Group: Red Team
Keywords: Windows, Active Directory, NTLM, Attack
Last edited time: May 27, 2024 7:34 AM
Status: In progress
👉 Overview
👀 What ?
Pass the Hash (PtH) and Pass the Key (PtK) are techniques used in hacking and penetration testing to exploit the way Windows handles authentication. The core concept is to intercept and utilize the hashed or encrypted version of a user's credentials to gain unauthorized access to a system, without needing to know the actual plaintext password.
🧐 Why ?
Understanding PtH and PtK is crucial for both ethical hackers and security professionals. For ethical hackers, these techniques can prove invaluable in testing the security of Windows systems. For security professionals, understanding how these attacks work is the first step in defending against them. PtH and PtK exploit inherent vulnerabilities in Windows' authentication mechanisms, making them a significant threat to any Windows environment.
⛏️ How ?
To perform a PtH or PtK attack, an attacker first needs to obtain the hashed or encrypted credentials. This can be done using various methods, such as sniffing network traffic, extracting hashes from memory, or compromising a system with malware. Once the hashed or encrypted credentials are obtained, they can be used to authenticate as the user. The attacker simply presents the hashed or encrypted credentials to the target system, which treats them as valid and grants access.
⏳ When ?
PtH and PtK attacks have been a common threat since the introduction of NTLM authentication in Windows NT. Despite advancements in security, these attacks remain a significant threat due to the continued use of NTLM and Kerberos authentication in modern Windows systems.
⚙️ Technical Explanations
In a PtH attack, the attacker captures the NTLM hashes of a user's password. This is possible because Windows stores these hashes in memory to support its single sign-on feature. Once the hashes are captured, they can be used to authenticate to other systems that accept NTLM authentication.

In a PtK attack, the attacker captures the Kerberos tickets of a user. These tickets, which are encrypted with the user's password, grant access to various services within a Windows domain. The attacker can then present these tickets to access the services as the user. Because what is presented is the encrypted ticket rather than the plaintext password, this attack bypasses most password complexity requirements and lockout policies.
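As an added example (not part of this page), the defender's side of the NTLM case above: a small Python check that scans Windows Security Event ID 4624 (successful logon) records for two commonly cited pass-the-hash cues, an NTLM network logon for a domain account where Kerberos would be expected, and a NewCredentials (type 9) logon through the seclogo logon process. The field names follow the 4624 event schema; the sample records, the CORP domain and the heuristics themselves are assumptions, and a match is a triage cue to compare against your baseline, not proof of an attack.

```python
import json

# Constructed sample records: Event ID 4624/4625 reduced to the fields the
# heuristic needs. Field names mirror the event's XML elements; values are made up.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "IpAddress": "10.0.0.55"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.0.0.20"}
{"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo", "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "-"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.0.9"}
{"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32", "TargetUserName": "bob", "TargetDomainName": "CORP", "IpAddress": "127.0.0.1"}
{"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "IpAddress": "10.0.0.55"}
"""


def parse_events(text):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event, domain="CORP"):
    """Return a reason string if a 4624 event matches a pass-the-hash cue, else None.
    Assumed heuristics: (1) type 3 network logon authenticated with NTLM for an
    account in our domain, where Kerberos is the expected package; (2) type 9
    NewCredentials logon via 'seclogo', the shape produced by 'runas /netonly'
    and by hash-injection tooling. Both need baselining before alerting."""
    if event.get("EventID") != 4624:
        return None
    user = event.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
        return None  # null sessions and machine accounts are noisy; handle separately
    logon_type = event.get("LogonType")
    pkg = event.get("AuthenticationPackageName", "")
    proc = event.get("LogonProcessName", "")
    if logon_type == 3 and pkg == "NTLM" and event.get("TargetDomainName", "").upper() == domain.upper():
        return f"NTLM network logon for domain account {user} from {event.get('IpAddress')}"
    if logon_type == 9 and proc.lower() == "seclogo" and pkg == "Negotiate":
        return f"NewCredentials (type 9) logon via seclogo for {user}"
    return None


def find_pth_indicators(text, domain="CORP"):
    """Run classify() over every record; return a list of (user, reason) hits."""
    hits = []
    for event in parse_events(text):
        reason = classify(event, domain)
        if reason:
            hits.append((event["TargetUserName"], reason))
    return hits


if __name__ == "__main__":
    for user, reason in find_pth_indicators(SAMPLE_EVENTS):
        print(f"[!] {user}: {reason}")
```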