Anatomy of a PtH attack. (Courtesy of Microsoft.)Security experts have long warned passwords are among the weakest links in an organization’s IT security posture. As a result, security administrators have engaged in a relentless campaign to get employees to create longer, more complex passwords involving everything from capital letters, numbers and special characters.
But if a network is not configured properly, particularly in restricting remote access and setting the proper firewall rules, no password, regardless of how long and complex, can prevent an attacker from gaining access through a technique known as Pass-the-Hash (PtH) – an attack that’s been around for more than 15 years.
A new guide posted this month by the National Security Agency’s Information Assurance Directorate, explores the PtH attack and provides network security administrators with advice on how to prevent their networks from becoming victims.
The setup
Although biometrics and smart card systems are being deployed rapidly, the most common form of user authentication remains a password. And in Single Sign On systems, users are allowed to authenticate to the operating system once per login. The system then stores the user identity and a cryptologic representation of the user’s password – known as a hash – in memory. Whenever the system requires the user to authenticate during the same login period, it simply uses the cached credentials instead of prompting the user to re-enter their user name and password.
An attacker that gains administrator privileges (or has administrator privileges based on his or her position in the organization) can retrieve the hashed user credentials by accessing the Security Account Manager file or by reading the Local Security Authority Subsystem Service process memory.
The vulnerability comes into play when these credentials match the credentials used to gain access to remote Windows services. Using the PtH technique, an attacker basically reuses the compromised credentials to access other computers across the enterprise.
The attack
The success of a PtH attack depends on a number of different factors. But according to the NSA guide, the most important include the overall network configuration, firewall settings and user account settings.
First, the attacker compromises an initial machine. Free tools are widely available to hackers that enable them to obtain user credentials. Depending on the exploit used, the attacker may only have user privileges and must escalate privileges to an administrator or system account, which grants access to all credentials on the local system.
Next, the attacker attempts to use each set of credentials to authenticate with other systems on the network via PtH. If any credentials grant access to a new machine, then the attacker harvests more credentials.
The attacker continues to spread across the network, potentially gaining more credentials on each newly exploited machine until the domain administrator account is obtained or until all credentials have been exhausted.
The defense
The NSA guide recommends the following defense-in-depth strategy for making it more difficult for attackers to leverage a PtH attack.
- Create unique local account passwords.
Enforce unique local administrator accounts on each machine. - Restrict remote access to local administrator accounts.
Removing network and remote interactive logon privileges, especially from local administrator accounts, will harden the system and prevent an attacker from using PtH with local accounts to obtain unauthorized access to other machines. - Use firewall rules to restrict lateral movement on the network.
Restrict workstations from communicating directly with other workstations using Windows Firewall rules. If a workstation has services that require other workstations to communicate with it, the firewall can be configured to only allow that specific traffic through. - Check out the new features in Windows 8.1 for specific capabilities to combat PtH attacks.
