Skip to Main Content

Pass the Hash

What Is Pass the Hash?

Pass the hash (PtH) is an attack technique that is both extremely simple and dangerous when left unmitigated. An attacker does not need to crack a complex password in order to successfully execute an attack, it only needs to resend the password hash obtained elsewhere without cracking the password itself. Any system that only requires a password hash for authentication gives an attacker with the hashed password the same power as if they had the cleartext passwords.

Windows systems have some of the most well known and easy to exploit PtH attacks with NTLM hashes through Local Security Authorization Subsystem (Lsass). An attacker can use weak administrative protections on one machine in order to compromise the password hashes saved in Lsass, then pivot to other more secure systems via a simple PtH attack. If a domain admin has logged in even once to a compromised system, it is possible to use pass the hash in order to compromise the rest of the network by using the login to dump hashes at the domain level, giving away the keys to the network.

How To Mitigate

Since pass the hash attacks are based on obtaining administrative access to dump the system’s hashes, guarding against these are a first line of defense. However, since any software that uses LM/NTLM authentication over the network is vulnerable to a PtH attack, defense in depth remains a prime strategy.

Cached Credentials

The reason an attacker is able to dump so many hashes from a compromised system is due to credential caching. This means that up to 25 of the most recent logins in post Windows 2008 systems (10 in pre-2008 systems) will be indefinitely saved on the system, which likely includes a domain administrator’s login. The number of cached logins is modified in the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current Version\Winlogon\ as CachedLogonsCount. The value is typically set to 25 by default, but should be changed to either 0 or 1 (since caching zero logins can cause cluster nodes to fail)

Disabling LM/NTLM

NTLM has been succeeded by NTLMv2, which is a hardened version of the original NTLM protocol. NTLMv2 includes a time-based response,which makes simple pass the hash attacks impossible. In order to only allow NTLMv2, change the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel. The LMCompatibilityLevel option takes a value between 0-5, but only a value of 5 will only allow NTLMv2 authentication while refusing any LM and NTLM requests. While Windows Vista only allows NTLMv2, Windows 7 and beyond leaves this option as undefined.

Limiting User Access/Privilege

Since dumping hashes only requres administrative privileges, any active user with administrative rights can be compromised and used to dump password hashes. Even if your organization has disabled LM/NTLM authorization, these hashes can still be cracked using rainbow tables/brute forced to their cleartext equivalents. Generally, most software exploits can only be executed on an admin account in the first place, so implementing least privilege shrinks your attack surface and creates a more stable and secure environment overall. Least privilege can be enforced in a variety of ways, but the best way do so is to 

 

Further Reading

SANS on Pass the Hash attacks (download)

CachedLogonsCount Reference

LmCompatibilityLevel Reference