CAPEC-644: Use of Captured Hashes (Pass The Hash)

Description
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
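Because the hash alone is sufficient to complete LM/NTLM authentication, defenders typically look for the traces a captured hash leaves in logon telemetry rather than for the hash itself. The following Python is an added example, not part of the CAPEC entry: it runs two common detection heuristics over a handful of constructed Windows Security Event ID 4624 records. The field names mirror a normalized subset of 4624 (with an assumed `Computer` field for the host that recorded the event), and the two patterns, a NewCredentials logon (Logon Type 9) via the `seclogo` logon process with the Negotiate package on the source host, and NTLM network logons (Logon Type 3) by one account from one address to several hosts in a short window, are detection assumptions, not facts stated on this page.

```python
"""Detection heuristics for Pass-the-Hash activity in Windows logon events.

Added example, not part of CAPEC-644.  The event records below are
constructed by hand to mimic a normalized subset of Windows Security
Event ID 4624 fields ("Computer" is assumed to be the host that recorded
the event); they are not real log data.  The two heuristics are common
detection assumptions:

  1. A NewCredentials logon (Logon Type 9) handled by the "seclogo" logon
     process with the Negotiate package: the footprint on the source host
     when a captured NT hash is loaded into a fresh logon session instead
     of a password.
  2. NTLM network logons (Logon Type 3, package NTLM) by one account from
     one source address to several distinct hosts inside a short window:
     the lateral-movement phase the description mentions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data).
EVENTS = [
    {"Time": "2024-03-01T10:00:00", "Computer": "WS01", "EventID": 4624,
     "LogonType": 9, "TargetUserName": "alice", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "::1"},
    {"Time": "2024-03-01T10:00:05", "Computer": "SRV01", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "alice", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"Time": "2024-03-01T10:00:20", "Computer": "SRV02", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "alice", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"Time": "2024-03-01T10:00:40", "Computer": "SRV03", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "alice", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    # Benign: a single NTLM network logon by another account.
    {"Time": "2024-03-01T10:30:00", "Computer": "FS01", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "bob", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.9"},
    # Benign: an interactive Kerberos logon at the console.
    {"Time": "2024-03-01T11:00:00", "Computer": "WS02", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "carol", "LogonProcessName": "User32",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of an event record."""
    return datetime.fromisoformat(event["Time"])


def find_new_credentials_logons(events):
    """Heuristic 1: events matching the hash-injection footprint on a host."""
    return [
        e for e in events
        if e["EventID"] == 4624
        and e["LogonType"] == 9
        and e["LogonProcessName"].lower() == "seclogo"
        and e["AuthenticationPackageName"].lower() == "negotiate"
    ]


def find_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Heuristic 2: (source IP, account) pairs whose NTLM network logons
    reach at least `min_hosts` distinct hosts within `window`.
    Returns {(ip, account): sorted list of hosts reached}."""
    by_key = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"].upper() == "NTLM"):
            by_key[(e["IpAddress"], e["TargetUserName"].lower())].append(e)

    findings = {}
    for key, group in by_key.items():
        group.sort(key=_ts)
        # Slide a window starting at each logon; report the first burst.
        for i, start in enumerate(group):
            end = _ts(start) + window
            hosts = {e["Computer"] for e in group[i:] if _ts(e) <= end}
            if len(hosts) >= min_hosts:
                findings[key] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for e in find_new_credentials_logons(EVENTS):
        print(f"[possible hash injection] {e['Computer']} "
              f"{e['TargetUserName']} at {e['Time']}")
    for (ip, user), hosts in find_ntlm_fanout(EVENTS).items():
        print(f"[NTLM fan-out] {user}@{ip} -> {', '.join(hosts)}")
```

Neither heuristic proves misuse on its own: some administrative tooling legitimately creates Type 9 logons, and service accounts may fan out over NTLM by design, so both findings are meant as triage leads to be correlated with the account's baseline, not as standalone verdicts.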

Severity: High

Possibility: Medium

Type: Detailed
Prerequisites

  • The system/application is connected to the Windows domain.
  • The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
  • The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Skills required

  • Low: Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A list of known Windows credential hash value pairs for the targeted domain.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.