What Is a Pass-The-Hash Attack? Explained by Wallarm

Overview of Pass-The-Hash Attack

A "hashed" user qualification can be stolen via a PtH attack, which does not require the invader to crack the hash in order to obtain the unique PIN. The hacker can then use the hacked account without having access to the basic text PIN or being able to execute a brute-force assault to realize the PIN.

Once an invader obtains the hash, they can use it to create a new authorized assembly on the identical net. To add insult to injury, it can provide an attacker some extra time to prowl a network undetected because password hashes don't typically update when the password itself is altered.

After hacking a device like a server or isolated laptop, cybercriminals utilize it to move laterally across a network in search of new information and permits. Invaders can utilize it to acquire access to higher-level resources by hopping from device to device and account to account in order to collect enough hashes to unlock a higher-level account, such as an overseer on a domain regulator. A PtH attack is carried out with the assistance of malware or other distant software.

‍

How Does a Pass the Hash Attack Work?

PtH attacks require an understanding of hashes and their usage in IAM systems as well as broader information security practices. A string of information can be transformed into unreadable ciphertext with the help of a mathematical purpose called a hash. A hash cannot be reverse-engineered to recover the original string because it is a one-way purpose.

In order to verify the authenticity of a password, hashes are often employed. The same hash function is used to verify your identity each time you log in to a scheme. Validation is granted if the hashes produced are the same. Say, for argument's sake, your password is "Fido123" (which, by the way, is a poor password). The hash of such password might be 536498465. You should not use "Fido123" as your password because that will not work with the verification scheme; instead, use 5364984657.

Because they are not able to store passwords in plain text, hashes are a privacy measure. The handler's current password of "Fido123" will never be stored in the system. Single-Sign-On (SSO) systems benefit from hashes as well because of their usability. After a person log into the net, the SSO system can use the hashed version of their username and PIN to validate them whenever they access any other services or resources on the network.

This may seem ideal, but there are complications. If an attacker obtains the hash, they can assume the user's identity in the SSO environment and launch sessions in their name with full access privileges.

Further, the system will keep a record of the hashes of any remote users who log in to that computer. An extremely valuable hash may be saved in the machine's memory if the system administrator had logged in there.

In either case, an attacker can reuse the same hash for multiple logins. If they are able to successfully travel from application to application and computer to machine, they will have ample opportunity to harvest further hashed passwords. Moreover, useful hashes may be preloaded onto each fresh system. An attacker could compromise your most vital IT systems by mining for hashes and then moving laterally across your network to get them.

‍

Who Is Vulnerable to These Attacks?

Most companies using Windows New Technology LAN Manager (NTLM) and Windows Server clients are susceptible to PtH attacks with zero trust. 

Microsoft's NTLM security mechanisms ensure that only authorized users may access protected resources while keeping all communications between those users private. To confirm the user's identity without requesting a password, NTLM uses a challenge-response protocol, making it possible for users to log in with just their network name and a challenge answer.

Several flaws in the way NTLM handled password hashing and salting are well-documented. When using NTLM, the password is not "salted," meaning that an additional random string of characters is not added to the hashed password to make it more secure. This means that attackers can authenticate a session with just the password hash, rather than the actual password.

The encryption used by NTLM also doesn't make use of recent developments in algorithms and encryption, which would otherwise greatly strengthen its security.

Even though Kerberos has replaced NTLM as the primary authentication protocol in Windows 2000 and later Active Directory (AD) domains, NTLM is still included on all Windows systems to ensure compatibility with older clients and servers. Network authentication with a Windows 2000 domain, for instance, is handled using the NTLM protocol for computers still running Windows 95, Windows 98, or Windows NT 4.0. Meanwhile, Windows 2000 clients will use NTLM for accessing resources in Windows 2000 and older domains and authenticating Windows NT 4.0 and earlier servers. To authenticate local logons with hosts outside of a domain, NTLM is also utilized.

‍

Risks Of Passing a Hash Attack

PtH attacks have murky risks that are hard to quantify. In fact, it's possible that they're challenging to qualify because they're too easy to qualify.

Risks associated with a PtH attack range from data loss to complete takeover, depending on the permissions level of the compromised credentials (POLP).

That ranges from but is not limited to:

• Hacking into computer systems
• Disseminating confidential or corporate data online
• Ransomware is an online attack method that encrypts files
• Invasion of privacy
• Substantial file changes
• Going without internet
• Users are locked out of their accounts.
• sends visitors to harmful URLs
• initiating the installation of malicious software

‍

How To Detect Pass-The-Hash Attack?

It might be difficult for enterprises to pass the hash attacks detection since NTLM authentication is handled by every workstation and server.

• Monitor NTLM authentications (especially for distant connections) for changes in patterns of user behaviour, such as a user accessing an abnormally large number of endpoints or a user accessing endpoints for the first time.
• Hash extraction from the LSASS.exe process on an endpoint requires malware to get a handle with PROCESS VM OPERATION and PROCESS VM WRITE permissions. In order to detect processes that generate malicious handles, Endpoint Detection and Response solutions can keep a close eye out.
• Active Directory hash extraction requires privileged access and additional tools like DCSync and NTDS.dit hash extraction. On their respective Attack Catalog sections, detection methods are discussed.

‍

An Example of An Attack in The World

Copel and Electrobas

Pass the hash attack example: Two of Brazil's largest power utilities, Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), reported being hit by ransomware in February 2021. Using a Pass the hash attack enabled the ransomware attacks.

Password hashes were stolen from the Active Directory (AD) database, more especially the NTDS.dit file, by malicious actors. Once the hashes were in the hands of the attackers, they lateralized their way up the user rights chain until they were able to extract hashes with sufficient privileges to launch the ransomware.

‍

How To Mitigate a Pass the Hash Attack

There is a distinction in how System Administrators and users can protect themselves from PtH attacks. Helpful hints for either will be provided.

1. For System Administrators

Because they exploit standard network protocols and user credentials, pass the hash attacks are difficult to spot and stop. Thus, to prevent lateral movement and permissions escalation, make compromised accounts tougher to utilize.

• Enable Defender Windows Credential Guard

Windows Defender Credential Guard can prevent PtH attacks in Windows 10 and later. Running the Local Security Authority Subsystem Service (LSASS), a Windows service that enforces security rules, in a virtualized sandbox protects it.

• Disable Lan Management hashes

Windows stores passwords in LM and NT hashes. Microsoft claims that brute force assaults can break the LM hash.

• Limit admin accounts

Limiting admin accounts in your business makes logical as LSASS hash extraction requires administrative rights. Passing hash attacks via your network is tougher with fewer admin accounts.

• Manage user workstations without RDP

RDP programs save your hashes, increasing your outbreak surface to pass hash assaults. Use a console tool to connect to distant computers.

• Harden admin machines

To reduce your attack surface, make admins use secure PCs for admin tasks.

• Microsoft Local Administrator Password Solutions

It is another natural Windows privacy function that ensures the local admin account has a separate complicated password for each computer it enters into. Attackers find lateral movement harder.

• Firewalls prevent PtH attacks.

Use a firewall. Use it to prevent PtH attacks. Most users in your business need to attach to distant file servers and sphere regulators, but not to other end-user devices. Firewall rules should block these lateral associates. The invader will also have trouble lateralizing.

• Security training

Staff privacy exercise can prevent PtH attacks and other assaults. Such exercise will enable your users recognize the first phishing email or other social engineering practices used to get network access identifications, explicitly minimizing PtH attacks. These assaults decrease with staff preparation.

• Limit domain admin account rights

These capabilities control and assign admin duties to other accounts. A negotiated account will lose value. Don't let a person administer several systems locally.

2. For Users

These are mostly common-sense strategies to avoid online risks. The first three facts unswervingly mitigate PtH attacks.

• After using your computer, log out and reboot it. That erases hashes.
• Open email attachments only after verifying the sender and the attachment's content.
• Click links (URLs) in emails only if you know who sent them, their destination, and that the despatcher is not being mimicked. Still, check the link. HTTP or HTTPS? Most genuine sites use HTTPS. Review the link for typos like faceboook instead of facebook or goggle instead of google. Instead of using the link, get there without it.
• Only acquire authentic antivirus software from reputable sources. Update your antivirus and scan frequently.
• Update your OS, updated OSes provide security patches. Install them ASAP.
• Practice a firewall — All chief operating systems and commercial routers have built-in inbound and NAT firewalls. Enable these. Clicking a dangerous link may guard your PC.
• Never click pop-ups, ever. Their destinations are unknown.
• Take a website cautionary carefully and acquire your information elsewhere. Email or SMS links may take you to a nasty site to download an infected file. Avoid ignoring computer warnings.

‍

Conclusion

That's pass-the-hash assaults, because they exploit genuine identifications, they're unpleasant. Being aware of the assaults and applying the aforementioned advice for System Managers and the organization's personnel can reduce your odds of being attacked. Always be safe and guard your hashes.