Pass The Hash, Pass The Ticket

unknowoperator · July 19, 2021, 10:53pm

Forgive my english.
I have a couple of questions related to “Pass-The-Hash” and “Pass-The-Ticket” attacks. I understand that both attacks allow an attacker to authenticate on a server using a previously obtained hash or ticket. My questions are the following:
1 - Are those attacks called that because the attacker provides (passes) to the attack/client tool a hash / a ticket instead of a password?
2 - If we had to describe accurately the attack, would the step where the attacker provides to the attack/client tool the hash/ticket be considered as part of the attack or is the attack exclusively the authentication attempt and the other step is more of a preparatory step.
Thank you.

jaa · July 20, 2021, 1:13am

Welcome @unknowoperator .

Yes. In mostly all modern authentication techniques , passwords are not passed during authentication, instead they pass the hashes. This makes hard to the sniffer/attacker to crack the passwords using rainbow tables or by any-other means. However, in Pass the Hash attack technique, instead of brute-forcing the hash for the password, the attacker can send the captured hash directly to the target to get the access.
for all these attacks, the attacker needs to capture the ticket/hashes first. This is known as Hash Harvesting. Using the harvested hash, they can perform the pass the hash attacks. So the harvesting is a separate process. The attacker can either brute-force the hash using rainbow tables to get the password (which is hard) or can rely on techniques such as pass the hash to gain the access on the target machine.

unknowoperator · July 20, 2021, 1:27am

Thank you for your answer. My questions were not clear enough (maybe because of my english).
My questions were mostly terminology and definition questions.

The first question was about terminology. I was wondering if the name of the attack came from the fact that instead of giving a password to the attack tool, the attacker gave a hash.
In NTLM authentication, the hash is not sent to the server but used to compute a new hash based on the hash and a challenge: hash(NT HASH + challenge)
The second question was related to what’s considered to be the attack:
a - The authentication attempt only. The user providing the gathered hash to the tool is a preparatory step only and not considered as part of the attack itself.
b - The user provides the gathered hash to the tool and the authentication attempt occurs.

jaa · July 20, 2021, 2:03am

It is named after the technique. since the technique is passing hash, the attack is called so. Same with pass the ticket.
“passing the hash part” is the attack. In your definition, its (a).
The preparatory step, Gathering the hash is known as hash harvesting.
But they are interrelated. Without harvesting, you can’t perform the attack .Just like Egg and chicken story.

Topic		Replies	Views
Authentication & Authorization (Challenge 2 )Missing Function Level Access Control Web Application Penetration Testing Professional red	1	340	September 10, 2021
Compared Digest with Salted Password Hash Lab9_1 Web Defense Professional blue , webapp	1	285	June 5, 2021
Stuck on MySQL Basics Lab Penetration Testing Student (SP) red , lab	3	1063	October 3, 2023
Authentication and Authorization Labs - Exercises Web Application Penetration Testing Professional red , ine , security , lab , cybersec	1	387	August 22, 2021
Authentication & Authorization Lab 2 Web Application Penetration Testing Professional red	5	455	November 17, 2021

Pass The Hash, Pass The Ticket

Related Topics