Pass The Hash
>Basics
- After we have dumped the hashes (from the SAM or NTDS.dit), instead of cracking them we can use the hashes directly to authenticate to the target machine, which saves a lot of time and resources
- Windows completes LANMAN challenge/response, NTLMv1 and NTLMv2 authentication entirely from the LM and NT hashes stored for that user in the running LSASS process, so the hash alone is enough to authenticate
- When we say "put the hashes in memory", we actually mean putting them into LSASS's logon session array
- Only hashes taken from the system itself are passable, not the challenge/response traffic sniffed off the network: those responses have the challenge (a salt) and other data mixed in, which makes them unpassable. The only option with sniffed traffic is to recover the underlying hash from it by other means, and then pass that hash over the network.
>Doing PTH
- Windows Credential Editor (WCE) - Works for LANMAN, NTLM and Kerberos
- Using Metasploit's psexec module and setting the SMBPASS field to the hash (LM:NT format)
>Mitigation
- Using host firewalls to block client-to-client connections, and whitelisting so that inbound SMB is allowed only from authorised machines
- Setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy:
  - 0: PTH is disabled for all users except the local administrators, and remote users cannot execute commands on the remote target whatever kind of authentication they use, be it a hash or a normal password
  - 1: Vulnerable to PTH
- Implementing Local Administrator Password Solution (LAPS) to manage the local administrator passwords on workstations (a unique, rotated password per machine, so one machine's hash does not open the others)
- Implementing Windows Defender Credential Guard. Windows 10 uses virtualisation-based security together with the TPM and Secure Boot to isolate credentials from the main OS, making it harder to extract the hashes; it does nothing, however, to stop an attacker reusing a hash they already hold
- Restricting remote administration with local accounts through Group Policy, using the two new security identifiers Microsoft introduced for local accounts
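The following audit script is an added example, not part of the original notes or of any vendor tooling: it reports, on the local machine, the state of each mitigation listed above so a defender can see which ones are actually in place. It assumes an elevated session, that legacy LAPS drops its client-side extension at `%ProgramFiles%\LAPS\CSE\AdmPwd.dll`, that Windows LAPS policy lives under `HKLM\SOFTWARE\Microsoft\Policies\LAPS`, and that the "Deny access to this computer from the network" right is where the two local-account SIDs (S-1-5-113 and S-1-5-114) have been placed; the function name `Get-PthMitigationStatus` is ours.

```powershell
# Added example (not from the original notes): audits the pass-the-hash
# mitigations described above and returns one object with a field per check.
# Run in an elevated PowerShell session on the machine being reviewed.

function Get-PthMitigationStatus {
    $result = [ordered]@{}

    # 1. LocalAccountTokenFilterPolicy: absent or 0 means remote logons with
    #    local admin accounts get a filtered token; 1 hands out full admin
    #    tokens remotely, which is the setting that makes PTH with local
    #    accounts work.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ltfp = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy `
             -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $result['LocalAccountTokenFilterPolicy'] = if ($null -eq $ltfp) { 'not set (defaults to 0)' } else { $ltfp }
    $result['RemoteLocalAdminTokenFiltered'] = ($ltfp -ne 1)

    # 2. Credential Guard: Win32_DeviceGuard lists running security services;
    #    the value 1 in SecurityServicesRunning is Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['CredentialGuardRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # 3. LAPS: legacy LAPS installs a client-side extension DLL (assumed path);
    #    Windows LAPS is configured under a policy registry key (assumed key).
    #    Presence of either is taken as "LAPS deployed"; whether the policy is
    #    actually applied still has to be confirmed in the directory.
    $legacyLaps  = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
    $windowsLaps = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $result['LapsPresent'] = ($legacyLaps -or $windowsLaps)

    # 4. Network-logon restriction for local accounts: export the local
    #    security policy and look for the two local-account SIDs in the
    #    "Deny access to this computer from the network" right.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $denyLine = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $denied = if ($denyLine) { $denyLine.Line.Split('=')[1].Trim() } else { '' }
    $result['LocalAccountsDeniedNetworkLogon'] = (($denied -match 'S-1-5-113') -and ($denied -match 'S-1-5-114'))

    # 5. Host firewall: an enabled inbound allow rule for TCP 445 whose remote
    #    address scope is "Any" lets every client on the network reach SMB,
    #    i.e. no whitelisting of authorised machines is in effect.
    $openSmb = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    $result['SmbInboundOpenToAny'] = [bool]$openSmb

    [pscustomobject]$result
}

Get-PthMitigationStatus | Format-List
```

A machine that is in good shape reports `RemoteLocalAdminTokenFiltered`, `CredentialGuardRunning`, `LapsPresent` and `LocalAccountsDeniedNetworkLogon` as True and `SmbInboundOpenToAny` as False; each False/True in the other direction maps directly to one bullet in the list above, which is what makes the output useful as a checklist rather than just a dump of settings.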