darkcybe
  • 👋whoami
  • Security Operations
    • 💉Threat Mangement
      • Identify
        • Developing a Security Program
        • Governance, Risk, and Compliance (GRC)
        • Security Architecture
      • Protect
        • Vulnerability Mangement
        • Identity and Access Management (IAM)
        • Zero Trust
    • 👩‍💻Threat Detection
      • Detect
        • Continuous Monitoring & Security Operations Center (SOC)
        • Cyber Threat Intelligence (CTI)
    • 🚒Threat Response
      • Respond
        • Digital Forensics and Incident Response (DFIR)
      • Recover
  • Offensive Security Operations
    • 🎯Penetration Testing
      • Techniques
        • MITRE ATT&CK
          • Reconnaissance
          • Resource Development
            • T1608 - Stage Capabilities
              • Staging Malware and Tools on Kali Linux
          • Initial Access
          • Execution
          • Persistence
          • Privilege Escalation
          • Defense Evasion
          • Credential Access
          • Discovery
          • Lateral Movement
          • Collection
          • Command and Control
          • Exfiltration
          • Impact
        • CAPEC
          • 100 - Overflow Buffers
          • 66 - SQL Injection
          • 94 - Adversary-in-the-Middle (AiTM)
          • 252 - PHP Local File Inclusion (LFI)
          • 560 - Use of Known Domain Credentials
          • 644 - Use of Captured Hashes (Pass-the-Hash (PtH))
          • 633 - Token Impersonation
        • Technology Focused
          • Cloud
            • Amazon Web Services (AWS)
            • Google Cloud Platform (GCP)
          • Network Protocols and Services
            • Port 20/21 - FTP
            • Port 22 - SSH
            • Port 23 - Telnet
            • Port 25 - SMTP
            • Port 53 - DNS
            • Port 80 - HTTP
            • Port 110/995 - POP3
            • Port 135/593 - MSRPC
            • Port 137-139 - NetBIOS
            • Port 143/993 - IMAP
            • Port 443 - HTTPS
            • Port 445 - SMB
            • Port 3389 - RDP
            • Port 5355 - LLMNR
            • ARP
            • Databases
              • Port 1433/1434 - MSSQL
              • Port 3306 - MySQL/MariaDB
            • DHCP
          • Web
            • PHP
          • Windows
            • Active Directory
          • Wireless
          • Linux
      • Offensive Security Tools
    • 🚩Capture The Flag (CTF)
  • Guides
    • 🔍DFIR
      • Evidence Artifacts
        • Event Logs
        • Windows
          • Evidence of...
            • Account Usage
            • File Download
            • Program Execution
            • External Device Activity
            • File and Folder Interaction
            • Lateral Movement
            • Network and Browser History
      • DFIR Tools
        • Malware and File Analysis
          • Sigcheck
          • DensityScout
        • Memory Forensics
          • Volatility
        • Program Execution
          • PeCmd
          • WxTcmd
          • AmcacheParser
          • JumpListExplorer (JLE)
          • AppCompatCacheParser
          • SrumECmd
        • DFIR Toolkits
          • Registry Explorer
          • Incident Timelines
      • Theat Analysis
        • Analysis
          • iOS Popup Scam
        • Emulation
    • 🥷Ethical Hacking
      • Exploitation
      • Post-Exploitation
      • Reporting and Documentation
    • ⛳CTF Walkthroughs
      • 📦Hack The Box (HTB)
        • 🚶HTB Walkthroughs
    • 👷‍♀️Security Engineering
      • Building a Cybersecurity Home Lab
        • Step 1: Lab Design and Architecture
        • Step 2: Installing and Configuring VMware ESXi 8
        • Step 3: Installing the OPNsense Firewall
        • Step 4: Configuring OPNsense Firewall Rules
  • General Resources
    • 🐳Deep Dives
      • Public Key Infrastructure (PKI)
    • 🐍Programming
      • Python
    • 🏋️Training
      • 🗓️Study Methodology
    • 🥠Semi-Pro Tips
      • Linux
      • Windows
      • Resources
Powered by GitBook
On this page
  • Techniques
  • Steps to Conduct a PtH Attack
  • Sources
  1. Offensive Security Operations
  2. Penetration Testing
  3. Techniques
  4. CAPEC

644 - Use of Captured Hashes (Pass-the-Hash (PtH))

Previous560 - Use of Known Domain CredentialsNext633 - Token Impersonation

Last updated 2 years ago

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

| MITRE ATT&CK | |

Techniques

  1. Explore

    • Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

    • An adversary purchases breached Windows credential hash value pairs from the dark web.

    • An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.

    • An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.

    • An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

  2. Experiment

    • Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

    • Manually or automatically enter each Windows credential hash value pair through the target's interface.

  3. Exploit

    • Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

    • Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

    • Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

Steps to Conduct a PtH Attack

The following example shows how PtH attacks can be leveraged to conduct lateral movement and perform discovery commands in a compromised domain environment.

  1. Explore

    • Acquire known Windows credential hash value pairs: Pass the Hash attacks are considered a post-compromise technique as access to a valid credential hash value is required. The credential obtained for this example is an Domain Administrator NTLM hash.

  2. Experiment

    • Attempt domain authentication: Using the obtained credential hash, authenitcation must be attempted. The CrackMapExec framework will be used to achieve this, using the smb pass the hash module

    crackmapexec smb 172.16.1.31 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

# Additionally, the cracked hash can be used as a plaintext password
crackmapexec smb 172.16.1.31 -u Administrator -p Password01

  3. Exploit

    • Data Exfiltration: For this example, a files from network shares will be downloaded

    # Dumping all files from accessible shares
crackmapexec smb 172.16.1.31 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -M spider_plus -o READ_ONLY=false

Sources

🎯
Use Alternate Authentication Material: Pass the Hash
CAPEC-644: Use of Captured Hashes (Pass The Hash)