It is also retained in the memory of RDP server software. Once a user has provided their password once and the NTLM hash has been calculated, the hash is retained in memory for the rest of the session so subsequent authentication requests to different network resources do not need to keep prompting for the user’s credentials.īecause the NTLM hash is stored in memory, attackers can potentially extract the hash with the right tools, such as Mimikatz.įor logged on users, the NTLM hash is stored within the memory of the LSASS process on each computer. Windows uses a Single Sign On model for user authentication. Pass the hash is a post-compromise technique for further credential theft and lateral movement. The attacker must first obtain access to the network through some other technique such as using phishing emails for credential theft. If an attacker can obtain a copy of a user’s password hash, they are then able to commence an NTLM authentication starting from step 3 of the process above.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |