A very dangerous attack that is effective in gaining full admin access to a network is called “Pass the Hash”. Commonly, a user logs into a system with their username and password. Pass the Hash (aka PtH) works by taking the password’s hash and passing it to a system as is, without even knowing the password (or needing).
The attack works by taking control of a workstation or server and installing software that waits for an admin to logon. Once an admin logs on, the hash can be extracted from LSASS (the Local Security SubSystem) and used to logon to a higher level system until eventually the attacker can gain access to a Domain Controller with Domain Admin rights. At that point, it’s “Game Over” for the Active Directory environment since the attacker has full rights to the domain (and eventually the forest).
Pass the Hash Mitigation Techniques:
- Implement policy and technical measures to ensure Domain Admins only logon to writable Domain Controllers and dedicated Admin Servers (that only Domain Admin level personnel administer).
- Implement policy and technical measures to ensure Domain Admins never logon to workstations.
- Implement policy and technical measures to ensure Server Admins only logon to servers under their control.
- Understand that Domains in an Active Directory forest are NOT security boundaries. It is possible to escalate from Domain Admin rights in one domain to Enterprise Admin (Domain Admin in every domain in the forest). Use separate forests to protect accounts, not by separating domains in the forest.
- Leverage the Windows Firewall to limit communication between systems on a network to minimize the chance of a hash being captured on a workstation and used on a server (or DC).
- Pass the Hash Attack (Wikipedia)
- SANS Whitepaper: Pass the hash attacks: Tools and Mitigation
- Why Crack When You Can Pass the Hash? (GIAC)
- Dissecting the Pass the Hash Attack
- New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash
- Microsoft Presentation on Pass The Hash