We've spent a lot of time on hashes already, but in this lesson I want to focus on just two things, and they're both attacks: the Pass the Hash attack and the Birthday Attack.

As we've previously discussed in our hashing lesson, passwords are stored on the server in their hashed format. Pass the Hash is a hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user's password instead of requiring the associated plaintext password, as you normally would have to do. Now, if an attacker is able to sniff that hash or steal it some other way, they don't need to brute force the cleartext password. Instead they can simply reuse the hash of that arbitrary user account and go and authenticate against remote systems and impersonate that user. In other words, from an attacker's perspective, hashes are functionally equivalent to the original password that generated them, and it means that they don't need to know your actual password to use your account as if they were you.

The Pass the Hash attack is very difficult to defend against because there are many possible exploits in Windows as well as in the applications that run on top of it. Any of these can be used by an attacker to elevate their permissions and then be able to pull off credential harvesting or hash harvesting that they can then use in a further attack using Pass the Hash. Also, only one machine in a Windows domain needs to be misconfigured or missing a critical security patch for a hacker to find their way in and be able to execute this technique. There are many penetration testing tools out there, such as Mimikatz, that give you the ability to automate this process of harvesting the hashes and conducting the attack.

To prevent the Pass the Hash attack you should ensure that only trusted operating systems are allowed to connect to your servers, that your Windows domains have their trusts set up properly, that workstations are all patched and updated, that your multifactor authentication is being used properly in the network, and that user accounts have been set up to use the concept of least privilege.

Now, the second type of attack that I want to talk about is called a Birthday Attack. The Birthday Attack occurs when an attacker is able to send two different messages through a hash algorithm and it results in the same identical hash digest, causing a collision. This attack gets its name from something called the Birthday Paradox, which says that if you have a random group of people, the chances are that you are going to have two people in that group with the same birthday. When I teach this course in person to a group of 30 people, most of the time two people in the class have the same birthday, at least the same month and day if not also the year. In fact, even though there are 365 days in a year, you only need 57 people in a room to get a 99% chance of having two identical birthdays. With 23 people in a room, your odds are 50/50. That's why in my classes of 30 students, more often than not we have identical birthdays.

In the world of hashes, two identical hash digests would result in a collision. Now if a hacker can find two different messages with the same hash, they can use this as an attack against your system. For example, if they found a match to your password's hash, they could bypass your authentication system even by entering the wrong password. For this reason we want to make sure we're using hashes with long output digests, so when we start using things like SHA-256 over MD5, this reduces the number of collisions and reduces the effectiveness of a Birthday Attack.
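As an added example that is not part of the lecture, the Python below computes the birthday-paradox odds quoted above (23 people for a 50/50 chance, 57 for 99%) and then runs the same random-trial search against a SHA-256 digest deliberately truncated to a small number of bits, so you can watch a collision appear after roughly the square root of the digest space; the truncation and the sample messages are constructed for illustration only.

```python
import hashlib
import math
import os
from typing import Dict, Optional, Tuple


def birthday_probability(n: int, space: int = 365) -> float:
    """Probability that at least two of n values drawn uniformly from `space`
    possibilities coincide (the classic birthday paradox)."""
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (space - k) / space
    return 1.0 - p_all_distinct


def people_needed(target: float, space: int = 365) -> int:
    """Smallest group size whose collision probability reaches `target`."""
    n = 1
    while birthday_probability(n, space) < target:
        n += 1
    return n


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits, standing in for a short digest.
    (Constructed for the demo; real systems should never truncate this far.)"""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Expected number of random messages before the first collision in a
    2**bits digest space: about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, max_trials: int = 1 << 20) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash random messages until two different ones share a
    truncated digest. Returns (msg_a, msg_b, digest) or None if the budget runs out."""
    seen: Dict[int, bytes] = {}
    for _ in range(max_trials):
        msg = os.urandom(8)          # constructed random sample message
        d = truncated_digest(msg, bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, d
        seen[d] = msg
    return None


if __name__ == "__main__":
    print("50% needs", people_needed(0.5), "people; 99% needs", people_needed(0.99))
    print("24-bit digest: expected ~%d trials" % expected_trials(24), find_collision(24))
```

Doubling the digest length squares the work: every extra bit of output only adds half a bit to the collision search, which is why a 128-bit digest like MD5 offers far less birthday resistance than SHA-256's 256 bits.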