MITRE ATT&CK vulnerability spotlight: Pass-the-hash
Since the first appearance of pass-the-hash (PtH) in the nineties, this lateral movement tactic has been helping attackers leverage credentials to authenticate a user without having access to the user’s cleartext password.
This article will discuss what the PtH hacking technique is, some basic concepts to help novice hackers better understand how this attack works, how to detect PtH and how to defend against PtH, as well as providing some tips on how to mitigate this infamous authentication trick. This article will provide a high-level look at this hacking technique but will stay low-level enough to heighten your understanding of how PtH work.
MITRE and ATT&CK
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use.
What is pass-the-hash?
PtH is a hacking technique that authenticates a user even when the actor performing the technique does not have access to the user’s password. This is done through bypassing standard user authentication by moving the authentication directly to the portion of authentication that deals with the password hash.
More specifically, the technique steals the underlying NTLM or LanMan hash of the user’s password stored in stored in the Windows SAM file located in %SystemRoot%/system32/config/SAM. PtH is typically performed using tools such as Mimikatz and Metasploit.
A little on passwords
Not to “rehash” the issue (yes, pun intended), but to understand this hacking technique you first have to understand a little about passwords. When a user creates a password, this password is not sitting in some file on your computer in cleartext waiting to be used (what an attractive target for an attacker!). Rather, a hash is created which resides in an authentication server host; whenever the password is correctly used, the password is converted to a hash. The host compares this hash with the hash stored for the password and if they match the user is granted access. Simple, secure, effective.
Well, maybe not as secure as originally thought.
This hash may even lead to a talented hacker gaining access to the entire network if they are launching a systematic attack. This catastrophizing potentiality would work like this.
Let’s say there are ten machines on a network, where the attacker only has the hash for user 1 (using machine 1) and machine 10 is the only machine with access to the domain controller. The attacker can use user 1’s hash to authenticate to all connected machines and then will keep authenticating to different machines until they get to machine 10. At this point, the domain controller is in the proverbial crosshairs and your entire network has been placed at risk. This is the stuff of information security nightmares.
How to detect pass-the-hash attacks
The leading method to detect a PtH event is to audit logon and credential events for suspicious activity. Here is what a PtH event looks like when auditing a situation where there is a lateral movement between machines:
- Looking at Microsoft Event Security Logs, you find either Microsoft Event Security Log ID 4624, or 4624 in conjunction with 4740 (lockout)
- Event level is information
- Authentication is NOT a domain and not anonymous
- Security ID is null
Another way to detect PtH is to use an intrusion detection system (IDS). The key to the IDS approach to detection is that you will not be detecting the initial PtH contact on your network. Rather, you will be better able to determine what actions attackers take once inside your network. When you can determine the next steps attackers will likely take, you can be much more effective in detection and better positioned to appropriately respond.
How to defend against a pass-the-hash attack
There are several methods you can use to defend a network against a PtH attack, although the best approach would be a layered approach where multiple methods are employed.
- Isolation of machines with sensitive information: This should be done at all times. Make use of tight firewall and router configurations to ensure only trusted hosts have access to this information
- Two-factor authentication: Relying on a traditional password is, in many ways, the way of the past. Enforcing two-factor authentication method will be the most effective way of stopping this lateral movement technique
- Restrict administrator access: Make sure that only employees who need the administrator password have it and change the administrator password frequently
Mitigation of pass-the-hash attacks
Cyberattacks happen daily and unfortunately, they may include the PtH attack you are trying to defend against. Below are some tips to help you better mitigate PtH.
- Eliminate overlapping credentials, permissions and account access
- Apply Microsoft patch KB2871997, which will limit default access of local administrator accounts
- Eliminate local administrator accounts (where appropriate)
- Change all passwords frequently and use a stringent password policy
- Use GPO to apply UAC restrictions to local account network logons
The pass-the-hash attack uses a weakness of Microsoft where passwords in a Windows environment are not salted. This does not just give attackers the key to one machine, but rather the keys to the kingdom in many cases.
The sad point about this whole thing is the fact that this type of attack is as much a legitimate threat today as it was in 1997. The best way to handle a PtH attack is to act proactively and apply the defense and mitigation techniques explored above before a PtH attack happens to you.