A pass the hash attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
To execute a pass the hash attack, the attacker first obtains the hashes from the targeted system using any number of hash-dumping tools. He or she then uses a pass the hash tool to place the obtained hashes into the Local Security Authority Subsystem Service (LSASS). This often fools a Windows-based authentication system into believing that the attacker's endpoint is that of the legitimate user, so the system supplies the required credentials automatically when the attacker tries to access the targeted system. All of this can be accomplished without the original password.
To mitigate the threat of a pass the hash attack, organizations should ensure that domain controllers can only be accessed from trusted systems that have no Internet access. Token-based two-factor authentication should also be enforced, along with the principle of least privilege. Organizations should closely monitor hosts and traffic within their networks for suspect activity.
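The monitoring advice above is easier to act on with a concrete check. The following is an added example, not code from the original article: it runs a simple pass the hash heuristic over constructed Windows Security logon records. The field names (EventID 4624, LogonType, AuthenticationPackageName, TargetUserName, IpAddress) follow the real 4624 event schema, but every value, the per-account source allowlist, and the fan-out threshold are assumptions made for illustration. It flags NTLM network logons that arrive from a source address the account is not expected to use, and any single account whose NTLM logons fan out across several hosts, which is the pattern a reused hash tends to produce.

```python
from collections import defaultdict

# Constructed sample records modelled on a few fields of Windows Security
# event 4624 (successful logon) and 4625 (failed logon).
# Hostnames, addresses and user names are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.1.16"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.1.17"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "10.0.9.9"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "127.0.0.1"},
]

# Assumed allowlist: the source addresses each account is expected to
# authenticate from. In a real deployment this comes from asset inventory.
EXPECTED_SOURCES = {
    "alice": {"10.0.1.15"},
    "svc-backup": {"10.0.1.15"},
}

# Assumed threshold: an account producing NTLM network logons from this many
# distinct sources within one review window is worth a closer look.
FANOUT_THRESHOLD = 3


def flag_suspect_ntlm_logons(events, expected=EXPECTED_SOURCES,
                             fanout=FANOUT_THRESHOLD):
    """Return a list of (reason, user, source) findings.

    Two checks are applied to successful NTLM network logons (type 3):
      1. "unexpected_source": the account has an allowlist and the source
         address is not on it;
      2. "fanout": the account authenticated from `fanout` or more distinct
         sources, the shape a reused hash tends to leave behind.
    Failed logons (4625) and non-network logon types are ignored.
    """
    findings = []
    sources_per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only successful logons are of interest here
        if ev.get("LogonType") != 3:
            continue  # network logons only
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are not in scope for this check
        user, src = ev["TargetUserName"], ev["IpAddress"]
        sources_per_user[user].add(src)
        allowed = expected.get(user)
        if allowed is not None and src not in allowed:
            findings.append(("unexpected_source", user, src))
    for user, srcs in sources_per_user.items():
        if len(srcs) >= fanout:
            findings.append(("fanout", user, ",".join(sorted(srcs))))
    return findings


if __name__ == "__main__":
    for reason, user, source in flag_suspect_ntlm_logons(SAMPLE_EVENTS):
        print(f"{reason}: {user} from {source}")
```

On the constructed sample this reports two unexpected-source findings and one fan-out finding, all for `svc-backup`; `alice` uses NTLM only from her expected host and `bob` never produces a successful network logon. The allowlist is the part that needs tuning: service accounts that legitimately reach many hosts will trip the fan-out check unless their expected sources are enumerated.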
Typically, pass the hash attacks are directed at Windows systems, but in some instances they also work against other OSes and against other authentication protocols, such as Kerberos. Windows is especially vulnerable to these attacks because of its single sign-on (SSO) function, which allows users to enter the password once to access all resources. SSO requires the users' credentials to be cached within the system, making them easier for attackers to access.
A 2009 report from SANS shows how pass the hash attacks, combined with client-side exploitation, could be employed by attackers to compromise an organization's internal network and steal important data.