Red Team Notes

Pass the Hash

ID: T1075 Tactic: Lateral Movement


Pass the hash (PtH) is a method of authenticating as a user without having access to the user's clear-text password. It bypasses the standard authentication steps that require a clear-text password and moves directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. The captured hashes are then used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.

Some great tools for demonstration are Mimikatz, CrackMapExec, Empire, PsExec and WMI.

In this demonstration I will use Mimikatz to pass the hash, give a small demo with CrackMapExec and PsExec, and link great references on the other techniques and frameworks. They also work fine, but some are louder, and we are trying not to go for that (at least).

For Mimikatz we will combine a few tools to grab hashes: we can simply use an Administrator login and dump hashes from there, or we can use an Administrator login, then use PsExec to escalate from Admin to SYSTEM, and then dump hashes.

Mimikatz

In this section of the demo I will dump hashes with Mimikatz and then use PsExec to move laterally.

In the previous image I used xfreerdp to connect to the target machine; from there I proceeded to upload the tools necessary for PtH and lateral movement, which are Mimikatz and PsExec.

I used the following syntax to dump hashes:

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

This will execute and exit, since Mimikatz starts its own window and working from a shell is kinda buggy for now. So my option was to execute and exit.

Dumping hashes, we see Ryan's NTLM hash; we can use this to authenticate as this user with plenty of tools. I'll continue with Mimikatz and then move to others. Here Ryan is an Administrator on DELTA. I will use PtH and then log in to the remote PC without ever using a clear-text password.

Before passing the hash, I get an "Access is denied" error when I try to enumerate the c$ share.

So how do we pass the hash with Mimikatz? We continue with the following one-liner, which will exit once executed:

mimikatz "privilege::debug" "sekurlsa::pth /user:Ryan /domain:WORKGROUP /ntlm:09238831b1af5edab93c773f56409d96" exit

And we can now list the directories on the remote machine.

I will use Ryan's hash to authenticate to the machine using CrackMapExec.

crackmapexec smb 10.10.10.4 -u Ryan -H 09238831b1af5edab93c773f56409d96

You can also do this against the entire network.

Ryan is an Administrator on DESKTOP-DELTA, so we can actually grab a shell on this machine from Kali using the Impacket tools; some examples are psexec.py or wmiexec.py, which can pass the hash and grab a shell. A good rule of thumb: whenever a technique is remote, or has anything to do with remote access, 9 times out of 10 an Administrator is needed.

If you look at the wmiexec help menu you can see that it asks for LMHASH:NTHASH, but Mimikatz only gave us one hash (the NTLM one). No need to worry here: usually the hash before the ":" is an empty hash that Mimikatz doesn't show, so it doesn't dump it. To use wmiexec.py we can just pass the hash in this form: :HASH

The same technique can be used with psexec.py: we can pass a hash to authenticate, and the extra with this tool is that once we log in as the Administrator it will privesc to SYSTEM for us by default.

Wikipedia's page gives this reason why Pass the Hash works: "Analysis of this mechanism has shown that the cleartext password is not required to complete network authentication successfully, only the hashes are needed."

So the reason is simple: Windows doesn't authenticate with your password! It hashes it first, then uses the hash for authentication at the network level.

You can't use the hash for things like interactive logon or running as admin [UAC]. This works at the network level, usually when authenticating remotely.

Great, so an example was made with Mimikatz to authenticate to a remote machine, but let's demonstrate with other tools. In the next one I will use CrackMapExec, an amazing tool written in Python and great for these situations; for more info on . This tool will be used to authenticate to SMB using the hash itself. There are many possibilities with it, but I will focus on the hash part only.

CrackMapExec

We Don't Need No Stinkin' PSExec - TrustedSec - Information Security
Expanding Your Empire - harmj0y
Pass the Hash Attack Tutorial | Lateral Movement using LanMan or NTLM hashes - Attack Catalog
RDP From Kali