Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Intercepting pass-the-hash attacks

Roger Grimes | April 21, 2010
Limiting who can access highly privileged accounts and where they do can help keep hackers from snatching precious hashes.

Pass-the-hash attacks are among the most difficult assaults to thwart. In these attacks, an intruderor an employee performing unauthorised activitiesgains administrative (or root) access to a computer where a user logs on. With that highly elevated access, the intruder can obtain the user's password hash from the machine's memory and log on to other computers as the spoofed user.

Once an outsider obtains elevated access, defending against the pass-the-hash attacks is very difficult. There are even free hacking tools available to aid the process. Even worse, pass-the-hash attacks work against very long passwords, smart cards, and many other logon tokens. There aren't a lot of defences one can deploy to prevent them, which is why security admins fear them. However, defences do exist.

Not just a Windows problem
Some people mistakenly believe that only Windows is vulnerable to pass-the-hash attacks. (I'll note that Microsoft is my full-time employer.) However, most of today's popular operating systems perform subject authentication (for example, user, computer, service/daemon) using password hashes. Those hashes sit in the computer's memory on those operating systems as readily as on Windows and can be obtained just as easily, if not more so, if public tools are on hand.

A little background first: In early and less complex operating systems, passwords were originally stored in plaintext form and often communicated between the logging-on client and the authentication server/service using an open, unencrypted communication channel. This still occurs on many insecure operating systems and programs, such as FTP and Telnet, although it is universally decried when found.

Operating system vendors decided that password hashes could make some types of password compromises harder to accomplish. With a good password hash, it's very unlikely or very difficult for a person obtaining the password hash to convert it back to its original plain text. Even if the attacker gets the password hash database (in Windows, this is stored in the local SAM database or in the Active Directory database) or captures the hash on the network, he or she could not immediately convert it to its plain text equivalent for use.

Prior to Windows Vista, Windows stored password hashes in two hash forms: LANManager and NT. IBM created LANManager in the early 1980s, and it's not considered secure. In fact, it's readily and easily crackable when used to protect Windows passwords up to 14 characters in length.

The NT hash, on the other hand, is a good cryptographic hash and has proven resistant to cracking when lengthy and/or complex passwords are used. Unix, Linux, and BSD systems have similar password hash issues, where the early hashes are no longer considered secure, and the new hashes, including SHA-512 and Bcrypt, are recommended in order to protect against cracking.


1  2  3  Next Page 

Sign up for Computerworld eNewsletters.