Difference between revisions of "Pass-the-Hash (PtH)"

[Disclamer: this Wiki page is just an explanation of how Pass-The-Hash attack works and how it can be carried out and is done only for educational purposes. The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]

Introduction

Generally, passwords are essential for today's security standards. Every account, client or server must have a password which protects sensible data from not authorized parties. Despite the importance of keeping passwords securely, people do still not take this term into consideration as much as needed. Therefore, in 2016, the Windows Defender Credential Guard, a tool included with Windows 10, was released. Consequently, the system becomes more resistant to "Pass The Hash" attacks.

Pass-the-hash is a method used by cyberattackers to authenticate themselves to servers, even if they do not have the real password in plaintext! The Attacker gets access to servers or services by using the hash value of the needed password. Further, due to the weakness of operating systems, like Windows or Linux or authentication protocols like NTLM, the hash value can be read out easily with some special tools.

The authentication protocols authenticate the user by checking the hash of the password instead of the password itself. Hence the hashing algorithm always resolves to the same hash as long as the password is not changed.

This allows the attackers to focus on obtaining the hash, which is a lot easier than trying to get the password using brute-force.

While the attack is more common on windows servers environments, it is still possible to attack, for example, a Linux server that is using the same vulnerable protocols that we are going to discuss.

Pass-the-Hash Attack

It is almost a day-to-day activity these days that administrators and even regular users authenticate to remote servers. Since remote servers nowadays are most likely to have valuable information stored, it is only natural to allow access only to authorized users.

To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are who they say they are, usually by providing a password.

Most of these protocols would hash the password on the client-side and then send the hashed password over the network to authenticate. The flaw here is that a mere hashing of a password would yield the same hash every time, as long as both the password and the hashing algorithm remain the same.

This would turn the hash itself into an equivalent of that password, and it would lose its meaning. Before we start having a look at how this attack works and how can we mitigate it, let us have a look at the way the passwords are stored and the protocols themselves, and how they work.

Password Storage

There are two primary ways passwords are hashes in Windows before being stored in one of several locations. The original hash OWF used was the LM hash - aka Lan Manager hash. This algorithm was appropriate for its time but as technology increases, so must the standards for passwords. This is when the NT hash, often referred to as NTLM hash, was introduced. This is the modern way of how passwords are stored on Windows systems and can be obtained by dumping the Security Account Manager (SAM) database or with tools like mimikatz. They are also stored on domain controllers in the NTDS file and can be used for the pass the hash attack, as we will see later in this article. The NT hash algorithm is simply the MD4 hash of the password and is 16 bytes (128 bits) long.

New Technology LAN Manager (NTLM)

NTLM stands for New Technology LAN Manager and was developed by Microsoft, therefore it is mostly implemented in Microsoft products. It is an authentication protocol that gives users access to required services by authenticating them to remote servers. The first version of NTLM, NTLMv1, turned out to have many issues that made it very insecure over time.

Some of these vulnerabilities in its algorithms and protocols were:

• No distinguishing between capital and small letters, i.e., case-insensitive.
• It did not allow long passwords, but only up to 14 chars.
• Only 56 Bit out of 128 Bits were used for the key

As we can see, by knowing today's security standards, there is no need to say why the entire protocol was weak and prone to attacks. All this and more have led to the development of a successor called NTLMv2. It is used for Single-Sign-On (SSO), which means that the user only needs to enter the password once to access a particular service or system.

With Windows 10, NTLMv2 was used by default. NTLMv2 is a slightly more secure authentication protocol that includes things such as a timestamp and a username together with a nonce. Whereas the NTLMv1 uses a 16-byte random number challenge, the NTLMv2 provides a variable-length challenge. Although these changes do improve the security of the protocol by helping to mitigate offline relay attacks, but leave NTLMv2 exposed to other NTLMv1 vulnerabilities and therefore still does not meet the standards required today. It still uses the MD4 hash, which by today's standards is not satisfactory, and saves the hashes unsalted on the local machine, before sending it salted over the wire. New authentication suites such as Kerberos help mitigate many of these vulnerabilities. Kerberos adds more security measures such as relying on a third server to authenticate both parties, so the client and the server are certain they are communicating with the correct opposites.

Authentication Steps - Network Resource

This setup uses an authentication server, here called Domain Controller, which knows all the users and their corresponding hash value of the password, in order to verify them.

1. The user enters the password of the account
2. The username and the hash of the password get stored in RAM in a process called LSASS (more to that later)
3. The client now sends a request to the network resource in order to access it
4. The server responds with a CHALLENGE message (usually a 16-bit number) to identify the client
5. The client encrypts the challenge with the NTLM hash of the password and sends it back to the server
6. The server sends the username, the encrypted challenge, and the plain challenge to the authentication server
7. The authentication server decrypts the message from the client and compares the values
8. If the challenges match, the authentication server informs the server, which then grants the client access

Functionality

There are a couple of ways to do a PtH attack:

• Compromising a Host and reading out Hashes locally
  • Windows stores hashes of currently logged-in domain and local users in memory, in a process called Local Security Authority Subsystem Service (LSASS)
  • The hashes of currently logged out local users are stored in a registry file or also called the Security Account Manager (SAM)
• Sniffing the network for any hashes that are being transferred

To read out the LSASS process or the SAM, the program needs local admin rights. Thus, the user has to be tricked into executing it with the according rights.

Tools

There are some tools which can be used to perform the ”Pass The Hash” attack. Consequently, two of the most popular tools are introduced :

• samdump2
• mimikatz

Samdump2

samdump2 tool was designed to get dumps of Windows password hashes, namely Windows XP, NT, and 2k, and as the name suggests it does this by taking a dump of the SAM file using something called syskey, which is a feature in Windows that is supposed to strengthen the SAM database by adding and an additional layer of encryption.

Mimikatz

Mimikatz, on the other hand, tries to extract hashes, PIN codes, as well as passwords in plain text from memory. It is a much stronger tool since it allows a wider variety of other attacks that are mainly focused on playing with the weak security of Windows systems that use the protocols mentioned above. Mimikatz is also one of few tools that got updated after Windows Defender Credential Guard (WDCG) was enabled by default with Windows 10. WDCG made access to the LSASS process extremely difficult. This concludes the set of tools that are going to be used in the accompanying demonstration of this essay to demonstrate how PtH attack works when using these tools.

Mitigation and preventive measures

Over the years, many improvements to the vulnerable protocols in question have been released, and more and more studies are being done by Microsoft [5] and other institutions to mitigate this attack. Some of the mitigation techniques that are mentioned in these studies are:

1. Protecting the accounts that have high privileges by adding more restrictions to them like not having email accounts.
2. Removing administrative privileges to local accounts and then restricting these accounts to help to prevent the attackers from taking advantage of such accounts.
3. Adding firewall rules that would restrict the incoming traffic to the server.
4. Correlating Authentication Services.

This is by no means an exhaustive list, simply a guide in the proper direction. Other principles like security by obscurity, by hiding the LSASS memory location, are not viable options in this case. This is due to the fact that the IT security field is so vast and the knowledge of Windows infrastructure so known, that it would be found again very quickly. Additionally, some more recommendations are listed below:

Other recommendations:

1. Do not let highly privileged accounts browse the Internet
2. Standard users should be removed from the local Administrators group
3. Ensure that administrative accounts do not have email addresses
4. Update operating system and applications
5. Limit the amount of privileged domain accounts and their use
6. Domain controllers must be secured and managed

Demonstration using mimikatz

In our scenario, we have two computers that belong to different domains but are inside the same intranet network, let us say one belongs to the administrators' domain, and the second one belongs to the employees' domain.

All that is left now is for someone from the employee domain, to ask someone from the administrators' domain to install something on their PC using their admin account.

When the administrator logs in to the employee's pc, the hash value is saved locally in the LSASS process. Now the attack is ready to be carried out.

Because the employee knows a way to become a local admin he downloads mimikatz, executes it, and types the following:

privilege::debug;

This command grant mimikatz debug rights which are also needed.

sekurlsa::logonpasswords;

This would then show a dump of all the NTLM hashes that are stored on the system, and of course, it also includes the NTLM hash of the domain administrator.

Now the employee can use the information of that admin (username, domain, and NTLM hash) to authenticate to other clients and servers in that domain using mimikatz:

sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM_HASH /run:cmd

After this, a cli should open with administrative privileges and the employee is able to extract any information he or she wants.

Furthermore, the hash value of the password can even be cracked. If the password is not secure enough such as ”123456789”, you can find out the actual password by using a random free password hash cracker on the internet. This is the reason being, why passwords should be taken much more into consideration.

Conclusion

The pass-the-hash attack can be a horrifying attack given what kind of privileges it gives the attacker in the case of a successful attack, but this is not the end of the mitigation methods that were implemented with a regular update to the system it should mitigate the attack and protect servers against it. Also, there is a server lining, in that it pushes forward the security of Windows servers and lets the developers focus on improving them to let system administrators have much more secure servers to deal with. Although , it cannot be ruled out completely that attackers would find a new approach to exploit vulnerabilities in authentication protocols.

Sources

• https://github.com/gentilkiwi/mimikatz
• https://linux.die.net/man/1/samdump2
• https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
• https://www.microsoft.com/en-us/download/details.aspx?id=36036
• https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a4f28e01-3df1-4fd1-80b2-df1fbc183f21
• https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997?redirectedfrom=MSDN
• https://ieeexplore.ieee.org/document/7474171
• https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-windows-10-39170
• https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication
• https://www.sans.org/white-papers/33283/