PASS THE HASH (PTH) ATTACK WITH PTH-WINEXE
- Layout for this exercise:
1 - Introduction
- In cryptanalysis and computer security, Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
- After an attacker obtains valid user name and user password hash values they are then able to use that information to authenticate to a remote server or service using LM or NTLM authentication without the need to brute-force the hashes to obtain the cleartext password.
- The attack exploits an implementation weakness in the authentication protocol, where password hash remain static from session to session until the password is next changed.
- This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.
https://en.wikipedia.org/wiki/Pass_the_hash
2 - UAC (User Account Control) remote restrictions and PTH attack
- However, the UAC (User Account Control) implemented since Windows Vista imposes severe restrictions to remote users, as explained in this Microsot document:
https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
" When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop ... When a user with a domain user account logs on to a Windows Vista computer remotely, and the user is a member of the Administrators group, the domain user will run with a full administrator access token on the remote computer and UAC is disabled for the user on the remote computer for that session. "
- For further details and information:
https://en.wikipedia.org/wiki/User_Account_Control
https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167
- So, if the targeted machine is XP there is no need to disable UAC in order to launch a successful PTH attack, while it is necessary for Windows Vista,W7, W8, W10 desktops and W2008 and W2012 servers.
- In this exercise a Windows 7 is used, so for disabling UAC just follow these steps:
Start -> Control Panel -> User Accounts and Family Safety -> User Accounts -> User Account Control Settings -> Never notify -> OK
- Also, in case of exploiting with Metasploit, UAC can be disabled as explained in this exercise:
http://www.whitelist1.com/2016/06/metasploit-windows-7-bypassing-user.html
3 - Passing the hash in Windows
- The command winexe needs the username and the cleartext password, what can be tedious or difficult to obtain in some cases, depending of the complexity of the password:
https://en.wikipedia.org/wiki/WinExe
- Running winexe for the user marie, the command prompts for her password in cleartext:
- In contrast, pth-winexe, a patched version of winexe can be used to get a remote shell just providing the username and the hash of the password (no cleartext password is needed):
https://www.kali.org/tutorials/pass-the-hash-toolkit-winexe-updates/
- The first step for using pth-winexe is to take a user's password hash and export it as the enviroment variable SMBHASH:
- Running pth-winexe launches a remote command line from the targeted Windows 7 machine:
