From LedHed's Wiki

Overview

Pass the Hash (PtH) is the process of using an NTLM password hash in place of a user's credentials (username/password). It is a technique commonly used by hackers and penetration testers to gain access to resources. PtH is attractive to attackers because it doesn't require the password to be cracked (brute-force cracking a long, complex password can take time).


PtH steps

  1. The attacker obtains Local Admin rights to a domain computer by getting the victim to execute malicious code (from a website, email, or application). This malicious code exploits vulnerabilities in unpatched operating systems or applications. In rare cases the code takes advantage of zero-day exploits where no patch is available. With Local Admin credentials, the attacker obtains password hashes from the local SAM database, looking for a privileged account hash (Domain Admin, for example).
  2. If a privileged account hash is not in the local SAM database, the attacker uses the obtained hashes to connect to other computers on the network and exploit their local SAM databases. This is known as "Lateral Movement". The attacker continues this process until they find a privileged account hash.
  3. Once a privileged account hash is obtained, the attacker has accomplished "Privilege Escalation". This allows the attacker access to sensitive information such as credit card numbers, Personal Health Information, employee records (SSNs, birth dates, ...), or intellectual property.

Note: Domain Admin, Enterprise Admin, and similar accounts are the most desirable to attackers because they typically grant access to all domain-joined computers. Other privileged accounts are also desirable, such as DBA accounts and mail admin accounts, just to name a few.


Mitigation

  • Install Windows 10 and enable Device Guard & Credential Guard.
  • Install a reputable Antivirus and keep it updated.
  • Install OS and Application updates regularly.
  • Use AppLocker.
  • Require password changes as often as possible. At least every 90 days for end users and more often for high privilege accounts such as Domain Admins, Server Operators, and Support Desk.
  • Employ the Principle of Least Privilege.
  • Disable cached logons for workstations (this may not be ideal for laptops).
  • Don't allow end users to be Local Admins.
  • Require a unique password for every computer's Local Admin account (Use LAPS).
  • Require System Admins to be standard users, and have separate accounts for Domain and Server administration tasks.
  • Don't allow Domain Admins to log in to workstations or servers (only Domain Controllers).
  • Don't allow Server Operators to log in to Domain Controllers or workstations.
  • Prevent Privileged accounts from accessing the internet or email.
  • Harden workstations and servers using Security templates like the ones provided by The Center for Internet Security. CIS Benchmarks can be found here.
  • Use Remote Management Tools that don't leave a password hash on the remote computer (RSAT, MMC, PowerShell). Remote Desktop leaves hashes on remote computers.
  • Firewall critical servers (like Domain Controllers) so that remote access and management are only allowed from Privileged Access Workstations. See PAW.
  • ...
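
A read-only check of a single host against three of the mitigations listed above (cached logons, Local Admin membership, Credential Guard), as an added PowerShell example that is not part of the original wiki page. The function name Get-PthMitigationStatus is hypothetical; it assumes Windows 10 or later, Windows PowerShell 5.1, and an elevated session.

```powershell
# Added example: read-only audit of one Windows host. Nothing is changed.
function Get-PthMitigationStatus {   # hypothetical name, not a built-in cmdlet
    [CmdletBinding()]
    param()

    # 1. Cached logons: CachedLogonsCount is a REG_SZ; "0" disables caching.
    #    When the value is absent, Windows falls back to its default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                   -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # 2. Local Administrators, addressed by well-known SID so the lookup
    #    also works on non-English installs. The cmdlet can throw when the
    #    group holds orphaned SIDs, so treat a failure as "unknown".
    $admins = $null
    try {
        $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    } catch {
        Write-Warning "Could not enumerate local Administrators: $_"
    }

    # 3. Credential Guard: SecurityServicesRunning contains 1 when active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CachedLogonsCount      = [int]$cached
        CachedLogonsDisabled   = ([int]$cached -eq 0)
        LocalAdmins            = if ($null -ne $admins) {
            $admins | ForEach-Object {
                '{0} [{1}, {2}]' -f $_.Name, $_.ObjectClass, $_.PrincipalSource
            }
        } else { 'unknown' }
        CredentialGuardRunning = $cgRunning
    }
}

$status = Get-PthMitigationStatus
$status | Format-List
if (-not $status.CachedLogonsDisabled)   { Write-Warning 'Cached logons are enabled.' }
if (-not $status.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running.' }
```

Review the LocalAdmins output by hand: any end-user account or domain group listed there works against the "Don't allow end users to be Local Admins" item.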


Reference

https://technet.microsoft.com/en-us/security/dn785092