644 - Use of Captured Hashes (Pass-the-Hash (PtH))
Last updated
Last updated
When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
| MITRE ATT&CK | |
Explore
Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
An adversary purchases breached Windows credential hash value pairs from the dark web.
An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
Experiment
Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.
Manually or automatically enter each Windows credential hash value pair through the target's interface.
Exploit
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
The following example shows how PtH attacks can be leveraged to conduct lateral movement and perform discovery commands in a compromised domain environment.
Explore
Acquire known Windows credential hash value pairs: Pass the Hash attacks are considered a post-compromise technique as access to a valid credential hash value is required. The credential obtained for this example is an Domain Administrator NTLM hash.
Experiment
Attempt domain authentication: Using the obtained credential hash, authenitcation must be attempted. The CrackMapExec framework will be used to achieve this, using the smb pass the hash module
Exploit
Data Exfiltration: For this example, a files from network shares will be downloaded