Pass-the-Hash attack : compromise whole corporate networks P1

Check other parts

“Microsoft confirms that 99% of cases reported to Microsoft consulting services for corporate networks being owned by a malware, is by using this technique.”

Pass-the-Hash = Single-Sign-On

Any system that supports Single-Sign On (SSO) is affected by the Pass-the-Hash attack.

SSO = somebody uses his credentials to log on to a system, and some form of that credentials or the actual credential allows him to go and access other resources without retyping his credentials. This benefit of not having to retype your credential every time you access network resources like the corporate SharePoint site, comes with a problem that if an attacker get access to your machine, he can use those stored credentials and access the network using your identity.

In other words, if you want SSO, pass-the-hash attack is something that cannot be fixed and you have to accept.

There are two types of pass-the-hash attack:

  • Credential reuse: using the saved credentials on the system on which it was saved.
  • Credential theft: taking the saved credential to another system and using it from there and allow attacker to spread over the network.

Single-Sign-On Explained

  1. John logs on his laptop by entering his username and password.
  2. John gets a user session on that laptop, and Windows verifier, in case of Windows, it is a one way hash (NT one way function), creates the hash for the password.
  3. Now John can access a file server, and when doing this, the file server will send challenge/response to John to prove his identity, and John proves that by using that one way function (password hash)
  4. Now, John gets a session on the file server.Pass-the-Hash 1

Pass-the-Hash Technique

  •  Step 1 : we have Fred. He logs on to his laptop and got a user session, so he has the one hash value of his password stored on the system. Now an attacker gets over his laptop, or Fred runs a malware, or Fred himself is malicious. Now the malware creates a user session using Fred’s one way hash password. Fred can now log off and has his session destroyed, but the malware has Fred’s one way function (his hash) in its own session and it can go around the network as Fred.

Pass-the-Hash 2

  • Step 2 : now, the malware will perform some kind of port scan and discovery to identify targets. Sounds like Jo’s laptop is an interesting target, so let us try to authenticate to it using Fred’s credentials. Assuming that Fred can access Jos laptop, a user session is created for Fred on Jo’s laptop.

Pass-the-Hash 3

  • Step 3:  what is worse if Fred has administrative rights on Jo’s laptop. With such administrative rights, the malware can harvest (steal) Jo’s credentials. If Jo is a domain admin, then the malware has now domain admin rights. Now the malware can access for example a File Server using Jo credentials and now the whole network is compromised.Pass-the-Hash 4


Password hashes for all local accounts are stored locally on all Windows computers, hashes for all domain accounts are stored on all domain controllers for a Windows domain, and hashes for currently-logged-in users whether local or domain are usually stored in memory in the computer the user is logged into (some exceptions apply

5 comments on “Pass-the-Hash attack : compromise whole corporate networks P1

  1. Pingback: Windows 8.1 Security Improvements – RestrictedAdmin RDP | Ammar Hasayen - Blog

  2. Pingback: The new RestrictedAdmin RDP – Security Trade-Off and Pass-the-Hash Exposure | Ammar Hasayen - Blog

  3. Pingback: Notes on Windows LSA, Secure Channel, NTLM, etc. «

  4. Pingback: Pass-the-Hash attack : compromise whole corporate networks P2 | Ammar Hasayen - Blog

  5. Pingback: Pass-the-Hash attack : compromise whole corporate networks P3 | Ammar Hasayen - Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s