Understanding and Preventing Pass the Hash Attacks


Pass the hash is one of the most prevalent techniques used in targeted attacks today, due to its ease of use and effectiveness.  Despite this prevalence, many organizations misunderstand how the attack works and remain vulnerable.  In this post, I will describe how a pass the hash attack works and provide some effective ways to prevent its occurrence and reduce its effectiveness in your enterprise.

What is Pass the Hash?

Pass the hash is an architectural vulnerability inherent to any single sign-on authentication system that uses symmetric authentication.  The vulnerability of symmetric authentication comes from its need to be able to compare an authenticator value to a known value stored in a database.  In the Windows world, a value referred to as the password hash is used to authenticate the user to resources when utilizing protocols such as NTLM. To provide single sign-on, the hash must be accessible throughout the user’s logon session. In Windows, this value is encrypted and stored within the Local Security Authentication Subsystem (lsass.exe) process for reuse when authenticating to resources that trust the domain which the user is a member of. Pass the hash attacks work by debugging the lsass.exe process, then retrieving and reusing password hashes from users who perform interactive logons to the affected machine.


Pass the hash attacks are used to gain additional access to the network.  It is important to note that this attack occurs after an attacker establishes access to a computer on the network using an account which possesses the “Debug Programs” (seDebug) right.  By default, only local administrators possess this access. Once compromised, any user account which performs an interactive logon to the machine should be considered compromised.  Pass the hash tools enable the attacker to replace the identity which an application runs under with that of the stolen credential.  This credential will remain valid until the user’s password is changed.

A successful pass the hash attack will provide the attacker with a credential of a user account with more access to their target than they possess while running as the infected user or computer.  An attacker has a few ways to increase the likelihood that they will acquire one of these credentials: get the user to contact support to help them with their computer, or use local administrator accounts (either the user’s current account or a local administrator account with a shared password) to increase the breadth of their search.

Preventing Pass the Hash

The following sections provide a few ways for an organization to prevent or reduce the utility of a pass the hash attack.

Reducing Local Administrator and seDebug Access

The most important change an organization can make to prevent pass the hash (as well as many other forms of attacks and malware) is to reduce local administrator access to the computer.  A user with local administrator membership to their computer entrusts the confidentiality and integrity of the domain, as well as any that trust it, to their judgment.  Although reducing this level of access does not eliminate risk, it reduces risk significantly.

From a pass the hash standpoint, it is especially important to reduce the number of accounts which possess the “Debug Programs” (a.k.a. seDebug) right, as this is a requirement for the attack.
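One way to audit who holds the “Debug Programs” right is to parse the user-rights export produced by `secedit /export /areas USER_RIGHTS` and list every holder of SeDebugPrivilege other than the built-in Administrators group. This is an added example, not code from the original post; the sample export and the account names in it are constructed, and the allowed baseline is an assumption you should adjust.

```python
# Added example: audit a secedit user-rights export for Debug Programs holders.
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample export (not from a real machine); the -1104 SID and
# the svc_backup account are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; account names appear without it.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def unexpected_debug_holders(inf_text, allowed=(ADMINISTRATORS_SID,)):
    """Principals holding SeDebugPrivilege beyond the allowed baseline (assumed)."""
    holders = parse_privilege_rights(inf_text).get("SeDebugPrivilege", [])
    return [p for p in holders if p not in allowed]

if __name__ == "__main__":
    for principal in unexpected_debug_holders(SAMPLE_INF):
        print("Review Debug Programs grant:", principal)
```

The export file written by secedit is normally UTF-16, so decode it with that encoding before passing the text in.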

Credential Tiering

For a pass the hash attack to be successful, the attacker must obtain a credential which is more valuable than the one they are currently able to utilize.  This credential may be one which has additional administrative access, or one that is able to access data which the attacker is interested in.

Credential tiering is a process by which services are organized into rings based on the value of the credentials used to administer the service(s) which the computer provides.  An attacker’s most valuable target is one which provides them administrative access over directory services, such as the “Domain Admins” group.  Credentials with this sort of access should only be allowed to perform interactive logons to machines within that tier.  Additionally, computers within that tier should not allow access to accounts from a lower tier.

Credential tiering can be performed in two ways: through organizational policy or through configuration.  Although organizational policy may seem effective, it is very easy for an administrator to inadvertently perform an interactive logon onto a lower tier system.  For this reason, it is recommended that these accounts be assigned the “Deny Interactive Logon” right on any machines which are not necessary for administration.  Additionally, machines which exist in an elevated tier should not be used for surfing the Internet and, if possible, lower tier accounts should be prevented from accessing them by limiting access rights.
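The two tiering rules above can be checked against logon records to catch the inadvertent logons that policy alone misses. The following is an added example, not part of the original post: the tier numbering (0 is the most valuable tier), the account and host names, and the records are all constructed, with records shaped like Windows logon events (ID 4624).

```python
# Added example: flag logons that break the credential tiering rules.
INTERACTIVE_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

# Hypothetical tier assignments; 0 is the most valuable tier (directory services).
ACCOUNT_TIER = {"da-alice": 0, "srvadm-bob": 1, "carol": 2}
HOST_TIER = {"DC01": 0, "FILE01": 1, "WKS-117": 2}

# Constructed records: (account, host, logon type).
SAMPLE_LOGONS = [
    ("da-alice", "DC01", 2),       # same tier: allowed
    ("da-alice", "WKS-117", 10),   # tier 0 credential on a tier 2 machine
    ("srvadm-bob", "FILE01", 3),   # same tier: allowed
    ("carol", "FILE01", 3),        # lower tier account reaching a higher tier host
    ("srvadm-bob", "WKS-117", 3),  # network logon downward: not interactive
    ("mallory", "DC01", 2),        # account missing from the tier model
]

def classify(account, host, logon_type):
    """Return a finding name, or None when the logon respects the tier model."""
    a, h = ACCOUNT_TIER.get(account), HOST_TIER.get(host)
    if a is None or h is None:
        return "unclassified"          # cannot be judged until a tier is assigned
    if a < h and logon_type in INTERACTIVE_TYPES:
        return "credential-exposure"   # valuable credential used interactively on a lower tier
    if a > h:
        return "lower-tier-access"     # lower tier account accessing a higher tier host
    return None

def tier_violations(logons):
    """Return (finding, account, host, logon_type) for every logon needing review."""
    findings = []
    for account, host, logon_type in logons:
        finding = classify(account, host, logon_type)
        if finding:
            findings.append((finding, account, host, logon_type))
    return findings

if __name__ == "__main__":
    for row in tier_violations(SAMPLE_LOGONS):
        print(*row)
```

A "credential-exposure" finding means the account's password should be changed, since the post treats any account that logged on interactively to a lower tier machine as potentially compromised.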

Randomized Local Administrator Account Passwords

An attacker is likely to monitor multiple computers to increase the likelihood that they will obtain an elevated credential.  One configuration they are likely to capitalize on is shared local administrator account credentials.  If a local administrator password is shared between multiple computers, the attacker can perform lateral traversal and infect these computers.

One way to prevent lateral traversal is to randomize the passwords assigned to local accounts on workstations.  This randomization limits the value of the local administrator account to only the current PC.

Other ways to prevent lateral traversal include disabling local accounts and preventing them from being able to access the computer over the network through user rights.

Utilize a Password Vaulting System

Password hashes are only valuable as long as the password does not change.  As such, another technique to prevent pass the hash is to limit the period of time a credential is valid by changing the password after use.  To simplify this effort, many companies offer password vaulting solutions which let users check administrative accounts out for use.  Once checked out, the password is provided to the user, then later reset by the vaulting solution.
