A Pass the Hash (PtH) attack is a technique in which an attacker captures a user's password hash rather than the password itself and uses that hash to authenticate to networked systems. It is used to steal credentials and to move laterally within a network. In a Windows environment, the NTLM challenge-response protocol is abused so that a malicious user can authenticate as a valid domain user without ever knowing that user's password. Although Kerberos has replaced NTLM as the preferred authentication method for Windows domains, NTLM remains enabled in many domains for compatibility reasons, so pass-the-hash attacks remain an effective tool in the hands of attackers. There are other attacks associated with Kerberos, such as Pass the Ticket and Kerberos brute-force attacks, which I will discuss in my next guide. Below are some articles relating to this topic: NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers, Active Directory Authentication methods: How do Kerberos and NTLM work, and How to configure a service account for Kerberos delegation.
For more information on how to secure your identity infrastructure, refer to these Microsoft guides (link1 and link2). Related guides: Local Administrator account lockout is now available, Windows 11 Hardware and Software Requirements: How to upgrade to Windows 11, and How to enable or disable Windows Defender Credential Guard.
Passwords are still the most commonly used authentication factor, so weak passwords present a real security challenge for any organization. Password attacks such as guessing or cracking are often time-consuming. Tools that use precomputed hashes reduce the time needed to recover a password, but generating and storing those precomputed tables (rainbow tables) has its own cost in time and disk space. In a Pass the Hash attack the goal is to use the hash directly, without ever recovering the password, which makes these time-consuming password attacks unnecessary.
Note: Single Sign-On (SSO) is what makes Windows susceptible to Pass the Hash in the first place. To avoid prompting the user again for every network resource, Windows keeps the user's NT hash in LSASS memory for the lifetime of the logon session and uses it to answer authentication challenges on the user's behalf. Anything that can read that memory obtains the hash, and the hash alone is sufficient to authenticate as the user to other services.
How are passwords stored?
Passwords are sometimes stored in plaintext or reversibly encrypted, and sometimes in hashed form. A hashing function takes an input and produces an output from which the input cannot be recovered. In Windows, local user account passwords are managed in the Security Account Manager (SAM) database, held in the registry hive at %SystemRoot%\System32\config\SAM, and used by the Local Security Authority Subsystem Service (LSASS). Windows does not store the plaintext password but a hash of it. A password hash is a one-way derivation of the plaintext password and only changes when the user changes the password.
Windows keeps password material in five forms: the LM (LAN Manager) hash, the NT (often called NTLM) hash, copies in LSASS memory, cached domain credentials, and, when explicitly enabled, reversibly encrypted passwords. With tools such as Mimikatz an attacker who has gained administrative access to a machine can read these hashes out and then use them, without knowing the actual password, to authenticate as the user on the network and move from machine to machine (servers or clients). The five forms are described below.
1 – LM Hash
In earlier versions of Windows, the LM hash was stored and transmitted by default. From Windows Vista and Windows Server 2008 onward it is no longer stored by default, nor used by default during network authentication; newer versions store the NT hash and use NTLMv2 for network authentication. The LM hash is weak by design: the password is upper-cased and limited to 14 characters, then split into two 7-character halves that are each hashed independently (each half is used as a DES key to encrypt a fixed constant). The case-insensitivity and the independent 7-character halves shrink the keyspace so much that LM hashes can be cracked in minutes.
2 – NTLM Hash
The NT hash (commonly called the NTLM hash) is simpler than the LM hash: the password is encoded as UTF-16LE and hashed once with MD4. Case is preserved and long passwords are supported (127 characters on Windows 2000 and later). The hash is unsalted and not iterated, so two users with the same password have identical NT hashes on every machine in the forest, and this hash is the actual secret that NTLM authentication uses.
Note: NTLMv2 is an improved challenge-response protocol, not a new stored hash; it still derives its key from the NT hash. Unlike LM and NTLMv1 responses, the NTLMv2 response includes a client challenge, the user name and domain, and a timestamp in the computation, which prevents precomputation of responses and makes replay of a captured response ineffective.
3 – Cached Credentials
Cached credentials (domain cached credentials, DCC/MSCache) are stored so that a user can log on to a domain-joined machine when no domain controller is reachable, for example on a laptop away from the office. They live in the SECURITY registry hive, are salted with the user name and (in the DCC2 format used since Windows Vista) iterated, and cannot be passed directly in a Pass the Hash attack, although they can be cracked offline once dumped.
4 – Memory
Windows keeps the NT hash (and the LM hash, if LM storage is still enabled) of every logged-on user in LSASS process memory whenever the user logs on interactively, including via Remote Desktop. This memory is readable only by the operating system and by processes running as SYSTEM or holding SeDebugPrivilege, which local administrators have. LSASS uses the cached hash to authenticate the user transparently whenever the user accesses a network resource that requires authentication.
Note: These copies are cleared when the user logs off. Locking the screen does not clear them, and a disconnected Remote Desktop session keeps its credentials in LSASS until it is logged off, which is why idle administrative sessions on servers are a prime target.
5 – Reversibly Encrypted
In this form, passwords are stored with reversible encryption so that the clear-text password can be recovered. It is controlled by the "Store passwords using reversible encryption" policy, is disabled by default, and should only ever be enabled for accounts that must use legacy protocols that need the plaintext (such as CHAP or Digest authentication).
How are passwords used?
NTLM is the older network authentication protocol and Kerberos the modern one; Kerberos is considerably more secure and has been an integral part of Active Directory since Windows 2000.
Note: Both protocols remain in use regardless of your Windows version. Running Windows Server 2008 R2 or later does not mean you only use Kerberos: a share mapping such as "NET USE * \MyFileShare" falls back to NTLM whenever Kerberos cannot be used, for example when the target is addressed by IP address, is not domain-joined, has no matching service principal name (SPN), or a local account is used. Many applications also still authenticate with NTLM.
Kerberos is only used in a domain environment, and only when the target is addressed by a NetBIOS or DNS name that can be matched to an SPN. If a user connects to a resource by IP address, Kerberos is not used by default and authentication falls back to NTLMv2.
Note: An NTLMv2 response is not a stored hash; it is computed on the fly for each authentication from the NT hash, the server challenge, a client challenge, a timestamp and the target information. Because both challenges enter the computation, responses cannot be precomputed, and a captured NTLMv2 response is useful only for offline cracking of that one exchange (dictionary or brute force), not for lookup in a rainbow table. The weakness lies upstream: the response is derived from the unsalted NT hash, so anyone holding the NT hash can produce a valid NTLMv2 response without knowing the password.
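The following is an added example, not code from the original post, that shows the two facts above in running code: the NT hash is an unsalted MD4 over the UTF-16LE password, and the NTLMv2 response is an HMAC-MD5 keyed only by that hash, so a client holding the 16-byte hash (as dumped from LSASS in the attack sequence described further down) answers the server's challenge exactly like the real user would. MD4 is implemented inline because hashlib's md4 is commonly unavailable under OpenSSL 3. The user, domain and password, the two challenges and the target-info pairs are taken from the worked examples in the MS-NLMP specification; the "stolen" hash literal is simply the NT hash of that example password.

```python
"""NT hash and NTLMv2 challenge-response computed from the hash alone.

Added example, not code from the original post. Standard library only;
MD4 is implemented here because hashlib's md4 is usually disabled under
OpenSSL 3. Inputs follow the MS-NLMP section 4.2 examples.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320): little-endian words, three rounds of 16 steps."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, no iteration: the same
    password gives the same 16 bytes for every user on every machine."""
    return _md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: bytes, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2).

    The only secret entering this computation is the 16-byte NT hash, so a
    client that holds the hash but not the password answers the server's
    challenge exactly as the legitimate user would. That is pass-the-hash."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the target-info blob: AvId, AvLen, UTF-16LE value."""
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def demo() -> dict:
    """Same response from the password and from a stolen hash; a different
    server challenge gives a different NTProofStr, so nothing can be precomputed."""
    server_chal = bytes.fromhex("0123456789abcdef")
    client_chal = b"\xaa" * 8
    ts = b"\x00" * 8                                   # FILETIME; the spec example uses 0
    target = av_pair(2, "Domain") + av_pair(1, "Server") + struct.pack("<HH", 0, 0)
    stolen = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")   # NT hash as an LSASS dump yields it
    args = ("User", "Domain", server_chal, client_chal, ts, target)
    return {
        "from_password": ntlmv2_response(nt_hash("Password"), *args),
        "from_hash_only": ntlmv2_response(stolen, *args),
        "other_challenge": ntlmv2_response(stolen, "User", "Domain", bytes.fromhex("fedcba9876543210"),
                                           client_chal, ts, target),
    }


if __name__ == "__main__":
    r = demo()
    print("NT hash('Password') =", nt_hash("Password").hex())
    print("hash-only response equals password response:", r["from_password"] == r["from_hash_only"])
    print("NTProofStr changes with the server challenge:", r["from_password"][:16] != r["other_challenge"][:16])
```

Run it and the hash-only response equals the password-derived one byte for byte; change the server challenge and the first 16 bytes (the NTProofStr) change while the trailing blob stays the same, which is why a captured NTLMv2 response can be cracked offline for that single exchange but never looked up in a precomputed table. The timestamp and AV pairs are fixed here; a real client fills them from its clock and from the server's CHALLENGE_MESSAGE.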
How can passwords be attacked?
There are numerous ways to obtain a user's clear-text password. The two most common are online and offline attacks, described below. Other forms of attack against passwords include key loggers, shoulder surfing and social engineering.
1 – Online Password Attack (Password Guessing)
An online password attack, also known as password guessing, attempts to find the password by actually trying to log in. Online attacks are relatively slow because every guess is a logon attempt against a live system, constrained by network latency, account lockout policies and logging. A true brute-force attack takes far longer; under these conditions, trying millions of passwords simply isn't an option.
2 – Offline Password Attack (Password Cracking)
An offline password attack, also known as password cracking, is used once the attacker has captured a password hash or a challenge-response exchange. The attacker hashes candidate passwords (or computes the response each candidate would produce for the captured challenge) and compares the result with what was captured. A match means the hash has been cracked. No logon attempts are made, so no lockout or logging on the target slows the attacker down.
Precomputed hash attack
Precomputed hash attacks are a form of offline attack and are also referred to as rainbow table attacks: the hashes of candidate passwords are computed ahead of time and stored in a file, which can be very large (storing all LM hashes would require about 310 terabytes). Dr. Philippe Oechslin's time-memory trade-off drastically reduces the storage needed, to about 17 gigabytes for the LM case. Precomputed tables can cut the time to recover a password from weeks or months to hours or minutes. They only work against unsalted hashes such as LM and NT hashes; salted hashes and challenge-response values such as NTLMv2 responses cannot be tabulated in advance.
The technical attack sequence
For NTLM authentication, a password hash is equivalent to the clear-text password: an attacker who obtains the hash can use it to authenticate to a system without ever knowing the password that produced it. This is the "PtH" attack. It is an iterative two-step process for gaining control of an account and everything that account can reach. First, the attacker needs local administrator access on one computer; second, the attacker uses what is found there to extend access to other computers.
1. Steal authentication material from the compromised computer. Password hashes of logged-on users are loaded into the Local Security Authority Subsystem Service (LSASS), which runs as %SystemRoot%\System32\lsass.exe and is responsible for user authentication among other things. Using a hash-dumping tool, the attacker dumps these hashes for later use. Dumping hashes from the SAM database or from LSASS memory requires administrative privileges (SYSTEM or SeDebugPrivilege).
2. Reuse the stolen credentials against other computers and services. Only credentials present on the compromised computer can be stolen: local accounts from the SAM, and the domain user and service accounts that are currently or were recently logged on. Accounts that have never logged on to that system are not visible to the attacker, so the sequence is repeated from each newly reached machine until an account with the required rights on the target system turns up. With Mimikatz, the sekurlsa::logonpasswords command reads the logged-on users' credentials (NT hash, its SHA1, and the LM hash where still present) out of LSASS memory, while lsadump::sam dumps the local SAM; both run as SYSTEM or with debug privilege.
How to defend against Pass the Hash Attacks
Credential theft and reuse cannot be fixed with a single security update. To reduce PtH attacks effectively and stop attackers from using stolen hashes to move from one system to the next, users' access rights MUST be restricted. Merely changing how or where logon information is stored, for example inside the LSASS process, only requires attackers to update tools such as Mimikatz. The best defense is to make compromised accounts much harder to use for lateral movement and privilege escalation, by taking away the following options.
Enable Windows Credential Guard
Windows Defender Credential Guard uses virtualization-based security to move the NT hashes and Kerberos tickets out of the normal LSASS process into an isolated LSA process (LSAIso) that even a SYSTEM-level attacker on the host cannot read. It is available on Windows 10 Enterprise and Education and on Windows Server 2016 and later, and requires UEFI, Secure Boot and hardware virtualization. Note that it protects domain credentials in memory only; it does not protect local account hashes in the SAM, and it does not stop an attacker from using a hash stolen elsewhere against a Credential Guard machine.
- Extracting hashes from LSASS or from another process's memory requires administrative privileges, so reducing the number of accounts with administrative rights directly reduces the number of machines from which an attacker can harvest credentials.
- Use Microsoft Local Administrator Password Solution (LAPS) so that the local administrator account of every device has a different, complex, regularly rotated password. A shared local administrator password means one stolen hash opens every machine in the fleet.
- Segment the network; VLANs and host firewalls come in handy here. In most networks, end-user devices need to reach file servers and domain controllers but never each other, so block workstation-to-workstation traffic (SMB, RDP, WinRM) with firewall rules and make lateral movement between clients impossible.
- Security awareness training helps employees recognise phishing emails and other social engineering techniques.
- Do not log on to many systems with the same privileged account. Every host a privileged account logs on to is a place where its hash can be stolen.
- Limit domain admin accounts to logging on to domain controllers only, and delegate other administrative functions to separate, less privileged accounts, so that compromising any one account yields less.
- Monitor authentication and access logs with a SIEM (I recommend SCOM and Azure Monitor) to automatically detect unusual access patterns that may indicate account compromise.
- Monitor for rapid horizontal movement of accounts: a stolen hash will be tried against many hosts in a short time. Detecting this in near real time allows the source workstation to be removed from the network before the compromise spreads.
- For Bring-your-own-device (BYOD) users, avoid local administrative logins, since the users have full control of their devices, and never add domain user accounts to the local Administrators group, which would make lateral movement from those devices possible.
- Use a good spam filter that stops phishing emails (if you have no budget for an enterprise solution, there are open source options such as Proxmox Mail Gateway). Email is the entry point for many attacks; if the message never reaches the user, nobody is tempted to click the link.
- Avoid duplicate local admin passwords by giving each local admin account a unique password, and use a password manager to store and retrieve them. Examples are Pleasant Password Server and ManageEngine Password Manager Pro.
- Use anti-malware endpoint protection, and configure it to flag access to LSASS memory.
You can assess your network's resilience against lateral movement and pass-the-hash attacks with an internal penetration test or a Red Team exercise, in which a team of penetration testers simulates the actions of real attackers in an attempt to find and compromise valuable assets in your network.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.