This article will teach you what a pass the hash attack is and how to perform a pass the hash attack yourself.
Hackers have various lateral movement techniques at their disposal. One of the most commonly used is the pass the hash attack; you should know how to perform this attack and protect against it.
If you are on the red side, you will use this attack to jump between compromised machines within an Active Directory environment. If you are on the blue side, you will use your understanding of this attack technique to secure your Active Directory environment and lock down access to your most valuable assets.
Let’s explore what passing the hash means, how to obtain a hash, and how to perform a pass the hash attack using real-world hacking tools.
What Is Passing the Hash?
Before passing hashes and comprising machines, you must understand what a hash is. A hash refers to a fixed-size numerical value computed from input data that can be any size. This input data can be a file, a password, or any other piece of information.
A hashing function will take input data, run it through a mathematical algorithm, and produce a unique hash value that is a fixed size. Hashing is a one-way computation. You cannot retrieve the input data from its hash value. This is important because it provides an extra layer of security. If a machine's password database is compromised, an attacker cannot determine a user’s password from its hash value, which is why passwords are stored as hashes.
To log into a machine, a user will enter their password in cleartext, and the machine will use the same hashing function it used to create a hash of their original password with the one they are trying to authenticate with. If the password hashes match, then the user is allowed access.
NTLM Authentication
In modern Windows Active Directory environments, Kerberos is the default authentication protocol that Microsoft has adopted and expanded on to provide secure authentication using a ticket-based system. However, many Active Directory environments support legacy systems by allowing NT LAN Manager (NTLM) authentication.
NTLM uses a challenge and response mechanism for user authentication:
- Steps 1-2: When a user attempts to access a network resource, the server will challenge the user by sending a random value
- Step 3: The user’s computer will then encrypt this challenge using the user’s password hash and send this encrypted challenge back as a response.
- Steps 4-5:The server will verify the response by sending it to the Domain Controller, who will compare them with the stored password hash and determine if that user should have access.
- Step 6: The server will send a message back to the user to either confirm or deny their access to the network resource.
The NTLM authentication protocol used in Microsoft environments has gone through many revisions, each improving the security of the previous. Today, NTLMv2 Session Security is used within modern Active Directory environments when Kerberos authentication fails.
NTLM authentication is used when a client authenticates to a server by IP address (instead of hostname), if the user attempts to authenticate to a hostname not registered on the Active Directory Domain Name Server (DNS) server, or if a third-party application chooses to use NTLM instead of Kerberos.
For instance, if you want to access a file share in an Active Directory environment. You can use the server’s DNS hostname or IP address to connect to it. If you use the DNS hostname, then Kerberos authentication will be used. However, NTLM authentication will be used if you use the server's IP address.
Under the hood, this will involve you providing the NTLM hash of your password to the server and it verifying this hash matches the hash it has stored for authenticated users. You will not see this. You will only be asked to provide your user credentials (cleartext password) to authenticate and access the file share.
Pass the Hash Attacks
In a pass the hash attack, an attacker will authenticate to a remote system or service in an Active Directory environment using a target user’s NTLM hash instead of the user’s plaintext password. The attacker will obtain the NTLM hash either by capturing it on the network or by extracting it from a machine they have compromised.
This attack only works when Kerberos is not used for authentication and the server or service the attacker tries to connect to uses NTLM authentication. Another requirement is that Server Message Block (SMB) is open (port 445), and the Windows File Sharing and Print Sharing feature is enabled. This setup is common in internal enterprise environments as it allows employees to easily share work documents to collaborate on projects.
The pass the hash attack works for Active Directory domain accounts and the built-in local administrator account for the machine you are trying to authenticate to. However, it cannot be used to authenticate as any other local administrator account.
For instance, if John Smith is a user on Workstation 1 and you want to access this machine. You first capture John Smith’s NTLM hash, then you must verify that SMB and the Windows File Sharing and Print Sharing feature are enabled in the Active Directory environment you want to attack. If these requirements are fulfilled, you can use John Smith’s NTLM hash to authenticate to Workstation 1 and impersonate them using various hacking tools.
Obtaining the Hash
First, you must obtain an NTLM hash to perform a pass the hash attack. This can be done by either capturing the hash on the network or by stealing the hash from a machine you have compromised. First, let’s look at capturing the hash from the network with Responder.
The demonstrations in this article use a vulnerable Windows Active Directory environment. You can learn to create your own virtual hacking environment by following this article and follow along. You can also learn about Kerberoasting attacks here.
With Responder
Responder is a tool commonly used in internal penetration testing and red teaming exercises to test the security of an organization's internal network protocols. The tool can capture and relay authentication credentials in a Windows Active Directory environment. You can use Responder to capture NTLM hashes as they pass around the network for authentication in Link-Local Multicast Name Resolution (LLMNR) requests.
At this point, you may ask what LLMNR requests are. LLMNR is a network protocol used in Active Directory environments to identify hosts on a local network when DNS resolution fails. It acts as a fallback mechanism and allows client machines to interact with servers without needing a DNS server.
LLMNR is vulnerable. It leaks a user’s username and NTLM hash when responding to LLMNR requests. If an attacker can position themselves on the same network as a target machine and intercept the LLMNR traffic between the target and a server, they can steal the user’s NTLM hash. They can then try to crack this hash offline to get the user’s password or use the hash in a pass the hash attack.
This attack is known as LLMNR poisoning and is demonstrated in the graphic below:
LLMNR Poisoning in Action With Responder
Responder comes installed on Kali Linux by default. However, before performing an LLMNR poisoning attack with Responder, you need to meet the following requirements:
- You need to be on the same network as your target machine.
- You need to have the capability of sniffing network packets.
Now you can run the following command to start Responder:
sudo responder -I eth0 -v
This command will start Responder listening on your eth0
network interface (-I
) and in verbose mode (-v
) to provide more output.
Now you have to wait for an event to occur that DNS cannot resolve. For instance, when a user tries to connect to a machine via SMB, SQL, FTP, SMTP, etc, but uses a name that the local DNS server cannot resolve or uses an IP address. This will trigger the machine to send an LLMNR request to find the machine or resource it is trying to access. Responder will capture this LLMNR request and display the NTLM hash for you to use.
Here I have tried to access the C: drive of the test machine from Workstation1 as the StationX-admin user. Workstation1 will make a DNS request to the Active Directory DNS server to find out where the test machine is located. However, this machine does not exist. So, the DNS request will fail. Now, Worksation1 will send out an LLMNR request as a fallback. Responder can capture this LLMNR request and steal the user’s NTLM hash
With Mimikatz
Another way to get your hands on an NTLM hash is to steal it from a machine you have compromised. On Windows machines, NTLM hashes are typically stored in the Security Account Manager (SAM) database. This is part of the Windows Registry and contains various pieces of user account information. You can dump the information in this database and steal NTLM hashes by interacting with the Local Security Authority Subsystem Service (LSASS process).
An infamous tool for stealing credential information from Windows machines is Mimikatz. It is a powerful post-exploitation tool capable of dumping credentials and performing various lateral movement techniques. One of the tool’s features is extracting passwords and other authentication material from a target machine, either stored locally or running in memory.
Credential Dumping in Action With Mimikatz
Mimikatz is installed on Kali Linux by default. To extract password hashes using Mimikatz, you need to fulfill the following requirements:
- You need SYSTEM or local administrative access for permissions to interact with the LSASS process.
- You must disable Microsoft Windows Defender’s Real Time protection on the target machine.
Now you can start the Mimikatz console and engage the SeDebugPrivilege so that you can interact with a process owned by another account using the command:
Privilege::debug
Next, you can dump the credentials of all logged-on users to a machine using the Sekurlsa module and the command:
Sekurlsa::logonpasswords
This will dump the hashes for all users logged on to a current workstation, including those using Active Directory to log on. You can use the NTLM hashes dumped to perform a pass the hash attack. Let’s save the StationX-admin user's NTLM hash for later use.
Modern Windows machines are well protected against Mimikatz. In the real world, an attacker would use various obfuscation techniques to get Mimikatz to run:
- Disabling Anti-Virus or EDR (Endpoint Detection Response) on the target machine before executing Mimikatz.
- Executing Mimikatz in-memory so that Anti-Virus cannot detect it on disk.
- Using process hollowing to execute Mimikatz inside a legitimate process.
Other Tools
Aside from Reponder and Mimikatz, various other tools can be used to obtain NTLM hashes:
- Metepreter - This tool is part of the Metasploit Framework and contains various post-exploitation functionality that allows you to extract NTLM hashes from a machine.
- Empire - This Post-Exploitation Framework written in PowerShell allows you to dump user credentials and perform lateral movement.
- Cain and Abel - This legacy tool only runs on Windows machines. It was commonly used for internal penetration testing engagements to obtain NTLM hashes over the network through unencrypted or weakly encrypted protocols.
- Inveigh - This is a tool similar to Responder. It allows you to perform various network-based attacks in an Active Directory environment, such as SMB relay attacks, credential capture, LLMNR poisoning, etc.
Passing the Hash
Once you have obtained an NTLM hash, you can perform a pass the hash attack using various tools. They all, ultimately, use the stolen NTLM hash to impersonate a user and authenticate to machines said user is allowed to access within their Active Directory environment.
With Mimikatz
Mimikatz can be used to both obtain credential material and use it in a pass the hash attack. This dual-use makes it a powerful tool to add to your hacking arsenal, and its capabilities don’t stop there. It can perform various other lateral movement techniques, including golden ticket attacks, silver ticket attacks, and DCSync attacks.
Passing the Hash in Action With Mimikatz
To perform a pass the hash attack with Mimikaz, you must meet the following requirements:
- You need SMB enabled on the target machine.
- The target machine’s firewall must be configured to allow incoming SMB traffic.
- You must have the NTLM hash of the user you want to impersonate.
- You need SYSTEM or local administrative access for permissions to interact with the LSASS process
- You should already have elevated privileges if you used Mimikatz to obtain an NTLM hash.
As either the SYSTEM or local administrator, run the following command from the Mimikatz command line:
Privilege::debug
This command gives your current Mimikatz session debug privileges so you can interact with the processes owned by other users on the system. Now, you can perform the pass the hash attack with the command:
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<ntlm_hash>
For example, if you wanted to target the domain user StationX-admin, you would run the command:
sekurlsa::pth /user:stationX-admin /domain:milkyway.local /ntlm:2b576acbe6bcfda7294d6bd18041b8fe
This command spawns a Windows command shell, and a session, that uses the target user’s hash. As such, you can now impersonate the target user, and other machines you now interact with in the Active Directory environment will think you are the target user (e.g. StationX-admin). This makes moving to other machines trivial.
To test if you have successfully obtained a session as the StationX-admin user, you can run the following command from a Windows command shell:
dir \\10.0.200.4\c$
This command lists the contents of Workstation2’s (10.0.200.4
) C: drive. If you run this command from a regular command prompt on Workstation1, you get an “Access is denied” message:
However, if your run this command in the newly created Windows command shell that is impersonating the StationX-admin user, the contents of the C: drive is listed for you:
From here, you can freely execute remote commands on the target machine 10.0.200.4
as the StationX-admin user.
With PsExec
PsExec is a command line tool developed by Microsoft and included in their Sysinternals toolset. It was originally designed to allow administrators to execute commands or run programs on remote systems. Hence it is often found in enterprise environments. However, PsExec has been abused by attackers in the past to perform lateral movement in Active Directory environments using stolen credentials.
Passing the Hash in Action With PsExec
Kali Linux comes installed with a version of PsExec. To perform a pass the hash attack with PsExec, you must meet the following requirements:
- You need SMB enabled on the target machine.
- The target machine’s firewall must be configured to allow incoming SMB traffic.
- You must have the NTLM hash of the user you want to impersonate.
Once these requirements are met, you can perform a pass the hash attack with PsExec by issuing the following command in your Kali Linux machine:
impacket-psexec -hashes 00000000000000000000000000000000:<ntlm_hash> <username>@<ip_address>
For example, to target the StationX-admin who has access to machine 10.0.200.4 (Workation02), you would run the command:
impacket-psexec -hashes 00000000000000000000000000000000:2b576acbe6bcfda7294d6bd18041b8fe stationX-admin@10.0.200.4
This command gives us a Windows command shell on machine 10.0.200.4
. You can perform various post-exploitation activities from here, such as internal reconnaissance or stealing credentials.
The command used here uses the Impacket version of PsExec. This tool is included in the Impacket framework, a collection of Python scripts that emulate the functionality of common Windows administrator tools.
With EvilWinRM
EvilWinRM is a post-exploitation tool written in PowerShell which is designed to simplify gaining and maintaining remote access to Windows systems. The tool can provide you with an interactive session where you can perform remote command execution, transfer files, and execute Windows PowerShell commands.
EvilWinRM uses the Windows Remote Management (WinRM) protocol to provide this functionality to bypass the need for Remote Desktop Protocol (RDP) to be enabled on target machines. WinRM is a protocol used heavily in enterprise Active Directory environments, so network traffic generated by this tool blends in well.
Passing the Hash in Action With EvilWinRM
The EvilWinRM tool comes installed on Kali Linux by default. To perform a pass the hash attack with EvilWinRM, you need to fulfill the following requirements:
- The WinRM protocol must be enabled on the target machine.
- The target machine’s firewall must be configured to allow incoming WinRM connections. This is network port 5985 (HTTP) or 5986 (HTTPS).
- You must have the NTLM hash of the user you want to impersonate.
You can now use the EvilWinRM tool to perform a pass the hash attack by executing the following command on your Kali Linux machine:
evil-winrm -i <ip_address> -u <username> -H <ntlm_hash>
For example, to target the StationX-admin who has access to machine 10.0.200.4
(Workation02), you would run the command:
evil-winrm -i 10.0.200.4 -u stationX-admin -H 2b576acbe6bcfda7294d6bd18041b8fe
This will give you an interactive PowerShell session that you can use to perform post-exploitation activities, such as uploading malware or downloading files.
With xFreeRDP
The xFreeRDP tool is an open-source RDP client application that allows you to connect to and control Windows systems using the RDP protocol. The application can take a username and password, or you can use an NTLM hash and perform a pass the hash attack.
System administrators commonly use RDP within enterprise Active Directory environments to perform administrative tasks through a graphical desktop session. If RDP is not secured in your environment, attackers can move laterally between machines using compromised credentials.
Passing the Hash in Action With xFreeRDP
Kali Linux comes with xFreeRDP. To perform a pass the hash attack with xFreeRDP, you need to satisfy these requirements:
- RDP must be enabled on the machine you are targeting
- Firewalls need configuring to allow incoming RDP traffic to the machine you are targeting
- The user account you target must be within the Remote Desktop Users group on your target Windows machine.
- You need to have the NTLM hash of the user you want to impersonate.
You can now perform a pass the hash attack with xFreeRDP by running the following command from within a Kali Linux terminal:
xfreerdp /u:<user> /d:<domain> /pth:<ntlm_hash> /v:<ip_address>
For example, to target the StationX-admin who has access to machine 10.0.200.4
(Workation02), you would run the command:
xfreerdp /u:stationX-admin /d:milkyway.local /pth:2b576acbe6bcfda7294d6bd18041b8fe /v:10.0.200.4
As shown, this command may fail. This is because Restricted Admin Mode is enabled, by default, on all modern versions of Windows. If this setting is enabled, your pass the hash attack will fail, and you will get the error shown above: “Account Restrictions are preventing this user from signing in.” You must disable Restricted Admin Mode in the Windows registry to get around this. If you have administrator access, this is easy.
For example, you can disable Restricted Admin Mode with the command:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Once executed, xFreeRDP will initiate an RDP connection to the machine you specified using the NTLM hash you provided. If successful, this will return a graphical session in a separate window which you can interact with.
Conclusion
The pass the hash attack is a powerful lateral movement technique that you can use to jump between machines in an Active Directory environment. Gaining a practical understanding of this technique is vital for people trying to attack systems and those trying to defend them.
This article examined what a hash is and how to obtain it from an Active Directory environment by capturing it through LLMNR poisoning or extracting it from a compromised machine. Once you have an NTLM hash, performing a pass the hash attack can be done with various hacking tools. These tools have pros and cons based on their prevalence in enterprise environments and the traffic they generate.
With an understanding of how to perform pass the hash attacks, you should now be able to use this when attacking an Active Directory environment or devise ways to protect against these attacks.
This article touched on a few of the hacking tools you can use to perform lateral movement using the pass the hash attack. To discover more, check out this article for a comprehensive cheat sheet of common real-world hacking tools.