Pass the Hash Attack with Mimikatz and PsExec

ID: T1550.002

Sub-technique of: T1550

The Pass the Hash (PtH) attack lets an attacker authenticate to a Windows system with a user's NTLM hash instead of the plaintext password. It works because NTLM's challenge-response protocol only ever needs the NT hash as its key: whoever holds the hash is, to NTLM, indistinguishable from the user. In this tutorial, you'll learn how to execute a PtH attack using Mimikatz and extend the attack using PsExec for lateral movement across networked systems.

Pre-Requisites

Before we begin, ensure you have the following:

  • Access to the Target System: You must already have local administrator (or SYSTEM) privileges on a compromised machine; LSASS memory cannot be read without them, so no hashes can be extracted.

  • Mimikatz Installed: Download Mimikatz from its official GitHub repository.

  • PsExec Tool: Download PsExec from the Microsoft Sysinternals website.

  • Windows Environment: This tutorial assumes Windows on both sides, because Mimikatz and Sysinternals PsExec are Windows binaries. The remote targets must expose SMB (TCP 445), which is what PsExec authenticates to.

Step 1: Downloading and Setting Up Mimikatz

To start, you need to download and set up Mimikatz on your system.

  1. Download Mimikatz:

    • Download the latest release, typically available as a .zip file.

    • Extract the contents of the .zip file to a folder on your machine.

  2. Running Mimikatz:

    • Navigate to the folder where you extracted Mimikatz.

    • Right-click on mimikatz.exe and select "Run as administrator" to launch it with elevated privileges.

    Mimikatz requires administrative privileges to interact with the Local Security Authority Subsystem Service (LSASS) and extract credentials.

Step 2: Extracting Hashes with Mimikatz

Once Mimikatz is running with administrative privileges, you can extract the NTLM hashes.

  1. Enable Debug Privileges: Mimikatz needs SeDebugPrivilege to open a handle to LSASS. Request it with the following command:

    privilege::debug

    If successful, Mimikatz will display "Privilege '20' OK".

  2. Extracting Password Hashes: Use the following command to extract NTLM hashes from the current session:

    sekurlsa::logonpasswords

    This command lists every logon session currently held in LSASS and the credential material cached for each one, including NTLM hashes. Look for the NTLM field in the output (under the msv block of a session), which contains the hash you'll use for the PtH attack. Two caveats: you only get hashes for accounts that have actually logged on to this machine since the last reboot, and on hosts with Windows Defender Credential Guard enabled, sekurlsa will not return NTLM hashes for domain accounts at all.

Step 3: Performing the Pass the Hash Attack

With the NTLM hash in hand, you can now perform the PtH attack to impersonate the user associated with that hash.

  1. Using the NTLM Hash with Mimikatz: Mimikatz allows you to authenticate using the extracted NTLM hash without needing the plaintext password. Run the following command to initiate the attack:

    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM_HASH

    Replace USERNAME with the user's name, DOMAIN with the network domain, and NTLM_HASH with the extracted hash.

    After executing this command, a new command prompt opens (cmd.exe by default; add /run:PROGRAM to launch something else). Note what has and has not changed: locally, this process still runs under your own token, so whoami shows your original account and you gain no local privileges. What Mimikatz replaced is the credential material in LSASS for the new process's logon session, so whenever this process authenticates to a remote host over NTLM, it uses the injected hash and is treated there as USERNAME. (Mimikatz also installs the hash as the session's Kerberos RC4 key, so Kerberos tickets requested from this prompt are issued for USERNAME as well.) Everything you launch from this prompt inherits that session, which is what the next step relies on.

Step 4: Lateral Movement with PsExec

To extend the attack and move laterally across the network, you can use PsExec, a Sysinternals tool that executes commands on remote systems. It works by connecting to the remote host's ADMIN$ share over SMB, copying its service binary (PSEXESVC.exe) there, and registering it as a service, so the account you act as must be a local administrator on the remote machine.

  1. Download and Setup PsExec: PsExec is part of the Sysinternals PsTools package. Extract psexec.exe to a folder on the compromised machine (the one where you ran Mimikatz), because it must be launched from the command prompt that sekurlsa::pth opened.

  2. Using PsExec from the Pass the Hash session: Sysinternals PsExec has no option that accepts an NTLM hash; its -p switch takes a plaintext password, so passing the hash there only produces a logon failure. Instead, run PsExec from inside the command prompt that sekurlsa::pth opened and omit -u and -p entirely. With no explicit credentials, PsExec authenticates to the remote host's SMB service with the caller's logon session, which now carries the injected hash:

    psexec.exe \\TARGET_SYSTEM cmd.exe

    Replace TARGET_SYSTEM with the hostname or IP address of the remote machine. The impersonated account must be a local administrator there, since PsExec needs to write to ADMIN$ and create a service.

    This command opens a command prompt on the remote system running as the impersonated user (add -s before cmd.exe to run the service as SYSTEM instead). From here, you can execute further commands, perform actions, or explore the system. If the connection fails with "Access is denied", check that you are in the pth prompt and not your original one, and that the account really is a local administrator on the target.

Step 5: Cleaning Up After the Attack

After completing the PtH attack, it's important to clean up to limit the evidence you leave behind.

  1. Close the Session: Exit the remote command prompt once you've finished. PsExec removes the PSEXESVC service and binary when the session ends cleanly; a session that is killed instead can leave both on the target, which is a lasting indicator.

  2. Clear Logs: Consider clearing event logs or other traces that could reveal your activities. Mimikatz offers commands to interact with the event logs:

    event::clear

    This command clears the Security log on the machine Mimikatz is running on (not on the remote target), making it more difficult for security teams to trace your actions. Be aware of the trade-off: clearing the log cannot be done silently, because Windows immediately writes Event ID 1102 ("The audit log was cleared") to the fresh log, and any events already forwarded to a SIEM are unaffected. Most rules of engagement forbid destroying logs, so do this only when the engagement explicitly permits it.

OPSEC Considerations

When performing a Pass the Hash attack, adhering to OPSEC (Operational Security) principles is crucial to avoid detection. Know what each step writes to the logs: sekurlsa::pth creates a NewCredentials logon (Event ID 4624, logon type 9, logon process "seclogo") on the machine where you run Mimikatz; the remote target records an NTLM network logon (4624, logon type 3, authentication package NTLM) for the impersonated user; and PsExec adds a write to ADMIN$ (5145 with PSEXESVC.exe as the target file) and a service installation (7045, service name PSEXESVC) to the target's logs. Each of these is a well-known detection, so spread activity across different source hosts where you can, reuse a given hash against as few targets as necessary, space actions out in time so they are hard to correlate, and rename PsExec's service where the engagement allows, since the default name is a signature in itself.

Integrating these techniques into your Red Team or simulated attack activities is essential for maximizing effectiveness while minimizing the risk of exposure.

Conclusion

This tutorial provides a detailed walkthrough on how to perform a Pass the Hash attack using Mimikatz and extend the attack with PsExec for lateral movement. By carefully collecting NTLM hashes and applying rigorous OPSEC practices, you can effectively compromise target systems while maintaining a low profile within your target environment.
