Pass-the-Hash Attacks and How to Prevent them in Windows Domains


In the movies, hackers typically type a few keystrokes and gain access to entire networks in a matter of seconds. In the real world, however, attackers often start with nothing more than a low-level user account and then work to gain additional privileges that allow them to take over the network.

One of the methods commonly used to gain these privileges is a pass-the-hash attack.

Behind the scenes of password hashing

To understand how a pass-the-hash attack works, you must first understand how password hashes are used.

When you assign a password to a system, that password is not actually stored on the system. Instead, the operating system uses a mathematical formula to calculate a hash for the password. The hash is saved, not the actual password.

When you log into the system, the authentication engine uses the same mathematical formula to calculate a hash for the password you entered and compares it to the stored hash. If the two hashes match, the password is assumed to be correct and access is granted.

The important insight from this is that for the system, the hash is the password.

An attacker who wants to gain access to a system does not always need to know a user’s password. They just need access to the password hash already stored on the system. From the hacker’s perspective, accessing a password hash is essentially the same as accessing the password.
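The "hash is the password" point is easiest to see when the two authentication paths are written out side by side. The following is an added illustration, not code from the original post or from any Windows component: a toy model in which a local logon rehashes the typed password, while a network logon uses a challenge/response keyed by the stored hash, which is the general shape of NTLM network authentication. The hash function (SHA-256 over the UTF-16LE password) and the HMAC-based response are assumptions chosen so the script runs anywhere; the real NT hash is MD4 and NTLMv2 uses HMAC-MD5, but the property shown is the same: on the network path the password is never an input, so whoever holds the hash can complete the exchange. That is why the hash itself has to be protected as a secret.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """The 'mathematical formula' from the text: derive a hash from the password.
    Constructed model: SHA-256 over UTF-16LE, not the real MD4-based NT hash."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def store_credential(password: str) -> bytes:
    """What the system keeps on disk or in memory: only the hash, never the password."""
    return password_hash(password)


# Path 1: local logon. The user types the password, the system rehashes and compares.
def verify_password(stored_hash: bytes, typed_password: str) -> bool:
    return hmac.compare_digest(stored_hash, password_hash(typed_password))


# Path 2: network challenge/response (simplified NTLM shape). The server sends a
# random challenge and the client keys a MAC with the *hash*. The password is not
# used anywhere on this path.
def make_challenge() -> bytes:
    return os.urandom(16)


def client_response(secret_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def network_logon_succeeds(stored_hash: bytes, client_secret: bytes) -> bool:
    """Run one challenge/response round with whatever hash the client holds."""
    challenge = make_challenge()
    return server_verify(stored_hash, challenge, client_response(client_secret, challenge))


if __name__ == "__main__":
    stored = store_credential("CorrectHorse!9")  # constructed sample password
    # Local logon needs the password itself.
    print(verify_password(stored, "CorrectHorse!9"))  # True
    print(verify_password(stored, "wrong"))           # False
    # Network logon needs only the hash: a client that holds a copy of the
    # stored hash, and never saw the password, authenticates just as well.
    print(network_logon_succeeds(stored, stored))                   # True
    print(network_logon_succeeds(stored, password_hash("wrong")))   # False
```

The local path is what most people picture when they think about password hashing; the network path is the one that matters for the rest of this article, because it is the one where possession of the hash is sufficient.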

Password hashing is a commonly used technique to protect passwords, but not all password hashing technologies are created equal. This post describes the three main types of password hashing techniques and how you can change which one your Active Directory uses.

What happens if the hash is compromised?

As mentioned above, cyber criminals who want to take over a network usually use a simple user account as an entry point. They could buy stolen credentials from the dark web, infect the user with password-stealing malware, or use a variety of other techniques to obtain a user’s password.

Once the hacker has access to a low-level user’s password (the actual password, not the hash), their next priority is to log in as that user and then look for ways to elevate their privileges. This is where the pass-the-hash attack comes in.

Pass-the-hash prevalence in Windows operating systems

Pass-the-hash attacks can be used on a variety of systems, but are most commonly targeted at Windows systems. The reason Windows is a preferred target is that Windows systems retain password hashes for everyone who has logged into that system. It doesn’t matter whether a user logged into the system locally or through an RDP session; their hash will still be stored on the system.

When the hacker logs into a system, they scan the system for any password hashes that may be present, hoping that an administrator has logged in at some point. In the absence of admin-level hashes, the hacker performs a hash spray attack, using stolen password hashes to log into every other workstation and extract their password hashes.

Eventually, the attacker will likely find a system that contains an admin-level hash. This hash can then be used to gain access to domain controllers, application servers, file servers, and other sensitive resources.

Five steps to prevent a pass-the-hash attack on your network

Unfortunately, pass-the-hash attacks are difficult to detect because these attacks rely on normal operating system authentication mechanisms. Therefore, it is important to take steps to prevent pass-the-hash attacks from being successful. There are several things you can do to reduce the likelihood of a successful pass-the-hash attack.

  1. Never log on to a workstation with a privileged account

    First of all, you should never log into a workstation with a privileged account. This includes RDP sessions. The best practice is to set up dedicated administrative workstations that are hardened against attack and perform privileged operations exclusively from those workstations.

  2. Enable Windows Defender Credential Guard

    Windows 10 and 11 include a tool called Windows Defender Credential Guard. When enabled, this tool uses hardware-level virtualization to run the Local Security Authority Subsystem service in a sandbox environment. This simple action makes the system much more resilient to pass-the-hash attacks.

  3. Apply the principle of least user access

    The main idea behind Least User Access is that users should not have permissions beyond what is specifically required for their work. While using least user access does not prevent a pass-the-hash attack, it does minimize the damage if an attacker manages to compromise one or more accounts.

  4. Use firewalls to block unnecessary traffic

    End-user devices likely need access to domain controllers, file servers, and other line-of-business systems. However, it is rather rare that one workstation needs to access another. If you can use firewalls to block workstation-to-workstation traffic, you reduce an attacker’s ability to perform the lateral movements required for a successful pass-the-hash attack.

  5. Use Specops Password Auditor to assess your password state

    Before an attacker can initiate a pass-the-hash attack, they need an initial entry point. This usually comes in the form of stolen credentials. A free tool called Specops Password Auditor can help you identify accounts with compromised passwords before an attacker exploits them.

Specops Password Auditor not only verifies that users’ passwords meet industry standards for strong passwords, but can also compare users’ passwords against a list of passwords that are known to have been compromised. This allows you to force a password change before such an account can be exploited.

Sponsored by Specops
