This article discusses “What is Pass the Hash Attack and how to mitigate the attack”. A Pass the Hash (PTH) attack is a technique in which an attacker captures a password hash rather than the password itself and uses that hash to authenticate to networked systems. The technique is used to steal credentials and enable lateral movement within a network. In a Windows environment, the challenge-response model of NTLM authentication is abused so that a malicious user can authenticate as a valid domain user without knowing that user's password. Please see Bidding Farewell to NTLM in favour of Kerberos, and How to disable automatic Windows updates.
Although Kerberos has replaced NTLM as the preferred authentication method for Windows domains, NTLM is still enabled in many Windows domains for compatibility reasons, so pass-the-hash attacks remain an effective tool in the hands of attackers. It is worth noting that there are other attacks associated with Kerberos, such as Pass the Ticket and Kerberos brute-force attacks.
I will be discussing these in my next guide. Below are some articles relating to this topic: NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers, Active Directory Authentication methods: How do Kerberos and NTLM work, and How to configure a service account for Kerberos delegation.
Understanding Password Attacks
As is widely acknowledged, passwords are the most commonly used security control in the world today, so weak passwords present serious security challenges for your organization. Password attacks such as password guessing or password cracking are often time-consuming. Tools that make use of precomputed hashes reduce the time needed to obtain passwords.
Nonetheless, there are storage costs and time requirements involved in creating these precomputed tables, commonly known as rainbow tables. In a Pass the Hash attack, the goal is to use the hash directly without cracking the password, which makes time-consuming password attacks less attractive.
Here are some related guides: Local Administrators Account lockout is now available, and Windows 11 Hardware and Software Requirements: How to upgrade to Windows 11, and how to enable or disable Windows Defender Credential Guard.
Note: Systems that support Single Sign-On (SSO) are also susceptible to Pass the Hash attacks, because Windows keeps password hashes in LSASS memory so that SSO can reuse them. The attack relies on gaining access to services on behalf of the user through single sign-on, using the read-out password hash value in place of the password as the authenticator.
How are passwords stored?
Passwords are sometimes stored in plaintext or reversibly encrypted, and sometimes stored as a hash. A hashing function takes an input and converts it to an output from which the input cannot be recovered. In Windows, the Security Account Manager (SAM) manages user account passwords, which the Local Security Authority Subsystem Service (LSASS) also uses.
I’d also like to emphasize that passwords in Windows aren’t stored in plain text; they are stored as hash values. A password hash is a one-way derivation of the plaintext password and only changes when the user changes their password. The SAM database that holds this information lives as a file on the local file system.
Storage takes place in the following ways: LM (LAN Manager) hash, NTLM hash, memory, reversibly encrypted, and cached-credentials hash. With tools such as “mimikatz” it is possible to read out password hashes, which can then be reused. In this form of attack, the attacker gains administrative access to a PC and reads all the password hashes held on it.
The attacker can then use those hashes, without knowing the actual passwords, to authenticate as you on the network and even move from machine to machine (servers or clients). Below are the five primary ways in which the Windows operating system stores passwords to authenticate users.
1 – LM Hash
In earlier versions of Windows, the default state was for the LM hash to be stored and transmitted.
However, in Windows Vista and above, the LM hash was no longer stored by default, nor is it used by default during network authentication.
Instead, newer versions use the NTLMv2 hash as the default authentication method. The LM hash has the following weakness:
Password length is limited to 14 characters and the password is case-insensitive, which shrinks the keyspace from which users can choose their passwords.
2 – NTLM Hash
The NTLM hash algorithm is simpler than the LM hash. It takes the password, hashes it using the MD4 algorithm, and stores the result; it supports very long passwords (127 characters on Windows 2000 and later systems).
Note: NTLMv2 improves upon the LM and NTLM hashes and their weaknesses. It uses the NT hash, but also includes a client challenge in the computation. NTLMv2 also includes timestamps, which make it immune to replay attacks.
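As an added example (not code from the original article), the NT hash derivation just described in Python: MD4, implemented here from RFC 1320 because many OpenSSL 3 builds no longer expose it, applied to the UTF-16LE encoding of the password. Because no salt or per-machine input is involved, two accounts with the same password get the same hash, which is the defender's reason for unique local administrator passwords; the `audit` helper and the host names in `SAMPLE` are this example's own constructed additions.

```python
import struct

MASK = 0xFFFFFFFF
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (OpenSSL 3 builds often no longer expose it)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)  # pad, then bit length
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = ((F, 0x00000000, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, order, shifts in rounds:
            for i, word in enumerate(order):
                j = -i % 4  # register updated this step cycles a, d, c, b
                v[j] = _rotl((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + X[word] + k) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

def audit(account_hashes: dict, compromised: set) -> dict:
    """Map account -> reasons for NT hashes that appear in a breach list or are shared by accounts."""
    by_hash = {}
    for acct, h in account_hashes.items():
        by_hash.setdefault(h, []).append(acct)
    findings = {}
    for acct, h in account_hashes.items():
        reasons = (["known-compromised hash"] if h in compromised else [])
        if len(by_hash[h]) > 1:
            reasons.append("shared with " + ", ".join(a for a in by_hash[h] if a != acct))
        if reasons:
            findings[acct] = reasons
    return findings

# Constructed sample (hypothetical hosts): local Administrator NT hashes and a tiny breach list.
SAMPLE = {"WS01\\Administrator": nt_hash("Summer2023!"), "WS02\\Administrator": nt_hash("Summer2023!"),
          "SRV01\\Administrator": nt_hash("password")}
BREACHED = {"8846f7eaee8fb117ad06bdd830b7586c"}  # the widely published NT hash of "password"
```

Running `audit(SAMPLE, BREACHED)` flags WS01 and WS02 for sharing a hash and SRV01 for a breached one; a real breach list would be loaded from a file rather than embedded.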
3 – Cached Credentials
Cached credentials is the term used for storing domain logon credentials so that a user can log in locally to a domain member without connecting to a domain controller (for example, when the domain is unavailable).
4 – Memory
Windows caches users’ password hashes (NT hash and LM hash) in a memory location whenever a user logs on interactively or via Terminal Services. This location is accessible only by the operating system and by any process acting as the operating system.
The operating system uses this cached hash to authenticate the user whenever the user tries to access a network resource, and that resource requires authentication.
Note: This memory location is purged as soon as the user locks the system or logs off.
5 – Reversibly Encrypted
In this form, passwords are stored using reversible encryption, so the clear-text password(s) can be recovered. Windows disables this form of password storage by default.
How are passwords used?
NTLM is the old-fashioned way and Kerberos is the newest form of network authentication. NTLM is less secure, and Kerberos is more secure. Kerberos is an integral part of Active Directory and has been present since Windows 2000.
Note: Both authentication methods are widely in use today regardless of your Windows version. You might think that since you’re running Windows 2008 R2 or later you are only using Kerberos, but that is not true: a Windows share mapping such as “NET USE * \\MyFileShare” uses NTLM authentication, not Kerberos. Many applications also use NTLM authentication.
Kerberos is a set of services used only in a domain environment, and only when a NetBIOS name or DNS name is used to connect. Therefore, if a user connects to a resource via its IP address, Kerberos will not be used; NTLMv2 will be used instead to authenticate the user.
Note: An NTLMv2 hash is vulnerable to precomputed hash attacks just like any other hash when no salt is used. However, the NTLMv2 hash is not stored in Windows; it is generated on the fly.
NTLMv2 authentication uses both the client nonce and the server nonce (challenge) to calculate the response, unlike NTLM authentication, which uses a fixed server challenge. Because the response depends on these challenges, precomputed attacks against NTLMv2 are not possible.
How can passwords be attacked?
There are numerous ways to obtain users' clear-text passwords. Below are the two most common categories, online and offline attacks. Other forms of attack against passwords include keyloggers, shoulder-surfing, social engineering, and so on.
1 – Online Password Attack (Password Guessing)
An online password attack, also known as password guessing, is the process of attempting to find passwords by trying to log in. Online password attacks are relatively slow, and a true brute-force attack takes far longer. Under these conditions, trying millions of passwords simply isn’t an option.
2 – Offline Password Attack (Password Cracking)
An offline password attack, also known as password cracking, is possible when the attacker has captured a password hash. The attacker cracks the password by computing the hash of a candidate password (or a challenge-response sequence) and comparing it to the hash or response that was captured.
If a match is found, the attempt to crack the hash is successful.
Precomputed hash attack
Precomputed attacks, also known as rainbow table attacks, are a type of offline attack in which a file holds password hashes for rapid comparison and retrieval. This file can be very large; for example, storing all LM hashes would require 310 terabytes.
Using Dr. Philippe Oechslin’s time-memory trade-off drastically reduces the storage needed to hold the hashes, to 17 gigabytes. Precomputed hashes greatly decrease the time needed to crack passwords: from months or weeks to just a few hours or even minutes.
The technical attack sequence
Password hashes are equivalent to clear-text passwords: if an attacker obtains the hash, he can use it to gain access to a system without knowing the password used to create it. This is the “PTH” attack.
PTH uses an iterative two-step process to gain control of a user account and access to all the resources and permissions of that account. First, the attacker must gain local administrator access to a computer. Second, the attacker tries to extend that access to other computers.
1. Steal one or more authentication secrets from the compromised computer. Password hashes are loaded into the Local Security Authority Subsystem Service (LSASS), which runs as the executable %SystemRoot%\System32\Lsass.exe and is responsible for user authentication, among other things. Using hash-dumping tools, an attacker can dump the password hashes for further use. It is important to note that dumping password hashes from the Windows SAM database or from memory requires administrative privileges.
2. Reuse the stolen credentials to access other computer systems and services. Only credentials that are stored on a computer can be stolen, including those of domain user accounts and service accounts. Accounts that have never logged on to the system are not present and cannot be stolen.
For this reason, this sequence is repeated as many times as necessary to reach the targeted computer system with the required rights.
With the Mimikatz tool it is possible to read password material from the SAM database with SYSTEM privileges on Windows using the “sekurlsa” command. It yields SHA1, NTLM or LM hash values of user passwords; again, accounts that have never logged on to the system are not visible to the attacker.
How to defend against Pass the Hash Attacks
A simple security update cannot fix or prevent a pass-the-hash attack, or credential theft and reuse in general. To effectively reduce “PTH attacks” and stop attackers from using stolen hash values to move from one system to another, system administrators MUST restrict users’ access authorizations.
Changing how logon information is stored, for example in the Windows LSASS process, only requires attackers to modify existing tools such as Mimikatz to support the new layout. The most effective defence strategy is to make compromised accounts hard to use for lateral movement and privilege escalation. To achieve this, apply the following measures.
Enable Windows Credential Guard
Windows Credential Guard protects the LSASS process by isolating it in a virtualization-based secure environment. It is available on Windows 10 Enterprise and from Windows Server 2016.
User Account Privilege Management
- Administrative privileges are necessary to extract hashes from LSASS or other process memory, so limiting the number of accounts with administrative rights reduces exposure to the attack.
- Implement Microsoft Local Administrator Password Solution (LAPS) to ensure unique, complex passwords for the local administrator account on all devices. This mitigates lateral movement by attackers in your network.
- Segment your network; VLANs come in handy here. In many networks, end-user devices need to connect to file servers and domain controllers but not to other end-user devices, so configure firewall rules to block these peer-to-peer connections and thereby hinder the lateral movement of attackers.
- Security awareness training helps your employees stay ahead of phishing emails and other social engineering techniques.
Access Control Measures
- Restrict local administrative access that spans multiple systems.
- Limit domain admin account permissions to domain controllers, and delegate other admin functions to separate accounts, which limits the value of a single compromised account.
- Utilize SIEM tools like SCOM and Azure Monitor to monitor authorization and access logs. These tools can automatically detect abnormal access patterns that may indicate compromised accounts.
- Monitor for rapid horizontal movement of accounts. Compromised hashes let attackers probe for network access; identifying this in real time lets you contain the spread by removing the affected workstation from the network.
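As an added illustration of the last two points (this is example code, not from the original post or any product), a small Python detector over a constructed set of Windows Security event 4624 records. The real event carries Logon Type and Authentication Package fields; the one-line-per-logon layout, host names and accounts below are this example's simplification. It flags any account whose NTLM network logons (logon type 3) reach more than a threshold of distinct hosts within a sliding window, the "rapid horizontal movement" pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs) of Windows Security event 4624 fields, one logon per line:
# timestamp, account, source workstation, target host, logon type, authentication package.
EVENTS = """\
2024-03-01T09:00:05 jsmith WS-17 FS01 3 NTLM
2024-03-01T09:00:09 jsmith WS-17 WS-22 3 NTLM
2024-03-01T09:00:12 jsmith WS-17 WS-23 3 NTLM
2024-03-01T09:00:14 jsmith WS-17 WS-24 3 NTLM
2024-03-01T09:00:20 jsmith WS-17 SQL02 3 NTLM
2024-03-01T09:01:00 akhan WS-05 FS01 3 Kerberos
2024-03-01T09:02:10 akhan WS-05 SQL02 3 Kerberos
2024-03-01T09:03:00 svc_backup BK01 FS01 3 NTLM
2024-03-01T09:03:30 svc_backup BK01 FS01 3 NTLM
"""

def parse(text: str) -> list:
    """Turn the flattened sample into (time, account, source, target, logon_type, package) tuples."""
    rows = []
    for line in text.splitlines():
        ts, acct, src, dst, ltype, pkg = line.split()
        rows.append((datetime.fromisoformat(ts), acct, src, dst, int(ltype), pkg))
    return rows

def flag_lateral_ntlm(events: list, max_hosts: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {account: sorted target hosts} for accounts whose NTLM network logons
    (logon type 3) reached more than max_hosts distinct hosts inside any sliding window."""
    per_acct = defaultdict(list)
    for ts, acct, _src, dst, ltype, pkg in events:
        if ltype == 3 and pkg.upper() == "NTLM":       # Kerberos logons are ignored here
            per_acct[acct].append((ts, dst))
    findings = {}
    for acct, hits in per_acct.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings[acct] = sorted(hosts)
                break
    return findings
```

Tune `max_hosts` and `window` to your baseline; service accounts such as the backup account above legitimately touch a few hosts, so the threshold, not the NTLM filter alone, is what keeps the alert useful.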
BYOD and Email Security
- For Bring-Your-Own-Device (BYOD) users, avoid local administrative logins, as the users already have full control of their devices. Also avoid adding the domain user account to the local Administrators group, which would make lateral movement possible.
- Employ a robust spam filter to thwart phishing scams. If on a budget, explore open-source options such as Proxmox Mail Gateway. Email is the entry point of many attacks; if you can prevent the email from reaching the user, you remove the temptation to click a link.
- Avoid duplicate local admin passwords by creating a unique password for each local admin account. A password manager can help store and retrieve these unique passwords; examples are Pleasant Password Manager and ManageEngine Password Manager.
- Use anti-malware endpoint protection.
You can assess the resilience of your network against lateral movement and pass-the-hash attacks through an internal penetration test or a Red Team exercise (where a team of penetration testers simulates the actions of malicious attackers in an attempt to find and compromise valuable assets in your network).
Please see Repair or Uninstall Azure AD Connect: How to uninstall Azure AD Connect, the Methods for Integrating Azure Active Directory with on-Premise Active Directory, and PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attack on AD CS.
I hope you found this blog post on what a Pass the Hash attack is and how to mitigate it helpful. If you have any questions, please let me know in the comment section.