By Sıla Özeren • May 08, 2023
Adversarial attacks on systems can often bypass traditional access controls by utilizing alternate authentication materials such as password hashes, Kerberos tickets, and application access tokens. This technique, identified as T1550 in the MITRE ATT&CK framework, allows attackers to move laterally within an environment and gain unauthorized access to a target system.
This blog provides a detailed description of the Pass-the-Hash (PtH) (T1550.002) attack as a sub-technique of the Use Alternate Authentication Material.
Pass the Hash (T1550.002)
Pass-the-Hash (PtH) is an identity-based attack that adversaries use to gain access to additional systems and privileges within a network once they have already compromised a system.
In a typical Pass-the-Hash scenario, adversaries
- gain initial access to a target network,
- steal or dump "hashed" user credentials, and
- use the dumped credentials
to create a new user session on the compromised host.
The Pass-the-Hash (PtH) attack is distinct from other credential theft attacks in that it specifically targets a weakness in the design of the Windows New Technology LAN Manager (NTLM) authentication protocol. This approach enables authentication to a remote system using the stored hash of a valid user's password, rather than the plaintext password itself.
The NTLM protocol, which serves as a single sign-on method, employs a challenge-response system to verify a user's identity without requiring their password. When a user logs into a Windows system using NTLM, the system generates an NTLM hash of the user's password without employing the salting technique that would typically enhance the security of hashed passwords stored on servers and domain controllers.
As a result, adversaries do not need to use third-party cracking tools or engage in time-consuming cracking operations, since the plaintext version of the password is not necessary for the PtH attack to succeed.
Hence, if an attacker obtains the NTLM hash of a user's password through means such as extracting it from lsass.exe memory or from the %systemroot%\system32\config\SAM file, capturing it during network transmissions, or dumping it from a backup or image of a system, they can utilize the hashed password by passing the hash to a remote system that recognizes the compromised user's account.
Depending on the privileges and level of access of the compromised user, adversaries may gain full system access and successfully perform lateral movement attacks.
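To make the point about unsalted NTLM hashes concrete, here is an added example (not code from the original post) that computes an NT hash the way Windows does, MD4 over the UTF-16LE encoding of the password, and contrasts it with a salted PBKDF2 hash. The MD4 routine is a pure-Python implementation written for this example so that it runs without OpenSSL's legacy provider; the account list at the bottom is constructed. Because no salt or per-host input enters the NT hash, the same password yields the same hash on every account and host, which is exactly why a dumped hash can be replayed without cracking it.

```python
"""NT hash vs. salted hash: why a stolen NTLM hash is reusable as-is.

Added example, not code from the original post. The MD4 routine is a
pure-Python implementation written for this example (hashlib's md4 is often
unavailable with OpenSSL 3); the account list at the bottom is constructed.
"""
import hashlib
import os
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), the digest Windows uses for the NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (round function, additive constant, message-word order, shift amounts)
    rounds = [
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        r = list(state)
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                r[0] = _rotl((r[0] + f(r[1], r[2], r[3]) + x[k] + const) & MASK32,
                             shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]  # rotate registers: next op writes D
        state = [(s + v) & MASK32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): no salt, no per-user or per-host input."""
    return md4(password.encode("utf-16-le"))


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a salted password store does instead (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def reuse_groups(accounts):
    """Group (host, user) pairs whose NT hashes are identical.

    Because the NT hash has no salt, identical passwords give identical hashes
    across accounts and hosts; every host in a group accepts the same hash.
    """
    groups = defaultdict(list)
    for host, user, password in accounts:
        groups[nt_hash(password).hex()].append((host, user))
    return {h: members for h, members in groups.items() if len(members) > 1}


# Constructed sample: the same local admin password set on several hosts.
SAMPLE_ACCOUNTS = [
    ("WS01", "Administrator", "Summer2023!"),
    ("WS02", "Administrator", "Summer2023!"),
    ("FS01", "Administrator", "Summer2023!"),
    ("WS03", "Administrator", "Unique-Per-Host-7f3a"),
]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("Salted hashes differ for the same password:",
          salted_hash("password", salt_a) != salted_hash("password", salt_b))
    for h, members in reuse_groups(SAMPLE_ACCOUNTS).items():
        print(f"NT hash {h} is shared by {members}")
```

The reuse report is the defender's side of the same property: hosts that share a local administrator password share an NT hash, so one dumped hash is valid on all of them, which is the condition that lets a single Pass-the-Hash move laterally across a fleet.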
Tools and Techniques to Perform Pass the Hash (PtH) Attacks
Pass-the-Hash (PtH) attacks can be executed by utilizing various publicly available tools, such as Mimikatz [1] and evil-winrm [2], as well as built-in PowerShell cmdlets. Attackers often employ these tools or commands to extract the hash from the memory of a compromised system and then use it to gain access to other systems on the network.
In this blog, we will be talking about how adversaries leverage Mimikatz to perform a Pass-the-Hash attack. To learn more about how adversaries leverage other tools, such as evil-winrm and PowerShell, see our e-book, The Complete Active Directory Security Handbook.
Mimikatz
The usage of Mimikatz for the Pass-the-Hash attack consists of three main steps.
Step 1: Stealing the password hash
To dump a list of recently logged-on users and their OS credentials, adversaries often use the sekurlsa module in Mimikatz, which leverages a number of different techniques to extract authentication information from LSASS memory, including parsing memory structures and using Windows APIs. The "logonpasswords" function of this module specifically extracts login session data such as saved password hashes and cached credentials. This can include the current user's logon information, as well as information for other users who have logged onto the same machine.
Note that before leveraging the sekurlsa::logonpasswords command, attackers need to run the privilege::debug command so that Mimikatz can run properly. By default, LSASS runs with high integrity and is protected from being debugged by unauthorized processes. However, by enabling the debugger privilege, the attacker can bypass this protection and access LSASS memory to extract the logon session data.
Below, you will find an example output of step one.
PS> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
Having this NTLM hash, it is time for adversaries to jump to the second stage.
It is important to note that Mimikatz is not the only way to dump NTLM hashes. Adversaries often leverage other built-in command-line applications or third-party tools, such as ProcDump [3] and Gsecdump [4], for credential dumping.
Step 2: Authentication through the stolen password hash
This is the main step where the adversary passes the hash to impersonate the user and gain access to the remote system.
The "sekurlsa::pth" command in Mimikatz is a feature that facilitates "Pass the Hash" attacks. This technique allows an attacker to authenticate to a remote system by using a captured NTLM hash of a user's password, without the need for the actual password. To execute this command, the attacker must provide only the following parameters:
- /user: (the username),
- /domain: (the domain name), and
- /ntlm: (the NTLM hash of the user's password).
Note that Windows passwords are not only limited to the NTLM protocol, but may also use popular block encryption algorithms like AES-128 and AES-256 for password storage. In such cases, adversaries would need to use the /aes128: or /aes256: parameters instead of /ntlm:.
PS> .\mimikatz.exe "sekurlsa::pth /user:Alice /domain:domain.com /ntlm:a0c8746a6efc7782c7c19c55185145be"
Notice how easily we gained access to a remote system knowing only the username and the NTLM hash of the victim's password.
Step 3: Accessing resources through new user account
In the third step, the attacker uses the newly obtained user account to expand their network access. For instance, the adversary can use a command-line utility called PsExec to perform remote code execution on another host.
The following command runs the "cmd.exe" process on the remote machine with the internal IP address "192.168.52.146":
psexec.exe \\192.168.52.146 cmd.exe
Mimikatz is not the only way to perform a Pass-the-Hash attack. Adversaries often use PowerShell, too.
Detection Methods for the Pass the Hash Attack
In this section, a set of Event IDs is presented that can be used to detect a possible Pass-the-Hash attack [5], [6], [7], [8]. These Event IDs are generated by the Windows operating system and include valuable information about system activities. By monitoring these Event IDs and analyzing the Key Description Fields, security teams can identify potential security incidents and take appropriate measures to mitigate the risk.
Event ID 1 - Process Create.
- Key Description Fields: LogonId, ParentProcessId, ParentImage, CurrentDirectory, CommandLine, IntegrityLevel, ParentCommandLine, UtcTime, ProcessId, User, Hashes, Image
Event ID 5 - Process terminated.
- Key Description Fields: UtcTime, ProcessId, Image
Event ID 10 - Process accessed.
- Key Description Fields: SourceThreadId, TargetProcessId, GrantedAccess, SourceImage, TargetImage
Event ID 4624 - An account was successfully logged on.
- Key Description Fields: Account Name, Account Domain, Logon ID
Event ID 4663 - An attempt was made to access an object.
- Key Description Fields: Process ID, Access Mask, Account Domain, Object Name, Process Name, Object Type, Logon ID, Handle ID
Event ID 4672 - Special privileges assigned to new logon.
- Key Description Fields: Security ID, Account Name, Account Domain
Event ID 4688 - A new process has been created.
- Key Description Fields: Required Label, Account Domain, Source Process Name, New Process Name, Token Escalation Type, New Process ID, Source Process ID
References
[1] “GitHub - ParrotSec/mimikatz,” GitHub. [Online]. Available: https://github.com/ParrotSec/mimikatz. [Accessed: Feb. 07, 2023]
[2] “GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting,” GitHub. [Online]. Available: https://github.com/Hackplayers/evil-winrm. [Accessed: Feb. 07, 2023]
[3] “ProcDump - Sysinternals.” [Online]. Available: https://learn.microsoft.com/en-us/sysinternals/downloads/procdump. [Accessed: Feb. 07, 2023]
[4] “gsecdump.” [Online]. Available: https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm. [Accessed: Feb. 07, 2023]
[5] “mimikatz > sekurlsa::logonpasswords.” [Online]. Available: https://jpcertcc.github.io/ToolAnalysisResultSheet/details/Mimikatz_sekurlsa-logonpasswords.htm. [Accessed: Feb. 09, 2023]
[6] “Detecting Lateral Movement through Tracking Event Logs.” [Online]. Available: https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf. [Accessed: Feb. 09, 2023]
[7] J. Warren, "How to Detect Pass-the-Hash Attacks." [Online]. Available: https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/. [Accessed: Feb. 09, 2023]
[8] “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.” [Online]. Available: https://scadahacker.com/library/Documents/White_Papers/Microsoft%20-%20Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf. [Accessed: Feb. 09, 2023]