Passing the Hash Like It's 1999! - Exabeam

Passing the Hash Like It’s 1999!

May 12, 2015


Reading time
3 mins

I wanted to start this post with a recap about the history of Pass-the-Hash (PTH) attacks and how they were a major threat; yet, is no  longer today. I really did.

In the last few weeks, I have been modeling behaviors of users in NTLM rich environments, only to learn that Pass-the-Hash still goes undetected after all those years. Further, NTLM is here to stay, at least for a while longer.

Having said that, with user behavior analytics (UBA) solutions, CISOs and security professionals can finally rest.

Dude, it’s 2015… 

The truth is, I didn’t expect NTLM to live this long. It’s  still alive and well either as a main, a fallback or a secondary authentication mechanism for companies of all sizes – ranging from fortune 1,000 to the smallest of shops. Due to their prevalence, PTH attacks remain very much relevant in today’s corporate environment.

What is Pass-the-Hash attack?

Pass-the-Hash is an attack technique that exploits a weakness in the NTLM authentication protocol, which essentially enables an attacker to steal the hashed password of the victim user, and re-using it to authenticate to the target resources such as servers, workstations, file shares…you name it.

Microsoft describes the NTLM authentication scheme in a simplified way, here the gist of it:


1. A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

2. The client sends the user name to the server plain text.

3. The server generates a 16-byte random number,
challenge or
nonce, and sends it to the client.

4. The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the

5. The server sends the following three items to the domain controller:

– User name

– Challenge sent to the client

– Response received from the client

6. The domain controller uses the user name to retrieve the hash of the user’s password from the Security Account Manager database. It uses this password hash to encrypt the challenge.

7. The domain controller compares and computes the encrypted challenge it calculated (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.

The above flow describes the NTLM authentication scheme, and clearly shows at no point is there a verification of any entity relationships other than the fact that a respective user presenting a valid hash. There’s also no requirement for a unique identity for the duration of the login. Therefore, by harvesting hashes from clients/servers, an attacker only needs to know the user and hash (not even the original password) in order to authenticate against a suceptible server.

What can you do about it ?

It’s impossible to completely prevent Pass-the-Hash attacks from happening. There simply isn’t any enforcement in the protocol itself to require a certain user coming from a specific machine with a unique hash that is only available for the duration of that session (like
Kerberos offers). This means detection is king. What we have learned is by modeling the behavior of users, coroporate assets and the natural binds between them, it becomes easy to detect deviations and stop attacks.

The user behavior analytics (UBA) space, can clearly detect attacks that have previously gone unnoticed for years.

Similar Posts

What’s New in Exabeam Product Development – November 2022

Exabeam News Wrap-up – December 1, 2022

Exabeam Achieves ISO 27017 and ISO 27018 Certifications

Recent Posts

Fourth-gen SIEM is New-Scale SIEM: Cloud-native SIEM at Hyperscale

The New CISO Podcast: Solving Security Puzzles

Understanding UEBA: From Scored Events to Stories

See a world-class SIEM solution in action

Most reported breaches involved lost or stolen credentials. How can you keep pace?

Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.

Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.

Get a demo today!