Pass-the-Hash Attacks and How to Prevent Them in Windows Domains

In the movies, hackers typically enter a few keystrokes and gain access to entire networks in a matter of seconds. In the real world, however, attackers often start out with nothing more than a low-level user account and then work to gain the additional privileges that will let them take over the network.

One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack.

Behind the scenes of the password hash

In order to understand how a pass-the-hash attack works, you must first understand how password hashes are used.

When you set a password on a Windows system, the password itself is not stored. Instead, the operating system runs it through a one-way hash function and stores only the result. For local accounts that result is the NT hash (MD4 over the UTF-16LE encoding of the password), kept in the SAM database; for domain accounts the same NT hash is kept in NTDS.dit on the domain controllers.

When you log on locally, the authentication engine computes the same hash of the password you typed and compares it to the stored hash. If the two match, the password is assumed to be correct and access is granted. For a network logon with NTLM the client never sends the password, or even the hash: it answers a challenge from the server with a value derived from the NT hash, and the server (or the domain controller it forwards the exchange to) recomputes that answer from its stored copy of the hash and compares.

The important takeaway from this is that as far as the system is concerned, the hash is the password.

An attacker who wants to act as a user therefore does not need to know the user's password. Because the authentication protocol only ever consumes the hash, the hash is a password equivalent: anyone holding it can produce a valid NTLM response, and will keep being able to do so until the password is changed. From the attacker's perspective, having the password hash is the same as having the password.


What happens when the hash is compromised

As noted above, cyber criminals who want to take over a network typically use an ordinary user account as their initial point of entry. They might buy stolen credentials on the dark web, infect the user with password-stealing malware, phish the user, or use any number of other techniques to acquire a user's password.

Once the hacker has access to a low-level user’s password (the actual password, not the hash), their next priority is to log in as that user and then look for ways to elevate their permissions. This is where the pass-the-hash attack comes into play.

Pass-the-hash prevalence in Windows OS

Pass-the-hash attacks can be used against a variety of systems, but they most commonly target Windows. The reason is that a Windows machine holds, in the memory of the Local Security Authority Subsystem Service (LSASS), the NT hash of every account with an active interactive logon session, so that it can answer NTLM challenges on the user's behalf without asking for the password again. It does not matter whether the user logged on at the console or over RDP; both are interactive logons, and both leave the hash in LSASS for the life of the session (on older releases it could linger after logoff until the next reboot). Network logons, such as a user opening a file share, do not leave a hash on the target. Local accounts' hashes are additionally stored on disk in the SAM database.

When the attacker gains control of a system, they dump LSASS memory (which requires local administrator rights on that machine) and look for hashes of more privileged accounts, in the hope that an administrator has logged on there at some point. If none are present, they perform a hash spray: using the hashes they already hold, they authenticate with NTLM over the network (SMB, RPC/WMI, WinRM) to every other workstation on which those accounts have local administrator rights and extract the hashes from each of those machines in turn. A domain account that is a local administrator everywhere, or a local administrator password shared across workstations, makes this step trivial.

Eventually the attacker is likely to find a machine where an account with domain-level privileges has logged on and to capture its hash. That hash can then be used to authenticate to domain controllers, application servers, file servers, and other sensitive resources as that account.
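The spray described above is hard to see on any one machine, because a passed hash produces the same logon event as a legitimate NTLM logon. What does stand out, once the workstations' Security logs are collected centrally, is the shape of the activity. The following added example (not from the original article) applies two heuristics to Windows event 4624 records: one account authenticating with NTLM network logons (LogonType 3) to several peer workstations from one source address inside a short window, and a LogonType 9 "NewCredentials" logon through the `seclogo` logon process on the source host, which is what `runas /netonly` and Mimikatz-style credential injection both produce. The events are constructed for the example; the field names match the real event's EventData names, and the host names, account names, addresses and thresholds are made up.

```python
"""Heuristics for pass-the-hash lateral movement over 4624 logon events.
All events below are CONSTRUCTED for this example, not taken from a real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 records as a SIEM would hand them over (one dict per event).
# LogonType 2 = interactive, 3 = network, 9 = NewCredentials (runas /netonly, credential injection).
SAMPLE_EVENTS = [
    # Ordinary day: console logon, then a Kerberos network logon to the file server.
    {"Computer": "WS01", "TimeCreated": "2024-03-01T08:55:02", "TargetUserName": "alice",
     "LogonType": 2, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32", "IpAddress": "-"},
    {"Computer": "FS01", "TimeCreated": "2024-03-01T09:01:10", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "IpAddress": "10.0.1.21"},
    # Foothold WS07: a stolen hash injected into a new logon session while 'bob' is logged on.
    {"Computer": "WS07", "TimeCreated": "2024-03-01T09:12:40", "TargetUserName": "bob",
     "LogonType": 9, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo", "IpAddress": "-"},
] + [
    # The spray: the helpdesk account authenticates with NTLM to five workstations in four minutes.
    {"Computer": host, "TimeCreated": ts, "TargetUserName": "helpdesk-admin",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.1.77"}
    for host, ts in [("WS02", "2024-03-01T09:13:01"), ("WS03", "2024-03-01T09:13:30"),
                     ("WS04", "2024-03-01T09:14:12"), ("WS05", "2024-03-01T09:15:44"),
                     ("WS06", "2024-03-01T09:16:59")]
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def detect_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag (account, source IP) pairs whose NTLM network logons reach >= min_hosts distinct
    computers within `window`. Users rarely touch many peer workstations; a hash spray must."""
    by_key = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM" and e["IpAddress"] != "-":
            by_key[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):           # sliding window anchored on each event
            hosts = {x["Computer"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "source": src, "hosts": sorted(hosts),
                               "first_seen": first["TimeCreated"]})
                break                               # one alert per (account, source)
    return alerts


def detect_credential_injection(events):
    """4624 LogonType 9 through the 'seclogo' logon process on the SOURCE host. Both
    runas /netonly and credential-injection tools produce it, so baseline admin usage first."""
    return [{"host": e["Computer"], "user": e["TargetUserName"], "time": e["TimeCreated"]}
            for e in events if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"]


if __name__ == "__main__":
    for alert in detect_ntlm_fanout(SAMPLE_EVENTS):
        print("fan-out:", alert)
    for hit in detect_credential_injection(SAMPLE_EVENTS):
        print("credential injection:", hit)
```

Two caveats: the fan-out rule only sees NTLM, so an attacker who turns the hash into a Kerberos ticket (overpass-the-hash) needs a separate Kerberos-based rule, and the type 9 indicator is noisy in environments where administrators routinely use `runas /netonly`, so tune it against a baseline before alerting on it.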

Five steps to prevent a pass-the-hash attack in your network

Unfortunately, pass-the-hash attacks are difficult to detect, because an authentication performed with a stolen hash looks, to the target machine and to the domain controller, exactly like a legitimate NTLM logon. Prevention therefore matters more than detection. There are several things you can do to decrease the odds of a pass-the-hash attack succeeding.

  1. Never log into a workstation with a privileged account

    First and foremost, never log on to an ordinary workstation with a privileged account, and that includes RDP sessions: an interactive or RDP logon leaves the account's hash in that workstation's LSASS. Set up dedicated management workstations that have been hardened against attack (Microsoft calls them privileged access workstations, or PAWs) and perform privileged operations solely from those. Enforce the rule rather than relying on habit: apply the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights to your administrative groups on all ordinary workstations, and put the most sensitive accounts in the Protected Users group, whose members cannot authenticate with NTLM at all, so a stolen hash of such an account cannot be passed.

  2. Enable Windows Defender Credential Guard

    Windows 10 and 11 (Enterprise and Education editions) and Windows Server 2016 and later include Windows Defender Credential Guard. When it is enabled, the secrets that LSASS would otherwise keep in its own memory, NTLM hashes and Kerberos ticket-granting tickets among them, are held instead by an isolated process (LSAIso) running under virtualization-based security, so dumping LSASS memory no longer yields usable hashes even with SYSTEM rights. It requires UEFI with Secure Boot and hardware virtualization support, and it does not protect local accounts stored in the SAM, so local administrator passwords still need to be unique per machine (LAPS does this). Since Windows 11 22H2, Enterprise and Education editions turn it on by default on qualifying hardware; on other builds, confirm its status under "Virtualization-based security Services Running" in msinfo32.

  3. Apply the Principle of Least User Access

    The main idea behind Least User Access is that users should not have any permissions beyond those specifically required to do their jobs. In the pass-the-hash context the most important case is local administrator rights: no domain account should be a local administrator on every workstation, because once such an account's hash is dumped from a single machine it opens all the others. Least User Access will not prevent a pass-the-hash attack, but it limits the damage if an attacker does compromise one or more accounts.

  4. Use Firewalls to Block Unnecessary Traffic

    End user devices need to reach domain controllers, file servers, and other line-of-business systems, but it is rare for one workstation to need to talk to another. Use the host firewall (Windows Defender Firewall, pushed out by Group Policy) to block inbound SMB (TCP 445), RPC (TCP 135 and the dynamic range), RDP (TCP 3389) and WinRM (TCP 5985/5986) from other workstations, allowing them only from the management workstations and servers that genuinely need them. These are exactly the channels a passed hash is used over, so blocking workstation-to-workstation traffic removes most of the lateral movement a pass-the-hash campaign depends on.

  5. Use Specops Password Auditor to Assess Your Password Health

    Before an attacker can initiate a pass-the-hash attack, they require an initial point of entry. This usually comes in the form of stolen credentials. A free tool called Specops Password Auditor can help you to identify at-risk accounts before they are compromised.

Specops Password Auditor not only verifies that users' passwords comply with industry standards for secure passwords, it can also compare them against a list of passwords that are known to have been compromised. That way, you can force a password change before such an account can be exploited.

Sponsored by Specops

