Defending Against Pass-The-Hash
July 24, 2017 | POSTED BY AARON MOSS IN THREAT INTELLIGENCE
What is Pass-The-Hash?
Pass-The-Hash (PTH) is an attack designed to allow an unauthenticated attacker (usually on an internal network) to take control of the NTLMv1 or NTLMv2 hashes of a compromised Windows user and send them to another Windows computer to be used to authenticate. It is an attack that is designed to let attackers move laterally around a Windows network with ease and can be especially dangerous when the hash being used belongs to an Administrative level account.
Why is it important?
As a Security Consultant (read: pentester, or, as my manager says, "Professional Hacker"), I find that the easiest way that I can get the coveted "keys to the kingdom" in Microsoft Windows environments - the Domain Admin, or even Enterprise Admin account - is through compromising some server or workstation that is running some administrative credentials, mostly local administrator, and using those credentials to move around the network.
Windows networks are not particularly setup with security in mind, as most IT administrators just want them to work. Having been one of these administrators myself in a past life, I understand the pain of having to make sure that THINGS JUST WORK. There are *MANY* issues with Windows networks, from patching, to running old software, to weak passwords for user accounts, etc. Many of these issues can be solved with a little elbow grease and time, but it's usually best done when the network is being setup, because once it WORKS, as an admin, we don't want ANYONE messing with our network.
However, one of the issues in Windows networks that is often overlooked is how often an admin can setup an image with the same local administrator account on all computers for that image, whether it be for the server farm or for different workstation images, and the same password, while it may be long and complex, is used EVERYWHERE. While this may keep the casual malicious user/attacker from guessing the password, once a skilled attacker gains access to the computer, it's trivial to dump either the NTLMv1/NTLMv2 hash or the password itself from memory on the machine. Now, it needs to be noted that in order to dump passwords or hashes from memory, it requires administrative or System privileges on the compromised computer. With that being said, if a Windows 7 workstation or 2008 R2 server has not been patched for Microsoft's MS17-010 vulnerability, and an attacker finds it, it's potentially Game Over.  This particular vulnerability, when successfully exploited, gives "NT AUTHORITY\SYSTEM" privileges on the compromised machine.
This can be particularly problematic (or AWESOME, depending on your vantage point) if the local administrator is logged into the machine at the time, and the password is the same across all machines. As an attacker, I am usually successful at gaining admin or system privileges on a machine once I'm on the internal network. I can then use the dumped passwords/hashes to compromise the rest of the network. If there's no user logged in, it's again trivial to use Windows based tools to dump the Security Account Manager file from memory and gain access to the local administrator hash. If this password is the same on all computers, then the password hash will be the same on all computers, and I can either attempt to crack the hash, or use that hash to access other computers in a Pass-The-Hash attack. Once a computer with a Domain/Enterprise Admin account is found logged in, then I will dump those credentials from memory (again, hashes or plaintext passwords, depending on the OS and tool), and utilize them to compromise the entire network. Please note, the many ways that password credentials (passwords and the various types of hashes) can be gained and used for nefarious purposes is beyond the scope of this article.
This is a Windows 10 Enterprise system. This is not my real password. :-)
So, how do we defend against PTH?
There are a few techniques that make my life as a pentester (and, of course, any other unauthorized user) much harder.
- Microsoft LAPS -
The best technique to mitigate the "local administrator" PTH attack is to use Microsoft's Local Administrator Password Solution (LAPS) on all servers and workstations. It's a free tool from Microsoft designed to make attacks like these useless, at least for the local administrator account. It's an Active Directory add-on that works by changing the local administrator account password at a user specified interval and with user specified length and character settings. It then stores that password in Active Directory attributes. The next blog post will have more information on how to install it and best practices for using it.
- Admin Account Restrictions -
Turn off the Domain/Enterprise Admin (DA) accounts. Disable them. Re-enable them when needed; then, disable them again. Even in small networks, not everyone needs to have admin credentials. As a matter of fact, NO ONE needs to have full administrative credentials 100% of the time. If a DA account is needed full time, investigate as to why that is. Managed Service Accounts (MSA) were introduced in Windows 2008 R2 to allow specific services to be ran, and the password changes automatically. MSAs were designed to be a replacement for the local accounts or the DA service accounts that so many of us were guilty of creating, then forgetting about. That password for that DA service account might be 64 characters long, but if I can get the hash for it, I don't need to crack it.
Now, this particular remedy tends to be a proverbial "thorn in the side" because of the effort it takes to implement, but in the event that you experience a compromise on your network, it will save you tons of grief. You can thank me later.
- Network Segmentation and Access Controls -
If your network is flat, there may be nothing stopping me from compromising a workstation, and using that to launch an attack on your servers, then your entire network. Plan for network segmentation.
Put servers in their own VLAN(s), printers in their own VLAN, users in their own VLAN(s), wireless users in their own VLAN, etc. Then monitor how your users and applications access and communicate with other servers, applications, web applications, databases, etc. This will set the baseline for your network.
From there, use firewalls and access controls to restrict access to certain networks and services to only authorized networks or IP addresses.
Example #1 - If a user VLAN doesn't need to directly access a database server, use access controls (firewalls) to restrict access.
Example #2 - On local workstations, Windows Firewall is a built-in, configurable solution to restrict certain networks from communicating with certain ports. For instance, if you use Microsoft Remote Desktop or $VNC service, configure Windows Firewall to restrict access to only certain networks or even IP addresses for access.
If you made it to the end of this long blog post, CONGRATULATIONS! I will be completing this little foray into the world of Pass-the-Hash in the next article, "Installing Microsoft LAPS for Fun and Profit."