Pass-the-Hash and Credential Relay
Pass-the-Hash (PtH) and Credential Relay are critical attack techniques frequently covered in the GCIH certification; both exploit weaknesses in Windows authentication. **Pass-the-Hash (PtH):** Pass-the-Hash is a technique where an attacker obtains the NTLM (NT) hash of a user's password from memory (using tools like Mimikatz) or from the SAM database, then uses that hash directly to authenticate to remote systems without knowing the plaintext password. This works because NTLM is a challenge-response protocol keyed by the NT hash: the hash, not the password, is all a client needs to compute a valid response, so the plaintext is never involved. The attacker extracts hashes from compromised systems using tools like Mimikatz, secretsdump.py, or fgdump, then passes them to authenticate laterally across the network. PtH is particularly devastating where the local administrator password is reused across many machines, since one dumped hash then unlocks all of them. Mitigations include Credential Guard, disabling NTLM where possible, the Local Administrator Password Solution (LAPS), and least privilege. **Credential Relay (NTLM Relay):** Credential Relay, commonly known as NTLM Relay, involves an attacker intercepting an authentication attempt and forwarding (relaying) its messages to another target server. Unlike PtH, the attacker doesn't need to crack or even possess the hash; they act as a man-in-the-middle, passing the target's challenge to the victim and the victim's response back to the target in real time. Tools like Responder and ntlmrelayx are commonly used.
The attacker poisons name resolution protocols (LLMNR, NBT-NS) to intercept authentication attempts, then relays those authentications to access resources such as SMB shares, Exchange servers, or Active Directory (LDAP). Mitigations include requiring SMB signing, disabling LLMNR/NBT-NS, enforcing EPA (Extended Protection for Authentication) and LDAP channel binding, and preferring Kerberos to NTLM. Both techniques are built into exploitation frameworks like Metasploit, Impacket, and CrackMapExec. Understanding these attacks is essential for incident handlers to detect lateral movement, investigate breaches, and implement effective defensive measures in enterprise environments.
Pass-the-Hash and Credential Relay: A Comprehensive Guide for GIAC GCIH
Introduction
Pass-the-Hash (PtH) and Credential Relay attacks are among the most critical techniques tested on the GIAC GCIH (GIAC Certified Incident Handler) certification exam. These attack methods allow adversaries to move laterally through a network without ever needing to crack or know a user's plaintext password. Understanding these concepts is essential for incident handlers, penetration testers, and security analysts alike.
Why Pass-the-Hash and Credential Relay Are Important
Pass-the-Hash and Credential Relay attacks are important for several reasons:
1. Prevalence in Real-World Attacks: These techniques are used extensively by advanced persistent threat (APT) groups and red teamers. Credential reuse and relay feature in a large share of documented Windows intrusions that involve lateral movement.
2. Bypasses Traditional Authentication: These attacks circumvent the need to know a plaintext password. If an attacker can obtain a password hash or intercept an authentication attempt, they can impersonate the victim user.
3. Difficult to Detect: Because the attacker is using legitimate credentials (in hashed or relayed form), these attacks often appear as normal authentication events in logs, making detection challenging without specialized monitoring.
4. Enables Lateral Movement: Once initial access is achieved, PtH and relay attacks are the primary mechanisms for moving from one system to another, escalating privileges, and ultimately achieving objectives like domain compromise.
5. Core GCIH Exam Topic: The GCIH exam emphasizes understanding exploitation frameworks and password attacks, and PtH/credential relay falls squarely within this domain.
What Is Pass-the-Hash (PtH)?
Pass-the-Hash is an attack technique in which an attacker captures the NTLM hash of a user's password and then uses that hash directly to authenticate to remote services or systems, without needing to crack the hash to recover the plaintext password.
Key Concepts:
- In Windows environments, the NT hash (an unsalted MD4 of the UTF-16LE password) is what the system stores for an account (in the SAM, in NTDS.dit, and in LSASS memory for logged-on users) and what it uses as the key for NTLM network authentication. The hash itself is never sent over the wire.
- The NTLM authentication protocol is a challenge-response mechanism: the server sends a random challenge and the client returns a keyed MAC of it computed with the NT hash. The hash alone is therefore sufficient to compute the correct response; the plaintext password is never needed.
- An attacker who obtains the NTLM hash (from memory, the SAM database, or other sources) can inject this hash into their own authentication session and impersonate the user.
Where Hashes Can Be Obtained:
- LSASS Process Memory: The Local Security Authority Subsystem Service (lsass.exe) stores credentials in memory for single sign-on purposes. Tools like Mimikatz can extract hashes from LSASS.
- SAM Database: The Security Account Manager database on local systems stores local account NTLM hashes.
- NTDS.dit: The Active Directory database on domain controllers stores all domain user hashes.
- Cached Credentials: Windows caches domain credentials locally for offline logon scenarios.
- Network Capture: What a sniffer or Responder captures during NTLM authentication is the NTLMv1/NTLMv2 challenge-response (often called a "Net-NTLM" hash), not the NT hash itself. A captured response can be cracked offline or relayed, but it cannot be passed, because PtH needs the NT hash. The exception is NTLMv1 (and LM) responses, which are DES operations keyed by the NT hash and can be cracked back to the hash itself.
What Is Credential Relay (NTLM Relay)?
Credential Relay, commonly referred to as NTLM Relay, is an attack where the adversary intercepts an authentication attempt from a victim and relays (forwards) that authentication to a different target service in real time. Unlike Pass-the-Hash, the attacker does not need to possess the hash; they simply act as a man-in-the-middle, forwarding authentication messages between the victim and the target.
Key Concepts:
- The attacker positions themselves between the victim and a service (often through techniques like LLMNR/NBT-NS poisoning, WPAD abuse, or ARP spoofing).
- When the victim attempts to authenticate to what they believe is a legitimate service, the attacker captures the authentication messages and relays them to a target server.
- The target server believes it is communicating directly with the victim and grants access accordingly.
- This differs from Pass-the-Hash because the attacker is relaying a live authentication session rather than reusing a stored hash.
How Pass-the-Hash Works — Step by Step
Step 1: Initial Compromise
The attacker gains access to a system through phishing, exploitation of a vulnerability, or other means.
Step 2: Credential Extraction
Using tools such as Mimikatz, the attacker extracts NTLM hashes from the compromised system's memory (LSASS), SAM database, or other credential stores.
Example Mimikatz commands:
- sekurlsa::logonpasswords — dumps credentials from LSASS memory
- lsadump::sam — dumps hashes from the local SAM database
Step 3: Hash Injection / Authentication
The attacker uses the captured NTLM hash to authenticate to other systems on the network. Tools commonly used include:
- Mimikatz (sekurlsa::pth) — injects the hash into a new process
- pth-winexe / pth-smbclient — Linux-based tools for PtH
- Impacket's psexec.py, smbexec.py, wmiexec.py — Python-based tools that accept NTLM hashes for authentication
- CrackMapExec — a post-exploitation tool that supports PtH across multiple systems
- Metasploit's psexec module — accepts NTLM hashes for remote code execution
Step 4: Lateral Movement
Once authenticated, the attacker can execute commands, access file shares, move to additional systems, and escalate privileges — all without ever knowing the user's actual password.
How Credential Relay (NTLM Relay) Works — Step by Step
Step 1: Positioning (Man-in-the-Middle)
The attacker uses poisoning or spoofing techniques to intercept authentication requests. Common techniques include:
- LLMNR/NBT-NS Poisoning: Tools like Responder respond to broadcast name resolution queries, tricking victims into authenticating to the attacker.
- WPAD Abuse: The attacker responds to Web Proxy Auto-Discovery requests, forcing victims to send credentials.
- ARP Spoofing / DNS Spoofing: Redirecting traffic at the network layer.
Step 2: Capturing the Authentication Request
When the victim's system sends an NTLM authentication request (e.g., trying to access a network share), the attacker intercepts the initial negotiate and challenge-response messages.
Step 3: Relaying to Target
The attacker forwards the captured authentication messages to a target system (e.g., another server, a domain controller, an Exchange server, or an LDAP service). The target issues a challenge, which the attacker passes back to the victim. The victim responds with a valid response, which the attacker then forwards to the target.
Key tools for NTLM Relay:
- Responder (for poisoning and capturing)
- ntlmrelayx.py (from Impacket) — relays captured authentication to target services
- MultiRelay.py — part of the Responder toolkit
Step 4: Access Granted
The target system authenticates the session as the victim user. The attacker can then perform actions with the victim's permissions — execute commands, dump credentials, modify AD objects, or gain further access.
Key Differences Between PtH and NTLM Relay
- Pass-the-Hash: Requires the attacker to already possess the NTLM hash. Authentication is initiated by the attacker at their convenience. The hash can be reused multiple times.
- NTLM Relay: Does not require possession of the hash. Requires a live, real-time interception of an authentication attempt. The attack is opportunistic and must occur during the authentication session.
Defenses and Mitigations
Understanding defenses is critical for the GCIH exam:
Against Pass-the-Hash:
1. Use Credential Guard: Windows Credential Guard uses virtualization-based security to isolate NTLM hashes and Kerberos keys in a separate LSA process (LSAIso) that cannot be read even with SYSTEM privileges, defeating Mimikatz-style extraction from LSASS memory. It does not protect local SAM accounts, so it complements LAPS rather than replacing it.
2. Limit Local Administrator Account Reuse: Use Microsoft's Local Administrator Password Solution (LAPS) to ensure unique local admin passwords on every system.
3. Privileged Access Workstations (PAWs): Limit where privileged accounts are used to reduce hash exposure.
4. Disable NTLM Where Possible: Enforce Kerberos authentication and restrict NTLM usage via Group Policy.
5. Protected Users Security Group: Members of this AD group cannot use NTLM authentication and have additional protections.
6. Minimize Cached Credentials: Reduce the number of cached credentials stored on endpoints.
7. Network Segmentation: Limit lateral movement opportunities by segmenting networks.
Against NTLM Relay:
1. Require SMB Signing: When SMB signing is required on all systems (not merely enabled, which is the usual default on workstations and member servers; domain controllers require it by default), a relayed authentication is useless because the attacker, who never held the NT hash, cannot derive the session key needed to sign the messages. This is one of the most important mitigations for NTLM relay.
2. Enable LDAP Signing and Channel Binding: Prevents relay attacks targeting LDAP services.
3. Enable Extended Protection for Authentication (EPA): Binds authentication to the TLS channel, preventing relay to web services.
4. Disable LLMNR and NBT-NS: Eliminates the most common poisoning vector used to initiate relay attacks.
5. Disable WPAD: Prevents WPAD-based credential capture.
6. Enforce NTLMv2: While NTLMv2 does not fully prevent relay, it is more resistant than NTLMv1 and should be the minimum standard.
7. Disable NTLM Authentication Entirely: Where feasible, enforce Kerberos-only authentication.
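The following is an added example, not code from the original page or from any of the tools it names. It is a toy model of NTLMv2 (following the HMAC-MD5 constructions of MS-NLMP: NTOWFv2, NTProofStr and SessionBaseKey) that ties together three points made above: why holding the NT hash alone is enough to authenticate (the PtH key concepts), how a relay attacker shuttles a live exchange between victim and target without ever seeing the hash (the four relay steps), and why a required SMB signature leaves the relayed session unusable while PtH is unaffected. The NT hash, user, domain, challenges and the `Server` class are constructed for the example; the SMB signature is simplified to an HMAC under the session base key.

```python
"""Toy NTLMv2 model: Pass-the-Hash vs NTLM relay, with and without required signing.
Added example; constructed values only, no real credentials or protocol framing."""
import hashlib
import hmac
import os

# Constructed NT hash (in reality MD4 of the UTF-16LE password). Fixed here because
# MD4 is not available in hashlib on every Python build; PtH starts from the hash anyway.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "alice", "CORP"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain) over UTF-16LE text."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr || blob, where NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    Note what is absent: the plaintext password never enters the computation."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def session_base_key(nt_hash: bytes, user: str, domain: str, nt_proof: bytes) -> bytes:
    """SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr). Deriving it requires the NT hash."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), nt_proof, hashlib.md5).digest()


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for an SMB message signature keyed by the session key."""
    return hmac.new(key, message, hashlib.md5).digest()


class Server:
    """Constructed target service that knows alice's NT hash (as a DC or local SAM would)."""

    def __init__(self, nt_hash: bytes, require_signing: bool):
        self.nt_hash = nt_hash
        self.require_signing = require_signing
        self.challenge = os.urandom(8)  # fresh 8-byte ServerChallenge per session

    def verify(self, user: str, domain: str, response: bytes) -> bool:
        proof, blob = response[:16], response[16:]
        expected = ntlmv2_response(self.nt_hash, user, domain, self.challenge, blob)[:16]
        return hmac.compare_digest(proof, expected)

    def accept_signed(self, user: str, domain: str, response: bytes,
                      message: bytes, signature: bytes) -> bool:
        """Accept a follow-up message. When signing is required it must carry a MAC under
        the session key derived from the NT hash and this session's NTProofStr."""
        if not self.require_signing:
            return True
        key = session_base_key(self.nt_hash, user, domain, response[:16])
        return hmac.compare_digest(signature, sign(key, message))


def pass_the_hash(target: Server, stolen_nt_hash: bytes) -> bool:
    """Attacker holds only the NT hash (e.g. dumped from LSASS) and answers the challenge
    itself. Required signing is no obstacle: with the hash it derives the session key too."""
    blob = os.urandom(16)
    response = ntlmv2_response(stolen_nt_hash, USER, DOMAIN, target.challenge, blob)
    if not target.verify(USER, DOMAIN, response):
        return False
    message = b"SMB2 TREE_CONNECT \\\\target\\C$"
    key = session_base_key(stolen_nt_hash, USER, DOMAIN, response[:16])
    return target.accept_signed(USER, DOMAIN, response, message, sign(key, message))


def ntlm_relay(victim_nt_hash: bytes, target: Server) -> tuple:
    """Attacker never holds a hash. The victim (whose hash is used only on the victim's
    side) connects to the attacker after LLMNR poisoning; the attacker opens a session to
    the target and forwards messages between them. Returns (authenticated, session_usable)."""
    # Steps 1-2: victim talks to the attacker; attacker forwards the target's challenge.
    relayed_challenge = target.challenge
    # Step 3: victim answers that challenge with its own hash and hands it to the attacker.
    blob = os.urandom(16)
    victim_response = ntlmv2_response(victim_nt_hash, USER, DOMAIN, relayed_challenge, blob)
    # Step 4: attacker forwards the answer; the target authenticates the session as alice.
    authenticated = target.verify(USER, DOMAIN, victim_response)
    # To use the session the attacker must now send its own messages. Without the NT hash it
    # cannot derive the session key, so any signature is a guess; an unsigned session has no
    # such check and the relay succeeds.
    message = b"SMB2 TREE_CONNECT \\\\target\\C$"
    guessed_key = os.urandom(16)
    usable = authenticated and target.accept_signed(USER, DOMAIN, victim_response,
                                                     message, sign(guessed_key, message))
    return authenticated, usable


if __name__ == "__main__":
    print("PtH, signing required:", pass_the_hash(Server(NT_HASH, True), NT_HASH))
    print("Relay, signing not required:", ntlm_relay(NT_HASH, Server(NT_HASH, False)))
    print("Relay, signing required:", ntlm_relay(NT_HASH, Server(NT_HASH, True)))
```

The contrast the model makes explicit is that the target accepts the relayed response in both cases (authentication succeeds); what required signing removes is the attacker's ability to say anything on the resulting session. The same reasoning applies to LDAP signing and to EPA channel binding on HTTP: each binds follow-up traffic to a secret that only a holder of the NT hash can derive.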
Common Tools and Frameworks
The GCIH exam expects familiarity with common exploitation tools:
- Mimikatz: The gold standard for credential extraction and PtH on Windows. Key modules include sekurlsa::logonpasswords, sekurlsa::pth, and lsadump::sam.
- Impacket: A collection of Python tools for network protocol interaction. Key scripts include psexec.py, smbexec.py, wmiexec.py (for PtH), and ntlmrelayx.py (for NTLM relay).
- Responder: Used for LLMNR/NBT-NS/WPAD poisoning to capture or relay credentials.
- CrackMapExec (CME) / NetExec: A Swiss-army-knife post-exploitation tool that supports PtH, credential spraying, and enumeration across networks.
- Metasploit Framework: The exploit/windows/smb/psexec module supports PtH with NTLM hashes.
- Cobalt Strike: Commercial red team tool with built-in PtH capabilities.
Detection Strategies
For incident handlers (and the GCIH exam), knowing how to detect these attacks is essential:
- Event ID 4624 (Logon Type 3 — Network Logon): PtH against a remote system generates a network logon on that target with Authentication Package NTLM and Logon Process NtLmSsp. Look for unusual source IPs or workstation names, or accounts authenticating to systems they normally do not access. On the attacker's source host, Mimikatz sekurlsa::pth leaves a Logon Type 9 (NewCredentials) 4624, the same footprint as a legitimate runas /netonly, so treat it as a lead rather than a verdict.
- Event ID 4776: NTLM authentication events on domain controllers. A spike in NTLM authentications or NTLM auth from unexpected sources may indicate relay or PtH.
- Sysmon Event ID 10: Process access events targeting lsass.exe can indicate credential dumping (a precursor to PtH).
- Honey Tokens / Honey Credentials: Plant fake credentials in memory or LSASS. If these are used, it indicates credential theft and PtH.
- Network Monitoring: Look for anomalous SMB traffic, especially NTLM authentication to unexpected targets.
- Unusual Lateral Movement Patterns: Behavioral analytics can identify accounts accessing systems outside their normal baseline.
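As an added example, not code from the original page, the rule set below turns the detection ideas above into something that can be run over event records: an NTLM network logon (4624, type 3) from a source outside an account's baseline, a NewCredentials logon (4624, type 9) on an endpoint, an lsass.exe access from a non-allowlisted process (Sysmon 10), and one workstation validating many distinct accounts over NTLM at the domain controller (4776). The event records, hosts, accounts, IP addresses, the baseline and the lsass allow-list are all constructed for the sample and are not a baseline for any real environment.

```python
"""Constructed PtH / relay indicator rules over simplified Windows event records.
Added example; all hosts, accounts, addresses and thresholds are made up."""
from collections import defaultdict

# Constructed sample records, reduced to the fields each rule needs.
EVENTS = [
    # Normal: alice's NTLM network logon to the file server from her own workstation.
    {"id": 4624, "host": "FS01", "account": "alice", "logon_type": 3,
     "auth_pkg": "NTLM", "src_ip": "10.0.10.21", "workstation": "ALICE-PC"},
    # Suspicious: same account, NTLM network logon from an address never seen for alice.
    {"id": 4624, "host": "FS01", "account": "alice", "logon_type": 3,
     "auth_pkg": "NTLM", "src_ip": "10.0.99.7", "workstation": "KALI"},
    # Kerberos network logon from bob's known host: not of interest to these rules.
    {"id": 4624, "host": "FS01", "account": "bob", "logon_type": 3,
     "auth_pkg": "Kerberos", "src_ip": "10.0.10.22", "workstation": "BOB-PC"},
    # Logon type 9 (NewCredentials) on the endpoint: the footprint of sekurlsa::pth,
    # but also of a legitimate runas /netonly, so it is a lead rather than a verdict.
    {"id": 4624, "host": "ALICE-PC", "account": "alice", "logon_type": 9,
     "auth_pkg": "Negotiate", "src_ip": "127.0.0.1", "workstation": "ALICE-PC"},
    # Sysmon 10: a binary from a user profile opening lsass.exe with PROCESS_VM_READ.
    # Sysmon logs GrantedAccess as a hex string; it is stored as an int here.
    {"id": 10, "host": "ALICE-PC", "source_image": r"C:\Users\alice\Downloads\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
] + [
    # DC-side 4776: one source workstation validating many different accounts over NTLM,
    # the shape of a relay or spray campaign rather than one user's normal activity.
    {"id": 4776, "host": "DC01", "account": acct, "workstation": "KALI"}
    for acct in ("alice", "bob", "carol", "dave", "svc_backup")
]

# Constructed baseline: source addresses each account normally authenticates from.
BASELINE_SOURCES = {"alice": {"10.0.10.21"}, "bob": {"10.0.10.22"}}
# Constructed allow-list of processes that legitimately open lsass.exe for reading.
LSASS_READERS_ALLOWED = {r"C:\Windows\System32\csrss.exe",
                         r"C:\Windows\System32\wininit.exe",
                         r"C:\Windows\System32\svchost.exe"}
NTLM_ACCOUNTS_PER_SOURCE = 4   # distinct accounts per workstation before 4776 volume alerts
PROCESS_VM_READ = 0x0010       # the access right credential dumpers need on lsass


def unusual_ntlm_network_logon(e: dict) -> bool:
    """4624 / type 3 / NTLM from a source outside the account's baseline."""
    return (e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"
            and e["src_ip"] not in BASELINE_SOURCES.get(e["account"], set()))


def newcredentials_logon(e: dict) -> bool:
    """4624 / type 9: alternate credentials injected for network use."""
    return e["id"] == 4624 and e["logon_type"] == 9


def lsass_access(e: dict) -> bool:
    """Sysmon 10: lsass.exe opened with VM_READ by a process not on the allow-list."""
    return bool(e["id"] == 10
                and e["target_image"].lower().endswith("\\lsass.exe")
                and e["source_image"] not in LSASS_READERS_ALLOWED
                and e["granted_access"] & PROCESS_VM_READ)


def analyze(events: list) -> list:
    """Return a list of (rule, subject, detail) alerts for the given records."""
    alerts = []
    accounts_by_workstation = defaultdict(set)
    for e in events:
        if unusual_ntlm_network_logon(e):
            alerts.append(("unusual_ntlm_network_logon", e["account"], e["src_ip"]))
        if newcredentials_logon(e):
            alerts.append(("newcredentials_logon", e["host"], e["account"]))
        if lsass_access(e):
            alerts.append(("lsass_access", e["host"], e["source_image"]))
        if e["id"] == 4776:
            accounts_by_workstation[e["workstation"]].add(e["account"])
    # Aggregate rule: many distinct accounts validated over NTLM from one source.
    for workstation, accounts in accounts_by_workstation.items():
        if len(accounts) >= NTLM_ACCOUNTS_PER_SOURCE:
            alerts.append(("ntlm_many_accounts_one_source", workstation, len(accounts)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The per-account baseline is what makes the first rule useful in practice: NTLM type 3 logons are ubiquitous, so the signal is the pairing of account and source, not the event itself. The lsass rule keys on the access mask rather than the tool name because dumpers are easily renamed, while any process that reads lsass memory must request PROCESS_VM_READ.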
Exam Tips: Answering Questions on Pass-the-Hash and Credential Relay
1. Know the Difference Between PtH and NTLM Relay: The exam may present scenarios and ask you to identify which technique is being used. Remember: PtH uses a stolen hash to authenticate; NTLM Relay forwards a live authentication in real time without possessing the hash.
2. Remember That PtH Uses NTLM Hashes, Not Kerberos Tickets: Pass-the-Hash specifically involves NTLM hashes. If the question references Kerberos tickets (TGTs), that is Pass-the-Ticket or Overpass-the-Hash (also called Pass-the-Key), which are different techniques. Do not confuse them.
3. SMB Signing Is the Key Mitigation for NTLM Relay: If an exam question asks about the best or most effective defense against NTLM relay, the answer is almost always requiring SMB signing. This is a frequently tested point.
4. LLMNR/NBT-NS Poisoning Enables Relay: Questions about how an attacker captures credentials for relay will often reference LLMNR or NBT-NS poisoning using Responder. Know that disabling these protocols is a key preventive measure.
5. Know Your Tools: Be able to associate tools with techniques. Mimikatz = credential extraction and PtH. Responder = poisoning and capture. ntlmrelayx.py = NTLM relay. Impacket's psexec.py = remote execution with hashes.
6. Credential Guard Protects Against PtH: If a question asks about a Windows feature that prevents hash extraction from LSASS memory, the answer is Credential Guard (virtualization-based security).
7. LAPS Prevents Shared Local Admin Passwords: If a question discusses mitigating lateral movement via shared local administrator credentials, the answer involves LAPS (Local Administrator Password Solution).
8. Understand the Authentication Flow: Be prepared to explain or identify the steps: hash extraction → hash injection → authentication → lateral movement (for PtH), or poisoning → interception → relay → access (for NTLM relay).
9. NTLMv1 vs. NTLMv2: Know that NTLMv1 responses are easier to crack than NTLMv2 (and can be cracked back to the NT hash itself), and that NTLMv1 is also easier to relay. However, NTLMv2 is still vulnerable to relay; what stops relay is integrity protection on the target service (required SMB signing, LDAP signing, EPA/channel binding) or disabling NTLM altogether.
10. Protected Users Group: Members of the Protected Users security group in Active Directory cannot authenticate using NTLM, which mitigates PtH for those accounts. This is a commonly tested mitigation.
11. Read Scenario Questions Carefully: Exam questions often describe a specific attack sequence. Look for keywords: if you see 'hash was extracted from memory and used to authenticate,' it's PtH. If you see 'authentication was intercepted and forwarded to another server,' it's NTLM relay.
12. Index Your GCIH Courseware: Since GCIH is an open-book exam, create index entries for: Mimikatz, Pass-the-Hash, NTLM Relay, Responder, ntlmrelayx, SMB signing, Credential Guard, LAPS, LLMNR poisoning, and Protected Users group. Having quick access to these topics can save valuable time.
13. Overpass-the-Hash (Pass-the-Key): Be aware that this is a variation where an NTLM hash is used to request a Kerberos TGT, effectively converting a PtH attack into a Kerberos-based attack. This can bypass environments that have disabled NTLM but is a separate concept from traditional PtH.
14. Logon Events Matter for Detection: For detection-related questions, remember that PtH generates Event ID 4624 with Logon Type 3 and often uses the NTLM authentication package. Unusual patterns of Type 3 logons from unexpected sources are a key indicator.
Summary
Pass-the-Hash and Credential Relay are foundational attack techniques for lateral movement in Windows environments. For the GCIH exam, focus on understanding the mechanics of each attack, the tools involved, the key differences between them, the primary defensive measures (especially SMB signing, Credential Guard, and disabling LLMNR/NBT-NS), and how to detect these attacks through log analysis. Mastering these concepts will not only help you pass the exam but will also equip you with practical skills for real-world incident handling and response.