By Lesley Kipling, Forensic Security expert, Microsoft Global Business Support
Hi, Lesley here from the customer facing Security Incident Response team at Microsoft.
We wanted to take some time out to discuss the prevalent Pass-the-Hash (PtH) attacks we’re seeing and to highlight all of the information we have published around this threat – with more on its way – so you can protect yourselves and your business.
So, what is a hash and why do we care? Windows never stores clear-text passwords on disk; instead it stores the output of a one-way mathematical process in which a cryptographic algorithm converts the clear-text password to its hash value. Exactly which algorithm is used and how many iterations of the function are performed depends on the authentication mechanism being used in Windows; more detail here.
Because of this, the original attacks on passwords consisted of attempting to crack them, guess them or even just asking for them. The latter involves the techniques of social engineering, which many consider to be the greatest threat to information technology security, as it uses deception to target a system’s most vulnerable component: its users. Cracking is where an attacker will try methods such as brute-force guessing, pattern matching or a dictionary attack to expose the clear-text password in order to impersonate a user and gain unauthorised access to a system. These attacks led to the great debate of passphrases vs passwords, but that is one we won’t get into here as there is a full discussion elsewhere. Then along came the type of attack that renders the debate, if not quite pointless (the old techniques haven’t gone away), at least a little redundant. This was the arrival of Pass-the-Hash attacks, which ushered in a new era of script kiddie attacks. Put simply, attackers do not need access to our passwords; in most cases replaying the hash of that password will achieve their goal, and without all that guessing, cracking, and general skull sweat. Now, if you can’t crack it, you can just pass it.
To be clear though, in order to be able to perform this style of attack, the attacker must already have administrative access to the system on which the hashes are stored, making Pass-the-Hash a post-exploitation attack. This means the attacker still has to work out how to compromise the system initially but, once in with the requisite privileges, elevation to domain or enterprise administrator is normally just a matter of time where poor administrative controls have been implemented. For example, if a domain administrator logs on to any workstation using this highly privileged account, and that workstation is compromised, then the potential for full Active Directory compromise has been realised.
How do you protect yourself against this attack? Good credential hygiene is essential. Strictly limit the number of highly privileged accounts in a domain and audit their use. Never log on to a production machine as administrator except when maintenance requires it. Ensure that domain administrator accounts only log on to domain controllers, only when required to perform administrative tasks, and even then only for the time required to perform that task. Do not set every local administrator account to the same password, and consider the security concerns of using Group Policy Preferences detailed here. Another important consideration is to keep your systems up to date with updates and, in the context of this discussion, especially those that address local privilege escalation.
All of these mitigations have one primary purpose, and that is to limit the potential for elevation of privilege. For a full overview of PtH attacks take a look at the whitepaper here. Although PtH may not be the number one security risk to Active Directory environments, lateral movement and poor credential hygiene eventually lead to elevation of privilege inside Active Directory, and that is.
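As an added illustration of the auditing recommended above (example code written for this post, not Microsoft's own tooling): the script below scans constructed, flattened 4624 logon records and flags any domain-admin logon to a host that is not a domain controller using a logon type that leaves reusable credentials on that host. The account names, host names, field layout and the set of credential-caching logon types are this example's assumptions.

```python
from dataclasses import dataclass

# Logon types that create a full logon session on the target host and so leave
# reusable credential material in LSASS memory; network logons (type 3) do not
# and are deliberately ignored. This set is an assumption of this example.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Constructed sample events (not real data), one per line: event id, then
# key=value fields in the style of a flattened 4624/4625 record.
SAMPLE_LOG = """\
4624 host=DC01 account=CORP\\da-lesley type=2
4624 host=WS042 account=CORP\\da-lesley type=10
4624 host=FS01 account=CORP\\da-lesley type=3
4624 host=WS042 account=CORP\\jdoe type=2
4625 host=WS042 account=CORP\\da-lesley type=2
4624 host=WS077 account=corp\\DA-Lesley type=2
""".splitlines()

PRIVILEGED_ACCOUNTS = {"corp\\da-lesley"}   # assumed Domain Admins members
DOMAIN_CONTROLLERS = {"DC01", "DC02"}        # the only hosts DAs should log on to


@dataclass(frozen=True)
class LogonEvent:
    host: str
    account: str
    logon_type: int


def parse_event(line: str):
    """Return a LogonEvent for a successful logon (4624), else None."""
    event_id, *fields = line.split()
    if event_id != "4624":
        return None
    kv = dict(field.split("=", 1) for field in fields)
    # Account names are case-insensitive in Windows, so normalise before matching.
    return LogonEvent(kv["host"], kv["account"].lower(), int(kv["type"]))


def find_violations(lines, privileged=PRIVILEGED_ACCOUNTS, dcs=DOMAIN_CONTROLLERS):
    """Privileged accounts logging on to non-DC hosts with a credential-caching type."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.account not in privileged:
            continue
        if ev.host not in dcs and ev.logon_type in CREDENTIAL_CACHING_LOGON_TYPES:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_violations(SAMPLE_LOG):
        print(f"ALERT: {ev.account} logged on to {ev.host} (logon type {ev.logon_type})")
```

On the sample data only the RemoteInteractive logon to WS042 and the interactive logon to WS077 are reported; the DC logon, the type 3 network logon, the non-privileged user and the failed 4625 are all passed over.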
The GBS Security team hopes this information will prove useful. Look out for regular blogs from members of the team on what we’re seeing in the trenches.
Did you find this article helpful? If so, let us know via the comments box below or on @TechNetUK