What is pass the hash attack?

Pass the hash is a technique that allows an attacker to authenticate to a remote server using the LM and/or NTLM hash of a user’s password, eliminating the need to crack/brute-force the hashes to obtain the clear text password (which is normally used to authenticate).

In the context of NTLM authentication, Windows password hashes are similar to plain text passwords, so rather than trying to crack them offline, hackers can easily use them to obtain unauthorized access.

Hernan Ochoa issued methods for performing the pass-the-hash technique natively in Windows by changing at runtime the username, domain name, and password hashes stored in memory. The technique enables attackers to pass-the-hash using Windows native applications like Windows Explorer to access remote shares, administrative tools like Active Directory Users and Computers, and any other Windows native application that uses NTLM authentication.

Ochoa also published a new method to dump NTLM credentials cached in memory by the Windows authentication subsystem. This method dumps credentials including those of users who logged in remotely and interactively to a computer, such as using RDP.

The method has become very popular between pen testers and hackers because it can enable the compromise of the entire Windows domain after compromising a single computer.

Related posts

The Future of Mobile Security: Emerging Threats and Countermeasures

From Concept to Launch: Ensuring Cybersecurity in Product Development

What Exactly is Telematics? The Technology That’s Changing How We Drive