I wanted to start this post with a recap of the history of Pass-the-Hash (PTH) attacks and how they were once a major threat but are no longer today. I really did.
In the last few weeks, I have been modeling the behavior of users in NTLM-rich environments, only to learn that Pass-the-Hash still goes undetected after all these years. Further, NTLM is here to stay, at least for a while longer.
Having said that, with user behavior analytics (UBA) solutions, CISOs and security professionals can finally rest.
Dude, it’s 2015…
The truth is, I didn’t expect NTLM to live this long. It’s still alive and well, either as the main, a fallback or a secondary authentication mechanism, in companies of all sizes – ranging from the Fortune 1000 to the smallest of shops. Because NTLM is so prevalent, PTH attacks remain very much relevant in today’s corporate environment.
What is a Pass-the-Hash attack?
Pass-the-Hash is an attack technique that exploits a weakness in the NTLM authentication protocol: it enables an attacker to steal the hashed password of a victim user and re-use that hash to authenticate to target resources such as servers, workstations, file shares…you name it.
Microsoft describes the NTLM authentication scheme in a simplified way; here is the gist of it:
2. The client sends the user name to the server in plain text.
3. The server generates a 16-byte random number, the nonce, and sends it to the client.
4. The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the
– Challenge sent to the client
– Response received from the client
7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
The above flow describes the NTLM authentication scheme and clearly shows that at no point is any entity relationship verified beyond the fact that the respective user presents a valid hash. There is also no requirement for a unique identity for the duration of the login. Therefore, by harvesting hashes from clients or servers, an attacker only needs the user name and the hash (not even the original password) in order to authenticate against a susceptible server.
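To make the point of the flow concrete, here is a toy model of the steps above, written as an added example for this post (it is not the post's own code and not Microsoft's implementation). Two deliberate simplifications are assumed: the stored credential is a SHA-256 of the UTF-16LE password standing in for the real MD4-based NT hash, and the response is a plain HMAC-MD5 over the 16-byte challenge rather than the exact NTLMv1/v2 derivation. The structure of who computes what from which inputs, which is what matters for the argument, is unchanged: the domain controller recomputes the response from the stored hash alone, so a client holding only the hash is indistinguishable from one holding the password.

```python
"""Toy model of the NTLM challenge/response flow (added example, simplified).

Assumptions: SHA-256 stands in for the NT hash, HMAC-MD5 stands in for the
real NTLM response computation. Account names and passwords are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def stored_credential(password: str) -> bytes:
    """What the domain controller stores: a hash of the password, never the
    password itself (stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Step 4 on the client and step 6 on the domain controller run this same
    function; the only input besides the challenge is the hash."""
    return hmac.new(secret, challenge, hashlib.md5).digest()


class DomainController:
    def __init__(self, accounts: dict[str, bytes]):
        self.accounts = dict(accounts)  # user name -> stored hash

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Steps 6-7: recompute the response from the stored hash and compare.
        Where the response came from, or how the client obtained the hash, is
        not part of the check."""
        secret = self.accounts.get(user)
        if secret is None:
            return False
        expected = challenge_response(secret, challenge)
        return hmac.compare_digest(expected, response)


class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc

    def authenticate(self, client: Client) -> bool:
        challenge = os.urandom(16)            # step 3: 16-byte random nonce
        response = client.respond(challenge)  # step 4: client answers
        # step 5: user name, challenge and response go to the domain controller
        return self.dc.verify(client.user, challenge, response)


class Client:
    """A client needs the user name and either the password or its hash."""

    def __init__(self, user: str, password: str | None = None,
                 secret: bytes | None = None):
        if password is None and secret is None:
            raise ValueError("need a password or a hash")
        self.user = user
        self.secret = secret if secret is not None else stored_credential(password)

    def respond(self, challenge: bytes) -> bytes:
        return challenge_response(self.secret, challenge)


def run_demo() -> dict[str, bool]:
    """Returns the domain controller's verdict for four clients. The first two
    succeed and look identical to the verifier; the hash is password-equivalent."""
    alice_hash = stored_credential("correct horse battery staple")  # constructed
    dc = DomainController({"alice": alice_hash})
    server = Server(dc)
    return {
        "password_holder": server.authenticate(
            Client("alice", password="correct horse battery staple")),
        "hash_holder": server.authenticate(Client("alice", secret=alice_hash)),
        "wrong_hash": server.authenticate(Client("alice", secret=os.urandom(32))),
        "unknown_user": server.authenticate(Client("mallory", secret=alice_hash)),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:16s} accepted={accepted}")
```

Nothing in `DomainController.verify` can tell `password_holder` and `hash_holder` apart, which is exactly why the rest of this post argues that the signal has to come from behavior around the authentication rather than from the protocol itself.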
What can you do about it?
Kerberos offers). This means detection is king. What we have learned is that by modeling the behavior of users, corporate assets and the natural binds between them, it becomes easy to detect deviations and stop attacks.
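As an added illustration of the behavioral approach just described (this is example code written for this post, not a product or the author's own implementation), the detector below learns, per user, which workstations they normally authenticate from and which hosts they authenticate to over NTLM, then scores new events against that baseline. The log format and all host and user names are constructed for the example; real deployments would feed it from Windows logon events (NTLM network logons) or a proxy of them.

```python
"""Behavioral baseline for NTLM authentications (added example, not the
post's code). Log lines are a constructed, simplified format:
'<iso timestamp> user=<u> src=<workstation> dst=<target> pkg=<NTLM|Kerberos>'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) pkg=(?P<pkg>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class BehaviorBaseline:
    """The 'natural binds' between users and assets, learned from history."""

    def __init__(self):
        self.sources = defaultdict(set)  # user -> workstations they log on from
        self.targets = defaultdict(set)  # user -> hosts they authenticate to

    def learn(self, ev):
        if ev["pkg"] != "NTLM":
            return
        self.sources[ev["user"]].add(ev["src"])
        self.targets[ev["user"]].add(ev["dst"])

    def score(self, ev):
        """Return the list of deviations for one event (empty means normal)."""
        reasons = []
        if ev["src"] not in self.sources[ev["user"]]:
            reasons.append("new source host for user")
        if ev["dst"] not in self.targets[ev["user"]]:
            reasons.append("new target host for user")
        return reasons


def detect(training_lines, live_lines, window_minutes=10, burst_threshold=3):
    """Build the baseline from training_lines, then alert on live_lines.
    A run of new targets for one user inside the window is escalated, since a
    harvested hash tends to be replayed against several hosts in quick
    succession."""
    base = BehaviorBaseline()
    for line in training_lines:
        ev = parse_event(line)
        if ev:
            base.learn(ev)
    window = timedelta(minutes=window_minutes)
    recent_new = defaultdict(list)  # user -> timestamps of recent new-target events
    alerts = []
    for line in live_lines:
        ev = parse_event(line)
        if not ev or ev["pkg"] != "NTLM":
            continue
        reasons = base.score(ev)
        if "new target host for user" in reasons:
            hist = [t for t in recent_new[ev["user"]] if ev["ts"] - t <= window]
            hist.append(ev["ts"])
            recent_new[ev["user"]] = hist
            if len(hist) >= burst_threshold:
                reasons.append(f"{len(hist)} new targets within {window_minutes} min "
                               "(possible lateral movement)")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "src": ev["src"], "dst": ev["dst"], "reasons": reasons})
    return alerts


# Constructed sample data: a quiet month of history, then one afternoon where
# alice's credential is used from bob's workstation against hosts she never visits.
TRAINING = [
    "2015-05-04T08:30:00 user=alice src=WS-ALICE dst=FS01 pkg=NTLM",
    "2015-05-04T08:31:00 user=alice src=WS-ALICE dst=MAIL01 pkg=NTLM",
    "2015-05-04T08:45:00 user=bob src=WS-BOB dst=FS01 pkg=NTLM",
    "2015-05-04T23:00:00 user=svc_backup src=BACKUP01 dst=FS01 pkg=NTLM",
    "2015-05-04T23:05:00 user=svc_backup src=BACKUP01 dst=DB01 pkg=NTLM",
    "2015-05-05T09:00:00 user=alice src=WS-ALICE dst=FS01 pkg=Kerberos",  # not NTLM, ignored
]
LIVE = [
    "2015-06-01T09:02:11 user=alice src=WS-ALICE dst=FS01 pkg=NTLM",   # normal
    "2015-06-01T09:10:00 user=bob src=WS-BOB dst=MAIL01 pkg=NTLM",     # one new target
    "2015-06-01T13:00:00 user=alice src=WS-BOB dst=DB01 pkg=NTLM",     # new source + target
    "2015-06-01T13:02:00 user=alice src=WS-BOB dst=SRV02 pkg=NTLM",
    "2015-06-01T13:05:00 user=alice src=WS-BOB dst=SRV03 pkg=NTLM",    # third new target: burst
]

if __name__ == "__main__":
    for a in detect(TRAINING, LIVE):
        print(a["ts"], a["user"], f"{a['src']}->{a['dst']}", "; ".join(a["reasons"]))
```

The baseline is deliberately frozen during the live phase so that repeated use of an unusual host keeps alerting; in practice you would let events an analyst confirms as benign flow back into the baseline. Bob's single new target shows the other side of the trade-off: a lone deviation is low severity, and it is the combination of a new source, new targets and a burst of them that turns alice's events into something worth acting on.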