Very interesting and informative blog posting on Aorato

Smart Card’s Pass-the-Hash perils do not stop at its false sense of security. In order to support systems that require NTLM authentication, Windows needs to generate an NTLM hash. Since Smart Card does not have a password to derive the hash from, Windows engineers decided to artificially generate an NTLM hash for Smart Card users. The problem: this token, which is password equivalent, NEVER EXPIRES. This is not an implementation bug, as Microsoft’s official white paper states it explicitly: “If the account has been configured with the attribute Smart Card required for interactive logon, then the NT hash is a random value calculated when that attribute was enabled for the account. This password hash is provided to the client computer during the smartcard logons process by the domain controller. This password hash that is automatically generated when the attribute is set does not change

Therefore, malware that was able to grab the NTLM hash of a Smart Card user steals her identity forever. The victim would have been better off had she used a password to log in to the infected machine, as at least that password would have expired eventually (typically after 90 days) and the malware would have lost its grip on her identity.
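A defender can measure this exposure by listing enabled smart-card-required accounts whose hash has outlived a normal password lifetime. The following is an added example, not code from the quoted post or from Microsoft's paper; it assumes that `pwdLastSet` records when the random hash was generated and that account attributes have been exported as dictionaries, and the account names and values are constructed.

```python
from datetime import datetime, timedelta, timezone

SMARTCARD_REQUIRED = 0x40000  # userAccountControl bit: smart card required for interactive logon
ACCOUNTDISABLE = 0x2          # userAccountControl bit: account is disabled
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(moment):
    """Inverse conversion, used only to build the constructed sample data."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000

def stale_smartcard_hashes(accounts, now, max_age_days=90):
    """Return (name, age_in_days), oldest first, for enabled smart-card-required
    accounts whose NT hash is older than max_age_days."""
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not (uac & SMARTCARD_REQUIRED) or (uac & ACCOUNTDISABLE):
            continue
        last_set = int(acct["pwdLastSet"])  # assumption: this dates the generated hash
        if last_set == 0:
            continue  # 0 carries no usable date, so it cannot be aged here
        age = (now - filetime_to_datetime(last_set)).days
        if age > max_age_days:
            findings.append((acct["sAMAccountName"], age))
    return sorted(findings, key=lambda item: item[1], reverse=True)

# Constructed sample records shaped like an LDAP export (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 0x40200,  # smart card, set 3 years ago
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1095))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,      # password user, out of scope
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "carol", "userAccountControl": 0x40200,  # smart card, set 10 days ago
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "dave", "userAccountControl": 0x40202,   # smart card, but disabled
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=2000))},
]

if __name__ == "__main__":
    for name, age in stale_smartcard_hashes(SAMPLE, NOW):
        print(f"{name}: NT hash unchanged for {age} days")
```

The 90-day default mirrors the typical password expiry mentioned above, so every account reported holds a hash that has outlived the password it replaced.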

