Daniel Petri

In the constantly evolving landscape of cyber threats, the Overpass the Hash attack is a potent vector. Leveraging the NTLM authentication protocol, this attack enables adversaries to bypass the need for plaintext passwords. Instead, an Overpass the Hash attack employs a user’s hash to authenticate and potentially escalate privileges.

As organizations grapple with the challenges of securing their Active Directory infrastructures, understanding and countering these types of attacks has become a critical focus for IT security experts and administrators.

Related reading: Top Active Directory Hardening Strategies

What is an Overpass the Hash attack?

The Overpass the Hash attack is a post-exploitation technique in which an attacker uses a captured NTLM hash to authenticate to a service or server within an Active Directory domain. Unlike traditional Pass the Hash attacks, which continue within the same authentication session, Overpass the Hash attacks involve using the stolen hash to create a fully authenticated session in which the attacker can obtain fresh Kerberos tickets. This subtle yet powerful distinction enables the attacker to access resources as if they had the user’s password, effectively “overpassing” the need to acquire it through other means.

How does an Overpass the Hash attack work?

The Overpass the Hash attack commences with an attacker acquiring a user’s NTLM hash. This hash represents the user’s password, processed through the NTLM hashing algorithm. Attackers typically obtain the hash by exploiting vulnerabilities on a user’s machine or through social engineering tactics.

After acquiring the NTLM hash, the attacker uses a tool such as Mimikatz to inject the hash into their own security context. This step enables the attacker to use the stolen credentials to invoke the Windows API. This step is critical. Attempting to access resources by using the compromised machine might trigger alerts. Instead, the attacker uses the hash to authenticate from their own device or a controlled machine within the network.

Next, the attacker interacts with the Active Directory domain controller (DC), presenting the stolen hash during the NTLM authentication process. Here, the attacker uses the hash in a manner akin to a password. The DC, unable to distinguish the hash from a legitimate logon, authenticates the session and issues a Kerberos Ticket Granting Ticket (TGT). This TGT, encrypted with the domain’s krbtgt account secret keys, can be decrypted only by the DC; the attacker does not need to decrypt the TGT.

In the final phase, the attacker uses the obtained TGT to request service tickets from the DC. These tickets grant the attacker access to various services within the domain. This process, often referred to as the TGS-REQ Kerberos message, is part of the standard Kerberos protocol used for accessing resources within an Active Directory domain. The DC, believing the TGT to be legitimately obtained, returns service tickets that the attacker can use to access resources, authenticate to other machines, or perform actions on the network, all while masquerading as the compromised user.

What is particularly insidious about the Overpass the Hash attack is the ability to request service tickets for specific services or machines within the domain. The attack thus enables the attacker to target high-value assets or data repositories. Service tickets can have a relatively long lifespan and can be renewed, providing the attacker with a persistent mechanism to access resources until the user’s password is changed or the attack is mitigated.

What risks are associated with an Overpass the Hash attack?

The primary risk of an Overpass the Hash attack lies in its ability to provide attackers with unauthorized access to network resources and sensitive data. The attack also facilitates lateral movement within the network and can lead to privilege escalation if the compromised account has administrative rights. Because the attack leverages legitimate authentication mechanisms, it can be difficult to detect and can provide persistent access to attackers.

As is true for several other attacks, environments that employ NTLM for authentication are susceptible to Overpass-the-Hash attacks. But ask a roomful of 50 Active Directory administrators if they’ve eliminated NTLM authentication in their Active Directory forest, and maybe one will raise their hand. NTLM usage persists for several reasons:

  • Backward compatibility
  • Legacy application support
  • A lack of awareness or resources to transition to more secure protocols

For example, legacy applications that have not been updated to use modern authentication methods might require NTLM. Certain network-attached storage devices or older versions of Windows-based services default to NTLM. And some configurations of Microsoft Internet Information Services (IIS), when set to use Windows Authentication, leverage NTLM if the more secure Kerberos protocol is not properly configured or if clients do not support it. Older versions of SQL Server and other database services can be configured to authenticate users with NTLM, particularly when connecting from non-domain-joined systems or across a workgroup environment. Even using a resource’s IP address instead of its host name can lead to the system defaulting to NTLM for authentication.

Additionally, third-party applications—especially those designed for cross-platform compatibility—might use NTLM when interfacing with Windows systems. This is often the case with various collaboration and document management tools that need to integrate with Windows file sharing or older web applications. In some instances, network appliances like VPN concentrators or gateways, which need to authenticate users against Active Directory, might use NTLM if they are not fully integrated with Kerberos.

The products, devices, services, or applications that rely on NTLM do not inherently make an environment vulnerable to Overpass the Hash attacks. However, they do increase the attack surface. The combination of continued NTLM usage and insufficient security controls creates the vulnerability that Overpass the Hash attacks exploit. Transitioning away from NTLM to Kerberos or employing additional security measures (such as SMB signing), can significantly mitigate the risk.

How can you detect an Overpass the Hash attack?

Detecting an Overpass the Hash attack involves monitoring for unusual patterns of authentication and ticket requests within the Active Directory environment. Security professionals should configure logging and alerting for anomalies, including:

  • Unusual login times
  • Logins from atypical locations
  • Service ticket requests that do not follow normal user behavior

Advanced security information and event management (SIEM) systems can aid in correlating events and identifying potential attacks. However, some seriously damaging attacks are designed to evade event- and log-based monitoring.

Organizations should also monitor for the use of unexpected NTLM authentication; modern environments often favor Kerberos, making NTLM usage stand out. This type of attack is one in which user behavioral analysis really makes a difference.

How can you mitigate an Overpass the Hash attack?

Mitigating an Overpass the Hash attack requires a multifaceted approach.

  • Minimize the use of NTLM authentication and use Kerberos instead, wherever possible.
  • Implement strong password policies and avoid the use of the same passwords across different accounts to reduce the impact of hash theft.
  • Segment the network to help prevent lateral movement.
  • Implement account lockout policies to deter brute-force attempts.
  • Enable Credential Guard on Windows 10 and Windows Server 2016 and later to help prevent the extraction of plaintext passwords and NTLM hashes from memory.

In addition, Active Directory administrators should enforce actionable steps to protect against Overpass the Hash attacks:

  • Disable NTLM authentication on systems where it is not required and enforce the use of Kerberos.
  • Ensure that Local Administrator Password Solution (LAPS) is implemented to manage unique local administrator passwords.
  • Configure Group Policy to prevent the storage of NTLM hashes and to restrict NTLM traffic.
  • Employ advanced auditing and monitoring strategies to detect the anomalous use of NTLM and the presence of Overpass the Hash tools.
  • Train users to recognize phishing attempts and secure their credentials.
  • Keep systems patched and updated to mitigate the vulnerabilities that can lead to credential theft.

Defend against attacks that impersonate users

The Overpass the Hash attack constitutes a significant threat to Active Directory environments, capitalizing on the NTLM protocol to impersonate legitimate users. By leveraging stolen hash values, attackers can gain unauthorized access, compromising the integrity and confidentiality of organizational assets. Vigilance and proactive defense measures are essential to mitigating the risks associated with this attack vector.

As cyber adversaries continue to evolve their tactics, hardening your Active Directory environment against attacks like Overpass the Hash has become imperative. Administrators can thwart such attacks, protecting their systems from unauthorized access and maintaining the trustworthiness of their authentication mechanisms, through proactive measures, including:

Protecting hybrid Active Directory environments is a continuous process. Staying ahead of threats like Overpass the Hash requires a commitment to security best practices and a culture of awareness throughout the organization.