators group, but it is not SID 500.
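From the defender's side, the observation above (only the RID-500 local account still gets network logons) is something you can verify in the Security log. The script below is an added example, not part of Craig's analysis or the original article: it pulls logon events (4624) with logon type 3 (network) whose target account is a local account of this machine, and flags which of them are the RID-500 account. After KB2871997 the only local hits should be RID-500; any other local account appearing here means the patch is not having the described effect. It assumes an elevated session on the host and the LocalAccounts module to derive the machine SID.

```powershell
# Added example (not from the original article). Lists network logons by
# local accounts of this machine, marking the RID-500 account. Run elevated.

$Since = (Get-Date).AddDays(-7)    # look-back window; adjust as needed

# The machine SID is the domain part of any local account's SID.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $sid = [string]$d['TargetUserSid']

    # Keep network logons (type 3) whose target SID belongs to this machine.
    if ($d['LogonType'] -eq '3' -and $sid.StartsWith("$machineSid-")) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            TargetSid   = $sid
            IsRid500    = ($sid -eq "$machineSid-500")
            SourceIp    = $d['IpAddress']
            AuthPackage = $d['AuthenticationPackageName']   # NTLM for a hash-based logon
            LogonProc   = $d['LogonProcessName']
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else       { Write-Host "No network logons by local accounts since $Since" }
```

Rows with IsRid500 equal to False are the interesting ones for checking the patch; rows with IsRid500 equal to True from unexpected source addresses are the ones worth investigating on a host where the built-in account has not yet been disabled.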


Where KB2871997 is concerned, we also have to mention mimikatz, which is usually used to grab the administrator's clear-text password after the administrator has connected to the system over RDP. Before KB2871997, even if the administrator logged off the RDP session properly rather than just closing the connection window, mimikatz could still be used to obtain the clear-text password at any time. After KB2871997, as long as the RDP session is logged off normally, the credentials in memory are cleared; if the connection window is merely closed, however, the mimikatz attack still works. Craig's test found that the system does not clear the credentials from memory immediately, but after about 30 seconds they are gone.


As for GPP, Microsoft's official description says: "Some Group Policy Preferences can store passwords. This feature is being removed because passwords stored this way are not secure."

The following Group Policy Preferences will no longer allow user names and passwords to be saved: Drive Maps, Local Users and Groups, Scheduled Tasks, Services, and Data Sources.

This affects the behavior of any existing Group Policy Objects (GPOs) in the environment that depend on passwords contained in these preferences. It also prevents new Group Policy Preferences from being created with this feature.

For drive maps, local users and groups, and services, you may be able to achieve similar goals with other, more secure features in Windows.

For scheduled tasks and data sources, you will not be able to achieve what the insecure Group Policy Preference password feature provided.
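Because existing GPOs that rely on stored preference passwords keep working only until someone edits them, an administrator needs an inventory of them before rolling out KB2928120. The script below is an added example, not from the original article or from Microsoft: it walks the domain's SYSVOL Policies share, opens the XML file for each of the five affected preference types, and reports every item that carries a cpassword attribute, together with the GPO GUID and the account the item configures, without reading or printing the stored value. It assumes a domain-joined host with read access to SYSVOL and takes the domain name from the environment.

```powershell
# Added example (not from the original article). Inventories GPP items that
# still store a password so the GPO can be reworked before it breaks.

$Domain   = $env:USERDNSDOMAIN             # assumes a domain-joined host
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"

# The five preference types the update affects and the XML file each uses.
$PrefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'

$findings = Get-ChildItem -Path $Policies -Recurse -File -Include $PrefFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw)

        # Every element anywhere in the file that has a cpassword attribute
        # (the <Properties> element of a preference item).
        foreach ($props in $xml.SelectNodes('//*[@cpassword]')) {
            # The account attribute differs per preference type.
            $acct = $null
            foreach ($a in 'userName', 'username', 'accountName', 'runAs') {
                if ($props.HasAttribute($a)) { $acct = $props.GetAttribute($a); break }
            }
            [pscustomobject]@{
                GpoGuid  = ($file.FullName -split '\\Policies\\')[1].Split('\')[0]
                PrefType = $props.ParentNode.ParentNode.LocalName   # Groups, Services, ...
                Item     = $props.ParentNode.LocalName               # User, NTService, Task, ...
                Account  = $acct
                HasValue = -not [string]::IsNullOrEmpty($props.GetAttribute('cpassword'))
                File     = $file.FullName
            }
        }
    }

if ($findings) { $findings | Sort-Object GpoGuid, PrefType | Format-Table -AutoSize }
else           { Write-Host "No stored GPP passwords found under $Policies" }
```

Each row is a GPO to migrate to one of the alternatives mentioned above (or, for scheduled tasks and data sources, to re-plan), and the same inventory can be re-run after the change to confirm that no cpassword attributes with a value remain.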

Craig's test found that after installing this patch, if you open a previously created local admin account item by double-clicking it in the preference editor, a warning message is displayed.

Click Continue and you can see that the password is still there, but it can no longer be modified; the password field is grayed out.

When you create a new account item, you can no longer set a password.
