Pass-the-Hash Attack (PtH)

What is a Pass-the-Hash (PtH) Attack?

Link copied

A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters). The threat actor then passes it through for authentication and lateral access to other networked systems. With this technique, the threat actor doesn’t need to decrypt the hash to obtain a plain text password. PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated. Attackers can obtain hashes by scraping a system’s active memory, along with other techniques.

While Pass-the-Hash attacks can occur on Linux, Unix, and other platforms, they are most prevalent on Windows systems. In Windows, PtH exploits Single Sign-On (SSO) through NT Lan Manager (NTLM), Kerberos, and other authentication protocols. When a password is created in Windows, it is hashed and stored in one of the following locations:

• The Security Accounts Manager (SAM)

• The Local Security Authority Subsystem (LSASS) process memory

• A Credential Manager (CredMan) store

• A ntds.dit database in Active Directory

• Or elsewhere

When a user logs onto a Windows workstation or server, they essentially leave behind their password credentials.

A pass-the-ticket attack is a similar password-based attack but instead, the threat actor steals a Kerberos ticket-granting ticket (TGT). Once the TGT has been stolen from one identity, they can then use it to impersonate that user on a network. This tactic bypasses authentication mechanisms and enables the attacker to gain illicit access to resources.

How to Prevent Pass-the-Hash Attacks

Link copied

For a PtH attack to succeed, the perpetrator must first gain local administrative access on a computer to lift the hash. Once the attacker has a foothold, they can move laterally with relative ease, lifting more credentials and escalating privileges along the way.

Implementing the following security best practices will help eliminate, or at least minimize, the impact of a PtH attack:

• Least Privilege Security Model: Limits the scope and mitigates the impact of a PtH attack by reducing an attacker's ability to escalate privileged access and permissions. Removing unnecessary admin rights goes a long way in reducing the threat surface for PtH and many other types of attacks.
• Password Management Solutions: Rotating passwords frequently (and/or after a known credential compromise) can condense the window of time during which a stolen hash remains valid. By automating password rotation to occur after each privileged session, you can completely thwart PtH attacks and other exploits that rely on password reuse. The use of one-time-passwords (OTPs) can also mitigate PtH threats, as an OTP may only be valid for a single login session.
• Separation of Privileges: Separating different types of privileged and non-privileged accounts can reduce the scope of usage for administrator accounts. It reduces the risks of compromise and opportunities for lateral movement.

Learn how BeyondTrust can protect you against pass-the-hash, pass-the-ticket, kerberoasts, and other identity-based threats. Contact us today.