Pass-the-hash attacks are among the most difficult assaults to thwart. In these attacks, an intruder -- or an employee performing unauthorized activities -- gains administrative (or root) access to a computer where a user logs on. With that highly elevated access, the intruder can obtain the user's password hash from the machine's memory and log on to other computers as the spoofed user.
Once an outsider obtains elevated access, defending against the pass-the-hash attacks is very difficult. There are even free hacking tools available to aid the process. Even worse, pass-the-hash attacks work against very long passwords, smart cards, and many other logon tokens. There aren't a lot of defenses one can deploy to prevent them, which is why security admins fear them. However, defenses do exist.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Not just a Windows problem
Some people mistakenly believe that only Windows is vulnerable to pass-the-hash attacks. (I'll note that Microsoft is my full-time employer.) However, most of today's popular operating systems perform subject authentication (for example, user, computer, service/daemon) using password hashes. Those hashes sit in the computer's memory on those operating systems as readily as on Windows and can be obtained just as easily, if not more so, if public tools are on hand.
A little background first: In early and less complex operating systems, passwords were originally stored in plaintext form and often communicated between the logging-on client and the authentication server/service using an open, unencrypted communication channel. This still occurs on many insecure operating systems and programs, such as FTP and Telnet, although it is universally decried when found.
Operating system vendors decided that password hashes could make some types of password compromises harder to accomplish. With a good password hash, it's very unlikely or very difficult for a person obtaining the password hash to convert it back to its original plaintext. Even if the attacker gets the password hash database (in Windows, this is stored in the local SAM database or in the Active Directory database) or captures the hash on the network, he or she could not immediately convert it to its plaintext equivalent for use.
Prior to Windows Vista, Windows stored password hashes in two hash forms: LANManager and NT. IBM created LANManager in the early 1980s, and it's not considered secure. In fact, it's readily and easily crackable when used to protect Windows passwords up to 14 characters in length.