Hi everyone, I recently learned that in Microsoft Active Directory it is possible to use some services like SMB with the Pass-the-Hash method. My question is: is this method considered a vulnerability, and if so, what vulnerability is it?
If you have the hash, it’s the same as having the password: you just pass or feed it into the NTLM protocol to gain entry. You might want to read up on why PtH works, and how Windows auth differs from Unix auth (read the article at the end).
Windows keeps hashes in LSASS memory, making them available for Single Sign On. When you need to access other services, Windows just dips into LSASS to pull out the credential — the hashed password — so you don’t have to re-enter it. A prerequisite for PtH to work is that the attacker must obtain local administrator privileges on at least one computer in his organization, so the security problems go beyond PtH; if not, how would he get the hash?