CAPEC-644 - CERT CVE
Name

Use of Captured Hashes (Pass The Hash)

Summary

An adversary obtains (i.e. steals or purchases) the hash values of legitimate Windows domain credentials (e.g. a user ID and password) and uses them to access systems within the domain that rely on the LAN Manager (LM) and/or NT LAN Manager (NTLM) authentication protocols. When authenticating via LM or NTLM, the protocols do not require the account's plaintext credentials for a successful authentication; instead, the hashed credentials are used to decide whether an authentication attempt is valid. If an adversary obtains an account's hashed credentials, the hash values can be passed directly to a system or service to authenticate, without having to brute-force the hashes to recover their cleartext values. A successful Pass The Hash attack leaves the adversary fully authenticated as the targeted account, which can further allow the adversary to move laterally within the network, impersonate a legitimate user, and/or download and install malware on systems within the domain. This technique can be performed against any operating system that uses the LM or NTLM protocols, even if the operating system is not Windows-based, since such systems and accounts may still authenticate to a Windows domain.
Prerequisites

- The system/application is connected to the Windows domain.
- The system/application uses the LAN Manager (LM) and/or NT LAN Manager (NTLM) authentication protocols.
- The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Mitigations

- Prevent the use of LAN Manager and NT LAN Manager authentication on servers, and apply patch KB2871997 to Windows 7 and higher systems.
- Use multi-factor authentication for all authentication services and before granting an entity access to the domain network.
- Monitor system and domain logs for abnormal credential access.
- Create a strong password policy and ensure that your systems enforce it.
- Use penetration testing and other defense-in-depth methods to identify vulnerable systems within a domain.