pth
sekurlsa::pth performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Once the supplied key material has been written into a new logon session, a program is run in that session (by default cmd.exe). It takes the following command line arguments:
- /user: the username to impersonate. Note that Administrator is not the only name for this well-known account (RID 500); it is often renamed.
- /domain: the fully qualified domain name. If Active Directory Domain Services are not in use, or for a local user/admin, a computer or server name or workgroup can be used instead.
- /rc4 or /ntlm: the RC4 key / NT hash (derived from the user's password).
- /aes128: the AES128 key derived from the user's password and the realm of the domain.
- /aes256: the AES256 key derived from the user's password and the realm of the domain.
- /run: the command line to run (defaults to cmd.exe).
- /luid: the locally unique identifier of an existing logon session. When supplied, the credential material of that session is replaced instead of a new logon (and process) being created. According to Microsoft, a LUID is a 64-bit value guaranteed to be unique only on the system on which it was generated, and only until that system is restarted.
- /impersonate: performs user token impersonation. Note that no new process is spawned; the token is applied to the process running Mimikatz.
Doing Pass-the-Hash this way means patching credential material into LSASS, so it requires elevated privileges: either run privilege::debug first (from an administrative, high-integrity process, so that SeDebugPrivilege can be enabled) or execute Mimikatz as NT AUTHORITY\SYSTEM. This does not apply to Pass-the-Ticket (kerberos::ptt), which submits the ticket through an official API and works from an unprivileged session.
mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7
user : Administrator
domain : hacklab.local
program : cmd.exe
impers. : no
NTLM : b09a14d2d325026f8986d4a874fbcbc7
| PID 5896
| TID 4620
| LSA Process is now R/W
| LUID 0 ; 82772120 (00000000:04ef0098)
\_ msv1_0 - data copy @ 0000023A0E8BD5C0 : OK !
\_ kerberos - data copy @ 0000023A0E9FF5A8
\_ des_cbc_md4 -> null
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ *Password replace @ 0000023A0E941CE8 (32) -> null
With token impersonation
As can be seen in the following output, hacklab\optimus is a low-privileged user in the HACKLAB.LOCAL Active Directory domain:
An attempt to DCSync with that user's credentials results in the following:
However, by running sekurlsa::pth with the hash of an account that holds replication rights and the /impersonate option, DCSync can be performed from the same Mimikatz session, without spawning a new window:
According to Benjamin Delpy, the author of Mimikatz, the following must be taken into consideration:
This command does not work with minidumps (nonsense)
This new version of 'Pass-The-Hash' replaces the RC4 keys of Kerberos by the NT hash (and/or replaces the AES keys). It allows the Kerberos provider to ask for TGT tickets.
The NT hash is mandatory on XP/2003/Vista/2008, and on 7/2008r2/8/2012 before kb2871997 (AES not available or replaceable).
AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case an NT hash is not required.