CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the LAN Manager (LM) and/or NT LAN Manager (NTLM) authentication protocols.
Overview
When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
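As an added example (not part of the CAPEC entry), the following Python sketch takes the defender's view of the point above: since NTLM authentication succeeds on the hash alone, the useful telemetry is successful NTLM network logons, and one source host authenticating as several distinct accounts over NTLM is a lateral-movement pattern worth investigating. Field names follow Windows Security Event ID 4624; the sample events are constructed, not real logs.

```python
# Added example (not from the CAPEC entry): flag NTLM network logons that may
# indicate Pass The Hash. Field names follow Windows Security Event ID 4624;
# the records below are constructed sample data, not real logs.
from collections import defaultdict

# LogonType 3 = network logon; AuthenticationPackageName names the protocol.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.55"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.55"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "10.0.0.55"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS07$", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.7"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "carol", "IpAddress": "10.0.0.99"},
]


def is_ntlm_user_network_logon(ev):
    """Successful NTLM network logon by a user or service account."""
    # Machine accounts (trailing '$') and ANONYMOUS LOGON generate routine
    # NTLM traffic that would drown out the signal, so they are excluded.
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and not user.endswith("$") and user.upper() != "ANONYMOUS LOGON")


def ntlm_accounts_by_source(events):
    """Map each source IP to the set of accounts it authenticated as over NTLM."""
    by_src = defaultdict(set)
    for ev in events:
        if is_ntlm_user_network_logon(ev):
            by_src[ev.get("IpAddress", "-")].add(ev["TargetUserName"])
    return by_src


def suspicious_sources(events, min_accounts=2):
    """Sources that logged on as >= min_accounts distinct accounts over NTLM:
    one host authenticating as many users is a lateral-movement pattern."""
    return {src: sorted(accts) for src, accts in ntlm_accounts_by_source(events).items()
            if len(accts) >= min_accounts}
```

Running `suspicious_sources(EVENTS)` on the constructed data flags only 10.0.0.55, which authenticated as three different accounts over NTLM.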
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
  [Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
  - An adversary purchases breached Windows credential hash value pairs from the dark web.
  - An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
  - An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
  - An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
- Step 2: Experiment