Pass-the-hash attacks: Examples and prevention

After gaining access to the system, an attacker aims to expand their reach by targeting multiple systems within the same network (a malicious technique known as “lateral movement”).

Pass-the-hash attacks typically target businesses and organizations and can be carried out for various reasons, from stealing sensitive information to spreading malware. More often than not, the ultimate goal of pass-the-hash attacks is financial gain.

The main target of pass-the-hash attacks is typically organizations that use the Windows New Technology LAN Manager (NTLM). The NTLM is a Microsoft security protocol suite that authenticates users and keeps their activity confidential. NTLM authentication relies on single sign-on (SSO), meaning users can access multiple applications with a single set of login credentials. Most businesses use SSO tools to provide a streamlined experience for those working for the company.

However, the NTLM has several known password-hashing vulnerabilities. In NTLM authentication, passwords that the server and domain controller store are not “salted” (salting is a process where a random string of characters is added to a hashed password to increase its security). Because of this, malicious parties that have a user’s password hash don’t need anything else to log in and access the system.

While NTLM has mainly been replaced by more secure authentication systems (such as Windows 2000 and Active Directory), it remains a part of Windows systems for compatibility reasons. Some older devices running on Windows 95, 98, or NL 4.0 still use the NTLM protocol for authentication because they don’t support more modern protocols.

When talking about passwords, a hash is a cryptography technique that transforms your plaintext password (what you typed in) into a string of symbols. For example, the password “security123” may have the hash “192837465.”

This password will always generate the same password hash, and no matter how hard someone tries, there is no way to transform the hash back into the cleartext password. Hashing is an effective way to protect your passwords and authenticate accounts. Most systems won’t store your password in plaintext because it would be considered unsafe.

However, in pass-the-hash attacks, cybercriminals don’t need to decode hashed passwords — they can simply use them in their hashed form to access accounts, resources, and more. Let’s delve into how these attacks work.

A pass-the-hash attack has several stages, from stealing credentials to accessing network resources. Here’s a detailed explanation.

Step 1: Stealing user credentials

The first step in a pass-the-hash attack is getting hold of a user’s password so the attacker can access their account and extract the hashes. This stage may involve social engineering techniques (e.g., phishing) or keylogging. For example, the hacker may contact someone in an organization pretending to be from the IT team and get the user to “confirm” their username and password.

While pass-the-hash attacks typically involve this stage, they may also happen without it. For example, hackers may target systems they’ve already compromised or buy hashes on leaked credential databases.

Step 2: Extracting hashed password

Once the attacker gains access to the compromised account with the stolen credentials, they may use various techniques to extract password hashes. They may scrape the active memory of the compromised system or explore system files and configuration settings to find valid password hashes.

It’s common for hackers to use specialized hash-dumping tools to extract password information from a target computer or network. These tools typically store passwords in a specific format (such as the Windows Security Account Manager database).

Step 3: Using the hash to access systems

The final step in pass-the-hash attacks is using the stolen password hashes to access the system as legitimate users would. They never need the user’s password in actual form — just the hash is enough to log in and gain user access.

The attacker can impersonate the user from one system application to the next (known as lateral movement) while at the same time collecting more hashes (i.e., hash harvesting) across the network.

By gathering additional password hashes, attackers give themselves many potential ways back into the system. From the hacker’s perspective, it’s like having a backup plan with multiple backdoors. Let’s look at the ways hackers get hold of user credentials for pass-the-hash attacks.

Hackers can get users’ credentials in many ways, including social engineering attacks. Here’s a detailed overview of how they steal user information for a pass-the-hash attack.

Phishing attacks

Phishing involves someone trying to get details out of you by pretending to be a trustworthy entity (e.g., someone from the IT department). These attacks can also get users to complete actions, including updating their account information. If a hacker does it well, a phishing attack can become an effective first stage of a pass-the-hash attack.

Keyloggers

Keyloggers are software or hardware tools that record everything you do on a keyboard. Cybercriminals use them to collect various types of information, including passwords. Keyloggers can also be used in the first stage of a pass-the-hash attack.

Brute-force attacks

Brute force attacks are when hackers try every possible combination with the aim of correctly guessing your password. While it sounds difficult to do, using weak or common passwords makes brute-force attacks more than possible. The shorter the password, the easier it is to guess.

Mimikatz

Mimikatz is a tool that extracts credentials from Windows systems, including password hashes and plaintext passwords. While it was created for cybersecurity expert use, it has unfortunately become a popular tool among pass-the-hash hackers.

Pass the ticket

The Mimikatz tool can also be used for pass-the-ticket (PtT) attacks, where an attacker uses a stolen or fake Kerberos ticket to access computer systems. Kerberos is a computer network security protocol used for secure authentication and communication between devices. Attackers can get Kerberos tickets in many ways, e.g., stealing them from a hacked user’s computer or finding them in computer memory.

Overpass the hash

Overpass the hash, also known as pass-the-key technique, is when a hacker steals hashed passwords and the encryption keys that protect them. Typically, these keys are stored on the same system. When the attacker gets hold of them, they can decrypt the password hashes and actually read plaintext passwords. Fortunately, overpass-the-hash attacks are more difficult to carry out and are less common.

A successful pass-the-hash attack can have severe consequences, so knowing how to prevent it is key. Even though hackers typically target business and organization networks, it is the people in those organizations that usually provide the way in. Here are some main ways to prevent a pass-the-hash attack.

• Limit account privileges. Organizations should ensure that only the employees who absolutely need to access a resource can do so. The principle of least privilege (POLP) comes into place here — it’s a security practice where users have limited access rights based on their job roles. By adopting this principle, companies ensure their employees can complete their jobs without having access to the systems they don’t need.
• Privileged access management (PAM). PAM is a cybersecurity practice that focuses on controlling and monitoring access to privileged accounts within an organization. Privileged accounts are the ones with more permissions, e.g., senior IT management or administrative accounts. PAM solutions help companies to closely monitor these accounts and enforce strict rules to minimize the risk of breaches.
• Use strong passwords. If you care about your privacy and security, using strong passwords should be your ground rule. Using weak or short passwords makes it much easier for attackers to guess them and gain access to your accounts. Always use long, complex passwords or passphrases. Here’s more on passwords vs. passphrases.
• Enable multi-factor authentication. Organizations need to ensure that employees use two-factor authentication every time they want to log in. 2FA is an effective measure that can prevent attackers from logging in, even if they’ve somehow managed to steal a user’s credentials. Two-factor authentication is always a good idea — at work and on your personal accounts.
• Regularly patch and update systems. Installing regular updates is something every company and individual should do if they want to stay safe online. By installing updates and patches whenever possible or whenever they become available, you can make systems more secure and address vulnerabilities that PtH attacks could target.

Let’s look at some real-life examples of pass-the-hash attacks to understand the impact they can have. Here are some of the most well-known attacks where cybercriminals used pass-the-hash techniques.

• Target breach. In December 2013, the busiest time of the year for retailers worldwide, cybercriminals launched an attack on Target, one of the biggest American retailers. The attackers used various password attack techniques, including pass the hash, to breach and move through Target’s internal network. The breach exposed 40 million user credit and debit card accounts.
• Sony Pictures hack. In November 2014, a group of hackers compromised the Sony Pictures network and leaked some confidential data. The information included employee data, emails, and unreleased films and scripts. While the cybercriminals used several malicious techniques, pass the hash was one of the attack methods.
• U.S. Office of Personnel Management (OPM) breach. The OPM attack was one of the most significant cybersecurity breaches involving the U.S. government. During the breach, which took place in 2014 and 2015, hackers exposed the personal information of millions of federal government employees.

Here are some of the most frequently asked questions about pass-the-hash attacks.

What can hackers do with hashed passwords?

Hackers can cause significant damage to organizations and individuals with hashed passwords. If they successfully crack a hashed password, they may gain unauthorized access to user accounts and steal sensitive information. They may also use the stolen information for ransomware attacks, where the organization has to pay large sums of money to regain the sensitive data hackers have stolen and encrypted.

What are some indicators of a pass-the-hash attack?

Telling whether hashed passwords have been stolen can be tricky, but there are some signs to watch out for. If a pass-the-hash attack has occurred, you may see unusual account activity, multiple failed login attempts, or changed account privileges.