
Let's say the attacker got the username and the hashed password. How can he use it when authenticating to some service in its domain with, for example, NTLM?

How can he send the request as the compromised user? What tools and techniques should he use?

Bob Ortiz
Npv23g
  • Wikipedia says the password is hashed client side and then sent to the server after being hashed ... also the hash has no salt. If what I am reading is correct then the "Hash" is the clear text password for all intents and purposes ... I sure hope I'm wrong because that's terrible. – CaffeineAddiction Nov 01 '16 at 17:59
  • @CaffeineAddiction The good news is that that is wrong... sort of. In a Windows environment, grabbing the NTLM hash does not necessarily translate into easily cracking that hash and getting the user's plaintext password. NTLM isn't that well suited to protect passwords by today's standards--it's a very, very "fast" hashing method for password cracking programs to deal with--but if the user has a genuinely strong password, cracking his or her hash can still be impossible, as a practical matter. But, of course, how many users set truly strong passwords? – mostlyinformed Nov 03 '16 at 07:16
  • Just do it: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment – SDsolar Sep 07 '17 at 02:54

1 Answer

In a pass-the-hash scenario there is no salt mixed in with the password when a user authenticates. Because of this, an attacker can get the hash of the user's password when they authenticate to a service and then pass it along to authenticate to more services that use the same authentication scheme, without knowing the password. NTLM is an example of an authentication scheme that is vulnerable to this.

https://en.wikipedia.org/wiki/NT_LAN_Manager

kbh
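As an added illustration of the "no salt" point in the answer above (example code written for this page, not part of the original question or answer): the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt or per-user input, so two constructed users who share a password end up with byte-identical stored hashes, and the hash itself is the credential. A salted, iterated scheme (PBKDF2-HMAC-SHA256 here, chosen only for contrast) gives every user a different value even for the same password. MD4 is implemented inline so the example runs without OpenSSL's legacy provider; the user names and password are constructed sample data.

```python
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included so the example runs anywhere."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, then zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # 64-bit little-endian message length

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (function, word order, per-step shifts, round constant) for the three rounds
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                aa = _lrot((aa + fn(bb, cc, dd) + words[idx] + k) & MASK32, shifts[i % 4])
                # rotate the working variables so the next step updates d, then c, then b
                aa, bb, cc, dd = dd, aa, bb, cc
        a = (a + aa) & MASK32
        b = (b + bb) & MASK32
        c = (c + cc) & MASK32
        d = (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored for NTLM: MD4(UTF-16LE(password)); no salt, no user-specific input."""
    return md4(password.encode("utf-16-le")).hex()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated password hash for contrast (scheme chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def compare_schemes(password: str) -> dict:
    """Hash one password for two constructed users under both schemes and compare."""
    users = ("alice", "bob")                                  # constructed sample users
    nt = {u: nt_hash(password) for u in users}
    salted = {u: salted_hash(password, os.urandom(16)) for u in users}
    return {
        "nt_hashes_identical": nt["alice"] == nt["bob"],          # True: nothing per-user
        "salted_hashes_identical": salted["alice"] == salted["bob"],  # False: salt differs
        "nt": nt,
        "salted": salted,
    }


if __name__ == "__main__":
    result = compare_schemes("Winter2016!")                   # constructed sample password
    for scheme in ("nt", "salted"):
        for user, digest in result[scheme].items():
            print(f"{scheme:6} {user:5} {digest}")
    print("NT hashes identical:    ", result["nt_hashes_identical"])
    print("salted hashes identical:", result["salted_hashes_identical"])
```

The identical NT hashes are why the answer's point matters for defenders: the stored value is reusable as-is by anyone who obtains it, so protecting and monitoring access to where it is held (and preferring salted, slow schemes where the protocol allows) is the mitigation, not hoping the hash is hard to reverse.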