
UNDERSTANDING THE FEASIBILITY OF PASS-THE-HASH

Joel See Wei Shing¹, Koh Chuen Hoe²

¹ Anglo-Chinese School (Independent), 121 Dover Road, Singapore 139650

² DSO National Laboratories, 14 Science Park Drive, Singapore 118226

___________________________________________________________________________

ABSTRACT

This research seeks to understand how Pass-the-hash is still being used to exploit victims despite technological advances in NTLM hashes and SMB protocols. The research will first examine how logon processes work under a local domain and show how users may be exploited from the data picked up by Wireshark. It will then examine how communication between client and server works and the possible vulnerabilities of this communication. The research will also explore how lateral movement works when a hacker compromises one system. Man-in-the-middle attacks will be briefly discussed with the data and logs that we get. Ultimately, the research will analyse current-day communications security and also discuss how one can best defend against possible attacks.

INTRODUCTION

Pass-the-hash (PTH) is a technique commonly used by penetration testers and hackers to gain access to resources or to move laterally in a Windows network. However, this appears to have become more difficult in recent years with newer versions of Windows. In this project, we study NTLM in greater detail, the mechanics of the PTH attack, and the feasibility of a PTH attack on the logon mechanism. Due to time constraints, this study is limited to Windows Workgroups, which are common in small and home networks. Other possible attacks on the logon mechanism are also discussed.

The Pass-the-hash¹ technique has been around for 15 years and is still being used in today's context.

Why is it still being used despite the changes in protocol schemes? NTLMv1 has been upgraded to NTLMv2; the protocols are still founded on the same basis (in this case the challenge-response scheme), but NTLMv2² differs from its predecessor in that the length of its challenge-response field may be larger than 24 bytes and is variable (as it is longer, it takes longer to brute force and hence is indirectly stronger). However, the protocols are still susceptible to Pass-the-hash since they are founded on the same basis. The hash can still be taken and given to the server; the concept of supplying the hash without needing to find its plaintext still exists. The idea of a challenge-response scheme is not a bad one; however, it seems that stealing the key has become so easy that it can no longer be assumed that the one who holds the key is entitled to the information.

Hence, pass-the-hash is still being substantially used, and this paper seeks to understand why it works, under what conditions it will work, how it works, and what its limitations are. The paper will also explore other hacking techniques used alongside pass-the-hash, ultimately showing why pass-the-hash will work on an unsuspecting victim.

1 A pass-the-hash attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

2 http://blogs.msdn.com/b/openspecification/archive/2010/05/03/ntlm-v1-no-excuse-me-ntlm-v2-oh-no-you-were-right-it-s-v1.aspx

To ensure that real computers are not affected, virtual machines³ are used as a substitute throughout the paper. The paper will explore pass-the-hash under the conditions of a local area network⁴. This means that the virtual machines used in this set-up are connected to the same network and are able to communicate with each other, and the entire process can be picked up by Wireshark⁵. The lab set-up allows NTLM to be investigated in extensive detail and shows how an attacker can launch a PTH attack on a Windows network, as mentioned earlier and later.

What is pass-the-hash (PtH)?

What does the hashing⁶ function do to begin with? It converts the plaintext of user input into ciphertext form. It is a one-way function that is difficult or practically impossible to undo. The idea, of course, is to tackle the fact that readable passwords, if stored in the computer, would be easy to pick up and reproduce to gain computer access. The hash acts as an identification for the user: if the user enters the right password, which then yields a hash that matches the one stored in the computer, he gains access to the information. It will be shown later that this concept is fundamentally flawed, as the person with the password need not necessarily be the original user himself, and the hash by itself does not serve as an identification of the user.

As explained earlier, it is practically impossible to undo the one-way hashing function, and as such, cracking a hash would take a long time. Instead of adding more time by trying to crack the hash, why not just supply the hash directly? Hence, PtH uses the idea of supplying the hash directly to gain access to the computer. The major assumption for the PtH attack to take place is that the attacker already has access to the hashes of the user. This could be done by running the Windows Credentials Editor (WCE), which is explained in later sections of the paper.

3 Installed on software which imitates dedicated hardware. The end user has the same experience on a virtual machine as they would have on dedicated hardware.

4 A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link to a server. Typically, a LAN encompasses computers and peripherals connected to a server within a small geographic area such as an office building or home. Computers and other mobile devices can share resources such as a printer or network storage.

5 Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.

6 Computers. a technique for locating data in a file by applying a transformation, usually arithmetic, to a key. - http://dictionary.reference.com/browse/hashing


Network set-up

Figure 1: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Dissecting-Pass-Hash-Attack.html

Pass-the-hash is a technique performed over the network and does not require the hacker to be physically present. Since it is done over the network, what passes from the client to the server needs to be understood. The paper will use the evidence provided by the data gathered by Wireshark. From the data presented, it will seek to understand the exchange and, from the perspective of a hacker, find alternative hacking methods to explore vulnerabilities in the challenge-response scheme that will work when coupled with the pass-the-hash method. It will then come to a reasonable conclusion on the feasibility of pass-the-hash, hopefully finding an answer to a very real problem of today.

[Diagram: Attacker (Kali Linux) and Victim (Windows 7 SP1). 1. Send over payload; 2. Forces victim to connect to attacker; 3. Connection established.]

The paper will also mention NTLM on countless occasions. Hence, it is necessary to explain how NTLM hashes are used in local login processes. The login process follows exactly as the diagram depicts. Some messages are transacted behind the scenes. As explained in the diagram, the user's password is not sent in plaintext but rather in hash form, which the server (an internal one, within the computer) checks against before granting access to the user if the user supplies the correct password.


How pass-the-hash would hypothetically work under local domain conditions

Since the computers of the victim and the attacker are under the same network, they are able to ping each other and hence communicate. As such, given the right NTLM hash and username, the attacker need not be physically present at the victim's computer and yet would still be able to access the critical data of the victim.

Figure 2: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Dissecting-Pass-Hash-Attack.html

Since the victim's computer also acts as the server, and since the attacker is in the same domain, the two conditions for the attacker to connect to the victim are fulfilled and hence the attacker is able to log on to the victim's computer.

The assumption we are making is that the attacker already has the victim's hash at hand, obtained using programs such as Cain and Abel to perform a man-in-the-middle attack. Only with the hash will the process illustrated in the diagram above take place successfully.

Using Kali Linux, the attacker is able to use a reverse_tcp payload to force the victim to connect back to the attacker, which will inevitably give the attacker a shell. This allows the attacker to gain critical information and control over the victim's computer. Pass-the-hash works effectively here because the attacker supplies the username and the hashed form of the password, which saves time, as a lot of time would be required to compare the given hash with a rainbow table (discussed below).

LOCAL DOMAIN

We first explore the use of pass-the-hash in the local domain, when the computer is not connected to any domain. The attacker uses a reverse_tcp attack to force a user to connect back to his machine, thereby giving him a shell and enabling him to work through the network from there.

First, he creates the executable payload to send to his victim.


The attacker chooses his own IP address for the victim to connect back to and chooses which port the victim will listen to. He also chooses the name of the executable file to trick the user into opening the executable.

To further add to the supposed "credibility", the attacker uses the sendemail function of Metasploit to make the email he sends seem legitimate and trustworthy.

Figure 3: https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/

Of course, prior to sending the email, the hacker would first get vital information from earlier emails to source the email addresses of the relevant people, so that the user will be more inclined to open the exploit.

The executable is now running on the victim's computer, and the attacker simply has to open the ports on his end and initiate the exploit.


Metasploit attempts to connect to the user "jo" and successfully does so.

Here we simply type shell to gain command prompt access to the user account "jo".

All the while, we were running Wireshark in the background to capture the encrypted communication packets, to see whether we could angle our other attacks in the future by understanding the communication process and thus have some possibility of hacking purely without social engineering.


We get about 1600 entries from one scan. We narrow the results purely to SMB by filtering the session.

Here, we particularly analyse the negotiate-challenge-authenticate process to better understand what occurs during the logon process.

NEGOTIATE

In the negotiate stage, we observe no important information being transmitted, as expected, since the attacker is requesting to log on to the victim.

One key thing to note is that we confirm the attacker will enter by means of NTLM negotiation. This begs the question: if we supply purely the NTLM hashes, would we be able to access the victim's computer the same way?

THE MAJOR ASSUMPTION

Recalling the assumption that the hacker already possesses the hash of the user, we are reminded that while hashes cannot be obtained by sniffing the network, hashes can be extracted from memory. If a host is compromised and the attacker gains a shell, tools like WCE may be run to extract hashes from memory.

Figure 4: http://2.bp.blogspot.com/-ELtwDqUinxs/TvR3e_QuuaI/AAAAAAAAAWY/Qxfiv-lSJRY/s1600/01_logon_sessions_wce_dump.PNG

Above is a clear example of how running WCE will yield the hashed passwords. However, suppose that the computer prevents the storing of hash values, as in the case of Figure 5; then "solving" the hash value might prove a good alternative method. This leads us to the rainbow table.

Figure 5: https://blogs.sans.org/computer-forensics/files/2012/02/Blog2-IMAGE-3.png


RAINBOW TABLE

Many novice hackers will not understand what NTLM hashes are and what their purposes are. Usually, software like ophcrack and Kon-Boot is able to sieve out NTLM hashes from the computer. This is done by placing the software on a USB stick and then going into the computer's BIOS to change the boot priority to the USB drive first. The NTLM hashes sieved out may seem useless to the novice hacker, who will then attempt to change the NTLM hashes into plaintext form. However, there is no known way of inverting the hashing function, and hence people have created the rainbow table, where a password is keyed in and the resulting hash is placed in the table. Some hash crackers available online include

https://hashkiller.co.uk/ntlm-decrypter.aspx

http://www.tobtu.com/lmntlm.php

Tobtu does the forward hashing function for us, while hashkiller searches the rainbow tables to find the corresponding plaintext password.

CHALLENGE

Having deviated slightly, we now return to the authentication process. What is interesting here is that we start seeing important information like the challenge the user sends to the attacker, and the domain and computer name (which are the same, as we are working under a local domain).


This brings to mind the possibility of replicating the logon process artificially. Previously, this log was generated by a "legitimate" logon, with the attacker supplying the correct username and password. Now that we know the username can be easily sniffed out, is it possible that we understand the challenge-response sequence and thereby break it? We must first confirm whether the NTLM hash is of any use and whether it can be used directly to access the user's computer.

The screenshot below shows that we are able to use the NTLM hash directly in accessing the user's account, and a rainbow table is unnecessary.

Regardless of the violation error, we are still able to gain a shell on the user's computer.


AUTHENTICATION

Analysing the packets, we see the differences in the authentication process, and this sheds more light on the strength of the negotiate-challenge-authenticate scheme.

We see that in the authentication packet, not only does the whole scheme require the client to answer the challenge, it also requires the server to respond to the client's challenge, as seen above.

POSSIBLE ATTACKS

Replay attack

A possible attack that a hacker can use against client-server authentication is resending the same packet a client sends to the server after answering the challenge. The replay attack, as the name suggests, aims at repeating the process. So how does the client-server authentication sequence counter this? From the observation of a few different challenge packets, we see that the server sends a different server challenge per request by the client. This hence prevents the replay attack from being performed.
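The per-request server challenge described above, as an added example that is not code from the paper: a toy server that issues a fresh 8-byte challenge for every request and refuses to accept one twice, with the client's answer computed as an NTLMv2-style HMAC-MD5 proof. The user "jo", the domain WORKGROUP, the NT hash and the client blob (a simplified form of the NTLMv2 one, without AV pairs) are constructed values.

```python
import hashlib
import hmac
import os
import struct
import time


def response_key_nt(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 ResponseKeyNT: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_blob(client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 'temp' blob: version bytes, FILETIME timestamp, client nonce (no AV pairs)."""
    filetime = int((time.time() + 11644473600) * 10_000_000)  # 100 ns ticks since 1601-01-01
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_nonce + b"\x00" * 4


def nt_proof(response_key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over server challenge || blob. Anyone holding the NT hash can compute it."""
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


class Server:
    """Stand-in for the server side of negotiate / challenge / authenticate."""

    def __init__(self, accounts: dict):
        self.accounts = accounts      # user -> stored NT hash
        self.outstanding = set()      # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = os.urandom(8)             # a fresh 8-byte challenge for every request
        self.outstanding.add(c)
        return c

    def authenticate(self, user, domain, server_challenge, blob, proof) -> bool:
        # An unknown or already-consumed challenge means a replayed AUTHENTICATE message: reject.
        if server_challenge not in self.outstanding or user not in self.accounts:
            return False
        self.outstanding.discard(server_challenge)   # one-time use
        key = response_key_nt(self.accounts[user], user, domain)
        return hmac.compare_digest(nt_proof(key, server_challenge, blob), proof)


def run_scenarios(nt_hash: bytes, user: str = "jo", domain: str = "WORKGROUP"):
    """Returns (legit_ok, replay_ok, pth_ok) for one constructed account."""
    server = Server({user: nt_hash})
    # 1. Legitimate logon; assume an attacker sniffs every field on the wire.
    chal = server.challenge()
    blob = client_blob(os.urandom(8))
    proof = nt_proof(response_key_nt(nt_hash, user, domain), chal, blob)
    legit_ok = server.authenticate(user, domain, chal, blob, proof)
    # 2. Replay: the same sniffed (challenge, blob, proof) tuple presented again.
    replay_ok = server.authenticate(user, domain, chal, blob, proof)
    # 3. Pass-the-hash: a party that never learned the password, only nt_hash,
    #    answers a brand-new challenge exactly as the real client would.
    chal2 = server.challenge()
    blob2 = client_blob(os.urandom(8))
    proof2 = nt_proof(response_key_nt(nt_hash, user, domain), chal2, blob2)
    pth_ok = server.authenticate(user, domain, chal2, blob2, proof2)
    return legit_ok, replay_ok, pth_ok


if __name__ == "__main__":
    # Constructed sample NT hash (16 bytes, not any real user's).
    SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(run_scenarios(SAMPLE_NT_HASH))  # (True, False, True)
```

The third result is the paper's thesis in miniature: the per-request challenge stops replay, but a party holding only the NT hash answers a fresh challenge as well as the real client does, so the hash needs the same protection as the password.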

Spoofing

This brings us to the next attack: now that the replay attack is ruled out, IP address spoofing comes to mind. The process by which IP address spoofing works is as follows.

Figure 6: http://img.wonderhowto.com/img/58/58/63505149684180/0/become-elite-hacker-part-2-spoofing-cookies-hack-facebook-sessions.w654.jpg

In this diagram, the attacker acts as both the client and the server. When the victim wishes to establish a normal connection, it sends a request. The request then causes the server to send a challenge to the victim. The victim answers the challenge and the attacker intercepts this packet. The attacker then sends the packet to the server and hence gains access. This is a seemingly easy way to break the authentication scheme, so how does the scheme counter this? By using signatures, of course: this ensures that the packet being sent to the server is indeed coming from the original client.

We look back at the logs and we observe:

Clearly, no signatures are required, and this is most probably because this is an attacker connecting to a client, and not the client connecting to the server scenario. Thus, for this scenario, we can conclude that spoofing might work.

CONCLUSION

In conclusion, we see that the NTLM hashes are never explicitly shown in the packets, and hence pass-the-hash cannot work as simply as suggested. However, there are loopholes in the client-server authentication scheme, as having no signatures could allow a possible spoofing attack. Furthermore, the encrypted NTLM can be broken by brute force.


Figure 7: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

As seen above, the challenge response can be broken up into 3 DES keys, each 7bit long. Together they make up 21bits; these keys are made from the 16bit MD4 password hash. This leaves the last 5bits of the last DES key as 0, making the last DES key effectively 2bit and hence easy to brute force. Hence, we're only truly left with 14bit of DES keys to crack.
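The forward hashing and table lookup from the RAINBOW TABLE section, and the three-DES-key split described above, as an added example that is not code from the paper or from the tools it names: MD4 is implemented inline (so no legacy OpenSSL provider is needed), and the sizes follow the NTLMv1/MS-CHAPv2 construction in bytes, that is a 16-byte NT hash, a 5-byte zero pad and three 7-byte DES keys. The candidate wordlist and the password "password" are constructed sample values.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out in full so the example runs on any Python build."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zero bytes up to 56 mod 64, then the bit length as a 64-bit little-endian word.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Per round: boolean function, additive constant, shift table, message-word order.
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le"))


def build_lookup_table(candidates):
    """The forward direction (what the paper attributes to tobtu): hash every candidate once.
    A rainbow table is a space-compressed form of exactly this precomputed mapping."""
    return {nt_hash(p).hex(): p for p in candidates}


def recover_password(table, target_hex):
    """The reverse direction (what the paper attributes to hashkiller): look the hash up.
    None means the password was never in the table; because the hash is unsalted, the
    same table answers for every user who chose that password."""
    return table.get(target_hex.lower())


def ntlmv1_des_keys(nt: bytes):
    """NTLMv1 / MS-CHAPv2 response construction: the 16-byte NT hash is padded with five
    zero bytes and the 21 bytes are split into three 7-byte DES keys, each of which
    encrypts the same 8-byte server challenge."""
    padded = nt + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


def effective_key_bits(key_index: int) -> int:
    """Bits an attacker must actually search for DES key 0, 1 or 2. Keys 0 and 1 are full
    7-byte keys; key 2 ends in five fixed zero bytes, leaving only two unknown bytes."""
    unknown_bytes = 7 - (5 if key_index == 2 else 0)
    return 8 * unknown_bytes


if __name__ == "__main__":
    # Constructed sample values standing in for a real wordlist and a dumped hash.
    table = build_lookup_table(["letmein", "password", "Winter2015"])
    dumped = nt_hash("password").hex()
    print("NT hash of 'password':", dumped)  # 8846f7eaee8fb117ad06bdd830b7586c
    print("lookup table recovers:", recover_password(table, dumped))
    for idx, key in enumerate(ntlmv1_des_keys(bytes.fromhex(dumped))):
        print(f"DES key {idx}: {key.hex()}  search space 2^{effective_key_bits(idx)}")
```

Key 2 falls to at most 2^16 DES trials, and because all three keys encrypt the same challenge the other two can be found in a single 2^56 pass, which is the Cloudcracker result the paper cites; a longer password does not change these numbers, only retiring NTLMv1 does.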

Hence we can see that NTLMv1 is vulnerable to brute force attack due to its flaws. However, it must also be noted that the NTLM hashes are not explicitly shown, the challenges are not repeated, and the packets may require a signature; these factors add to the strength of the scheme, and hence pass-the-hash will not work as easily as imagined.

Under WORKGROUP settings, minimal difficulties were faced and PTH would be relatively easy to perform, provided the registry of the computer has not been tampered with. However, it is expected that under server settings, the domain controller may limit users to basic functions in light of the security issues of giving users too much privilege. A comprehensive list of mitigations, especially in domain settings, has been released by Microsoft⁷.

7 https://www.microsoft.com/en-sg/download/details.aspx?id=36036


REFERENCES

1. Cloudcracker.com, (2015). Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate. [online] Available at: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ [Accessed 8 Dec. 2015].

2. Microsoft.com, (2015). Managing Risk. [online] Available at: http://www.microsoft.com/security/sir/strategy/default.aspx#!password_hashes [Accessed 8 Dec. 2015].

3. Offensive-security.com, (2015). Client Side Exploits - Metasploit Unleashed. [online] Available at: https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/ [Accessed 8 Dec. 2015].

4. SANS Institute InfoSec Reading Room, (2015). Pass-the-hash attacks: Tools and Mitigation. [online] Available at: https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283 [Accessed 8 Dec. 2015].

5. WindowSecurity.com, (2010). Dissecting the Pass the Hash Attack. [online] Available at: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Dissecting-Pass-Hash-Attack.html [Accessed 8 Dec. 2015].

6. WindowSecurity.com, (2010). How I Cracked your Windows Password (Part 2). [online] Available at: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/How-Cracked-Windows-Password-Part2.html [Accessed 8 Dec. 2015].

7. Dictionary.com, (2016). the definition of hashing. [online] Available at: http://dictionary.reference.com/browse/hashing [Accessed 7 Jan. 2016].

8. SANS Digital Forensics and Incident Response Blog, (2016). Protection against PtH. [image] Available at: https://blogs.sans.org/computer-forensics/files/2012/02/Blog2-IMAGE-3.png [Accessed 7 Jan. 2016].

9. SearchNetworking, (2016). What is local area network (LAN)? - Definition from WhatIs.com. [online] Available at: http://searchnetworking.techtarget.com/definition/local-area-network-LAN [Accessed 7 Jan. 2016].

10. SearchSecurity, (2016). What is pass the hash attack? - Definition from WhatIs.com. [online] Available at: http://searchsecurity.techtarget.com/definition/pass-the-hash-attack [Accessed 7 Jan. 2016].

11. SearchServerVirtualization, (2016). What is virtual machine? - Definition from WhatIs.com. [online] Available at: http://searchservervirtualization.techtarget.com/definition/virtual-machine [Accessed 7 Jan. 2016].

12. WCE Dump. (2016). [image] Available at: http://2.bp.blogspot.com/-ELtwDqUinxs/TvR3e_QuuaI/AAAAAAAAAWY/Qxfiv-lSJRY/s1600/01_logon_sessions_wce_dump.PNG [Accessed 7 Jan. 2016].

13. Wireshark.org, (2016). Chapter 1. Introduction. [online] Available at: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs [Accessed 7 Jan. 2016].

14. Microsoft.com, (2015). Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. [online] Available at: https://www.microsoft.com/en-sg/download/details.aspx?id=36036 [Accessed 8 Dec. 2015].