Pass the Hash Attack with Mimikatz and PsExec

Last updated 9 months ago

ID: T1550.002

Sub-technique of: T1550

The Pass the Hash (PtH) attack is a powerful technique that allows an attacker to use an NTLM hash, rather than a plaintext password, to authenticate to a Windows system. In this tutorial, you'll learn how to execute a PtH attack using Mimikatz and extend the attack using PsExec for lateral movement across networked systems.

Pre-Requisites

Before we begin, ensure you have the following:

  • Access to the Target System: You must have administrative privileges on a compromised machine to extract the necessary hashes.

  • Mimikatz Installed: Download Mimikatz from its official GitHub repository.

  • PsExec Tool: Download PsExec from the Microsoft Sysinternals website.

  • Windows Environment: Both the target and attacker systems must be running Windows.

Step 1: Downloading and Setting Up Mimikatz

To start, you need to download and set up Mimikatz on your system.

  1. Download Mimikatz:

    • Visit the Mimikatz GitHub page.

    • Download the latest release, typically available as a .zip file.

    • Extract the contents of the .zip file to a folder on your machine.

  2. Running Mimikatz:

    • Navigate to the folder where you extracted Mimikatz.

    • Right-click on mimikatz.exe and select "Run as administrator" to launch it with elevated privileges.

    Mimikatz requires administrative privileges to interact with the Local Security Authority Subsystem Service (LSASS) and extract credentials.

Step 2: Extracting Hashes with Mimikatz

Once Mimikatz is running with administrative privileges, you can extract the NTLM hashes.

  1. Enable Debug Privileges: To allow Mimikatz to perform necessary actions, enter the following command:

    privilege::debug

    If successful, Mimikatz will display "Privilege '20' OK".

  2. Extracting Password Hashes: Use the following command to extract NTLM hashes from the current session:

    sekurlsa::logonpasswords

    This command lists all logged-in users and their associated credentials, including NTLM hashes. Look for the NTLM field in the output, which contains the hash you'll use for the PtH attack.

Step 3: Performing the Pass the Hash Attack

With the NTLM hash in hand, you can now perform the PtH attack to impersonate the user associated with that hash.

  1. Using the NTLM Hash with Mimikatz: Mimikatz allows you to authenticate using the extracted NTLM hash without needing the plaintext password. Run the following command to initiate the attack:

    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM_HASH

    Replace USERNAME with the user's name, DOMAIN with the network domain, and NTLM_HASH with the extracted hash.

    After executing this command, a new command prompt will open. This prompt will have the same privileges as the user whose hash was used, allowing you to perform various actions on the network as that user.

Step 4: Lateral Movement with PsExec

To extend the attack and move laterally across the network, you can use PsExec, a tool that allows you to execute commands on remote systems using the credentials obtained with Mimikatz.

  1. Download and Set Up PsExec:

    • Visit the Microsoft Sysinternals website and download PsExec.

    • Extract PsExec to a directory accessible from the command line.

  2. Using PsExec with Pass the Hash: Assuming you have the NTLM hash and a valid username, you can use PsExec to run commands on another machine in the network. Here’s how:

    psexec.exe \\TARGET_SYSTEM -u DOMAIN\USERNAME -p NTLM_HASH cmd.exe

    Replace TARGET_SYSTEM with the hostname or IP address of the remote machine, DOMAIN\USERNAME with the valid domain and username, and NTLM_HASH with the NTLM hash obtained from Mimikatz.

    This command opens a command prompt on the remote system, running under the context of the user whose hash was used. From here, you can execute further commands, perform actions, or explore the system.

Step 5: Cleaning Up After the Attack

After completing the PtH attack, it’s important to clean up to avoid detection.

  1. Close the Session: Ensure you close the session on the target system once you've finished your operations to reduce the chances of being detected by security monitoring tools.

  2. Clear Logs: Consider clearing event logs or other traces that could reveal your activities. Mimikatz offers commands to interact with the event logs:

    event::clear

    This command clears the event logs on the target system, making it more difficult for security teams to trace your actions.

OPSEC Considerations

When performing a Pass the Hash attack, adhering to OPSEC (Operational Security) principles is crucial to avoid detection. Use different IP addresses for different stages of the attack, avoid reusing hashes or commands that could be easily traced, and ensure that your actions are difficult to correlate.

Integrating these techniques into your Red Team or simulated attack activities is essential for maximizing effectiveness while minimizing the risk of exposure.

Conclusion

This tutorial provides a detailed walkthrough on how to perform a Pass the Hash attack using Mimikatz and extend the attack with PsExec for lateral movement. By carefully collecting NTLM hashes and applying rigorous OPSEC practices, you can effectively compromise target systems while maintaining a low profile within your target environment.
