Full Report
Hernan Ochoa from Core has released the Pass the Hash Toolkit which is very cool.. It basically means that you don't have to bother cracking a password on a taken machine anymore, you can simply use his iam.exe to associate the captured hash with your current session.. Its accompanying whoisthere.exe means you can grab hashes easily and the fact that it's all released with source means you should be able to use it on a customer network without a sinking feeling in your stomach :>
Analysis Summary
# Tool/Technique: Pass the Hash Toolkit (PSHToolkit)
## Overview
The Pass the Hash Toolkit, released by Hernan Ochoa of Core, is a set of tools designed to facilitate credential misuse by allowing an attacker to leverage captured password hashes directly for authentication, bypassing the need for password cracking.
## Technical Details
- Type: Tool
- Platform: Likely Windows (implied by the nature of NTLM pass-the-hash attacks)
- Capabilities: Capturing password hashes and using captured hashes to authenticate/associate the current session under a different user's context.
- First Seen: August 16, 2007
## MITRE ATT&CK Mapping
The primary functionality described maps strongly to credential access and lateral movement techniques involving credential material.
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping
    - T1003.001 - LSASS Memory (implied via the hash capture capability)
- **TA0008 - Lateral Movement**
  - T1550 - Use Alternate Authentication Material
    - T1550.002 - Pass the Hash
## Functionality
### Core Capabilities
* **Hash Theft/Acquisition:** Utilizing `whoisthere.exe` to easily acquire password hashes from the compromised machine (implying interaction with services like SAM or LSA).
* **Hash Re-use/Session Association:** Utilizing `iam.exe` to associate the captured hash with the current session, allowing the attacker to impersonate the user whose hash was captured without knowing the plaintext password.
### Advanced Features
* **Source Code Availability:** The toolkit was released with source code, allowing users to inspect, modify, or compile the tools as needed, which increases their trustworthiness for use in legitimate penetration testing environments ("without a sinking feeling in your stomach").
## Indicators of Compromise
*Note: As this summary is based on a description of a publicly released toolkit, specific hashes/indicators are not provided directly in the text. The indicators listed below are generalized based on the expected behavior of the described executables.*
- File Hashes: [Not specified in context]
- File Names: `iam.exe`, `whoisthere.exe`
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: Attempting to query or dump session/credential information (hashes) from memory or storage; attempting to utilize captured NTLM/LM hashes for Windows service authentication.
## Associated Threat Actors
The toolkit was released publicly by Core Security, suggesting initial use in Red Team/Penetration Testing operations. It is a foundational tool that likely influenced later development by various threat actors mimicking these attack patterns.
## Detection Methods
Detection focuses on the behavior of these specific tools as they perform NTLM hash operations, falling back to command-line arguments known to be associated with them when signature identification fails.
- Signature-based detection: Signatures for the specific filenames (`iam.exe`, `whoisthere.exe`) when they appear outside of expected locations such as sanctioned tool repositories.
- Behavioral detection: Monitoring for processes that read memory regions associated with credential storage (such as LSASS), and for NTLM network authentications backed by a reused captured hash rather than by a normally established logon session (indicating credential reuse).
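The two detection approaches above, combined into one correlation rule as an added example (not code from the original post or from the toolkit): a known toolkit filename launched outside an allowlisted tool repository, followed shortly by an NTLM network logon from the same host. The event records, the allowlisted directory `C:\Tools\Pentest`, and the ten-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Filenames named in the post; the allowlisted directory is an assumption.
TOOL_NAMES = {"iam.exe", "whoisthere.exe"}
ALLOWED_TOOL_DIRS = {r"c:\tools\pentest"}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value

# Constructed sample events: Sysmon-style process creation (id 1) and
# Security 4624 network logons (logon_type 3) with their auth package.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "time": "2007-08-16T10:00:00",
     "image": r"C:\Windows\Temp\whoisthere.exe"},
    {"id": 1, "host": "ws01", "time": "2007-08-16T10:01:00",
     "image": r"C:\Windows\Temp\iam.exe"},
    {"id": 4624, "host": "ws01", "time": "2007-08-16T10:03:00",
     "logon_type": 3, "auth_package": "NTLM", "user": "admin", "target": "srv01"},
    {"id": 1, "host": "ws02", "time": "2007-08-16T11:00:00",
     "image": r"C:\Tools\Pentest\iam.exe"},          # sanctioned repo, no alert
    {"id": 4624, "host": "ws03", "time": "2007-08-16T12:00:00",
     "logon_type": 3, "auth_package": "Kerberos", "user": "bob", "target": "srv01"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def is_tool_outside_repo(event):
    """Signature rule: toolkit filename started from a non-allowlisted directory."""
    if event["id"] != 1:
        return False
    p = PureWindowsPath(event["image"])
    return p.name.lower() in TOOL_NAMES and str(p.parent).lower() not in ALLOWED_TOOL_DIRS


def find_pth_candidates(events):
    """Behavioral rule: NTLM network logon shortly after a toolkit launch on the same host.
    Returns (host, user, target, tool) tuples, attributed to the most recent launch."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    launches = [e for e in events if is_tool_outside_repo(e)]
    alerts = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth_package"] != "NTLM":
            continue
        for launch in reversed(launches):
            delta = _ts(e["time"]) - _ts(launch["time"])
            if launch["host"] == e["host"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                alerts.append((e["host"], e["user"], e["target"],
                               PureWindowsPath(launch["image"]).name))
                break
    return alerts
```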
## Mitigation Strategies
The core mitigation involves preventing the necessary precursor steps (hash dumping) and restricting authentication methods that permit hash reuse.
- Prevention measures: Implementing credential protection technologies (e.g., Credential Guard) to shield LSASS memory.
- Hardening recommendations: Enforcing LAPS (Local Administrator Password Solution) to ensure local administrator hashes are unique and frequently rotated; disabling NTLM authentication where feasible, or limiting NTLM fallback options.
## Related Tools/Techniques
This methodology is foundational to many later tools:
* Mimikatz (which performs similar functionalities, including LSA/LSASS access and hash credential usage).
* Responder (for hash capture via poisoning).
* CrackMapExec (for later application of captured credentials).