What is a pass the hash attack?
A pass the hash attack is an exploit in which an attacker steals a hashed user credential and -- without cracking it -- reuses it to trick an authentication system into creating a new authenticated session on the same network.
Pass the hash is primarily a lateral movement technique: attackers use it to harvest additional information and credentials after they have already compromised a device. By moving laterally between devices and accounts, attackers can use pass the hash to obtain the credentials needed to escalate their domain privileges and reach more influential systems, such as an administrator account on the domain controller. Most of the movement in a pass the hash attack is carried out by remotely operated software, such as malware.
Typically, pass the hash attacks are directed at Windows systems, but they can also work against other operating systems (OSes) in some instances and against other authentication protocols, such as Kerberos. Windows is especially vulnerable to these attacks because its single sign-on (SSO) function lets users enter a password once to access all resources. SSO requires the users' credentials to be cached within the system, making them easier for attackers to reach.
How does a pass the hash attack work?
To execute a pass the hash attack, the attacker first obtains the hashes from the targeted system using any number of hash-dumping tools, such as fgdump and pwdump7. The attacker then uses these tools to load the obtained hashes into a Local Security Authority Subsystem Service (LSASS) so that they can be presented in place of a password.
Pass the hash attacks are often directed at Windows machines because New Technology LAN Manager (NTLM) hashes are exposed once admin privileges on the machine have been obtained. These attacks trick a Windows-based authentication system into believing that the attacker's endpoint is that of the legitimate user, so that it automatically provides the required credentials when the attacker tries to access the targeted system. All of this can be accomplished without the original password.
The NTLM hashes -- fixed-length values derived from the passwords -- are the key to pass the hash attacks. They enable the attacker to use compromised domain accounts without recovering the plaintext password. This is because OSes such as Windows never actually send or save user passwords over their network. Instead, they store passwords as NTLM hashes, which stand in for the password but can't be reversed to recover it.
The NTLM hash can still be used in place of the password to access accounts and resources on the network. For an attacker to reach the LSASS, they need to compromise a computer to the point where their malware can run with local admin rights. This is one of the greatest obstacles to a pass the hash attack.
Once a Windows-based machine is compromised and the deployed malware is granted access to the local usernames and NTLM hashes, the attacker can choose whether to hunt for more credentials or attempt to access network resources using the credentials of elevated users.
For example, by gathering more user credentials, an attacker can retrieve the credentials of users who either have separate accounts on the Windows machine -- such as a service account -- or have remote access to the computer as an administrator. Remote information technology (IT) admins who log onto the compromised Windows machine expose their username and NTLM hash to the malware now resident on it. An attacker who holds an IT administrator's credentials can move laterally through networked devices.
Lateral movement is an effective way to search for users with elevated privileges, such as administrative rights to protected resources. Privileges are escalated by finding the credentials of an administrator with broader access. For example, a pass the hash attacker could locate the login credentials of the domain administrator through lateral movement. Armed with those elevated privileges, hackers can start running processes as a domain administrator on the domain controller. Other high-value resources include customer databases, source code repositories and email servers.
Prior to Windows 10, there were few obstacles in the way of a hacker obtaining NTLM hashes from a compromised Windows machine. Windows 10 addressed these weaknesses by adding a security feature known as Microsoft Windows Defender Credential Guard (WDCG). Using virtualization-based security, WDCG isolates the LSASS, allowing only trusted, privileged applications to access and interact with its data. Virtualizing the LSASS means that malicious applications can no longer read the NTLM hashes, even while running with full admin rights. While efforts have been made to safeguard NTLM hashes and the LSASS in later versions, pass the hash is still a viable method of data breach that companies should be aware of.
How to mitigate a pass the hash attack
To mitigate the threat of a pass the hash attack, organizations should ensure domain controllers can only be accessed from trusted systems without internet access. Two-factor authentication using tokens should also be enforced, along with the principle of least privilege. Organizations should closely monitor hosts and traffic within their networks for suspicious activity.
A 2019 report from One Identity found that 95% of its 1,000 respondents experienced a direct business effect from pass the hash attacks on their organization. About 40% of these attacks resulted in lost revenue, and 70% incurred increased operational costs.
Because pass the hash exploits the features and capabilities of the NTLM protocol, the threat of pass the hash attacks cannot be eliminated completely. Once an attacker compromises a computer, pass the hash becomes only one of the malicious activities that can be executed. Unfortunately, there are many ways for hackers to remotely compromise a computer -- and they are constantly evolving. For that reason, cybersecurity measures won't be 100% effective, and this is why multiple mitigation techniques are often used at once.
Recognizing that not all pass the hash attacks can be prevented, companies can try to improve their detection strategies, as well as their preventative measures. Workstation logs are one of the most common ways to reliably monitor administrative activity. These logs can track privilege assignments, as well as successful login attempts. Target server logs and domain controller logs are useful for the same reasons.
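Added example (not from the original article): a small Python pass over constructed, flattened Windows Security events that applies two of the log checks described above, NTLM network logons by privileged accounts from hosts not on their approved list, and new-credentials logons built from supplied credentials, then groups flagged logons by source host to surface the one-host-many-admin-accounts lateral-movement pattern. The event IDs, logon types and logon process names are real Windows values; the account names, hosts and approved-source policy are assumptions.

```python
import re

# Constructed sample of Windows Security events, flattened to key=value
# pairs (real 4624 events arrive as XML/EVTX; a collector would map fields).
SAMPLE_LOG = """\
EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=alice IpAddress=10.0.1.20 LogonProcess=Kerberos
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup IpAddress=10.0.1.77 LogonProcess=NtLmSsp
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=domadmin IpAddress=10.0.1.77 LogonProcess=NtLmSsp
EventID=4672 TargetUser=domadmin
EventID=4624 LogonType=9 AuthPkg=Negotiate TargetUser=bob IpAddress=- LogonProcess=seclogo
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=domadmin IpAddress=10.0.9.5 LogonProcess=NtLmSsp
"""

# Assumed policy: privileged accounts and the admin hosts they may log on from.
PRIVILEGED = {"domadmin", "svc_backup"}
APPROVED_SOURCES = {"domadmin": {"10.0.9.5"}, "svc_backup": {"10.0.1.50"}}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def detect(log_text):
    """Return (line_no, user, source, reason) for events worth an analyst's look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev.get("EventID") != "4624":  # only successful logons
            continue
        user, src = ev.get("TargetUser"), ev.get("IpAddress")
        # Rule 1: NTLM network logon (type 3) by a privileged account from a
        # host not on its approved list: the hash was used from somewhere new.
        if (ev.get("LogonType") == "3" and ev.get("AuthPkg") == "NTLM"
                and user in PRIVILEGED and src not in APPROVED_SOURCES.get(user, ())):
            findings.append((n, user, src, "NTLM logon from unapproved host"))
        # Rule 2: type 9 (NewCredentials) via seclogo/Negotiate means a logon
        # session was built from supplied credentials. Legitimate "runas /netonly"
        # looks identical, so treat this as a lead, not proof.
        if (ev.get("LogonType") == "9" and ev.get("LogonProcess") == "seclogo"
                and ev.get("AuthPkg") == "Negotiate"):
            findings.append((n, user, src, "logon with injected credentials"))
    return findings

def noisy_sources(findings, threshold=2):
    """Hosts whose flagged NTLM logons touch >= threshold privileged accounts."""
    seen = {}
    for _, user, src, reason in findings:
        if reason.startswith("NTLM"):
            seen.setdefault(src, set()).add(user)
    return {s: u for s, u in seen.items() if len(u) >= threshold}
```

Feed `detect` with events from a workstation, the target server and the domain controller alike; a single source host appearing in `noisy_sources` across all three is the strongest signal in this sample.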