Vulnerability Walkthrough – Pass the Hash

In this blog, we will look at one of the attacks we use on almost every internal penetration test, pass the hash. Many times, to make managing devices easier and because this account is rarely used, IT Teams will set the local administrator account to the same password on all devices across the organization. The problem is that, even if it’s a super strong password, once one device is compromised an attacker has access to all systems that share that same password, even without actually knowing the cleartext password. Let’s look at this in more detail.

Collecting the Local Administrator Hash

The first thing an attacker needs to perform this attack is the hash of the local administrator account. An attacker can get this in a variety of ways. The most common way is by getting a user to click on a link they shouldn’t have and gaining full control over that user’s workstation. If that user is a local administrator on their own machine (and in most organization’s this is still the case), the attacker can dump the contents of the local SAM file, which contains the hashed passwords for every local account on the machine. Let’s see this in action with the image below.

An attacker gains access to a victim’s machine and dumps the hashes of all local accounts.

Hash Fundamentals

OK so before we learn how to pass the hash, let’s cover some basics about what a hash actually is and how Windows authentication works. In its most basic form, a hashing is a type of one-way encryption (yes, I know hashing is not technically encryption and vice versa but stay with me here). One-way meaning I can change the input string into a set of resultant characters, but I shouldn’t ever be able to turn the hash back into the cleartext input string. So lets look at an example of this:

Password123 –> Hashed using NTLM –> 58A478135A93AC3BF058A5EA0E8FDB71

So your Window’s computer saves the hashed values of your local account passwords, but not the cleartext passwords. This way, when you log into your computer, an overly simplified version of what is happening is:

  1. Type in your username and password and hit enter.
  2. Your computer takes Password123 — computes the hash –> 1as2cd2fasd343as445566.
  3. Then the computer opens the SAM file and finds the entry with the username that corresponds to the user trying to log in.
  4. Now it compares the hash. If the hash it calculated from the password you entered matches the hash it saved when you setup the account, you login successfully. If not, you get an error.

Now from this, you can see that this hash is pretty important and needs to be protected. One of the areas where we need authentication is when you try to access a system over the network. When you access a file on a shared drive, you need to authenticate to prove you are allowed to view that file. Similarly, when you try to Remote Desktop to a machine across the network, you need to authenticate to that system. However, we don’t want these hashes flying across the network because they are synonymous with passwords so we need to find a way to make the authentication only good for one-time use. To do that, Window’s systems use NetNTLMv2. Lets look at how that works in comparison:

  1. You try to open a file on the shared drive, which requires certain permissions.
  2. The Server (hosting the shared drive) will send you a challenge (ex: 112233445566).
  3. Your system takes that challenge and performs a computation with the challenge and your hash to come up with a new unique value based on the challenge.
  4. You send that newly computed NetNTLMv2 hash to the server hosting the shared drive that you are requesting access to.
  5. The server then performs that same calculation with your saved hash and the challenge it originally provided.
  6. If they match, you are granted access.

Obviously this is a bit more complex in a real Active Directory environment, but that is enough of a basic understanding for you to understand how this attack works.

Pass the Hash Attack

Once an attacker has access to this hash, they can take this version of a password offline and attempt to crack it. Check out this blog for why an offline password attack is much more effective. However, in the first example we looked at above where we dumped the NTLM hash directly from the SAM file, we don’t even need to crack the hash if we don’t want to, since there’s not challenge baked into it. It is the same NTLM hash that is stored on any computer using that same username/password combo. Therefore, we can use that hash in a pass the hash attack.

In a pass the hash attack, I don’t know the cleartext value of the password and I don’t need to. I can pass that hash and the username directly to a computer over SMB and it will authenticate me. This is because there’s no challenge-response process occurring, and the server is just taking that hash and comparing to the hash it has stored for the password. Here is a picture of what this looks like:

Once a hash is known, it can be used in a pass the hash attack to gain access to other devices that have the same password.

Preventing Pass the Hash Attacks

As you can see from the above example, pass the hash attacks take advantage of the way Windows systems were designed to operate. Therefore, preventing pass the hash attacks require you to prevent access to the hash in the first place or limiting the number of places where that hash can be used. The following steps should be considered:

  • Use a unique, strong, local administrator password for each device on the network. Microsoft has a free tool, the Local Administrator Password Solution (LAPS), to help you do this.
  • Follow the principal of least privilege. Your users should not be local administrators of their own computer. This will increase the burden on your IT team, however, it is a vital part of securing your network.
  • Ensure you have a behavior-based anti-virus solution in place that can help detect and prevent these types of attacks.