What Is a Pass-the-Hash (PtH) Attack?

A pass-the-hash attack is a type of cyber attack in which an attacker steals a password hash, typically from an administrator’s machine, and uses it to gain unauthorised access across a network. This type of attack eliminates the need to steal or crack a password, since the hash alone is enough to authenticate and escalate access within a network and its systems.

What Is a Password Hash?

To understand how a pass-the-hash attack works, you first need to understand what a password hash is. A password hash is the output of a one-way hashing algorithm that turns a plaintext password into a fixed-length string of letters and numbers; the hash cannot be reversed or decoded to reveal the original password.

Password hashing enhances security by eliminating the storage of plaintext passwords on a server. With password hashing, only the end user knows their plaintext password.


How Do Pass-the-Hash Attacks Work?

Pass-the-hash attacks begin when a cybercriminal compromises an administrator’s machine. This is often done by infecting their machine with malware through social engineering techniques. For example, an administrator may be sent a phishing email urging them to click an attachment or link. If they click the link or attachment, malware can be immediately downloaded without their knowledge.

Once the malware is installed on the administrator’s machine, the cybercriminal harvests the password hashes cached on it. With just one hash belonging to a privileged account, the cybercriminal can authenticate to other systems as that user without ever supplying the plaintext password, effectively bypassing the protection the network or system’s authentication protocol is meant to provide. From there, they can access confidential information and move laterally across the network to gain access to other privileged accounts.


Who Is the Most Vulnerable to Pass-the-Hash Attacks?

Windows machines are the most susceptible to pass-the-hash attacks because of a design weakness in the way Windows NT LAN Manager (NTLM) uses password hashes. NTLM is a set of security protocols offered by Microsoft that acts as a Single Sign-On (SSO) solution, which many organisations still use.

This NTLM weakness allows threat actors to leverage compromised domain accounts with only the password hash, without ever needing the actual password: because the NTLM response to a server’s challenge is derived directly from the NT hash, whoever holds the hash can answer that challenge exactly as the legitimate user would.
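Because a stolen NT hash is replayed through NTLM rather than Kerberos, one practical defensive check for the lateral movement described in the two sections above is to look for a single account completing NTLM network logons to many hosts in a short window. The following is an added example, not code from the original article or from Keeper; the event records, field names (a flattened export of Windows Security event 4624), the privileged-account list and the thresholds are all constructed assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security event 4624 records flattened to one JSON
# object per line (assumption: a SIEM/log-shipper style export with these keys).
SAMPLE_EVENTS = """
{"time":"2024-05-01T09:00:05","EventID":4624,"LogonType":3,"AuthPkg":"Kerberos","User":"jdoe","SrcIp":"10.0.0.21","Host":"FS01"}
{"time":"2024-05-01T09:01:10","EventID":4624,"LogonType":3,"AuthPkg":"NTLM","User":"svc_backup","SrcIp":"10.0.0.55","Host":"FS01"}
{"time":"2024-05-01T09:01:12","EventID":4624,"LogonType":3,"AuthPkg":"NTLM","User":"svc_backup","SrcIp":"10.0.0.55","Host":"FS02"}
{"time":"2024-05-01T09:01:15","EventID":4624,"LogonType":3,"AuthPkg":"NTLM","User":"svc_backup","SrcIp":"10.0.0.55","Host":"DC01"}
{"time":"2024-05-01T09:01:20","EventID":4624,"LogonType":3,"AuthPkg":"NTLM","User":"svc_backup","SrcIp":"10.0.0.55","Host":"SQL01"}
{"time":"2024-05-01T13:30:00","EventID":4624,"LogonType":3,"AuthPkg":"NTLM","User":"printsvc","SrcIp":"10.0.0.7","Host":"PRN01"}
{"time":"2024-05-01T14:00:00","EventID":4624,"LogonType":2,"AuthPkg":"NTLM","User":"jdoe","SrcIp":"-","Host":"WS17"}
"""

# Assumption: the set of privileged accounts comes from your PAM inventory.
PRIVILEGED = {"svc_backup", "administrator"}

def parse_events(text):
    """Parse one JSON event per line and convert the timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return events

def find_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag (user, source IP) pairs that complete NTLM network logons
    (EventID 4624, LogonType 3) to at least `min_hosts` distinct hosts
    within `window`. Kerberos logons are ignored: a replayed NT hash
    authenticates via NTLM. Thresholds are assumptions, tune per environment."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthPkg"] == "NTLM":
            by_actor[(e["User"], e["SrcIp"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {x["Host"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts),
                               "privileged": user.lower() in PRIVILEGED})
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_ntlm_fanout(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A hit on a privileged account is the case worth escalating first, since that is exactly the hash an attacker needs for the escalation the article describes.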


How To Mitigate Pass-the-Hash Attacks

Invest in a Privileged Access Management (PAM) solution

Privileged access management refers to securing and managing accounts that have access to highly sensitive systems and data. Privileged accounts include those used to administer payroll systems, operating systems and IT infrastructure, to name a few.

A PAM solution helps organisations secure and manage access to privileged accounts by leveraging the Principle of Least Privilege (PoLP). PoLP is a cybersecurity concept in which users are given just enough access to the data and systems they need to do their jobs, and no more. With a PAM solution in place, organisations can ensure that users are only given access to the accounts they need through Role-Based Access Controls (RBAC). Organisations can also enforce the use of strong passwords and Multi-Factor Authentication (MFA) to further secure accounts and systems.

Regularly rotate passwords

Rotating passwords regularly can help mitigate the risk of a pass-the-hash attack since it reduces the time for which a stolen hash is valid. The best PAM solutions are all-encompassing and have password rotation as a feature you can enable.

Implement zero trust

Zero trust is a framework that assumes any user or device may already be compromised, requires users to continuously verify their identities, and limits their access to network systems and data. Instead of implicitly trusting users and devices because they are inside the network, zero trust trusts no one by default.

Zero trust can help reduce cybersecurity risks, minimise an organisation’s attack surface and improve audit and compliance monitoring. With zero trust, IT administrators have full visibility into all users, systems and devices. They can see who’s connecting to the network, where they are connecting from and what they’re accessing.

Perform penetration testing regularly

Penetration testing, also known as a pen test, is a simulated cyber attack against an organisation’s networks, systems and devices. Performing regular penetration testing can help organisations determine where they have vulnerabilities so they can fix them before they’re exploited by cybercriminals.

Keep Your Organisation Safe From Pass-the-Hash Attacks With KeeperPAM®

KeeperPAM is a next-generation privileged access management solution that combines Keeper’s Enterprise Password Manager (EPM), Keeper Secrets Manager (KSM) and Keeper Connection Manager (KCM) into one unified platform to protect your organisation from cyber attacks.
