A Closer Look at Pass the Hash, Part I

We’ve done a lot of blogging at the Metadata Era warning you about basic attacks against passwords. These can be mitigated by enforcing strong passwords, eliminating vendor defaults, and enabling reasonable lockout settings in Active Directory. But don’t rest yet! Hackers have another password trick that’s much more difficult to defend against.

Advanced password, or more precisely, credential attacks are still very popular and, unfortunately, quite effective. Known generically as pass-the-hash or PtH, these attacks are seen by some as more of an issue with older Windows systems.  Somewhat true, but they’re still very much a menace: PtH is the subject of presentations at recent Black Hat conferences,  several white papers from Microsoft’s own Trustworthy Computing division, and a security bulletin from the NSA (for what it’s worth!).

What’s a Hash?

Security researchers have known almost since the beginning of modern computing that storing plain-text passwords is a poor security practice. Instead, they came up with the idea of passing the plaintext string through a special 1-way encryption function to produce a hash. You can read more about hashes in Rob’s excellent posts on the subject.

The key point is that in both Windows (and Linux systems too) the hashed password is stored instead of the readable password.  If you think about this a little, the hash acts as a proxy for identity—if you can prove you have it, it’s your ticket in.

In Windows, the NTLM authentication protocol involves exchanging messages to validate that users have the hash without actually sending the hash over the wire. This authentication technique is at the center of how Active Directory supports remote logins within a domain and is also used for other Windows services, most significantly remote file access

By the way, vulnerabilities in earlier implementations of NTLM—since corrected—have led some to believe that PtH attacks are a thing of the past. Not only is PtH still viable but the same idea—grabbing hashes from disk or memory—can also be used against more sophisticated Kerboros authentication.

Don’t Crack the Hash, Pass it

Windows caches the hashed passwords in memory to implement Single Sign On or SSO, which is an essential feature of Windows enterprise environments.  So far, so good.

For example, on my Varonis laptop, I logon once with my password, Windows hashes it and stores the code—currently 128-bits in NTLMv2— in memory  so that when, say, I mount a remote directory  or use other services where I need to prove my identity, I don’t have to re-enter my password— Windows instead uses the cached hash.

And that is enough of an opening for hackers to exploit. We’ve seen other attacks, most significantly with RAM scrapers used on Point-of-Sale devices, where hackers use easily available software to peek into this memory.  Not surprisingly there are toolkits out there that will let hackers grab the credentials from memory, and log them in as that user—see SANS’ Why Crack When You Can Pass the Hash.

And that’s one of the major benefits of SSO, so to speak, for hackers: they don’t have to crack the hashes, they just re-use or pass them to an authenticating server!

PtH: It’s a Feature, Not a Bug

The assumption that this attack makes is that the cyber thief gains administrator-level permissions for a user’s machine. Any expert will tell you, that’s not necessarily difficult to pull off, as we’ve seen in the Target hack.

In a typical exploit, the hacker will grab some hashes, log onto other servers, and continue the process of stockpiling credentials. If they hit the jackpot—a domain controller or SQL server—they may able to get the hashes of just about everyone.

As an aside, we don’t know exactly how Snowden obtained employee logon credentials—social engineering likely played a part. But his admin-level access would have made PtH a very good choice to extract the credentials of those with a higher security clearance than him.

Unfortunately, pass-the-hash is a feature of Windows! After all, the underlying NTLM authentication is effectively passing the hash to implement SSO, saving you from password entry fatigue. Hackers are just exploiting this feature for their own purposes. Not to be too hard on Windows, PtH is also an issue in Linux systems that implement Kerboros , where you have an equivalent pass-the-ticket or PtT attack.

Here’s the most important takeaway: you can’t prevent PtH, you can only mitigate or greatly reduce the possibility of this attack occurring.

Hold that thought and we’ll take up PtH mitigation through smart configurations of Active Directory and other services in the next post.

Image Credit: Mattia Luigi Nappi