Pass the hash (PtH)

Pass-the-hash principles:

Windows systems commonly use NTLM authentication. NTLM authentication does not use the clear-text password; it uses a hash derived from the password, which is generated by system APIs (e.g. LsaLogonUser). There are two kinds of hash, the LM hash and the NT hash; if the password length is more than 15, no LM hash can be generated.

Starting with Windows Vista and Windows Server 2008, Microsoft disables the LM hash by default. If an attacker obtains the hash, they can impersonate the user at authentication time (i.e. skip the hash-generation step and call the authentication API directly with the hash).
This attack applies to:

Domain and workgroup environments

Demo:

Target machine: win08 r2
Attacking machine: win08 r2

1. On the target machine, read the NTLM hash:

2. On the attacking machine, run:

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:top.pentest.top /ntlm:044dfa0c35b979ed369f7335b5ea20e0"

A cmd window pops up, which shows that the hash was passed successfully!!!

Summary: in internal network penetration, when we can read the NTLM hash but cannot obtain the plain-text password, we can still move laterally by passing the hash.

Passing the hash is not limited to mimikatz; the impacket toolkit and wce can also perform this attack.


Source: www.cnblogs.com/zpchcbd/p/11729691.html