What is pass the hash?
While a pass the hash attack is relatively easy to carry out, the consequences can be catastrophic: theft of business information, deletion of sensitive data, installation of malware, and more.
When did the pass the hash attack method first occur?
The first pass the hash attack was described in 1997 by Paul Ashton, who authenticated with a modified Samba SMB client using only the password hash, without the password itself.
In 2007, the first pass the hash toolkit was published on the web. It allowed an attacker to change the username, domain name and password hash that the Local Security Authority had cached after a user authenticated. With this toolkit, threat actors could perform a pass the hash attack using standard Windows tools and thus bypass the system's built-in authentication.
Pass the hash: how did it all start?
Having to confirm the user's identity before every action on a computer would significantly reduce work efficiency. To avoid this, there are various systems for authenticating users and controlling their access, both on a single workstation and within a working group (domain).
To let the user perform a specific action, the system needs to make sure the user is who he claims to be and then allow or deny the requested action. Usually, the system does this sequentially. First, the user confirms his identity, for example by entering a password; second, he receives access rights to system resources. Identity verification can be done in different ways: by entering a password, presenting a smart card, using biometrics, and so on. In all cases, however, the identity is confirmed once the user provides the system with unique information that only he should know.
After the identity is verified, the system keeps relying on that verification to allow or deny the user's actions in accordance with the access rights the administrator has set for him. Thus, the user does not need to enter a password, scan a fingerprint, or enter a PIN code each time.
To keep the working process both seamless and safe, the system must store the entered passwords securely. This is achieved by hashing the passwords and keeping the hashes in process memory or on the hard disk.
Important: from here on we will consider the pass the hash attack in relation to Microsoft Windows, because these operating systems are the most widely used and the most frequently targeted by this method. However, pass the hash attacks are applicable to Linux and Unix operating systems as well.
What are hash and hashing?
The terms hash and hashing are crucial for understanding pass the hash attacks. Hashing means transforming data with a mathematical algorithm; the result is a string of characters called a hash.
A hash is a fixed-length sequence of characters that is practically unique to its input, not the encoded data itself. For example, if we hash a file containing this article, we get one string of characters, but if this paragraph is removed from the article, the resulting hash is completely different. This is why hashing is often used to verify that a file has not been altered.
On Windows, a stored hash record might look like this:
administrator:1000:abdd13a12b3451abcdda1ba123bcd12ee:abc551122abcd251da124abcd2abcd23:::
The line above consists of four sections:
- Username;
- Relative ID (RID), a numeric identifier;
- LM hash (used on legacy systems up to and including Windows Vista/Server 2008);
- NTLM hash (NT LAN Manager).
So the system uses the hash instead of the password to authenticate the user.
Hashes used for user authentication are usually held in memory by the Local Security Authority Subsystem Service process (LSASS.exe). However, hashes can also be stored elsewhere, for example in the SAM (Security Account Manager) database, which is kept on the computer's hard drive.
Another term needed to understand the pass the hash method is the salt: a random set of characters added to the password before it is hashed, so that identical passwords produce different hashes and the hash is harder to crack. The NTLM hash contains no salt, so it is vulnerable to a pass the hash attack.
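The following Python example is added here to make the hash record format and the missing salt concrete; it is not code from the original article. It implements MD4 itself (assumption: the interpreter's hashlib may not offer MD4, as many OpenSSL builds have dropped it), derives the NT hash as MD4 over the UTF-16LE password, parses a "user:rid:lm:nt:::" record, and then uses the lack of a salt defensively: because equal passwords give equal NT hashes, an administrator can spot reused local administrator passwords across hosts without cracking anything. The sample records, host names and the salted SHA-256 contrast are constructed for the example.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), implemented here because many OpenSSL builds no longer ship it.
    The NT hash is simply MD4 over the UTF-16LE encoding of the password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, const, shifts, order in rounds:
            for i, idx in enumerate(order):
                r[0] = _rotl((r[0] + fn(r[1], r[2], r[3]) + x[idx] + const) & MASK32, shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]      # rotate so the next step updates the next register
        state = [(s + v) & MASK32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM storage disabled)


def nt_hash(password: str) -> str:
    """Unsalted NT hash: the same password gives the same hash on every machine and for every user."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hash_line(line: str) -> dict:
    """Split a 'user:rid:lm_hash:nt_hash:::' record and check that both hashes are 32 hex digits."""
    user, rid, lm, nt = line.rstrip(":").split(":")
    for name, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32 or any(c not in "0123456789abcdefABCDEF" for c in value):
            raise ValueError(f"{name} hash must be 32 hex digits, got {len(value)} characters")
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def find_shared_hashes(lines) -> dict:
    """Group accounts by NT hash. Because the hash is unsalted, identical hashes mean identical
    passwords, so this finds reused local administrator passwords without cracking anything."""
    by_hash: dict = {}
    for line in lines:
        rec = parse_hash_line(line)
        by_hash.setdefault(rec["nt"], []).append(rec["user"])
    return {digest: users for digest, users in by_hash.items() if len(users) > 1}


def salted_hash(password: str, salt: bytes) -> str:
    """Contrast case: a salted scheme (SHA-256 over salt||password) gives a different
    digest for every salt, so the same password no longer yields a recognisable value."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed sample: the built-in Administrator account (RID 500) on three hosts.
# Two hosts share the password "password", which is why their NT hashes collide.
SAMPLE_LINES = [
    f"Administrator@{host}:500:{EMPTY_LM}:{nt_hash(pw)}:::"
    for host, pw in (("ws01", "Winter2024!"), ("ws02", "password"), ("srv03", "password"))
]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    for digest, users in find_shared_hashes(SAMPLE_LINES).items():
        print("password reuse:", digest, "->", ", ".join(users))
    print("salted, two salts differ:", salted_hash("password", b"s1") != salted_hash("password", b"s2"))
```

Running the script reports the two hosts whose Administrator accounts share an NT hash; the same comparison run over real SAM exports is a cheap way to enforce the "no duplicated local administrator passwords" rule discussed later in the article.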
NTLM authentication protocol
Pass the hash attacks are based on obtaining cached NTLM hashes and then using them to gain or escalate access rights.
NTLM is a single sign-on (SSO) mechanism that authenticates a user through a challenge-response exchange. The protocol is a sequence of messages between the client and the server. In the original NTLM version used in early Windows releases, three messages are exchanged:
- NEGOTIATE_MESSAGE, sent by the client to open the exchange and announce the options it supports;
- CHALLENGE_MESSAGE, sent by the server and carrying a random challenge that the client must answer;
- AUTHENTICATE_MESSAGE, sent by the client with the response computed from the challenge and the password hash, proving its identity.
Because it is vulnerable to pass the hash attacks, NTLM was superseded by the more secure Kerberos protocol starting with Windows 2000. However, NTLM remains in use to ensure compatibility between "old" and "new" systems within the same infrastructure.
Pass the hash attack
Windows prompts the user for a password, converts it to a hash, and stores the hash in process memory or on the hard drive so it can be used for subsequent authentication.
In systems using the NTLM protocol, the hash is equivalent to the password. Thus, by extracting the "user_name:hash" pair, the attacker can authenticate to remote servers under the guise of the user whose credentials he obtained.
The stored hashes remain unchanged from session to session until the user changes the password. This allows an attacker to move between remote servers and collect more credentials.
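To show why the NTLM section above and the "hash is equivalent to the password" point apply, here is an added Python walk-through of the three-message exchange with both sides' computations; it is not code from the article and is not a real NTLMSSP implementation. The messages are plain dicts instead of the binary NTLMSSP layout, and the client blob is a simplified version of the MS-NLMP "temp" structure. The credential store, domain, user name and challenge values are constructed (the stored value is the published NT hash of "password"). The server side never sees a password: it recomputes the NTLMv2 proof from the NT hash it stores, so whoever holds that hash can answer any challenge. The second function shows what the fresh server challenge does achieve: a captured response cannot be replayed against a new challenge.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed credential store: the server keeps only the NT hash of each user, never the password.
# The value is the widely published NT hash of "password"; treat it as the hash of user "jdoe".
CREDENTIAL_STORE = {("CORP", "jdoe"): bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")}

FILETIME_EPOCH_DELTA = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain).
    Only the NT hash is needed here, which is why holding the hash is as good as holding the password."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def make_blob(client_nonce: bytes, filetime: int, target_info: bytes = b"") -> bytes:
    """Client-chosen part of the response (simplified 'temp' layout modelled on MS-NLMP)."""
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


# --- the three messages, as plain dicts rather than the binary NTLMSSP layout ---

def negotiate_message() -> dict:
    return {"type": "NEGOTIATE_MESSAGE", "flags": ("NTLMSSP_NEGOTIATE_UNICODE", "NTLMSSP_NEGOTIATE_NTLM")}


def challenge_message(server_challenge: bytes) -> dict:
    return {"type": "CHALLENGE_MESSAGE", "server_challenge": server_challenge}


def authenticate_message(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> dict:
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return {"type": "AUTHENTICATE_MESSAGE", "user": user, "domain": domain, "nt_response": nt_proof + blob}


def server_verify(store: dict, msg: dict, issued_challenge: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and the challenge it issued."""
    nt_hash = store.get((msg["domain"], msg["user"]))
    if nt_hash is None or len(msg["nt_response"]) <= 16:
        return False
    nt_proof, blob = msg["nt_response"][:16], msg["nt_response"][16:]
    expected = hmac.new(ntowf_v2(nt_hash, msg["user"], msg["domain"]),
                        issued_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def run_exchange(client_nt_hash: bytes, user: str = "jdoe", domain: str = "CORP", rng=os.urandom) -> bool:
    """Drive NEGOTIATE -> CHALLENGE -> AUTHENTICATE and return the server's verdict."""
    negotiate_message()                                  # client opens the exchange
    issued = rng(8)                                      # server picks a fresh 8-byte challenge
    challenge = challenge_message(issued)
    filetime = int(time.time() * 10_000_000) + FILETIME_EPOCH_DELTA
    auth = authenticate_message(client_nt_hash, user, domain,
                                challenge["server_challenge"], make_blob(rng(8), filetime))
    return server_verify(CREDENTIAL_STORE, auth, issued)


def replay_is_rejected() -> bool:
    """A captured AUTHENTICATE_MESSAGE only fits the challenge it was built for:
    the fresh challenge stops replay of responses, though not reuse of the hash itself."""
    nt_hash = CREDENTIAL_STORE[("CORP", "jdoe")]
    first = bytes(range(8))
    auth = authenticate_message(nt_hash, "jdoe", "CORP", first, make_blob(b"\xaa" * 8, 0))
    return (server_verify(CREDENTIAL_STORE, auth, first)
            and not server_verify(CREDENTIAL_STORE, auth, bytes(8)))


if __name__ == "__main__":
    print("client holding the stored NT hash is accepted:", run_exchange(CREDENTIAL_STORE[("CORP", "jdoe")]))
    print("client holding a wrong hash is rejected:", run_exchange(bytes(16)))
    print("captured response replayed against a new challenge is rejected:", replay_is_rejected())
```

The takeaway for defenders is in the third line of output: challenge freshness protects the wire, not the credential store, so the mitigations later in the article concentrate on keeping the hash out of attackers' hands and on noticing NTLM logons that should not be happening.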
Pass the hash attack process
The pass the hash attack process can be divided into four steps.
Step 1 – access the computer
A pass the hash attack starts with gaining access to the computer where the hash is stored. There are many ways to do so, but the most common are:
- Help from an insider who installs malicious software.
- Social engineering. An email with a phishing link to download a gift certificate is a prime example of this method.
- Physical access to a computer gained through an external attack.
Step 2 – collecting hashes
In order to collect hashes, threat actors commonly use several methods:
- Extracting data from the SAM. Cached passwords of authenticated users can be stored in local SAM databases, which anyone with administrator rights or special software can read. However, an administrator can disable the caching of hashes in the SAM, so this extraction method does not always work.
- Retrieving hashes from LSASS.exe. This method can lead to compromise of the entire domain, because the LSASS.exe process holds the credentials of users who, for example, logged into the system via Remote Desktop Protocol.
- Analysing traffic during challenge-response authentication. This yields only the encrypted challenge responses, so threat actors must use brute-force methods to recover the full credentials.
There are also less common methods for extracting passwords or password hashes, such as extraction from memory dump files, the system hibernation file (hiberfil.sys) and virtual machine memory files (.vmem).
To perform the second step, the threat actor needs the WinDbg package, Mimikatz and, in the case of a virtual machine, a utility that converts the virtual machine's paging file into a dump (vm2dmp or similar).
Step 3 – Substitution of hashes
For the last step, attackers use special pass the hash software: Mimikatz, Metasploit, Gsecdump, Windows Credentials Editor (WCE), fgdump and pwdump7. Many of these tools let threat actors obtain both password hashes and the passwords themselves. Pass the hash software also offers other attacks aimed at the Kerberos protocol, such as pass the ticket, Kerberos golden ticket and Kerberos silver ticket.
How to protect against pass the hash attacks?
Even an organization with an extensive and complex infrastructure can completely prevent the risk of a pass the hash attack. For effective pass the hash detection and prevention, we recommend the following steps:
- Disable the NTLM/LM authentication protocols to increase security. Note, however, that some systems cannot work without them.
- Protect users from phishing. Social engineering is a common way for threat actors to install malware on a user's machine. To prevent it, use a corporate email protection system such as Group-IB Business Email Protection.
- Use protection against malware. To defend against pass the hash attacks, organizations can employ local protection tools or more complex intelligent systems that analyse user behaviour, such as Group-IB Managed XDR.
- Benefit from intrusion detection and prevention systems (IDS/IPS). The actions performed during a pass the hash attack can be analysed by a monitoring system to stop the attack from progressing. For example, the system might detect an authentication attempt from an unusual client address, or an event in which psexec creates a shell and sends it back over the network. Such systems let you take the required measures in time.
- Avoid reusing passwords for local administrators. This stops a pass the hash attack from spreading from one machine to the next.
- Avoid using Remote Desktop Protocol. The LSASS.exe process holds the password hashes of domain members who connect via RDP; if a domain administrator has used RDP, an attacker can obtain the hash of his password.
- Isolate critical systems. All machines that store sensitive data should be isolated so that a pass the hash attack cannot reach them.
- Disable Windows account caching to prevent an attacker from accessing hashes in memory.
- Employ full disk encryption to protect against extraction of hashes and passwords from databases.
- Keep the number of administrators to the minimum required. The fewer administrators, the less likely it is that their credentials will be compromised.
- Apply the principle of least privilege.
- Install security patches promptly.
- Restrict debugging rights to prevent an attacker from attaching to processes and extracting hashes from their memory.
We recommend that you take the steps outlined in this article and follow them with a comprehensive enterprise security audit to identify hidden security gaps that could allow attackers to use pass the hash or other equally destructive techniques.
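The monitoring recommendation above mentions spotting an authentication attempt from an unusual client address. The Python detector below is an added example of that logic, not code from the article or from any product named in it. It runs over constructed log lines written in a flat key=value form that mimics the fields of Windows Security Event 4624 (logon type 3 is a network logon; the authentication package separates NTLM from Kerberos); the field names, host names, addresses and the per-account baseline of known source addresses are all assumptions made for the example. Two rules are applied: an NTLM network logon from an address the account has never used, and one account reaching several different hosts over NTLM within a minute, which is what lateral movement with a stolen hash looks like in the logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a flat key=value form resembling Windows Security Event 4624
# (LogonType=3 is a network logon; AuthPackage tells Kerberos from NTLM apart).
SAMPLE_LOG = """
2024-05-01T10:00:01 EventID=4624 LogonType=3 AuthPackage=NTLM Account=jdoe SrcIP=10.0.1.15 Target=FILESRV01
2024-05-01T10:00:05 EventID=4624 LogonType=3 AuthPackage=NTLM Account=jdoe SrcIP=10.0.1.15 Target=PRINTSRV01
2024-05-01T10:02:10 EventID=4624 LogonType=3 AuthPackage=NTLM Account=admin.svc SrcIP=10.0.1.50 Target=DC01
2024-05-01T10:05:00 EventID=4624 LogonType=3 AuthPackage=NTLM Account=admin.svc SrcIP=10.0.9.77 Target=FILESRV01
2024-05-01T10:05:03 EventID=4624 LogonType=3 AuthPackage=NTLM Account=admin.svc SrcIP=10.0.9.77 Target=HR-WS12
2024-05-01T10:05:08 EventID=4624 LogonType=3 AuthPackage=NTLM Account=admin.svc SrcIP=10.0.9.77 Target=FIN-WS03
2024-05-01T10:05:20 EventID=4624 LogonType=3 AuthPackage=Kerberos Account=jdoe SrcIP=10.0.1.15 Target=FILESRV01
""".strip().splitlines()

# Constructed baseline: the source addresses each account normally authenticates from.
BASELINE = {"jdoe": {"10.0.1.15"}, "admin.svc": {"10.0.1.50"}}

FANOUT_WINDOW = timedelta(seconds=60)   # look-back window for the fan-out rule
FANOUT_TARGETS = 3                      # distinct hosts within the window that trigger it


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def detect(lines, baseline) -> list:
    """Return alerts for NTLM network logons that are (a) from an address the account has not
    used before, or (b) fanning out to many hosts in a short window (lateral movement)."""
    alerts = []
    seen_pairs = set()                    # (account, src) already reported
    recent = defaultdict(deque)           # account -> deque of (time, target)
    fanout_alerted = set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3" or ev.get("AuthPackage") != "NTLM":
            continue                      # only NTLM network logons are of interest here
        acct, src, target, now = ev["Account"], ev["SrcIP"], ev["Target"], ev["time"]
        if src not in baseline.get(acct, set()) and (acct, src) not in seen_pairs:
            seen_pairs.add((acct, src))
            alerts.append({"rule": "ntlm_unusual_source", "account": acct, "src": src, "time": now})
        window = recent[acct]
        window.append((now, target))
        while window and now - window[0][0] > FANOUT_WINDOW:
            window.popleft()              # drop logons older than the window
        targets = sorted({t for _, t in window})
        if len(targets) >= FANOUT_TARGETS and acct not in fanout_alerted:
            fanout_alerted.add(acct)
            alerts.append({"rule": "ntlm_fanout", "account": acct, "targets": targets, "time": now})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

On the sample data the detector raises two alerts for admin.svc: one when it first authenticates from 10.0.9.77, and one when it reaches a third host within eight seconds. Both rules only need the fields already present in logon events, so the same approach can be reproduced in a SIEM query; the baseline should be learnt from a quiet period and reviewed whenever administrators' workstations change.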
