This summer’s ransomware attacks were groundbreaking – and not only for the damage they inflicted. They also pushed awareness of the ransomware attack vector out of the IT shops and into mainstream consciousness.
And for cyber security professionals like myself, these ransomware attacks were also a valuable reminder. We need to stay vigilant against an old, but still powerful, foe – the pass-the-hash attack. According to reports, ransomware like NotPetya leveraged the Sysinternals tool PsExec to launch pass-the-hash attacks.
So today’s post is a pass-the-hash refresher. What it is, how it works and – most importantly – what you can do to counter it. But first, let’s step back and start by defining password hashes.
What is a Password Hash?
To make it difficult for the bad guys to figure out your password, operating system vendors (and even application vendors) convert passwords into a non-reversible equivalent called a password hash. The password hash is not the password itself. It’s a unique signature (typically a 32-digit hexadecimal number, though it can be longer or shorter) of that password that can be used for comparison purposes. When you log on to a Windows system, the password you type in is converted to a hash.
For example, the calculated hash of the password: “password” is:
The interesting thing about hashes is that if I change that password a little (say, alter “password” to “p@ssword”) the hash changes radically to:
Looking at those two hashes, you can see that it is difficult to tell that these are the same password, except for that one character difference.
Another notable thing about hashes is that they don’t reflect the length of the password. For example, the password: “Thequickbrownfoxjumpedoverthelazydogsback.” has a hash of:
So whether you have a single character password or one that has 127 characters, you always get a hash of the same length.
When you enter your password, the hash is compared to the hash stored in the operating system for your account. If the hashes match you get logged in.
How Pass-the-Hash Attacks Work
It’s a solid concept that worked well for a time. But, eventually someone learned to exploit the hashes. Now we’re afflicted with pass-the-hash attacks – a form of credential theft used for lateral, “land-and-expand” type attacks, as well as privilege escalation attacks.
In pass-the-hash attacks, a hacker steals privileged credentials from one system. He then uses those credentials to authenticate to other systems on the network. The credential can be obtained in any number of ways, whether it’s through free hacking tools (like mimikatz) that are easily found on the Internet, rainbow tables, or farming the Windows LSA (local security authority).
Now, since these attacks leverage password hashes, they basically let the attacker impersonate the authenticated user, without ever knowing the actual password itself. The attacker then “passes” the stolen credential to other systems to gain broader access to more machines. Essentially, any machine with stored hashes could be a step in a chain that leads the attacker to the ultimate system he’s seeking – one with valuable information.
One important note about pass-the-hash attacks is that using multi-factor authentication (MFA) does not protect a system from a pass-the-hash attack.
How to Stop Pass-the-Hash Attacks
It’s a clever process but, fortunately for the good guys, one that can be soundly defeated.
Securing Privileged Credentials
To get into those sensitive systems with valuable information the attackers need privileged credentials. So, start by changing those credentials frequently. Obviously the less time an attacker has with a valid credential, the less time he has to conduct mischief. But don’t merely change the passwords. Make sure each system has its own unique password. That way, a stolen credential can’t be used to move from system to system in a chain.
Removing Administrative Privileges
Also, remove administrative privileges from local accounts. There’s no good reason for anyone to maintain persistent administrative access. Instead, set up a system where privileged credentials are checked out to authorized personnel on an as needed basis. And then audit what those privileged users are doing with their elevated access. That way, even if an attacker manages to penetrate the network and steal a local credential, he can’t gain the administrative rights he needs.
Restart Windows Systems
Based on current Microsoft Windows technology, once an account has authenticated successfully on a Windows system, the Windows LSA (lsass.exe) stores those password hashes. This enables a user to quickly regain access to a system later. Unfortunately, this model also allows farming of those password hashes at a later point in time, which lends itself to a pass-the-hash attack. The only way to clear the LSA is to restart the Windows host.
Those are good general guidelines for protecting yourself against pass-the-hash attacks.
More specifically, here’s how our privileged identity management solution, RED Identity Management, helps you defeat pass-the-hash.
When RED Identity Management generates a random password, a FIPS 140-2 certified PRNG chooses from among 94 possible characters for each character position. The APIs and protocols used protect the password while in transit.
Once a generated password meets the constraints of the password policy (length, excluded characters, required characters, etc.), the password is then set on the target system. Then, the password is encrypted using the FIPS-certified AES-256 algorithm. That encrypted value is written to our product’s data store.
This process repeats for every system/account. At 15 characters, there are 94^15 – or more than 395 octillion (395,000,000,000,000,000,000,000,000,000) – possible password combinations. RED Identity Management’s password generator can set passwords up to 127 characters. Obviously, brute force attacks are out of the question.
Also, since each password is generated for each account on each host at run time, it is statistically improbable (to say the least) that any two accounts would ever have the same password. And because each account on each system would have a unique password, perpetrating pass-the-hash attacks becomes a non-issue for managed accounts.
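As an added example (not RED Identity Management’s code, and not from the original post), the script below does the two things the section above describes in generic form: it draws 15-character passwords from the 94 printable ASCII characters with a CSPRNG, rejecting candidates that miss a required class or contain an excluded one, and it checks an inventory for accounts that share a password, which is the condition that lets one stolen hash chain from host to host. The inventory values are constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# 94 printable ASCII characters: 52 letters, 10 digits, 32 punctuation marks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=15, required=(string.ascii_uppercase, string.ascii_lowercase,
                                           string.digits, string.punctuation), excluded=""):
    """Draw every position from the OS CSPRNG and reject any candidate that misses a
    required class. Rejection sampling keeps the distribution uniform over compliant
    passwords, unlike 'fix up' schemes that force a digit into a known position."""
    chars = [c for c in ALPHABET if c not in excluded]
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in required):
            return pw

def keyspace(length, alphabet_size=94):
    """Candidates an exhaustive brute-force attacker would have to cover."""
    return alphabet_size ** length

def rotate_all(accounts, length=15):
    """An independent password per (host, account) pair."""
    return {acct: generate_password(length) for acct in accounts}

def shared_passwords(inventory):
    """Group accounts that share a password value. Each group is a lateral-movement
    chain that a single stolen hash would unlock; an empty list means every account
    on every host is unique."""
    groups = defaultdict(list)
    for acct, pw in inventory.items():
        groups[pw].append(acct)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    # Constructed inventory: workstations cloned from one image still share a local admin password.
    legacy = {("ws01", "Administrator"): "Summer2017!",
              ("ws02", "Administrator"): "Summer2017!",
              ("srv01", "Administrator"): "S3rv3r!Pass"}
    print("shared before rotation:", shared_passwords(legacy))
    print("shared after rotation: ", shared_passwords(rotate_all(legacy)))
    print(f"94^15 = {keyspace(15):,}")
```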
Want to see it for yourself? Request a product demo.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.