Pass-the-Hash Toolkit for Windows
Hernan Ochoa
HITB SECONF2008 (Hack In The Box Security Conference), Malaysia. October 27-30, 2008. And Buenos Aires Conference (Ba-Con '08), Buenos Aires, Argentina. October 1-2, 2008.
NTLM hashes, Pass-the-hash, Windows authentication


The ‘Pass-the-hash’ technique, first published in 1997 by Paul Ashton, allows attackers to use captured NTLM hashes to authenticate to remote hosts without having to crack those hashes to obtain the cleartext password: in NTLM challenge-response authentication the hash itself is the secret used to compute the response, so possessing it is enough. Until now this technique has been performed using modified SMB clients (e.g. Samba) or third-party implementations of the SMB/CIFS protocol. This means that after successfully authenticating to a remote host using the ‘pass-the-hash’ technique, the functionality available to attackers/penetration testers is limited to what those clients implement.

The Pass-the-Hash Toolkit is the first public implementation of the ‘pass-the-hash’ technique for the Windows platform. It allows attackers/penetration testers to perform the technique from a Windows machine (e.g. by changing the credentials of the current local logon session, or by creating a new local logon session with the desired credentials: username/domain/NTLM hashes) and then, once authenticated, use native Windows administration utilities (from Microsoft or third parties) to access remote services, gaining all the functionality of the native utilities without limitations.
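From the defender's side, the two footprints the technique above leaves are a new local logon session created with alternate credentials on the source host, and an NTLM network logon on the target where Kerberos would normally be used. The following triage script is an added example and is not part of the talk or the toolkit; it runs over constructed Windows Security 4624 records reduced to the fields that matter, and the field names and the rule thresholds are assumptions you would adapt to your own log pipeline.

```python
# Added example (not from the talk or the toolkit): triage Windows Security 4624
# logon events for the two footprints pass-the-hash leaves. Records are constructed.

SAMPLE_EVENTS = [
    # Ordinary console logon (type 2) via Kerberos: benign.
    {"RecordId": 1, "EventID": 4624, "LogonType": 2, "LogonProcess": "User32",
     "AuthPackage": "Kerberos", "TargetUser": "alice", "WorkstationName": "WS01"},
    # Type 9 (NewCredentials) through seclogo: a cloned token that uses different
    # credentials for outbound connections. A legitimate "runas /netonly" looks the
    # same, so treat this as a lead to baseline, not as proof.
    {"RecordId": 2, "EventID": 4624, "LogonType": 9, "LogonProcess": "seclogo",
     "AuthPackage": "Negotiate", "TargetUser": "alice", "WorkstationName": "WS01"},
    # Network logon (type 3) to a server via NTLM inside a Kerberos domain, with an
    # empty source workstation name: the usual target-side trace of the technique.
    {"RecordId": 3, "EventID": 4624, "LogonType": 3, "LogonProcess": "NtLmSsp",
     "AuthPackage": "NTLM", "TargetUser": "svc_backup", "WorkstationName": ""},
    # Network logon via Kerberos: expected in a domain.
    {"RecordId": 4, "EventID": 4624, "LogonType": 3, "LogonProcess": "Kerberos",
     "AuthPackage": "Kerberos", "TargetUser": "bob", "WorkstationName": "WS02"},
]


def triage_logons(events, kerberos_expected=True):
    """Return (RecordId, reason) pairs for 4624 events matching either footprint.

    kerberos_expected: set False for workgroup hosts, where NTLM is normal and
    the network-logon rule would only generate noise.
    """
    findings = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        # Source-host footprint: new logon session created with alternate credentials.
        if e["LogonType"] == 9 and e["LogonProcess"].lower() == "seclogo":
            findings.append((e["RecordId"],
                             "new logon session with alternate credentials (type 9)"))
        # Target-host footprint: NTLM network logon where Kerberos should have been used.
        elif e["LogonType"] == 3 and e["AuthPackage"] == "NTLM" and kerberos_expected:
            reason = "NTLM network logon where Kerberos is expected"
            if not e.get("WorkstationName"):
                reason += ", empty source workstation name"
            findings.append((e["RecordId"], reason))
    return findings


if __name__ == "__main__":
    for rid, why in triage_logons(SAMPLE_EVENTS):
        print(f"record {rid}: {why}")
```

Correlating a type-9 hit on one host with a type-3 NTLM hit for the same account on another host within a short window is what turns these leads into an alert worth paging on.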

This presentation will describe how the different tools included in the toolkit were implemented, and will explain how to use the toolkit during a penetration test.