Know How The Infamous Pass The Hash Attack Works
Pass The Hash Attack
Pass the hash attacks generally work on Windows, where the attacker uses stolen password hashes for privilege escalation rather than cracking the passwords. It is essentially a lateral privilege escalation technique.
Although Pass the Hash also works on Linux, Unix-based operating systems and other platforms, it is most prevalent on Windows. Even though Pass the Hash has been around for at least 22 years, it is far from being mitigated and the threat of Pass the Hash exists to this day.
Why does Pass the Hash occur?
Pass the Hash attacks occur because of the way Windows implements single sign-on with NTLM (NT LAN Manager) and authentication protocols like Kerberos. When a new user is created on Windows, the password hash is saved in the SAM (Security Account Manager) file. When a user logs in to his or her machine, the password hashes are held in the memory of the LSASS (Local Security Authority Subsystem Service) process, and Windows CredMan (Credential Manager) stores the user's saved passwords.
All of these can be obtained by a hacker by hash dumping in numerous ways, thus aiding them in performing pass the hash attacks.
How to perform Pass the Hash?
STEP 1: Stealing Password Hashes
The authentication process basically consists of comparing hashes, i.e. comparing the hash of the clear text password entered by the user to the hash saved in the SAM (Security Account Manager) file. If the attacker can somehow obtain the hash of the password, there is no need to obtain the password itself.
There are numerous ways of achieving that once you have gained a foothold in the network. The easiest way of doing this is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer.
The attacker must have admin privileges to the computer for this to work.
There are many tools for doing this. One famous tool is mimikatz.
See example command 1 at the end of this post.
STEP 2: Authentication using Pass the Hash
Now that the attacker has stolen the password hashes, they must use those hashes with pass the hash techniques to authenticate as the compromised user. It is possible to pass the hash directly over the wire to any accessible resource permitting NTLM authentication, but here I shall show you how to use the stolen hash to run cmd.exe.
To pass the hash using mimikatz securium::pth, the following parameters are specified:
/user: the compromised username
/domain: the FQDN of the domain if using a domain account, or "." if using a local account
/ntlm:, /aes128: or /aes256: the stolen NTLM, AES-128 or AES-256 password hash
See example command 2 at the end of this post.
STEP 3: Access Other Resources
By this point in time, your Pass The Hash attack has essentially been successfully completed.
Mission Accomplished Soldier!!
Now an attacker will use the newly acquired privileges to further their objective. There are tools that can be used to execute commands on remote systems, for example PsExec, which enable the hacker to expand their footprint and repeat this cycle of stealing credentials and moving laterally through almost all the systems on the network.
To reduce the threat of Pass the Hash attacks, an organization should ensure that domain controllers can only be accessed from trusted systems that do not have access to the internet. Multi-factor authentication that uses tokens should be enforced. Organizations should also closely monitor their network traffic for suspicious activity.
Since not all Pass the Hash attacks can be prevented, organizations should also improve their detection techniques alongside their preventative measures.
Example command 1 (Step 1): PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "securium::logonpasswords"
Example command 2 (Step 2): .\mimikatz.exe "securium::pth /user:<user name> /domain:domain.com /ntlm:< stolen password hash>"
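As an added example of the detection side the post calls for (this is not code from the original post or from the mimikatz project), the script below flags two Windows Security event 4624 patterns associated with pass the hash: on the source host, a logon type 9 (NewCredentials) logon made through the "seclogo" logon process with the Negotiate package, which is how a mimikatz-style pth injects the stolen hash into a new process; and on the target host, a type 3 NTLM network logon with KeyLength 0 for a real user account, which is a weaker, heuristic signal. The one-JSON-object-per-line input format and the sample events are assumptions constructed for the demo; the field names are the ones Windows writes into the 4624 event.

```python
import json

# Constructed sample 4624 events (not real logs), one JSON object per line,
# keyed by the field names Windows uses in the event's EventData/System.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice", "LogonType": 2, "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate", "KeyLength": 0}
{"EventID": 4624, "Computer": "WS01", "TargetUserName": "svc_backup", "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate", "KeyLength": 0}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "KeyLength": 0}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "KeyLength": 0}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "bob", "LogonType": 3, "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos", "KeyLength": 128}
"""

def parse_events(text):
    """Parse one JSON event per non-empty line (assumed export format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_pth_source_logon(ev):
    """Source-host signal: a pass-the-hash tool injecting a stolen hash creates
    a type 9 (NewCredentials) logon via the 'seclogo' logon process with the
    Negotiate package. Ordinary interactive or network logons do not."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate")

def is_pth_network_logon(ev):
    """Target-host signal (heuristic, weaker): a type 3 NTLM network logon with
    KeyLength 0 for a real user account. Legacy clients can produce this too,
    so corroborate it with the source-host signal before acting."""
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
            and int(ev.get("KeyLength", -1)) == 0
            and not user.upper().startswith("ANONYMOUS")
            and not user.endswith("$"))  # skip machine accounts

def scan(text):
    """Return (signal, host, user) tuples for every matching event, in order."""
    hits = []
    for ev in parse_events(text):
        if is_pth_source_logon(ev):
            hits.append(("pth_source_logon", ev["Computer"], ev["TargetUserName"]))
        elif is_pth_network_logon(ev):
            hits.append(("pth_network_logon", ev["Computer"], ev["TargetUserName"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Correlating the two signals on the same account within a short window (here svc_backup on WS01 and then FS01) is what turns the weak target-side heuristic into an actionable alert.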
Anshuman Bhagwani (Cyber Security Intern)