
Pass-the-Hash Attack: Exploiting NTLM Authentication in Active Directory

RFS
2023-05-22
25 min read
Active Directory

Introduction to Pass-the-Hash Attacks

Pass-the-Hash (PtH) is a lateral movement technique that allows an attacker to authenticate to a remote system or service using the underlying NTLM hash of a user's password, instead of the plaintext password itself. This technique is particularly dangerous in Active Directory environments, where it can lead to rapid privilege escalation and domain compromise.

How Pass-the-Hash Works

Pass-the-Hash exploits a fundamental aspect of NTLM authentication: the hash itself is used as the authenticator. Here's a step-by-step breakdown of how a Pass-the-Hash attack typically unfolds:

  1. An attacker gains access to a system and obtains NTLM password hashes, often through techniques like credential dumping.
  2. Instead of cracking the hash to obtain the plaintext password, the attacker uses the hash directly for authentication.
  3. The attacker presents this hash to other systems or services for authentication, effectively impersonating the user.
  4. If successful, the attacker gains access to the target system with the privileges of the impersonated user.

Tools Used for Pass-the-Hash Attacks

Several tools are commonly used to perform Pass-the-Hash attacks:

  • Mimikatz: A powerful post-exploitation tool that can extract plaintext passwords, hashes, and Kerberos tickets from memory.
  • Impacket: A collection of Python classes for working with network protocols, including modules for Pass-the-Hash attacks.
  • CrackMapExec: A Swiss Army knife for pentesting networks, featuring Pass-the-Hash capabilities.
  • Metasploit: The popular penetration testing framework includes modules for Pass-the-Hash attacks.

Command Examples for Pass-the-Hash Attacks

Here are some command examples demonstrating Pass-the-Hash attacks using different tools:

mimikatz # sekurlsa::logonpasswords

Use Mimikatz to dump logon passwords and hashes

python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 [email protected]

Use Impacket's psexec.py to perform a Pass-the-Hash attack

crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Use CrackMapExec to perform a Pass-the-Hash attack across a subnet

Detecting Pass-the-Hash Attacks

Detecting Pass-the-Hash attacks can be challenging, but there are several indicators and techniques that can help:

  • Monitor for multiple failed logon attempts followed by a successful one, especially from different source systems.
  • Look for successful logons with NTLM authentication where the account has no recent failed logon attempts.
  • Analyze Windows Event logs, particularly Event ID 4624 (successful logon) and 4625 (failed logon).
  • Implement and monitor honeypot accounts that should never be used for legitimate authentication.
  • Use advanced security information and event management (SIEM) solutions with user behavior analytics capabilities.

Command Examples for Detection

Here are some command examples to help detect potential Pass-the-Hash attacks:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} | Where-Object {$_.Properties[8].Value -eq 3 -and $_.Properties[10].Value -eq 'NTLM'}

PowerShell command to retrieve successful network logons (logon type 3) that used the NTLM authentication package. In event 4624, Properties[8] is LogonType and Properties[10] is AuthenticationPackageName; the logon type alone is not enough, because Kerberos network logons are also type 3.

wevtutil qe Security /q:"*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3' and Data[@Name='AuthenticationPackageName']='NTLM']]" /f:text

Use wevtutil to query for successful network logons authenticated with NTLM
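The event-log queries above return raw 4624 records; the indicators listed earlier still have to be evaluated across those records. The following added example (not part of the original post) applies two of them in Python over a constructed set of exported 4624 events: any NTLM logon by a honeypot account, and one account reaching several hosts over NTLM from a single source address within a short window. The account names, host names and addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy account that no legitimate process ever uses (constructed name).
HONEYPOT_ACCOUNTS = {"svc_decoy"}

# Constructed sample of Security events exported from several hosts. Field names
# mirror 4624 EventData: TargetUserName, LogonType, AuthenticationPackageName,
# IpAddress, plus the Computer that recorded the event. Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2023-05-22T10:00:05", "id": 4624, "computer": "FS01", "user": "jsmith",
     "logon_type": 3, "auth_pkg": "Kerberos", "src": "10.0.0.21"},
    {"time": "2023-05-22T10:01:10", "id": 4624, "computer": "FS01", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src": "10.0.0.55"},
    {"time": "2023-05-22T10:01:12", "id": 4624, "computer": "APP02", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src": "10.0.0.55"},
    {"time": "2023-05-22T10:01:15", "id": 4624, "computer": "DB03", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src": "10.0.0.55"},
    {"time": "2023-05-22T10:02:00", "id": 4624, "computer": "DB03", "user": "svc_decoy",
     "logon_type": 3, "auth_pkg": "NTLM", "src": "10.0.0.55"},
    {"time": "2023-05-22T11:30:00", "id": 4624, "computer": "FS01", "user": "jsmith",
     "logon_type": 3, "auth_pkg": "NTLM", "src": "10.0.0.21"},
]

def ntlm_network_logons(events):
    """Successful network logons (type 3) authenticated with the NTLM package."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]

def detect_pth_indicators(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (indicator, account, detail) tuples for two heuristics:
    any NTLM logon by a honeypot account, and one account reaching >= min_hosts
    distinct computers over NTLM from a single source address within `window`."""
    alerts = []
    per_account = defaultdict(list)
    for e in ntlm_network_logons(events):
        if e["user"] in HONEYPOT_ACCOUNTS:
            alerts.append(("honeypot_logon", e["user"], f"{e['src']} -> {e['computer']}"))
        per_account[(e["user"], e["src"])].append(e)
    for (user, src), logons in per_account.items():
        logons.sort(key=lambda e: e["time"])
        for i, first in enumerate(logons):
            t0 = datetime.fromisoformat(first["time"])
            hosts = {l["computer"] for l in logons[i:]
                     if datetime.fromisoformat(l["time"]) - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("ntlm_lateral_fanout", user, f"{src} -> {sorted(hosts)}"))
                break  # one alert per account/source pair is enough
    return alerts
```

Calling `detect_pth_indicators(SAMPLE_EVENTS)` on the sample yields one honeypot alert for svc_decoy and one fan-out alert for Administrator reaching FS01, APP02 and DB03 from 10.0.0.55 within five seconds; the single NTLM logon by jsmith raises nothing.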

Mitigating Pass-the-Hash Attacks

While it's challenging to completely prevent Pass-the-Hash attacks, several mitigation strategies can significantly reduce the risk:

  • Implement the principle of least privilege to limit the impact of compromised accounts.
  • Use strong, unique passwords for all accounts, especially privileged ones.
  • Implement multi-factor authentication (MFA) wherever possible.
  • Regularly rotate passwords, particularly for service and administrator accounts.
  • Use Microsoft's Local Administrator Password Solution (LAPS) to manage local admin passwords.
  • Implement network segmentation to limit lateral movement capabilities.
  • Use Credential Guard in Windows 10 and Windows Server 2016+ to protect against credential theft.
  • Disable NTLM authentication where possible and monitor its usage.
  • Implement Protected Users security group for highly privileged accounts.
  • Regularly patch and update systems to address known vulnerabilities.

Command Examples for Mitigation

Here are some command examples to help implement mitigation strategies:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -Type DWord

Enable LSA Protection so that LSASS runs as a protected process, which blocks Mimikatz-style credential dumping from its memory (takes effect after a reboot)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Type DWord

Enable Restricted Admin mode for RDP so that an administrator's credentials are not sent to, or cached on, the remote host. Note that Restricted Admin mode accepts NTLM authentication for RDP, so it should be deployed together with the other controls in this list rather than on its own.

msiexec /i LAPS.x64.msi ADDLOCAL=CSE,Management,Management.UI,Management.PS,Management.ADMX /quiet

Install the legacy LAPS client-side extension and its management tools from the Microsoft-provided LAPS.x64.msi installer (the FS-Resource-Manager Windows feature is File Server Resource Manager and is unrelated to LAPS). On Windows Server 2019 and later and on current Windows 10/11 builds, Windows LAPS is built into the operating system and only needs to be configured by policy.

Conclusion

Pass-the-Hash attacks remain a significant threat in Active Directory environments. By understanding how these attacks work, implementing robust detection mechanisms, and following best practices for mitigation, organizations can significantly reduce their exposure to this risk. Remember, security is an ongoing process, and staying informed about the latest attack techniques and defense strategies is crucial in maintaining a strong security posture.
