Pass-the-Hash

In many ways, the advancement of hacking has truly come to the fore. Attack vectors are coalescing, evolving and advancing the breadth and scope of their impact. There's no better example of this than the pass-the-hash technique, considered by security expert Ed Skoudis to be one of 2010's most dangerous attack vectors.

Attackers use this technique against Windows systems to bounce through domains across the enterprise, using stolen hashes instead of passwords to authenticate. Pass-the-hash is a boon for business. Attackers no longer have to spend a lot of time guessing password combinations. Now, if the attacker can get access to the password hashes by dumping them from a Windows SAM database, by sniffing the hashes in an authentication exchange on the network, or by compromising a user's currently logged-in session on a computer, he or she may be able to grab the cached authentication credentials from memory.

"That's just the design of Windows," said Skoudis. "[Windows] also remembers your hashes once you log in so that you can access other file servers or domains without having to type in your password again and again."

So naturally, one might wonder if this is a Windows design flaw or an example of how convenience almost always comes with some strings attached.

"It's an elegant attack at the very heart of Windows authentication," Skoudis said, noting that while endemic to Windows, there still are ways to protect the machine. Most importantly, keep a system patched and only give administrator privileges to people who absolutely require them.

Users should not be surfing the Web or reading e-mail logged in with an account in the administrator's group, according to Skoudis. Instead, they should use non-admin accounts for day-to-day computing activities. Attackers will have a more difficult time getting hashes to pass.

While anyone who runs Windows is at risk, attackers tend to target companies that store sensitive information. Once an attacker takes over one system, they can steal the hashes and use them to pivot around a target environment, gaining access to other machines. In fact, though Skoudis couldn't discuss details, he noted pass-the-hash has been the key attack vector used in some large-scale credit card breaches.