Level: Intermediate
Context
Pass-the-Hash is a technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.
Every Windows machine is vulnerable to Pass-the-Hash.
Mimikatz is an attack tool that can dump password hashes from the SAM database and from LSASS process memory.
It can also be used to pass the hash to authenticate against remote machines.
Excerpt
Use Mimikatz to dump password hashes from a Windows machine, then pass the hash of a user to authenticate to a remote machine using PSEXEC.
Learning Outcome
– Attackers use pass-the-hash to move from one machine to another.
– They move across the network to search for information they want to steal, tamper with, or destroy.
– Completing this exercise teaches you how to move laterally across Windows networks.
Instructions
– Set up two Windows machines that can communicate with each other over SMB and RPC
– On each machine, create a local administrator user configured with the same username and password
– Confirm that you can PSEXEC from one machine to the other using the credentials of the user
– On one machine, create a new local administrator account and use that account to dump NTLM hashes using Mimikatz
– Obtain the first user’s NTLM hash from the SAM database or LSASS’s process memory
– Use Mimikatz’s pass-the-hash command to spawn a cmd.exe with the hash of the first user
– Confirm that you can use that instance of cmd.exe to PSEXEC into the second machine
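Once the lateral movement above works in the lab, the second half of the lesson is knowing what it leaves behind. The following is an added defender-side example (my own code, not part of the exercise or of Mimikatz): it scans Windows event records for the two traces this exercise produces, the NewCredentials logon (Event ID 4624, LogonType 9, LogonProcessName "seclogo") that Mimikatz's pass-the-hash spawn creates on the machine where the hash is injected, and an NTLM network logon (4624, LogonType 3) followed shortly by a service install (System log Event ID 7045, PSEXESVC by default for PsExec) on the machine that is reached. The events are constructed sample dicts keyed by the Security log's field names; hostnames, usernames, IP addresses and timestamps are invented, and the two-minute pairing window is an assumed tuning value.

```python
"""Detection helper for the pass-the-hash lab (added example, not exercise code).

Events are plain dicts using the Windows event log field names. In a real
deployment they would be parsed from an EVTX export or a SIEM query; the
records below are constructed sample data, not captured logs.
"""
from datetime import datetime, timedelta

# Assumed tuning value: how soon after the NTLM logon a 7045 must appear to be paired.
SERVICE_INSTALL_WINDOW = timedelta(minutes=2)

# Constructed sample events (hostnames, users, IPs and times are invented).
T = lambda h, m, s: datetime(2024, 1, 1, h, m, s)
SAMPLE_EVENTS = [
    # Benign interactive console logon on HOST-A earlier in the day.
    {"EventID": 4624, "Computer": "HOST-A", "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "labadmin", "Time": T(9, 0, 0)},
    # Mimikatz pass-the-hash spawn on HOST-A: NewCredentials logon via the seclogo process.
    {"EventID": 4624, "Computer": "HOST-A", "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "labadmin", "Time": T(10, 0, 0)},
    # NTLM network logon on HOST-B from HOST-A using the injected credentials.
    {"EventID": 4624, "Computer": "HOST-B", "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "labadmin",
     "IpAddress": "10.0.0.5", "Time": T(10, 0, 30)},
    # PSEXEC installs its service on HOST-B a few seconds later.
    {"EventID": 7045, "Computer": "HOST-B", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Time": T(10, 0, 35)},
    # Benign Kerberos network logon on HOST-B (no service install follows it).
    {"EventID": 4624, "Computer": "HOST-B", "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "Time": T(10, 5, 0)},
    # Unrelated service install on HOST-A with no preceding NTLM logon.
    {"EventID": 7045, "Computer": "HOST-A", "ServiceName": "UpdateAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe", "Time": T(10, 10, 0)},
]


def find_pth_logons(events):
    """Return 4624 events matching a Mimikatz-style hash injection on the source host."""
    return [
        e for e in events
        if e.get("EventID") == 4624
        and e.get("LogonType") == 9
        and str(e.get("LogonProcessName", "")).lower() == "seclogo"
    ]


def find_ntlm_logon_then_service(events, window=SERVICE_INSTALL_WINDOW):
    """Pair NTLM network logons with a 7045 service install on the same host inside `window`.

    Returns a list of (logon_event, service_event) tuples in time order.
    """
    ordered = sorted(events, key=lambda e: e["Time"])
    ntlm_logons = [
        e for e in ordered
        if e.get("EventID") == 4624
        and e.get("LogonType") == 3
        and str(e.get("AuthenticationPackageName", "")).upper() == "NTLM"
    ]
    installs = [e for e in ordered if e.get("EventID") == 7045]
    pairs = []
    for logon in ntlm_logons:
        for svc in installs:
            same_host = svc.get("Computer") == logon.get("Computer")
            in_window = logon["Time"] <= svc["Time"] <= logon["Time"] + window
            if same_host and in_window:
                pairs.append((logon, svc))
    return pairs


def summarize(events):
    """Return a short summary dict suitable for alerting or a test assertion."""
    pth = find_pth_logons(events)
    pairs = find_ntlm_logon_then_service(events)
    return {
        "pth_source_hosts": sorted({e["Computer"] for e in pth}),
        "psexec_target_hosts": sorted({svc["Computer"] for _, svc in pairs}),
        "service_names": sorted({svc["ServiceName"] for _, svc in pairs}),
    }


if __name__ == "__main__":
    for host in summarize(SAMPLE_EVENTS)["pth_source_hosts"]:
        print(f"[!] NewCredentials logon via seclogo on {host} (possible pass-the-hash injection)")
    for logon, svc in find_ntlm_logon_then_service(SAMPLE_EVENTS):
        print(f"[!] NTLM logon as {logon['TargetUserName']} from {logon.get('IpAddress')} "
              f"on {svc['Computer']} followed by service install {svc['ServiceName']}")
```

The seclogo rule fires on the machine where Mimikatz runs, so it needs Security log collection from workstations, not only from servers; the logon-then-service rule fires on the destination and is the one a domain-wide SIEM is more likely to see. Both are high-signal in a lab; in production, LogonType 9 also appears for legitimate `runas /netonly`, so the alert should carry the parent process for triage.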
Assignment submission instructions:
Click the button below to record your screen and proceed with the exercise.
Please make sure your video is less than 3 min long.
When finished, stop the recording and press the “submit” button in the window below.