Pass-the-Hash

Pass the Hash (PtH) enables lateral movement by allowing authentication using NTLM password hashes instead of plaintext passwords.

1. It only works with NTLM-based authentication, i.e., it is not applicable to Kerberos-authenticated services.

2. It requires SMB access.

3. It needs administrative privileges.

Tools like Impacket (wmiexec, psexec, etc.), Metasploit’s PsExec, and others leverage this method for remote code execution.

Here is how it works:

1. Tools perform authentication over SMB using the provided NTLM hash.

2. If remote code execution is desired, these tools:

   • Start a Windows service (e.g., cmd.exe or powershell.exe)

   • Communicate through Named Pipes using the Service Control Manager API

3. For non-execution tasks (e.g., reading a file share), no service needs to be created.

For this to work, four conditions must be met:

1. SMB port (445) must be accessible through the firewall.

2. File and Printer Sharing must be enabled.

3. ADMIN$ share must be available.

4. Supplied credentials must have local administrative privileges.

Important: PtH does not exploit NTLM, but abuses the availability of stolen password hashes—usually obtained through prior compromise.

$ /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>hostname
FILES04

C:\>whoami
files04\administrator

This method works for both AD domain accounts and the built-in local administrator account. However, due to the 2014 Microsoft update, this technique cannot be used to authenticate as other local admin accounts (due to unique local account SIDs).