644 - Use of Captured Hashes (Pass-the-Hash (PtH))

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

| MITRE ATT&CK | Use Alternate Authentication Material: Pass the Hash |

Techniques

  1. Explore

    • Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

    • An adversary purchases breached Windows credential hash value pairs from the dark web.

    • An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.

    • An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.

    • An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

  2. Experiment

    • Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

    • Manually or automatically enter each Windows credential hash value pair through the target's interface.

  3. Exploit

    • Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

    • Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

    • Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

Steps to Conduct a PtH Attack

The following example shows how PtH attacks can be leveraged to conduct lateral movement and perform discovery commands in a compromised domain environment.

  1. Explore

    • Acquire known Windows credential hash value pairs: Pass the Hash attacks are considered a post-compromise technique as access to a valid credential hash value is required. The credential obtained for this example is an Domain Administrator NTLM hash.

  2. Experiment

    • Attempt domain authentication: Using the obtained credential hash, authenitcation must be attempted. The CrackMapExec framework will be used to achieve this, using the smb pass the hash module

    crackmapexec smb 172.16.1.31 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

# Additionally, the cracked hash can be used as a plaintext password
crackmapexec smb 172.16.1.31 -u Administrator -p Password01

  3. Exploit

    • Data Exfiltration: For this example, a files from network shares will be downloaded

    # Dumping all files from accessible shares
crackmapexec smb 172.16.1.31 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -M spider_plus -o READ_ONLY=false

Sources

  1. CAPEC-644: Use of Captured Hashes (Pass The Hash)

Previous560 - Use of Known Domain CredentialsNext633 - Token Impersonation

Last updated