Pass the hash - again
Pass the hash - again

Many moons ago, in an age of innocence, “Pass The Hash” had a whole other meaning -  something you did at the back of the school on a Friday night.  Now it seems that “Pass The Hash” is back in vogue again - not just in Colorado; the IT version has resurfaced after first appearing some 15 years ago.

Suddenly it seems as if it's the latest exploit about to be unleashed on the corporate landscape. Within a week or two you'll be having the inside sales departments calling to ask if you have ‘PTH' problems. Come April we can expect to see every vendor in the security space having ‘PTH' solutions at tradeshows. Of course this will be followed by the PTH User Groups sponsored by vendors desperately trying to save you from PTH attacks. APTs will have become a distant memory as that was all solved in 2013. 2014 – The year of PTH!

What is it?

Unfortunately it is not as interesting as the original, and it certainly is not going to give you a mellow feeling.

A "pass the hash" (PTH) attack can happen when just the password hash is sufficient to authenticate a user to a system.  This is more of an issue on older windows systems such as XP and 2003. Because of the way in which administrative accounts were set up and stored on a system, it means that very often the local administrator account is vulnerable. And because it is used for many administrative tasks such backups, patching, installing software, etc, it becomes a security risk. If one of the machines is compromised, the local hashes can be dumped out of the Security Account Manager (SAM) database which is present on servers running Windows Server 2003. The SAM stores user accounts for users on the local computer, so if an attacker has now gained administrative access to that machine, other machines on the networks become easy targets.

Newer versions of Windows are less vulnerable because of the way in which a machine acts when added to a domain, but it still carries risk. See: “Still Passing the Hash 15 Years Later”, and many thanks to the authors for providing much of my “research”!

Where does it leave us?

Contrary to the claims of certain vendors, PTH is neither new, nor solved by simply changing administrative passwords.  Unless by administrative passwords you mean, administrators, service accounts, scheduled tasks, and all the other accounts in a system likely to be using the Administrative password. Simply changing your administrator user password is not going to protect you. It may give you the original PTH high, but you can be sure that one of these days you are going to wake up with a terrible headache, and discover that changing your admin accounts didn't offer lasting satisfaction.

Ultimately you need to have a complete inventory of everything from your registry onwards. And it's no good having last week's inventory!

Constantly vigilant

Vigilance was key in the original PTH scenario. Someone had to be constantly on the lookout for “hackers”, be they teachers, parents or the law. And the same applies with today's PTH. Organisations need continuous monitoring of the complete Windows environment, and dynamically discover every location throughout the environment that an account is referenced by a Windows service, task, COM/DCOM object, or AT account.

Discovering where the accounts are used is half the battle. And snapshots in time are not going to do it. You can't manage what you don't know, and unless you are checking continuously you will get caught. I know from past experience!! And of course should you decide to change the passwords regularly, don't start some process to change passwords by creating yet another password on that system so that you can logon on to change the passwords. Ah yes, you're saying to yourself, this doesn't make any sense. And you'd be right, it doesn't. But that's another story.

Is there a moral?

You could say that PTH has never been good for anyone, and both variants can be life changing, not necessarily for the better. Pass The Hash in IT terms has been around for close to 15 years, and exploits were available several years ago, so it's not a new vulnerability, but it is something that you should be aware of. Taking proper precautions such as ensuring that passwords are changed regularly will help. It is also important to ensure that services and scheduled tasks are not using the same passwords across your infrastructure. For example segment your environment in such a way that a breach can be contained, and always be vigilant. Now please “Pass the Hash”

Contributed by Calum MacLeod, VP of EMEA at Lieberman Software Corporation