Attackers love passwords and many password attacks require attackers to first crack a stolen password before he/she can be authenticated into an unauthorized system. An example of such an attack is Bruteforcing, a situation where an attacker enters different passwords into a system with the hopes of eventually guessing the right one, the simplest type of attack right now. Another variation of a password attack is done using Rainbow tables. The attacker uses a table with a list of hashes and/or passwords (probably created by him/her), compares it to stolen password hashes in a compromised database (again, probably compromised by him/her) if any values match, the attacker is authenticated. Of course, these methods can be time-consuming and in many cases, the attacker is unable to gain access to the system. Introducing the Pass-the-hash-attack, a password attack that requires the hash of a password alone for authentication thanks to the Single-Sign-On feature in Windows. This attack is possible due to a vulnerability found in the Single-Sign-On authentication process in Windows 8 OS and lower.
In a Windows domain environment, the Single sign-on feature allows a user (client) log in to a server once and is authenticated to access other resources on the domain as opposed to logging in every time the user needs to use a resource (e.g, servers, applications, etc.) convenient, isn't it? The first time a user logs in to a server, the user's password is converted to an NTLM(New Technology LAN Manager) hash and together with the user's username, both are stored in the memory of the LSA(Local Security Authority) and a process called the Local System Subsystem Service process (LSASS.exe) authenticates and creates a login session to the local system/user/client so that the user can access multiple resources on the server without prompting the user to log in every single time and this is how the authentication process works. When the user/client/Local system needs to access a resource on let's say a file server, the file server challenges the client by sending it a random 16-byte number. The client encrypts that number using the user's NTLM password hash and sends that response to the file server, this is called the NTLM challenge and response. The file server sends the Username of the user, its challenge (plain text 16-byte number), and the client's response (encrypted 16-byte number) to the domain controller. The domain controller decrypts the client's response ( encrypted 16-byte number) using the user's NTLM password hash and if the answer is the same as the file server's challenge (plain text 16-byte number) the user is authenticated. How then is the Pass the Hash Attack Possible?
The goal of the Pass the Hash attack is to gain admin rights into the Domain controller. The Domain Controller is a server that responds to security authentication requests of other servers in the domain before they allow clients access to their resources. If an attacker gains domain admin rights to a domain controller, he/she can authenticate himself/herself to use resources on any server in the domain. To carry out the attack, he/she already has to have admin rights to any system on the network(pretty easy nowadays with malware or social engineering attacks) which would then allow him/her laterally on the network. With the admin rights the attacker has, he/she can access a list of usernames and NTLM password hashes of everyone who has logged into the system both remotely and locally including the domain admin's; the end goal of the attacker. If the domain admin happens to be one of the users who have logged to that system remotely, the attacker passes the domain admin's username and NTLM password hash to the LSASS.exe process which in turn uses it to encrypt the 16-byte challenge number from whatever server he/she is trying to access including the authentication server (Domain Controller). Obviously, the resulting value of that process would correlate with the value the Authentication Server would have; the attacker is authenticated. With this simple process, all clients and servers on the network are at the mercy of the attacker to do whatsoever he/she desires; steal private info, lock the legitimate admin out of the system, delete or change stuff, and many more.
However, in Windows 10, authentication is no longer done by just the server but the server and the user and also makes use of the Primary Refresh Token for every resource being accessed on the network domain.
Thanks for reading!