Pass the hash

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

The attack exploits an implementation weakness in the authentication protocol, where password hashes remain static from session to session until the password is next changed.

This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.

Description

On systems or services using NTLM authentication, users' passwords are never sent in cleartext over the wire. Instead, they are provided to the requesting system, like a domain controller, as a hash in a response to a challenge–response authentication scheme. [1]

Native Windows applications ask users for the cleartext password, then call APIs like LsaLogonUser [2] that convert that password to one or two hash values (the LM or NT hashes) and then send that to the remote server during NTLM authentication. [Note 1] [3]

If an attacker has the hashes of a user's password, they do not need the cleartext password; they can simply use the hash to authenticate with a server and impersonate that user. [4] In other words, from an attacker's perspective, hashes are functionally equivalent to the original passwords that they were generated from.
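The claim that a hash is functionally equivalent to the password, and the earlier point that the hash stays static from session to session, both follow directly from how the NTLM challenge–response is computed. The following added example is not taken from this article or from any tool it names; it models the computation in Python. The NT hash is MD4 over the UTF-16LE password (a pure-Python MD4 is included because hashlib frequently lacks it under OpenSSL 3), the NTLMv2 response key and proof are derived from that hash as described in MS-NLMP, and the server verifies by recomputing the proof from the hash it stores. The NTLMv2 "blob" is simplified to an opaque byte string rather than the full timestamp and target-info structure, and the user name, domain, challenges and passwords are constructed values.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included only because hashlib's md4 is often disabled."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)         # little-endian bit length
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, idx, shifts, k in (
            (f, range(16), (3, 7, 11, 19), 0),
            (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
            (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
        ):
            for i, j in enumerate(idx):
                aa = rotl(aa + fn(bb, cc, dd) + x[j] + k, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc     # rotate the working registers
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as Windows stores it: MD4 over the UTF-16LE password. No salt, no per-session input."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key (MS-NLMP NTOWFv2): derived from the NT hash, never from the plaintext."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Only the hash is needed."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob, "md5").digest()


def verify_ntlmv2(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                  client_blob: bytes, proof: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and compare in constant time."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Constructed scenario: a holder of only the NT hash answers every challenge the real user could."""
    user, domain = "alice", "CORP"                    # constructed identity
    stored = nt_hash("correct horse battery staple")  # what the SAM or domain controller holds
    chal1 = bytes.fromhex("0123456789abcdef")         # constructed 8-byte server challenges
    chal2 = bytes.fromhex("fedcba9876543210")
    blob = b"\x01\x01" + b"\x00" * 6 + b"constructed-blob"  # stands in for the real NTLMv2 temp structure
    # A legitimate client derives the hash from the typed password ...
    from_password = ntlmv2_proof(nt_hash("correct horse battery staple"), user, domain, chal1, blob)
    # ... while a party holding only the hash computes the identical proof.
    from_hash_only = ntlmv2_proof(stored, user, domain, chal1, blob)
    return {
        "same_proof": from_password == from_hash_only,
        "accepted": verify_ntlmv2(stored, user, domain, chal1, blob, from_hash_only),
        # The challenge changes per session, but the credential that answers it does not.
        "accepted_next_session": verify_ntlmv2(stored, user, domain, chal2, blob,
                                               ntlmv2_proof(stored, user, domain, chal2, blob)),
        # Only a password change (a new stored hash) invalidates the old hash.
        "rejected_after_password_change": not verify_ntlmv2(nt_hash("new-password"), user, domain,
                                                            chal1, blob, from_hash_only),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```

The design point worth noticing is in `ntowf_v2` and `ntlmv2_proof`: the plaintext password appears nowhere after `nt_hash`, so from the verifier's side the NT hash is the credential, and rotating the server challenge changes nothing about that until the stored hash itself changes.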

History

The pass the hash technique was originally published by Paul Ashton in 1997 [4] and consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords. Later versions of Samba and other third-party implementations of the SMB and NTLM protocols also included the functionality.

This implementation of the technique was based on an SMB stack created by a third party (Samba, among others), and for this reason suffered from a series of limitations from a hacker's perspective, including limited or partial functionality. The SMB protocol has continued to evolve over the years, so third parties maintaining their own implementation of SMB must track the changes and additions introduced by newer versions of Windows and SMB (historically by reverse engineering, which is complex and time-consuming). Consequently, even after NTLM authentication succeeded using the pass the hash technique, a tool such as Samba's SMB client might not have implemented the functionality the attacker wanted to use; in particular, it was difficult to attack Windows programs that use DCOM or RPC.

Also, because attackers were restricted to using third-party clients when carrying out attacks, it was not possible to use built-in Windows applications, like Net.exe or the Active Directory Users and Computers tool amongst others, because they asked the attacker or user to enter the cleartext password to authenticate, and not the corresponding password hash value.

In 2008, Hernan Ochoa published a tool called the "Pass-the-Hash Toolkit" [5] that allowed 'pass the hash' to be performed natively on Windows. It allowed the user name, domain name, and password hashes cached in memory by the Local Security Authority to be changed at runtime after a user was authenticated — this made it possible to 'pass the hash' using standard Windows applications, and thereby to undermine fundamental authentication mechanisms built into the operating system.

The tool also introduced a new technique which allowed dumping password hashes cached in the memory of the lsass.exe process (not in persistent storage on disk), which quickly became widely used by penetration testers (and attackers). This hash harvesting technique is more advanced than previously used techniques (e.g. dumping the local Security Accounts Manager database (SAM) using pwdump and similar tools), mainly because hash values stored in memory could include credentials of domain users (and domain administrators) that logged into the machine. For example, the hashes of authenticated domain users that are not stored persistently in the local SAM can also be dumped. This makes it possible for a penetration tester (or attacker) to compromise a whole Windows domain after compromising a single machine that was a member of that domain. Furthermore, the attack can be implemented instantaneously and without any requirement for expensive computing resources to carry out a brute force attack.

This toolkit has subsequently been superseded by "Windows Credential Editor", which extends the original tool's functionality and operating system support. [6] [7] Some antivirus vendors classify the toolkit as malware. [8] [9]

Hash harvesting

Before an attacker can carry out a pass-the-hash attack, they must obtain the password hashes of the target user accounts. To this end, penetration testers and attackers can harvest password hashes using a number of different methods:

Mitigations

Any system using LM or NTLM authentication in combination with any communication protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack. [1] The attack is very difficult to defend against because of the many exploitable flaws in Windows, and in applications running on Windows, that an attacker can use to elevate their privileges and then carry out the hash harvesting on which the attack depends. Furthermore, it may take only one machine in a Windows domain that is misconfigured or missing a security patch for an attacker to find a way in, and a wide range of penetration testing tools are available to automate the discovery of such a weakness.

There is no single defense against the technique, so standard defense in depth practices apply, [10] for example the use of firewalls, intrusion prevention systems, 802.1X authentication, IPsec, antivirus software, reducing the number of people with elevated privileges, [11] proactive security patching, [12] and so on. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. [13] Allowing domain administrators to log into systems that may be compromised or untrusted creates a scenario in which the administrators' hashes become the attackers' targets; limiting domain administrator logons to trusted domain controllers can therefore reduce an attacker's opportunities. [10] The principle of least privilege suggests a least user access (LUA) approach, in which users do not use accounts with more privileges than necessary to complete the task at hand. [10] Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. [14] Limiting the scope of debug privileges on systems may frustrate some attacks that inject code into, or steal hashes from the memory of, sensitive processes. [10]
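Several of the mitigations above, keeping domain administrator logons on trusted hosts and reducing reliance on NTLM, are also things a defender can monitor for. The following added example is not part of this article or of any tool it names; it runs two simple detection rules over a constructed sample of Windows Security event 4624 (successful logon) records: privileged accounts authenticating with NTLM to hosts outside a trusted set, and one account reaching several distinct hosts over NTLM from one source address within a short window, the pattern that lateral movement with a stolen hash tends to leave behind. The field names (`LogonType`, `AuthenticationPackageName`, `TargetUserName`, `IpAddress`) follow the real 4624 event schema; the account names, host names, addresses, thresholds and the privileged-account and trusted-host lists are assumptions made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy inputs (hypothetical values for this example).
PRIVILEGED_ACCOUNTS = {"dadmin"}
TRUSTED_ADMIN_HOSTS = {"DC01", "DC02"}   # the only hosts privileged accounts should authenticate to
SPRAY_THRESHOLD = 3                       # distinct hosts from one (account, source) pair ...
SPRAY_WINDOW = timedelta(minutes=10)      # ... within this window triggers an alert

# Constructed sample of event 4624 records. "Computer" is the host that logged the event,
# i.e. the target of the network logon; "IpAddress" is the source of the connection.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "Computer": "DC01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21"},
    {"time": "2024-01-10T09:05:00", "Computer": "WS-FIN07", "TargetUserName": "dadmin", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.55"},
    {"time": "2024-01-10T09:06:00", "Computer": "DC01", "TargetUserName": "dadmin", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:07:00", "Computer": "ADMIN-WS", "TargetUserName": "dadmin", "TargetDomainName": "CORP",
     "LogonType": "2", "AuthenticationPackageName": "NTLM", "IpAddress": "127.0.0.1"},
    {"time": "2024-01-10T09:10:00", "Computer": "SRV-FILE01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.21"},
    {"time": "2024-01-10T09:12:00", "Computer": "WS-HR02", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.21"},
    {"time": "2024-01-10T09:14:00", "Computer": "WS-FIN08", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.21"},
    {"time": "2024-01-10T10:30:00", "Computer": "SRV-PRINT01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.21"},
]


def _is_ntlm_network_logon(ev: dict) -> bool:
    """Logon type 3 (network) with the NTLM package; interactive and Kerberos logons are ignored."""
    return ev["LogonType"] == "3" and ev["AuthenticationPackageName"].upper() == "NTLM"


def admin_ntlm_on_untrusted_hosts(events: list) -> list:
    """Rule 1: a privileged account authenticating over NTLM to a host outside the trusted set."""
    alerts = []
    for ev in events:
        if (_is_ntlm_network_logon(ev)
                and ev["TargetUserName"].lower() in PRIVILEGED_ACCOUNTS
                and ev["Computer"] not in TRUSTED_ADMIN_HOSTS):
            alerts.append(("admin_ntlm_untrusted_host", ev["TargetUserName"], ev["Computer"], ev["IpAddress"]))
    return alerts


def ntlm_host_spray(events: list, threshold: int = SPRAY_THRESHOLD, window: timedelta = SPRAY_WINDOW) -> list:
    """Rule 2: one account from one source reaching >= threshold distinct hosts via NTLM inside the window."""
    by_key = defaultdict(list)
    for ev in events:
        if _is_ntlm_network_logon(ev):
            by_key[(ev["TargetUserName"].lower(), ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])   # ISO-8601 strings sort chronologically
        recent = []                          # events inside the current sliding window
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            recent = [e for e in recent if t - datetime.fromisoformat(e["time"]) <= window]
            recent.append(ev)
            hosts = {e["Computer"] for e in recent}
            if len(hosts) >= threshold:
                alerts.append(("ntlm_host_spray", user, ip, tuple(sorted(hosts))))
                recent = []                  # start a fresh window so one burst yields one alert
    return alerts


def run_detections(events: list) -> list:
    """Run both rules and return the combined alert list."""
    return admin_ntlm_on_untrusted_hosts(events) + ntlm_host_spray(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on `LogonType == "3"` on purpose: a pass-the-hash logon arrives as a network logon at the target host, so an interactive NTLM logon on an administrator's own workstation (the `ADMIN-WS` record) is not flagged, while the same account reaching a finance workstation over the network is. In production the trusted-host and privileged-account sets would come from the directory rather than from constants.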

Restricted Admin Mode is a new Windows operating system feature introduced in 2014 via security bulletin 2871997, which is designed to reduce the effectiveness of the attack. [15]

Notes

  1. Note that Windows may use Kerberos authentication by default.

References

  1. Chris Hummel (12 October 2009). "Why Crack When You Can Pass the Hash?". SANS Institute.
  2. "LsaLogonUser". Microsoft. 7 September 2011. Retrieved 25 October 2011.
  3. "How Interactive Logon Works". Microsoft. 22 January 2009. Retrieved 25 October 2011.
  4. Daniel Stirnimann (9 August 2010). "Windows Attack — Gain Enterprise Admin Privileges in 5 Minutes" (PDF). Compass Security AG. Retrieved 10 October 2010.
  5. Hernan Ochoa (2 July 2008). "What is Pass-The-Hash Toolkit?". Retrieved 20 October 2011.
  6. Hernan Ochoa (2011). WCE Internals. RootedCON.
  7. Hernan Ochoa (2011). "Windows Credentials Editor (WCE) F.A.Q.". Amplia Security. Retrieved 25 October 2011.
  8. "SecurityRisk.WinCredEd". Symantec. 21 March 2011. Retrieved 25 October 2011.
  9. "HackTool:Win32/Wincred.A". Microsoft. 1 October 2011. Retrieved 25 October 2011.
  10. Bashar Ewaida (21 January 2010). "Pass-the-hash attacks: Tools and Mitigation". SANS Institute.
  11. Roger Grimes (26 July 2011). "Stop pass-the-hash attacks before they begin". InfoWorld. Retrieved 25 October 2011.
  12. Rob Kraus; Brian Barber; Mike Borkin; Naomi Alpern (2010). Seven Deadliest Microsoft Attacks. Syngress. pp. 12–14. ISBN 978-1-59749-551-6.
  13. "Preventing Pass-the-Hash Attacks and Cached Credential Attacks". Berkley Lab Computer Protection Program. Retrieved 20 October 2011.
  14. "Microsoft Windows Kerberos 'Pass The Ticket' Replay Security Bypass Vulnerability". securityfocus.com. 13 August 2010. Archived from the original on 12 March 2016. Retrieved 20 October 2010.
  15. "Microsoft Security Advisory 2871997". 14 October 2022.