Pass the hash Giacomo Lanzi

Pass the hash: how to gain access without password

Estimated reading time: 6 minutes

Since the Internet has become widespread, tremendous progress has been made in awareness of the use of passwords. By now everyone knows what best practices are for setting a password (avoid standard passwords, use letters and numbers, avoid dates of birth, etc.). However, there is not much to rest assured, because hackers have another trick that could put your accounts at risk: the pass the hash attack.

Generally, password attacks can be mitigated by enforcing strong passwords, eliminating vendor defaults, and implementing a reasonable cyclical password replacement policy . Attacks on passwords, or rather on credentials, are still very popular, actually. One such attack is the so-called pass the hash or PtH .

These attacks are seen by some as a problem with older Windows systems. A little bit true, but they are still a threat. In fact, the Pass the Hash is still the subject of a lot of material that can be recovered with a simple Google search, both to understand how to defend oneself and to learn how to attack.

pass the hash password

The hashes

Before understanding what the Pass the Hash attack is, it is best to clearly define what a Hash is.

Security researchers have known since the dawn of modern computing that memorizing passwords in the clear is a bad security practice . For this, they came up with the idea of passing the plain text string through a special 1-way encryption function to produce a hash . A hash is a mathematical code of a predetermined length that derives and uniquely represents the password , but cannot be mathematically reversed or reveal what the starting password is.

In practice, this is a string of alphanumeric characters generated starting from the password.

The key point is that on both Windows and Linux systems the hash password is stored instead of the readable one. If you think about it, the hash acts as a proxy for identity: if you can prove you have it, it’s like an entrance ticket.

On Windows, the authentication protocol NTLM involves exchanging messages to confirm that users have the hash without actually sending it in the communication . This authentication technique is at the heart of how Active Directory (the heart of the Windows Server system), supports remote logins within a domain and is also used for other Windows services, in especially remote access to files.

Pass the Hash

The operating system stores hashes in memory to implement Single Sign On or SSO , which is a essential feature of Windows corporate environments. So far, so good, it would seem.

For example, on a laptop the user initially logs in with the password, Windows hash it and stores it so that when, for example, you access a remote directory or use other services where you need to prove your identity, you don’t need to re-enter your password. Windows uses the stored hash .

This behavior is sufficient for hackers. Through the use of RAM scrapers used on devices, hackers can peek into RAM and retrieve hashes . Unsurprisingly, there are toolkits on the net that allow hackers to steal credentials from memory and log in as that user.

This is one of the weaknesses of the SSO system. Hackers must not crack hashes (i.e. try to decrypt them), but simply reuse them or pass them to an authentication server , hence the name pass the hash .

pass the hash login

Pass the Hash exploits a feature not a bug

The assumption of this attack is that the hacker gains administrator permissions for a first user’s machine. Anyone in the industry will tell you it’s not necessarily difficult to do.

In a typical exploit, the hacker will take some hashes , log into other servers and continue the process of accumulating credentials. If he manages to hit the jackpot, that is, get to a domain controller or SQL server, it may be able to get the hashes of all users on the system.

Unfortunately, pass the hash is a feature of Windows, not a bug! NTLM authentication is actually using hash to implement the SSO protocol , saving the user the trouble of entering the password. Hackers are only using this feature for their own purposes.

In order not to be too hard on Windows systems, it must be said that pass the hash is also a problem in Linux systems that implement the communication protocol Kerboros , where there is an equivalent Pass the Ticket or PtT attack.

Here’s the most important thing to keep in mind: You can’t prevent the Pass the Hash attack, you can only mitigate or greatly reduce the chance of this attack occurring .

Pass the hash

Preventing the exploit

To date, this type of attack is used by the worst ransomware software.

The attack would happen like this: Once the ransomware hits, it acquires administrator privileges and, in addition to encrypting all data on the disk, uses the hashes found to perform dei lateral movement . Having obtained access to another machine on the network, proceeds to encrypt the data present on it, spreading rapidly over a network.

The only way to eliminate the chances of pass the hash attack would be to not use the Single Sign-On system for authentication. In this case, the hashes would not exist at all and they could not be exploited for the attack. Unfortunately, it is not easy to eliminate such a convenient system that makes access management so simple and convenient for users.

The SOD solution

Another mitigation method is to implement SIEM and UEBA , and set up centralized network control with a SOC .

Thanks to the SOC as a Service service offered by SOD, in fact, the network is monitored and controlled by an artificial intelligence that reports any possible suspicious behavior. em> lateral movement is thus immediately detected and blocked, as well as dubious requests for access to computers on the corporate network.

Technology advances and new defense solutions are being implemented, but equally attackers discover new ways to exploit vulnerabilities.

To greatly reduce the risk of data loss or fraudulent access, you must always keep up with the times.

If you are interested in knowing how our SOCaaS could help your company, do not hesitate to contact us, we will be happy to answer all your questions. < / p>

Link utili:

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Disclosing Vulnerability of CLink Office 2.0 May 23, 2022
    Posted by chan chan on May 23Dear Sir/Madam, I would like to submit a vulnerability found on CLink Office 2.0. I had contacted the vendor 60 days before but in vain. # Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console # Date: 30 Mar 2022 # Exploit Author: […]
  • [tool] tplink backup decryptor. May 23, 2022
    Posted by retset on May 23Yet another "tool" to decrypt a backup configs for some tplink wifi routers. Only tested on latest fw for "Archer C7". I hope that it will be useful for someone. https://github.com/ret5et/tplink_backup_decrypt_2022.bin
  • SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components) May 18, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes...
  • PHPIPAM 1.4.4 - CVE-2021-46426 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-03/2022 ]========================== PHPIPAM - Version 1.4.4 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents ]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability […]
  • LiquidFiles - 3.4.15 - Stored XSS - CVE-2021-30140 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-12/2021 ]========================== LiquidFiles - 3.4.15 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! May 18, 2022
    Posted by malvuln on May 18Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! https://www.youtube.com/watch?v=eg3l8a_HSSU
  • github.com/malvuln/RansomDLLs / Catalog of current DLLs affecting vulnerable Ransomware strains. May 18, 2022
    Posted by malvuln on May 18Reference list for my Ransomware exploitation research. Lists current DLLs I have seen to date that some ransomware search for, which I have used successfully to hijack and intercept vulnerable strains executing arbitrary code pre-encryption. https://github.com/malvuln/RansomDLLs
  • APPLE-SA-2022-05-16-2 macOS Monterey 12.4 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-2 macOS Monterey 12.4 macOS Monterey 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213257. AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed […]
  • APPLE-SA-2022-05-16-6 tvOS 15.5 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-6 tvOS 15.5 tvOS 15.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213254. AppleAVD Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel […]
  • APPLE-SA-2022-05-16-5 watchOS 8.6 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-5 watchOS 8.6 watchOS 8.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213253. AppleAVD Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free […]

Customers

Newsletter