by peter


Pass the Hash Explained


Risk Rating: CRITICAL
Likelihood: 5/5
Impact: 5/5


    Pass the Hash Overview

    A Pass the Hash attack is a technique whereby an attacker captures a password hash (rather than the plaintext password) and then passes the hash itself to the authentication mechanism, gaining access to the system and potentially lateral access to other networked systems. The threat actor does not need to crack the hash to recover the plaintext password.

    Pass the Hash is one of the most common attacks used by penetration testers when conducting infrastructure-level penetration tests for organisations.

    What you need to know about Pass the Hash

    For a Pass the Hash attack to succeed, the perpetrator must first gain local administrative access on a computer in order to lift the hash from it. Once the attacker has that foothold, they can move laterally with relative ease, lifting further credentials and escalating privileges along the way.

    Implementing the following security best practices will help eliminate, or at least minimise, the impact of a Pass the Hash attack:

    • Least Privilege Security Model: Limits the scope and mitigates the impact of a Pass the Hash attack by reducing an attacker’s ability to escalate privileged access and permissions. Removing unnecessary admin rights will go a long way to reducing the threat surface for this and many other types of attacks.
    • Password Management Solutions: Rotating passwords frequently (and/or after a known credential compromise) shortens the window of time during which a stolen hash remains valid. By automating password rotation to occur after each privileged session, you can completely thwart Pass the Hash attacks and exploits relying on password reuse.
    • Separation of Privileges: Separating different types of privileged and non-privileged accounts can reduce the scope of usage for administrator accounts, reducing the risks of compromise and opportunities for lateral movement.

    Detecting the attack is straightforward in environments that are monitored by a Security Operations Center and where an XDR agent is deployed on the endpoints.

    How Pass the Hash attacks happen

    Pass the Hash attacks exploit a weakness in the authentication protocol: the hash of the password remains static across every session until the password is rotated, so a captured hash stays usable for as long as the password does. Attackers commonly obtain hashes by scraping a system’s active memory, among other techniques.

    While the attacks can occur on Linux, Unix, and other platforms, they are most prevalent on Windows systems. In Windows, Pass the Hash exploits Single Sign-On (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols. When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), in Local Security Authority Subsystem (LSASS) process memory, in the Credential Manager (CredMan) store, in the ntds.dit database in Active Directory, or elsewhere. When a user logs onto a Windows workstation or server, they leave credential material derived from their password behind in these stores.
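    The detection the overview calls straightforward rests on the NTLM behaviour just described: a replayed hash shows up as an NTLM network logon that an account does not normally perform. The following is an added example, not code from the original article or from any vendor's XDR product; it assumes Windows Security 4624 events flattened to key=value text (the field names come from the 4624 event schema, the values and the flattened form are constructed), a SOC-maintained baseline of which source addresses each account logs on from, and a policy that administrator accounts authenticate with Kerberos only.

```python
"""Flag NTLM network logons that look like Pass the Hash (added example)."""
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (account, source address, reason)

# Constructed sample events, not real logs. Field names follow the Windows
# Security 4624/4625 event schema; every value here is invented for the demo.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.21
EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.21
EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.99
EventID=4624 TargetUserName=da_admin LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.99
EventID=4624 TargetUserName=da_admin LogonType=2 AuthenticationPackageName=Kerberos IpAddress=10.0.0.5
EventID=4625 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.99
"""

# Assumed SOC baseline: the source addresses each account is known to use,
# and the set of accounts that must only ever authenticate with Kerberos.
BASELINE: Dict[str, Set[str]] = {"jdoe": {"10.0.0.21"}, "da_admin": {"10.0.0.5"}}
PRIVILEGED: Set[str] = {"da_admin"}


def parse_event(line: str) -> Event:
    """Turn one 'key=value key=value' line into a dict (tolerates stray tokens)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def flag_pth(log: str, baseline: Dict[str, Set[str]], privileged: Set[str]) -> List[Finding]:
    """Return the successful NTLM network logons that deviate from policy or baseline."""
    findings: List[Finding] = []
    for line in log.splitlines():
        ev = parse_event(line)
        # Only successful (4624) network (type 3) logons matter: a failed logon
        # gave the attacker no session, and interactive logons are not the
        # lateral-movement pattern the article describes.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        # Kerberos logons are skipped by this rule; see the note below.
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user, src = ev.get("TargetUserName", "?"), ev.get("IpAddress", "?")
        if user in privileged:
            findings.append((user, src, "NTLM network logon by privileged account"))
        elif src not in baseline.get(user, set()):
            findings.append((user, src, "NTLM network logon from unseen source host"))
    return findings


if __name__ == "__main__":
    for account, source, reason in flag_pth(SAMPLE_LOG, BASELINE, PRIVILEGED):
        print(f"{account} from {source}: {reason}")
```

    Because the rule keys on the NTLM package, it says nothing about Kerberos; pair it with Kerberos encryption-type monitoring and with the XDR agent's memory-access telemetry rather than relying on it alone.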

    Attack Sources

    Pass the Hash attacks can only occur where authentication exchanges pass across the network. You should therefore ensure that all authentication traffic is protected.