Pass-the-Hash (PtH)

From Embedded Lab Vienna for IoT & Security
Revision as of 23:43, 20 December 2020 by DAmon (talk | contribs) (Updated the document)

[Disclaimer: this Wiki page is just an explanation of how the Pass-the-Hash attack works and how it can be carried out, and is provided only for educational purposes. The author does not hold any responsibility for any misuse of the information included in this Wiki page and advises not to use it for any illegal actions nor in any way that could be harmful to any person or entity.]

Introduction

Pass-the-hash is a method attackers use to authenticate to servers without knowing the password. The technique exploits a design flaw in user-authentication protocols such as NTLM and LM.

These protocols authenticate the user by checking a hash of the password instead of the password itself. Because the hashing algorithm always produces the same hash as long as the password is not changed, possessing the hash is sufficient to authenticate.

This allows the attackers to focus on obtaining the hash, which is a lot easier than trying to get the password using brute-force.

While the attack is most common in Windows server environments, it is also possible to attack, for example, a Linux server that uses the same vulnerable protocols discussed below.

Pass-the-Hash Attack

It is almost a day-to-day activity these days that administrators and even regular users authenticate to remote servers. Since remote servers nowadays are most likely to have valuable information stored, it is only natural to allow access only to authorized users.

To do this, engineers have to come up with protocols that authenticate and challenge users to prove that they are whom they say they are, usually by providing a password.

Most of these protocols hash the password on the client side and then use the hashed password over the network to authenticate. The flaw is that a plain hash of a password yields the same value every time, as long as both the password and the hashing algorithm remain the same.

This turns the hash itself into an equivalent of the password, so hashing loses its protective purpose. Before we look at how this attack works and how it can be mitigated, let us have a look at the protocols themselves and how they work.

NTLM

NTLM stands for NT LAN Manager. It was developed by Microsoft and is therefore mostly implemented in Microsoft products. It is an authentication protocol that authenticates users to remote servers so they can access them. The first version of NTLM turned out to have many issues that made it very insecure over time.

Some of these vulnerabilities in its algorithms and protocols were:

  • No distinction between capital and small letters, i.e., passwords were case-insensitive.
  • It did not allow long passwords, only up to 14 characters.
  • Only 56 bits out of a 128-bit value were used for the key.

Measured against today's security standards, it is obvious why the entire protocol was weak and prone to attacks. All this and more led to the development of a successor called NTLMv2. It is used for Single Sign-On (SSO), so users only need to enter their password once in order to access network resources.

With Windows 10, NTLMv2 was used by default.


Authentication Steps - Network Resource

This setup uses an authentication server, here called Domain Controller, which knows all the users and their corresponding hash value of the password, in order to verify them.

[Figure: NTLM authentication steps (Ntlm-authentication-steps.jpg)]

  1. The user enters the password of the account.
  2. The username and the hash of the password are stored in RAM by a process called LSASS (more on that later).
  3. The client sends a request to the network resource in order to access it.
  4. The server responds with a CHALLENGE message (usually a 16-bit number) to identify the client.
  5. The client encrypts the challenge with the NTLM hash of the password and sends it back to the server.
  6. The server forwards the username, the encrypted challenge and the plain challenge to the authentication server.
  7. The authentication server decrypts the message from the client and compares the values.
  8. If the challenges match, the authentication server informs the server, which then grants the client access.
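The challenge-response exchange of steps 3 to 8, as an added example that is not part of the original page. It implements the NTLMv2 response computation from MS-NLMP (the NTLMv2 variant the page names as the Windows 10 default, rather than the DES-based NTLMv1 encryption described in step 5) in Python; the NT hash, user name, domain and challenge values are constructed for illustration. What it shows is that both the client's proof and the authentication server's check are computed from the NT hash alone, which is why whoever holds the hash can pass steps 5 to 8 without ever knowing the password.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration (not real credentials).
# The NT hash itself would be MD4(UTF-16LE(password)); the example starts from
# the hash because that is all either side of the exchange ever uses.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # step 4, 8 bytes
CLIENT_CHALLENGE = bytes.fromhex("a1a2a3a4a5a6a7a8")   # client nonce inside the blob


def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp' in MS-NLMP): version bytes, reserved,
    FILETIME timestamp, client nonce, then an empty AV-pair list (MsvAvEOL)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 12)   # Reserved3, MsvAvEOL, Reserved4


def client_response(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """Step 5: the client proves possession of the hash, never of the password."""
    key = ntowfv2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob            # NTProofStr || blob is what goes on the wire


def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Step 7: the authentication server recomputes the proof from the hash it stores."""
    nt_proof, blob = response[:16], response[16:]
    key = ntowfv2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def run_exchange(client_hash: bytes, timestamp: int = 0) -> bool:
    """Full round trip for the constructed account CORP\\admin; the authentication
    server always checks against NT_HASH, the client uses whatever hash it holds."""
    blob = build_blob(timestamp, CLIENT_CHALLENGE)
    response = client_response(client_hash, "admin", "CORP", SERVER_CHALLENGE, blob)
    return server_verify(NT_HASH, "admin", "CORP", SERVER_CHALLENGE, response)


if __name__ == "__main__":
    print("holder of the correct hash authenticates:", run_exchange(NT_HASH))  # True
    print("wrong hash is rejected:", run_exchange(bytes(16)))                  # False
```

The server challenge only stops replay of an old response (the same response fails against a new challenge); it does nothing against a client that can compute a fresh response from the stolen hash.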


Functionality

There are a couple of ways to do a PtH attack:

  • Compromising a host and reading out hashes locally
    • Windows stores the hashes of currently logged-in domain and local users in memory, in a process called Local Security Authority Subsystem Service (LSASS).
    • The hashes of currently logged-out local users are stored in a registry file, also called the Security Account Manager (SAM).
  • Sniffing the network for any hashes that are being transferred

To read out the LSASS process or the SAM, the program needs local admin rights. Thus, the user has to be tricked into executing it with those rights.

Tools

A PtH attack can be carried out using a set of tools. Some of the most popular tools for this purpose are:

  • samdump2
  • mimikatz

samdump2

The samdump2 tool was designed to dump Windows password hashes, namely from Windows XP, NT and 2000. As the name suggests, it does this by taking a dump of the SAM file using the syskey, a Windows feature that is supposed to strengthen the SAM database by adding an additional layer of encryption.

mimikatz

The mimikatz tool, on the other hand, tries to extract hashes, PIN codes and even plaintext passwords from memory. It is a much more powerful tool, since it enables a wider variety of other attacks that mainly exploit the weak security of Windows systems using the protocols mentioned above. Mimikatz is also one of the few tools that were updated after Windows Defender Credential Guard (WDCG) was enabled by default with Windows 10; WDCG made access to the LSASS process extremely difficult. This concludes the set of tools that are used in the accompanying demonstration of this essay to show how a PtH attack works.

Mitigation

Over the years, many improvements to the vulnerable protocols in question have been released, and more and more studies are being conducted by Microsoft [5] and other institutions to mitigate this attack. Some of the mitigation techniques mentioned in these studies are:

  1. Protecting accounts that have high privileges by adding more restrictions to them.
  2. Removing administrative privileges from local accounts and then restricting these accounts, to prevent attackers from taking advantage of them.
  3. Adding firewall rules that restrict incoming traffic to the server.
  4. Correlating authentication services.

Demonstration using mimikatz

In our scenario, we have two computers that belong to different domains but are inside the same intranet; let us say one belongs to the administrators' domain and the other to the employees' domain.

All that is left is for someone from the employees' domain to ask someone from the administrators' domain to install something on their PC using their admin account.

When the administrator logs in to the employee's PC, the hash value is saved locally in the LSASS process. Now the attack is ready to be carried out.

Because the employee knows a way to become local admin, he downloads mimikatz, executes it and types the following:

privilege::debug

This command grants mimikatz the debug privilege, which is required for the next step.

sekurlsa::logonpasswords

This then shows a dump of all the NTLM hashes stored on the system, which of course includes the NTLM hash of the domain administrator.

Now the employee can use the information of that admin (username, domain, and NTLM hash) to authenticate to other clients and servers in that domain.

Conclusion

The pass-the-hash attack can be a horrifying attack, given the privileges it grants the attacker when it succeeds. However, the mitigation methods described above are not the end of the story: they are delivered with regular system updates and should mitigate the attack and protect servers against it. There is also a silver lining, in that the attack pushes forward the security of Windows servers and lets developers focus on improving them, so that system administrators have much more secure servers to deal with.

Sources