Forgive my English.
I have a couple of questions related to “Pass-The-Hash” and “Pass-The-Ticket” attacks. I understand that both attacks allow an attacker to authenticate on a server using a previously obtained hash or ticket. My questions are the following:
1 - Are those attacks called that because the attacker provides (passes) to the attack/client tool a hash / a ticket instead of a password?
2 - If we had to describe the attack accurately, would the step where the attacker provides the hash/ticket to the attack/client tool be considered part of the attack, or is the attack exclusively the authentication attempt, with the other step being more of a preparatory step?
Welcome @othman.bouayad-6ddbb.
Yes. In almost all modern authentication techniques, passwords are not passed during authentication; instead they pass the hashes. This makes it hard for the sniffer/attacker to crack the passwords using rainbow tables or by any other means. However, in the Pass the Hash attack technique, instead of brute-forcing the hash for the password, the attacker can send the captured hash directly to the target to get access.
For all these attacks, the attacker needs to capture the ticket/hashes first. This is known as Hash Harvesting. Using the harvested hash, they can perform the pass the hash attacks. So the harvesting is a separate process. The attacker can either brute-force the hash using rainbow tables to get the password (which is hard) or rely on techniques such as pass the hash to gain access to the target machine.
Thank you for your answer. My questions were not clear enough (maybe because of my English).
My questions were mostly terminology and definition questions.
- The first question was about terminology. I was wondering if the name of the attack came from the fact that instead of giving a password to the attack tool, the attacker gave a hash.
In NTLM authentication, the hash is not sent to the server but used to compute a new hash based on the hash and a challenge: hash(NT HASH + challenge)
- The second question was related to what’s considered to be the attack:
a - The authentication attempt only. The user providing the gathered hash to the tool is a preparatory step only and not considered part of the attack itself.
b - The user provides the gathered hash to the tool and the authentication attempt occurs.
It is named after the technique. Since the technique is passing the hash, the attack is called so. Same with pass the ticket.
The “passing the hash” part is the attack. In your definition, it's (a).
The preparatory step, gathering the hash, is known as hash harvesting.
But they are interrelated. Without harvesting, you can’t perform the attack. Just like the chicken and egg story.