search

Pass-The-Hash(FOR LIN&WIN)

hashtag
Pass The Hash

A Pass the Hash (PTH) attack involves an attacker using a password hash in place of the actual password for authentication. This method allows the attacker to bypass the need to decrypt the hash to retrieve the password. PTH attacks take advantage of the fact that the authentication protocol accepts the hash directly, as it remains unchanged for all sessions until the password is altered.

hashtag
Windows PTH

hashtag
Mimikatz

mimikatz.exe privilege::debug "sekurlsa::pth /user:rio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:{DOMAIN} /run:cmd.exe" exit

Explanation:

  • privilege::debug - equivalent of admin rights

  • /user:carni7 - user we want to impersonate

  • /rc4 or /NTLM - user's password hash. rc4 is algorithm

  • /domain - The domain to which the user being impersonated belongs. For a local user account, you can use the computer name, localhost, or simply a dot (.)

  • sekurlsa::pth - mimikatz popular module, which is used for extracting credentials from LSASS.

  • /run:cmd.exe - Instructions to mimikatz to run cmd after injecting hash

hashtag
Invoke-TheHash

Besides mimikatz we could use Invoke-TheHasharrow-up-right for PTH on Windows. This tool uses PowerShell functions for performing Pass the Hash attacks with WMI and SMB. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.

  • SMB

  • WMI

hashtag
Linux PTH

hashtag
Impacket

Impacket has a lot of useful tools, but for this situtation we need only PsExec. Besides that we could use also wmiexecarrow-up-right, atexecarrow-up-right, smbexecarrow-up-right.

hashtag
CrackMapExec

hashtag
Evil-winrm

hashtag
RDP

By default, Windows has disabled Restricted Admin Mode, and we need to fix that by adding new registry key to DisableRestrictedAdmin

And then to use xfreerdp for Pass The Hash

PreviousDockerNextDetection And Evasion (FOR RT LATER)

Last updated