Pass the Hash Attack

One of the biggest security problems that organizations and users are facing is that they use the same passwords for many systems.This can create a huge risk in an organization because If someone manage to obtain a hash from a system he can use it to authenticate with other systems that have the same password without the need of cracking it.This technique is called pass the hash and we will examine it in this article.

For the needs of this tutorial we will use a Windows 2003 Server and Backtrack.So we already know that Windows 2003 Servers are vulnerable to the netapi service.So we will use the appropriate exploit in order to gain access to the remote system.You can see the exploit settings in the image below:

Exploit Settings


As a payload we have used the meterpreter because we will need it in order to obtain the hashes of the remote system easily.So we are exploiting the system:

Exploitation of the system


Now it is time to obtain the hashes of the remote system with the command hashdump.

Obtaining the hashes


Now that we have the hashes we can try to crack them offline.However this process requires time so we will try to use the administrator hash in order to authenticate with the system.Metasploit has a module that has the same function with the psexec utility.So we will use that module in order to authenticate through SMB to the remote target.You can see a description of that module in the next image:

Description of psexec


This metasploit module requires to know in which workgroup the remote target belongs.We can discover that very easily by using the Nmap script engine and executing the following script:

Discovery of the workgroup


We can see that the workgroup is York.So we go back to the metasploit and we are configuring the psexec module You can see all the configurations that we have made in the next screenshot:

psexec configurations


As you can see from the image below we have used the Administrator’s hash that we have obtained before in order to authenticate.Also we changed the LPORT to 4445 because the 4444 in our system is in use from the previous exploitation.Now it is time to authenticate as an administrator:

Authentication with the Administrator's hash


We have successfully authenticated as an administrator to the remote system just by using the hash and we have opened a meterpreter session.An attacker could try to use the same hash to other systems as well that use the same password in order to gain access without the need of finding a vulnerability.


Windows hashes are not salted so anybody with a valid hash can use it directly to authenticate by using this attack.Also this method points out the need for use multiple passwords especially in organizations because if one system is compromised then the other systems that have the same passwords will be at risk regardless of how complex the password will be.