Pass the Hash (PtH)

Description

Pass the hash is an old attack technique, used mainly in Windows environments. It allows an attacker who has previously collected NT hashes to move laterally in the network without having to crack those hashes to recover clear-text passwords. For example, an attacker who gained elevated privileges on a system might have used Mimikatz to dump the hashes stored in the LSASS process of the victim system, thereby retrieving the hashes of several users, such as Lucy and Paul, both of whom hold elevated privileges on other systems of the network. Using Pass the Hash, the attacker can authenticate to the servers on which Lucy and Paul have high privileges using their respective hashes. Indeed, when authenticating with a user's hash, the attacker is granted all rights, privileges and roles of the compromised account.

Pass the hash is possible because of the Single Sign-On (SSO) mechanism and weaknesses in NTLM authentication. SSO spares users from re-authenticating each time they access a service or a server: each time a user logs on to a host or a service, their hash is kept in the system's cache. An attacker can abuse this by dumping LSASS and retrieving the hashes of every user with an active or recent session on the system. Moreover, NTLM authentication is a challenge/response protocol that uses only the hash as the authenticator, so a user (or anyone holding that user's hash) can authenticate to multiple services with nothing more than the NT hash.

Because a user's hash only changes when the password changes, an attacker may reuse a compromised hash many times.

Only NT hashes can be passed, not the hashes derived from the NTLMv2 authentication protocol.
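Since a pass-the-hash logon is a perfectly valid NTLM logon, no single authentication event reveals that the hash, rather than the password, was used. What a defender can detect is the behaviour described above: one account, from one source address, opening network logons to many different hosts in a short time. The following script, added here as an illustration and not part of the original page, runs that check over a small constructed set of Windows Security events (Event ID 4624, "An account was successfully logged on", logon type 3 = network). The host names, user names, addresses, the 10-minute window and the three-host threshold are all invented for the example.

```python
"""Behavioural detection of NTLM lateral movement consistent with Pass the Hash.

A PtH logon is a valid NTLM logon, so nothing in an individual 4624 event marks
it as stolen-credential use. The observable pattern is fan-out: one account,
from one source address, authenticating to several hosts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (Event ID 4624), reduced to the
# fields used here. Hosts, users and addresses are invented for this example.
SAMPLE_EVENTS = [
    # lucy: ordinary access to a single file server during the morning
    {"time": "2024-05-01T09:00:00", "computer": "FS01", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "lucy", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:40:00", "computer": "FS01", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "lucy", "src_ip": "10.0.0.50"},
    # paul: interactive console logon (type 2), not a network logon, so out of scope
    {"time": "2024-05-01T09:05:00", "computer": "WS07", "event_id": 4624, "logon_type": 2,
     "auth_package": "Negotiate", "user": "paul", "src_ip": "-"},
    # paul's account used from one workstation against four servers within
    # minutes: the fan-out pattern that PtH lateral movement produces
    {"time": "2024-05-01T13:00:10", "computer": "SRV01", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "paul", "src_ip": "10.0.0.99"},
    {"time": "2024-05-01T13:01:30", "computer": "SRV02", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "paul", "src_ip": "10.0.0.99"},
    {"time": "2024-05-01T13:02:45", "computer": "SRV03", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "paul", "src_ip": "10.0.0.99"},
    {"time": "2024-05-01T13:04:00", "computer": "DC01", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "paul", "src_ip": "10.0.0.99"},
    # a Kerberos network logon is not NTLM and is ignored by this rule
    {"time": "2024-05-01T13:05:00", "computer": "SRV04", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "user": "paul", "src_ip": "10.0.0.99"},
]


def ntlm_network_logons(events):
    """Keep only successful network logons (type 3) authenticated with NTLM."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth_package"] == "NTLM"]


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (user, src_ip) pairs that reach at least `min_hosts` distinct hosts within `window`.

    Returns a sorted list of (user, src_ip, hosts) tuples, where hosts are the
    distinct target computers seen in the first window that crosses the threshold.
    """
    by_actor = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_actor[(e["user"], e["src_ip"])].append(
            (datetime.fromisoformat(e["time"]), e["computer"]))

    findings = []
    for (user, src_ip), logons in by_actor.items():
        logons.sort()  # chronological order so each logon can start a window
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append((user, src_ip, tuple(sorted(hosts))))
                break  # one finding per actor is enough
    return sorted(findings)


if __name__ == "__main__":
    for user, src_ip, hosts in detect_fan_out(SAMPLE_EVENTS):
        print(f"possible PtH lateral movement: {user} from {src_ip} -> {', '.join(hosts)}")
```

Against the sample, lucy's repeated logons to one server are not flagged, paul's console logon and Kerberos logon are filtered out, and paul's four NTLM network logons from 10.0.0.99 within four minutes are reported. In a real environment the window and threshold need tuning against baseline behaviour (backup and monitoring accounts legitimately fan out), and the rule is a complement to, not a replacement for, limiting where privileged hashes are cached in the first place.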

pth-winexe

pth-winexe -U Administrator%00000000000000000000000000000000:54d99af9cebee2444c1684ac33dadb1e --system //10.3.3.190 cmd.exe

Impacket - psexec

-hashes LMHASH:NTHASH

python3 psexec.py -hashes 00000000000000000000000000000000:ee0c207898a5bccc01f38115019ca2fb Administrator@10.11.1.24
OR
impacket-psexec -hashes 00000000000000000000000000000000:ee0c207898a5bccc01f38115019ca2fb Administrator@10.11.1.24
