Pass the hash attack

1. What is the pass the hash attack?
2. What technique is used to prevent the pass the hash attacks?
3. What are pass the hash and pass the ticket attacks?
4. Which is the first step for an attacker in launching a pass the hash attack?
5. Can you pass the hash with NTLMv2?

What is the pass the hash attack?

Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.

What technique is used to prevent the pass the hash attacks?

Use Firewalls to Block Unnecessary Traffic

However, it is somewhat rare for one workstation to need to access another. If you can use firewalls to block workstation to workstation traffic, then you will reduce an attacker's ability to make the lateral movements that are necessary for a successful pass-the-hash attack.

What are pass the hash and pass the ticket attacks?

In our first post of the series, we looked at ways to detect pass-the-hash attacks, which exploit NTLM authentication within an Active Directory domain. Pass-the-ticket is a related attack that which leverages Kerberos authentication to perform lateral movement.

Which is the first step for an attacker in launching a pass the hash attack?

The attacker must first obtain access to the network through some other technique such as using phishing emails for credential theft. Pass the hash is a post-compromise technique for further credential theft and lateral movement.

Can you pass the hash with NTLMv2?

NTLM has been succeeded by NTLMv2, which is a hardened version of the original NTLM protocol. NTLMv2 includes a time-based response,which makes simple pass the hash attacks impossible.