May 21 2021

Information security: What is Pass the Hash Attack and how to mitigate the attack

Category: Windows SecurityDISC @ 12:12 pm

A Pass the Hash (PTH) attack is a technique whereby an attacker captures a password hash as opposed to the password itself (characters) thereby gaining access (authentication) to the networked systems. This technique is used to steal credentials and enable lateral movement within a network. In a Windows environment, the challenge-response model used by NTLM security is abused to enable a malicious user to authenticate as a valid domain user without knowing their password.  Now that Kerberos has replaced NTLM as the preferred authentication method for Windows domains, NTLM is still enabled in many Windows domains for compatibility reasons. And so, pass the hash attacks remain an effective tool in the hands of attackers. It is worth noting that there are other attacks associated with Keberos such as Pass the ticket and Kerberos-brute force attack etc. I will be discussing this in my next guide. Below are some articles relating to this topic: NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers, Active Directory Authentication methods:How do Kerberos and NTLM work, and How to configure a service account for Kerberos delegation.

Tags: hash attack, hash crack, Windows, windows server