
Pass the Hash question


Bob123


Question for y'all on hashes and Win7. A little background on my setup. I have a Windows machine with a Kali VM, a WinXP VM, a Win7 Pro VM, and a Win7 Enterprise VM. I set up the same username and password on all Windows machines and also made sure that user was part of the Administrators group. So the same across the board. The hashes look like they are in two parts with a : between them. The second part seems the same, but the first part is different between the WinXP VM and the Win7 Pro VM. Why is that? Both VMs have an admin account, and those hashes are both exactly the same. So the two hashes work, but why are they different? Same username, same member of the groups, and most importantly the same password.

Second question. I have a Win7 Enterprise VM running. I did exactly the same to it as I did with the Win7 Pro VM, yet every time I try either of the hashes I get a STATUS_ACCESS_DENIED. What makes Enterprise different?

My first setup was a Linux box using KVM with a WinXP VM and a Win7 Enterprise VM, thinking it was Linux or something else going on, but I can now confirm that Enterprise is the issue. If anyone has any info, that would be great. If not, no big deal. I'm going to create a Win7 Pro VM on my Linux box and see if it works as planned, which I assume it will.

Thanks.


  • 3 weeks later...

Not really sure if I understood your questions and your scenarios. It would probably make more sense if you pasted the hashes here so people can see what you're talking about but I will try to answer anyway.

You need to identify what hashes you are capturing first because Windows uses several authentication protocols. Compatibility/group policy will determine which authentication protocol is used and subsequently the hashing algorithm. For example, Windows 7 does not support LM hashes by default but Windows XP is backward compatible so it can.

NTLM hashes are not salted, which means that if you computed the "password" value into a hash value multiple times, you will always get the same resulting hash.

NTLMv2 hashes, on the other hand, are salted, which means if you converted the same password value multiple times into a hash value then you will always get a completely different looking hash each time.

Identifying the hashes first will help you figure out what you can do with them because you won't be able to use NTLMv2 hashes in a pass the hash attack.

Some useful reference material for identifying hashes:

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

