Pass the Hash
Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.
Example
Let's start with why this is a great technique for Defense Evasion. The most secure control a user normally faces is the logon screen shown at boot.
Now, how can we get past this step without the user's cleartext password, while avoiding login screens, prompts, and anything else that might give us away?
By passing the hash. This technique authenticates silently, and although it does create a log entry, that entry is Event ID 4624.
This demo uses PsExec, which works well for this example because it allows authentication with hashes. (You must already have a hash at this point; be creative: Mimikatz, CrackMapExec, lsassy.)
PsExec
In the above image, authentication using hashes succeeded. Be aware that there are some requirements for this to work: for example, a share with administrative access has to be available, and the LocalAccountTokenFilterPolicy registry value needs to be set to 1.
This topic is very extensive, and there are many tools that can help with it, including CrackMapExec, SMBExec, WmiExec, Lsassy, and others.
Please experiment and see what is left behind: maybe a file, or a log? When we use PsExec from Sysinternals, it leaves a registry key when the EULA is accepted, but what about PsExec.py?
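One log artifact is the Event ID 4624 entry mentioned above. The following is an added example, not part of the original page, showing how a defender might triage those events for NTLM network logons, with extra weight on RID 500 and local accounts. It assumes events were exported as dictionaries keyed by the 4624 event data field names; all hosts, SIDs and addresses are constructed, and the matching rules are hunting heuristics rather than proof of pass the hash.

```python
# Added example: triage Security event 4624 records for NTLM network logons.
# Keys mirror 4624 event data fields; every record below is constructed.
def logon(user, domain, sid, pkg, ip, logon_type=3, computer="FS01.corp.example"):
    return {"EventID": 4624, "Computer": computer, "LogonType": logon_type,
            "AuthenticationPackageName": pkg, "TargetUserName": user,
            "TargetDomainName": domain, "TargetUserSid": sid, "IpAddress": ip}

SAMPLE_EVENTS = [
    logon("alice", "CORP", "S-1-5-21-1-2-3-1104", "Kerberos", "10.0.0.21"),
    logon("Administrator", "FS01", "S-1-5-21-9-8-7-500", "NTLM", "10.0.0.66"),
    logon("svc_backup", "CORP", "S-1-5-21-1-2-3-1150", "NTLM", "10.0.0.66"),
    logon("ANONYMOUS LOGON", "NT AUTHORITY", "S-1-5-7", "NTLM", "10.0.0.30"),
    logon("WS07$", "CORP", "S-1-5-21-1-2-3-1201", "NTLM", "10.0.0.40"),
    logon("bob", "CORP", "S-1-5-21-1-2-3-1105", "NTLM", "10.0.0.22", logon_type=2),
]

def classify(ev):
    """Return the reasons a logon deserves review, or [] if it is out of scope."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return []  # only successful network logons are considered
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return []  # this sketch only covers NTLM authentication
    user = ev.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
        return []  # null sessions and machine accounts are routine noise
    reasons = ["NTLM network logon"]
    if ev.get("TargetUserSid", "").endswith("-500"):
        reasons.append("built-in Administrator (RID 500)")
    host = ev.get("Computer", "").split(".")[0].upper()
    if ev.get("TargetDomainName", "").upper() == host:
        reasons.append("local account")  # account domain is the machine itself
    return reasons

def triage(events):
    """Group reviewable logons by source address: {ip: [(user, reasons), ...]}."""
    by_source = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            entry = (ev["TargetUserName"], reasons)
            by_source.setdefault(ev.get("IpAddress", "-"), []).append(entry)
    return by_source

def multi_account_sources(events):
    """Sources that logged on as more than one account, a lateral-movement lead."""
    return sorted(ip for ip, hits in triage(events).items()
                  if len({user for user, _ in hits}) > 1)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_EVENTS).items():
        print(ip, hits)
```

Legitimate services also produce NTLM network logons, so treat the output as leads to correlate with the source host's expected behaviour.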
References:
https://eaneatfruit.github.io/2019/08/18/Offensive-Lateral-Movement/