What is a Pass-the-Hash attack?
An attacker uses a Pass-the-Hash (PtH) attack to steal a “hashed” user credential without having to crack it to get the original password. This enables the attacker to use a compromised account without getting the plain text password or revealing the password with a brute-force attack.
Once in possession of the attacker, the hash is reused to fool an authentication system into creating a new authenticated session on the same network. And, because password hashes don’t usually change when the password itself is changed, Pass-the-Hash can easily provide extra time for the attacker to roam a network without being detected.
Cybercriminals use PtH to traverse a network, seeking to extract additional information and credentials after compromising a device such as a server or remote laptop. By moving laterally between devices and accounts, attackers can use Pass-the-Hash to gain the proper credentials, such as an administrator account on a domain controller, and eventually escalate their domain privileges to access more sensitive data. The movement executed during a Pass-the-Hash attack relies on a remote software program such as malware.
Cybersecurity Incident Response Template
Pass-the-Hash attacks and Windows
Windows systems are typically the favored target of Pass-the-Hash attacks, though they can also compromise other operating systems such as Linux and Unix.
Because of its SSO function, Windows is a prime target since it only requires users to enter their passwords once to access all resources. SSO also requires its users' credentials to be cached within the system, making it easier for attackers to access.
NTLM hashes are fixed-length codes derived from passwords used to authenticate users. The Windows system does not send or save user passwords over the network. Instead, it stores passwords as encrypted NTLM hashes representing the password but can't be reverse-engineered.
Gaining admin privileges from a compromised account, the attackers can use the Pass-the-Hash vulnerability to “trick” the Windows system into accepting them as legitimate users. Once malware is deployed on a compromised Windows machine, the NTLM hash can be used instead of a password to access any number of resources and search out other accounts to take over and gain higher privileges.
How to protect against Pass-the-Hash attacks
While Windows 10 has put safeguards against these system vulnerabilities, Pass-the-Hash detection is a challenge, and attacks are still a viable method for cybercriminals to compromise endpoints and exploit networks.
Pass-the-Hash attacks can only work if an attacker gets access to your network. Protecting network privileged access is essential to preventing PtH exploitation.
One method is to create separate privileged and non-privileged accounts so that your IT admins can use a standard account without privileged network access for their day-to-day tasks, such as checking email. This means they can only use something like a domain admin account when privileged access is necessary.
You can also require that password policies on domain admin accounts be much stricter than other accounts and require complex passwords for domain admin accounts and rotating them frequently.
Ultimately, you want to implement a strategy of least privilege that restricts access to privileged accounts. You also should look for solutions that enable endpoint application control and enforce least privilege by eliminating the need for privileged passwords from your end users’ Windows workstations.