Published on February 19th, 2023 📆 | 7898 Views ⚑
0Pass-the-Hash | Optiv
Pass-the-hash (PtH) is an all too common form of credentials attack, especially since the advent of a tool called Mimikatz. Using PtH to extract from admin memory parsing is much faster than old dictionary and brute force style attacks of yester-year using tools such as âCain and Abel.â This blog introduces the Windows Security Account Manager (SAM) file, hashes for credentials, how PtH is easily performed using a tool called Mimikatz, and how to detect such attacks within alerts.
Â
Creating Context â the SAM File
Â
Windows âhashâ (fixed-size mathematically generated value) values for passwords for users on a computer are stored in the Windows SAM file located at %SystemRoot%/system32/config/SAM and mounted via HKLM/SAM:
Â
Â
SAM file as seen in Windows 10 in the System32 config directory
Â
If a computer is compromised by a remote actor or malicious insider they can easily view, copy, and/or exfiltrate the SAM file from a computer to then leverage in compromising credentials. Using old-school methods, one can copy the SAM file from the local system and exfiltrate it to an attacker computer for brute force password attacks against the file. This is not as easy as you think, since it is already in use and therefore not allowed by Windows. However, a trivial batch (.bat) file run as admin easily creates a copy on the local C drive:
Â
@echo off
reg SAVE HKLMSAM C:SAM
reg SAVE HKLMSYSTEM C:SYSTEM
exit
Â
Once obtained, the SAM file can then be leveraged for password cracking. In a reverse direction an actor may also just upload a tool like Mimikatz to a remote compromised endpoint to then run it on the computer to then compromise credentials, which is far more efficient than using PtH tactics.
Â
SAM File Contents and Hash Types
Â
The SAM file contains data as shown below, when viewed in Notepad on Windows:
Â
Â
SAM file snippet viewed in Notepad
Â
Windows XP and older operating systems store passwords in the SAM file. To keep passwords secure they are âhashedâ using one of two formats: LAN Manager (LM) Hash or NT LAN Manager (NTLM). LM hashes are the older, easily cracked version of security, which should not be used today. LM hashes can be cracked in seconds using off-the-shelf hacking tools. When viewing hashes in a SAM file, if you see two different hash values present you know you can âpwnâ (own) the credentials because it must contain both LM and NTML hashes!
Â
NTLM hashes are more robust, but produce a cryptographic value that is predictable. In other words, if you generate the hash value for âadmin123â or âsunsetâ you get a known value that can then be used in a dictionary style attack against unknown hashes. Â
Â
PtH with Mimikatz
Â
No matter what type of hash you use, if admin exists on an endpoint and itâs compromised and Mimikatz is used, complete pwnâge is in your immediate future. Itâs trivial to run the tool to quickly dump all passwords on a local system as shown below:
Â
Â
Mimikatz dumping passwords to âPasswords.txtâ
Â
Â
Examples of passwords dumped by Mimikatz including user kdunham and a NAS device
Â
Once the user is compromised, whatever privileges they have across the network can then be used to log into different computers with different users and hashes. This enables an actor to quickly traverse a network laterally and/or elevate to Domain Admin in many cases. It can also enable an actor to have access to special file stores, such as the network area storage device used for backups as seen in the example above.
Â
Mature pen testers and threat agents often automate the use of Mimikatz with a script, such as a PowerShell script. This enables them to perform several tasks quickly that are always required - such as disabling AV and running the desired command for Mimikatz to steal credentials. Some tools, such as PowerShell Empire, contain a module such as âpthâ to also automate such tasks. Even Microsoft has a PowerShell script for downloading from Github and executing Mimikatz, available at https://gallery.technet.microsoft.com/scriptcenter/Invoke-Mimikatz-and-will-d6c40fac. Â
Â
Mimikatz is one of the most popular but certainly not the only tool for stealing credentials. Related tools of concern include but are not limited to MetaSploit, SMBShell, fgdump, gsecdump, PWDumpX, creddump, and WCE.
Â
Detecting PtH in Alerts
Â
Lateral movement of PtH attempts can be seen between workstations:
Â
- Microsoft Event Security Log ID 4624
- LogonType 3 using NTLM
- Event level information
- Authentication is NOT a domain and NOT anonymous
- Security ID is commonly null for PtH attacks
Â
ID 4624 is for a successful user account login, which can be seen in the Windows event security log. Other codes, like 4740 for lockout, may help reveal a picture of attempted hacking of an account. Combining at least the three PtH components of ID 4624, 3, and NTLM into event correlation enables an analyst to quickly identify PtH attacks. In the real world of reaching through SIEM/SOC data an analyst may be viewing a triggered syslog alert such as:
Â
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| ",$WINDOWS_DOMAINS; meta_nocase; program: Security|Security-Auditing; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url,http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:2;)
Â
Reading through the rule above notice the use of â!â where something like âANONYMOUS LOGONâ is NOT part of the rule. This matches the ruleset described above and is relatively fast to triage by a junior analyst as PtH.
Â
Summary
Understanding PtH is important in 2018 because it is a very common method popularized by tools such as Mimikatz. Itâs common and relatively easy to spot in terms of low hanging fruit on alerts, monitoring and response. There is a much more complicated architecture behind the scenes of any well defended network related to how identity and access management (IAM) is performed in addition to more advanced PtH detection and counter-tactics.
Â
While this article does not focus upon preventative controls to reduce credential theft risk a few must be noted out of good conscience in addition to additional references below:
Â
- Ensure you donât have admin for all users on a flat network! PtH requires administrative rights. Manage such accounts accordingly.
- Do not allow remote interactive sessions on any high value asset account or device.
- Ensure proper termination of Remote Desktop Protocol (RDP). This varies based upon your specific version of Windows but results, in general, in an increase around admin privileges and protection to use RDP.
- Audit the use of scripts, especially PowerShell, on Windows endpoints. Also audit anti-virus logs and other data for possible Mimikatz or PtH abuse and/or disabling of anti-virus.
Â
More Information
Â
For more information on PtH read the SANS paper at https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283. Â
Â
Extensive mitigation advice from MS against PtH at https://cloudblogs.microsoft.com/microsoftsecure/2012/12/11/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash/ and http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf.
Â
Binary Defense dives into how to detect PtH at https://blog.binarydefense.com/reliably-detecting-pass-the-hash-throughâŚ. Â
Â
A Blackhat talk on why you need to detect more than PtH, because this is a complex subject, available at https://www.blackhat.com/docs/us-14/materials/us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH-WP.pdf. Â
Â
A more technical video on how authentication takes place related to PtH: https://www.youtube.com/watch?v=cBXdoIuLzmA.
Gloss