
Pass-the-Hash Attacks and How to Prevent them in Windows Domains



In the movies, hackers typically enter a few keystrokes and gain access to entire networks in a matter of seconds. In the real world however, attackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network.

One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack.

Behind the scenes of the password hash

In order to understand how a pass-the-hash attack works, you must first understand how password hashes are used.

When you assign a password to a system, that password is not actually stored on the system. Instead, the operating system runs the password through a one-way mathematical function to compute a hash. The hash is what is stored, not the actual password.

When you log into the system, the authentication engine uses the same function to compute a hash for the password that you entered and compares it to the stored hash. If the two hashes match, the password is assumed to be correct and access is granted.

The important takeaway from this is that as far as the system is concerned, the hash is the password.

An attacker who wants to gain access to a system doesn’t always need to know a user’s password. They just need to have access to the password hash that is already stored within the system. From the hacker’s perspective, having access to a password hash is essentially the same as having access to the password.


What happens when the hash is compromised

As previously noted, cyber criminals who want to take over a network typically use a basic user account as their initial point of entry. They might purchase stolen credentials on the dark web, infect the user with password-stealing malware, or use any number of other techniques to acquire a user’s password.

Once the hacker has access to a low-level user’s password (the actual password, not the hash), their next priority is to log in as that user and then look for ways to elevate their permissions. This is where the pass-the-hash attack comes into play.

Pass-the-hash prevalence in Windows OS

Pass-the-hash attacks can be used against a variety of systems, but they most commonly target Windows systems. Windows is a favorite target because Windows systems hold password hashes for everyone who has ever logged into that system. It doesn’t matter whether a user logged into the system locally or through an RDP session; their hash will still be present on the system.

When the hacker logs into a system, they search it for any password hashes that may exist, in the hope that an administrator has logged in at some point. If no admin-level hashes are present, the hacker performs a hash spray attack, using the stolen password hashes to log into every other workstation they can reach and extract its password hashes in turn.

Eventually the attacker will likely find a system that contains an admin level hash. That hash can then be used to gain access to domain controllers, application servers, file servers, and other sensitive resources.

Five steps to prevent a pass-the-hash attack in your network

Unfortunately, pass-the-hash attacks are difficult to detect since these attacks rely on normal operating system authentication mechanisms. As such, it is important to take steps to try to prevent pass-the-hash attacks from being successful. There are several things that you can do to decrease the odds of a pass-the-hash attack succeeding.

Never log into a workstation with a privileged account

First and foremost, you should never, ever log into a workstation using a privileged account. This includes RDP sessions. It’s best to set up dedicated management workstations that have been hardened against attacks and to perform privileged operations solely from those workstations.

Enable Windows Defender Credential Guard

Windows 10 and 11 include a feature called Windows Defender Credential Guard. When enabled, it uses hardware-backed virtualization to isolate the secrets held by the Local Security Authority Subsystem Service (LSASS) in a protected environment, so that even code running with administrative rights on the host cannot read them. This single change makes the system much more resistant to pass-the-hash attacks.
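As an added example (not code from the original post or from Specops), the following PowerShell snippet checks whether Credential Guard is actually running on a machine via the documented Win32_DeviceGuard WMI class, and configures the registry values that turn on virtualization-based security and Credential Guard when it is not. It assumes you run it elevated on a machine whose firmware supports Secure Boot, and that a reboot follows.

```powershell
# Query the Device Guard WMI class; SecurityServicesRunning holds 1 when
# Credential Guard is running and 2 when HVCI (memory integrity) is running.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    return ($dg.SecurityServicesRunning -contains 1)
}

# Enable VBS and Credential Guard through the documented registry values.
# LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
# The UEFI lock prevents an attacker with admin rights from disabling it
# remotely, at the cost of needing physical access to turn it off later.
function Enable-CredentialGuard {
    param([switch]$WithUefiLock)

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Turn on virtualization-based security and require Secure Boot (1).
    New-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    $flags = if ($WithUefiLock) { 1 } else { 2 }
    New-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' `
        -PropertyType DWord -Value $flags -Force | Out-Null

    Write-Host "Credential Guard configured (LsaCfgFlags=$flags). Reboot required."
}

if (Test-CredentialGuardRunning) {
    Write-Host 'Credential Guard is running: LSASS secrets are isolated.'
} else {
    Write-Warning 'Credential Guard is NOT running on this host.'
    Enable-CredentialGuard -WithUefiLock
}
```

Run the check again after the reboot; if it still reports not running, the usual causes are virtualization disabled in firmware or Secure Boot turned off, which the Windows "System Information" tool lists under "Virtualization-based security".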

Apply the Principle of Least User Access

The main idea behind Least User Access is that users should not have any permissions beyond those specifically required for them to do their jobs. Using Least User Access will not prevent a pass-the-hash attack, but it will limit the damage if an attacker does manage to compromise one or more accounts, because the stolen hash is only as useful as the account it belongs to.

Use Firewalls to Block Unnecessary Traffic

End user devices will likely need access to domain controllers, file servers, and other line-of-business systems. However, it is rare for one workstation to need to connect directly to another. If you use firewalls to block workstation-to-workstation traffic, you reduce an attacker’s ability to make the lateral movements that a successful pass-the-hash attack depends on.
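As an added example that is not part of the original post, this PowerShell snippet applies the workstation-to-workstation blocking described above using the built-in Windows Defender Firewall cmdlets. The subnet 10.10.0.0/16 is a constructed placeholder for the workstation VLANs; the rule names are my own. It blocks inbound SMB, RPC and RDP from other workstations while leaving traffic from servers and domain controllers untouched.

```powershell
# Constructed placeholder: the address range(s) your workstations live in.
$WorkstationSubnets = @('10.10.0.0/16')

# Ports most often used for hash-based lateral movement between workstations:
# SMB (445), RPC endpoint mapper (135) and RDP (3389).
$LateralMovementPorts = @('445', '135', '3389')

function Set-WorkstationIsolationRules {
    param([string[]]$Subnets, [string[]]$Ports)

    $ruleName = 'Block inbound lateral movement from workstations'

    # Replace any previous copy of the rule so the script is idempotent.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block TCP connections on the listed ports when the source address is
    # another workstation. Servers and DCs are outside the subnet and are
    # therefore unaffected by this rule.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Block -Enabled True `
        -Profile Domain, Private `
        -Protocol TCP -LocalPort $Ports `
        -RemoteAddress $Subnets | Out-Null

    # Make sure the domain profile still defaults to blocking unsolicited
    # inbound traffic, so anything not explicitly allowed is dropped.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
}

function Get-WorkstationIsolationStatus {
    # Return the rule so it can be reviewed (e.g. piped to Format-List).
    Get-NetFirewallRule -DisplayName 'Block inbound lateral movement from workstations' |
        Get-NetFirewallPortFilter
}

Set-WorkstationIsolationRules -Subnets $WorkstationSubnets -Ports $LateralMovementPorts
Get-WorkstationIsolationStatus
```

Deploy the same rule through Group Policy rather than per host so it cannot be silently removed, and allow your management workstations explicitly if they need inbound access to endpoints.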

Use Specops Password Auditor to Assess Your Password Health

Before an attacker can initiate a pass-the-hash attack, they require an initial point of entry. This usually comes in the form of stolen credentials. A free tool called Specops Password Auditor can help you to identify at-risk accounts before they are compromised.

Specops Password Auditor not only verifies that users’ passwords comply with industry standards for secure passwords; it can also compare users’ passwords against a list of passwords that are known to have been compromised. That way, you can force a password change before such an account can be exploited.

Sponsored by Specops
