Penetration Testing Explained, Part VI: Passing the Hash

Michael Buckbee
2 min read
Published January 6, 2016
Last updated June 30, 2022

We’re now at a point in this series where we’ve exhausted our standard tricks for stealing credentials: guessing passwords, or brute-forcing the hash itself. What’s left is a clever idea called passing the hash, or PtH, which reuses a password credential without ever recovering the plaintext. It works because NTLM authentication only ever proves possession of the password’s hash, so for the protocol the hash is as good as the password.

Mimikatz

Remember the simple test environment I had set up?

I have a Windows domain with two servers for the mythical Acme company, with its beer-based server naming scheme. Playing the part of the pen tester, I landed on employee Jane’s server, initially using a RAT, and then at some point was able to pop a shell. My goal is to gain the credentials of another user with higher privileges and broader access rights than Jane, in other words to move laterally to Bob’s amstel server.

In our last post, I showed you how to dump the local user hashes with fgdump.

Let’s now meet mimikatz, developed by Benjamin Delpy.


Mimikatz is an amazingly powerful tool that reads credential material out of the lsass process (the Local Security Authority Subsystem Service, which holds the secrets for every logon session on the box) and can launch programs under those stolen credentials.

You can download the mimikatz binary from GitHub. Mimikatz runs lean, with a total payload of about 395 KB. Expect endpoint protection to flag the stock binary on sight, so in a real engagement you will usually have to disable it in the lab or bring a rebuilt copy.

The software has its own mini command language. The first command you’ll want to enter is privilege::debug, which asks Windows for SeDebugPrivilege, the right you need to open the memory of a SYSTEM-owned process such as lsass (see below).

To use mimikatz this way you need local administrator privileges (or a SYSTEM shell), the same as you did with fgdump; privilege::debug only succeeds if the account already holds that right.

Plaintext Passwords?!

After entering sekurlsa::logonpasswords, you’ll see a listing of every active logon session, users and services alike, along with the associated NTLM and SHA1 hashes. The first surprise is that for interactively logged-on users, this pass-the-hash utility also displays the plaintext password.

I was under the impression that Windows would never do something so silly.

Technically, it doesn’t. The region of lsass memory where the password is kept is encrypted in place. But the keys that decrypt it also live in lsass (Windows exposes the same mechanism to its own components as LsaProtectMemory and LsaUnprotectMemory), so mimikatz simply locates those keys in the process and decrypts the data itself.

After doing some research, it turns out that Windows keeps the plaintext around for the WDigest security package, which implements HTTP Digest authentication: Digest needs the actual password to compute its challenge response, so the package caches it at logon. You can read more about it here.

In 2014, Microsoft responded to this security hole with a patch (KB2871997) that lets sysadmins stop WDigest from caching the password. This Microsoft advisory explains how: set the registry value UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and reboot so that every logon session picks up the new behavior. Btw, in Windows 8.1 and Server 2012 R2 and later the default is already not to store plaintext passwords in lsass; the patch back-ports that behavior to Windows 7, 8, Server 2008 R2 and 2012. Note that an attacker who already has admin rights can flip the value back to 1 and simply wait for the next logon, so the key is worth monitoring for changes.

So as a pen tester, I learned that Jane’s server at minimum needs the UseLogonCredential hardening and, if it is running an older Windows, the patch that makes the setting available in the first place.

Pass the Hash

The whole point of mimikatz is that you don’t need the actual password text, just the NTLM hash, because the protocol treats the hash itself as the secret.

Hackers are especially on the lookout for the hashes of admin-level domain accounts. Once they have those, it becomes relatively straightforward to use mimikatz to make the lateral move, since a domain account’s hash is accepted by every machine in the domain.

For my pen testing scenario, I had previously logged into Jane’s computer as user “bigadmin”, a domain-level account with elevated privileges.

As a proof of concept, I then logged directly into Jane’s server. Mimikatz’s sekurlsa::pth command is the way you start another program under a logon session that authenticates with a supplied NTLM hash.

In my test, I passed bigadmin’s NTLM hash to psexec. Remember that utility?

Psexec lets you remotely execute commands, in this case the Windows cmd shell program. As you can see from the screen capture, I’m now in amstel, the other server in the Acme environment, but logged in as bigadmin. Technically, I am “overpassing the hash” to psexec; more about this in my next post.

Slick!

One of the lessons from using mimikatz is that you should limit users’ networking capabilities, and set a policy to prevent domain-level admins from logging into an ordinary user’s machine: every interactive logon (console, RDP, runas) leaves that account’s hash in lsass for as long as the session exists, and anyone who is local admin on that box can harvest it. Smart hackers equipped with mimikatz can leverage these hashes, as we just saw, to move around a target network.

I’ll continue my mimikatz exploration in my next and final post in this series.

