# Pass The Hash A Pass The Hash attack utilises a known password hash to authenticate to other networked hosts. For example, if two built-in administrator accounts for two different hosts had the same password, their hash would be the same and if one hash was known, this can be used to login to the second host. There are various ways you might come across a password hash. For example, you might dump a machines SAM and SECURITY registry hive and find it there. No matter how you found it, you may now consider a Pass The Hash attack. ## Performing the attack ### NetExec NetExec can be used to perform a Pass The Hash attack. All you need is the username and the users NT password hash. If it is a domain user, you will also need to specify the domain. * `netexec smb --local-auth -u -H -x ` `netexec smb -d -u -H -x ` This will provide you with a command line shell on your target. ### **xfreerdp** By using xfreerdp, it is possible to gain a remote desktop connection into a host using Pass The Hash. * The following command can be used: `xfreerdp /u: /d: /pth: /v:` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://wiki.pentestlist.com/offensive-security/internal-infrastructure/movement/pass-the-hash.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.