Name Use of Captured Hashes (Pass The Hash)
Summary An adversary uses stolen hash values for a user's credentials (username and password) to access systems managed under the same credential framework that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, the plaintext credentials behind the hashed credentials are not required for successful authentication. Therefore, if an adversary can obtain the hashed credentials of a user, they can pass these hash values to the server or service to authenticate without needing to brute-force the hashes to obtain their cleartext values. The adversary can then impersonate the user and laterally move within the network. This technique can be performed against any operating system which leverages the LM or NTLM protocols.
Prerequisites The adversary needs to first obtain the hashed credentials of a user, via the use of a tool, prior to executing this attack. The victim system must allow Lan Man or NT Lan Man authentication.
Solutions Prevent the use of Lan Man and NT Lan Man authentication on servers and apply patch KB2871997 to Windows 7 and higher systems. Monitor system and domain logs for abnormal credential access. Leverage system penetration testing and other defense-in-depth methods to determine vulnerable systems within a domain.
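A defender-side audit of the mitigations listed above, added here as an example and not taken from the CAPEC entry; it assumes the standard Lsa registry key, the built-in Get-HotFix and Get-CimInstance cmdlets, and that it is run locally on the server being checked.

```powershell
# Added example (not part of the CAPEC entry): audit one Windows host for the
# LM/NTLM hardening and the KB2871997 patch named in the Solutions section.
function Test-PassTheHashMitigations {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # LmCompatibilityLevel selects which challenge/response protocols are sent
    # and accepted. 5 = send NTLMv2 only and refuse LM and NTLM. If the value is
    # absent the OS default applies, which still accepts LM/NTLM from clients,
    # so treat a missing value as a finding too.
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level -or $level -lt 5) {
        $findings += "LmCompatibilityLevel is '$level' (expected 5: NTLMv2 only, refuse LM and NTLM)"
    }

    # NoLMHash = 1 stops the weak LM hash from being stored at the next password
    # change, so there is no LM hash left on the host for an attacker to capture.
    $noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash `
             -ErrorAction SilentlyContinue).NoLMHash
    if ($noLm -ne 1) {
        $findings += "NoLMHash is '$noLm' (expected 1)"
    }

    # KB2871997 backports credential-protection changes to Windows 7/8 and
    # Server 2008 R2/2012 (NT 6.1 and 6.2). Assumption: newer releases ship the
    # change built in and Get-HotFix will not list it there, so only flag its
    # absence on those older builds.
    $osVersion = (Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion -match '^6\.(1|2)\.' -and
        -not (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)) {
        $findings += "KB2871997 is not installed (OS version $osVersion)"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PassTheHashMitigations
```

The checks are per-host; on a domain, apply the same settings through Group Policy (Security Options "Network security: LAN Manager authentication level") and run this audit on member servers to confirm the policy actually took effect.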
Related Weaknesses
CWE ID Description
CWE-522 Insufficiently Protected Credentials