The Pass-the-Hash (PtH) attack is a lateral movement technique used in post-exploitation scenarios within Windows environments. Instead of needing to crack a password, attackers use the hashed representation of the password, usually an NTLM hash, to authenticate and move laterally across systems.

Password Storage:
Windows systems store passwords as cryptographic hashes rather than plaintext. This avoids keeping the plaintext on disk, but because NTLM authentication accepts the hash itself as proof of identity, the hash becomes a password-equivalent credential and therefore an alternative attack vector.
Types of Hashes:
LAN Manager (LM) Hash:
Obsolete and cryptographically weak; modern Windows versions do not store it by default.
NTLM Hash:
Still used for NTLM authentication in Windows environments. It is unsalted and is accepted directly as the credential, which is what makes it usable in PtH attacks.
Authentication Protocols:
Windows protocols such as NTLM and Kerberos validate user credentials against these hashes rather than the plaintext: the NTLM challenge-response is computed from the NT hash, and Kerberos can use the NT hash as the user's RC4 long-term key. In both cases, whoever holds the hash holds the secret that is checked at login.
Process:
Once the attacker has administrative access to a system, they extract password hashes from memory (the LSASS process) or from disk (the SAM database).
Common Tools:
Mimikatz: Extracts credentials and hashes from Windows memory.
Example Command:
mimikatz # sekurlsa::logonpasswords
pwdump: Dumps password hashes from the SAM database.
LSASS Process Dumping: Retrieves hashes from the Local Security Authority Subsystem Service.
Method:
Instead of cracking the hash, the attacker “passes” it directly, supplying it to the NTLM authentication exchange in place of the password, to authenticate to another system.
Example Command:
pth-winexe -U 'DOMAIN\Administrator%aad3b435b51404eeaad3b435b51404ee:<NTLM_HASH>' //192.168.1.10 cmd
Additional Tools:
PowerShell scripts and other utilities may also be used to facilitate this step.
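From the defender's side, the process above leaves traces in Windows Security logs. The following added example (illustrative code, not from the original text) runs two heuristics over constructed records shaped like Event ID 4624 fields: a NewCredentials logon (Logon Type 9) with logon process `seclogo`, the pattern produced by `runas /netonly` and by tools that inject a hash into a fresh logon session, and an account performing NTLM network logons (Logon Type 3) to many distinct hosts in a short window, the fan-out of lateral movement. The hostnames, account names and timestamps are constructed; the thresholds are assumptions to be tuned against a baseline, and both signals are triage indicators rather than proof, since legitimate administration produces them too.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Event ID 4624 fields (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "host": "WS01", "account": "alice",
     "logon_type": 2, "logon_process": "User32", "auth_package": "Negotiate", "source_ip": "-"},
    {"time": "2024-05-01T09:02:30", "host": "FS01", "account": "alice",
     "logon_type": 3, "logon_process": "Kerberos", "auth_package": "Kerberos", "source_ip": "10.0.0.21"},
    {"time": "2024-05-01T09:05:10", "host": "WS07", "account": "svc_backup",
     "logon_type": 9, "logon_process": "seclogo", "auth_package": "Negotiate", "source_ip": "::1"},
    {"time": "2024-05-01T09:05:40", "host": "FS01", "account": "svc_backup",
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T09:06:02", "host": "FS02", "account": "svc_backup",
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T09:06:45", "host": "DC01", "account": "svc_backup",
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T09:08:12", "host": "WS12", "account": "svc_backup",
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T11:30:00", "host": "FS02", "account": "bob",
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "source_ip": "10.0.0.33"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def newcredentials_logons(events: list) -> list:
    """Heuristic 1: Logon Type 9 via seclogo (runas /netonly style sessions)."""
    return [e for e in events
            if e["logon_type"] == 9 and e["logon_process"].lower() == "seclogo"]


def ntlm_fanout(events: list, window: timedelta = timedelta(minutes=10),
                threshold: int = 3) -> dict:
    """Heuristic 2: accounts reaching >= threshold distinct hosts by NTLM
    network logon inside `window`. Returns {account: sorted host list}."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth_package"].upper() == "NTLM":
            by_account[e["account"]].append((_ts(e), e["host"]))
    findings = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings[account] = sorted(hosts)
                break
    return findings


def detect_pth(events: list, window: timedelta = timedelta(minutes=10),
               threshold: int = 3) -> list:
    """Combine both heuristics into human-readable triage lines."""
    lines = []
    for e in newcredentials_logons(events):
        lines.append(f"{e['host']}: NewCredentials (type 9) logon via seclogo for "
                     f"{e['account']}; verify against approved runas /netonly use")
    for account, hosts in ntlm_fanout(events, window, threshold).items():
        lines.append(f"{account}: NTLM network logons to {len(hosts)} hosts within "
                     f"{window}: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in detect_pth(SAMPLE_EVENTS):
        print(line)
```

Kerberos logons by alice and the single NTLM logon by bob fall below both heuristics, while svc_backup trips both: a seclogo session on WS07 followed by NTLM logons to four hosts from the same source address in three minutes. In production, the fan-out threshold and window should be set from each account's observed baseline, and the seclogo signal should be cross-checked against change records for administrative activity.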