I wanted to start this post with a recap of the history of Pass-the-Hash (PTH) attacks and how they were once a major threat but are no longer one today. I really did.
Over the last few weeks I have been modeling the behavior of users in NTLM-rich environments, only to learn that Pass-the-Hash still goes undetected after all these years. Further, NTLM is here to stay, at least for a while longer.
That said, with user behavior analytics (UBA) solutions, CISOs and security professionals can finally get some rest.
Dude, it’s 2015…
The truth is, I didn't expect NTLM to live this long. It is still alive and well, as a primary, fallback or secondary authentication mechanism, in companies of all sizes, from the Fortune 1000 to the smallest of shops. Because NTLM is so prevalent, PTH attacks remain very much relevant in today's corporate environment.
What is a Pass-the-Hash attack?
Pass-the-Hash is an attack technique that exploits a weakness in the NTLM authentication protocol: an attacker who steals the hashed password of a victim user can reuse that hash, without ever learning the plaintext password, to authenticate to target resources such as servers, workstations, file shares... you name it.
Microsoft describes the NTLM authentication scheme in a simplified way; here is the gist of it:
1. A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2. The client sends the user name to the server in plain text.
3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
5. The server sends the following three items to the domain controller:
– User name
– Challenge sent to the client
– Response received from the client
6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
7. The domain controller computes the encrypted challenge itself (step 6) and compares it to the response computed by the client (step 4). If they are identical, authentication is successful.
The flow above clearly shows that at no point does the protocol verify anything beyond the fact that the party claiming to be the user knows the password hash. There is no binding between the user and a specific client machine, and no per-login secret that is valid only for the duration of that session. Therefore, by harvesting hashes from clients and servers, an attacker needs only the user name and the hash (not the original password) to authenticate against a susceptible server.
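The seven steps above, and the point that the hash alone is enough, can be shown end to end in code. The following is an added example, not Microsoft's or the post author's code: it implements the NT hash (MD4 over the UTF-16LE password, done in pure Python because many OpenSSL 3 builds of Python disable `md4`), the NTLMv2 challenge/response as the client computes it, and the domain controller's verification. The account `alice`/`CORP`/`Winter2015!`, the host names and the minimal NTLMv2 "temp" blob are constructed for the demonstration. The attacker side reuses the stored hash bytes directly, which is exactly what a dumped LSASS or SAM hash gives you.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 over the UTF-16LE password;
    implemented here because hashlib.new('md4') is often unavailable on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (a + func(b, c, d) + x[idx] + const) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        state = [(v + w) & MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Step 1: the client hashes the password and discards the plaintext."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """Step 4: the client proves knowledge of the hash, never of the password.
    NTLMv2 response = HMAC-MD5(NTOWFv2, challenge || blob) || blob."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob,
                     hashlib.md5).digest()
    return proof + client_blob


def dc_verify(stored_nt: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """Steps 6-7: the DC recomputes the proof from the stored hash and compares."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> dict:
    """A legitimate logon, then the same logon by an attacker who holds only the hash."""
    user, domain, password = "alice", "CORP", "Winter2015!"   # hypothetical account
    stored_nt = nt_hash(password)          # what the DC holds; the password is never stored
    challenge = os.urandom(8)              # step 3 (8 bytes on the wire in NTLMv2)
    # Constructed minimal NTLMv2 "temp" blob: version header, zeroed timestamp,
    # client nonce, padding. Real clients also append AV pairs here.
    blob = struct.pack("<BBHI", 1, 1, 0, 0) + b"\x00" * 8 + os.urandom(8) + b"\x00" * 4
    legit = client_response(stored_nt, user, domain, challenge, blob)
    stolen_nt = stored_nt                  # e.g. dumped from LSASS or the SAM; plaintext unknown
    replay = client_response(stolen_nt, user, domain, challenge, blob)
    wrong = client_response(nt_hash("not-her-password"), user, domain, challenge, blob)
    return {
        "legit_accepted": dc_verify(stored_nt, user, domain, challenge, legit),
        "attacker_accepted": dc_verify(stored_nt, user, domain, challenge, replay),
        "wrong_hash_accepted": dc_verify(stored_nt, user, domain, challenge, wrong),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())   # the well-known 8846f7ea... value
    print(pass_the_hash_demo())
```

Nothing in `dc_verify` can tell the two accepted responses apart: both were produced from the same 16 hash bytes, and the DC never sees a password, a client identity or a session-bound secret. That is the whole weakness the post is about, and it holds for NTLMv2 just as it does for the older NTLMv1 DES construction.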
What can you do about it?
It is impossible to completely prevent Pass-the-Hash attacks. The protocol itself has no mechanism to require that a given user come from a specific machine with a unique, session-bound credential that is valid only for the duration of that session (as Kerberos offers with its time-limited tickets and session keys). This means detection is king. What we have learned is that by modeling the behavior of users, corporate assets and the natural binds between them, it becomes easy to detect deviations and stop attacks.
User behavior analytics (UBA) solutions can clearly detect attacks that have previously gone unnoticed for years.
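One concrete form of "modeling the natural binds between users and assets" is a baseline of which source host each account normally authenticates from, with alerts when an account appears from a host it has never used, or fans out to several targets in a short window. The following is an added example, not the post author's product or code: it runs two such checks over a constructed set of NTLM network logon records (the fields a Windows 4624, logon type 3, NTLM event reduces to). All user and host names are hypothetical, and the thresholds (5-minute window, 3 distinct targets) are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of NTLM network logons as (time, user, source host, target host).
# Names are hypothetical; this is not real telemetry.
HISTORY = [
    ("2015-03-02T08:01:00", "alice", "WS-ALICE", "FS01"),
    ("2015-03-02T08:05:00", "alice", "WS-ALICE", "MAIL01"),
    ("2015-03-03T09:10:00", "alice", "WS-ALICE", "FS01"),
    ("2015-03-02T08:30:00", "bob", "WS-BOB", "FS01"),
    ("2015-03-03T08:31:00", "bob", "WS-BOB", "FS01"),
    ("2015-03-03T10:00:00", "svc_backup", "BACKUP01", "FS01"),
    ("2015-03-03T10:00:05", "svc_backup", "BACKUP01", "FS02"),
]
TODAY = [
    ("2015-03-04T08:02:00", "alice", "WS-ALICE", "FS01"),   # alice at her own desk
    ("2015-03-04T08:40:00", "bob", "WS-BOB", "FS01"),
    ("2015-03-04T13:15:00", "alice", "WS-BOB", "FS01"),     # alice's hash used from bob's box
    ("2015-03-04T13:15:30", "alice", "WS-BOB", "FS02"),
    ("2015-03-04T13:16:00", "alice", "WS-BOB", "MAIL01"),
    ("2015-03-04T13:16:20", "alice", "WS-BOB", "DC01"),
]


def build_baseline(events):
    """Learn the natural binds: which source hosts each user normally authenticates from."""
    sources = defaultdict(set)
    for _, user, src, _ in events:
        sources[user].add(src)
    return sources


def detect(baseline, events, window=timedelta(minutes=5), fanout=3):
    """Flag (a) a user authenticating from a host never seen for that user, and
    (b) a user reaching `fanout` or more distinct targets inside `window`.
    Each (user, source) pair and each fan-out burst is reported once."""
    alerts = []
    seen_new = set()
    fanout_fired = set()
    recent = defaultdict(list)   # user -> [(time, target)] still inside the window
    for ts, user, src, dst in sorted(events):
        t = datetime.fromisoformat(ts)
        if src not in baseline.get(user, set()) and (user, src) not in seen_new:
            seen_new.add((user, src))
            alerts.append(("new-source", user, src, ts))
        recent[user] = [(u, d) for u, d in recent[user] if t - u <= window] + [(t, dst)]
        if len({d for _, d in recent[user]}) >= fanout and user not in fanout_fired:
            fanout_fired.add(user)
            alerts.append(("fanout", user, src, ts))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for alert in detect(baseline, TODAY):
        print(alert)
```

Run over its own history the detector stays silent, including for the backup service account that legitimately touches two file servers within seconds; on the new day it raises exactly two alerts, both for `alice` from `WS-BOB`. Neither check needs to see the hash or the password: the protocol gives you no per-session secret to inspect, so the deviation from the learned user-to-asset bind is the signal.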