Pass the Hash
ID: T1075 Tactic: Lateral Movement
Pass the hash (PtH) is a method is a method of authenticating a user without having access to the user's clear text password. This method bypasses standard authentication steps that require a clear text password, moving directly into the portion of the authentication that users the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access Technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.
Some great tools form demonstration are Mimikatz, CrackMapExec, Empire, PsExec, WMI.
In this demonstration I will use Mimikatz to pass the hash I will give a small demo with CrackMapExec and PSExec, I will link great references on these other techniques and frameworks.Since they also work fine but some are more Loud and we are trying to not go for that( at least).
For Mimikatz here we will combing a few tools to grab hashes we can simply use an Administrator Log and from there dump hashes but also we can use an Administrator login then use PSEXEC to escalate from Admin to SYSTEM and then Dump hashes.
Mimikatz
In this section of the Demo I will dump hashes with Mimikatz and then use PsExec to Move Laterally.
In the previous Image a use xfreerdp to connect to the target machine from here I proceeded to upload the tools necessary for PtH and lateral move, which will be mimikatz and PsExec.
I used the following syntax to dump hashes
mimikatz "privilege::debug::" "sekurlsa::logonpasswords" exit This will execute and exit since mimikatz start's its own window and working from a shell is kinda buggy for now. So my option was to execute and exit.
Dumping hashes we see Ryan's NTLM Hash we can use this to authenticate as this user with plenty of tools. I'll continue with mimikatz and then move to other's. Now here Ryan is an Administrator on DELTA. I will use PTT and then Log in to the Remote PC without ever using a clear-text password.
I will get an Access is denied error when I try to enumerate the c$ Share.
So how do we pass the hash with mimikatz. Well we continue with the following syntax "one-liner" will exit once executed:
mimikatz "privilege::debug" "sekurlsa::pth /user:Ryan /domain:WORKGROUP /ntlm:09238831b1af5edab93c773f56409d96" exit
And we can now list the directories on the remote machine.
Great so an Example was made with Mimikatz to authenticate to a remote machine but let's demonstrate with other tools, In the next one I will use CrackMapExec amazing tool written in python and great for these situations for more info on CrackMapExec. This amazing tool will be used to authenticate to SMB using the hash itself there are so many possibilities that can be done with this but I will focus on the Hash part only.
I will use Ryan's Hash to authenticate to the Machine using CrackMapExec.
crackmapexec smb 10.10.10.4 -u Ryan -H 09238831b1af5edab93c773f56409d96
You can also do it to the entire network.
Ryan is an Administrator in DESKTOP-DELTA, we can actually grab a shell on this machine from Kali we can use the Impacket tools, some examples are PSEXEC or WMIEXEC to pass the hash and grab a shell. Good rule of thumb is whenever there is a technique and it's Remote or anything that has to do with Remote 9/10 an Administrator is needed.
From here if you notice the wmiexec help menu you an see that it asks for LMHASH:NTHASH, but mimikatz only gives us the LM hash. No need to worry here usually the hash before : its an empty hash and doesn't show on mimikatz so it doesn't dump that, so to use wmiexec.py here we can just use the hash in this way :HASH
Same technique can be used when working with psexec.py we can pass a hash to authenticate and the extra on this tools is that once we login as the Administrator it will privesc to SYSTEM for us by default.
From Wikipedia's page it states this reason on why Pass The Hash works: Analysis of this mechanism has shown that the cleartext password is not required to complete network authentication successfully, only the hashes are needed.
So the reason is simple windows for Authentication doesn't authenticate with your password!!. It hashes first then uses the hash for authentication at a Network Level.
You can't use the hash for authentication such as Logging In, or Running as Admin [UAC]. This is at a Network Level usually when it's authenticating Remotely.
Last updated
