In the labyrinth of cybersecurity, various attack techniques lurk around every corner. Among these are the Overpass-the-Hash and Pass-the-Hash attacks, both of which are potent tools exploited by cybercriminals to infiltrate networks. This article aims to demystify these techniques, offering a comprehensive overview of their mechanics, the tools used to execute them, and effective countermeasures.
Understanding Hash Authentication
Before delving into the attacks themselves, it’s crucial to grasp the concept of password hashing. A password hash is a fixed-length value derived from a password by a repeatable, one-way algorithm (it is not an encrypted copy of the password, since there is no key that turns it back). This means that the same password will always generate an identical hash, and there’s no feasible method to revert the hash back to the original password.
Hashing is a fundamental element in authenticating a user, as it validates a user’s identity without transmitting their actual password across the network. Notably, password hashes play an integral role in the Microsoft NTLM (NT LAN Manager) challenge-response authentication protocol.
Hash Authentication Procedure
The NTLM authentication process involves several steps:
- The user enters their username and password on their device.
- The device runs a standard hashing algorithm on the password to generate a password hash.
- The device sends a logon request, which includes the username but neither the password nor the password hash, to the nearest domain controller (DC).
- The DC responds by sending a random number known as a logon challenge.
- The device uses the password hash to encrypt the logon challenge and sends the encrypted result, or response, back to the DC.
- The DC verifies the response by comparing it with its own encryption of the logon challenge using the stored password hash for the username. If the results match, the user is authenticated.
Unpacking Pass-the-Hash Attacks
Armed with an understanding of hash authentication, we can now explore Pass-the-Hash (PtH) attacks. In a PtH attack, an adversary circumvents the need for a user’s cleartext password by using the user’s password hash to authenticate themselves. This allows them to access network resources and potentially escalate their privileges.
The process of a PtH attack can be summarized as follows:
- The adversary obtains the user’s password hash. This can be achieved by compromising admin privileges on a device and extracting password hashes from the memory of the LSASS (Local Security Authority Subsystem Service) process, or by stealing the ntds.dit database file from a DC and extracting the hashes from it.
- The adversary uses a hacking tool, such as Mimikatz, to send a logon request and respond to the DC’s logon challenge using the stolen password hash.
Delving into Overpass-the-Hash Attacks
An Overpass-the-Hash (OtH) attack is a hybrid of the PtH attack and a Pass-the-Ticket (PtT) attack. In an OtH attack, the adversary uses the NTLM hash of a user account to generate a Kerberos ticket, which they use to authenticate themselves and gain access to network resources.
The steps of an OtH attack are:
- The adversary obtains the NTLM password hash for a user account, typically using a tool like Mimikatz.
- The adversary passes the NTLM hash into the Kerberos authentication provider, which accepts it as the key for RC4-encrypted Kerberos exchanges and uses it to obtain a Kerberos ticket for that account.
Tools of the Trade
When executing these attack types, adversaries commonly employ tools like Mimikatz and Rubeus. Mimikatz, in particular, can extract a user’s AES keys in several ways and can create Kerberos tickets from other credential material, such as those AES keys, rather than only from the NTLM hash.
Detecting the Attacks
Detecting PtH and OtH attacks can be challenging due to their stealthy nature. However, by closely monitoring endpoint logs for specific event IDs and implementing pass-the-ticket detection techniques, administrators can spot suspicious activity that may indicate an attack.
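As an added example (not the article’s own code), the following Python flags two well-documented Security-log footprints of these attacks over constructed sample records: a 4624 logon of type 9 (NewCredentials) through the seclogo logon process with the Negotiate package, which is how an NT hash injected into a fresh logon session shows up on the endpoint, and a 4768 TGT request with encryption type 0x17 (RC4-HMAC) for an account in a domain that otherwise uses AES, which is the encryption-type downgrade an NTLM-hash-driven Overpass-the-Hash ticket request produces. The records, host names and addresses are constructed, and aes_domain is an assumed flag describing the environment.

```python
"""Detection logic for Pass-the-Hash / Overpass-the-Hash footprints in Windows
Security log records. Added example, not from the original article; event IDs
and field names are the documented Windows Security log ones, and every record
below is constructed sample data.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # Kerberos encryption type RC4-HMAC, keyed directly with the NT hash

# Constructed sample records (one dict per Security event).
SAMPLE_EVENTS = [
    # Ordinary interactive logon: should produce no finding.
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "WS01"},
    # NewCredentials (type 9) logon through seclogo/Negotiate: the footprint of an
    # NT hash injected into a new logon session (also produced by runas /netonly).
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "WS01"},
    # TGT issued with RC4-HMAC for an account in an AES-enabled domain: the
    # encryption-type downgrade an NT-hash-driven ticket request produces.
    {"EventID": 4768, "TargetUserName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # TGT issued with AES256 (0x12): normal.
    {"EventID": 4768, "TargetUserName": "alice",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.10"},
]


def detect(events, aes_domain=True):
    """Return (rule, account, detail) findings for the records in `events`.

    aes_domain is an assumed environment flag: set it only where accounts are
    AES-capable, so that an RC4 TGT is genuinely anomalous.
    """
    findings = []
    for ev in events:
        eid, user = ev.get("EventID"), ev.get("TargetUserName", "?")
        if (eid == 4624 and ev.get("LogonType") == 9
                and ev.get("LogonProcessName", "").lower() == "seclogo"
                and ev.get("AuthenticationPackageName") == "Negotiate"):
            findings.append(("newcredentials-logon", user,
                             f"type 9 logon via seclogo on {ev.get('WorkstationName')}"))
        elif (eid == 4768 and aes_domain
                and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC):
            findings.append(("rc4-tgt-in-aes-domain", user,
                             f"TGT with etype 0x17 requested from {ev.get('IpAddress')}"))
    return findings


def correlate(findings):
    """Accounts that trip more than one distinct rule: a far stronger signal than either alone."""
    rules_by_account = defaultdict(set)
    for rule, account, _ in findings:
        rules_by_account[account].add(rule)
    return {acct for acct, rules in rules_by_account.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, account, detail in hits:
        print(f"[{rule}] {account}: {detail}")
    print("high-confidence accounts:", correlate(hits))
```

A type-9 logon via seclogo is also what a legitimate runas /netonly produces, so on its own it is a lead rather than a verdict; correlate() raises confidence when the same account trips both rules within the records examined, and the RC4 rule only holds where the domain’s AES support makes an RC4 ticket anomalous, which is why aes_domain is a parameter rather than a constant.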
Protecting Against Attacks
While entirely eliminating the risk of PtH and OtH attacks may be unfeasible, several strategies can significantly bolster an organization’s defenses:
- Auditing logon activity: Regularly auditing logon activity can help detect repeated failed logon attempts or other suspicious behavior.
- Implementing attack path management: This limits the damage an adversary can do with a stolen password hash by reducing their ability to move laterally within the network.
- Enabling firewalls: Running a host firewall on every machine blocks the direct host-to-host connections within a subnet that an adversary relies on to hop from one compromised host to its neighbours.
- Auditing endpoint traffic: Monitoring the authentication and network traffic that endpoints generate can help detect PtH attacks.
- Protecting Tier Zero assets: These assets, which include domain controllers and backup servers, should be placed in a protected subnet and their traffic managed with a firewall.
- Implementing Credential Guard: Available from Windows Server 2016, Credential Guard uses virtualization-based security to protect NTLM password hashes and other credentials.
- Avoiding RDP: Using the Remote Desktop Protocol (RDP) leaves password hashes in memory, which can be exploited in a PtH attack. Opt for a more modern and secure remote access tool instead.
- Using managed service accounts (MSAs): MSAs provide automatic password management, changing service account passwords (and their hashes) regularly.
- Implementing Microsoft LAPS: The Local Administrator Password Solution (LAPS) from Microsoft simplifies the management of local admin passwords across devices, enabling the use of a unique local admin password on each machine.
- Using privileged access workstations (PAWs): Privileged accounts should only log into secure administrative workstations, preventing their password hashes from being left behind in memory on workstations.
- Regular patching: Keeping endpoints patched limits the opportunities for attackers to gain entry into systems.
In conclusion, while PtH and OtH attacks are formidable threats, understanding their mechanics, the tools used to execute them, and the strategies for countering them can significantly enhance an organization’s cybersecurity posture. A layered approach to security, incorporating auditing, attack path management, endpoint monitoring and more, can provide a robust defense against these and other cyber threats.