Check other parts
- Pass-the-Hash attack : compromise whole corporate networks P1
- Pass-the-Hash attack : compromise whole corporate networks P3
In this part, we will go deep and discover what exactly is happening behind the scenes when you log on to a Windows machine.
Sue is a domain administrator. When Sue provides her username and password to log on to her laptop, those credentials are fed to the process responsible for producing the Single Sign-On (SSO) experience: the Local Security Authority Subsystem Service (LSASS). LSASS hosts a number of authentication plugins, one for each authentication protocol that Windows supports. Several of these plugins take part in SSO, among them the NTLM, Digest, and Kerberos plugins described below.
So what happens during logon is that Sue’s raw credentials (username and password) are presented to each of those plugins so that it can prepare its part of the SSO experience. The NTLM plugin, for example, takes the username and password, generates a one-way hash of the password (the NT one-way function, or NTOWF, value), and keeps that hash in memory.
The Digest plugin needs to keep the actual (plaintext) password in memory to support SSO.
The Kerberos plugin takes the password, contacts a domain controller, and obtains a Ticket-Granting Ticket (TGT) along with a collection of service tickets.
For the duration of Sue’s session, each plugin keeps its own version of the credential in memory to support SSO.
So when Sue tries to access a network resource, LSASS is asked whether it can authenticate without prompting Sue for credentials; the Kerberos plugin, for example, answers “I can do that, here is a service ticket.”
If an attacker gets administrative access to your machine, he can pull all of your password hashes. The attacker can use those hashes without ever knowing the actual password, authenticate as you on the network, and move from machine to machine.
The name Pass-the-Hash is historical, dating from when the attack targeted NT hashes, but the technique applies equally to Kerberos: the attacker can steal a Kerberos ticket and use it just as he would use the hash.
Smart card authentication does not defend you against this type of attack. A smart card is a great way to bind authentication to a physical object: you can give your password to someone over the phone, but you cannot do that with a smart card. However, if I steal the Kerberos ticket that represents your smart card logon, I get the same access you have with that ticket.
It goes beyond that. Microsoft demonstrated a sample pass-the-hash attack as follows:
- John logs on to his machine, where malware is running, opens a UNC path, and then perhaps logs off.
- The malware runs a tool called Windows Credentials Editor, which connects to the Local Security Authority on the same machine and retrieves all hashes and service tickets.
- The malware then uses the same free tool (Windows Credentials Editor) to connect to the UNC path with the captured Kerberos ticket, authenticating as John.
The interesting thing is that if the malware captures the actual password hash, it can connect to any resource on the network using that hash, whereas if it captures only a service ticket, it can access only the network resource that the service ticket was issued for.