Please Don't Pass the Hash - You'll Sleep Better!

There's a lot of talk about "pass-the-hash" (PtH) attacks going on. Just type "pass the hash attack" into Google and start exploring - you'll get your fill quickly. Let's start with a quick synopsis of PtH from Wikipedia's definition:

Any system using LM or NTLM authentication in combination with any protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack. The exploit is very difficult to defend against, because there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate their privileges and then carry out the hash harvesting that facilitates the attack. Furthermore, it may only require one machine in a Windows domain to not be configured correctly or be missing a security patch for an attacker to find a way in. A wide range of penetration testing tools are furthermore available to automate the process of discovering a weakness on a machine.

There is no single defense against the technique, so standard defense in depth practices apply - for example use of firewalls, intrusion prevention systems, 802.1x authentication, IPsec, antivirus software, full disk encryption, reducing the number of people with elevated privileges, pro-active security patching etc. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. Allowing domain administrators to log into systems that may be compromised or untrusted will create a scenario where the administrators' hashes become the targets of attackers; limiting domain administrator logons to trusted domain controllers can therefore limit the opportunities for an attacker. The principle of least privilege suggests that a least user access (LUA) approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand. Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. Limiting the scope of debug privileges on system may frustrate some attacks that inject code or steal hashes from the memory of sensitive processes.

As stated in the Wikipedia definition there is no single defense against this technique. Furthermore, if you are familiar with defense in depth practices there are a number of things that you, Mr./Ms. IAM Guru, may not have control over like firewalls, intrusion prevention systems, etc. If we assume you have some control over identity and management what can you do to help prevent PtH attacks?

One thing I would like to emphasize is that it is not possible to protect yourself 100% from this or any other type of attack, so don't get wrapped around the axle too much about this. If you really need 100% protection the best thing to do is disconnect from the Internet and not allow employees to take their laptops home or on the road - right, fat chance. There are, however, a number of basic things that you can do to better protect yourself. Additionally, there are software solutions that can also help. Microsoft has published a number of documents about pass the hash that are worthwhile reading, including "Pass-the-Hash and Other Credential Theft" and "New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks". A few of the most basic things you can do to protect yourself include:

  1. Never include your normal work account in a privileged group. If you need to do something that requires elevated domain privileges, log off and log on to your administrative account. This helps to segregate your work and privileged duties so that if you are subjected to a phishing scheme or some other compromise, it is more likely to happen on your non-privileged or work account.
  2. Use a different, more secure machine for privileged domain operations. Lock down a different machine, make sure it is running the latest OS with all appropriate patches, apply stricter and stronger security policies to it, connect it to your network via an ethernet cable versus WiFi, etc. This way when you need to use those privileges you are doing so on a much more secure machine.
  3. Always use a password of 15 characters or greater for your privileged accounts. The LMHash is very weak compared to other hashes. By using a 15 character or greater password you prevent the storing of the LMHash. It's good practice anyway to have a longer password for a more privileged account. Change it frequently. If you haven't implemented the "NoLMHash" Group Policy now is the time to do that! Here's a pointer to more information on that: https://support.microsoft.com/en-us/help/299656/how-to-prevent-windows-from-storing-a-lan-manager-hash-of-your-password-in-active-directory-and-local-sam-databases
  4. A vector that is frequently used by attackers to compromise a system is e-mail. Make sure your administrative accounts do not have Exchange or e-mail access. This further reinforces the need for #2 above - use a different machine for privileged operations.
  5. Make sure your local Guest and local Administrator accounts are disabled.
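
A read-only audit of items 1, 3, 4 and 5 above, as an added example that is not part of the original post or any product it mentions. It assumes Windows PowerShell 5.1 or later, the RSAT ActiveDirectory module for the domain part, "Domain Admins" as the privileged group to inspect, and a populated `mail` attribute as a rough proxy for an account having e-mail access.

```powershell
# Added example: reports PASS/FAIL only, changes nothing on the system.

# Item 3: NoLMHash = 1 stops Windows from storing an LM hash.
# Existing LM hashes remain until each account's next password change.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NoLMHash -ErrorAction SilentlyContinue
[pscustomobject]@{
    Check  = 'NoLMHash policy enabled'
    Target = $env:COMPUTERNAME
    Pass   = ($null -ne $lsa -and $lsa.NoLMHash -eq 1)
}

# Item 5: built-in Administrator (RID 500) and Guest (RID 501) should be disabled.
# Matching on the RID still finds the accounts after they have been renamed.
Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | ForEach-Object {
    [pscustomobject]@{
        Check  = 'Built-in local account disabled'
        Target = $_.Name
        Pass   = -not $_.Enabled
    }
}

# Items 1 and 4: every member of the privileged group should be a dedicated
# admin account with no mailbox. PasswordLastSet is shown so stale passwords
# (item 3, "change it frequently") stand out during review.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $group = 'Domain Admins'   # assumption: adjust to the groups you treat as privileged
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                Check  = "$group member has no mail attribute"
                Target = "$($_.SamAccountName) (password set: $($_.PasswordLastSet))"
                Pass   = [string]::IsNullOrEmpty($_.mail)
            }
        }
} else {
    Write-Warning 'ActiveDirectory module not found; skipping privileged group checks.'
}
```

Any row with `Pass` set to `False` in the group check is either a day-to-day work account holding privileged membership or an admin account that can receive e-mail, and deserves a manual look.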

We developed our Privilege Safe solution to help our customers protect sensitive administrative credentials, including those for Windows. Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance that can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities. One of the additional features we have just added to this product is the ability to disable privileged accounts when they are not in use by an authorized individual. Not only do we randomize the password as it is checked in, but we also disable the account to further prevent unauthorized access while the privileged credentials are not in use.

Like most things related to security, you have to trade off some convenience for better peace of mind. There's lots of great information at Microsoft's web site on protecting yourself from pass-the-hash attacks that you should familiarize yourself with. In addition, Dell's Privileged Password Manager can add an extra layer of protection to your environment.

Interested in learning more about pass-the-hash and the steps to mitigate it? Join Randy Franklin Smith for a one hour webcast where he will decrypt some of the "hash" in the pass-the-hash topic. Register today.

 
