[Disclamer: this Wiki page is just an explanation of how Pass-The-Hash attack works and how it can be carried out and is done only for educational purposes. The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]
Pass-the-hash is a method used by hackers to authenticate themselves to servers even if they do not have the password! The technique makes use of a flaw in the user-authentication protocols, such as NTLM and LM. The authentication protocols authenticate the user by checking the hash of the password instead of the password itself. Hence the hashing algorithm always resolves to the same hash as long as the password is not changed. This allows the attackers to focus on obtaining the hash, which is a lot easier than trying to get the password using brute-force, for example.
Even though an attacker still needs to acquire the hash in some way to carry out the attack, it is still far easier to get hold of a hash instead of the actual password.
While the attack is more common on windows servers environments, it is still possible to attack if, for example, a Linux server was using the same vulnerable protocols that we are going to discuss. Moreover, even though Microsoft tried to improve the situation by introducing new restrictions to improve how credentials are managed.
It is almost a day-to-day activity these days that administrators and even regular users authenticate to remote servers. Since remote servers nowadays are most likely to have valuable information stored, it is only natural to allow access only to authorized users. To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are whom they say they are, usually by providing a password.
Most of these protocols would hash the password on the client-side and then send the hashed password over the network to authenticate. The flaw here is that a mere hashing of a password would yield the same hash every time, as long as both the password and the hashing algorithm remain the same.
This would turn the hash itself into an equivalent of that password, and it would lose its meaning. First and foremost, and before we start having a look at how this attack works and how can we mitigate it, let us have a look at the protocols themselves and how they work, to have a better understanding of how the attackers came to found the flaws in their logic and were able to harness these flaws into an attack that would gain them access to servers which they should not have access to in the first place. NTLM and LM are authentication protocols that are used to authenticate users to remote servers.
NTLM and LM
LM stands for LAN Manager, and it is an old network operating system (NOS) that turned out to have many issues that we are going to mention below. This NOS was developed by IBM and Microsoft in the late 80s and have had many revisions to improve it until it was finally dropped in the mid-90s.
LM used to authenticate using a hashing method called the "LM hashing algorithm," but it had so many vulnerabilities that rendered it obsolete.
Some of these vulnerabilities in its algorithms and protocols were:
- No distinguishing between capital and small letters, i.e., case-insensitive.
- It did not allow long passwords, but only up to 14 chars.
- The hash was calculated for half of the characters only, meaning the password would be broken to two seven chars password, and then the hash would be calculated for each.
- If the number of characters that are used in a password was less than seven chars, it would always produce the same constant hash value no matter what password was used.
As we can see, by knowing today's security standards, there is no need to say why the entire protocol was weak and prone to attacks. All this and more have to lead to the development of a successor called NTLM. However, this successor also had its problems as we are going to see later on.
NTLM consist of three steps:
- The client would send a NEGOTIATE MESSAGE to the server to establish a connection with it.
- The server would respond with a CHALLENGE MESSAGE to identify the client.
- The client sends back an AUTHENTICATE MESSAGE to the server.
This all sounds nice until we know that NTLM stored hashed passwords unsalted on the server, which renders the hashes to be a replacement of the passwords in the sense that you can use the hash as if it was a password and login with it, and since getting hold of a hash is much easier (at least relatively) than getting hold of a password, it compromised all systems that used this kind of protocol.
To carry out PtH attack, we must first get a username and the hash assigned to it, and there are a couple of ways to do this in what is called "Hashes Harvesting," an example of methods used to harvest hashes include but are not limited to:
- Attacking the caches to find any cached hashes.
- Sniffing the network for any hashes that are being transferred using weak protocols.
- Having a dump of the memory somehow, e.g., through social engineering.
After getting hold of some caches, the attacker then starts by using some tools that we are going to discuss in the next chapter.
PtH attack can be carried out using a set of tools, but all of this, of course, can only be done after having harvested some hashes. Some of the most popular tools to carry out the PtH attack are:
samdump2 tool was designed to get dumps of Windows password hashes, namely Windows XP, NT, and 2k, and as the name suggests it does this by taking a dump of the SAM file using something called syskey, which is a feature in Windows that is supposed to strengthen the SAM database by adding and an additional layer of encryption.
Mimikatz tool, on the other hand, tries to extract hashes, PIN codes, as well as passwords in plain text from memory. It is a much stronger tool since it allows a wider variety of other attacks that are mainly focused on playing with the weak security of Windows systems that use the protocols mentioned above. This concludes the set of tools that are going to be used in the accompanying demonstration of this essay to demonstrate how PtH attack works when using these tools.
Over the years, many improvements to the vulnerable protocols in question have been released, and more and more studies are being done by Microsoft  and other institutions to mitigate this attack. Some of the mitigation techniques that are mentioned in these studies are:
- Protecting the accounts that have high-privileges by adding more restrictions to them.
- Removing administrative privileges to local accounts and then restricting these accounts to help to prevent the attackers from taking advantage of such accounts.
- Adding firewall rules that would restrict the incoming traffic to the server.
- Correlating Authentication Services.
Demonstration using mimikatz
In our scenario, we have two computers that belong to different domains but are inside the same intranet network, let us say one belongs to the administrators' domain, and the second one belongs to the employees' domain.
All that is left now is for someone from the employee domain to ask someone from the administrators' domain to install something on their PC using their admin account, and then the attack is ready to be carried out.
The employee adds a local account on his PC, and downloads mimikatz and types the following:
This would escalate the mimikatz privilege and use the local admin account.
This would then show a dump of all the NTLM hashes that are stored on the system, and of course, it should include the NTLM hash of the person who used his admin account from the administrators' domain on that PC
Now all that is left is for the employee to copy the information of that admin (username, domain, and NTLM hash) and replace the values in the following command line.
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM /run:cmd.exe;
The pass-the-hash attack can be a horrifying attack given what kind of privileges it gives the attacker in the case of a successful attack, but this is not the end of the mitigation methods that were implemented with a regular update to the system it should mitigate the attack and protect servers against it. Also, there is a server lining, in that it pushes forward the security of Windows servers and let the developers focus on improving them to let system administrators have much more secure servers to deal with.