Pass The Hash Exploiting Windows Passwords Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Pass the Hash is a method to circumvent a password. This method eliminates the need to attack the password directly with a method such as brute force. It has existed and been in practice for over a decade. With the method being known to the information security field for so long, is this still a viable attack technique? Has the operating system vendor successfully mitigated this attack? In this paper I intend to explore if the pass the hash technique is still viable in today's computer security environment. I will focus on the Microsoft operating system family as it is the most prevalent operating system out on the market and is the largest victim to these attacks. I intend to test a couple different readily available pass the hash tool kits and see how they are implemented, and if they still operate as they originally were designed to over a decade ago. Along with this I intend to analyze the tool kits merits, and their disadvantages. From this I intend to find and devise some good working practices and solutions to combat pass the hash.

Keywords: Pass the Hash

Introduction - What it is and Why it Works

The discovery of Pass the Hash is commonly credited to Paul Ashton, who posted it to NTBugtraq back in 1997 ("NT "Pass The Hash" With Modified SMB Client Vulnerability"). Ashton described a method that bypasses normal password entry in order to gain access to a system: grab the hash of the password, then use the hash itself to authenticate as an accredited user. This exploit takes advantage of the way that Windows used and stored passwords. Early versions of Windows prior to Windows XP used a one-way function that mathematically manipulated the password and encrypted it. This encrypted string is commonly referred to as the LM hash. While it is not technically a hash, the term is used for simplicity's sake. This method has been in use for over 25 years, yet today it is only used as a backwards compatibility measure (Johansson, 2). Windows XP started the use of an actual hashing function, specifically MD4. If a user logs on locally to a machine, an NT hash is made from the password and compared against the hash stored on the machine. If the user is logging onto a domain, the NT hash is used in the Kerberos logon process. There are some specific situations in which Kerberos cannot be used, and in these cases protocols such as LanMan and NTLM are used. The LM and NT hashes are then used in computing the responses to the LanMan and NTLM authentication protocols (Johansson, 3). Kerberos is an authentication protocol initially used in Windows 2000, with usage continued in later operating systems. It is the protocol used to authenticate against a domain controller, and it issues tickets or tokens. SAM file…accessible only offline
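As an added illustration (not part of the original essay), the following script derives the NT hash the way the paragraph describes: the password is encoded as UTF-16LE and run through MD4, with no per-user salt or iteration count. That absence of a salt is the root of the problem the essay studies: two accounts with the same password get byte-identical hashes, and a hash dumped from one machine is a password-equivalent credential everywhere that account is valid. The MD4 is written out in pure Python because hashlib's "md4" is often unavailable on OpenSSL 3 builds; the account names and passwords are constructed sample data.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is often disabled on modern OpenSSL."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)                  # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # Three rounds of 16 steps; rotating the tuple plays the a/b/c/d roles in turn.
        for f, idx, shifts, k in ((F, range(16), (3, 7, 11, 19), 0),
                                  (G, r2_idx, (3, 5, 9, 13), 0x5A827999),
                                  (H, r3_idx, (3, 9, 11, 15), 0x6ED9EBA1)):
            for i, j in enumerate(idx):
                a, b, c, d = d, _rotl((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password. No salt, no iterations: the same
    password always yields the same hash, on every machine and for every account."""
    return md4(password.encode("utf-16-le")).hex()

def same_password_same_hash(accounts: dict) -> dict:
    """Group accounts by NT hash; identical passwords collapse into one group, which is
    what makes a dumped hash a reusable, password-equivalent credential."""
    groups = {}
    for user, pw in accounts.items():
        groups.setdefault(nt_hash(pw), []).append(user)
    return groups

if __name__ == "__main__":
    # Constructed sample accounts for the demo; "password" is a textbook test value.
    demo = {"DOMAIN\\alice": "password", "DOMAIN\\svc_backup": "password",
            "DOMAIN\\bob": "Winter2011!"}
    for h, users in same_password_same_hash(demo).items():
        print(h, users)
```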

Talk about it being a secondary exploit here.

Explain why focusing on Windows machines and the scope of the paper from there

Testing - Programs and Procedures


In order to complete the testing of a couple of the readily available Pass the Hash tools currently on the market, I made four assumptions. The first and biggest assumption is that the "attacker" computer has already been compromised through another technique. Finding and using a method for the initial exploitation of a computer was beyond the scope of the research for this paper. Since pass the hash is not a primary exploitation technique, it had to be assumed that the computer trying to pass the hash had already been compromised in some way. The second assumption was that the attacker had already found a way to elevate privileges on the compromised machine to local administrator. For the pass the hash tools to run successfully, administrator privileges are needed. As with the primary exploitation, there are many other methods to elevate privileges on a compromised machine, and finding one was beyond the scope of the research. To simulate these first two assumptions, the attacker computer was logged on using a local administrator account. The third assumption was that the compromised machine was part of a domain and that the intent of passing the hash was to obtain domain account names and password hashes. This would enable the attacker to obtain the domain account name and password hash and create an accredited domain logon session with the stolen credentials. Finally, the testing was focused on Windows-based systems, as this is the most prevalent platform for these types of attacks.

Testing Set-up

In order to test the readily available Pass the Hash programs, I set up a simple domain using virtual machines (VMs) in VMware Workstation. For the domain controller, I set up a VM running Windows Server 2008. It was a simple VM with 4 GB of RAM, a single processor, a 40 GB hard drive and NAT networking. Originally I configured the VMs to be host-only, but I encountered some problems and changed them to NAT. I used static IPs in the private network range of my home router, specifically and up. Once the VM was up and running, I promoted the server to domain controller and set up two computer accounts as well as a domain administrator. For the client computers I used two VMs, both running unpatched versions of Windows XP. Both were single-processor machines with about 2 GB of RAM. Once they were up, running and named, I added them to the domain and logged them on using the domain user accounts I had created. One of the XP machines became my "attacker" and used the local administrator account to start the test.


The PSH toolkit is a free download from Hernan Ochoa at the Core Labs website. It was developed back in 2007 for vulnerability testing (Ochoa). In the wrong hands, however, this defensive tool quickly becomes a powerful offensive tool. To test it, I started up the domain controller and the "attacker" Windows XP VMs. Using a local administrator account, I ran the whosthere.exe program to see what hashes were available on the system. I had previously logged on to the machine using one of the domain users that I created in the set-up of the test machines. Using whosthere.exe I could immediately see the hashes of the domain user and copy them. Turning around and using the iam.exe program included in the toolkit, I quickly and easily had a command prompt running as that accredited user. These programs are extremely easy to use and work incredibly fast. One observation from using them is that only the hashes already on the machine are available to be pulled; the toolkit does not reach across the network to pull hashes from other systems. After this test was complete, I used Microsoft's bundled Remote Desktop from the domain controller to connect to the XP attacker machine. The credentials of the domain administrator were immediately available to be pulled on the attacker machine. This is an easy way for an attacker to gain higher-level credentials. I then tried to run the program on the domain controller itself. The program could not find any hashes or users. I also tried to run it on my laptop, which is running Windows 7, and found the same problem: the program could not find any of the hashes. This is due to changes in the way that newer versions of Windows handle the password hashes.


Psexec is a common module that can be used through the Metasploit framework, even though it was not originally a part of Metasploit (Sanders). To test it, the hashes needed to have been obtained already. Psexec is not a complete package that can obtain the hashes and then pass them along to authenticate as an accredited user. There are many different methods to obtain the hashes, including programs such as pwdump, stealing the hashes from the SAM file, or Metasploit's hashdump, to name just a few (Hummel, 7-9). For the purpose of this test, I went back to whosthere and used that program to obtain the password hashes. Once the hashes were in hand, it was a simple process of running psexec inside Metasploit and setting the proper parameters. The psexec module requires the user name, the password hash, the source IP address and the destination IP address. With these four simple pieces of information, the machine can be exploited and logged into as an authenticated domain user. This process worked perfectly from the "attacker" Windows XP VM to the secondary Windows XP VM.


The Windows Credentials Editor (WCE) is the new version of the pshtoolkit. Written again by Hernan Ochoa, this small but effective program has several added features and updates that make it that much more powerful. As stated earlier, with the advent of newer versions of Windows, the pshtoolkit no longer works. WCE is a new program, completely re-written and updated to target the newer versions of Windows. It also supports obtaining Kerberos tickets and saving them to a file in order to reuse them later ("Windows Credentials Editor (WCE) F.A.Q"). Just like in the previous tests, I set up the attacker computer and the domain controller. On each of the machines I ran WCE and was able to obtain the hashes on the Windows XP machines and the Kerberos tickets on the Server 2008 machine. I also saw in my testing that the pshtoolkit does not work on Windows Server 2008, whereas WCE did. I was able to grab some Kerberos tickets and save them to a file. One of the benefits of this program is that it is backwards compatible; it worked just like its little brother in the Windows XP test environment. This new program now allows Pass the Hash to be used in the newer computing environment.


Through testing merely a few of the readily available tools out on the street, it was seen that the Pass the Hash technique works, and works well. It gives the attacker the ability to become an accredited user on the network and then to move around and attack other network resources, just as if he were inside the network. The initial problem is that the attacker has to gain entrance in another manner. Then he has to find the hashes that he needs in order to become the accredited user. Getting these hashes can be half the battle. There are many readily available hash dumping programs out on the street, but for most of them the hashes have to be on the machine that is already compromised. The hashes can be sniffed out of network traffic, but this is a much harder method and the attacker needs to be on the same network segment (Sanders, "How-Cracked-Windows-Password-Part2"). For the most part, the attacker has to be at the right place at the right time. He has to compromise just the right machine in order to get the hashes needed to elevate his current login credentials. A lot of luck is involved. If the hashes are not in memory on the compromised system, the attacker cannot obtain them. If he can't get the hashes, he cannot use them to masquerade as an accredited user.

The Pass the Hash technique is not a standalone technique. It is just one tool of many that the attacker can employ. By itself, this technique cannot grant an attacker complete domain access. It is a support technique, employed as part of a "kit bag" of many other techniques and programs. But once the attacker is on the network, the issue of lateral exploitation is huge and nearly impossible to stop. If he is lucky, the attacker can use this technique to steal the domain administrator's credentials. Once he has those, he can do and go anywhere that the network allows the administrators to go; virtually anywhere. Roger Grimes said "concentrating on PTH [Pass the Hash] when the bad guy is a superadmin is like worrying about your brakes after a thief steals your car." (Grimes). Network administrators need to focus on stopping the attacker from getting into the network in the first place. If the attacker cannot gain initial access to the network, this exploit cannot be executed. There is no simple answer to this complicated issue. The problem is multilayered, and a multilayered approach to fixing it must be applied. First, network administrators need to keep the attacker out by focusing on the security items that block the attacker from gaining that initial foothold on the network. This means standard practices such as keeping machines updated and patched and running the most recent versions of operating systems with their associated service packs. But if the attacker does gain access, do not give him access to high-level domain credentials. Remote access by administrators to the client machines can expose the administrator credentials. Simple actions such as using the "run as" command or the Remote Desktop included in Windows place the administrator's password hashes into memory, where the attacker can obtain them (Pilkington). Administrators need to minimize their use of these interactive logins on machines that they are troubleshooting or suspect are already compromised. Other simple techniques, such as ensuring users log off and restart their machines at the end of the day, flush out the memory and the hashes stored there (Grimes). Through my testing, I also found that Symantec Anti-virus found and quarantined the pshtoolkit and WCE. Keeping the antivirus software up to date and running on client systems is a good way to stop this attack before it begins.

So, is this still a viable technique? Microsoft has made some improvements in the way that the password hashes are handled. The upgrade to NTLMv2 was a step in the right direction. The use of Kerberos instead of plain NT hashes was also a step in the right direction. However, new tools are emerging all the time. Old tools are being updated to exploit the newer operating systems, as can be seen with the WCE tool. Microsoft needs to continue to update the way it handles password hashing. A new standard needs to be derived instead of just trying to fix the old one and make it work. They need to go back to the drawing board and find a way to keep the hashes from floating around in memory. A volatile memory placement could be implemented: that is, a time to live for the hashes placed in memory, after which they are completely dumped and overwritten with garbage data. This could end up being hungry for processor time and power, but keeping the hashes out of memory would be an appropriate trade-off. Overwriting the memory with garbage would prevent the hashes from being available for dumping and subsequent use. While this new method of handling the password hashes could mitigate this attack for a while, I believe this technique will be around for quite some time. It is easy to use and the results are worth the trouble of obtaining the password hashes. The determined attacker will find new ways to implement this attack vector. This is a viable technique and will be around for the foreseeable future.