What is a Pass-The-Hash Attack?

Pass-the-Hash is an attack method that uses the hash value of a password to authenticate against a system. Because of weaknesses in the system or in the authentication protocols, the hash value can be extracted with tools and then used directly for authentication. The method applies to various operating system environments, such as Windows or Linux.

What is a pass-the-hash attack?

Pass-the-Hash, abbreviated PtH, is an attack method in the computer environment. The method uses the hash value of a password to authenticate against a computer, server, or service; the readable (clear-text) password is not needed for authentication. From an attacker's point of view, the hash value replaces the user's password and eliminates the need for a brute-force attack on the actual password.

Because of weaknesses in the operating system or in the authentication protocol, the hash value can be read with special tools such as Mimikatz, for example from the working memory of a Windows machine. In both Windows and Linux environments, attackers use PtH to penetrate systems or networks, and numerous exploits implement the PtH method. Windows 10 includes technical precautions to prevent PtH.


Technical sequence of a PtH attack

Systems with password-based authentication usually do not store the readable password but a hash value calculated from it with a one-way function. During authentication, the hash value is computed from the password entered by the user and compared with the hash value previously stored in the system.

If the two hash values match, the user is authenticated to the system. If the hash values are stored statically, it is sufficient for an attacker to capture the hash value in order to authenticate under the corresponding identity; there is no need to steal the readable password or to recover it from the hash value.
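The following added example (not code from the original article) shows the mechanism behind the two paragraphs above with a simplified challenge-response login modelled on NTLM: the server stores only an unsalted one-way hash of the password, and both sides derive the response from that hash. SHA-256 and HMAC-SHA256 are stand-ins chosen for this illustration; real NTLM uses MD4 and HMAC-MD5. The password is a constructed sample value.

```python
import hashlib
import hmac
import os

# Simplified NTLM-style challenge-response (illustration only, not real NTLM).
# The server keeps password_hash(password); the response to a challenge is
# keyed on that hash, so anyone holding the hash can answer the challenge.


def password_hash(password: str) -> bytes:
    """One-way, unsalted hash that the server stores instead of the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret_hash: bytes, challenge: bytes) -> bytes:
    """Client/server response to a challenge. The input is the hash, not the password."""
    return hmac.new(secret_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored hash and compare."""
    expected = challenge_response(stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def login_with_password(stored_hash: bytes, password: str, challenge: bytes) -> bool:
    """A legitimate client hashes the typed password and answers the challenge."""
    return server_verify(stored_hash, challenge,
                         challenge_response(password_hash(password), challenge))


def login_with_hash(stored_hash: bytes, known_hash: bytes, challenge: bytes) -> bool:
    """A client that knows only the hash value answers the same way."""
    return server_verify(stored_hash, challenge,
                         challenge_response(known_hash, challenge))


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    stored = password_hash(password)
    challenge = os.urandom(8)  # fresh per login, as in NTLM
    return {
        # the normal case: password -> hash -> response
        "legitimate_user": login_with_password(stored, password, challenge),
        # the PtH case: the hash alone is enough, the password is never used
        "hash_only": login_with_hash(stored, stored, challenge),
        # a wrong hash still fails, so the protocol itself is not broken
        "wrong_hash": login_with_hash(stored, password_hash("wrong"), challenge),
        # the root cause: the stored hash never changes between logins
        "hash_is_static": password_hash(password) == stored,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fresh challenge prevents replaying a captured response, but not reuse of the hash itself, because the hash is the long-term key on both sides. A per-user salt would not change this: the client would then simply need the salted hash, which is still a static secret. This is why the defences discussed later aim at keeping the hash out of reach (protected storage, no privileged logons on exposed machines) rather than at the hash function.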

Systems with LM or NTLM authentication and support for single sign-on (SSO) procedures are especially vulnerable to PtH attacks. Before an attacker can authenticate with the hash value, it must be read out of the system. Various tools exist that obtain the hash value by the following methods:

  • Reading from the cache
  • Reading from a user database
  • Reading the hash value on a network connection during authentication
  • Reading out certain areas of the working memory

Mimikatz as a tool for pass-the-hash attacks

A very well-known and freely available tool for PtH attacks on Windows systems is Mimikatz. On computers running certain Windows versions, the tool can read password hash values, or even clear-text passwords, from the memory of the Windows client.


In addition to Pass-the-Hash, it supports other methods such as Pass-the-Ticket, Over-Pass-the-Hash (Pass-the-Key), Kerberos Golden Ticket, Kerberos Silver Ticket, or Pass-the-Cache.

Protection against Pass-the-Hash attacks

To protect against pass-the-hash attacks, the latest operating system versions and authentication protocols should be used. Windows 10, for example, secures stored hash values with Credential Guard, which relies on virtualization techniques. For everyday work on a computer, an account with administrator rights should never be used; a restricted user account should be used instead.

After completing administrative work on a computer, the administrator should log off from the system promptly. If authentication takes place over network connections, these must be secured and encrypted. Since PtH exploits are often delivered to users by e-mail, e-mail access for administrator accounts should be avoided.
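Beyond the preventive measures above, a defender will also want to notice PtH activity in the logs. The following added example (not from the original article) applies two commonly published detection heuristics to Windows Security event 4624 records: an explicit-credential (NewCredentials) logon through the `seclogo` logon process, which is the pattern left by `runas /netonly` style logons including hash-based ones, and an NTLM network logon with a zero key length from an unknown subject SID. The field names are those of event 4624; the log lines are constructed samples in a key=value form assumed for this illustration, and both heuristics are known to produce false positives (legitimate `runas /netonly` use, some service accounts), so they should be baselined before alerting on them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, one Security event 4624 per line in key=value
# form (an assumed export format, not real log data).
SAMPLE_EVENTS = [
    'EventID=4624 LogonType=2 LogonProcessName=User32 AuthenticationPackageName=Negotiate '
    'TargetUserName=alice WorkstationName=WS01',
    'EventID=4624 LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate '
    'TargetUserName=alice WorkstationName=WS01',
    'EventID=4624 LogonType=3 LogonProcessName=NtLmSsp AuthenticationPackageName=NTLM '
    'LmPackageName="NTLM V2" KeyLength=0 SubjectUserSid=S-1-0-0 TargetUserName=svc-backup '
    'WorkstationName=WS07',
    'EventID=4624 LogonType=3 LogonProcessName=NtLmSsp AuthenticationPackageName=NTLM '
    'LmPackageName="NTLM V2" KeyLength=128 SubjectUserSid=S-1-0-0 '
    'TargetUserName="ANONYMOUS LOGON" WorkstationName=WS07',
    'EventID=4624 LogonType=3 LogonProcessName=Kerberos AuthenticationPackageName=Kerberos '
    'TargetUserName=bob WorkstationName=WS03',
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def pth_indicators(ev: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics an event matches (empty list = nothing suspicious)."""
    hits: List[str] = []
    if ev.get("EventID") != "4624":
        return hits

    # Heuristic 1: NewCredentials logon (type 9) via the seclogo logon process with
    # Negotiate. Produced by runas /netonly style logons, legitimate or not, so
    # compare against the host's normal baseline.
    if (ev.get("LogonType") == "9"
            and ev.get("LogonProcessName") == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate"):
        hits.append("newcredentials_seclogo")

    # Heuristic 2: NTLM network logon (type 3) with KeyLength 0 and the null
    # subject SID, excluding anonymous logons and machine accounts ("name$").
    user = ev.get("TargetUserName", "")
    if (ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == "0"
            and ev.get("SubjectUserSid") == "S-1-0-0"
            and user.upper() != "ANONYMOUS LOGON"
            and not user.endswith("$")):
        hits.append("ntlm_network_keylength0")
    return hits


def scan(lines) -> List[Tuple[int, str, List[str]]]:
    """Scan log lines; return (line index, target user, matched heuristics) for each hit."""
    findings = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        hits = pth_indicators(ev)
        if hits:
            findings.append((index, ev.get("TargetUserName", "?"), hits))
    return findings


if __name__ == "__main__":
    for index, user, hits in scan(SAMPLE_EVENTS):
        print(f"line {index}: user={user} indicators={hits}")
```

Running it over the sample flags line 1 (the `seclogo` NewCredentials logon for alice) and line 2 (the NTLM network logon for svc-backup), while the interactive logon, the anonymous NTLM logon and the Kerberos logon pass. In practice, feed the events from the security log of each host and correlate the NewCredentials hits with subsequent network logons to the same accounts from that workstation.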