Pass the hash
MITRE ATT&CK™ Sub-technique T1550.002
Theory
An attacker knowing a user's NT hash can use it to authenticate over NTLM (pass-the-hash) (or indirectly over Kerberos with overpass-the-hash).
Practice
There are many tools that implement pass-the-hash: Impacket scripts (Python) (psexec, smbexec, secretsdump...), NetExec (Python), FreeRDP (C), mimikatz (C), lsassy (Python), pth-toolkit (Python) and many more.
The Impacket script secretsdump (Python) has the ability to remotely dump hashes and LSA secrets from a machine (LMhash can be empty) (see dumping credentials from registry hives).
NetExec (Python) has the ability to do it on a set of targets. Its bh_owned module has the ability to set targets as "owned" in BloodHound (see dumping credentials from registry hives).
Lsassy (Python) has the ability to do it with higher success probabilities as it offers multiple dumping methods. This tool can set targets as "owned" in BloodHound. It works standalone but also as a NetExec module (see dumping credentials from lsass process memory).
Limitations, tips and tricks
UAC limits pass-the-hash
UAC (User Account Control) limits which local users can do remote administration operations. Since most of the attacks exploiting pass-the-hash rely on remote admin operations, it affects this technique.
The registry key LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well.
The registry key FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't.
In short, by default, only the following accounts can fully take advantage of pass-the-hash:
local accounts: the built-in, RID-500, "Administrator" account
domain accounts: all domain accounts with local admin rights
RDP Pass-the-hash
Restricted Admin Mode must be enabled to allow pass-the-hash attacks over RDP. It is disabled by default, but we can enable it via the DisableRestrictedAdmin registry entry, as follows:
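To check where a given host stands against the defaults described in the two sections above, here is an added PowerShell audit (example code, not from the original page or from any of the tools it lists). The registry paths and value names are the standard Windows ones; the $Checks table, the defaults assumed when a value is absent, and the summary logic are this example's own.

```powershell
# Added audit example; read-only. Registry paths/value names are the standard Windows
# ones; the $Checks table, defaults-when-absent and the summary logic are this example's.
$Sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Checks = @(
    @{ Path = $Sys; Name = 'LocalAccountTokenFilterPolicy'; Default = 0; Meaning = @{
         0 = 'only the RID-500 Administrator can do remote admin tasks (default)'
         1 = 'every local admin can do remote admin tasks (wider PtH exposure)' } },
    @{ Path = $Sys; Name = 'FilterAdministratorToken'; Default = 0; Meaning = @{
         0 = 'RID-500 Administrator may do remote admin tasks (default)'
         1 = 'RID-500 Administrator token is filtered as well (reduced exposure)' } },
    @{ Path = $Lsa; Name = 'DisableRestrictedAdmin'; Default = 1; Meaning = @{
         0 = 'Restricted Admin Mode enabled: RDP logon with an NT hash is possible'
         1 = 'Restricted Admin Mode disabled (default): no RDP pass-the-hash' } }
)

$report = foreach ($c in $Checks) {
    # A missing value (or missing key) is interpreted as the documented default
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $eff  = if ($null -ne $item) { [int]$item.($c.Name) } else { $c.Default }
    $meaning = if ($c.Meaning.ContainsKey($eff)) { $c.Meaning[$eff] } else { "unexpected value $eff" }
    [pscustomobject]@{
        Name      = $c.Name
        Present   = ($null -ne $item)
        Effective = $eff
        Meaning   = $meaning
    }
}
$report | Format-Table -AutoSize

# Summary: which accounts could use pass-the-hash for remote admin against this host
$e = @{}; foreach ($r in $report) { $e[$r.Name] = $r.Effective }
$usable = @('domain accounts with local admin rights')
if ($e['FilterAdministratorToken'] -eq 0 -or $e['LocalAccountTokenFilterPolicy'] -eq 1) {
    $usable += 'local RID-500 Administrator'
}
if ($e['LocalAccountTokenFilterPolicy'] -eq 1) { $usable += 'other local admin accounts' }
"Remote admin over NTLM possible for: " + ($usable -join '; ')
if ($e['DisableRestrictedAdmin'] -eq 0) { "RDP logon with an NT hash (Restricted Admin Mode) is possible" }
```

Run it in an elevated PowerShell session on the host being reviewed; a value reported with Present=False is one the host has never set explicitly, so its effect is the default shown.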