Most of us already know the basic principle of authentication, which, in its simplest form, helps us to identify and verify a user, process, or account. In an Active Directory environment, this is commonly done through the use of an NTLM hash. When a user wants to access a network resource, such as a file share, their password is hashed and sent over a cryptographically secure channel to the resource.

During the authentication process, this hash is typically what is used to verify the identity of the user. These hashes can be as good as gold from an attacker’s perspective, especially when they can be obtained “on demand” through coercion. Authentication coercion is when an attacker is able to force a machine to initiate an authentication attempt back to a machine the attacker controls.

Many times, this response comes in the form of an NTLM hash, as noted previously. PKF O’Connor Davies’ penetration testing team regularly leverages stolen NTLM hashes during client penetration tests to move laterally and escalate privileges. The remainder of this article will provide a technical deep dive into these tactics, techniques, and procedures used by penetration testers and attackers, as well as the mitigations an organization can implement to prevent this type of abuse.

How NTLM Hashes Are Used

Once a hash is stolen, an attacker can use a group of available tools to discover a hash collision, which will reveal the plaintext credentials. Alternatively, the NTLM hashes can sometimes be used in relay attacks. Commonly known as a “Pass the Hash” attack, this occurs when an attacker receives an authentication request in the form of an NTLM hash and forwards it to a resource of their choice. The attacker is then able to authenticate as the targeted user by using the relayed hash. This gets especially dangerous (Read more...)
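From the defender's side, both halves of the story above leave traces: the coerced host opens an outbound SMB connection from a system process to an address it has no business talking to, and the host that receives a relayed logon records an NTLM network logon whose claimed workstation name does not match the IP the connection actually came from. The following Python script is an added example written for this article, not tooling from PKF O’Connor Davies; it runs two such heuristics over a handful of constructed Sysmon event 3 and Security event 4624 records. The asset inventory, IP addresses, host names and sample events are all made up, and the field names follow the Windows event XML.

```python
"""Heuristics for spotting coerced and relayed NTLM authentication in logs.

Two constructed event sources are used (sample data below is made up):
  * Sysmon event 3 (network connection) on the host that might be coerced:
    an attacker forces it to reach out over SMB, so its LSASS or print
    spooler process opens an outbound connection to an unexpected address.
  * Security event 4624 (successful logon) on the host that receives a
    relayed logon: the NTLM messages carry the victim's WorkstationName,
    but the TCP connection arrives from the relaying machine's IP.
"""
from dataclasses import dataclass

# Constructed asset inventory: hostname -> the IP it is expected to use.
# In production this would be fed from DHCP, DNS or a CMDB.
INVENTORY = {"DC01": "10.0.0.5", "FS01": "10.0.0.20", "WS-ALICE": "10.0.1.40"}
KNOWN_IPS = set(INVENTORY.values())

# Processes that authentication coercion typically drives outbound.
COERCIBLE_PROCESSES = ("lsass.exe", "spoolsv.exe")
SMB_PORT = 445


@dataclass(frozen=True)
class Finding:
    kind: str    # "coercion" or "relay"
    host: str    # host whose log produced the finding
    detail: str


def detect_outbound_coercion(sysmon_events):
    """Flag outbound SMB from LSASS/spooler to an IP that is not a known asset."""
    findings = []
    for ev in sysmon_events:
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if image not in COERCIBLE_PROCESSES:
            continue
        if int(ev.get("DestinationPort", 0)) != SMB_PORT:
            continue
        dst = ev.get("DestinationIp", "")
        if dst not in KNOWN_IPS:
            findings.append(Finding("coercion", ev.get("Computer", "?"),
                                    f"{image} opened SMB to unknown host {dst}"))
    return findings


def detect_relayed_logon(security_events):
    """Flag NTLM network logons whose claimed workstation does not match the source IP."""
    findings = []
    for ev in security_events:
        if ev.get("AuthenticationPackageName") != "NTLM" or str(ev.get("LogonType")) != "3":
            continue
        ws = ev.get("WorkstationName", "").upper()
        src = ev.get("IpAddress", "")
        expected = INVENTORY.get(ws)
        if expected is None:
            continue  # workstation not in inventory: out of scope for this check
        if src != expected:
            findings.append(Finding("relay", ev.get("Computer", "?"),
                f"{ev.get('TargetUserName')} logon claims {ws} ({expected}) but came from {src}"))
    return findings


# Constructed sample events (field names as in the Windows event XML).
SYSMON_SAMPLE = [
    # Normal: DC01's LSASS talking SMB to the known file server.
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\lsass.exe",
     "DestinationIp": "10.0.0.20", "DestinationPort": 445},
    # Suspicious: DC01's LSASS reaching out over SMB to an address not in inventory.
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\lsass.exe",
     "DestinationIp": "10.0.9.99", "DestinationPort": 445},
    # Unrelated: a browser's HTTPS connection.
    {"Computer": "WS-ALICE", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
SECURITY_SAMPLE = [
    # Normal: alice's NTLM network logon from her own workstation's IP.
    {"Computer": "FS01", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.40"},
    # Suspicious: DC01$ logon claiming to come from DC01 but arriving from an unknown IP.
    {"Computer": "FS01", "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "DC01", "IpAddress": "10.0.9.99"},
    # Kerberos logon: not subject to the NTLM check.
    {"Computer": "FS01", "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "", "IpAddress": "10.0.1.41"},
]

if __name__ == "__main__":
    for f in detect_outbound_coercion(SYSMON_SAMPLE) + detect_relayed_logon(SECURITY_SAMPLE):
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

Both checks are heuristics and need tuning: cluster nodes, multi-homed servers and NAT will produce workstation/IP mismatches that are benign, so the inventory and an allow-list have to be maintained, and the outbound check only fires for the two processes listed. The relay check deliberately ignores Kerberos logons and hosts missing from the inventory rather than guessing.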