Pass-The-Hash Attacks

Pass-The-Hash Attacks: Understanding the Risks and Implementing Countermeasures

June 7, 2023

Introduction:

In the ever-evolving realm of technology and the interconnectedness it fosters, security concerns persist as a formidable challenge. While popular culture often portrays hackers with swift access to entire networks, the reality is far more complex. Attackers typically commence their conquest with low-level user accounts and progressively elevate their privileges to seize control of networks. A prominent technique employed in this endeavor is the pass-the-hash attack.

Overview of Pass-The-Hash Attack:

  • The pilfering of a hashed user credential characterizes a pass-the-hash attack, negating the need to crack the hash for the original password.
  • Armed with the stolen credential, the attacker can authenticate themselves without knowledge of the plain-text password or resorting to brute-force methods.
  • Leveraging the obtained hash, the attacker crafts a new authenticated session on the same network, capitalizing on the fact that password hashes are often left unchanged when passwords are modified. This grants the attacker extended covert access to traverse the network undetected.
  • Pass-the-hash attacks commonly exploit malware or other remote software.

How Does a Pass-The-Hash Attack Operate?

  • Executing a pass-the-hash attack necessitates an understanding of hashes and their role in identity and access management (IAM) systems, as well as broader information security practices.
  • Hashes, mathematical functions transforming data into unreadable ciphertext, act as a one-way process, rendering the retrieval of the original data impossible.
  • Hashes frequently serve as a mechanism for password verification. When logging into a system, the user’s entered password undergoes the same hash function. If the resultant hash aligns with the stored hash, authentication is granted.
  • Although this approach seems secure, vulnerabilities arise. When an attacker gains access to the hash, they can impersonate the user within the Single-Sign-On (SSO) environment, initiating sessions replete with unbridled access. Additionally, valuable hashes can be extracted from a system’s memory when a system administrator logs in, thus enabling the reuse of the same hash for multiple logins and facilitating lateral movement within the network.

Who Is Vulnerable to These Attacks?

  • Organizations employing Windows New Technology LAN Manager (NTLM) and Windows Server clients face susceptibility to pass-the-hash attacks, particularly within the context of zero trust security.
  • NTLM, a Microsoft security mechanism ensuring authorized access while preserving communication privacy, deploys a challenge-response protocol, allowing users to log in using only their network name and a challenge answer, thereby circumventing the need for their password.
  • Inherent flaws in the manner in which NTLM handles password hashing and salting make it vulnerable. The absence of salting, the inclusion of a random string of characters in the hashed password to bolster security, permits an attacker to authenticate a session solely with the password hash, obviating the requirement for the actual password.
  • Furthermore, NTLM encryption lacks the integration of recent algorithmic and encryption advancements, compromising its overall security.
  • Despite Kerberos supplanting NTLM as the primary authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains, NTLM endures on all Windows systems to ensure compatibility with older clients and servers. NTLM assumes network authentication roles in scenarios like Windows 2000 domain environments housing legacy systems or when authenticating local logins with hosts beyond a domain.

Risks Posed by Pass-The-Hash Attacks:

Pass-the-hash attacks engender a multitude of risks, which vary depending on the privileges tied to the compromised credentials. These risks include:

  • Unauthorized access to computer systems.
  • Unauthorized dissemination of confidential or corporate data.
  • Ransomware attacks encrypting files.
  • Invasion of privacy.
  • Significant modifications to files.
  • Loss of internet connectivity.
  • Users being locked out of their accounts.
  • Redirection to malicious URLs.
  • Initiation of malicious software installation.

Detecting Pass-The-Hash Attacks:

Detecting pass-the-hash attacks presents challenges for enterprises, as NTLM authentication occurs across every workstation and server. Nonetheless, several detection methods can prove helpful:

  • Vigilant monitoring of NTLM authentications, with particular emphasis on remote connections and scrutiny of alterations in user behavior patterns, such as accessing an unusually high number of endpoints or interacting with previously unvisited endpoints.
  • Endpoint Detection and Response solutions excel at identifying processes generating malicious handles, such as hash extraction from the LSASS.exe process, necessitating malware endowed with specific permissions.
  • Active Directory hash extraction demands privileged access and the employment of supplementary tools like DCSync and NTDS.dit hash extraction. Detection methodologies for these attacks are expounded upon in their respective Attack Catalog sections.

An Illustrative Real-World Incident:

Real-world instances of pass-the-hash attacks manifest in incidents like the ransomware assaults launched against Brazil’s prominent power utilities, Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), in February 2021. In these instances, pass-the-hash techniques enabled the attackers to procure password hashes stored within the Active Directory (AD) database, specifically the NTDS.dit file. Armed with the pilfered hashes, the malefactors gradually elevated their privileges until they amassed sufficient authority to initiate the ransomware onslaught.

Mitigating Pass-The-Hash Attacks:

Mitigating pass-the-hash attacks necessitates coordinated efforts from system administrators and users. The following recommendations are invaluable:

For System Administrators:

  • Enable Windows Credential Guard in Windows 10 and subsequent versions. Windows Credential Guard ensures that the Local Security Authority Subsystem Service (LSASS) operates within a virtualized sandbox, rendering it impervious to pass-the-hash attacks.
  • Disable the storage of Lan Manager (LM) hashes, as they remain susceptible to brute-force attacks.
  • Restrict the number of admin accounts within your organization, as fewer admin accounts escalate the difficulty of pass-the-hash attacks.
  • Administer user workstations without employing Remote Desktop Protocol (RDP) programs, which store password hashes and broaden the attack surface for pass-the-hash attacks. Instead, employ console tools to connect to remote computers.
  • Bolster the security of admin machines, thus reducing the attack surface.
  • Implement Microsoft Local Administrator Password Solutions (LAPS) to ensure unique and intricate passwords for local admin accounts accessing each computer. This measure heightens the challenge for attackers engaging in lateral movement.
  • Employ firewalls to curtail lateral movement within the network, permitting solely necessary connections to remote file servers and domain controllers.

For Users:

  • Log out and reboot your computer after use to eliminate stored hashes.
  • Exercise caution when opening email attachments, verifying both the sender and content.
  • Exercise prudence when clicking on links in emails, scrutinizing the sender’s trustworthiness and assessing the URL for any discrepancies or typographical errors.
  • Source antivirus software exclusively from reputable providers, keeping it updated and performing regular scans.
  • Maintain up-to-date operating systems with the latest security patches.
  • Enable and configure firewalls on your computer to bolster protection.
  • Refrain from clicking on pop-ups, as their destinations often remain unknown.
  • Exercise caution when visiting websites, and consider seeking information from alternative sources if a website raises concerns.
  • Treat computer warnings seriously, avoiding dismissiveness.

Conclusion:

Pass-the-hash attacks pose a significant threat as they exploit legitimate credentials. Understanding the intricacies of these attacks and implementing the recommended measures for both system administrators and users can help minimize the risk of becoming a target. Prioritize security, safeguard your password hashes, and remain vigilant. Take the necessary precautions to shield your systems and data.

Jake Wert
CISO
Private Matrix

#PassTheHashAttacks #Cybersecurity #InformationSecurity #DigitalThreats #NetworkSecurity #Hashing #Authentication #NTLM #WindowsSecurity #ZeroTrust #Risks #Mitigation #DetectingAttacks #EndpointSecurity #ActiveDirectory #RealWorldIncident #Ransomware #PrivilegedAccess #WindowsCredentialGuard #LateralMovement #UserAwareness #DataProtection #Vigilance #SecureSystems #StaySafeOnline