Pass the hash. Sounds like something you would hear at a family breakfast. I like corned beef hash as much as anyone, but the kind of hash we’re talking about here is the sort that can get you into all kinds of problems if you are vulnerable to this. It’s a new attack vector that is getting more attention these days, and you should be aware of it. Pass the Hash (or PtH) attacks are a form of credential theft that can have devastating consequences, as they can be used for both lateral attacks and privilege escalation attacks. Here’s what you need to know.
A credential theft attack is a way for an attacker to gain control of another user’s credentials. Usually, they go after the credentials of privileged users, like domain admins or server admins. But sometimes, the credentials of an end user are all they need to start their process, working their way up until they get some really juicy creds. Never think that a regular end user without rights to anything other than their workstation is not of value to an attacker.
Once an attacker has some account, really any account, that gives them access to any system, they have a foothold they can use to start a privilege escalation attack. That can either be to elevate the privileges of the account they currently control, or it can be to use that account to get access to a more privileged account.
If an attacker has privileges to one system, they may be able to leap frog from that one to another system. That’s a lateral attack. It doesn’t mean they are elevating their existing credentials…merely using them to gain access to other systems that the credential will have access to.
Hashes are one-way mathematical computations of values that theoretically cannot be reversed to determine the original value. So if I have the hash of your password, I cannot use that to figure out your password. Of course, if I have the hash of every possible password you might have used (see Rainbow Tables) then I can just cross-reference your hash to figure out your password. Or if another system will accept the hash as valid authentication credentials, then it is just as effective as having those credentials. And that is where PtH comes into play.
Pass the Hash
In a Pass the Hash attack, an attacker already has control of a workstation or server! That is critical to understand. This isn’t capturing NTLMv2 hashes on the network…this starts with the attacker convincing some end user to install software on their workstation, or exploiting a vulnerability on a server and installing software that sits there, running, waiting, until an admin logs on. Whether it’s over the network or interactively, if an admin authenticates on the compromised machine, then the malicious software running on the machine can grab the hash of the admin’s credentials, and use that to make a lateral attack against any other machine on the network to which those credentials have privileges.
Some of the more effective mitigations recommended by Microsoft include the following. These and other recommendations can be found at http://aka.ms/pth.
Restrict and protect high privileged domain accounts – Restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.
Restrict and protect local accounts with administrative privileges – Restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
Restrict inbound traffic using the Windows Firewall – Restricts attackers from initiating lateral movement from a compromised workstation by blocking inbound connections on all workstations with the local Windows Firewall.
For more on Pass The Hash, including additional recommendations on how to mitigate this attack, see the Microsoft resources at http://aka.ms/pth and the whitepaper “Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft Techniques” which can be downloaded by clicking here.