
What Is a Pass-the-hash Attack?

Modern systems store passwords in hashed form. An attacker who steals those hashes can present them to a system and authenticate to private applications without ever knowing the plaintext password. A pass-the-hash (PtH) attack does not require brute-forcing the hash back to plaintext. Instead, the attacker uses a user’s current session or obtains hashes from memory, usually with malware.

What Is Pass the Hash?

When passwords are created, the operating system stores them in memory as cryptographically secure hashes. The hash database should not be accessible to user programs, but malware is written to bypass those protections and scrape memory for these hashes. After a user authenticates, the password hash may remain in memory so that the user can authenticate to applications while working on that machine.

Pass-the-hash attacks obtain authenticated user hashes and use them to gain access to sensitive data or applications in the context of the user account. PtH attacks essentially impersonate the user and take advantage of authorization protocols like Kerberos, which are used to create tickets assigned to authorized users. Tickets tell the system to allow access, so with a user hash, an attacker—usually in the form of malware—also has access to the targeted application.

How Pass-the-hash Attacks Work

Attackers first need to obtain hashes. This is usually done through malware. Malware can be delivered to a target using drive-by downloads or phishing where high-privileged users are tricked into installing it on their system. Ideally, for the attacker, a user with administrator access to the system installs the malware. The malware then scrapes memory for active user accounts and their hashes.

With hashes in hand, the malware moves laterally across the network, impersonating the authenticated user. Most PtH attacks work against single sign-on (SSO) systems, where the same user credentials authenticate the account to multiple systems. The targeted system still validates credentials, but a stolen hash passes that check. The malware then has access to any system or data available to the stolen hash’s corresponding user account.

Common Targets and Vulnerabilities

Windows machines are the most common targets for PtH attacks. In Windows, New Technology LAN Manager (NTLM) is a Microsoft security protocol used to authenticate users across multiple network applications. NTLM is vulnerable to pass-the-hash attacks because it stores user passwords as hashes without a salt, a random string of characters added to a password before hashing to hinder brute-force attacks on the hash. Attackers can easily capture these hashes from a compromised system and use them to authenticate as the user without knowing the original password, effectively "passing the hash" to reach other systems and resources without cracking it. This makes NTLM a prime target for credential theft attacks.

NTLM is still available for backward compatibility with older Windows operating systems, so even current domain controllers can remain vulnerable to PtH. Any Windows operating system or service is vulnerable to PtH if it retains backward compatibility with NTLM. In 2022, Microsoft Exchange servers were compromised through a lateral move after Windows servers were compromised by malware and PtH.

Impact of Pass-the-hash Attacks

Without monitoring, anti-malware software, and intrusion detection, a PtH attack could persist for months. Authentication to lateral systems is performed with legitimate credentials, so the attack goes unnoticed if only basic authentication and authorization monitoring is in place. The total impact of PtH depends on what the stolen hash’s account is authorized to access.

A stolen hash from a high-privileged user could grant access to sensitive information and result in a large data breach. Malware could give a remote attacker access to the local system, or it could steal data and send it to a third-party server. Stolen data could lead to costly compliance fines and litigation with additional costs in the containment and eradication of the malware.

Prevention and Mitigation Strategies

Limiting users to only the data and applications necessary to perform their job is the first step to reduce damage from a PtH attack. Following the least-privilege principle contains malware and keeps it from accessing all areas of the environment. Users should be trained to recognize phishing and potential malware to reduce incidents stemming from malicious emails and websites. Segmenting and tiering network architecture protects critical systems from being compromised by less secure systems.

Intrusion detection and monitoring systems help identify potential PtH activity. If malware does get installed on a local machine, intrusion detection can pick up the suspicious traffic patterns that follow. Also, disabling NTLM where it is not needed renders some PtH malware ineffective.
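As an added illustration of the monitoring point above (example code, not part of the original article), the following Python snippet runs simple detection logic over constructed log lines modelled on Windows Security event 4624 fields, flagging accounts whose NTLM network logons fan out from one workstation to several hosts, the lateral-movement pattern described earlier. The simplified key=value field names, the sample events, and the host threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines in a simplified key=value form modelled on the
# fields of Windows Security event 4624 (successful logon). Not real telemetry.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 AuthPackage=NTLM Account=j.doe Workstation=WS-07 Target=FILE-01
EventID=4624 LogonType=2 AuthPackage=Kerberos Account=j.doe Workstation=WS-07 Target=WS-07
EventID=4624 LogonType=3 AuthPackage=NTLM Account=svc-backup Workstation=WS-07 Target=SQL-02
EventID=4624 LogonType=3 AuthPackage=NTLM Account=svc-backup Workstation=WS-07 Target=EXCH-01
EventID=4624 LogonType=3 AuthPackage=NTLM Account=svc-backup Workstation=WS-07 Target=DC-01
EventID=4624 LogonType=3 AuthPackage=Kerberos Account=a.smith Workstation=WS-12 Target=FILE-01
EventID=4625 LogonType=3 AuthPackage=NTLM Account=svc-backup Workstation=WS-07 Target=HR-01
"""

def parse_event(line):
    """Turn one key=value line into a dict; return None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields or None

def ntlm_network_logons(log_text):
    """Keep only successful (4624) network (LogonType 3) logons that used NTLM."""
    events = (parse_event(line) for line in log_text.splitlines())
    return [e for e in events if e and e.get("EventID") == "4624"
            and e.get("LogonType") == "3" and e.get("AuthPackage") == "NTLM"]

def fan_out_by_account(events):
    """Map account -> (source workstations, target hosts) over NTLM network logons."""
    targets, sources = defaultdict(set), defaultdict(set)
    for e in events:
        targets[e["Account"]].add(e["Target"])
        sources[e["Account"]].add(e["Workstation"])
    return {acct: (sorted(sources[acct]), sorted(targets[acct])) for acct in targets}

def flag_lateral_movement(log_text, host_threshold=3):
    """Return accounts whose NTLM network logons reach at least host_threshold distinct hosts."""
    summary = fan_out_by_account(ntlm_network_logons(log_text))
    return {acct: hosts for acct, (_, hosts) in summary.items() if len(hosts) >= host_threshold}

if __name__ == "__main__":
    # Only the service account reaching three hosts over NTLM is reported; the
    # failed (4625) attempt and the Kerberos logons are excluded from the count.
    for acct, hosts in flag_lateral_movement(SAMPLE_LOG).items():
        print(f"NTLM fan-out: {acct} -> {', '.join(hosts)}")
```

In a real deployment the same logic would run over exported event logs or a SIEM query, with the threshold tuned to the environment's normal NTLM usage.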

Tools and Technologies for Defense

Windows has a couple of built-in tools to help prevent a pass-the-hash attack. Credential Guard isolates hashes and puts barriers in the way of malware and other memory scrapers. Windows also ships with anti-malware software to identify known threats and stop them from installing.

Microsoft offers Local Administrator Password Solution (LAPS) to force unique passwords for administrators. Administrators using the same password across the network environment leave all systems with the same password open to a compromise after a single hash is stolen. Auditing user credentials and Active Directory can identify accounts with too many permissions and possible unauthorized access.

Conclusion

Prevention of malware injection is the first step in protecting your environment from any threat including PtH. Ensure your users are aware of phishing dangers and educate high-privilege users on the dangers of downloading software from unknown sources. Avoid using NTLM if you work with Windows, but be sure to install anti-malware software to stop PtH malware from stealing data should attackers bypass security.

If your environment suffers a PtH attack, Pure Storage has recovery and resilience solutions to help with data recovery. Learn more about SafeMode™ Snapshots and how they can help you mitigate risk. 
