Pass the hash is a technique that allows an attacker to authenticate to a remote server using the LM and/or NTLM hash of a user’s password, eliminating the need to crack/brute-force the hashes to obtain the clear text password (which is normally used to authenticate).
In the context of NTLM authentication, Windows password hashes are similar to plain text passwords, so rather than trying to crack them offline, hackers can easily use them to obtain unauthorized access.
Hernan Ochoa issued methods for performing the pass-the-hash technique natively in Windows by changing at runtime the username, domain name, and password hashes stored in memory. The technique enables attackers to pass-the-hash using Windows native applications like Windows Explorer to access remote shares, administrative tools like Active Directory Users and Computers, and any other Windows native application that uses NTLM authentication.
Ochoa also published a new method to dump NTLM credentials cached in memory by the Windows authentication subsystem. This method dumps credentials including those of users who logged in remotely and interactively to a computer, such as using RDP.
The method has become very popular between pen testers and hackers because it can enable the compromise of the entire Windows domain after compromising a single computer.
Latest posts by Unallocated Author (see all)
- Another Commercial WordPress Plugin Gets Exploited - February 17, 2019
- A Further 127 Million User Records Found For Sale on The Dark Web - February 15, 2019
- Google Play Store Malicious App Detection Up By Over 50% - February 14, 2019