Pass The Hash
What is it?
Pass the hash is an exploit technique that allows an attacker to bypass password authentication. Instead, the attacker gains access to the system using only the NTLM or LanMan hash of a valid user's password. Often these hashes are found by dumping the hashes of previously compromised systems. The attacker then replays the hashes against other systems in the same network where those credentials may have access, allowing the attacker to move laterally through the network. This also eliminates the need for attackers to obtain clear-text passwords or crack the hashes, since the hashes can be used as-is across the network.
Where to find hashes?
Hashes can be obtained using any one of the methods below:
- Cached credentials that can be read from the SAM database by an administrator user
- Dumping the SAM database of local users
- Dumping credentials stored in memory of the lsass process
- Using tools such as mimikatz, wce, fgdump, etc. to accomplish the methods above and more
How to pass the hash?
Prerequisite: you need a username and NTLM/LM hash combination to use in the attack.
Running the attack:
First we need to set up an environment variable named SMBHASH that will hold the hash we wish to pass. When exporting SMBHASH you may need to replace the first portion of the dumped hash (the LM part) with an empty LM hash, like so:
If the dumped hash is: Administrator:500:NOPASSWORD**:7218cb8759b3a247b790dc403bb016ea
Empty LM hash: aad3b435b51404eeaad3b435b51404ee
Thus the full export command would combine the empty LM hash with the second part of the dumped hash:
# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:7218cb8759b3a247b790dc403bb016ea
Now that we have exported our SMB hash, we can use it with pth-winexe to attempt to authenticate to other systems on the network:
pth-winexe -U administrator% //10.10.10.10 cmd
Systems that authenticate with NTLM or LanMan hashes over protocols such as SMB are susceptible to pass-the-hash attacks. Several mitigation techniques can be employed: use the Microsoft Local Administrator Password Solution (LAPS) to manage local administrator accounts across the domain; avoid using cached credentials and limit the number of privileged users; on newer Windows systems, avoid using NTLM and LanMan altogether; and configure additional security for the Local Security Authority (LSA) to prevent untrusted processes from injecting code into it and reading objects from its memory.
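Because a replayed hash shows up on the receiving systems as an NTLM network logon rather than an interactive or Kerberos one, the lateral movement described above can be spotted in Windows Security logs. The following detector is an added example, not part of the original article: it reads constructed Event ID 4624 records flattened to key=value lines (the field names and layout are assumptions, not a real log schema) and flags an account that authenticates with NTLM over the network to several distinct hosts from one source in a short window.

```python
"""Flag pass-the-hash style lateral movement in constructed Windows logon events.

Signal used: successful logon (Event ID 4624) with LogonType=3 (network) and
NTLM as the authentication package, repeated from one source IP to multiple
target hosts within a short time window. Kerberos logons and local/interactive
logons (LogonType 2) are ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed flattened key=value layout, not a real schema).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 EventID=4624 LogonType=3 AuthPkg=NTLM Account=administrator Target=SRV01 SrcIP=10.10.10.50",
    "2024-05-01T10:00:09 EventID=4624 LogonType=3 AuthPkg=NTLM Account=administrator Target=SRV02 SrcIP=10.10.10.50",
    "2024-05-01T10:00:15 EventID=4624 LogonType=3 AuthPkg=NTLM Account=administrator Target=SRV03 SrcIP=10.10.10.50",
    "2024-05-01T10:00:20 EventID=4624 LogonType=3 AuthPkg=Kerberos Account=jdoe Target=SRV01 SrcIP=10.10.10.60",
    "2024-05-01T10:00:25 EventID=4624 LogonType=2 AuthPkg=NTLM Account=jdoe Target=WKS01 SrcIP=127.0.0.1",
    "2024-05-01T11:30:00 EventID=4624 LogonType=3 AuthPkg=NTLM Account=svc_backup Target=SRV04 SrcIP=10.10.10.70",
]


def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_ntlm_network_logon(ev):
    """Successful network logon authenticated with NTLM (the pass-the-hash footprint)."""
    return ev["EventID"] == "4624" and ev["LogonType"] == "3" and ev["AuthPkg"].upper() == "NTLM"


def find_hash_replay(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return one alert per (account, source IP) that reached >= min_hosts distinct targets in `window`."""
    by_key = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_ntlm_network_logon(ev):
            by_key[(ev["Account"], ev["SrcIP"])].append((ev["ts"], ev["Target"]))
    alerts = []
    for (account, src), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window anchored at each logon
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "src_ip": src, "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_hash_replay(SAMPLE_EVENTS):
        print(f"possible hash replay: {alert['account']} from {alert['src_ip']} -> {', '.join(alert['hosts'])}")
```

Tune `window` and `min_hosts` to the environment; service accounts that legitimately fan out over NTLM will need an allow-list.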