Throwback — Part 4 — Pass the Hash
In Part 2 we got a meterpreter shell after successfully phishing BlaireJ. In Part 3, after gaining an Administrator shell, we could run Mimikatz and retrieve more credentials and hashes. In Part 1 we had already obtained the hash of HumphreyW. In this part we will pass these hashes to the machines on the network and test where they give us access.
Pass the Hash
In a Pass the Hash attack we authenticate with the hash itself, without ever knowing or cracking the password. This works because NTLM is a challenge-response protocol in which the client proves possession of the NT hash (the unsalted MD4 of the UTF-16LE password), not of the password: the response to the server's challenge is computed from the hash alone, and the domain controller verifies it with the same hash it has stored. The NT hash is therefore a password equivalent on any Windows network that still accepts NTLM authentication, and the same hash works against every host in the domain until the password is changed.
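To make that concrete, here is an added example (not from the original post) that computes an NTLMv2 challenge response the way MS-NLMP 3.3.2 specifies and then verifies it the way a domain controller does. Everything in it is constructed sample data: the made-up password, the challenges, the target host name in the AV pairs and the hex "dump" the attacker starts from; the pure-Python MD4 fallback is there only because OpenSSL 3 builds often ship with MD4 disabled.

```python
"""
Added example (not from the original post): why the NT hash alone is enough
to answer an NTLMv2 challenge. User, domain, password and challenge values
below are constructed sample data, not the real Throwback credentials.
"""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M

def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4, used when OpenSSL marks MD4 as 'legacy' and hashlib refuses it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, _lrot((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # MD4 not available in this OpenSSL build
        return _md4_pure(data)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: unsalted MD4 over the UTF-16LE password. This is the value Mimikatz dumps."""
    return md4(password.encode("utf-16le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (MS-NLMP 3.3.2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def av_pairs(nb_domain: str, nb_computer: str) -> bytes:
    """Minimal TargetInfo: MsvAvNbDomainName, MsvAvNbComputerName, then MsvAvEOL."""
    out = b""
    for av_id, value in ((2, nb_domain), (1, nb_computer)):
        enc = value.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(enc)) + enc
    return out + struct.pack("<HH", 0, 0)

def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp. Only the NT hash enters here."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp

def dc_verifies(stored_nt, user, domain, server_challenge, nt_challenge_response):
    """Server side: recompute NTProofStr from the stored hash and compare. Nothing here
    can distinguish a client that knows the password from one that only knows the hash."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)

def pass_the_hash_demo() -> dict:
    """Constructed scenario: the attacker holds only the hex NT hash, as dumped by Mimikatz."""
    user, domain = "BlaireJ", "THROWBACK"
    stored_nt = nt_hash("Summer2020!")      # made-up password; what the DC has on file
    dumped_hex = stored_nt.hex()            # what the attacker pastes after crackmapexec -H
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed, sent by the target
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")   # constructed, chosen by the client
    timestamp = struct.pack("<Q", 0)                       # FILETIME field, zero in this sample
    target_info = av_pairs(domain, "THROWBACK-WS01")
    good = ntlmv2_response(bytes.fromhex(dumped_hex), user, domain,
                           server_challenge, client_challenge, timestamp, target_info)
    bad = ntlmv2_response(nt_hash("guess"), user, domain,
                          server_challenge, client_challenge, timestamp, target_info)
    return {"dumped_hash": dumped_hex,
            "accepted_with_hash_only": dc_verifies(stored_nt, user, domain, server_challenge, good),
            "accepted_with_wrong_hash": dc_verifies(stored_nt, user, domain, server_challenge, bad)}

if __name__ == "__main__":
    print(pass_the_hash_demo())
```

The point to take away is in dc_verifies: the verifier only ever holds the NT hash, so there is nothing it could check to tell a client that typed the password apart from one that pasted the hash. nt_hash shows where that hash comes from: an unsalted MD4, which is why a dumped hash is valid for the whole domain and not for one machine.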
Before we can start the Pass the Hash attack we need to tunnel our traffic into the target network, because some of the resources inside the network are not accessible from outside.
Metasploit's post/multi/manage/autoroute module adds a route for the target subnet through the compromised host. Background the meterpreter session with the “bg” command, select the module with “use post/multi/manage/autoroute”, set “SESSION” to the meterpreter session you want to pivot through and “SUBNET” to the target network (10.200.70.0/24 here), then type “run”. Autoroute only adds the route to Metasploit's own routing table; to push other tools' traffic through it, additionally start a SOCKS server with the auxiliary/server/socks_proxy module (auxiliary/server/socks4a in older Metasploit versions). By default it listens on 127.0.0.1:1080 and forwards connections along the routes autoroute added, which is the proxy we can use with proxychains.
Proxychains must be configured to use that proxy: the entry in /etc/proxychains.conf has to match the SOCKS version and the port the module is listening on (socks4 and the default port 1080 here). After that we put “proxychains” in front of every command to tunnel its connections into the target network. Keep in mind that a SOCKS proxy only carries TCP, so ICMP and UDP based tools will not work through it; nmap, for example, needs a connect scan with host discovery disabled (“-sT -Pn”).
Performing Pass the Hash
Next we use crackmapexec to perform the Pass the Hash attack against the whole subnet. With the following command we pass the hash of BlaireJ to every host in 10.200.70.0/24; crackmapexec prints a [+] for each host where the credential is accepted and appends “(Pwn3d!)” where the account also has local administrator rights. “-H” takes the NT hash (or LM:NT); for a local rather than a domain account add “--local-auth” instead of “-d”.
proxychains crackmapexec smb 10.200.70.0/24 -u BlaireJ -d THROWBACK -H BLAIREJ_HASH
Repeat this step with every username and the corresponding hash we found. After that you should have found both users that are able to log into THROWBACK-WS01.
There is not much you can do about this as long as NTLM is still needed in your environment: the NT hash is a password equivalent by design, and every host that accepts NTLM will accept it. What you can do is shrink the set of hashes worth stealing and watch for their use. Put highly privileged accounts in the Protected Users group (its members cannot authenticate with NTLM at all), give every host a unique local administrator password (for example with LAPS) so that one dumped local hash does not open the whole subnet, and use the “Restrict NTLM” policies to audit and then block NTLM where nothing depends on it. Monitor for Pass the Hash attacks: on the targets they show up as Event ID 4624 network logons (logon type 3) with authentication package NTLM, and a sweep like the one above produces them on many hosts from a single source within seconds. Where possible switch to Kerberos authentication, bearing in mind that while RC4 is still enabled the same NT hash can be used to request Kerberos tickets (overpass the hash), so the hash only stops being enough once Kerberos is AES-only as well.
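As an added example (not from the original post), the following detection logic runs over constructed 4624-style records that imitate what the targets of the sweep above would log. Every hostname except THROWBACK-WS01, every IP address and every timestamp is made up, including the assumed address of the phished workstation our traffic is routed through. The logic groups NTLM network logons by source address and account and alerts when one pair reaches several hosts inside a short window, which is exactly the footprint of a crackmapexec run over a /24. Note that from the targets' point of view the source is the compromised host, not our own machine.

```python
"""
Added example (not from the original post): spotting a pass-the-hash sweep in
Windows Security log Event ID 4624 records. The records below are constructed
samples; every hostname except THROWBACK-WS01, every IP address and every
timestamp is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address of the phished workstation our autoroute/proxychains traffic exits from.
PIVOT = "10.200.70.50"

SAMPLE_EVENTS = [
    # Kerberos console logon: normal, never flagged.
    {"TimeCreated": "2020-09-01T10:00:01", "Computer": "THROWBACK-WS01", "EventID": 4624,
     "LogonType": 2, "AuthenticationPackageName": "Kerberos", "TargetUserName": "HumphreyW",
     "TargetDomainName": "THROWBACK", "IpAddress": "-"},
    # Machine account over NTLM: constant background noise, excluded by the '$' rule.
    {"TimeCreated": "2020-09-01T10:00:05", "Computer": "SRV-01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "THROWBACK-WS01$",
     "TargetDomainName": "THROWBACK", "IpAddress": "10.200.70.51"},
    # A single NTLM network logon to one host: legitimate-looking, below the sweep threshold.
    {"TimeCreated": "2020-09-01T10:01:00", "Computer": "SRV-02", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "HumphreyW",
     "TargetDomainName": "THROWBACK", "IpAddress": "10.200.70.60"},
    # The crackmapexec sweep: BlaireJ's hash authenticates to one host after another
    # within seconds, and every target records the pivot host as the source address.
    {"TimeCreated": "2020-09-01T10:02:00", "Computer": "SRV-01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "BlaireJ",
     "TargetDomainName": "THROWBACK", "IpAddress": PIVOT},
    {"TimeCreated": "2020-09-01T10:02:01", "Computer": "SRV-02", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "BlaireJ",
     "TargetDomainName": "THROWBACK", "IpAddress": PIVOT},
    {"TimeCreated": "2020-09-01T10:02:02", "Computer": "THROWBACK-WS01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "blairej",
     "TargetDomainName": "throwback", "IpAddress": PIVOT},
]

def is_ntlm_network_logon(ev: dict) -> bool:
    """Event 4624, LogonType 3 (network), authenticated with NTLM, for a real user account."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName") != "NTLM":
        return False
    user = ev.get("TargetUserName", "")
    # Machine accounts end in '$'; ANONYMOUS LOGON is SMB null-session noise.
    return not user.endswith("$") and user.upper() != "ANONYMOUS LOGON"

def detect_hash_sweep(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert when one (source IP, account) pair performs NTLM network logons to at least
    min_hosts distinct computers inside `window`: the footprint of a hash sprayed over a subnet."""
    buckets = defaultdict(list)
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        # Normalise case so 'throwback\blairej' and 'THROWBACK\BlaireJ' are the same account.
        account = ev["TargetDomainName"].upper() + "\\" + ev["TargetUserName"].lower()
        buckets[(ev["IpAddress"], account)].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"]))
    alerts = []
    for (source, account), hits in buckets.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source": source, "account": account,
                               "first_seen": start.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_hash_sweep(SAMPLE_EVENTS):
        print(f"{alert['account']} from {alert['source']} hit {len(alert['hosts'])} hosts "
              f"starting {alert['first_seen']}: {', '.join(alert['hosts'])}")
```

The threshold matters: a single NTLM network logon is normal in most environments, so the rule keys on breadth (many distinct hosts from one source in one window) rather than on any single event. Tune min_hosts and window to your baseline, and feed the same logic the forwarded logs of all hosts, because each target only ever sees its own slice of the sweep.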