Pass the Hash attack -who's problem is it anyway?


This intro is purely for people who are not from information security and have not heard of this attack, although that's rare. So straight from the Microsoft  pass the hash whitepapers.


What is the PtH attack? The Pass-the-Hash (PtH) attack and other credential theft and reuse types of attack use an iterative two stage process. First, an attacker must obtains local administrative access on at least one computer.. Second, the attacker attempts to increase access to other computers on the network by:

1. Stealing one or more authentication credentials (user name and password or password hash belonging to other accounts) from the compromised computer.

2. Reusing the stolen credentials to access other computer systems and services. This sequence is often repeated multiple times during an actual attack to progressively increase the level of access that an attacker has to an environment.


Why we are talking about hashes, once again from white paper


A password hash is a direct one-way mathematical derivation of the password that changes only when the user’s password changes. Depending on the authentication mechanism, either a password hash or a plaintext password can be presented as an authenticator to serve as proof of the user’s identity to the operating system


Some Back Ground Now

While preparing for a security certification some time back, I studied about cryptography. I loved the interesting details of one way hashes, the way they are created  and that they are one way and cant be reversed.Although there is something called birthday attack, that can happen to them, which is in fact about a chance that two numbers can have same hash. Initially I thought its something really strong and unbreakable. My friend Junaid who was my team mate, this is when we were not part of the IR(incident Response ) team. Junaid told me he had heard that these hashes can be broken and they get stolen through a attack called pass the hash.  I could not believe when he said hashes were breakable and there was something called pass the hash attack. After hearing about it, I really got curious and read about it. Found huge material about it, our internal as well as on the internet explaining it.

Why I am writing about it ? What's the point ?

Usually, if  we are talking about it, in an incident response scenario, this means couple of things, this is a targeted attack. A targeted attack has few stages and this stage is, in which  the attacker is already inside the network and trying to get passwords of high privilege or administrator's passwords, to get control over the most important assets of an organisation they are attacking. This attack has huge history and there is so much written about it, but still not many have heard of it. The pass the hash whitepapers from Microsoft is really detailed document. It explains what is this attack. what are the Risk factors and then provides detailed mitigation steps. Irony is that when document is really detailed and structured and little on lengthier side, Some People do not actually read it. But if We are really serious about mitigating it, in our network environment then we should read it thoroughly.

A myth or wrong perception that "This is only related to windows environment, Linux based machines don't have this problem"

I had a discussion around this myth with someone .I  provided detailed answers to them, explaining that its lateral issue of a luxury requirement which has become necessity called "single sign on" and not a Bug, that any OS vendor shall fix it. Its a universal problem and not just windows or Linux problem.This problem is operating system independent i.e. pass the hash attacks happen on all operating systems .Since most organisations are on windows domain, more you hear about it in relation to windows domain. There is another fact, this happens only when best security practices are not followed as given in whitepaper. 

So what is single sign on?

 I once asked this question to a very senior colleague in our Edge team during our WAP training sessions(a completely different topic).  Answer I got was, depends on scenario and then explanation(keeping ADFS in picture) of those scenarios was quite long.

But I will make it easy and according to our context. I will explain it the way I explained to one of network admins, who were discussing this issue with me. Explanation, which is very simple is, if a user logs on to his machine, in the domain network, then tries to access  printer on the network or files on fileserver at that moment, if we remove single sign on from the picture, every time this user tries to access these and other such network resources, she will get authentication prompt, to enter her credentials to access that resource. These days most of such resources are on the network and not local to machine. So it will make a user's life really difficult, if she has to enter the credentials every time she accesses a resource on the network.

Process or Service that helps in single sign on

In windows operating system, there is a service or process called LSASS, which stores the logged on user's password hash in its memory, it uses it when logged on user tries to access an resource on the network , user is asked for credentials. LSASS provides this password hash behind the scenes and user is not even aware of this. So this single sign on happens without the users knowledge.He keeps accessing network resources without getting prompted for authentication. Sweet!!

That's what attackers know as well.They use various techniques discussed in the pass the hash attack whitepaper, to get a regular(non power/non admin) user's credentials.One of the technique is called phishing, which is used  for credential theft . So  by using such a technique attacker gets the credentials of a user and then elevate his privilege. Then they install tools like mimikatz or WCE , then get hold of logged on users password hashes as well as Kerberos tickets . Then make lateral network movement with high privileged account credentials, to get control over the more important assets of the organisation. Then they kind of own the precious resources on the network.

A question, Can we do something with LSASS to not remember or cleanup the logged on users credentials after log off?

Answer to that is, yes we can, Following article

in following section explains it

LSA Credential Cleanup & Other Changes

a. Removal of credentials after logoff

As outlined in Microsoft’s Pass-the-hash whitepaper, Windows caches the credentials of a user in the LSASS process whenever the user logs in. This includes the user’s clear-text password, the users NT/LM password hash, and the users Kerberos TGT/Session key. When the user logs off, the credentials should be cleared out of memory. Prior to this update, this was not always the case. This issue preventing credentials from being cleared is now fixed, credentials will always be cleared from memory after a user logs off.


As we know its like a Cat and mouse game between attackers and security professionals defending against them, Microsoft has added another feature called LSASS protection explained in following article

 Relevant excerpts from the article are below

What is LSASS protection?


This topic for the IT professional explains how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1, but it cannot be configured in Windows RT 8.1. When this setting is used in conjunction with Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

How you can enable it ?


To enable LSA protection on a single computer

1.            Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

2.            Set the value of the registry key to: "RunAsPPL"=dword:00000001.

3.            Restart the computer.


To enable LSA protection using Group Policy


  •          Open the Group Policy Management Console (GPMC).
  •          Create a new GPO that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.
  •          Right-click the GPO, and then click Edit to open the Group Policy Management Editor.
  •          Expand Computer Configuration, expand Preferences, and then expand Windows Settings.
  •          Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.
  •          In the Hive list, click HKEY_LOCAL_MACHINE.
  •          In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.
  •          In the Value name box, type RunAsPPL.
  •          In the Value type box, click the REG_DWORD.
  •          In the Value data box, type 00000001.
  •          Click OK.

As i said earlier, white paper is still the key. Why ? lets assume even after following above steps , if an attacker using phishing attack is able to get a user’s credentials. Then attacker is able to get to a user’s machine on the domain ,then elevates his privileges, if organisation is not following security best practices explained in pass the hash white paper. Attacker then can install tools like mimikatz or WCE(windows credentials editor), then using them monitor and possibly get and save hashes of logged on user.

So it becomes really important to follow the mitigations mentioned in pass the hash whitepaper to be secure.

Disclaimer : These are purely My thoughts and this document is still work in progress, as I would keep adding either parts to series or adding to this document. There are important discussions about Local admin account and common password usage for it and making life easy for an attacker, to make lateral movement and Irony of admins who need such a thing to manage their things easily . That there is an awesome solution to that problem called SLAM solution, I will write about it later.

Comments (0)

Skip to main content