Ok, Today let's talk about ‘pass-the-hash’ attack..
As per wikipedia, pass-the-hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password with merely stealing the hash and using that to authenticate with.
For pass-the-hash attack to work, we need to have an admin account on a computer, this gives an attacker access to the other credentials in the system. In this demonstration we will use Mimikatz and PSExec to extract a domain admin NTLM hash from memory and use that account to replay against other systems in the domain.
Here I’m logged in (to our lab) as user Raeez on a domain computer with local admin privileges on the system.
This user is not a member of any domain security groups.
To verify this, I am going to use psexec command to run a shell on my domain controller.
Here you can see the access is denied by the DC since there are no privileges on the machine.
Now I'm going to use Mimikatz to extract password hashes from the memory.
As you can see, we got a possible domain admin account called adm_raeez and his NTLM hashes. So this user might have been logged in to the system for doing something and has kept in memory once he is logged off.
I’m going to take his NTLM hash and use simple pass the hash technique using mimikatz as shown below.
This will open up a command prompt with admin privileges in the domain. Now let's try to launch cmd.exe in the domain controller using psexec from the elevated command prompt.
Now I’ve got access to the domain controller as the user adm_raeez with admin rights :)
So that's how we can use mimikatz to perform pass-the-hash. Using this technique we can move laterally in the network and gain access to more passwords and password hashes.
