Pass the hash: how to gain access without password
Estimated reading time: 6 minutes
Since the Internet has become widespread, tremendous progress has been made in awareness of the use of passwords. By now everyone knows what best practices are for setting a password (avoid standard passwords, use letters and numbers, avoid dates of birth, etc.). However, there is not much to rest assured, because hackers have another trick that could put your accounts at risk: the pass the hash attack.
Generally, password attacks can be mitigated by enforcing strong passwords, eliminating vendor defaults, and implementing a reasonable cyclical password replacement policy . Attacks on passwords, or rather on credentials, are still very popular, actually. One such attack is the so-called pass the hash or PtH .
These attacks are seen by some as a problem with older Windows systems. A little bit true, but they are still a threat. In fact, the Pass the Hash is still the subject of a lot of material that can be recovered with a simple Google search, both to understand how to defend oneself and to learn how to attack.
Before understanding what the Pass the Hash attack is, it is best to clearly define what a Hash is.
Security researchers have known since the dawn of modern computing that memorizing passwords in the clear is a bad security practice . For this, they came up with the idea of passing the plain text string through a special 1-way encryption function to produce a hash . A hash is a mathematical code of a predetermined length that derives and uniquely represents the password , but cannot be mathematically reversed or reveal what the starting password is.
In practice, this is a string of alphanumeric characters generated starting from the password.
The key point is that on both Windows and Linux systems the hash password is stored instead of the readable one. If you think about it, the hash acts as a proxy for identity: if you can prove you have it, it’s like an entrance ticket.
On Windows, the authentication protocol NTLM involves exchanging messages to confirm that users have the hash without actually sending it in the communication . This authentication technique is at the heart of how Active Directory (the heart of the Windows Server system), supports remote logins within a domain and is also used for other Windows services, in especially remote access to files.
Pass the Hash
The operating system stores hashes in memory to implement Single Sign On or SSO , which is a essential feature of Windows corporate environments. So far, so good, it would seem.
For example, on a laptop the user initially logs in with the password, Windows hash it and stores it so that when, for example, you access a remote directory or use other services where you need to prove your identity, you don’t need to re-enter your password. Windows uses the stored hash .
This behavior is sufficient for hackers. Through the use of RAM scrapers used on devices, hackers can peek into RAM and retrieve hashes . Unsurprisingly, there are toolkits on the net that allow hackers to steal credentials from memory and log in as that user.
This is one of the weaknesses of the SSO system. Hackers must not crack hashes (i.e. try to decrypt them), but simply reuse them or pass them to an authentication server , hence the name pass the hash .
Pass the Hash exploits a feature not a bug
The assumption of this attack is that the hacker gains administrator permissions for a first user’s machine. Anyone in the industry will tell you it’s not necessarily difficult to do.
In a typical exploit, the hacker will take some hashes , log into other servers and continue the process of accumulating credentials. If he manages to hit the jackpot, that is, get to a domain controller or SQL server, it may be able to get the hashes of all users on the system.
Unfortunately, pass the hash is a feature of Windows, not a bug! NTLM authentication is actually using hash to implement the SSO protocol , saving the user the trouble of entering the password. Hackers are only using this feature for their own purposes.
In order not to be too hard on Windows systems, it must be said that pass the hash is also a problem in Linux systems that implement the communication protocol Kerboros , where there is an equivalent Pass the Ticket or PtT attack.
Here’s the most important thing to keep in mind: You can’t prevent the Pass the Hash attack, you can only mitigate or greatly reduce the chance of this attack occurring .
Preventing the exploit
To date, this type of attack is used by the worst ransomware software.
The attack would happen like this: Once the ransomware hits, it acquires administrator privileges and, in addition to encrypting all data on the disk, uses the hashes found to perform dei lateral movement . Having obtained access to another machine on the network, proceeds to encrypt the data present on it, spreading rapidly over a network.
The only way to eliminate the chances of pass the hash attack would be to not use the Single Sign-On system for authentication. In this case, the hashes would not exist at all and they could not be exploited for the attack. Unfortunately, it is not easy to eliminate such a convenient system that makes access management so simple and convenient for users.
The SOD solution
Another mitigation method is to implement SIEM and UEBA
Thanks to the SOC as a Service service offered by SOD, in fact, the network is monitored and controlled by an artificial intelligence that reports any possible suspicious behavior. em> lateral movement is thus immediately detected and blocked, as well as dubious requests for access to computers on the corporate network.
Technology advances and new defense solutions are being implemented, but equally attackers discover new ways to exploit vulnerabilities.
To greatly reduce the risk of data loss or fraudulent access, you must always keep up with the times.
If you are interested in knowing how our SOCaaS could help your company, do not hesitate to contact us, we will be happy to answer all your questions. < / p>
- The SOAR benefits: simplifying investigation and response
- Security Code Review: How the service works
- Integration of the automated response: the automations in SOCaaS
- Coordination between CTI and SOC: how to further raise the defenses
- New Cloud Server: redundant internet
- Quality certificate for the SOCaaS of SOD
- Managed Detection and Response: a new preventive approach
- CLUSIT: our collaboration for better services
- Backup as a Service (17)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (22)
- Conferenza Cloud (4)
- ICT Monitoring (5)
- Log Management (2)
- News (21)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (15)
- Security (170)
- Web Hosting (15)
- ChromeLoader Malware Hijacks Browsers With ISO Files May 27, 2022The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.
- Physical Security Teams' Impact Is Far-Reaching May 27, 2022Here's how physical security teams can integrate with the business to identify better solutions to security problems.
- Taking the Danger Out of IT/OT Convergence May 27, 2022The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.
- Microsoft Unveils Dev Box, a Workstation-as-a-Service May 26, 2022Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.
- Broadcom Snaps Up VMware in $61B Deal May 26, 2022Massive merger will put Broadcom's Symantec and VMware's Carbon Black under one roof.
- Lacework Announces Layoffs, Restructuring May 26, 2022The cloud-security company blames "seismic" market shifts for shakeup.
- Twitter Fined $150M for Security Data Misuse May 26, 2022Twitter is charged with using emails and phone numbers ostensibly collected for account security to sell targeted ads.
- The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand May 26, 2022The new draft guidance on premarket submissions incorporates quality system regulations and doubles down on a life-cycle approach to product security.
- VMware, Airline Targeted as Ransomware Chaos Reigns May 26, 2022Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.
- Disclosing Vulnerability of CLink Office 2.0 May 23, 2022Posted by chan chan on May 23Dear Sir/Madam, I would like to submit a vulnerability found on CLink Office 2.0. I had contacted the vendor 60 days before but in vain. # Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console # Date: 30 Mar 2022 # Exploit Author: […]
- [tool] tplink backup decryptor. May 23, 2022Posted by retset on May 23Yet another "tool" to decrypt a backup configs for some tplink wifi routers. Only tested on latest fw for "Archer C7". I hope that it will be useful for someone. https://github.com/ret5et/tplink_backup_decrypt_2022.bin
- SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components) May 18, 2022Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes...
- PHPIPAM 1.4.4 - CVE-2021-46426 May 18, 2022Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-03/2022 ]========================== PHPIPAM - Version 1.4.4 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents ]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability […]
- LiquidFiles - 3.4.15 - Stored XSS - CVE-2021-30140 May 18, 2022Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-12/2021 ]========================== LiquidFiles - 3.4.15 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
- Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! May 18, 2022Posted by malvuln on May 18Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! https://www.youtube.com/watch?v=eg3l8a_HSSU
- github.com/malvuln/RansomDLLs / Catalog of current DLLs affecting vulnerable Ransomware strains. May 18, 2022Posted by malvuln on May 18Reference list for my Ransomware exploitation research. Lists current DLLs I have seen to date that some ransomware search for, which I have used successfully to hijack and intercept vulnerable strains executing arbitrary code pre-encryption. https://github.com/malvuln/RansomDLLs
- APPLE-SA-2022-05-16-2 macOS Monterey 12.4 May 17, 2022Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-2 macOS Monterey 12.4 macOS Monterey 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213257. AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed […]
- APPLE-SA-2022-05-16-6 tvOS 15.5 May 17, 2022Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-6 tvOS 15.5 tvOS 15.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213254. AppleAVD Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel […]
- APPLE-SA-2022-05-16-5 watchOS 8.6 May 17, 2022Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-5 watchOS 8.6 watchOS 8.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213253. AppleAVD Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free […]
Security Awareness, la sicurezza aziendale parte dai dipendenti. L'ingegneria sociale fa spesso leva sull'ignoranza… https://t.co/nGAs70Ofn5
Torna all'inizio Scopri i nostri servizi di Cyber SecurityTroverai sicuramente quello che fa al caso tuo Se vuoi m… https://t.co/Emm5kUfFc4
Estimated reading time: 6 minutes Today we see one of the latest additions to our SOCaaS, the Autonomous Threat… https://t.co/QNvHnKbEqq
Estimated reading time: 6 minutes The Security Code Review (SCR) service is increasingly used by companies l… https://t.co/rJmYXr1oCj
Estimated reading time: 6 minutes Il servizio di Security Code Review (SCR) è sempre più utilizzato dalle aziende… https://t.co/g2ho2C8FYh