Pass-the-Hash (NTLM)

Refer to the following resources for more information on the relevant topics:

  1. pass-the-hash attack.

  2. NetNTLM authentication

The Pass-the-Hash (PtH) method relies on how NTLM authentication works: the NTLM challenge-response is computed from the user's NT hash (MD4 of the UTF-16LE encoded password), never from the password itself, so anyone holding that hash can authenticate to any host or domain that accepts NTLM. We therefore do not need to crack the NTLM hashes at all; the actual password is never required to authenticate successfully.

Mimikatz provides two methods to retrieve the NTLM hashes:

a. Local SAM

b. LSASS memory

Before we attempt to harvest the credentials, run the following two modules so that mimikatz holds SeDebugPrivilege and an elevated (SYSTEM) token; refer to the mimikatz documentation for more information on each module.

mimikatz # privilege::debug
mimikatz # token::elevate

(1) Local SAM

This method retrieves only the hashes of local accounts stored in the machine's SAM database; it does not return any domain user's hashes.

mimikatz # lsadump::sam

Eg. We have found the user jarrett.gxz with the NTLM hash value 1b2axxxx:

mimikatz # lsadump::sam

RID  : xxxx
User : jarrett.gxz
  Hash NTLM: 1b2axxxx

(2) LSASS memory

This method reads the memory of the LSASS process (the sekurlsa::logonpasswords module) and retrieves the NTLM hashes of local users as well as of any domain user whose logon session is still held in LSASS, i.e. anyone who has logged on to the machine recently.

Eg. We have found the user jarrett.gxz in the domain test.domain, with the NTLM hash value 1b2axxxx.

Perform Pass-the-Hash

Note that we first have to run token::revert to return to our original token, because sekurlsa::pth does not work while the elevated SYSTEM token obtained from token::elevate is in use.

We can view the sekurlsa::pth module (with its /user:, /domain:, /ntlm: and /run: parameters) as the equivalent of runas /netonly with a hash instead of a password: the spawned process still runs under our current local identity, but any outbound network authentication it performs (SMB, WinRM, RDP and so on) uses the supplied NTLM hash for the chosen user and domain.

PtH with Linux

Several tools exist on Linux with built-in support for PtH; the LM half of the hash is not needed and can be left empty. The following outlines a few:

  1. xfreerdp (RDP): takes the hash via /pth:, but the target must have Restricted Admin mode enabled for this to work.

  2. psexec.py from Impacket (SMB): takes the hash via -hashes LMHASH:NTHASH.

  3. evil-winrm (WinRM): takes the hash via -H.
