Giacomo Lanzi
Pass the hash: how to gain access without password
Estimated reading time: 6 minutes
Since the Internet has become widespread, tremendous progress has been made in awareness of the use of passwords. By now everyone knows what best practices are for setting a password (avoid standard passwords, use letters and numbers, avoid dates of birth, etc.). However, there is not much to rest assured, because hackers have another trick that could put your accounts at risk: the pass the hash attack.
Generally, password attacks can be mitigated by enforcing strong passwords, eliminating vendor defaults, and implementing a reasonable cyclical password replacement policy . Attacks on passwords, or rather on credentials, are still very popular, actually. One such attack is the so-called pass the hash or PtH .
These attacks are seen by some as a problem with older Windows systems. A little bit true, but they are still a threat. In fact, the Pass the Hash is still the subject of a lot of material that can be recovered with a simple Google search, both to understand how to defend oneself and to learn how to attack.
The hashes
Before understanding what the Pass the Hash attack is, it is best to clearly define what a Hash is.
Security researchers have known since the dawn of modern computing that memorizing passwords in the clear is a bad security practice . For this, they came up with the idea of passing the plain text string through a special 1-way encryption function to produce a hash . A hash is a mathematical code of a predetermined length that derives and uniquely represents the password , but cannot be mathematically reversed or reveal what the starting password is.
In practice, this is a string of alphanumeric characters generated starting from the password.
The key point is that on both Windows and Linux systems the hash password is stored instead of the readable one. If you think about it, the hash acts as a proxy for identity: if you can prove you have it, it’s like an entrance ticket.
On Windows, the authentication protocol NTLM involves exchanging messages to confirm that users have the hash without actually sending it in the communication . This authentication technique is at the heart of how Active Directory (the heart of the Windows Server system), supports remote logins within a domain and is also used for other Windows services, in especially remote access to files.
Pass the Hash
The operating system stores hashes in memory to implement Single Sign On or SSO , which is a essential feature of Windows corporate environments. So far, so good, it would seem.
For example, on a laptop the user initially logs in with the password, Windows hash it and stores it so that when, for example, you access a remote directory or use other services where you need to prove your identity, you don’t need to re-enter your password. Windows uses the stored hash .
This behavior is sufficient for hackers. Through the use of RAM scrapers used on devices, hackers can peek into RAM and retrieve hashes . Unsurprisingly, there are toolkits on the net that allow hackers to steal credentials from memory and log in as that user.
This is one of the weaknesses of the SSO system. Hackers must not crack hashes (i.e. try to decrypt them), but simply reuse them or pass them to an authentication server , hence the name pass the hash .
Pass the Hash exploits a feature not a bug
The assumption of this attack is that the hacker gains administrator permissions for a first user’s machine. Anyone in the industry will tell you it’s not necessarily difficult to do.
In a typical exploit, the hacker will take some hashes , log into other servers and continue the process of accumulating credentials. If he manages to hit the jackpot, that is, get to a domain controller or SQL server, it may be able to get the hashes of all users on the system.
Unfortunately, pass the hash is a feature of Windows, not a bug! NTLM authentication is actually using hash to implement the SSO protocol , saving the user the trouble of entering the password. Hackers are only using this feature for their own purposes.
In order not to be too hard on Windows systems, it must be said that pass the hash is also a problem in Linux systems that implement the communication protocol Kerboros , where there is an equivalent Pass the Ticket or PtT attack.
Here’s the most important thing to keep in mind: You can’t prevent the Pass the Hash attack, you can only mitigate or greatly reduce the chance of this attack occurring .
Preventing the exploit
To date, this type of attack is used by the worst ransomware software.
The attack would happen like this: Once the ransomware hits, it acquires administrator privileges and, in addition to encrypting all data on the disk, uses the hashes found to perform dei lateral movement . Having obtained access to another machine on the network, proceeds to encrypt the data present on it, spreading rapidly over a network.
The only way to eliminate the chances of pass the hash attack would be to not use the Single Sign-On system for authentication. In this case, the hashes would not exist at all and they could not be exploited for the attack. Unfortunately, it is not easy to eliminate such a convenient system that makes access management so simple and convenient for users.
The SOD solution
Another mitigation method is to implement SIEM and UEBA
Thanks to the SOC as a Service service offered by SOD, in fact, the network is monitored and controlled by an artificial intelligence that reports any possible suspicious behavior. em> lateral movement is thus immediately detected and blocked, as well as dubious requests for access to computers on the corporate network.
Technology advances and new defense solutions are being implemented, but equally attackers discover new ways to exploit vulnerabilities.
To greatly reduce the risk of data loss or fraudulent access, you must always keep up with the times.
If you are interested in knowing how our SOCaaS could help your company, do not hesitate to contact us, we will be happy to answer all your questions. < / p>
Useful links:
Share
RSS
More Articles…
- From Secure Online Desktop to Cyberfero: rebranding of the leading cybersecurity company
- NIS: what it is and how it protects cybersecurity
- Advanced persistent threats (APTs): what they are and how to defend yourself
- Penetration Testing and MFA: A Dual Strategy to Maximize Security
- Penetration Testing: Where to Strike to Protect Your IT Network
- Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.
- Why IT audit and log management are important for Cybersecurity
- Red Team, Blue Team and Purple Team: what are the differences?
Categories …
- Backup as a Service (18)
- Acronis Cloud Backup (11)
- Veeam Cloud Connect (4)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (22)
- Conferenza Cloud (4)
- Cyberfero (15)
- ICT Monitoring (5)
- Log Management (2)
- News (25)
- ownCloud (4)
- Privacy (7)
- Security (203)
- Cyber Threat Intelligence (CTI) (8)
- Deception (4)
- Ethical Phishing (11)
- Netwrix Auditor (2)
- Penetration Test (11)
- Posture Guard (3)
- SOCaaS (65)
- Vulnerabilities (84)
- Web Hosting (15)
Tags
Unknown Feed
Full Disclosure
- iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5) July 1, 2025Posted by josephgoyd via Fulldisclosure on Jun 30Title: iOS Activation Flaw Enables Pre-User Device Compromise Reported to Apple: May 19, 2025 Reported to US-CERT: May 19, 2025 US-CERT Case #: VU#346053 Vendor Status: Silent Public Disclosure: June 26, 2025 ------------------------------------------------------------------------ Summary ------------------------------------------------------------------------ A critical vulnerability exists in Apple’s iOS activation pipeline that allows...
- Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag June 26, 2025Posted by Brian Carpenter via Fulldisclosure on Jun 25Hey list, You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed tag on your website. The bug is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It panics with: panic: runtime error: slice bounds out […]
- CVE-2025-32978 - Quest KACE SMA Unauthenticated License Replacement June 24, 2025Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated License Replacement Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April...
- CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload June 24, 2025Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated Backup Upload Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025...
- CVE-2025-32976 - Quest KACE SMA 2FA Bypass June 24, 2025Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: 2FA Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity: HIGH...
- CVE-2025-32975 - Quest KACE SMA Authentication Bypass June 24, 2025Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Authentication Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity:...
- RansomLord (NG v1.0) anti-ransomware exploit tool June 24, 2025Posted by malvuln on Jun 23First official NG versioned release with significant updates, fixes and new features https://github.com/malvuln/RansomLord/releases/tag/v1.0 RansomLord (NG) v1.0 Anti-Ransomware exploit tool. Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption. Lang: C SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A Deweaponize feature PoC video:...
- Disclosure Yealink Cloud vulnerabilities June 24, 2025Posted by Jeroen Hermans via Fulldisclosure on Jun 23Dear all, ---Abstract--- Yealink RPS contains several vulnerabilities that can lead to leaking of PII and/or MITM attacks. Some vulnerabilities are unpatched even after disclosure to the manufacturer. ---/Abstract--- We are Stefan Gloor and Jeroen Hermans. We are independent computer security researchers working on a disclosure process […]
- : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) June 18, 2025Posted by josephgoyd via Fulldisclosure on Jun 17"Glass Cage" – Sophisticated Zero-Click iMessage Exploit ChainEnabling Persistent iOS Compromise and Device Bricking CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885) Author: Joseph Goydish II Date: 06/10/2025 Release Type: Full Disclosure Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery) Delivery Vector: iMessage (default configuration) Impact: Remote Code Execution, Privilege Escalation, Keychain […]
- SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) June 18, 2025Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17SEC Consult Vulnerability Lab Security Advisory < 20250612-0 > ======================================================================= title: Reflected Cross-Site Scripting product: ONLYOFFICE Docs (DocumentServer) vulnerable version:
Customers
Twitter FEED
Recent activity
-
SecureOnlineDesktop
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
-
SecureOnlineDesktop
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
-
SecureOnlineDesktop
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
-
SecureOnlineDesktop
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
-
SecureOnlineDesktop
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF
Newsletter
{subscription_form_1}Products and Solutions
Partners
Cloud Models
News
- From Secure Online Desktop to Cyberfero: rebranding of the leading cybersecurity company May 6, 2024
- NIS: what it is and how it protects cybersecurity April 22, 2024
- Advanced persistent threats (APTs): what they are and how to defend yourself April 17, 2024
- Penetration Testing and MFA: A Dual Strategy to Maximize Security April 15, 2024
- Penetration Testing: Where to Strike to Protect Your IT Network March 25, 2024
Google Reviews
Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Ottimo supportoread more
E' un piacere poter collaborare con realtà di questo tiporead more
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
About
© 2024 Cyberfero s.r.l. All Rights Reserved. Sede Legale: via Statuto 3 - 42121 Reggio Emilia (RE) – PEC [email protected] Cod. fiscale e P.IVA 03058120357 – R.E.A. 356650 Informativa Privacy - Certificazioni ISO