Difference between revisions of "Pass-the-Hash (PtH)"

From Embedded Lab Vienna for IoT & Security
(Updated the document)
Line 1: Line 1:
[Disclamer: this Wiki page is just an explanation of how Pass-The-Hash attack works and how it can be carried out and is done only for educational purposes. The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]
[Disclamer: this Wiki page is just an explanation of how Pass-The-Hash attack works and how it can be carried out and is done only for educational purposes.  
The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]


== Introduction ==  
== Introduction ==  


Pass-the-hash is a method used by hackers to authenticate themselves to servers even if they do not have the password! The technique makes use of a flaw in the user-authentication protocols, such as NTLM and LM. The authentication protocols authenticate the user by checking the hash of the password instead of the password itself. Hence the hashing algorithm always resolves to the same hash as long as the password is not changed. This allows the attackers to focus on obtaining the hash, which is a lot easier than trying to get the password using brute-force, for example.
Pass-the-hash is a method used by hackers to authenticate themselves to servers even if they do not have the password! The technique makes use of a flaw in the user-authentication protocols, such as NTLM and LM.


Even though an attacker still needs to acquire the hash in some way to carry out the attack, it is still far easier to get hold of a hash instead of the actual password.
The authentication protocols authenticate the user by checking the hash of the password instead of the password itself. Hence the hashing algorithm always resolves to the same hash as long as the password is not changed.  


While the attack is more common on windows servers environments, it is still possible to attack if, for example, a Linux server was using the same vulnerable protocols that we are going to discuss. Moreover, even though Microsoft tried to improve the situation by introducing new restrictions to improve how credentials are managed.
This allows the attackers to focus on obtaining the hash, which is a lot easier than trying to get the password using brute-force.
 
While the attack is more common on windows servers environments, it is still possible to attack, for example, a Linux server that is using the same vulnerable protocols that we are going to discuss.


== Pass-the-Hash Attack ==
== Pass-the-Hash Attack ==


It is almost a day-to-day activity these days that administrators and even regular users authenticate to remote servers. Since remote servers nowadays are most likely to have valuable information stored, it is only natural to allow access only to authorized users. To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are whom they say they are, usually by providing a password.
It is almost a day-to-day activity these days that administrators and even regular users authenticate to remote servers.  
Since remote servers nowadays are most likely to have valuable information stored, it is only natural to allow access only to authorized users.
To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are whom they say they are, usually by providing a password.


Most of these protocols would hash the password on the client-side and then send the hashed password over the network to authenticate. The flaw here is that a mere hashing of a password would yield the same hash every time, as long as both the password and the hashing algorithm remain the same.
Most of these protocols would hash the password on the client-side and then send the hashed password over the network to authenticate.  
The flaw here is that a mere hashing of a password would yield the same hash every time, as long as both the password and the hashing algorithm remain the same.


This would turn the hash itself into an equivalent of that password, and it would lose its meaning. First and foremost, and before we start having a look at how this attack works and how can we mitigate it, let us have a look at the protocols themselves and how they work, to have a better understanding of how the attackers came to found the flaws in their logic and were able to harness these flaws into an attack that would gain them access to servers which they should not have access to in the first place. NTLM and LM are authentication protocols that are used to authenticate users to remote servers.
This would turn the hash itself into an equivalent of that password, and it would lose its meaning. Before we start having a look at how this attack works and how can we mitigate it, let us have a look at the protocols themselves and how they work.


=== NTLM and LM ===
=== NTLM ===


LM stands for LAN Manager, and it is an old network operating system (NOS) that turned out to have many issues that we are going to mention below. This NOS was developed by IBM and Microsoft in the late 80s and have had many revisions to improve it until it was finally dropped in the mid-90s.
NTLM stands for NT LAN Manager, and was developed by Microsoft, therefore it is mostly implemented in Microsoft products.
It is an authentication protocol that authenticate users to remote servers, so they can access them. The first version of NTLM turned out to have many issues that made it very insecure over the time.


LM used to authenticate using a hashing method called the "LM hashing algorithm," but it had so many vulnerabilities that rendered it obsolete.
Some of these vulnerabilities in its algorithms and protocols were:


* No distinguishing between capital and small letters, i.e., case-insensitive.
* It did not allow long passwords, but only up to 14 chars.
* Only 56 Bit out of a 128 Bit where used for the key
As we can see, by knowing today's security standards, there is no need to say why the entire protocol was weak and prone to attacks.
All this and more have lead to the development of a successor called NTLMv2. It is used for Single-Sign-On (SSO), so User only need to enter the password once in order to access the network resource.
With Windows 10, NTLMv2 was used by default.


Some of these vulnerabilities in its algorithms and protocols were:


# No distinguishing between capital and small letters, i.e., case-insensitive.
=== Authentication Steps - Network Resource ===
# It did not allow long passwords, but only up to 14 chars.
# The hash was calculated for half of the characters only, meaning the password would be broken to two seven chars password, and then the hash would be calculated for each.
# If the number of characters that are used in a password was less than seven chars, it would always produce the same constant hash value no matter what password was used.


As we can see, by knowing today's security standards, there is no need to say why the entire protocol was weak and prone to attacks.
This setup uses an authentication server, here called Domain Controller, which knows all the users and their corresponding hash value of the password, in order to verify them.
All this and more have to lead to the development of a successor called NTLM. However, this successor also had its problems as we are going to see later on.


NTLM consist of three steps:
[[File:Ntlm-authentication-steps.jpg|850px]]


# The client would send a NEGOTIATE MESSAGE to the server to establish a connection with it.
# The user enters the password of the account
# The server would respond with a CHALLENGE MESSAGE to identify the client.
# The username and the hash of the password get stored in RAM in a process called LSASS (more to that later)
# The client sends back an AUTHENTICATE MESSAGE to the server.
# The client now sends a request to the network resource in order to access it
# The server responds with a CHALLENGE message (usually a 16-bit number) to identify the client  
# The client encrypts the challenge with the NTLM hash of the password and sends it back to the server
# The server sends the username, the encrypted challenge and the plain challenge to the authentication server
# The authentication server decrypts the message from the client and compares the values
# If the challenges match, the authentication server informs the server, which then grants the client access


This all sounds nice until we know that NTLM stored hashed passwords unsalted on the server, which renders the hashes to be a replacement of the passwords in the sense that you can use the hash as if it was a password and login with it, and since getting hold of a hash is much easier (at least relatively) than getting hold of a password, it
compromised all systems that used this kind of protocol.


=== Functionality ===
=== Functionality ===


To carry out PtH attack, we must first get a username and the hash assigned to it, and there are a couple of ways to do this in what is called "Hashes Harvesting," an example of methods used to harvest hashes include but are not limited to:
There are a couple of ways to do a PtH attack:


# Attacking the caches to find any cached hashes.
* Compromising a Host and reading out Hashes locally
# Sniffing the network for any hashes that are being transferred using weak protocols.
** Windows stores hashes of currently logged in domain and local users in memory, in a process called Local Security Authority Subsystem Service (LSASS)
# Having a dump of the memory somehow, e.g., through social engineering.
** The hashes of currently logged out local users are stored in a registry file or also called the Security Account Manager (SAM)
* Sniffing the network for any hashes that are being transferred


After getting hold of some caches, the attacker then starts by using some tools that we are going to discuss in the next chapter.
To readout the LSASS process or the SAM, the program needs local admin rights. Thus, the user has to be tricked into executing it with the according rights.


== Tools ==
== Tools ==


PtH attack can be carried out using a set of tools, but all of this, of course, can only be
PtH attack can be carried out using a set of tools.
done after having harvested some hashes.
Some of the most popular tools to carry out the PtH attack are:
Some of the most popular tools to carry out the PtH attack are:


# samdump2
* samdump2
# mimikatz
* mimikatz


=== samdump2 ===
=== samdump2 ===
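Review bot: in the new "Authentication Steps - Network Resource" list, step 4's "(usually a 16-bit number)" is stated without a source; check the ServerChallenge size against the MS-NLMP document that is already in the sources before giving a number. Steps 5 and 7 should also say which NTLM version they describe: for the v2 response this section has just named as the Windows 10 default, the client computes a keyed hash over the challenge rather than "encrypting" it, and in either version the authentication server does not "decrypt" anything, it recomputes the response from its stored hash and compares, which is what step 8's "if the challenges match" already implies. Separately, the renamed "NTLM" subsection keeps the three limitations the removed text attributed to the LM hash (case-insensitive, 14 chars, 56 of 128 bits) and now presents them as problems of "the first version of NTLM" without explaining the relation; one sentence on that would keep the history accurate.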
Line 70: Line 84:
Mimikatz tool, on the other hand, tries to extract hashes, PIN codes, as well as passwords in plain text from memory.
Mimikatz tool, on the other hand, tries to extract hashes, PIN codes, as well as passwords in plain text from memory.
It is a much stronger tool since it allows a wider variety of other attacks that are mainly focused on playing with the weak security of Windows systems that use the protocols mentioned above.
It is a much stronger tool since it allows a wider variety of other attacks that are mainly focused on playing with the weak security of Windows systems that use the protocols mentioned above.
Mimikatz is also one of few tools that got updated, after Windows Defender Credential Guard (WDCG) was enabled by default with Windows 10. WDCG made the access to the LSASS process extremely difficult.
This concludes the set of tools that are going to be used in the accompanying demonstration of this essay to demonstrate how PtH attack works when using these tools.
This concludes the set of tools that are going to be used in the accompanying demonstration of this essay to demonstrate how PtH attack works when using these tools.
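Review bot: the new sentence "Windows Defender Credential Guard (WDCG) was enabled by default with Windows 10" is the only substantive addition in this hunk and carries no source; add a citation in the sources list or qualify it. "One of few tools that got updated" should also say what was updated, otherwise the reader cannot tell what WDCG changed about LSASS access beyond "extremely difficult".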


Line 86: Line 101:
In our scenario, we have two computers that belong to different domains but are inside the same intranet network, let us say one belongs to the administrators' domain, and the second one belongs to the employees' domain.
In our scenario, we have two computers that belong to different domains but are inside the same intranet network, let us say one belongs to the administrators' domain, and the second one belongs to the employees' domain.


All that is left now is for someone from the employee domain to ask someone from the administrators' domain to install something on their PC using their admin account, and then the attack is ready to be carried out.
All that is left now is for someone from the employee domain, to ask someone from the administrators' domain to install something on their PC using their admin account.
 
When the administrator logs in to the employee's pc, the hash value is saved locally in the LSASS process. Now the attack is ready to be carried out.


The employee adds a local account on his PC, and downloads mimikatz and types the following:
Because the employee knows a way to become local admin he downloads mimikatz, executes it and types the following:


  privilege::debug;
  privilege::debug;


This would escalate the mimikatz privilege and use the local admin account.
This command grant mimikatz debug rights which are also needed.


  sekurlsa::logonpasswords;
  sekurlsa::logonpasswords;


This would then show a dump of all the NTLM hashes that are stored on the system, and of course, it should include the NTLM hash of the person who used his admin account from the administrators' domain on that PC
This would then show a dump of all the NTLM hashes that are stored on the system, and of course, it also includes the NTLM hash of the domain administrator.
 
Now all that is left is for the employee to copy the information of that admin (username, domain, and NTLM hash) and replace the values in the following command line.


sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM /run:cmd.exe;
Now the employee can use the information of that admin (username, domain, and NTLM hash) to authenticate to other clients and servers in that domain.  


== Conclusion ==
== Conclusion ==
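Review bot: dropping the literal "sekurlsa::pth ... /run:cmd.exe" line in favour of the sentence "Now the employee can use the information of that admin ..." is the right call for a documentation page, but the rewritten lead-in "Because the employee knows a way to become local admin" leaves the precondition unexplained; the Functionality section already states that reading LSASS needs local admin rights, so say up front that the demo assumes the employee already has them. Also "This command grant mimikatz debug rights which are also needed" should read "grants ... debug rights, which are needed in addition to local admin rights" so that "also" has a referent.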
Line 111: Line 126:
* https://linux.die.net/man/1/samdump2
* https://linux.die.net/man/1/samdump2
* https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
* https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
* https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160954(v=msdn.10)?redirectedfrom=MSDN
* https://www.microsoft.com/en-us/download/details.aspx?id=36036
* https://www.microsoft.com/en-us/download/details.aspx?id=36036
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a4f28e01-3df1-4fd1-80b2-df1fbc183f21
* https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997?redirectedfrom=MSDN
* https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997?redirectedfrom=MSDN
* https://ieeexplore.ieee.org/document/7474171
* https://ieeexplore.ieee.org/document/7474171
* https://www.aspheute.com/english/20040105.asp
* https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-windows-10-39170
*


[[Category:Documentation]]
[[Category:Documentation]]
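Review bot: the new last list item is an empty bullet ("*") and will render as an empty entry; remove it. The three added entries (the technet-magazine cc160954 page, aspheute.com 20040105 and the SANS pass-the-hash-windows-10 paper) are bare URLs like the rest; since the body cites sources by number ("[5]"), either number this list or give each entry a title so a numbered citation can be resolved.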

Revision as of 23:43, 20 December 2020

[Disclaimer: this Wiki page is just an explanation of how the Pass-The-Hash attack works and how it can be carried out, and is done only for educational purposes. The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]

Introduction

Pass-the-hash is a method used by attackers to authenticate themselves to servers even if they do not have the password! The technique makes use of a flaw in user-authentication protocols such as NTLM and LM.

These protocols authenticate the user by checking the hash of the password instead of the password itself. Because the hashing algorithm is deterministic, the password always resolves to the same hash as long as it is not changed.

This allows attackers to focus on obtaining the hash, which is a lot easier than trying to recover the password, for example by brute force.

While the attack is more common in Windows server environments, it is still possible to attack, for example, a Linux server that uses the same vulnerable protocols that we are going to discuss.

Pass-the-Hash Attack

It is a day-to-day activity these days for administrators and even regular users to authenticate to remote servers. Since remote servers are likely to store valuable information, it is only natural to allow access only to authorized users.

To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are who they say they are, usually by providing a password.

Most of these protocols hash the password on the client side and then send the hashed password over the network to authenticate. The flaw here is that a mere hashing of a password yields the same hash every time, as long as both the password and the hashing algorithm remain the same.

This turns the hash itself into an equivalent of the password, and hashing loses its meaning. Before we look at how this attack works and how we can mitigate it, let us look at the protocols themselves and how they work.

NTLM

NTLM stands for NT LAN Manager. It was developed by Microsoft and is therefore mostly implemented in Microsoft products. It is an authentication protocol that authenticates users to remote servers so they can access them. The first version of NTLM turned out to have many issues that made it very insecure over time.

Some of these vulnerabilities in its algorithms and protocols were:

  • No distinction between capital and small letters, i.e., case-insensitive.
  • It did not allow long passwords, only up to 14 characters.
  • Only 56 bits out of 128 were used for the key.

As we can see, by today's security standards there is no need to explain why the entire protocol was weak and prone to attacks. All this and more led to the development of a successor called NTLMv2. It is used for Single Sign-On (SSO), so users only need to enter the password once in order to access network resources.

With Windows 10, NTLMv2 was used by default.


Authentication Steps - Network Resource

This setup uses an authentication server, here called the Domain Controller, which knows all the users and the hash values of their passwords in order to verify them.

[Figure: Ntlm-authentication-steps.jpg, the NTLM authentication steps described below]

  1. The user enters the password of the account
  2. The username and the hash of the password get stored in RAM in a process called LSASS (more on that later)
  3. The client now sends a request to the network resource in order to access it
  4. The server responds with a CHALLENGE message (usually a 16-bit number) to identify the client
  5. The client encrypts the challenge with the NTLM hash of the password and sends it back to the server
  6. The server sends the username, the encrypted challenge and the plain challenge to the authentication server
  7. The authentication server decrypts the message from the client and compares the values
  8. If the challenges match, the authentication server informs the server, which then grants the client access


Functionality

There are a couple of ways to do a PtH attack:

  • Compromising a host and reading out hashes locally
    • Windows stores the hashes of currently logged-in domain and local users in memory, in a process called the Local Security Authority Subsystem Service (LSASS)
    • The hashes of currently logged-out local users are stored in a registry file also called the Security Account Manager (SAM)
  • Sniffing the network for any hashes that are being transferred

To read out the LSASS process or the SAM, the program needs local admin rights. Thus, the user has to be tricked into executing it with the corresponding rights.

Tools

A PtH attack can be carried out using a set of tools. Some of the most popular tools to carry out the PtH attack are:

  • samdump2
  • mimikatz

samdump2

The samdump2 tool was designed to get dumps of Windows password hashes, namely from Windows XP, NT, and 2k. As the name suggests, it does this by taking a dump of the SAM file using something called syskey, which is a feature in Windows that is supposed to strengthen the SAM database by adding an additional layer of encryption.

mimikatz

The Mimikatz tool, on the other hand, tries to extract hashes, PIN codes, as well as passwords in plain text from memory. It is a much stronger tool since it allows a wider variety of other attacks that are mainly focused on the weak security of Windows systems that use the protocols mentioned above. Mimikatz is also one of the few tools that was updated after Windows Defender Credential Guard (WDCG) was enabled by default with Windows 10. WDCG made access to the LSASS process extremely difficult. This concludes the set of tools that are going to be used in the accompanying demonstration of this essay to show how the PtH attack works when using these tools.

Mitigation

Over the years, many improvements to the vulnerable protocols in question have been released, and more and more studies are being done by Microsoft [5] and other institutions to mitigate this attack. Some of the mitigation techniques mentioned in these studies are:

  1. Protecting accounts that have high privileges by adding more restrictions to them.
  2. Removing administrative privileges from local accounts and then restricting these accounts to help prevent attackers from taking advantage of them.
  3. Adding firewall rules that restrict the incoming traffic to the server.
  4. Correlating authentication services.

Demonstration using mimikatz

In our scenario, we have two computers that belong to different domains but are inside the same intranet. Let us say one belongs to the administrators' domain, and the second one belongs to the employees' domain.

All that is left now is for someone from the employees' domain to ask someone from the administrators' domain to install something on their PC using their admin account.

When the administrator logs in to the employee's PC, the hash value is saved locally in the LSASS process. Now the attack is ready to be carried out.

Because the employee knows a way to become local admin, he downloads mimikatz, executes it and types the following:

privilege::debug;

This command grants mimikatz debug rights, which are also needed.

sekurlsa::logonpasswords;

This then shows a dump of all the NTLM hashes that are stored on the system, and of course, it also includes the NTLM hash of the domain administrator.

Now the employee can use the information of that admin (username, domain, and NTLM hash) to authenticate to other clients and servers in that domain.
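Mitigation 4 in the list above ("correlating authentication services") and the scenario just described call for a defender-side check, so here is an added example in Python, written for this page and not taken from the original article or from any vendor tool. It runs a simple correlation over constructed Windows Security log records shaped like event ID 4624 (successful logon): it looks for accounts on a list of privileged users that perform NTLM network logons (logon type 3, authentication package NTLM) to several different hosts from one source address within a short window, which is what reuse of the administrator's hash from the employee's PC against "other clients and servers in that domain" looks like in the logs, and it separately flags any privileged-account NTLM logon that does not originate from a designated admin workstation. The field names follow the 4624 event schema; the privileged-account list, the admin-workstation list, the thresholds, the host names and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security event 4624 (successful logon).
# LogonType 3 = network logon; AuthenticationPackageName separates NTLM from Kerberos.
# Computer is the host that logged the event, IpAddress the source of the logon.
SAMPLE_EVENTS = [
    # Administrator logs on interactively at the employee's workstation (logon type 2).
    {"TimeCreated": "2020-12-20T22:01:10", "Computer": "WS-EMP-07",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    # The admin account then reaches several hosts via NTLM from that workstation's address.
    {"TimeCreated": "2020-12-20T22:14:02", "Computer": "FS-01",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.17"},
    {"TimeCreated": "2020-12-20T22:14:09", "Computer": "SQL-02",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.17"},
    {"TimeCreated": "2020-12-20T22:14:15", "Computer": "DC-01",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.17"},
    # Benign: an ordinary user reaching a file share with Kerberos.
    {"TimeCreated": "2020-12-20T22:15:00", "Computer": "FS-01",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.30"},
    # Benign: the admin working from a designated admin workstation with Kerberos.
    {"TimeCreated": "2020-12-20T22:20:00", "Computer": "FS-01",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.5"},
]

PRIVILEGED = {("CORP", "admin")}          # assumption: domain-admin accounts to watch
ADMIN_WORKSTATIONS = {"10.0.1.5"}         # assumption: addresses of admin workstations
WINDOW = timedelta(minutes=5)             # assumption: correlation window
MIN_DISTINCT_HOSTS = 3                    # assumption: fan-out threshold


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def privileged_ntlm_network_logons(events):
    """Filter: network logons of privileged accounts that used NTLM."""
    return [ev for ev in events
            if ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            and (ev["TargetDomainName"].upper(), ev["TargetUserName"].lower()) in PRIVILEGED]


def correlate(events):
    """Return a list of (rule, account, source_ip, detail) alerts."""
    alerts = []
    hits = sorted(privileged_ntlm_network_logons(events), key=_when)
    by_source = defaultdict(list)
    for ev in hits:
        acct = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        by_source[(acct, ev["IpAddress"])].append(ev)
        # Rule 1: a privileged account should only use NTLM from managed admin hosts.
        if ev["IpAddress"] not in ADMIN_WORKSTATIONS:
            alerts.append(("privileged-ntlm-from-unmanaged-host", acct,
                           ev["IpAddress"], ev["Computer"]))
    # Rule 2: same account and source reaching many distinct hosts inside the window.
    for (acct, ip), evs in by_source.items():
        for i, first in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:] if _when(e) - _when(first) <= WINDOW}
            if len(hosts) >= MIN_DISTINCT_HOSTS:
                alerts.append(("privileged-ntlm-fanout", acct, ip, ",".join(sorted(hosts))))
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample events the three NTLM logons from 10.0.5.17 each trigger the first rule and together trigger the fan-out rule, while the Kerberos logons produce nothing. In a real deployment the two lists would come from the tiering model the mitigation list describes (restricted high-privilege accounts, designated admin workstations), and the strongest version of the first rule is a policy that privileged accounts never authenticate with NTLM at all, so that any such event is worth a look.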

Conclusion

The pass-the-hash attack can be a horrifying attack, given what kind of privileges it gives the attacker in the case of success, but the mitigation methods that have been implemented are not the end of the story; with regular updates to the system, they should mitigate the attack and protect servers against it. There is also a silver lining, in that it pushes forward the security of Windows servers and lets developers focus on improving them, so that system administrators have much more secure servers to deal with.

Sources