Home Datacenter Pass The Hash (No Really Don’t)

Pass The Hash (No Really Don’t)

by Philip Sellers

IMG_8237I attended TechEd 2014 back in May of this year and there was one session that I wanted to share called “TWC: Pass-the-Hash and Credential Theft Mitigation Architectures”. The part from the session that I wanted to focus on was regarding administrative privileges. Credential theft has become a serious problem in today’s world where everyone is doing business online. While the internet has allowed us the ability to be more connected it also puts us at the risk of becoming a victim of cybercrime.

Being an administrator in today’s corporate world you have to make sure that you are doing everything you can to protect your company’s digital assets. You have to defend against every possible intrusion while an attacker only has to be successful at finding a vulnerability one time. The TechEd session provided some good ways of how you can lower your chance of becoming a victim of credential theft.

First, let me give you some background on what Pass-The-Hash is about. The “Pass-the-Hash” phrase comes from the ability to steal a password hash and reuse it to connect to other computers. A hash is created based off your password and is used for authenticating you across the network. It will only change when you change your password. The password hash gets stored in memory and allows you to access other resources on the network without having to type in your credentials every time. If someone is able to obtain this hash then they can potentially authenticate as you.

This becomes extremely dangerous when we are talking about local or domain administrator accounts. If you use the same password for the local administrator account on all your computers then an attacker only has to steal the password hash one time and can then use it to access other computers on the network. A password hash can only be used for a network login. It will not work for an interactive login.

In order for an attacker to steal your password hash using the Pass-The-Hash method, they will have to gain local administrative rights on your computer. If they cannot gain administrator equivalent access then they will not be able use this technique. You should use the method of least privilege and never allow users to have administrative rights if possible. A user can be easily tricked into downloading a piece of malware that can allow an attacker to have access to your network. A domain admin account should never log into a standard workstation that accesses the internet or email. If your domain administrator credentials are captured then you have given the attacker the keys to the kingdom. Don’t make it easier for someone to take control over your network.

Removing admin rights can be a challenging task within a corporate environment. Users most of the time think that you do not trust them or that you are trying to exercise your power. Corporate politics can also sometimes influence security decisions. It is our duty as systems administrators to make our users and management understand the importance of restricting administrative rights. You might not be the most liked person but it is better to know that you are doing what is needed to protect your company or organization.

The presentation broke down computers and accounts into three different tiers. You have Tier 0 at the top which would be your core servers like domain controllers and domain admin accounts. This would be the most restrictive tier. Tier 1 would be your application servers and contain your server admin user accounts. Finally, Tier 2 would be your workstations and users that have access to internet and e-mail. You should never login with an account on a lower tier that has access to a higher tier. For example, an account with access to servers or domain controllers should not login to a workstation that has access to the internet. Microsoft also recommends having separate admin workstations that do not access the internet or e-mail for your domain admin account. This will help prevent your admin machine from becoming compromised.

Microsoft has created a document that discusses credential theft using Pass-The-Hash and ways to mitigate it. Please visit the links below to see more detail since I will not be able to cover everything from the presentation and whitepapers. It is well worth the time to learn more about this problem and ways to address it. They also mentioned in the presentation that this is not a flaw or vulnerability that can be addressed with a patch. Most operating systems rely on password hashes and we as administrators must take the steps to make them as secure as possible.

Link to the presentation:

Link to document discussing Pass-the-Hash attacks:

You may also like