What is a pass-the-hash attack?

Pass the hash is a technique that allows an attacker to authenticate to a remote server using the LM and/or NTLM hash of a user's password, eliminating the need to crack or brute-force the hash to recover the cleartext password that would normally be used to authenticate.

In the context of NTLM authentication, a Windows password hash is effectively equivalent to the plaintext password: rather than cracking hashes offline, attackers can use them directly to obtain unauthorized access.

Hernan Ochoa published methods for performing the pass-the-hash technique natively on Windows by changing, at runtime, the username, domain name, and password hashes held in memory. This lets an attacker pass the hash using native Windows applications such as Windows Explorer to access remote shares, administrative tools such as Active Directory Users and Computers, and any other native Windows application that uses NTLM authentication.

Ochoa also published a method to dump NTLM credentials cached in memory by the Windows authentication subsystem. It dumps credentials including those of users who logged in to the computer remotely and interactively, for example over RDP.

The method has become very popular among pen testers and attackers because it can enable compromise of an entire Windows domain after compromising a single computer.
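Because pass the hash rides on ordinary NTLM network logons, the defender's view of it is Windows Security event 4624 (successful logon) with logon type 3 and an NTLM authentication package. The following is an added example, not code from the original article or from Ochoa's tools: a small Python detector that reviews a constructed batch of 4624-style records and flags NTLM network logons by privileged accounts, one account-and-source pair fanning out to several hosts in a short window (the domain-wide spread described above), and NTLMv1 still being negotiated. The field names (LogonType, AuthenticationPackageName, LmPackageName, TargetUserName, IpAddress, Computer) follow the 4624 event; the sample events, the privileged-account list, the threshold and the time window are assumptions chosen for the example.

```python
# Added example (not part of the original article): a detector that reviews
# Windows Security event 4624 records and flags NTLM network logons worth a
# closer look, since pass the hash uses exactly this authentication path.
# Field names follow the 4624 event; the sample records, privileged-account
# list, threshold and window below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 events as they might be collected from several hosts.
SAMPLE_EVENTS = [
    {"Time": "2024-01-10T09:00:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    # An NTLM network logon by an admin account from a workstation, then the
    # same account and source reaching three more servers within minutes.
    {"Time": "2024-01-10T09:05:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "da-admin", "IpAddress": "10.0.0.55"},
    {"Time": "2024-01-10T09:06:00", "Computer": "SQL01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "da-admin", "IpAddress": "10.0.0.55"},
    {"Time": "2024-01-10T09:07:00", "Computer": "WEB01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "da-admin", "IpAddress": "10.0.0.55"},
    {"Time": "2024-01-10T09:08:00", "Computer": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "da-admin", "IpAddress": "10.0.0.55"},
    # A legacy service account still negotiating NTLMv1.
    {"Time": "2024-01-10T09:30:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.80"},
    # Interactive console logon (type 2); not on the pass-the-hash path.
    {"Time": "2024-01-10T09:45:00", "Computer": "WS07", "LogonType": 2,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "bob", "IpAddress": "-"},
]

PRIVILEGED_ACCOUNTS = {"da-admin"}  # assumed list of high-value accounts


def find_pth_indicators(events, privileged=PRIVILEGED_ACCOUNTS,
                        fanout_threshold=3, window=timedelta(minutes=10)):
    """Return a list of (rule, account, detail) tuples for suspicious NTLM logons."""
    alerts = []
    fanout = defaultdict(list)  # (account, source ip) -> [(time, target host)]
    for e in sorted(events, key=lambda ev: ev["Time"]):
        # Only NTLM network logons (type 3) are relevant to pass the hash.
        if e["LogonType"] != 3 or e["AuthenticationPackageName"] != "NTLM":
            continue
        user, src, host = e["TargetUserName"], e["IpAddress"], e["Computer"]
        t = datetime.fromisoformat(e["Time"])
        if e["LmPackageName"] == "NTLM V1":
            alerts.append(("ntlmv1_negotiated", user, f"{src} -> {host}"))
        if user in privileged:
            alerts.append(("privileged_ntlm_network_logon", user, f"{src} -> {host}"))
        history = fanout[(user, src)]
        history.append((t, host))
        recent_hosts = {h for (ts, h) in history if t - ts <= window}
        # Fire once, at the moment the distinct-host count crosses the threshold.
        if len(recent_hosts) == fanout_threshold:
            alerts.append(("ntlm_lateral_fanout", user,
                           f"{src} reached {sorted(recent_hosts)} within {window}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, a quick triage view of the result."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_pth_indicators(SAMPLE_EVENTS):
        print(alert)
    print(summarize(find_pth_indicators(SAMPLE_EVENTS)))
```

On the constructed sample, the Kerberos logon and the type 2 console logon are ignored, each of the four NTLM logons by da-admin raises a privileged-account alert, the fan-out rule fires once when the third distinct host is reached, and the NTLMv1 logon is flagged separately. In production the same logic would read events from a SIEM or from Get-WinEvent output rather than an inline list.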
