How to Perform a Pass-the-Hash Attack & Get System Access on Windows


Passwords on Windows are stored as hashes, and sometimes they can be tough to crack. In certain situations, though, we can get around that by using the hash as is, with no need to know the plaintext password. It's especially interesting if we can manage to get the hash of an administrative user since we can then authenticate with higher privileges by performing an attack known as pass the hash.


We will be initially compromising a Windows 7 box, grabbing a hash from there, and pivoting to Windows Server 2016. The user whose password hash we obtain needs to have administrative privileges and to have been logged on to both of these machines. We will be using Kali Linux as our attacking box.


Pass the Hash Overview


To understand the pass-the-hash technique, we first need to cover what makes up the hash. On Windows, a typical hash will look something like this:


admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::

There are four distinct fields, each separated by a colon. The first field is the username, and the second is the account's relative identifier (RID), a number that is unique within the host or domain.


The third part is the LM hash, a type of hash that was used in older Windows systems and was discontinued starting with < ..
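The hash line format described above is what an incident responder also has to read when triaging a credential dump found on a compromised host. The following parser is an added example (not code from the original post); it splits a `user:rid:lmhash:nthash:::` line into its fields, validates them, and flags two things a defender cares about: whether a real LM hash was stored (the constant value shown on this page is the LM hash of an empty string, which is what Windows stores when LM hashing is disabled) and whether the account is the built-in Administrator (RID 500). The second sample line is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# LM hash of the empty string: stored when LM hashing is disabled (the normal case today).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class DumpedHash:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_present(self) -> bool:
        # A value other than the empty-string LM hash means the legacy LM hash was really stored.
        return self.lm_hash != EMPTY_LM_HASH

    @property
    def builtin_admin(self) -> bool:
        # RID 500 is always the built-in Administrator account.
        return self.rid == 500


def parse_hashdump_line(line: str) -> DumpedHash:
    """Parse one 'user:rid:lmhash:nthash:::' line into its four fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"expected at least 4 colon-separated fields: {line!r}")
    username, rid = parts[0], parts[1]
    lm_hash, nt_hash = parts[2].lower(), parts[3].lower()
    if not rid.isdigit():
        raise ValueError(f"RID is not numeric: {rid!r}")
    for label, value in (("LM", lm_hash), ("NT", nt_hash)):
        if not HEX32.match(value):
            raise ValueError(f"{label} hash is not 32 hex characters: {value!r}")
    return DumpedHash(username, int(rid), lm_hash, nt_hash)


def triage(lines: List[str]) -> List[str]:
    """Return one finding per line, so an analyst can see which accounts are exposed and how."""
    findings = []
    for line in lines:
        h = parse_hashdump_line(line)
        tags = ["NT hash exposed"]
        if h.lm_present:
            tags.append("LM hash stored (legacy, weak)")
        if h.builtin_admin:
            tags.append("built-in Administrator")
        findings.append(f"{h.username} (RID {h.rid}): " + ", ".join(tags))
    return findings
```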
