
Pass the hash



Hey everyone,

Do you guys know anything about "pass the hash" techniques?

I've got a little .exe that will dump all the hashes from the local SAM which I have used on a VMware machine.

All my VM machines have the same admin password ( Just like the real world, right?)

I would like to use some "run as" command to inject the hash and gain access to another machine on the network.

Now, I know all the Sys Admins on this forum use different passwords for all the machines that you administer and have a copy of Winternals or the like in case a NIC or NIC driver goes down and you need local access but, does anyone have any thoughts on this?

Google can't help me, can you?

All I'm looking for is a program that can inject a hash into a session to let me have control of a machine.


P.S. Before you ask, I'm not stupid enough to try this in real life (yet)


To simulate a remote exploit, I'm simply using a psexec connection to the compromised server: 8)


In this first scenario I'm running a Truesec tool named Gsecdump to dump the logged-on hashes. I can see that both a user from the hell-domain named marcus is logged on as well as a local account named service1.

My next step will be to use the domain-joined password hash to connect to the domain controller.


Before I do that I will try to connect to the domain controller without the hash to prove that I do not currently have credentials to access the domain controller:

I'm trying to set up a net use session and, just as expected, my current credentials don't allow me to mount the hard drive on the domain controller.

So, my approach would be to start a new session on our local attack-machine and inject the hash into that session:


The Msvctl tool is a Truesec internal tool that we use in this case to create something similar to a “runas”-session, but instead of using a username and a password we are simply injecting the hash.


The Truesec Msvctl tool will initiate a new cmd session in the context of the user marcus with the injected hash:

Now when we run the net use command again I'm allowed to mount the hard drive on the domain controller. This works since the Marcus account is a member of the Domain Admins group.

The natural finish would be to run the Gsecdump tool again and extract the password hashes from the entire active directory database:


This means that since we can extract all the password hashes we now can impersonate any account in the entire domain using the Msvctl tool.

Another thing that deserves to be mentioned is that the exact same method can be used to extract the local hashes stored in the SAM (Security Account Manager) database of a client or a server:


In my experience as a pen tester, most environments still use identical local administrative accounts and passwords between servers and clients. The effect of this is that I can take the local hashes from this computer and use them to gain full access to other servers or clients. This drastically increases the chance that I will be able to extract logged-on hashes from any member of the Domain Admins group since I will control a greater number of computers.

(In this demo I have deliberately left out a lot of info on what the Truesec-tools do exactly and we will not make the msvctl tool publicly available.)


This attack proves that if one computer is fully compromised then the attacker can directly impersonate all the logged on accounts and the accounts stored in the local SAM database or Active Directory Database.

Other important things that need to be mentioned:


The first natural reaction would be to think that PKI-based smart card logon would solve the problem. Even though I'm personally a big fan of PKI/smart-card-based authentication, it doesn't prevent this attack.

The issue is that LM/NTLM can still be used for network logon even if the users are using smart cards to authenticate.

(The security settings in Windows can't force smart-card-based logon for network access, only interactive.)

The fact that passwords will be changed into long randomized passwords when you implement smart cards doesn't change anything. The hash is still there and we are simply using that hash, not the password.

Using the same password for different users

It's really easy to try the extracted hashed passwords for different user accounts. My experience from the field is that it's very common that admins reuse passwords between service accounts, their regular user accounts and their administrative accounts. This means that the low privileged user account that we extract from the admin's desktop often gives us control over important servers and sometimes even the entire domain.

The length of the password is not of importance in this scenario

In this scenario it doesn't really matter if a password is a one character password or a complex 127 character password since we are only using the hash.

A simple security or registry setting is NOT all it takes to get rid of LM/NTLM hashes for network authentication

The highest setting (even in Windows Vista) is "Network Security: LAN Manager Authentication Level = Send NTLMv2 response only".

If we could enforce Kerberos or native PKI/smartcard authentication for network authentication this could solve the problem. You can actually do this but it will require an IPSEC authentication implementation in the network.


The purpose of this post is to generate a discussion on potential countermeasures. I have many thoughts of my own on this topic, but before I post them I'm very interested in ideas from others.

Good luck, hope this works :cool:

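Two points in the post above are what a defender can actually measure: the NT hash is a fixed 16 bytes whatever the password length (so a 127-character password is no harder to replay than a one-character one), and because it is unsalted, a reused local Administrator password produces the identical hash on every machine, which is exactly what lets one compromised host open the others. The Python below is an added example for this thread, not a tool from the posts or from Truesec: it implements the NT hash (MD4 over the UTF-16LE password, per RFC 1320) and audits constructed pwdump-style export lines from several hosts for shared Administrator hashes, which is the check an admin would run over their own inventory before an attacker does. Host names, passwords and hash values in the sample are made up.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320, in pure Python because OpenSSL 3 builds of
    hashlib frequently no longer expose md4 by default."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1, X[0..15] in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2, column order
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3, bit-reversed order
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password. No salt, always 16 bytes (32 hex chars)."""
    return md4(password.encode("utf-16-le")).hex()


def find_shared_admin_hashes(exports: dict, rid: str = "500") -> dict:
    """Group hosts by the NT hash stored for the given RID (500 = built-in Administrator)
    in pwdump-format lines 'user:rid:lmhash:nthash:::'. Returns only the hashes that
    appear on more than one host, i.e. the machines that share a local admin password."""
    by_hash = defaultdict(list)
    for host, text in exports.items():
        for line in text.splitlines():
            parts = line.strip().split(":")
            if len(parts) >= 4 and parts[1] == rid:
                by_hash[parts[3].lower()].append(host)
    return {hsh: sorted(hosts) for hsh, hosts in by_hash.items() if len(hosts) > 1}


# Constructed sample: exports from four hypothetical hosts of our own, no real data.
# The LM field is the standard "LM hash not stored" value; NT hashes come from made-up passwords.
_LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_EXPORTS = {
    "ws01": f"Administrator:500:{_LM_EMPTY}:{nt_hash('Summer2009!')}:::\n"
            f"Guest:501:{_LM_EMPTY}:{nt_hash('')}:::",
    "ws02": f"Administrator:500:{_LM_EMPTY}:{nt_hash('Summer2009!')}:::",
    "srv01": f"Administrator:500:{_LM_EMPTY}:{nt_hash('Summer2009!')}:::",
    "srv02": f"Administrator:500:{_LM_EMPTY}:{nt_hash('a completely different forty character passphrase')}:::",
}

if __name__ == "__main__":
    # Same digest length for a 1-character and a 127-character password.
    print(len(bytes.fromhex(nt_hash("a"))), len(bytes.fromhex(nt_hash("x" * 127))))
    for hsh, hosts in find_shared_admin_hashes(SAMPLE_EXPORTS).items():
        print(f"Administrator hash {hsh} is shared by: {', '.join(hosts)}")
```

The audit only needs the RID-500 line from each host, so it works on the output of whatever dump tool the environment already uses; any hash that comes back with more than one host is a machine set that falls together the moment one of them is compromised. Giving each host a unique local Administrator password (and disabling LM storage, as the sample's empty LM field shows) makes the grouping return nothing.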


I have heard of the Truesec stuff and their Msvctl tool. It appears that this has never been released and never will be.

I'm doing my first ever contract and I'm a bit concerned about the same admin password being used for everything. I guess my question is more about how serious this is. I imagine that it's only the guys from Truesec that have the Msvctl tool but, is this an easy thing to write or is there a skiddie program out there that will do this for you?

There must be loads of companies out there that re-use passwords. How do they get round this?

Is it even common?

Even if the same password is used, can hash injection be avoided?

Thanks for your help,



This is actually very interesting, since you seem to only need the hashes, and not the actual password. By injecting hashes into an already running session, you bypass the need to actually know the password, correct?

I really wish I could get my hands on that tool to play around with on my home network, but alas, such things probably shouldn't be released, as they would ultimately get into the wrong hands.
