+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is a pass the hash attack?

Pass the hash is a technique used to steal credentials and enable lateral movement within a target network. In Windows networks, the challenge-response model used by NTLM security is abused to enable a malicious user to authenticate as a valid domain user without knowing their password.  Even though Kerberos has replaced NTLM as the preferred authentication method for Windows domains, NTLM is still enabled in many Windows domains for compatibility reasons. And so, pass the hash attacks remain an effective tool in the hands of skilled attackers.

How NTLM authentication works

NTLM is a ‘challenge and response’ based protocol.  A user is authenticated not with their password but with a hash of their password.  The password hash is static – it only changes if the user changes their password.  The password hash is stored in several places within the Windows network – if an attacker can obtain a copy of a user’s hash, they can impersonate that user and authenticate as that user.

When a user authenticates with NTLM, the following happens:

  1. The user enters their username and password.
  2. The client software generates a hash of password (and discards the cleartext password).
  3. The username is sent to the target system requesting authentication.
  4. A security challenge is returned which the client encrypts using the password hash and then sends back.
  5. The target system passes the encrypted response to the Domain Controller who also encrypts the challenge with its copy of the user’s password hash – if it matches then the user is authenticated.

If an attacker can obtain a copy of a user’s password hash, they are then able to commence an NTLM authentication starting from step 3 of the process above.

How Pass the hash attacks work

The attacker must first obtain access to the network through some other technique such as using phishing emails for credential theft.  Pass the hash is a post-compromise technique for further credential theft and lateral movement.

Windows uses a Single Sign On model for user authentication.  Once a user has provided their password once and the NTLM hash has been calculated, the hash is retained in memory for the rest of the session so subsequent authentication requests to different network resources do not need to keep prompting for the user’s credentials.

Because the NTLM hash is stored in memory, attackers can potentially extract the hash with the right tools, such as Mimikatz.

For logged on users, the NTLM hash is stored within the memory of the LSASS process on each computer. It is also retained in the memory of RDP server software.  (The hash is retained by the RDP server until the user session logs out – but if the user simply disconnects the hash is retained and the user is still considered logged in.  Thus, for RDP environments it is important to train users to Logoff their RDP sessions not simply disconnect.)

The NTLM hash is also stored within the NTDS.dit file on the domain controller or can be obtained by a DCSync attack which tricks a Domain Controller into syncing its store of hashes with malicious software impersonating another Domain Controller.

Attackers use the stolen credentials to further investigate the network and repeat the cycle of credential theft and lateral movement to ever increase their access footprint within the target network.

Tools such as PSExec can be used to execute commands on target systems using the stolen credentials to install malware or exfiltrate data.

 

What are Pass the Ticket Attacks

The Kerberos security system, which was intended to be the more secure replacement for NTLM in Active Directory, is vulnerable to a similar style of attack called Pass the Ticket.

Kerberos tickets, like NTLM hashes, can be used to authenticate access requests to network resources and can also be stolen from the memory of the LSASS process using tools such as Mimikatz. There are two kinds of Kerberos ticket: Ticket Service Tickets (TST) which grant access to a particular network resource (such as a file share) or Ticket Granting Tickets which can be used to request TST to any resource the user is authorised to access on the network.

 

Defending against pass the hash attacks

Pass the hash and Pass the Ticket attacks are hard to defend against and detect, because they make use of legitimate network protocols.  The best defence is to make it harder for the compromised accounts to be used for lateral movement and escalation:

  • Enable Windows Credential Guard – which protects the LSASS process by putting it into a secure sandbox using virtualisation – available on Windows 10 Enterprise and Server 2016 onwards.
  • Extracting hashes from LSASS or another processes memory requires administrative privilege – so reducing the number of accounts with admin rights makes compromised accounts less useful to attackers.
  • Use Microsoft Local Administrator Password Solutions (LAPS) to ensure the local admin account for every computer uses a different complex password, hindering lateral movement by attackers.
  • In many environments, end user devices need to connect to file servers and domain controllers but not to other end user devices – so configure firewall rules to prevent these lateral connections and so hinder lateral movement of attackers.
  • Security Awareness training will help your staff not fall for the initial phishing email or social engineering techniques used to obtain the first set of credentials needed for network access.
  • Do not allow users to be local administrators for multiple systems
  • Limit domain admin account permissions to domain controllers – delegate other admin functions to different accounts, thus limiting the value of any one compromised account.
  • Monitor authorisation and access logs using SIEM tools to automatically detect unusual patterns of access which may indicate account compromise.

You can help assess the resilience of your network against lateral movement and pass the hash attacks through an internal penetration test or a Red Team exercise (where a team of penetration testers mimic the actions of malicious attackers in an attempt to find and compromise valuable assets in your network).

 

 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.