What is a Pass the Hash Attack?
Today, passwords are the most widely used security control. Attacks such as dictionary and brute-force attacks can be used to crack these passwords and recover them in plain text. However, an attacker does not always need the plain-text password to break into a system: it is also possible to authenticate using only the hashed form of the password, the value produced by passing the password through a hash function. Such attacks are known as Pass the Hash. The pass the hash attack was first described by researcher Paul Ashton in 1997. Its purpose is to let the attacker access a system using password hashes, without ever obtaining the unencrypted passwords, and then move laterally within the domain and escalate privileges.
How to Make a Pass the Hash Attack?
In Windows systems, user authentication passwords are stored in hashed form using the NT Hash algorithm. After gaining privileged access to a system, the attacker first aims to obtain the LM or NTLM hashes kept in memory.
LM: A legacy password hash that was used in older Windows systems. It is no longer actively used today, but it is still supported to avoid incompatibilities with old systems.
NTLM: The password hash currently used in Windows systems; it fixes the weaknesses of LM.
Various tools are used to obtain password hashes; mimikatz is one example. We covered this tool in detail in our earlier article What is Mimikatz? (https://www.infinitumit.com.tr/mimikatz-ssp-nedir-2/). Once attackers obtain these password hashes, they can access the system even without the clear-text password, and then escalate their privileges. Attackers can establish a foothold in the system as an existing user, without creating a new one.
Precautions Against Pass the Hash Attack
Measures can be taken to protect against Pass the Hash attacks. The foremost of these is to provide awareness training to employees.
- Authorizations given to users should be audited and regulated.
- NTLMv2 or Kerberos should be preferred over LM and NTLM.
- Highly privileged accounts should not be used to log on to end-user computers.
- Activities and log records should be monitored.
- Authentication on critical systems must be done with 2FA.
- Inactive user accounts should be checked.
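As an added illustration of the "monitor log records" and "prefer NTLMv2 or Kerberos" precautions (example code written for this article, not a tool from Infinitum IT), the helper below triages Windows Security event 4624 (successful logon) records and flags the NTLM network logons that hash-based authentication typically produces. The record layout, the privileged-account set, the workstation list and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass

PRIVILEGED = {"da_admin"}          # hypothetical tier-0 accounts
WORKSTATIONS = {"WS01", "WS02"}    # hypothetical end-user hosts

@dataclass
class Finding:
    account: str
    source: str      # WorkstationName: where the logon came from
    target: str      # Computer: host that wrote the event
    reason: str

def review_logon(ev):
    """Return a Finding for a 4624 record that looks like NTLM hash-based use, else None."""
    if ev.get("EventID") != 4624:
        return None
    # Only NTLM network logons (LogonType 3) are in scope; Kerberos is ignored here.
    if ev.get("AuthenticationPackageName") != "NTLM" or ev.get("LogonType") != 3:
        return None
    reasons = []
    if ev.get("LmPackageName") == "NTLM V1":
        reasons.append("NTLMv1 still accepted")            # should be NTLMv2 or Kerberos
    if ev.get("TargetUserName") in PRIVILEGED:
        reasons.append("privileged account over NTLM")      # admins should not use NTLM
    if ev.get("WorkstationName") in WORKSTATIONS and ev.get("Computer") in WORKSTATIONS:
        reasons.append("workstation-to-workstation lateral logon")
    if not reasons:
        return None
    return Finding(ev["TargetUserName"], ev["WorkstationName"], ev["Computer"],
                   "; ".join(reasons))

def triage(events):
    """Run review_logon over a list of records and keep only the findings."""
    return [f for f in (review_logon(e) for e in events) if f is not None]

# Constructed sample events (field names follow the 4624 event schema).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "jdoe", "WorkstationName": "WS01", "Computer": "SRV01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe", "WorkstationName": "WS01", "Computer": "SRV01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe", "WorkstationName": "WS01", "Computer": "WS02"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "da_admin", "WorkstationName": "WS01", "Computer": "SRV01"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first two records (a Kerberos logon and an ordinary NTLMv2 file-server logon) are left alone; the workstation-to-workstation logon and the NTLMv1 logon by a privileged account are reported for follow-up.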
This type of attack is also a commonly used technique in penetration testing. Our video Is Your Active Directory Environment Secure? (https://www.youtube.com/watch?v=TqxvgOunCyI&ab_channel=InfinitumLabs), available on the Infinitum IT YouTube channel, covers this attack and its precautions in detail.