Pentest List Wiki
  • What is Pentest List Wiki?
  • OFFENSIVE SECURITY
    • External Infrastructure
      • Discovery
        • Email Address Discovery
        • Subdomain Discovery
        • Data Discovery
        • Port & Service Discovery
      • Exploitation
        • Password Spraying
        • Vulnerability Scanning
    • Internal Infrastructure
      • General Discovery
        • AD Attack Path Discovery
        • Port & Service Discovery
      • Credential Discovery
        • Passwords and NetNTLM
        • SAM & LSA secrets
        • NTDS.dit secrets
        • LSASS secrets
        • DCSync
        • DPAPI secrets
      • Movement
        • Credential Spraying
        • SMB Relaying
        • Pass The Hash
      • Infiltration/Exfiltration
        • Pivoting (Proxying)
    • Web Application
      • Discovery
        • Testing API Keys
        • Vulnerability Scan
        • Web Content Discovery
        • Parameter Discovery
        • VHOST Discovery
        • CMS Scanners
      • Exploitation
        • Authentication
          • Email Address Forms
          • AWS Cognito
        • JSON Web Tokens
        • Injection Attacks
          • SQL Injection
          • Cross-Site Scripting
          • HTTP Headers
      • Bypasses
        • Cloudflare Bypass
        • HTTP 403 Bypass
    • Mobile (iOS/Android)
      • iOS
        • IPA Decryption
        • Filesystem Analysis
        • Static Analysis
    • Cloud
      • AWS
        • Vulnerability Scanners
        • S3 Buckets
      • Azure
        • Vulnerability Scanners
        • m365 & Entra ID
  • DEFENSIVE SECURITY
    • Forged Kerberos Tickets
    • Logon Event Visualisation
Powered by GitBook
On this page
  • Performing the attack
  • NetExec
  • xfreerdp
  1. OFFENSIVE SECURITY
  2. Internal Infrastructure
  3. Movement

Pass The Hash

How to Pass The Hash Attack.

PreviousSMB RelayingNextInfiltration/Exfiltration

Last updated 10 months ago

A Pass The Hash attack utilises a known password hash to authenticate to other networked hosts. For example, if two built-in administrator accounts for two different hosts had the same password, their hash would be the same and if one hash was known, this can be used to login to the second host.

There are various ways you might come across a password hash. For example, you might dump a machines SAM and SECURITY registry hive and find it there.

No matter how you found it, you may now consider a Pass The Hash attack.

Performing the attack

NetExec

NetExec can be used to perform a Pass The Hash attack. All you need is the username and the users NT password hash. If it is a domain user, you will also need to specify the domain.

netexec smb <target> --local-auth -u <user> -H <NThash> -x <command>

netexec smb <target> -d <domain> -u <user> -H <NThash> -x <command>

This will provide you with a command line shell on your target.

xfreerdp

By using xfreerdp, it is possible to gain a remote desktop connection into a host using Pass The Hash.

The following command can be used:

xfreerdp /u:<user> /d:<domain> /pth:<LMhash:NThash> /v:<TARGET>

https://github.com/Pennyw0rth/NetExec
https://linux.die.net/man/1/xfreerdp