Pass the hash
Encyclopedia
Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM
NTLM
In a Windows network, NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users....

 and/or LM hash
LM hash
LM hash, LanMan, or LAN Manager hash was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords...

 of a user's password, instead of using the cleartext password as is normally the case.

After an attacker obtains a valid user name and user password hashes values (somehow, using different methods and tools), he or she is then able to use that information to authenticate to a remote server/service using NTLM authentication without the need to brute-force the hashes to obtain the cleartext password (as it was required before this technique was published).

This technique can be performed against any server/service accepting NTLM authentication, whether it is running on a machine with Windows, *Unix, or any other operating system.

Description

On systems/services using NTLM authentication, users' passwords are never sent in cleartext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....

 over the wire. Instead, they are provided to the requesting system, such as a domain controller
Domain controller
On Windows Server Systems, a domain controller is a server that responds to security authentication requests within the Windows Server domain...

, as a hash
Hash function
A hash function is any algorithm or subroutine that maps large data sets to smaller data sets, called keys. For example, a single integer can serve as an index to an array...

 in a response to a challenge-response authentication
Challenge-response authentication
In computer security, challenge-response authentication is a family of protocols in which one party presents a question and another party must provide a valid answer to be authenticated....

 scheme.

Native Windows applications ask users for the cleartext password, then call APIs
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...

 like LsaLogonUser that convert that password to one or two hash values (the LM and/or NT hashes) and then send that to the remote server during NTLM authentication.Note that Windows may use Kerberos authentication by default. Observation of this mechanism has shown that the cleartext password is not required to complete network authentication successfully, only the hashes are needed.

If an attacker has the hashes of a user's password, he/she does not need to brute-force the cleartext password; he/she can simply use the hash of an arbitrary user account that he has harvested and execute a side channel attack
Side channel attack
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms...

 to authenticate against a remote system and impersonate that user. In other words, from an attacker's perspective, hashes are functionally equivalent to the original passwords that they were generated from.

History

The pass the hash technique was originally published by Paul Ashton in 1997 and consisted of a modified Samba
Samba (software)
Samba is a free software re-implementation, originally developed by Andrew Tridgell, of the SMB/CIFS networking protocol. As of version 3, Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain...

 SMB
Server Message Block
In computer networking, Server Message Block , also known as Common Internet File System operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an...

 client that accepted user password hashes instead of cleartext passwords (Later versions of Samba and other third-party implementations of the SMB and NTLM procotols also included the functionality).

This implementation of the technique was based on an SMB stack created by a third-party (e.g.: Samba and others), and for this reason suffered from a series of limitations from a hacker's perspective, including limited and/or partial functionality: The SMB protocol has continued to evolve over the years, this means that third-parties creating their own implementation of the SMB protocol need to implement changes and additions to the protocol after they are introduced by newer versions of Windows/SMB (historically by reverse engineering, which is very complex and time consuming). This means that even after performing NTLM authentication successfully using the pass the hash technique, tools like Samba's SMB client might not have implemented the functionality the attacker might want to use. This meant that it was difficult to attack Windows programs that use DCOM/RPC.

Also, because attackers were restricted to using third-party clients when carrying out attacks, it was not possible to use built-in Windows applications, like Net.exe or the Active Directory Users and Computers tool amongst others, because they asked the attacker/user to enter the cleartext password to authenticate, and not the corresponding password hash value.

In 2008, Hernan Ochoa published a tool called the "Pass-the-Hash Toolkit" that allowed 'pass the hash' to be performed natively on Windows. It allowed the user name, domain name, and password hashes cached in memory by the Local Security Authority to be changed at runtime after a user was authenticated — this made it possible to 'pass the hash' using standard Windows applications, and thereby to undermine fundamental authentication mechanisms built into the operating system.

The tool also introduced a new technique which allowed dumping password hashes cached in the memory of the lsass.exe
Local Security Authority Subsystem Service
Local Security Authority Subsystem Service , is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens...

 process (not in persistent storage on disk), which quickly became widely used by penetration test
Penetration test
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...

ers (and attackers). This hash harvesting technique is more advanced than previously used techniques (e.g. dumping the local Security Accounts Manager database (SAM) using pwdump and similar tools), mainly because usernames/domain/password hashes values stored in memory could include credentials of domain users (and domain administrators) that logged into the machine. For example, the hashes of authenticated domain users that are not stored persistently in the local SAM can also be dumped. This makes it possible for a penetration tester (or attacker) to compromise a whole Windows domain after compromising a single machine that was a member of that domain. Furthermore, the attack can be implemented instantaneously and without any requirement for expensive computing resources to carry out a brute force attack.

This toolkit has subsequently been superseded by "Windows Credential Editor", which extends the original tool's functionality and operating system support. Some antivirus vendors classify the toolkit as malware.

Hash harvesting

Before an attacker can carry out a pass-the-hash attack, he/she must obtain the password hashes of the target user accounts. To this end, penetration testers/attackers can harvest password hashes using a number of different methods:
  • Hashes/credentials can be dumped from the SAM by anyone who has Administrator-level privileges on a machine. The caching of hashes/credentials can however be disabled by administrators, so this technique does not always work.
  • Dumping the local users account database (SAM). This database only contains user accounts local to the particular machine that was compromised. For example, in a domain environment, the SAM database of a machine will not contain domain users, only users local to that machine that more likely will not be very useful to authenticate to other services on the domain.
  • Sniffing LM and NTLM challenge-response dialogues between client and servers, and later brute-forcing captured encrypted hashes (since the hashes obtained in this way are encrypted, it is necessary to perform a brute-force attack to obtain the actual hashes).
  • Dumping authenticated users' credentials stored by Windows in the memory of the lsass.exe process. The credentials dumped in this way may include those of domain users/administrators, such as those logged in via RDP
    Remote Desktop Protocol
    Remote Desktop Protocol is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. The protocol is an extension of the ITU-T T.128 application sharing protocol. Clients exist for most versions of Microsoft Windows , Linux, Unix, Mac OS...

    . This technique may therefore be used to obtain credentials of user accounts that are not local to the compromised computer, but rather originate from the security domain that the machine is a member of.

Mitigations

Any system using LM or NTLM authentication in combination with any protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack. The exploit is very difficult to defend against, because there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...

 their privileges and then carry out the hash harvesting that facilitates the attack. Furthermore, it may only require one machine in a Windows domain to not be configured correctly or be missing a security patch for an attacker to find a way in. A wide range of penetration testing tools are furthermore available to automate the process of discovering a weakness on a machine.

There is no single defence against the technique, so standard defence in depth
Defense in Depth (computing)
Defense in depth is an information assurance concept in which multiple layers of security controls are placed throughout an information technology system...

 practices apply - for example use of firewall
Firewall
Firewall may refer to:* Firewall , a barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse...

s, intrusion prevention systems, 802.1x authentication
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....

, IPsec
IPsec
Internet Protocol Security is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session...

, antivirus software
Antivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worm, trojan horses, spyware and adware...

, full disk encryption
Disk encryption
Disk encryption is a special case of data at rest protection when the storage media is a sector-addressable device . This article presents cryptographic aspects of the problem...

, reducing the number of people with elevated privileges, pro-active security patching etc. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. Allowing domain administrators to log into systems that may be compromised or untrusted will create a scenario where the administrators' hashes become the targets of attackers; limiting domain administrator logons to trusted domain controllers can therefore limit the opportunities for an attacker. The principle of least privilege
Principle of least privilege
In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module must be able to access only the...

 suggests that a least user access (LUA) approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand. Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. Limiting the scope of debug
Debugger
A debugger or debugging tool is a computer program that is used to test and debug other programs . The code to be examined might alternatively be running on an instruction set simulator , a technique that allows great power in its ability to halt when specific conditions are encountered but which...

 privileges on system may frustrate some attacks that inject code
Code injection
Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce code into a computer program to change the course of execution. The results of a code injection attack can be disastrous...

or steal hashes from the memory of sensitive processes.

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK