MITRE ATT&CK vulnerability spotlight: Pass-the-hash

Introduction

Since the first appearance of pass-the-hash (PtH) in the nineties, this lateral movement tactic has been helping attackers leverage credentials to authenticate a user without having access to the user’s cleartext password. 

This article will discuss what the PtH hacking technique is, some basic concepts to help novice hackers better understand how this attack works, how to detect PtH and how to defend against PtH, as well as providing some tips on how to mitigate this infamous authentication trick. This article will provide a high-level look at this hacking technique but will stay low-level enough to heighten your understanding of how PtH work.

MITRE and ATT&CK

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. 

What is pass-the-hash?

PtH is a hacking technique that authenticates a user even when the actor performing the technique does not have access to the user’s password. This is done through bypassing standard user authentication by moving the authentication directly to the portion of authentication that deals with the password hash. 

More specifically, the technique steals the underlying NTLM or LanMan hash of the user’s password stored in stored in the Windows SAM file located in %SystemRoot%/system32/config/SAM. PtH is typically performed using tools such as Mimikatz and Metasploit. 

A little on passwords

Not to “rehash” the issue (yes, pun (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0jEHBUArp2w/