Pass the hash attack prevention

A pass the hash (PtH) attack is an online exploit in which a malicious actor steals a hashed user credential — not the actual password itself — and uses the hash to trick the authentication mechanism into creating a new authenticated session within the same network.

A pass the hash attack doesn’t end once the new authenticated session is created. The attacker’s goal with that initial “spoofed” session is to allow for lateral movement. Lateral movement means that the malicious actors use the hashed credential to extract more information and credentials to move laterally between devices and accounts. They do this in the hopes of escalating their user permissions to access critical systems, like the network administrator account. And that’s when the real fun begins…

There’s a lot to unpack from those first two paragraphs. And we’re going to do just that. This article looks at what pass the hash attacks are, how they work, and what you can do about them.

How do pass the hash attacks work?

Hashes

To understand how a pass the hash attack works, we first need to understand what hashes are and how they’re used in Identity and Access Management (IAM) systems and information security in general. A hash function is a mathematical function that converts a string of data of any length into a fixed-length value, the hash.

There are several different hashing algorithms, though Argon2i is often the go-to for hashing passwords. As an example of hashing in practice, we’ll use an Argon2 generator to convert the password “catonmat” to a hash value. This gives:

$argon2i$v=19$m=12,t=3,p=1$ZnpybTRjbmhiMjQwMDAwMA$4L2KRgQemvI9btAfhw7HUg

Hashing is a one-way function in that the hash cannot be “decrypted” to reveal the original string. Hashes are used to validate passwords, among other things.

When you log into a system, it runs the same hash function used when you first created your login credentials. If the resulting hashes match, the system authenticates you. For example, suppose your password is “Fido123” (that’s a terrible password, by the way). That password’s hash — using the Argon2i hash function — would be:

$argon2i$v=19$m=12,t=3,p=1$cnNmMWJqbDNybzAwMDAwMA$QRgRlvxsr9PN16bjRRChug

As far as the authentication mechanism is concerned, your password is

$argon2i$v=19$m=12,t=3,p=1$cnNmMWJqbDNybzAwMDAwMA$QRgRlvxsr9PN16bjRRChug

rather than “Fido123.”
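To make the enroll-then-verify flow above concrete, here is an added Python example; it is not code from the original article. Argon2 is not in Python’s standard library, so it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in for Argon2i. The `$pbkdf2-sha256$...$` record format is modelled on the Argon2 string shown above and, like the iteration count, is an assumption of this example. The point is the same as the article’s: the system stores only the salted hash, re-runs the same function on what the user types at login, and compares the results.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example (not the article's code): salted password hashing at
# enrollment and verification at login. PBKDF2-HMAC-SHA256 stands in for
# the article's Argon2i because Argon2 is not in the standard library.
ITERATIONS = 600_000  # assumption: a typical PBKDF2 work factor


def _b64(data: bytes) -> str:
    """Unpadded base64, mirroring the style of the Argon2 string in the article."""
    return base64.b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password at enrollment. Only this record is stored; the
    password itself never is."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format is an assumption of this example, not a required standard.
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(candidate: str, stored: str) -> bool:
    """At login: read salt and work factor back out of the stored record,
    re-run the same hash on the typed password, and compare in constant time."""
    try:
        _, scheme, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha256":
        return False
    salt = _unb64(salt_b64)
    expected = _unb64(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("Fido123")
    print(record)
    print(verify_password("Fido123", record))  # True
    print(verify_password("fido123", record))  # False
```

Note that this verifier needs the plaintext password as input, so replaying the stored record to it achieves nothing. The pass the hash problem arises in protocols such as NTLM, where the stored hash itself is the secret used to prove identity, so whoever holds the hash can authenticate.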

Hashes provide security benefits because they prevent storing credentials in plain text. The password “Fido123” will never be saved to the system. Hashes are also practical for Single Sign-On (SSO) systems. Once a user has logged in to the network, the SSO system can use the username and password hash combination to continuously authenticate them as they go about their work and log into other applications and servers.

That all sounds great, but there are issues. Suppose a malicious actor can access the hash; they can then use it to impersonate the user across the SSO environment and create authenticated sessions in their name.

Not only that, but any remote users that log into that machine will have their hashes stored in the system. If the system administrator happened to have logged into that machine, there’s a very valuable hash stored in that machine’s memory.

Either way, the attacker can pass the hash from one login to another. They can then harvest other hashed passwords they find as they move from application to application and from machine to machine. And each new machine may be loaded with valuable hashes. With hash harvesting and lateral movement within the network, the attacker could gain access to the most critical parts of your IT infrastructure.

Microsoft Windows is more at risk

While pass the hash attacks can technically occur on any operating system, they’re more common on Microsoft Windows systems. In Windows, pass the hash attacks can exploit Windows’ implementation of SSO through LAN Manager (LM), Kerberos, and other authentication protocols. When a user creates a password in Windows, the password itself isn’t stored; it’s instead hashed, and the hash is stored on the local machine.

Attackers can obtain hashes through scraping a system’s active memory, infecting a machine with malware, and other techniques.

Possible attack flow

  1. The attacker compromises a low-level workstation through phishing, malware, etc.
  2. The workstation contains hashes used for the current user as well as other users that may have logged into the workstation directly or remotely. The attacker extracts all of these hashes from memory. But notably, they don’t find the domain administrator’s hash.
  3. The attacker then uses PtH to log in to every other workstation for which they obtained a hash. That is done automatically and is referred to as a hash spray attack.
  4. As the above happens, a list of local and domain account hashes will be extracted.
  5. Eventually, with some luck, one of the workstations will have a privileged domain account hash in memory which will be used to gain access to databases, file servers, and domain controllers.

Pass the hash attacks tend to be one of the more successful online attacks. One of the reasons for this high success rate is that the attacker doesn’t need to trick a member of your IT team into compromising their credentials. They simply need to find a way to compromise a device or user account within the network. This can be done through a phishing campaign or by otherwise infecting a user with malware.

If your IT administrator enters their privileged account credentials onto your machine, their password will be stored in memory as a hash even if connecting remotely. If an attacker can compromise and access your device, they will be able to capture the IT admin’s hash. They’ll then be in a position to create an authenticated session masquerading as the systems administrator without ever needing to know their actual password.

Risks of pass the hash attacks

The risks of pass the hash attacks are difficult to quantify. Actually, they may be difficult to quantify because they’re too easy to qualify – if that makes any sense at all…

Because a pass the hash attack’s potential for damage is tied to the permissions level of the compromised credentials (the stolen hashes), the risks could be almost anything, from data loss to complete takeover and everything in between.

That includes, but isn’t limited to:

And the list goes on…

Real-world pass the hash attack example

Eletrobras & Copel

In February 2021, Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two major Brazilian electric utilities companies, announced that they fell victim to ransomware attacks. The ransomware attacks were made possible by a pass the hash attack.

Malicious actors were able to extract password hashes from the Active Directory (AD) database — specifically, the NTDS.dit file. Once the attackers had the hashes in their possession, they proceeded to move laterally through the user permissions chain until they could extract hashes that had permissions elevated enough to pull off the ransomware attack.

How to mitigate pass the hash attacks

The way to mitigate the risks of pass the hash attacks is different for users than for System Administrators. We’ll provide tips for both.

For System Administrators

Pass the hash attacks are challenging to detect and prevent because they use legitimate network protocols and credentials. Hence, your best bet is to make it harder for the compromised accounts to be used for lateral movement and permissions escalation.

Enable Windows Defender Credential Guard

Windows Defender Credential Guard is a security tool included in Microsoft Windows 10 and above that can be used to mitigate pass the hash attacks. It hardens the Local Security Authority Subsystem Service (LSASS) — a Windows process that enforces the security policy on the system — by running the process within a secured sandbox using virtualization.

Disable LAN Manager (LM) hashes

Windows stores passwords using an LM hash and a Windows NT hash. According to Microsoft, the LM hash is weaker than the Windows NT hash and is vulnerable to brute force attacks.

Limit the number of accounts with admin rights

Administrative privileges are required to extract hashes from LSASS, so limiting the number of admin accounts within your organization just makes sense. The fewer admin accounts you have, the harder it will be to pull off pass the hash attacks over your network.

Don’t use Remote Desktop Protocol (RDP) to manage user workstations

Many RDP applications keep copies of your hashes, expanding your attack surface to pass the hash attacks. In one experiment, researchers created an exposed RDP honeypot and recorded approximately 3.5 million login attempts over three months. The lesson is: use a console tool that allows you to connect to remote computers rather than using RDP.

Designate hardened admin machines

Always have admins performing admin tasks from highly secure, trusted computers to further limit your attack surface.

Use Microsoft Local Administrator Password Solution (LAPS)

LAPS is another native Windows security tool that you can enable to make sure that the local admin account uses a different complex password for every computer it logs into. It makes lateral movement much more difficult for an attacker.

Put firewall rules in place to prevent pass the hash attacks

Of course, you should be using a firewall. But you want to make sure to use it in a way that mitigates pass the hash attacks. While many, if not most, users within your organization may need to connect to remote file servers and domain controllers, they typically don’t need to connect to other end-user devices. Make sure to configure your firewall with rules to prevent these lateral connections. That will also make lateral movement more difficult for the attacker.

Provide security awareness training

Security training for your staff will help you mitigate pass the hash attacks, as well as many other types of attacks. In terms of explicitly mitigating pass the hash attacks, such training will help your users spot the initial phishing email or other social engineering techniques used to obtain the first set of credentials needed for network access. The better prepared your staff is, the lower the risks of pass the hash attacks.

Limit domain admin account permissions

You want to limit domain admin account permissions to domain controllers and delegate other admin functions to other accounts. That will limit the value of a compromised account. Also, don’t allow any single user to be the local administrator of multiple systems.

Use a security information and event management (SIEM) system

A security information and event management (SIEM) system will allow you to monitor authorization and access logs and detect unusual patterns of activities that could indicate an account compromise. The sooner a breach is detected, the less damage it can do.
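As an added example of the kind of rule a SIEM would run (this is not code from the original article), the Python below reads a constructed export of Windows Security log 4624 (successful logon) events and flags two of the patterns described earlier: the hash spray from the attack flow, where one account opens NTLM network logons to many hosts in a short window, and a privileged account logging on to an end-user workstation, which leaves its credential material in that workstation’s memory. The CSV column order, the sample accounts, hosts and addresses, the thresholds, and the `WS-` naming convention for workstations are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Added example (not the article's code). Constructed sample export of
# Windows Security log entries; EventID 4624 = successful logon. The CSV
# column order is an assumption of this example, not a native Windows format:
#   time, event_id, account, target_host, logon_type, auth_package, source_ip
SAMPLE_LOG = """\
2024-03-01T08:02:11Z,4624,bob,WS-10,3,NTLM,10.0.1.50
2024-03-01T09:50:00Z,4624,jdoe,WS-01,2,Kerberos,-
2024-03-01T09:58:10Z,4624,alice,FS-01,3,Kerberos,10.0.1.15
2024-03-01T10:00:05Z,4624,jdoe,WS-02,3,NTLM,10.0.1.40
2024-03-01T10:00:07Z,4624,jdoe,WS-03,3,NTLM,10.0.1.40
2024-03-01T10:00:12Z,4624,jdoe,WS-04,3,NTLM,10.0.1.40
2024-03-01T10:00:20Z,4624,jdoe,WS-05,3,NTLM,10.0.1.40
2024-03-01T10:00:33Z,4624,jdoe,WS-06,3,NTLM,10.0.1.40
2024-03-01T10:00:41Z,4624,jdoe,WS-07,3,NTLM,10.0.1.40
2024-03-01T10:15:02Z,4624,alice,DC-01,3,Kerberos,10.0.1.15
2024-03-01T11:05:44Z,4624,svc-domadmin,WS-07,3,NTLM,10.0.1.40
2024-03-01T13:30:19Z,4624,bob,WS-11,3,NTLM,10.0.1.50
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    account: str
    host: str
    logon_type: int      # 2 = interactive, 3 = network, per Windows logon types
    auth_package: str    # e.g. NTLM or Kerberos
    source_ip: str


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the CSV export, keeping only successful logons (4624), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host, ltype, pkg, src = line.split(",")
        if event_id != "4624":
            continue
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 account, host, int(ltype), pkg, src))
    return sorted(events, key=lambda e: e.time)


def detect_hash_spray(events: List[LogonEvent], min_hosts: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag an account whose NTLM network logons (type 3) reach at least
    `min_hosts` distinct hosts within `window`. One alert per account."""
    by_account: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type == 3 and e.auth_package.upper() == "NTLM":
            by_account[e.account].append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):  # slide a window forward from each logon
            in_window = [e for e in evs[i:] if e.time - start.time <= window]
            hosts = sorted({e.host for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "ntlm_hash_spray", "account": account,
                               "hosts": hosts,
                               "source_ips": sorted({e.source_ip for e in in_window}),
                               "first": start.time, "last": in_window[-1].time})
                break
    return alerts


def detect_privileged_on_workstation(events: List[LogonEvent], privileged: Set[str],
                                     workstation_prefix: str = "WS-") -> List[dict]:
    """Flag privileged accounts logging on to end-user workstations; such a logon
    leaves the account's credential material in that workstation's LSASS memory."""
    return [{"rule": "privileged_logon_to_workstation", "account": e.account,
             "host": e.host, "time": e.time, "source_ip": e.source_ip}
            for e in events
            if e.account in privileged and e.host.startswith(workstation_prefix)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_hash_spray(evs) + detect_privileged_on_workstation(evs, {"svc-domadmin"}):
        print(alert)
```

In a real deployment the threshold and window are tuned to the environment: a help-desk account that legitimately touches many machines will need either a higher threshold or an allow list, and the privileged-account list should come from the directory rather than being hard-coded as it is here.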

Automate frequent password changes for system admins

Frequently changing your admin credentials makes pass the hash attacks much harder to pull off. This practice limits an attacker’s window of time to do severe damage if they manage to obtain the admin’s hash.

Block NTLM over SMB

In 2023, Microsoft added a new Windows 11 feature that lets admins prevent pass the hash attacks by blocking outbound NTLM over SMB using Group Policy and PowerShell. This prevents users’ hashed passwords from being sent to a remote server hosting the SMB share.

For users

These are primarily common-sense tips that can help you avoid various online threats. However, the first three points are directly related to mitigating pass the hash attacks.

  • Log out and reboot your computer – When you’re done using your computer, log out of your session and reboot the machine. That will clear the hashes from memory.
  • Don’t open attachments in emails without knowing who the sender is and confirming with them that they sent you the email in question and they know what the attachment is.
  • Don’t click links (URLs) in emails unless you’re sure you know who sent the URL, what its destination is, and that the sender is not being impersonated. Even then, make sure to scrutinize the link. Is it an HTTP or an HTTPS link? The overwhelming majority of legitimate sites use HTTPS today. And of course, check the link for incorrect spelling (faceboook instead of facebook or goggle instead of google). If you can get to the destination without using the link, you should do that instead.
  • Use an antivirus program. And only buy well-reviewed and genuine antivirus software from legitimate vendors. Keep your antivirus updated and run scans regularly.
  • Keep your operating system updated. The latest OS updates contain the latest security patches. Make sure they’re installed as soon as possible.
  • Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market provide a built-in NAT firewall. Make sure these are enabled. They may well protect your system if you click a malicious link.
  • Never click on pop-ups. Ever. You never know where they’ll take you.
  • If your browser displays a warning about a website you are trying to access, take the warning seriously and get your information elsewhere. If you clicked a link that was sent to you by email or SMS, it might be sending you to a malicious site to retrieve an infected file. Don’t be too quick to disregard your computer’s warning prompts.

Wrap-up

So that’s the deal with pass the hash attacks. They’re rather nasty because they’re difficult to detect and stop – they use valid credentials to do their damage. By being aware of the attacks and implementing the above tips for both System Administrators and the organization’s workforce, you can effectively lower your odds of falling victim to such an attack.

As always, stay safe (and protect your hashes).