One of the most time-consuming tasks a penetration tester has to face is password attacks. Traditional password attacks involve password guessing, password cracking, or a combination of both. While the first can take anything from days to months, the latter can take from hours to days, depending on the quality of the password dictionary and the available CPU power, among other factors. Tools that make use of Rainbow Tables, like Ophcrack, have significantly reduced those times to hours or even minutes, especially for systems that use weak password schemes like LM or NTLMv1.
All of the above describes how the password attack picture looked before a new technique, called ‘Pass-The-Hash’, made its way into the hacking scene. Although some may think this technique is quite new, it was actually back in 1997 when Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash”, along with the theory the exploit was based on. This Unix-based tool implemented a modified version of an SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t until last year that Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.
Pass-The-Hash is a different kind of password attack in that its ultimate goal is not to reveal what the password is, but rather to use it without having to crack it. Think about it: do you really care whether the password you are cracking is actually “peanuts”, “Barbie” or “Mickey Mouse”? I don’t think so. All you need to know is that it will give you access to the resource it’s protecting. Well, that’s the main concept behind the ‘Pass-The-Hash’ attack.
The first step to launch this attack is obviously to extract the password hashes. I don’t intend to detail how to obtain them here, but you know you can either dump the SAM database if you managed to get admin privileges, or dump the current user’s credentials from memory if you ‘only’ have regular user privileges. Now, instead of trying to crack the hashes with L0phtCrack or Cain, all you need to do is to USE them directly.
To do so, the ‘Pass-The-Hash Toolkit’ contains utilities that let you manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component, allowing you not only to list the current logon sessions along with their corresponding NTLM credentials, but also to change at runtime the current username, domain name, and even NTLM hashes. Isn’t DLL injection lovely? 🙂
The Toolkit contains three utilities:
- IAM.EXE: This tool allows you to change your current NTLM credentials directly in memory without having the cleartext passwords. Only the password hashes are needed. Yes, that means no password cracking anymore! From the moment the NTLM credentials are changed you can immediately use commands that make use of NTLM authentication, like ‘net use’ or ‘net view’, with the stolen user’s credentials.
- WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials, including username, domain name, LM and NTLM hashes. Those logon sessions also include remote sessions like Remote Desktop Connections. That means you can now steal the Domain Administrator’s password hashes not only from the Domain Controller but also from any machine the Administrator may RDP to. Just run WHOSTHERE.EXE while the admin is logged on and use IAM.EXE from your machine to compromise the Domain Controller using those credentials. Man-in-the-middle attacks could also be combined effectively with this tool.
- GENHASH.EXE: This tool generates LANMAN and NT hashes from user-supplied passwords. It’s just a small tool designed to help with testing IAM.EXE.
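The reason the hash alone is enough for IAM.EXE, and the reason GENHASH.EXE can produce a usable credential from a password, is that NTLM authentication never checks the password itself: the account database stores the NT hash (MD4 over the UTF-16LE password, with no salt), and the server verifies a challenge-response computed from that hash. Whoever holds the hash therefore holds a password-equivalent secret, which is the whole point of the attack and the reason dumped hashes must be treated as plaintext passwords from a defensive standpoint. The example below is added here to illustrate that; it is not code from this post or from the Pass-the-Hash Toolkit. It uses a pure-Python MD4 (RFC 1320) to derive the NT hash, and a deliberately simplified HMAC-MD5 challenge-response model that mirrors the shape of NTLMv2 but is not the MS-NLMP wire format; the password, server challenge and client nonce are constructed values.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python (many OpenSSL builds disable MD4)."""
    # Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, additive constant, shift amounts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # The register being updated cycles a, d, c, b; the other three feed fn().
                j = (-i) % 4
                t = (s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[idx] + k) & MASK32
                s[j] = _rotl(t, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE password, unsalted (equal passwords hash equal)."""
    return md4(password.encode("utf-16le"))


def compute_response(nt_hash_bytes: bytes, challenge: bytes, client_nonce: bytes) -> bytes:
    """Simplified NTLMv2-style proof (assumption, not the MS-NLMP format): HMAC-MD5 keyed
    with the NT hash over the server challenge and client nonce. The key is the hash, never
    the password, which is exactly why a hash is enough to answer."""
    return hmac.new(nt_hash_bytes, challenge + client_nonce, hashlib.md5).digest()


def server_verify(stored_nt_hash: bytes, challenge: bytes, client_nonce: bytes, response: bytes) -> bool:
    """The server holds only the NT hash and recomputes the same HMAC to check the client."""
    expected = compute_response(stored_nt_hash, challenge, client_nonce)
    return hmac.compare_digest(expected, response)


def demonstrate(password: str = "password") -> dict:
    """Constructed exchange: a client that knows the password and a client that holds only
    the 16-byte hash produce the same accepted response; a different hash is rejected."""
    stored = nt_hash(password)                      # what the account database holds
    challenge = bytes.fromhex("0123456789abcdef")   # constructed server challenge (random in practice)
    nonce = bytes.fromhex("aabbccddeeff0011")       # constructed client nonce
    from_password = compute_response(nt_hash(password), challenge, nonce)
    hash_only = compute_response(stored, challenge, nonce)  # no password involved at all
    wrong = compute_response(nt_hash("not-the-password"), challenge, nonce)
    return {
        "nt_hash_hex": stored.hex(),
        "password_client_accepted": server_verify(stored, challenge, nonce, from_password),
        "hash_only_client_accepted": server_verify(stored, challenge, nonce, hash_only),
        "wrong_hash_rejected": not server_verify(stored, challenge, nonce, wrong),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Two properties to take away from running it: the hash-only client is accepted exactly as the password-holding client is, and `nt_hash("password")` is the same 16 bytes on every machine and for every account because the NT hash carries no salt, which is what makes the Rainbow Table attacks mentioned at the top of the post feasible in the first place.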
The advantages of using this technique are beyond doubt. First, time-consuming password cracking is no longer needed, and additionally, the account lockouts that happened so often when doing password guessing won’t happen anymore. This is a massive improvement, so it’s not surprising that penetration testers are increasingly relying on ‘Pass The Hash’ techniques.
For the folks on the other side of the line, that is, from a defensive perspective, the above reinforces the need to adopt best practices when it comes to high-privilege account management, to use secure authentication schemes, and to maintain a suitable patch and vulnerability management programme. Doesn’t it sound familiar?
—
The tools described in this post are part of the Pass-the-Hash Toolkit (pshtoolkit), written by Hernán Ochoa from Core Security. The latest release of the Pass-The-Hash Toolkit (v1.3, published on February 29, 2008) is available for free download here.
Absolutely scary, and as a pen tester, AWESOME. All those days waiting for RTs to complete can now be replaced with this. The scariest part of this blog (to me) is the fact that you can run this against a DC and gain the credentials of all logged on users.