Pass the Hash - ties2/Red-Team GitHub Wiki
In the field of cybersecurity, a common technique for attackers to move laterally within a network is known as "Pass the Hash" (PtH). This technique involves stealing a hashed password from one system and using it to authenticate on another system, without actually knowing the plaintext password. PtH attacks have been used in many high-profile breaches, including the Target and Sony hacks. In this essay, we will explore the technical details of PtH attacks, the various methods used to perform these attacks, and the measures that can be taken to prevent or detect them.
Technical Details: The concept of a hashed password is simple: instead of storing the actual plaintext password, a one-way function is used to generate a hash value for each password. When a user logs in, their plaintext password is hashed and compared against the stored hash value. If the hashes match, the user is authenticated. This method provides a layer of security, as even if the password database is compromised, the attacker would not be able to obtain the plaintext passwords directly.
However, in PtH attacks, the attacker doesn't need the plaintext password. Instead, they steal the hashed password and use it to authenticate on another system. This works because the hash itself is the credential the authentication protocol checks, and because the same password is often used across multiple systems or services, so the hash values are identical everywhere it is used.
There are several methods used to steal hashed passwords. One common method is to use a tool like Mimikatz, which is designed to extract credentials from memory. Another method is to use a keylogger or other malware to capture the password as it is being typed.
Once the attacker has the hashed password, they can use it to authenticate on other systems. This is possible because authentication protocols such as NTLM and Kerberos derive the client's proof of identity (or its encryption key) from the hash of the password rather than from the plaintext password itself. By supplying the hash in place of the plaintext password, the attacker can complete authentication as that user and gain access to the targeted system.
Methods of PtH Attacks: There are several methods used to perform PtH attacks, each with its own strengths and weaknesses. Some of the most common methods include:

- Pass the Hash with NTLM: This method involves using the NTLM authentication protocol to pass the hashed password to a target system. This method is often used to target legacy systems that don't support Kerberos authentication.
- Pass the Hash with Kerberos: This method involves using the Kerberos authentication protocol to pass the hashed password to a target system. This method is more secure than using NTLM, as it uses mutual authentication to verify the identity of the client and server.
- Over-pass the Hash: This method involves using a tool like Mimikatz to extract the plaintext password from memory, and then using that password to generate a new hash for the target system. This method is more complex than traditional PtH attacks, but it allows the attacker to bypass systems that have implemented countermeasures to prevent PtH attacks.
Prevention and Detection: Preventing PtH attacks can be challenging, as the attacker doesn't need to know the plaintext password to gain access to a system. However, there are several measures that can be taken to reduce the risk of PtH attacks:

- Use strong passwords: The use of strong passwords that are unique to each system or service can prevent the attacker from being able to use the same hash value across multiple systems.
- Implement multi-factor authentication: The use of multi-factor authentication can make it more difficult for attackers to use stolen credentials to gain access to a system.
- Disable NTLM: Disabling NTLM authentication can prevent attackers from using this method to pass the hash.
- Monitor for PtH attacks: Monitoring for PtH attacks can help detect and respond to these attacks before they result in a data breach.
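The last point is easier to act on with a concrete rule. Below is an added example (not from the wiki) that runs two widely used PtH heuristics over constructed Windows Security event 4624 records: a LogonType 9 (NewCredentials) logon through the `seclogo` logon process with the Negotiate package, and an NTLM network logon (LogonType 3, `NtLmSsp`) whose session key length is 0 for a real user account. Both are leads rather than verdicts (legitimate `runas /netonly` also produces the first pattern, and some older clients the second), so the thresholds and exclusions here are assumptions to tune against your own baseline. The event records are constructed, not real telemetry.

```python
from typing import List, Optional, Tuple

# Constructed Security-log 4624 records (EventData fields only); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "KeyLength": 128, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "KeyLength": 0, "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "KeyLength": 0, "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "bob", "TargetDomainName": "CORP", "KeyLength": 0, "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "carol", "TargetDomainName": "CORP", "KeyLength": 0, "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS01$", "TargetDomainName": "CORP", "KeyLength": 0, "IpAddress": "10.0.0.12"},
]


def pth_indicator(ev: dict) -> Optional[str]:
    """Return a reason string if a 4624 record matches a PtH heuristic, else None."""
    if ev.get("EventID") != 4624:
        return None
    user = ev.get("TargetUserName", "")
    # Heuristic 1: NewCredentials logon (type 9) via 'seclogo' with Negotiate.
    # Produced when a hash is injected into a new logon session; 'runas /netonly' looks the same,
    # so correlate with the parent process before escalating.
    if (ev.get("LogonType") == 9 and ev.get("LogonProcessName") == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate"):
        return "LogonType 9 via seclogo (NewCredentials logon with injected credential)"
    # Heuristic 2: NTLM network logon with KeyLength 0 for a real user account.
    # ANONYMOUS LOGON and computer accounts ($) are excluded as routine noise (assumed baseline).
    if (ev.get("LogonType") == 3 and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0 and user != "ANONYMOUS LOGON" and not user.endswith("$")):
        return "NTLM network logon with KeyLength 0"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Run the heuristics over a list of events; return (index, DOMAIN\\user, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = pth_indicator(ev)
        if reason:
            account = ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", "")
            hits.append((i, account, reason))
    return hits


if __name__ == "__main__":
    for idx, account, why in scan(SAMPLE_EVENTS):
        print(f"[event {idx}] {account}: {why}")
```

In a real deployment the interesting fields are the same ones from the 4624 record as shipped by Windows Event Forwarding or a SIEM agent; pair each hit with the source `IpAddress`, the logon ID chain (4624 to 4672 to 4688) and a per-account baseline so that a single service-account login with a zero key length does not page anyone on its own.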