Pass the hash Giacomo Lanzi

Pass the hash: how to gain access without password

Estimated reading time: 6 minutes

Since the Internet has become widespread, tremendous progress has been made in awareness of the use of passwords. By now everyone knows what best practices are for setting a password (avoid standard passwords, use letters and numbers, avoid dates of birth, etc.). However, there is not much to rest assured, because hackers have another trick that could put your accounts at risk: the pass the hash attack.

Generally, password attacks can be mitigated by enforcing strong passwords, eliminating vendor defaults, and implementing a reasonable cyclical password replacement policy . Attacks on passwords, or rather on credentials, are still very popular, actually. One such attack is the so-called pass the hash or PtH .

These attacks are seen by some as a problem with older Windows systems. A little bit true, but they are still a threat. In fact, the Pass the Hash is still the subject of a lot of material that can be recovered with a simple Google search, both to understand how to defend oneself and to learn how to attack.

pass the hash password

The hashes

Before understanding what the Pass the Hash attack is, it is best to clearly define what a Hash is.

Security researchers have known since the dawn of modern computing that memorizing passwords in the clear is a bad security practice . For this, they came up with the idea of passing the plain text string through a special 1-way encryption function to produce a hash . A hash is a mathematical code of a predetermined length that derives and uniquely represents the password , but cannot be mathematically reversed or reveal what the starting password is.

In practice, this is a string of alphanumeric characters generated starting from the password.

The key point is that on both Windows and Linux systems the hash password is stored instead of the readable one. If you think about it, the hash acts as a proxy for identity: if you can prove you have it, it’s like an entrance ticket.

On Windows, the authentication protocol NTLM involves exchanging messages to confirm that users have the hash without actually sending it in the communication . This authentication technique is at the heart of how Active Directory (the heart of the Windows Server system), supports remote logins within a domain and is also used for other Windows services, in especially remote access to files.

Pass the Hash

The operating system stores hashes in memory to implement Single Sign On or SSO , which is a essential feature of Windows corporate environments. So far, so good, it would seem.

For example, on a laptop the user initially logs in with the password, Windows hash it and stores it so that when, for example, you access a remote directory or use other services where you need to prove your identity, you don’t need to re-enter your password. Windows uses the stored hash .

This behavior is sufficient for hackers. Through the use of RAM scrapers used on devices, hackers can peek into RAM and retrieve hashes . Unsurprisingly, there are toolkits on the net that allow hackers to steal credentials from memory and log in as that user.

This is one of the weaknesses of the SSO system. Hackers must not crack hashes (i.e. try to decrypt them), but simply reuse them or pass them to an authentication server , hence the name pass the hash .

pass the hash login

Pass the Hash exploits a feature not a bug

The assumption of this attack is that the hacker gains administrator permissions for a first user’s machine. Anyone in the industry will tell you it’s not necessarily difficult to do.

In a typical exploit, the hacker will take some hashes , log into other servers and continue the process of accumulating credentials. If he manages to hit the jackpot, that is, get to a domain controller or SQL server, it may be able to get the hashes of all users on the system.

Unfortunately, pass the hash is a feature of Windows, not a bug! NTLM authentication is actually using hash to implement the SSO protocol , saving the user the trouble of entering the password. Hackers are only using this feature for their own purposes.

In order not to be too hard on Windows systems, it must be said that pass the hash is also a problem in Linux systems that implement the communication protocol Kerboros , where there is an equivalent Pass the Ticket or PtT attack.

Here’s the most important thing to keep in mind: You can’t prevent the Pass the Hash attack, you can only mitigate or greatly reduce the chance of this attack occurring .

Pass the hash

Preventing the exploit

To date, this type of attack is used by the worst ransomware software.

The attack would happen like this: Once the ransomware hits, it acquires administrator privileges and, in addition to encrypting all data on the disk, uses the hashes found to perform dei lateral movement . Having obtained access to another machine on the network, proceeds to encrypt the data present on it, spreading rapidly over a network.

The only way to eliminate the chances of pass the hash attack would be to not use the Single Sign-On system for authentication. In this case, the hashes would not exist at all and they could not be exploited for the attack. Unfortunately, it is not easy to eliminate such a convenient system that makes access management so simple and convenient for users.

The SOD solution

Another mitigation method is to implement SIEM and UEBA , and set up centralized network control with a SOC .

Thanks to the SOC as a Service service offered by SOD, in fact, the network is monitored and controlled by an artificial intelligence that reports any possible suspicious behavior. em> lateral movement is thus immediately detected and blocked, as well as dubious requests for access to computers on the corporate network.

Technology advances and new defense solutions are being implemented, but equally attackers discover new ways to exploit vulnerabilities.

To greatly reduce the risk of data loss or fraudulent access, you must always keep up with the times.

If you are interested in knowing how our SOCaaS could help your company, do not hesitate to contact us, we will be happy to answer all your questions. < / p>

Useful links:



More Articles…

Categories …


RSS darkreading

RSS Full Disclosure

  • Microsoft leak of PlayReady developer / Warbird libs June 21, 2024
    Posted by Security Explorations on Jun 21Hello All, On Jun 11, 2024 Microsoft engineer posted on a public forum information about a crash experienced with Apple TV service on a Surface Pro 9 device [1]. The post had an attachment - a 771MB file (4GB unpacked), which leaked internal code (260+ files [2]) pertaining to […]
  • Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 June 16, 2024
    Posted by Andrey Stoykov on Jun 15# Exploit Title: Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 # Date: 6/2024 # Exploit Author: Andrey Stoykov # Version: # Tested on: Ubuntu 22.04 # Blog: Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable […]
  • APPLE-SA-06-10-2024-1 visionOS 1.2 June 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Jun 11APPLE-SA-06-10-2024-1 visionOS 1.2 visionOS 1.2 addresses the following issues. Information about the security content is also available at Apple maintains a Security Releases page at which lists recent software updates with security advisories. CoreMedia Available for: Apple Vision Pro Impact: An app may be […]
  • CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 June 9, 2024
    Posted by Thomas Weber via Fulldisclosure on Jun 09CyberDanube Security Research 20240604-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| SEH utnserver Pro/ProMAX / INU-100 vulnerable version| 20.1.22 fixed version| 20.1.28 CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422 impact| High homepage|
  • SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) June 9, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20240606-0 > ======================================================================= title: Multiple critical vulnerabilities product: Kiuwan SAST on-premise (KOP) & cloud/SaaS Kiuwan Local Analyzer (KLA) vulnerable version: Kiuwan SAST
  • Blind SQL Injection - fengofficev3.11.1.2 June 9, 2024
    Posted by Andrey Stoykov on Jun 09# Exploit Title: FengOffice - Blind SQL Injection # Date: 06/2024 # Exploit Author: Andrey Stoykov # Version: # Tested on: Ubuntu 22.04 # Blog: Steps to Reproduce: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into […]
  • Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution June 9, 2024
    Posted by malvuln on Jun 09Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: Contact: malvuln13 () gmail com Media: Threat: Trojan.Win32.DarkGateLoader (multi variants) Vulnerability: Arbitrary Code Execution Description: Multiple variants of this malware look for and execute x32-bit "urlmon.dll" PE file in its current directory. Therefore, we can...
  • SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) June 9, 2024
    Posted by InfoSec-DB via Fulldisclosure on Jun 09Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB (DeadlyData, R4d1x) Vendor Homepage: Software Link: Version: 1.3 Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12 CVE:...
  • CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 May 30, 2024
    Posted by Thomas Weber via Fulldisclosure on May 29CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| found| 2024-01-19 by| T. Weber...
  • HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX May 30, 2024
    Posted by Marco Ivaldi on May 29Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS). * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - […]