Pass the Hash
Last updated
Last updated
Pass the hash (PtH) is a method of authenticating a user without having access to the user's clear-text password. This method bypasses standard authentication steps that require a clear text password, moving directly into the portion of the authentication that users the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access Technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.
Some great tools for demonstration are Mimikatz, CrackMapExec, Empire, PsExec, and WMI.
In this demonstration I will use Mimikatz to pass the hash I will give a small demo with CrackMapExec and PSExec, and I will link great references on these other techniques and frameworks. Since they also work fine but some are louder and we are trying to not go for that( at least).
For Mimikatz here we will combine a few tools to grab hashes we can simply use an Administrator Log and from there dump hashes but also we can use an Administrator login and then use PSEXEC to escalate from Admin to SYSTEM and then Dump hashes.
In this section of the Demo, I will dump hashes with Mimikatz and then use PsExec to Move Laterally.
In the previous Image a used xfreerdp to connect to the target machine from here I proceeded to upload the tools necessary for PtH and lateral move, which will be mimikatz and PsExec.
I used the following syntax to dump hashes
mimikatz "privilege::debug::" "sekurlsa::logonpasswords" exit
This will execute and exit since mimikatz start's its window and working from a shell is kinda buggy for now. So my option was to execute and exit.
Dumping hashes we see Ryan's NTLM Hash we can use this to authenticate as this user with plenty of tools. I'll continue with mimikatz and then move to others. Now here Ryan is an Administrator on DELTA. I will use PTT and then Log in to the Remote PC without ever using a clear-text password.
I will get an Access is denied error when I try to enumerate the c$
Share.
So how do we pass the hash with mimikatz. Well we continue with the following syntax "one-liner" will exit once executed:
mimikatz "privilege::debug" "sekurlsa::pth /user:Ryan /domain:WORKGROUP /ntlm:09238831b1af5edab93c773f56409d96" exit
And we can now list the directories on the remote machine.
Great so an Example was made with Mimikatz to authenticate to a remote machine but let's demonstrate with other tools, In the next one I will use CrackMapExec amazing tool written in python and great for these situations for more info on CrackMapExec. This amazing tool will be used to authenticate to SMB using the hash itself there are so many possibilities that can be done with this but I will focus on the Hash part only.
I will use Ryan's Hash to authenticate to the Machine using CrackMapExec.
crackmapexec smb 10.10.10.4 -u Ryan -H 09238831b1af5edab93c773f56409d96
You can also do it to the entire network.
Ryan is an Administrator in DESKTOP-DELTA, we can grab a shell on this machine from Kali we can use the Impacket tools, some examples are PSEXEC or WMIEXEC to pass the hash and grab a shell. A good rule of thumb is whenever there is a technique and it's Remote or anything that has to do with Remote 9/10 an Administrator is needed.
From here if you notice the wmiexec help menu you can see that it asks for LMHASH: NTHASH, but mimikatz only gives us the LM hash. No need to worry here usually the hash before:
is an empty hash and doesn't show on mimikatz so it doesn't dump that, so to use wmiexec.py here we can just use the hash in this way: HASH
The same technique can be used when working with psexec.py we can pass a hash to authenticate and the extra on this tool is that once we log in as the Administrator it will privesc to SYSTEM for us by default.
Wikipedia's page states this reason why Pass The Hash works: Analysis of this mechanism has shown that the cleartext password is not required to complete network authentication successfully, only the hashes are needed.
So the reason is simple windows for Authentication don't authenticate with your password!!. It hashes first and then uses the hash for authentication at a Network Level.
You can't use the hash for authentication such as Logging In, or Running as Admin [UAC]. This is at a Network Level usually when it's authenticating Remotely.