Pass-the-Hash

Overview
Pass-the-Hash (PtH) is an attack method where the adversary steals the hashed credentials of a user (or a computer) in order to authenticate, via NTLM, to various enterprise resources.

NTLM Background
NTLM is an authentication protocol used by Microsoft. All Windows versions older than Windows XP SP3 use NTLM as their default. Newer versions of Windows still use NTLM for backwards compatibility.

The NTLM authentication protocol works in the following manner:

  1. The user provides a domain name, username and password to access their computer. The computer computes a cryptographic hash of the password and discards the actual password.
  2. When the user attempts to access the server, the computer sends the username to the server in cleartext.
  3. The server generates a 16-byte random number, called a “challenge”, and sends it to the user.
  4. The user encrypts this challenge using its password hash and returns it to the server (the “response”).
  5. The server sends the following three items to the Domain Controller:
    a. User name
    b. Challenge sent to the client
    c. Response received from the client
  6. The Domain Controller uses the username to retrieve the hash of the user’s password from the Security Account Manager database and uses this password hash to encrypt the challenge.
  7. The Domain Controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful and the Domain Controller notifies the server.

From the above it is clear that an attacker who steals the password hash can impersonate the user (or computer), authenticating on the user’s behalf, while all communication appears to be legitimate: at no point after step 1 does the protocol use the password itself, only its hash.
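The seven-step exchange above, modelled as an added example (not code from the original page): client, server and Domain Controller are separate parties, and the Domain Controller’s verification depends only on the stored hash. SHA-256 and HMAC stand in for NTLM’s MD4 password hash and DES-based response computation; that substitution is an assumption made so the example runs without legacy hash support, and it does not change the property being shown.

```python
import hashlib
import hmac
import os

def password_hash(password: str) -> bytes:
    # Step 1: only a hash of the password is kept. Real NTLM uses MD4 over the
    # UTF-16LE password; SHA-256 stands in here (assumption).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Used by the client (step 4) and the DC (step 6): keyed by the hash alone.
    # Real NTLM uses DES keys derived from the hash; HMAC stands in (assumption).
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self) -> None:
        self.accounts = {}  # username -> stored hash; stand-in for the SAM database

    def add_user(self, username: str, password: str) -> None:
        self.accounts[username] = password_hash(password)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # Steps 6-7: recompute the expected response from the stored hash and compare.
        stored = self.accounts.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)

class Server:
    def __init__(self, dc: DomainController) -> None:
        self.dc = dc

    def logon(self, username: str, respond) -> bool:
        challenge = os.urandom(16)      # step 3: 16-byte random challenge
        response = respond(challenge)   # step 4 is computed on the client
        return self.dc.verify(username, challenge, response)  # step 5

def client_logon(server: Server, username: str, pw_hash: bytes) -> bool:
    # Steps 2-4 from the client's side: it needs only the hash, never the password.
    return server.logon(username, lambda c: compute_response(pw_hash, c))

def demo():
    dc = DomainController()
    dc.add_user("alice", "correct horse battery")  # constructed sample account
    srv = Server(dc)
    # Whoever holds the hash passes; the DC cannot tell where the hash came from.
    legit = client_logon(srv, "alice", password_hash("correct horse battery"))
    wrong = client_logon(srv, "alice", password_hash("some other password"))
    return legit, wrong
```

Note that the random challenge does defeat replay of a captured response; what it cannot do is distinguish a hash obtained from a typed password from one obtained any other way, which is exactly the gap the rest of this page discusses.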

Pass-the-Hash Attacks in the Wild
Despite PtH being an “old” attack, first published in 1997, the automation of hacking has allowed it to become much more prevalent. For example, common tools such as WCE and Metasploit support carrying out PtH attacks in an automated manner.

Additionally, PtH is considered one of the key steps in many APT attacks. To quote Infoworld: “PTH goes hand-in-hand with the types of infamous APT (advanced persistent threat) attacks that have staggered companies such as RSA, Sony, Dupont”.

Failed Attempts at Mitigating Pass-the-Hash Attacks
Various defenses have aimed to contain PtH attacks, but unfortunately each has been defeated in turn. These include:

  • Limiting access to the computer’s memory to retrieve the hash
    Since the hashes are stored in memory, many attacks relied on accessing the computer’s memory. This measure aims to block attack attempts which directly retrieve the hash from memory. However, there are other ways to gain access to the hash, such as side-channel attacks and a MitM (SMBRelay) attack within the organization.

  • Anti-Virus (AV) tools and Intrusion Prevention Systems (IPS)
    AV tools and IPS are based on signatures and look for the known fingerprints of common exploitation tools. However, tool variations and the use of lesser-known tools defeat the common signature patterns. Additionally, as mentioned earlier, stealing the hash does not necessarily require reading the computer’s memory.

  • Disabling and restricting admin accounts
    This solution is not realistic in an enterprise environment. Consider a daily backup procedure on various computers; specific tasks that require admin privileges; or even mistakes made by IT admins, such as deploying a 3rd-party product that uses the Domain Admin account. In each of these scenarios, the process runs under the admin account and ultimately leaves the password hash on the computer.

  • Fortification features in Windows 8.1
    While Microsoft’s attempts are laudable, they do not eliminate the problem. First, it takes years, if it happens at all, for an enterprise to update all of its systems to the new operating system. Following the common paradigm “if it works, don’t break it”, it can be expected that legacy and highly sensitive systems will continue to run old processes to avoid any compatibility issues. Furthermore, since the release of Windows 8.1 there have already been publications of PtH attacks defeating the defense measures within several systems, such as RDP’s “Restricted Mode”.

  • Monitoring the activity of privileged users
    The problem at hand is not limited to privileged users. For example, consider the case of an office admin. A PtH attack against the office admin might not give the attacker direct access to the employee salary tables, to the salary billing server or to the company board’s activities. However, the office admin is likely to have direct access to the CEO’s calendar in order to schedule meetings. Inadvertently, that office admin has become a direct channel to the compromise of the CEO’s machine.

  • Tracking the changes to Active Directory
    Tracking changes to Active Directory will not help at all against this attack. The activity within the network looks precisely the same as legitimate activity. No changes whatsoever happen within Active Directory. There are no deletions, updates or additions of users, just normal user authentication activity.

  • Randomly changing passwords of privileged users
    The philosophy behind these measures is to mitigate an attack, were it to occur, against privileged users. However, this philosophy suffers from various shortcomings:

    • Cannot detect an attack. Accordingly, it is not possible to tell whether the mitigation measure is in fact successful or not.
    • Covers only privileged accounts. As noted for the previous mitigation techniques, focusing only on privileged users leaves a blind spot which attackers exploit.
    • Applies only to specific login scenarios such as RDP, SSH and FTP. Other login scenarios, as simple as logging into the organizational workstations or into 3rd-party products, are not supported.
    • A subset of Pass-the-Hash (PtH) attacks, for example SMBRelay, can bypass these measures. This attack subset acts as a Man in the Middle which actively intercepts SMB communications. Once an entity is initially authenticated, the attacker can continue to intercept the communication regardless of any password change.
    • Under certain scenarios, Active Directory saves a history of the passwords. Ultimately, this leaves a window of opportunity for an attacker to use the old hash even if the password is reset.
    • Requires complicated deployments. In a large organization, enforcing a random password change requires dedicated IT and security personnel and the customization of internal products, and ultimately may take months to fully deploy.

Detecting Pass-the-Hash Attacks
It is important to recognize that PtH attacks are typically persistent and carried out by motivated attackers, and thus cannot be prevented. Time has shown that prevention of sophisticated attacks is not a viable solution. Enterprises should instead focus on the detection of PtH attacks through a variety of measures, such as:

  • Learning all entities’ behaviors (privileged and non-privileged) in the organization, including their interactions with other entities.
  • Recognizing anomalous activity, such as an entity accessing a resource outside of organizational hours, and unusual interactions between entities.
  • Detecting and alerting on AD-related protocol violations.
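The first two detection measures above, as an added example that is not the page’s own code: it learns each account’s usual source and target hosts from a constructed baseline of NTLM network logons, then flags logons from a source never seen for that account, to a target never seen for it, or outside working hours. The event field layout, host names and the 08:00-18:59 schedule are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of NTLM network logons (not real data). Each tuple mirrors
# the fields a Windows 4624 logon event carries: timestamp, account, source
# workstation, target host and authentication package.
BASELINE = [
    ("2024-03-04 09:12:00", "alice", "WS-ALICE", "FILESRV01", "NTLM"),
    ("2024-03-04 09:40:00", "alice", "WS-ALICE", "PRINTSRV", "NTLM"),
    ("2024-03-05 10:03:00", "alice", "WS-ALICE", "FILESRV01", "NTLM"),
    ("2024-03-05 11:20:00", "bob", "WS-BOB", "FILESRV01", "NTLM"),
    ("2024-03-06 14:15:00", "bob", "WS-BOB", "SQL01", "NTLM"),
]
NEW_EVENTS = [
    ("2024-03-07 10:05:00", "alice", "WS-ALICE", "FILESRV01", "NTLM"),  # as usual
    ("2024-03-07 02:17:00", "alice", "WS-BOB", "FILESRV01", "NTLM"),    # odd hour, odd host
    ("2024-03-07 11:00:00", "bob", "WS-BOB", "FILESRV01", "NTLM"),      # as usual
    ("2024-03-07 11:02:00", "bob", "WS-BOB", "DC01", "NTLM"),           # never-seen target
]
WORK_HOURS = range(8, 19)  # 08:00-18:59; an assumed organizational schedule

def learn_baseline(events):
    """Per account, the source and target hosts seen during the learning window."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set()})
    for _ts, user, src, dst, _pkg in events:
        profile[user]["sources"].add(src)
        profile[user]["targets"].add(dst)
    return profile

def detect(profile, events):
    """Return (timestamp, user, src, dst, reasons) for NTLM logons that deviate."""
    alerts = []
    for ts, user, src, dst, pkg in events:
        if pkg != "NTLM":
            continue  # this page's attack rides on NTLM, so scope the rule to it
        known = profile.get(user, {"sources": set(), "targets": set()})
        reasons = []
        if src not in known["sources"]:
            reasons.append("new source host")
        if dst not in known["targets"]:
            reasons.append("new target host")
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            alerts.append((ts, user, src, dst, reasons))
    return alerts
```

An account that never appeared in the baseline trips both host checks on its first logon, which is the intended behaviour: a brand-new (user, source, target) combination is precisely the “unusual interaction” the text describes.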

Further reading: 

Windows Challenge/Response (NTLM)

Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation

New “Restricted Admin” feature of RDP 8.1 allows pass-the-hash