In a pass-the-hash attack, the attacker harvests the password hashes of user accounts. There are a number of methods an attacker typically uses to obtain the password hashes:
- An attacker may compromise the administrator account and use its administrative privileges to obtain the cached password hashes from the SAM. However, the default behaviour of keeping cached hashes for offline use can be disabled by the administrator, so this method does not always work.
- An attacker sometimes dumps the local user account database (the SAM) to obtain the password hashes of local users. Later, the attacker uses them, together with the password hashes of local administrative accounts, to compromise multiple systems.
- The attacker sometimes sniffs the LM or NTLM challenge-response exchanges between the client and the server and later brute-forces the encrypted hash values.
- The attacker may also dump the credentials of authenticated users held by the Windows lsass.exe process. With this method, the attacker can obtain the hash values not only of local user accounts but also of users in the security domain of which the machine is a member.
How can we prevent the pass-the-hash attack?
There is no single defense against this attack, but a number of precautions can be taken. A firewall, an intrusion prevention system, 802.1x authentication, IPSec, antivirus software, full disk encryption and similar controls all help. A Windows machine can be prevented from storing cached copies of user credentials. The principle of least privilege is always useful. Windows systems can be configured not to use the LM or NTLM protocols. Last but not least, Restricted Admin Mode is a security feature for the Windows operating system that was introduced in 2014; it can make the attack considerably more difficult for the attacker.
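As an added example (not part of the original article), the following PowerShell audit reads the registry settings behind the Windows precautions listed above (cached credential count, LM/NTLM use, Restricted Admin Mode) and reports which ones are hardened. It assumes a Windows host and an elevated session for the registry reads; the LSA-protection check (RunAsPPL) goes beyond what the article names and is included because it addresses the lsass.exe credential dump described earlier.

```powershell
# Added audit script, not from the original article. Each entry names the
# registry value that controls one of the mitigations above and a predicate
# describing the hardened state. Run in an elevated PowerShell session.
$Checks = @(
    @{ Name = 'Cached logon count (limit cached credentials)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'; Wanted = { param($v) [int]$v -le 1 }
       Note = 'default is 10; 0 or 1 limits offline use of cached hashes' },
    @{ Name = 'LM hash storage disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Wanted = { param($v) $v -eq 1 }
       Note = '1 stops the weak LM hash from being stored in the SAM' },
    @{ Name = 'LM and NTLM refused, NTLMv2 only'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Wanted = { param($v) $v -ge 5 }
       Note = '5 = send NTLMv2 responses only, refuse LM and NTLM' },
    @{ Name = 'Restricted Admin Mode enabled for RDP'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableRestrictedAdmin'; Wanted = { param($v) $v -eq 0 }
       Note = '0 enables the mode; an absent value means it is not enabled' },
    @{ Name = 'LSA protection (lsass.exe runs as protected process)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Wanted = { param($v) $v -eq 1 }
       Note = '1 blocks ordinary processes from reading lsass.exe memory' }
)

function Test-PassTheHashHardening {
    foreach ($c in $Checks) {
        # Missing values are treated as "not hardened", since every check
        # above needs an explicit non-default setting to be in effect.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($c.Value) } else { $null }
        $ok = ($null -ne $current) -and (& $c.Wanted $current)
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $current) { '(not set)' } else { $current }
            Hardened = $ok
            Note     = $c.Note
        }
    }
}

Test-PassTheHashHardening | Format-Table -AutoSize -Wrap
```

Rows with Hardened = False show where the host still relies on defaults that the attack methods above depend on; apply the corresponding policy through Group Policy rather than editing the registry by hand on domain-joined machines.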